  • Degree thesis

An Analysis of the Operation of Taiwan's "Cybersecurity Protection Iron Triangle" (2016 - 2020)

Strategic Studies on Taiwan “Cybersecurity Iron Triangle”

Advisor: 李大中

Abstract


This thesis builds on the "Information Security is National Security" National Cybersecurity Strategy Report (《國家資通安全戰略報告》) and uses a Strategic Studies approach to analyze the operation of the "Cybersecurity Protection Iron Triangle" mechanism during the Tsai administration. In 2010 and 2011, a cross-branch (Presidential Office and Executive Yuan) organizational structure for the national cybersecurity mechanism took shape: three systems, "Cyber Defense", "Cyber Defense for Overseas Missions" and "Cyber Intelligence Collection", were set up under the National Security Council's Cybersecurity Steering Group and linked to the two systems, "Cyber Protection" and "Cybercrime Investigation", set up under the Executive Yuan's National Information and Communication Security Taskforce. The National Communications Commission (NCC, 通傳會) has now been brought into this protection system, and the result is the "Cybersecurity Iron Triangle".

Summarizing the three bodies' powers and responsibilities: within the National Security Council, cybersecurity policy decisions are made by the advisory members and the Cybersecurity Group; the Information Security Office (資安辦) is not a decision-making unit but drafts policy plans and acts as administrative staff, working in coordination with the Department of Cyber Security. The Executive Yuan's Department of Cyber Security (資安處) has an all-encompassing remit: anything not belonging to the work topics of the national security office (國安辦), not otherwise regulated, and not within a specific ministry's scope can fall to it. The NCC, beyond technical specifications, is also responsible for supervising and regulating the security of critical information infrastructure in the communications and broadcasting sector.

Three case studies, the 2016 DDoS extortion campaign against securities firms, the 2019 seizure of the domain name of the "Watching the 31 Measures" (《關注31條》) website, and the personal data breach at the Ministry of Civil Service (銓敘部), show the "three-in-one" cooperation model running from the Information Security Office through the Department of Cyber Security to the NCC, and demonstrate the tacit operational coordination of Taiwan's Cybersecurity Protection Iron Triangle. Bringing the NCC into the cybersecurity defense system has proven effective: with the teams cooperating, cybersecurity incidents are handled more quickly, effectively and comprehensively.

Moreover, the three agencies that make up the Iron Triangle are not equals; there is a hierarchy among them. Broadly, the national security authority, the National Security Council's Information Security Office (國家資通安全辦公室), sits at the top tier; the cybersecurity authority, the Executive Yuan's Department of Cyber Security (行政院資通安全處), at the middle tier; and the communications security authority, the National Communications Commission (國家通訊傳播委員會), at the bottom tier.

Three further observations follow. First, is the "Cybersecurity Protection Iron Triangle" in nature more like a three-dimensional "strategic pyramid"? Mapping the strategic pyramid onto the Iron Triangle, the Information Security Office is the apex of the pyramid, the level of overall strategy; the Department of Cyber Security is the level of categorized strategy; and the NCC is the level of operational strategy. Second, borrowing the European scholar Sergei Boeke's classification framework for national cyber crisis management, the network model is inferred from six factors: coordination of overall cybersecurity policy, coordination of generic (non-war) crisis management, the main public-sector CERTs, government cyber capacity, monitoring of network activity, and the relationship with the intelligence community. The result is that Taiwan's cybersecurity governance model belongs to the "network administrator" type. Third, Taiwan should formally move from "cybersecurity protection" to "cybersecurity defense"; the two differ in mindset. Protection is relatively passive and static, acting only once an incident has occurred; defense takes the attacker into account, thinks dynamically and proactively, and raises the matter to the level of warfare.

Parallel Abstract (English)


This thesis is derived from the Taiwan National Cybersecurity Strategic Report and analyzes the "Cybersecurity Iron Triangle" during Tsai Ing-wen's administration through a Strategic Studies approach. The Internet is highly complex and can be roughly divided into three layers, with various actors in each layer, especially non-state actors, which limits the government's control. In recent years, cyber threats have mainly come in the organized forms of cyber crime, cyber espionage and cyber warfare. In response to the changing environment, Tsai's government implemented the "Information Security is National Security" strategy, strengthening cooperation between government organizations and including the National Communications Commission (NCC) in this strategy, which forms the "Cybersecurity Iron Triangle". The NCC is responsible for the Internet, the National Security Council Information Security Office is responsible for national security issues and intelligence gathering, and the rest is the work of the Executive Yuan Department of Cyber Security (DOC). Three case studies make clear that there is close coordination and cooperation among governmental organizations and between the government and the private sector, and that the new mechanisms are effective.

In the end, three observations were obtained. First, is the "Cybersecurity Iron Triangle" similar to the three-dimensional "strategic pyramid"? The strategic pyramid corresponds to the "Cybersecurity Iron Triangle", in which the Information Security Office is at the apex of the pyramid, the overall strategic level; the DOC is the level of categorization strategy; and the NCC is the level of operational strategy. Second, adapting Sergei Boeke's classification of national cyber crisis management, the network model is inferred from six factors: coordination of cyber security policy, coordination of generic crisis management, main public-sector CERTs, government cyber capacity, monitoring of government networks, and embedding of the intelligence community. From these it is inferred that Taiwan's cyber security governance model belongs to the network-administration type. Third, there is a difference between "cyber security protection" and "cyber security defense". Protection is relatively passive and static, and is only activated when needed. In contrast, defense takes the attacker into consideration and has a dynamic and proactive mindset that is elevated to the level of warfare.
