Companies from across Taiwan’s semiconductor supply chain have been actively involved in SEMI standards and committee activities for decades. In recent years, Taiwan has taken an active role in developing cybersecurity standards for the semiconductor industry. What is the potential for Taiwan to assume a bigger role in managing cybersecurity risks across the global semiconductor supply chain? Could the recent Taiwan tour led by U.S. Department of Commerce improve the region’s standing by establishing greater cooperation between the two regions on supply chain resiliency?
Players across the Taiwan semiconductor supply chain are well-recognized in the global chip industry and play active roles in SEMI activities. In addition, Taiwan has a strong manufacturing base for high-tech, the 3Cs (Computer, Communication, and Consumer Electronics), and the machinery industry – factors that have made the region a target of cyberattacks by some of the world’s most advanced hackers. These intrusions have resulted in substantial fake news and leaks of confidential information. As a key engine of global high-tech production, Taiwan is a catalyst for upgrading OT (operational technologies) security in the global supply chain.
To what extent could emerging cybersecurity standards mandates, particularly from international customers and government, influence the roles and responsibilities of Taiwan’s high-tech suppliers in the development of standards?
Taiwan began an active role in developing cybersecurity standards in 2022, when efforts by TSMC and Taiwan’s cybersecurity professionals gave rise to the release of SEMI E187, among the first cybersecurity standards for semiconductor equipment. In addition, the 3rd Generation Partnership Project (3GPP) held its 100th plenary meeting in Taiwan in 2023. The visit of National Institute of Standards and Technology (NIST) representatives to the Ministry of Digital Affairs (MODA) and the Bureau of Standards, Metrology and Inspection (BSMI) Taiwan last September had great implications for the region's involvement with international standards. The BSMI visit to NIST in October was another example of how to create more dialogue between government agencies.
The new cooperation between Taiwan and the U.S. on cybersecurity standards promises to elevate the profile of Taiwan’s suppliers in the global semiconductor supply chain. The two regions’ collaboration on cybersecurity policy is an important step forward since supply chain security will continue to pose considerable global challenges.
Taiwan is famous for its vital OEM (Original Equipment Manufacturer) role within the global semiconductor and high-tech supply chains. In managing their supply chains, OEMs must balance cost and quality (function specifications) to meet their business requirements. ISO 27001 and cyber insurance are the most common requirements in international contracts for suppliers. The COVID-19 pandemic and resulting chip shortage forced many companies to revisit their relationships with suppliers and work to ensure more resilient supply chains. New rules for cybersecurity and ESG (environmental, social and governance) disclosures have since emerged to help strengthen supply chains. Those disclosures promise to help establish a new relationship between OEMs and their suppliers focused on partnership, and de-emphasize transactional interactions of the past based on cost and quality (Wu, 2022).
Suppliers often use contracts to mandate that buyers follow sound practices to help ensure a resilient supply chain, though some suppliers encourage buyers to complete self-reporting questionnaires in the early stages as they build a strong partnership. To help ensure suppliers meet their cybersecurity requirements, buyers may receive tens of thousands of supply chain questionnaires from suppliers. Preparing, completing and evaluating these questionnaires are formidable tasks for both suppliers and buyers.
One possible solution are questionnaire templates developed for the semiconductor industry by the Cybersecurity Committee at SEMI Taiwan in 2022. The templates can be used as a baseline to identify opportunities for cybersecurity improvements. The SEMI global cybersecurity community revised and adopted the templates for Taiwan’s supply chain this year. Another solution is to develop questionnaires based on existing standards and frameworks. The draft of CSF version 2.0, which provides voluntary guidance, emphasizes best cybersecurity business practices in areas such as cyber governance, cyber risk management, enterprise risk management and supply chain management. These cybersecurity standards can facilitate dialog on various cybersecurity requirements between buyers and suppliers.
Cooperation is key for regional learning communities focused on supply chain management to effectively integrate with local business cultures and industry practices. What’s more, for top management to develop their cybersecurity roadmaps, they must understand which cyber disclosures are voluntary and which are mandatory as they pertain to global and local cyber regulations and standards. And most importantly, they need to know when voluntary cybersecurity practices become de-facto industry requirements.
About the Author
Ming–Chang (Bright) Wu is a Cybersecurity Committee member at SEMI Taiwan and a committee member of Electronic Engineering National Standards Technical Committees at Bureau of Standards, Metrology and Inspection (BSMI) Taiwan. He was granted the 2023 ISC2 Global Achievement Award (APAC) and the ISC2 Taipei Chapter Champion. He currently works as a cybersecurity risk management consultant. He can be reached via his LinkedIn profile.
Source: Ming-chang (Bright) Wu, Re-framing strategic stakeholders’ values in global supply chains, Asia Pacific and Perspectives, Issue 3 (2022): https://www.ctpecc.org.tw//storage/publications/AlbertLiao_2022_APP_V2022I3.pdf