Audrey Tang is not your typical bureaucrat. Taiwan’s Minister of Digital Affairs is the island’s youngest minister, as well as its first prominent non-binary public official. Homeschooled by journalist parents, she was a software developer and digital rights activist at the time of the 2014 Sunflower Movement, when young protestors occupied Taiwan’s legislature to oppose a trade deal with China. Tang, who was already involved in civic movements to promote government transparency, ended up being invited into the government where she took charge of technology initiatives and helped lead the government’s Covid response. She debuted as Minister of Digital Affairs in August 2022, during a peak in tensions with China following a visit to Taiwan by Nancy Pelosi, who was at the time the Speaker of the U.S. House of Representatives.
In keeping with Tang’s transparency ethos, a full version of this interview has been released by her office in Chinese. The English translation has been condensed and lightly edited.
Illustration by Kate Copeland
Q: I’d like to kick off by asking about your job, and your mandate. A lot of people probably don’t know what a Minister of Digital Affairs does.
A: Here in Taiwan, digital affairs covers three aspects. One is social development, that is, everyone should have access to the Internet. For instance, allowing people in remote places to access public services requires the help of the Internet. We have a saying here that “broadband is a human right,” so let’s ensure this human right. That’s the first part.
Another aspect is to respond to sudden contingencies; for example, if an undersea Internet cable is cut, for some “unknown reason,” then [we need to] find a way to restore access with microwaves or satellites. Or last August, again, “who knows why,” but Nancy Pelosi’s image appeared on the advertising billboard outside Taipei Main Station, so we had to respond immediately. When faced with various attacks, not only must you cope very quickly, you also have to improve your whole system every time. This is what we call “resilience.” These are situations that call for an immediate response.
| BIO AT A GLANCE | |
|---|---|
| AGE | 42 |
| BIRTHPLACE | Taipei, Taiwan |
| CURRENT POSITION | Minister of Digital Affairs, Taiwan |
Finally, there is business development. We have a very important concept that all sectors must undergo digital transformation together, not just one or two industries. So we go into, for example, mom-and-pop shops or small stores and also community cooperatives or associations. These need to keep up with the digital transformation. Especially during the pandemic, in-house operations were not convenient and restaurants even closed for a while, so they had to quickly switch to offering delivery and takeout, etc. This is also our job.
These three aspects — social development, business development and sudden developments — we call it “digital resilience for all.”
How do you bring your public personality to this role?
There are still many ‘old hands’ in the world, who, when they think of Taiwan, don’t think of digital democracy. They may still hold impressions gleaned during the more authoritarian era, and the social atmosphere back then didn’t include same-sex marriage, right?
| MISCELLANEA | |
|---|---|
| FAVORITE ARTIST | I often listen to Leonard Cohen, the Canadian poet. Sometimes things I say in interviews, for instance “there’s a crack in everything / that’s how the light gets in”, that all comes from Cohen. |
| FAVORITE FILM | I have a favorite science fiction writer, Ted Chiang. His novella was made into a movie called Arrival, and I think it is very good. The original novella, Story of your Life, was even better. |
There is a big difference between Taiwan nowadays and when I was a child. My parents were both journalists, but at the time there was the so-called newspaper ban; no-one could launch new publications. There were only a few newspapers and a few TV stations, opinion pieces had to get approval from the party committee and so on. It is completely different now. Now we are ranked No. 1 or No. 2 in Asia in terms of the Global Democracy Index.
So when I am active on Twitter or other media. I want to represent Taiwan today, including broadband access as we just discussed, and digital human rights. We call it inclusiveness, and it is a key value.
Some old hands may remember that Mandarin was dominant in Taiwan in the old days, and Taiwanese and other dialects were marginalized. But now we welcome a lot of languages, including the 42 different indigenous languages from our 16 ethnic groups. Taiwan is not only inclusive, it also enables co-creation, or creating together from many different perspectives. This is what we can bring to people overseas.
My personal experience demonstrates that Taiwan is structurally a very different place now than when I was a child.
How do you promote this type of creative digital participation in a society like Taiwan? I don’t know if you use the word “island” or which term you prefer to use for Taiwan, but how does digital participation help?
When I signed the Declaration for the Future of the Internet, [a U.S. initiative to promote norms for a single, global Internet, signed by over 60 countries in April 2022] Taiwan and the other 67 democratic partners were all called “democracies” or “partners,” so we could avoid the problem you just mentioned!
We are the same as democratic partners all over the world. Although so-called globalization has brought the world closer together, with the Internet it seems that the difference isn’t how near or far apart you are, but the distance between values. Those whose values are closest will naturally form an alliance on the Internet.
On the Internet anyone can easily become an isolated island, or become polarized, because everyone is separated by a screen. Things that you wouldn’t say face to face you might say on a screen. It seems that democratic society hasn’t brought people with different ideas closer together; instead, they are getting further and further apart, even so far as to end up in a kind of post-truth situation.
So how do we use Internet technology to facilitate people with completely different views to understand each other, instead of people with similar views just grouping up together? This is my research work, and it is important for the whole world.
For instance, during the pandemic, people who thought privacy is most important, and people who thought protecting each other’s health was most important, had many different opinions when it came to the investigation and tracking of the epidemic. But by using co-creation, as we just talked about, we could enact privacy rights but also allow people who might have problems to be notified as soon as possible when a break-out had happened somewhere. This came from civil society, rather than relying on big government or big companies. We successfully adopted what we called the SMS-based contact tracing system. We kept it up until Omicron’s second wave [in January 2022] when our defenses broke. But by that time, our people had been vaccinated. [Through a combination of quarantine, masking and big data, Taiwan kept a lid on Covid in the first two years of the pandemic, reporting over 17,000 cases and about 850 deaths in 2020-2021. By contrast, it reported 9 million cases and 15,775 deaths in 2022].
So, for instance during Covid, or other sorts of collective experiences, you could provide a sort of platform.
| OWN WORK | |
|---|---|
| At the moment, I am writing a book called Plurality, which you can find here. Its special characteristic is that I am writing it simultaneously in Chinese and English. It’s the summation of our work over the past seven years, so that people who are not so much in this world, for instance, Westerners who are interested in democracy, can still understand. It’s supposed to be read by normal people, in plain language. | |
Yes, we could objectively see that. We relied on civil society’s creativity to let everyone know where the masks were, or make appointments for vaccines or discuss the merits of different brands of vaccines so that it was easy to choose. Or else, tracing infected people so that the public didn’t feel that the country was infringing on the rights of certain groups, or that big companies were using these changes for capitalist expansion. On the contrary, whatever civil society thought of could be transformed into a public good. This approach allowed everyone to trust each other more and more. As long as you trust each other once or twice, mutual trust will grow.
We discovered that even though everyone started from different positions, there can still be some consensus. This way, when new challenges arrive, everyone can work together to solve them. Democracy should be more and more about the ability to co-create, instead of turning into a system where half the people win this time and then the other half win the next time.
I spent most of my career in mainland China, and there we wrote a lot about “netizens”. They have a lot of humor, a lot of participation, but they also have a very shrill type of nationalism, which can get very angry.
In your role, do you ever have any sort of engagement with Internet users in mainland China, or are you 100 percent Taiwan-facing?
We just talked about democratic partners. In fact, even under authoritarian regimes, there are many friends who are enthusiastic about democracy. For example, I have an account on a website called matters.town, which uses a decentralized system called the interplanetary file system [IPFS]. Anyone can post articles on it and they cannot be taken down by governments, or tampered with. Everyone’s computers are backed up with each other, so if any one computer is confiscated, the article is still there. You can’t take it down. Many friends under the CCP regime who are interested in the democratic movement share their practices on such a platform, and they are very willing to try small-scale democratic organization. Their contribution to democracy is found within an authoritarian regime and through the Internet. Of course, they have to protect their anonymity, but many people do it.
The website of our ministry is also set up with IPFS. Last August, when Pelosi came to Taiwan, the websites of many other departments were attacked, and they went down for a while. But because we use such a decentralized system, anyone, even under an authoritarian regime, can donate some of their hard drives to help back us up, so we didn’t go down for a second.
Democracy should be more and more about the ability to co-create, instead of turning into a system where half the people win this time and then the other half win the next time.
These kinds of democratic partnerships are like a federation among democratic partners, a federation that includes people-to-people, not necessarily just governments.
How does the concept that the Internet is everywhere, or technology is everywhere, change Taiwan’s game? For instance in the 1990s there were tensions [between mainland China and Taiwan] but they were entirely conventional. Nowadays, when everyone is online, how does protecting your operations play out in the context of Mainland-Taiwan tensions?
There is a big difference from the 1990s. Nowadays in Taiwan, cyber attacks can come at any time and from anywhere. They are constant.
As you just said, in the 1990s, you could still read the newspaper in the morning and find out that the situation will be relatively dangerous at noon today, or that today’s situation is relatively peaceful. But [nowadays], according to a statement made in May this year by Wellington Koo, Secretary-General of the National Security Council, Taiwan experiences 5 million attempts a day. When you are talking about 5 million attacks a day, there is no such thing as “today is more serious” or “yesterday was less serious.” Anytime, anywhere, as long as there is a weakness, an external attacker will use that weakness. This concept of “anytime, anywhere” is the biggest difference.
Talking about defense means talking about how we can disseminate our influence. In the 1990s, Taiwan was not like today. Now 90 percent of the world’s high-end chips — vital in the supply chain for all the processes on the Internet, including AI — all come from Taiwan, including TSMC [the leading Taiwanese chip manufacturer]. If Taiwan’s production capacity were affected, the ubiquity of this technology would be affected, everywhere. Therefore, the whole world feels the importance of Taiwan.
Geostrategically, Taiwan is more important than it was in the 1990s.
Do you see some patterns in the cyber attacks, such as where they came from, or how they come in? Can you deduce what kind of operation the other party has?
A good example can be seen in August last year, when two things happened. One was that, as I mentioned, the websites of some of our important ministries and committees went down, and the other is that institutions that people consider to be part of the government, like Taiwan Railway, were tampered with. They hacked the advertising billboards outside the train stations or the station lobbies to project some images of Nancy Pelosi. There were rumors on the Internet that hackers had successfully attacked the Ministry of Communications, the Ministry of National Defense, or the Presidential Palace, and journalists found that they could not get onto these websites.
So on the one hand, they made it difficult to inform [the public] about the real and actual situation. Psychologically, the attacks also created this false impression that they [the cyber attackers] already controlled many important organs of government, which made everyone feel uneasy. It was a kind of cognitive warfare.
The purpose of this warfare is to weaken confidence in Taiwan’s entire democratic system and the state of society as a whole. But that time it didn’t work, because after we responded quickly, the stock market still finished up that day and did not fall. That time, their cognitive warfare wasn’t successful. But we could see that some attack methods that seemed to be more fragmentary in the past were highly integrated in August last year.
When I previously reported on hacking from mainland China, we believed that some hackers are organized, but some of them are freelance. When they score, it’s like a trophy hat for them, or a scalp. Do you feel that way?
What I meant just now is that when they have a common tactical goal, they coordinate with each other very quickly. We might have observed that this group of people has such an attack style, or that group of people has a different attack style, even their work and rest periods are not necessarily the same, but when they want to instigate a joint attack, the coordination among them is very fast.
I am thinking of the establishment of the Digital Affairs Ministry. When the attack came in August last year, the ministry had not yet been [formally] established. Our website had just gone online, and in that same hour, the missiles began flying, so our launch also became [a test of] our reaction function. Our joint defense, integrating both civil society and government as well as democratic partners around the world, is now tighter thanks to the establishment of the Ministry of Digital Affairs.
In fact, when President Tsai Ing-wen visited the United States in March this year, there were a certain amount of attacks, but no big incidents. Reported information security incidents have dropped from around 140 last year to dozens this year, all of them relatively small.
There’s another problem other than hacking, which is physical infrastructure. Right now Taiwan relies on deep-sea cables, but several months ago the cable to Matsu Island was cut off. Can you talk about this?
At that time, Matsu was connected to Taiwan by two submarine cables. Within a week [in February 2023], both were “accidentally” cut, by a fishing boat and a cargo ship, both flying the Five-Star flag [PRC flag]. The anchors were “carelessly dropped,” “carelessly dragged” — this is really incredibly careless!
That situation did have a considerable impact. So now we have two policies. One is that we cooperate with the National Communications Commission (NCC) to use microwaves to supplement the bandwidth of the submarine cable, so that by the end of the year, even if the submarine cable is completely cut off, at least Matsu will not be much impacted. In June, we went to Matsu for a live drill of switching to microwaves if the cable is cut. I was speaking with the fire marshall at the Central Emergency Response and Disaster Center in Taipei, and it switched instantly. We didn’t notice anything. If the microwave station is in a known position, there is no way for a ship to cut it, perhaps one could still destroy it physically, as you said. If the microwave station is also destroyed, we still have satellites.
For instance, there’s a microwave station on Taiwan’s main island and a station on the Matsu side. They are connected via an invisible line in the air, so it is a bit like the submarine cable in the sense that it is point to point. There is no physical line, so it is more difficult to cut off. However, a microwave station is just like a submarine cable in that it cannot be hidden from others, so you still know where it is. If you really wanted to take out the microwave station, you could do it.
Using satellites [for communications] is different. The satellite is in the sky, and the receiver is also very small and can be moved around, as you can see in Ukraine. There are many small dishes in Ukraine. They can be placed in hidden places or moved quickly, but no matter where they are, they still get reception from the satellites.
So would each person have to access it themselves or would they function more like broadcasting stations?
That’s right. In Ukraine, they mostly use non-geostationary satellite terminal equipment sites, so-called hot spots. After connecting to a satellite, people within the WiFi range can use their mobile phones, instead of a computer, to access the Internet. But WiFi is indoors and limited in range. So before the end of next year, in addition to trying 700 hot spots, we will also have base station satellite backhaul link sites. Backhaul is connected to the 5G base station, so the range is very wide. As long as you can receive a 5G signal, with an ordinary mobile phone, you can surf the Internet via satellite. One [solution] is small-scale and the other is large-scale, but they both involve satellites. We will test with low-orbit and medium-orbit satellites, and by the end of next year there should be 700 such reception sites.
Is there a limit to how many people can use it? Otherwise, WiFi can get really slow.
That’s right. Of course, 5G does not have this signal interference problem. But the total bandwidth is still limited, just like the transmission speed that satellites can provide. We would have to separate out who could use it more and who would be mainly allowed to send text messages.
So no movies?
Right. Have you ever used WiFi on a plane? If everyone starts streaming movies, they say that only those who have paid more can stream, and everyone else just has to return to email. The same would be true here.
Of course, for foreign communications, it would be like [Ukraine president] Zelensky, who has appeared every day to announce what had happened, or to say he hadn’t run away even though the Russians spread rumors that he had. He showed he still stayed in Kiev and asked for ammunition or tanks or other things. This was a very good way of communicating to the outside world.
We would be the same. We will need external communication, for example, for our president, and for international reporters like you. As long as international reporters have the bandwidth for communication and video, they could transmit abroad what is actually happening, so this would be given a very high priority. Adding all these together would probably use up the Mbps or megabits per second provided by the satellite. It can’t accommodate gigabytes per second like microwaves can.
U.S. Senator Jacky Rosen (D-NV) has proposed increasing cybersecurity cooperation with Taiwan. Would that fall under your ministry? Can you explain what such cooperation would involve?
Starting in 2019, we have held Cyber Offensive and Defensive Exercises, CODE for short. It started with the Cyber Security Department of the Executive Yuan, which is now the Administration for Cyber Security of our Ministry of Digital Affairs. We invite experts in cyber security from domestic and foreign governments, who make up the Red Team, and they use any way they can think of, within the scenario or outside the scenario, or whatever occurs to them. The other team is responsible for defense.
These exercises are not like the previous situational drills, but more like reality; the format is specified in advance but you can use your skills and bring anything. So each time the CODE is different. We’ve had banking and financial facilities, power supply facilities, and communication facilities, the so-called “critical infrastructure”. First we set up the simulations, the simulated bank, the simulated power plant, and the simulated communication provider, and then everyone attacks and defends.
The United States was an observer in 2019, and it also helped us arrange a two-day cyber-security practical education and training for foreign participants. Two years later in 2021, the United States directly joined the exercise. Twenty countries participated that year.
The most important thing is for democratic partners to see that it is not like it was in the 1990s, when Taiwan was far away, when those who hit Taiwan would not turn around and hit them in the next second.
Regarding your question, we hope that this can be more institutionalized. We also have invitations to participate in some drills. These sort of drills mean that when things actually happen, everyone will have a better understanding of how to communicate with each other. We’ll be more experienced in joint defense.
Can you describe these exercises a little more? Are there a few hundred people in a room, typing away, or is everyone in separate locations?
Of course, the Red Team and Blue Team are not sitting in the same room. We set up a simulation venue, and they have to use various methods to infiltrate, or to tamper with and block its services, basically to prevent this important key infrastructure from playing its role. So if it is a communications facility, then nobody can receive the signal. If it is a financial institution, people can’t withdraw from the ATMs. If it is a power plant, then no electricity. If they achieve this result, the Red Team wins. But even if the Blue Team partially succumbs to an attack, it still needs to figure out how quickly it can recover. After recovering, if they can learn from the experience, the next attack by the Red Team will fail.
Watching you describe this, it seems these exercises are kind of fun.
It’s more fun when the Red Team and the Blue Team trained together!
We have a National Institute of Cyber Security, of which I am also the chairperson. Technicians at the institute have to take an exam before they come onboard. This exam is a mock test for the Blue Team. The topic isn’t just random, it’s a Red Team attack that actually happened in history. It’s like a recording. You get to the computer, and within seconds you see the Red Team start to move, and you try to counter. You have to react immediately! If you don’t respond, you will be hit further inside. I’ve taken this test too. I got a score of 80 points, which isn’t bad.
The point is that when we are defending, we must also be able to understand how the attacker thinks. This is called “Purple teaming”. Each time after the red and blue teams conduct their drill, they have to sit down and share their ideas.
Your experiences may stem from Taiwan’s special situation, but in the U.S. we often hear that some city has had their systems frozen or other such problems. Given its experiences, can Taiwan help other countries or smaller regions with their cyber-defense?
Do you think we are so unusual? I have visited Tallinn, in Estonia, and they encountered these types of situations earlier than we did. They have also come up with many solutions. For example, after encrypting some core data, they store them on the computer of their embassy in Luxembourg. The computer is part of the embassy, so if something ever happened to Estonia, all the data could still be recovered from Luxembourg.
They have gradually developed this concept of joint defense, including the “X-Road” they entered into with Iceland and Finland, which is sets of encrypted data exchanged between their governments. Next time a certain regime attacks Estonia, if we learn that a loophole was found, then how should we fix it? Once we find out that we need to fix it, Iceland and Finland can get better too. This is using an open source method to improve recovery capability.
Like the IPFS I mentioned earlier, or our cooperation with Estonia, also cooperations with the U.K. and many other regions, we can see if the components we developed can be shared with theirs. Those that have been developed well, in the course of drills or after actual attacks, can be used elsewhere. This includes the three public clouds that we jointly defend, namely Google, Microsoft, and Amazon. They can integrate what we have researched or encountered. This helps customers of these public cloud services no matter where they are in the world.
Is there some issue that you worry about, but that you think most people aren’t really aware of yet?
Of course! A comprehensive overhaul of passwords.
This is a very important issue that not everyone is fully aware of yet. A short password is easy to guess and crack with machines, while long passwords are easy to forget, so you write it on a note, and stick it on your screen. Then there’s CAPTCHA, when a website asks you to identify a few numbers or recognize a few letters, to prove you are a human, not a robot. But now AI is better, so CAPTCHA blocks people and can let robots in.
| MOST ADMIRED | |
|---|---|
| I don’t think there is a specific person, but I appreciate ‘the spirit of the Internet’. The concept when creating the Internet was that anyone could link up with another like-minded person without seeking approval, this is called the “end-to-end principle” or “permission-less innovation”. I think this is a very important idea, because before this, you had to go through a state or a country or a nation before you could do this kind of multi-lateral interaction. But on the Internet, there can be multi-stakeholder negotiations, for instance all people who encounter climate change can form an interest group, right? I think this new approach is very inspiring. Of course, this is even more important for Taiwan. So I really endorse ‘the spirit of the Internet’. This is also discussed in the first chapter of my book. |
|
Therefore, whether it is CAPTCHA or passwords, the authentication method must be changed. In fact, there are many online financial or banking services that don’t rely on passwords anymore, but require you to press your fingerprint on your mobile phone or use facial identification. This biometric identification is stored in your mobile phone, it’s not that your fingerprint is stored at the bank. It relies on your mobile phone to identify your fingerprint, and then relies on the app to verify whether the mobile phone has been tampered with, and then relies on the telecommunications network or Internet provider to ensure that your app has not been tampered with.
This is called “triple protection”. I think of it as changing the combination lock of one door into three doors, and repairing any one of them if it is breached, so there still isn’t a break in. This concept is called “zero trust”. It is very important.
Ordinary people should update their mobile phone and operating system more, because once that door is breached, it only takes about 24 hours from being breached to being used by attackers all over the world. You should check every day to see if there is any update and update it as soon as possible, then you will not be affected by this. Relatively strong identity authentication, frequent updates, and multiple backups should be no problem to use.
What’s your most important task over the next one or two years?
The most important thing is joint defense by democratic partners.
I met the South Korean representative in Taiwan recently. He is very familiar with tech; he talks about technical details more than any representative I have met during my seven years in government. We discussed how Taiwan and South Korea could achieve joint defense on information security. I emphasized to him that Taiwan’s Information Security Agency is now specialized in this kind of thing, and there are similar organizations in South Korea.
The most important thing is for democratic partners to see that it is not like it was in the 1990s, when Taiwan was far away, when those who hit Taiwan would not turn around and hit them in the next second. This is not the case at all in cyberspace. As I just said, if they succeed in taking down Taiwan, it won’t be easily restored; and if you don’t immediately think about the next 24 hours, you too will be attacked. This is completely different from the geostrategic situation of the past.
That’s why achieving democratic joint defense is the next most important task.
Lucy Hornby is an award-winning foreign correspondent, reporting from Asia for many years for the Financial Times, Reuters and Dow Jones. She was a 2020 fellow at the Nieman Foundation for Journalism at Harvard. She is currently a visiting fellow at Harvard’s Fairbank Center for Chinese Studies, and a non-resident Senior Associate at the Center for Strategic and International Studies (CSIS), researching China’s state-led system during the reform era.
