Earlier this month, the National Security Bureau of Taiwan (NSB) released its findings that cyberattacks from China targeting Taiwan government networks had doubled in 2024, to an estimated 2.4 million daily attacks. Of particular concern for the freedom of expression, attacks targeting communications infrastructure rose by some 650 percent in 2024.
These findings, according to the NSB, reiterate “the increasingly severe nature of China’s hacking activities against Taiwan,” which range from hacking to direct attacks on the physical layer of the internet like undersea cables. Such tactics are combined with United Front information manipulation operations.
In this complex digital and information threat landscape, Taiwan must balance a robust cybersecurity governance policy with its commitments under international human rights law, including the freedom of expression and the right to privacy. If Taiwan can successfully navigate between cybersecurity and information resilience while adhering to its democratic values, it may not only resist cyberthreats from China but also Beijing’s global efforts to rewrite the rules of digital governance in ways that threaten internet freedom.
In our forthcoming report, “The Expansion of PRC Cybersecurity Norms: Implications for the Indo-Pacific and the Taiwanese Alternative,” we argue that Taiwan’s approach to cybersecurity governance is a critically more rights-based approach contrasting China’s cybersecurity norms. As such, while ensuring ongoing support against such serious threats, the international community should also empower Taiwan to play a more active role in international norms setting.
China’s Authoritarian Cybersecurity Norms
Through its Digital Silk Road and related partnerships in the region and around the world, China is not only engaged in digital infrastructure development and the export of surveillance technologies but also actively promoting its own digital norms for governing these technologies. This dynamic risks supercharging digital authoritarianism in partner countries and normalizing Beijing’s model internationally. One area where China has prioritized its norms setting, at the expense of human rights protections, is in its approach to cybersecurity governance.
The foundation of China’s cybersecurity norms is the notion of cyber sovereignty, first introduced in a 2010 White Paper, which argued that internet governance is part of national sovereignty and that states may impose policies within their borders as they choose. China has since incorporated its vision of cyber sovereignty within its global norms-setting effort. This raises serious human rights concerns, not least of all through the contrast with the fundamental nature of human rights as universal, indivisible, and interdependent, regardless of borders.
China’s normative model emphasizes the importance of multilateral cooperation over multi-stakeholderism. While it is consistent with Xi Jinping’s insistence that the Communist Party leads on all things, it is inherently at odds with the more civil society inclusive, transparent, and rights-based multi-stakeholder approach. Despite China’s efforts, multi-stakeholderism remains an accepted international internet governance best practice.
Since his remarks at the inaugural meeting of the Cyberspace Administration of China a decade ago, Xi has stressed that cybersecurity and informatization are vital elements of national security and development. China conflates digital development with securitization, especially relating to information critical of the party. This influences laws, policies, and institutions that promote content control, for example, as part of critical information infrastructure management, which undermines the freedom of expression and access to information.
Taiwan’s Transparency and Multi-stakeholderism is a better way
Taiwan is demonstrating a better approach to both resisting serious and persistent cybersecurity threats while also straddling commitments to universal principles.
In contrast to China’s cybersecurity governance norms, Taiwan promotes transparency and multi-stakeholderism. Although Taiwan’s threat landscape is a complex web of cyberattacks and information threats, it has thus far avoided the pitfalls of securitizing information infrastructures. This shows deference to human rights safeguards.
Taiwan’s embrace of transparency by design within the cybersecurity governance ecosystem is a notably more multi-stakeholder approach. Examples include grassroots initiatives like g0v.tw, the Hacks in Taiwan Conference (HITCON), and other hackathons. HITCON, for example, has been a pivotal event since beginning in 2005, fostering cybersecurity awareness and advancing technical expertise. The event, organized by the Taiwan Hacker Association (HIT), includes conferences, workshops, and training programs that address global cybersecurity challenges.
Taiwan integrates effective public consultations into the legislative process, leveraging platforms like the Public Policy Network Participation Platform to balance security needs with civil liberties, ensuring accountability in cybersecurity governance. It serves as a vital channel for civic engagement in cybersecurity policymaking. The platform mandates public notice periods for draft legislation and enables citizens to actively shape policy development through structured dialogue. The Cybersecurity Law Subgroup moderates these discussions, ensuring sustained engagement between citizens and policymakers, with the National Development Council moderating the platform for sustained engagement between citizens and policymakers.
Taiwanese policymakers responsible for shaping cybersecurity and infrastructure governance have, furthermore, emphasized that addressing information threats and harmful online content must never compromise fundamental freedoms of expression. For example, the former minister of digital affairs, Audrey Tang, when faced with public debate over the Draft Digital Intermediary Service Act in 2022, maintained clear institutional boundaries, emphasizing that content regulation should fall outside of infrastructure and cybersecurity governance.
Some critics in Taiwan have criticized this approach as too passive in addressing foreign information manipulation and influence operations (FIMI), but it positions Taiwan as a model for information infrastructure governance that doesn’t give in to content control in ways that infringe on the freedom of expression.
Taiwan’s more rights-based approach to cybersecurity is not without room to improve. One example is that some policymakers in Taiwan have proposed incorporating cyber sovereignty, a concept directly associated with China-backed norms, into Taiwan’s National Security Act. Thus far attempts to embrace cyber sovereignty have failed, but it remains a narrative worth monitoring in Taiwan’s evolving governance framework.
From Resilience to Norms Setting
In our forthcoming report, we position Taiwan’s more rights-based approach for cybersecurity governance as a critical contrast to the diffusion of China’s preferred norms, especially in the Indo-Pacific. Taiwan’s approach seeks to balance the significant threat landscape emanating from Beijing with efforts to avoid arbitrary infringement of human rights and fundamental freedoms.
Given the rapid evolution of cyber threats from China, as noted by the NSB and others, the survivability and adaptability of Taiwan’s cybersecurity capacity will remain a critical task.
The international community should do more to embrace and engage with Taiwan as it continues to balance cybersecurity needs and human rights commitments. While Taiwan should be highlighted at regional and international fora as a critical alternative rights respecting model for cybersecurity governance it can also benefit from greater inclusion and capacity building.
Despite efforts from China to alienate Taiwan, it should be embraced at global internet governance venues and empowered to play a more leading role in digital norms and standards setting. Few international actors are as well versed in both responding to the dire cyberattacks from China and resisting its cyber norms as Taiwan.