War Game Pits China Against Taiwan in All-Out CyberwarWar Game Pits China Against Taiwan in All-Out Cyberwar

If China attacked Taiwan, how could Taiwan defend its critical communications infrastructure from cyberattack?

Last year, Dr. Nina A. Kollars and Jason Vogt — both associate professors at the US Naval War College (USNWC) Cyber and Innovation Policy Institute (CIPI) — designed a war game to inspire some novel strategies. They enlisted government and private sector cybersecurity experts at Black Hat and DEF CON to participate, and presented the results at ShmooCon earlier this month.

The scenario was this:

August 6, 2030. Relations between the PRC and Taiwan had deteriorated to the breaking point due to the re-election of a liberal, pro-independence party. Rhetoric towards independence was at an all-time high, and several government representatives had openly called for UN recognition of Taiwan as an independent state. The Central Committee of the Communist Party (CCCP) decided that the risk of Taiwan declaring independence was high enough to warrant military intervention. They began preparations for an invasion. With little chance of surprise, the PRC decided to do their utmost to disrupt Taiwan’s military and civilian communications prior to the assault.

The experts came up with 65 ways Taiwan's government could prepare for such a war, ranging from the low tech, like using ham radio when mobile networks go down, to the ambitious, such as investing in modular nuclear reactors or tidal power generation, to the outlandish, for example using civilians or cultural artifacts as deterrents against military strikes.

Related:Thai Police Systems Under Fire From 'Yokai' Backdoor

Taiwan's Unique Indefensibility

In designing the war game, "We put very specific emphasis on what we call the 'Zelensky playbook,'" Kollars says. Ukrainian President Volodymyr Zelensky made certain that communications could occur between his own people and the capital, and between the capital and the rest of the world. "We went into designing the war game specifically to answer the question: Could the Taiwanese play Zelensky? Even under any kind of duress, could they find a way to keep communicating?"

What was clear early on is that political and geographic factors make Taiwan much more vulnerable to blockade. Ukraine is in mainland Europe, with a long border through which it can receive resources of one kind or another — fuel, Internet connectivity, and food, for example. Taiwan's highly connected populus is served by 16 undersea cables, three of which run through China, making them eminently cuttable. Meanwhile, it imports nearly all of its energy from overseas, and has been phasing out domestic nuclear power, which might otherwise provide a balance. "So pretty quickly you get this pretty dire picture, where it's just a fundamentally different kind of battle," Kollars explains.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

"Taiwan is in a very vulnerable position because of its geography, but also because of a million little micro-decisions, which ultimately give you the telecommunications and power system that you have," Vogt says. At the time of Russia's invasion, "Ukraine had a much more diverse set of mobile providers, and the power was much more distributed — there's a lot more connections to other countries. So the Russians were probably never in a position where they could digitally isolate Ukraine, writ large. They tried to do it to the capital, but it was always going to be very hard for them. I think in the Taiwan–China scenario, China has the potential to be much more damaging."

How to Defend Taiwan from China

Initially, players devised strategies to combat aggressive but ultimately tempered cyberwarfare: ransomware attacks against data centers, severed submarine fiber optic cables, and forced power outages. Only then did China kick up its game with kinetic strikes, including PRC strikes on Taiwanes aircraft and ensuring that nothing can fly in Taiwanese airspace. In the scenario, PRC also destroyed bridges and key routes to coastal defenses, while also targeting Taiwan's command-and-control systems and all manner of communications systems.

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

How could a small island nation possibly protect its infrastructure against the combined might of the world's second greatest military power?

More than two-thirds (70%) of the solutions proposed by players involved investing in infrastructure for communications, power generation, storage, and data backup and distribution. Some 20% of the ideas focused on recovery — preparing civilians with technical skills, and stockpiling spare resources, for example. Only 10% of recommendations focused on straight cybersecurity.

The physical location of critical resources was also of utmost importance. Some suggested that Taiwan take advantage of its geography by building and stockpiling equipment along its far coast, in forests, and nestled in its eastern mountain range. Some suggested decentralizing its infrastructure, spreading it out in smaller chunks all around the country using solar power and cheap radio systems. Others argued for the opposite: concentrating communications and power systems in fewer, denser areas that China might be reticent to destroy.

"There were some ideas I thought, from a military perspective, were pretty risky," Kollars admits. "One of them was to colocate all of Taiwan's precious assets — like the TSMC semiconductor plant, all of its antiquities from China, large populations, and a nuclear power plant — assuming an adversary wouldn't strike a target that had everything stacked on top of it. That's a heck of a gamble."

Ultimately, the most popular ideas were those that were cheap and practical, like using Bluetooth or Raspberry Pi mesh networks as backups to cellular connectivity. "The thing that surprised us most about this exercise," Vogt recalls, "was how much time they spent talking about the civilian population, and what needed to be done to prepare them: everything from public messaging campaigns on how to be cyber secure to full-on training programs to create civilian cyber cores that could not just protect themselves but also operate and maintain equipment when there's no government around, and keep the communications going for longer periods of time."