Introduction

South Korea is one of the most digitally connected countries in the world. Like other digital societies, it is vulnerable to cyber attacks. These attacks can wreak havoc on institutions, disrupt the economy, and erode social trust. Cyber attacks suspected of originating from North Korea, in particular, have become increasingly sophisticated. North Korea has used cyber attacks to achieve its political goals in South Korea (hereinafter Korea or the Republic of Korea—ROK) by stealing information and millions of dollars, sowing a sense of vulnerability in Korean society. Attacks from North Korea and other malicious actors have disrupted information and communications technology (ICT) systems in the ROK government and the country’s private sector. In response, over the last three decades, Korea has developed better and more comprehensive cybersecurity policies aimed at ensuring the capability to prepare, respond, and recover in both the public and private sectors. However, much more remains to be done.

Korea’s cybersecurity effort began in earnest in the 1980s when the government first began to actively promote informatization of the economy, government, and society.1 Furthermore, the government focused on improving e–civil service and enhancing national competitiveness through the implementation of e-government services. Yet, until the early 2000s, this effort was primarily focused on document security and physical security, aimed at providing a blanket of information protection or information security. These cybersecurity-enhancing goals were defined by Korea’s National Intelligence Service (NIS) for the public sector and by the Ministry of Science and ICT (MSIT) for the private sector. But rather than developing a proactive, comprehensive, and nationwide cybersecurity policy or strategy, these agencies mostly limited themselves to responding to malicious activities and working to develop practical countermeasures.

However, the cyber threat had grown exponentially. Actors supposedly associated with Pyongyang had become capable of routinely launching successful attacks on information technology (IT) systems in South Korea. As the damage and disruption from these attacks intensified, public awareness of the need to improve cybersecurity put new pressures on both government and the private sector to develop a more robust set of tactics and tools.2

In 2009, the government at last made its first attempt to publish a national cybersecurity strategy. Three subsequent attempts followed, but these were more like lists of policy action items rather than strategic vision documents. By this point, however, Korea was also engaging in international efforts to address cyber threats and joining intergovernmental partnerships in cybersecurity. For example, South Korea participated in the first and second United Nations (UN) Groups of Governmental Experts (GGE) on information security, was part of the London Process, and hosted the Organisation for Economic Co-operation and Development (OECD) Ministerial Meeting on the Future of the Internet Economy in 2008, which produced the Seoul Declaration.3 Particularly, because of the links between cyber threats and national security, the government in Seoul held discussions with other countries through the framework of both ad hoc multinational and bilateral mechanisms and channels. One result was the Seoul Conference on Cyberspace, held in 2013, which was an important opportunity to reflect on the importance of digital issues in the diplomatic and security fields. The Seoul Framework and Guidelines for an Open and Secure Cyberspace and Best Practice was produced by that conference.4

So Jeong Kim
So Jeong Kim is a principal researcher for the National Security Research Institute. Since joining in 2004, she now leads the cybersecurity policy team and provides recommendations on cybersecurity policy and regulatory issues.

An attempt was made in 2009 to establish a single, national cybersecurity strategy, and cyber attacks were identified as a serious threat in the National Security Strategy published in July 2014.5 It was not, however, until 2015 that the government announced comprehensive measures to strengthen Korea’s cybersecurity posture and appointed a cybersecurity officer in the National Security Council directly under the president of Korea. With this position, the government tried to provide a focal point for better cybersecurity policymaking and coordination. However, three consecutive officers were not fully effective in that role for varying reasons: from their expertise with cyber issues to political differences on who should have overarching authority on cyber-related matters. In the years since 2015, the role of the independent presidential officer of cybersecurity has been merged with that of the secretary of information convergence.

Despite increased awareness of the importance of cybersecurity, there has been very little research by Korean social scientists about how institutions and practices related to cybersecurity have evolved in the country. Instead, the research on cybersecurity has been mostly limited to the writings of a few jurists on narrow legal aspects and the highly technical discussions of cybersecurity practices shaped by engineers, technologists, and security practitioners. This narrow focus on technological solutions has meant that much policy work needs to be done to ensure that such solutions will be effectively deployed and managed.

Different Korean agencies have pushed different messages and competing tools and programs to address cybersecurity. The result has, until very recently, been a lack of effective strategy and institutionalized policy practice. The Korean-convened Global Cyberspace Peace Regime (GCPR), a major platform facilitating highly professional track 1.5 discussions, embracing academic and governmental experts from the Asian region and around the globe, is a step in the right direction.6 Still, contributions from the social science community are lacking. This chapter aims to fill that gap and share lessons learned from Korea’s more recent experience.

Interministerial competition for cybersecurity oversight has been an additional challenge in Korea. Government policies have helped make Korea a high-growth, high-income economy, so the economic ministries have a good deal of clout. But their views of digital issues and particularly cybersecurity are very different from the security agencies. Their priorities and even their cybersecurity language sometimes differ. That said, it is encouraging that internal efforts have started to develop a common terminology or lexicon in this field. It should lead to more coordinated policymaking and action in the future.

Sunha Bae
Sunha Bae is a senior researcher for the National Security Research Institute. She received an MS degree in electrical engineering from the Korea Advanced Institute of Science and Technology in 2009. Bae’s current areas of research interest are critical infrastructure cybersecurity strategy, and the assessment of national cybersecurity capability and cyber attack severity.

The evolution of Korean institutions, policies, and practices and the country’s experience as a target of malicious cyber activity can inform an understanding of its own experiences with cyber defense and data resilience. It can also aid other countries in their approach to cybersecurity.

For more than two decades, major cyber attacks have triggered new initiatives meant to reduce the likelihood of future attacks and reduce the damage and disruption they can cause. After attacks such as the distributed denial-of-service (DDoS) attack in 2009, the attack on broadcasting systems in 2013, and the ransom attack on Korea Hydro and Nuclear Power in 2014, the Korean government responded by announcing new comprehensive measures.7

Cybersecurity Governance

Over the years, the Korean government’s statements about cyber attacks raised awareness among policymakers and the public about the need for more government action to address the threat. Cybersecurity governance was composed of three agencies: the National Cybersecurity Center (NCSC) under the National Intelligence Service for the government and public sector; the Ministry of Science and ICT for the private sector; and then individual response systems for a diverse group of agencies, such as the one at the Ministry of National Defense for the military sector. The NCSC, established in 2004, was named as a general manager, and the National Cyber Safety Management Regulations enacted in 2005 defined each organization’s roles (see figure 10).8

Korea has, in recent years, made significant changes to its framework for cybersecurity. The National Security Council (NSC), which reports directly to the president, has been coordinating cybersecurity since 2015.9 Under the NSC, the NCSC leads practical efforts for cybersecurity across the national government and the public sector where more than 70 percent of the nation’s critical information infrastructure facilities are located.10 Within the NCSC, the Ministry of Science and ICT and the Cyber Command of the Ministry of National Defense are responsible for the private sector and the military sector respectively.

This system has made a positive contribution to the overall improvement of the initial cybersecurity capabilities. There is no doubt as to the effectiveness of many of the measures that were first introduced by public institutions. The state and public sectors actively led cybersecurity technology policies and expanded their application to the private sector, supporting the improvement of technical and managerial capabilities. For example, Korea has cybersecurity regulations that provide the basis for strengthening cybersecurity for both the central government and public institutions. Under these regulations, collecting and sharing information needed to strengthen cybersecurity is specified as a unique duty of the NIS. The NCSC is establishing and operating a National Cyber Threat Information–sharing system for incident investigation and information sharing in public institutions.11 But some have pointed out that a reexamination of the effectiveness of the existing system is necessary due to recent technological development and the expansion and convergence of cyberspace.

To protect critical information infrastructure from cyber threats and attacks, Korea enacted the Critical Information Infrastructure Protection Act (hereafter CIIP Act) in 2001, which has been subsequently amended. Under the CIIP Act, Korea established a Critical Information Infrastructure Protection Committee under the Office of the Prime Minister to coordinate CIIP-related activities among several governmental authorities. The CIIP Act mandates that the NCSC, for the government and public sector, and the Ministry of Science and ICT, for the private sector, have key roles in CIIP activities in each sector. The NCSC, which has developed advanced technologies and trained experts, has taken the lead in the government’s CIIP-related activities and coordinated the activities of other ministries.12 As a result of the CIIP Act, more than 400 facilities, including nuclear power plant systems, transportation systems, and commercial bank networks, have been designated as critical information infrastructure (CII).13

National Cybersecurity Strategy and National Cybersecurity Basic Plan of 2019

In 2019, the publication of a new National Cybersecurity Strategy by the presidential National Security Office was widely regarded as the most important and effective policy document on cybersecurity produced in more than thirty years in Korea.14 It led to redoubled efforts to strengthen the resiliency of Korea’s digital infrastructure and was followed by the establishment of a basic plan and an implementation plan. The strategy identified 5G design and deployment and anti-drone measures as the most critical areas of government focus, both of which were new issues for priority emphasis in Korean cybersecurity and national security.

The goals of this 2019 strategy are to ensure stable operations of the state, respond to cyber attacks, and build a strong cybersecurity foundation in Korea. For this purpose, the strategy sets out three basic principles: balance individual rights with the need for better cybersecurity, conduct security activities based on the rule of law, and build a system of participation and cooperation among domestic stakeholders and foreign counterparts. The strategy encourages individuals, business, and the government to participate in cybersecurity activities, and pursue close cooperation with the international community. It outlines how Korea will ensure it can continue reaping the benefits provided by ICTs while minimizing risks. The strategy is built around six strategic pillars: secured national critical infrastructure, enhanced cyber attack defense capabilities, trust- and cooperation-based governance, cybersecurity industry growth, fostering a cybersecurity culture, and strengthened international cooperation.

The strategy was followed by the National Cybersecurity Basic Plan, which outlines 100 tasks to be accomplished over the next two to three years.15 The strategic tasks and detailed tasks of the strategy are included in the 2019 National Cybersecurity Strategy. Those 100 tasks have, in turn, been categorized as either policy tasks or technological tasks. Policy tasks make up almost 70 percent of the whole plan and include international collaboration, international norm setting, CIIP, crisis management, and information sharing. In addition to the National Cybersecurity Basic Plan, each agency contributes to an annual National Cybersecurity Implementation Plan.

It is very encouraging that various efforts are being made to achieve the vision presented by the strategy through the basic plan and implementation plan. However, revising and refining the plans will require more research in some key areas. For instance, it is necessary to develop deterrence strategies to discourage cyber attacks, but the strategy does little to make headway in this area. In particular, in-depth discussions with the national security agencies should reflect the scope, intensity, and impact of the increasingly serious cyber attacks—in both military and economic terms. In this regard, the strategy needs to more clearly articulate goals and define terms, as well as explain how responsibilities are assigned to government agencies as well as to private sector organizations. An improved strategy should start with a thorough threat analysis, which would then be updated as necessary, to enable well-informed, data-driven decisionmaking.

Revision of the National Intelligence Service Act

Since 2006, the ROK has worked to implement the so-called Cybersecurity Basic Law to make clear each agency’s role and responsibility and the nationwide cybersecurity framework. The National Intelligence Service, in particular, has pushed for the enactment of the Cybersecurity Basic Law, revised the National Intelligence Service Act, and established the basis for its role regarding cybersecurity. On that basis, the government revised the National Intelligence Service Act in 2020 and enacted the Cybersecurity Business Regulations in 2020 that stipulated the National Intelligence Service’s role in cybersecurity.

The revision established the scope of the NIS’s cybersecurity operations in Article 4 of the National Intelligence Service Act, which defines three main tasks: collection, analysis, and distribution of cybersecurity-related information; countermeasures related to cybersecurity performance; and preventing and responding to cyber attacks and threats against government agencies and public sector institutions.

In addition, the name of the National Cybersecurity Center was changed from “cyber safety” to “cybersecurity” in Article 3(3) of the Cybersecurity Business Regulations.16 The National Intelligence Service Act emphasized that the security of cyberspace is an important national security issue. The act therefore defined cybersecurity as one of the key tasks of the National Intelligence Service (NIS), and the center was renamed to match the name of that NIS task. In addition, when the National Cybersecurity Center was established (in 2004), the term “national security” was often translated as “safety” in Korea, but more recently it has been generally translated as “security.”17

Article 8 of the Cybersecurity Business Regulations provided the basis for establishing and implementing basic measures for cybersecurity, led by the NIS in consultation with the National Security Council and other central government agencies. The National Security Research Institute was designated as a research-and-development (R&D) specialized institution for cybersecurity affairs to expand its work to develop the strategies, policies, and technologies necessary to improve cybersecurity (in Article 17).

Nevertheless, much like the national cyber strategy, the NIS law and the enforcement ordinance of the law also have room for improvement. First, some terms are not defined under these regulations in a consistent way—not least, the very definition of “cybersecurity.” The National Cyber Safety Management Regulations defined this as encompassing three things—cyber attacks, cyber safety, and cyber crisis—but the revised NIS law and the newly enacted enforcement ordinance have no clear definition of “cybersecurity.”18

It is also necessary to clarify the duties of the different offices and agencies involved in cybersecurity and cyber resilience. For instance, the NIS can collect, create, and distribute “cybersecurity-related information including information on international hacking group and state-sponsored group” according to the law’s Article 4.19 But the scope of “international and national hacking groups” has not been defined in the law.20

Korean New Deal

Various fields in Korea, including ICT and cybersecurity, have changed due to the coronavirus pandemic that hit in 2020. With the explosive growth of telecommuting and online services such as telemedicine (which some Koreans refer to as “untact”—a new word combining “un” and “contact”), Korea’s dependence on ICT technology is expanding more rapidly than ever before. The government announced the Korean New Deal in July 2020 to overcome the economic recession after the pandemic and to change the paradigm across Korea’s economy and society.21 The Korean New Deal applies to both the public (excluding the military) and the private sectors and consists of three projects: the Digital New Deal, the Green New Deal, and the Strong Safety Net. Cybersecurity is included in the Digital New Deal project.

The Digital New Deal is a policy aimed at promoting and spreading digital innovation and dynamism across the economy by expanding the digital divide based on ICT, such as e-government infrastructure services. Cybersecurity is mainly related to the first project on “stronger integration of DNA (data, networks, and artificial intelligence) throughout the economy.” That project consists of four subprojects, and two of them deal with cybersecurity.

The first subproject is focused on “making a smart government that utilizes 5G and AI.” The government will implement pilot projects based on blockchain technology, establish 5G at all government complexes, and transition to cloud computing for public information systems by 2025. Systems for citizen services, such as homepages for public disclosure, will be transferred to a private cloud center. And systems for public administration are scheduled to be relocated and integrated into a public security cloud center with enhanced security functions.

And the second subproject is focused on “advancing cybersecurity.” Cybersecurity threats are becoming more sophisticated and causing widespread damage due to digitalization and the spread of untact services. So, the goal of the project is to make the digital environment safer, enable untact services in daily life, and to foster the security industry.

The “advancing cybersecurity” initiative is divided into three domains: firms, people, and industry. First, for firms, the government helps unprepared SMEs make the security investments needed to strengthen cyber defense, diagnose threats, and improve response. In addition, special emphasis is put on addressing vulnerabilities in untact services. For people, the government supports major public facilities for software and website inspections, remote security checks, and safety measures to enhance cybersecurity for people’s daily lives. Lastly, for industry, in order to revitalize the cybersecurity industry ecosystem, the government is promoting the application of new technologies such as blockchain and fostering promising AI-based security companies.

The Evolution of Korean Cybersecurity Policy

Notions of cybersecurity—and the challenges it presents—have evolved significantly in Korea over the last twenty years. This is reflected through the development of concepts and terminology used to describe digital technologies and cyber threats.

Research and Development Trend Analysis (by Keyword Comparison)

This chapter’s analysis of keywords in cybersecurity-related academic journals demonstrates how research trends in cybersecurity have changed during the last two decades in response to new threats and to the increased attention being paid to this issue.22 The papers analyzed are limited to highly respected Korean-language journals registered in the Korean Citation Index (KCI).23 The National Research Foundation of Korea, which manages research journals (including papers published by domestic academic societies), does an annual ranking of journals to determine which will be recognized as KCI-registered journals.

To analyze research trends, the authors divided the catalogue of published papers into four time periods based on when major cyber attacks hit Korea after 2001. The major cyber attacks during this period were the 2003 internet disruption, the 2009 DDoS attack, and the KHNP hacking in 2014.

From 2001 to 2003, keywords related to the information society, laws, ethics, and passwords frequently appeared. Information security terms began to be used in the 2004–2009 period. For example, keywords and phrases such as “personal information protection,” “privacy,” “self-regulation,” “government regulation,” “RFID,” “risk analysis,” and “biometrics” began to creep into Korean academic and policy discussions. It was during this period that the Korean government began to regulate the internet. Measures such as an online identification system were implemented, but this led to controversy about freedom of expression on the internet. As a result, the need for self-regulation emerged and the Korea Internet Self-Governance Organization was established in 2008.

For 2010–2014, as in previous time periods, “information protection,” “information security,” and “personal information protection” appear at the top of the rankings. But keywords such as “security policy,” “information protection governance/management system,” and “cybersecurity” appear at the top for the first time, suggesting a further evolution in Korean thinking. Finally, from 2015 to September 2019, the top keywords were “information protection,” “information security,” and “cybersecurity.” Related keywords such as “security,” “basic law,” “cyber terrorism,” and “cyber crime” were also widely used.

This study shows that terms with similar meanings to cybersecurity, such as “information protection” and “information security,” were incorporated into the research over time. Such terms often lacked clear definitions. Part of the reason for this is that due to interministerial competition, a cyber glossary was not (and still has not been) clearly defined by the government. The development of a cyber glossary, drawing on U.S. and other international research, is essential for the future development of Korea’s cybersecurity policy.

Strategic Training and Competition

In South Korea, the Cyber Conflict Exercise (CCE) is a competition sponsored by NIS and NSR and includes a so-called strategy game.24 During the CCE, situation report procedure and media response training are part of the strategy game to highlight the importance of comprehensive crisis response capabilities during a cyber crisis, and to improve not only technical response capabilities but also policy response capabilities.

Situation reporting is an activity that promptly “reports a summary of the current situation and related response activities accurately.”25 It is essential in the event of a cyber crisis. Quick, accurate analysis is needed to identify the cause of the accident and establish countermeasures, support rapid recovery, prevent further spread of damage, and promote coordination and cooperation in response with related domestic organizations.

Media response refers to the activities of participants in the competition to analyze trends in media such as newspapers and social networking services, and to respond to direct inquiries from media parties. In order to limit the cascading effects caused by attacks and minimize social confusion in a crisis, participants need to create content and prepare efficient and consistent communication measures that build and maintain the trust of the public and the media in peacetime as well as in crisis situations.

The policy training scenario consisted of a cyber attack on government agencies and infrastructure in a virtual city called Hope City, Korea, and simulated the response of government officials and other key players. A status report provided a cyber warning at each stage of the exercise. Participants briefed the “media” in the middle of the competition process, and via inquiries and answers on social media.

Most of the participants had no history of work related to situation reporting or media response, but they received positive evaluations, having gained experience in crisis communication and policy decisionmaking through strategic games. These games and simulations helped participants realize the need to improve policymakers’ ability to respond to a cyber crisis.

In 2021, the ROK joined the North Atlantic Treaty Organization’s Locked Shields exercise.26 Korea’s participation in the exercise, which combines technical exercise and strategic exercise, was led by the NIS,27 and the government placed great significance on participating in the strategic exercise.28

Strengths and Weaknesses of Korean Cybersecurity Capabilities

Korea is among the most connected economies in the world. This is expected only to intensify with the arrival of the Fourth Industrial Revolution (4IR) and its expansion of machine learning and artificial intelligence. Many Koreans view the 4IR as a new driving force for innovative growth in one of the world’s most innovative economies. Better cybersecurity will be a prerequisite to the success of the 4IR. That is why Korea is investing, including in international cyber partnerships, to promote better cybersecurity policies and practices at home while offering its distinctively Korean contributions to other countries.

K-Global Cybersecurity Capability Assessment and Applicability

Korea has developed a tool to make basic data available for cyber-related decisionmaking: the Korea Global Cybersecurity Capability Assessment (GCCA) tool.29 It assesses the national competency level through comparison and analysis with other countries according to selected criteria.

As interest in the GCCA has increased and research has continued, the scope of the project has expanded. Initially, the main purpose of the GCCA was to focus on understanding the current state of cybersecurity and suggest new directions for policy development and capability-building measures. Recent additions to the GCCA can help foster global cooperation, information sharing, and awareness raising. These additions facilitate sharing of policies, technical standards, and best practices between countries. Due to the global nature of cyberspace, the boundaries between countries are blurring and attacks using cyber infrastructures in other countries are easy to carry out and harder to attribute. For that reason, Korean government officials and corporate leaders tend to emphasize how international security is affected by cyber attacks to critical national infrastructure. Through capability assessment, Korea aims not only to strengthen cybersecurity, but also to lay the foundation for strengthening cybersecurity through cross-border cyber defense programs with international partners, enabling cooperative responses to global cyber threats. This trend is well reflected in the International Telecommunication Union’s Global Cybersecurity Index 2018.30

The GCCA was developed by the NSR using a national cybersecurity assessment methodology that reflects Korea’s own unique and distinctive characteristics. The assessment is conducted through expert surveys, with seventeen assessment criteria in five categories: policy, legislation, organization, technology, and education/training.

The policy category provides an assessment of the will and direction to strengthen cyber capabilities at the national level, and consists of five criteria, including cybersecurity policy and infrastructure protection policy. The legislation category provides an assessment of the legal basis for policy promotion, and consists of four criteria, including the level of development of cybersecurity regulations and critical infrastructure protection legislation and regulations.

The categories of organization, technology, and education and training assess the level of implementation of national cybersecurity policies and laws. In the organizational category, there are four criteria, including the level of development of the Korean organizations responsible for cybersecurity and the role of critical infrastructure protection organizations. In the technology category, there are three criteria: the level of development of cybersecurity R&D programs, the establishment of standards, and technology adoption. In the category of education and training, there are three criteria, including education programs for training professional manpower.

As assessment result indicators, rankings by country were derived for comparative analysis with leading countries. This helps decisionmakers to identify the strengths and weaknesses of each country. In comparison to other countries that have used the assessment tool, Korea was assessed relatively high in terms of the establishment of infrastructure protection standards and implementation of cybersecurity technologies. However, it was assessed to be relatively low with respect to governance and cybersecurity R&D education programs.

Strengths and Weaknesses of Korea’s Cybersecurity Capabilities

To analyze the strengths and weaknesses of Korea’s cybersecurity capabilities, therefore, the authors conducted an importance performance analysis (IPA). The IPA is a method that sets priorities by using the importance and performance of an analysis target.31 It has been used in various social science fields, such as public administration, policy studies, and business administration.

The IPA displays the results in a quadrant centering on the average value of importance and performance. In the GCCA, the x-axis was defined as the importance of each criterion and the y-axis was defined as the score for each criterion. The IPA matrix was derived by crossing the two axes using the median value for the x-axis and the average value for the y-axis as the origin. Quadrant I (“Keep up the good work”) contains criteria with high importance and high scores, for which it is desirable to maintain the current status. Quadrant II (“Possible overkill”) contains criteria that scored higher than their importance and require passive management. Quadrant III (“Low priority”) reflects both low importance and performance, requiring mid- to long-term improvement. Quadrant IV (“Concentrate here”) includes criteria that have a high importance but a low score, so they involve items that need intensive improvement in the future.32
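The quadrant placement described above, as an added example that is not part of the original chapter or the authors' tooling: it uses the median importance and the mean score as the origin and shows how the choice of origin can move a criterion between quadrants. The criterion names and values are constructed for illustration; counting a tie with the origin as "high" and ordering quadrant IV by score shortfall are assumptions the chapter does not specify.

```python
from statistics import mean, median

# Quadrant labels as the chapter names them.
QUADRANT_LABELS = {
    "I": "Keep up the good work",
    "II": "Possible overkill",
    "III": "Low priority",
    "IV": "Concentrate here",
}

# Constructed sample: criterion -> (importance, score). Not GCCA survey data.
SAMPLE = {
    "A": (4.8, 4.2),
    "B": (4.6, 2.9),
    "C": (3.1, 4.0),
    "D": (3.8, 2.5),
    "E": (4.0, 3.0),
    "F": (1.5, 3.9),
    "G": (4.1, 3.8),
}


def ipa_matrix(criteria, x_center=median, y_center=mean):
    """Place each criterion in an IPA quadrant.

    x-axis = importance, y-axis = score. The defaults follow the chapter:
    median importance and average score form the origin.
    Returns ((x0, y0), {criterion: quadrant}).
    """
    if not criteria:
        raise ValueError("at least one criterion is required")
    x0 = x_center([imp for imp, _ in criteria.values()])
    y0 = y_center([score for _, score in criteria.values()])
    placement = {}
    for name, (imp, score) in criteria.items():
        # Assumption: a value equal to the origin counts as "high".
        # With an odd number of criteria one always sits on the median.
        high_importance = imp >= x0
        high_score = score >= y0
        if high_importance and high_score:
            placement[name] = "I"
        elif high_score:
            placement[name] = "II"   # scores above its importance
        elif not high_importance:
            placement[name] = "III"
        else:
            placement[name] = "IV"   # important but under-performing
    return (x0, y0), placement


def concentrate_here(criteria, **centers):
    """Quadrant IV criteria, largest shortfall below the score origin first.

    The ordering is an assumption added here; the chapter only says that
    quadrant IV items need intensive improvement.
    """
    (_, y0), placement = ipa_matrix(criteria, **centers)
    in_q4 = [name for name, quadrant in placement.items() if quadrant == "IV"]
    return sorted(in_q4, key=lambda name: y0 - criteria[name][1], reverse=True)


if __name__ == "__main__":
    (x0, y0), placement = ipa_matrix(SAMPLE)
    print(f"origin: importance median={x0:.2f}, score mean={y0:.2f}")
    for name, quadrant in sorted(placement.items()):
        print(f"{name}: quadrant {quadrant} ({QUADRANT_LABELS[quadrant]})")
    print("priority (median origin):", concentrate_here(SAMPLE))
    # Using the mean for importance lowers the origin because of outlier F,
    # which moves D from quadrant III into quadrant IV.
    print("priority (mean origin):  ", concentrate_here(SAMPLE, x_center=mean))
```

In the constructed data the single low-importance outlier (F) drags the mean importance below the median, so criterion D counts as "Low priority" under the chapter's median origin but as "Concentrate here" under a mean origin.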

The importance of each criterion for the IPA was scored by surveying domestic experts in Korea. The IPA of the GCCA results for Korea shows that the elements that need to be improved to bolster its cybersecurity capabilities mainly include national crisis management policies and legislation, and cybersecurity regulations. Criteria that need improvement in the medium to long term include cyber crime regulations, standards establishment and implementation, and education programs.
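The quadrant assignment described above can be written out as follows. This is an added example, not the authors' code or the GCCA tool: the importance and score values are constructed for illustration and are not GCCA results, and two choices are assumptions the text does not state, namely that a value equal to the cutoff counts as "high" and that quadrant IV items are ordered by importance.

```python
from statistics import mean, median

# Quadrant labels as named in the text, keyed by
# (importance is high, score is high).
QUADRANTS = {
    (True, True): "I: Keep up the good work",
    (False, True): "II: Possible overkill",
    (False, False): "III: Low priority",
    (True, False): "IV: Concentrate here",
}

# Constructed sample: criterion -> (expert importance, assessed score).
# The scales (1-5 and 0-100) are assumptions made for this example.
SAMPLE = {
    "crisis management policy and legislation": (4.6, 48),
    "cybersecurity regulations": (4.4, 52),
    "infrastructure protection standards": (4.5, 88),
    "critical infrastructure protection organizations": (4.3, 80),
    "technology adoption": (3.9, 85),
    "cyber crime regulations": (3.6, 50),
    "standards establishment and implementation": (3.4, 55),
    "education programs": (3.8, 45),
}


def ipa_quadrants(criteria):
    """Place each criterion in an IPA quadrant.

    The origin is the median importance (x-axis) and the mean score
    (y-axis), as described in the text. Returns ((x_origin, y_origin),
    {criterion: quadrant label}).
    """
    if not criteria:
        raise ValueError("at least one criterion is required")
    x_origin = median(imp for imp, _ in criteria.values())
    y_origin = mean(score for _, score in criteria.values())
    placed = {}
    for name, (imp, score) in criteria.items():
        # Assumption: a value exactly on the cutoff is treated as high.
        high_importance = imp >= x_origin
        high_score = score >= y_origin
        placed[name] = QUADRANTS[(high_importance, high_score)]
    return (x_origin, y_origin), placed


def concentrate_here(criteria):
    """Return quadrant IV criteria, most important first.

    Ordering by importance (then by lowest score) is an assumption of
    this example; the text only says quadrant IV needs priority focus.
    """
    _, placed = ipa_quadrants(criteria)
    hits = [n for n, q in placed.items() if q.startswith("IV:")]
    return sorted(hits, key=lambda n: (-criteria[n][0], criteria[n][1]))


if __name__ == "__main__":
    (x0, y0), placed = ipa_quadrants(SAMPLE)
    print(f"origin: importance={x0:.2f}, score={y0:.3f}")
    for name, quadrant in placed.items():
        print(f"{quadrant:28} {name}")
    print("priority focus:", concentrate_here(SAMPLE))
```

Because the x-axis cutoff is a median, roughly half of the criteria always land on the high-importance side, so the result ranks criteria relative to each other rather than against an absolute bar.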

The Korean government announced its National Cybersecurity Strategy in 2019 and soon afterward announced its associated implementation plan, including eighteen key tasks and 100 detailed tasks in the National Cybersecurity Basic Plan. However, the government failed to assign priorities to each task in the strategy and the basic plan. In the future, according to the analysis of Korea’s global cybersecurity capability evaluation, it will be important for the efficiency of the implementation of each task to be improved by identifying the assessed criteria that need to be given a priority focus (quadrant IV).

Key Features of Cybersecurity Governance and Best Practices in Korea

Cybersecurity Governance

The ROK has continuously encountered cyber attacks. Cyber attacks have occurred at various scales—from simple phishing attacks to infrastructure paralysis. Therefore, the ROK has clarified the responsibilities of organizations addressing cyber threats and established laws and policies to prevent and respond to cyber attacks in both peacetime and crisis periods.

Most components of critical infrastructure in the ROK, including energy, water, and transportation, are designated as public institutions and are operated centrally by the state (almost 70 percent). So, the role of the private sector in strengthening the cybersecurity of critical infrastructure, while essential, is smaller than in many other countries. The state leads the collection and sharing of threat information regarding infrastructure, and the response to cyber attacks on critical infrastructure. Therefore, the establishment and implementation of cybersecurity policies for critical infrastructure could be quickly accomplished with active cooperation without significant opposition or extended negotiations.

Lastly, cybersecurity governance in the ROK involves the public sector, the private sector, and the military, with the National Security Council as the control tower. There is a cooperation framework covering the three sectors. In particular, the NIS, an intelligence agency, has been central since the beginning of the nation’s cybersecurity policy establishment in the early 2000s, and the Joint Cyber Threat Response Team (representing the three sectors) is also under the NIS. The NIS viewed cyber attacks as a national security issue and actively collected threat information. On the other hand, the illegal collection of information using software by the NIS has led to its role in cybersecurity being contentious and led to public distrust.

Good Practices

Over the years, the ROK has taken several measures to prevent recurrences of the damage caused by cyber attacks.

After the 2003 internet disruption, Korea established a mandatory system for constant backup.33 The central government introduced a backup solution near the end of 2003, and it became mandatory for local governments in 2004. After other incidents, countermeasures were focused on the development of defense technologies, such as a proactive response system for DDoS attacks that was established after the 2009 DDoS attack, as well as improving a rapid cyber treatment system for zombie computers following the 2011 DDoS attacks.34

In response to these incidents, the government also acted to strengthen information protection in the private sector. In January 2004, the government revised the Information and Communication Network Act to make safety checks of information protection mandatory.35 The safety check evaluates whether every provider of information and communications services and every business operator of agglomerated information and communication facilities complies with the government’s information protection guidelines to prevent intrusion incidents in the private sector.36 There were complaints from target companies regarding the burden of costs, but the government saw this as an opportunity to raise the security awareness and security level of internet-related companies overall.37

Given Korea’s extensive history with DDoS attacks, the network environment is well equipped with a DDoS attack response system. DDoS response solutions are installed throughout the network infrastructure, and regular simulation exercises are conducted to prepare for attacks. Also, the government distributes DDoS attack response guides to the public and private sector actors and provides blocking measures tailored to the type of attack.

In addition, the network separation system was introduced in central government ministries in 2006 and the network separation of the public sector was completed in 2010. The necessity of network separation in the private/financial sector emerged after the DDoS attacks in 2011, and the scope of the network separation regulations was expanded. The regulations are defined in relevant legislation by sector. According to this legislation, the public sector should separate internal and external networks, and companies, which have more than 1 million personal information records, should separate the computer network where personal information is stored.38 It further states that financial companies should block internet access from their business computers, and ensure that computers for system operation, development, and security are on separate networks.39

Cyber attacks can occur anytime. So thorough preparations are carried out when hosting large-scale events at the national level, such as the Olympics. Despite that, when Korea hosted the Winter Games at PyeongChang in 2018, information systems related to the Olympics were damaged and most services were stopped due to an attack by an advanced persistent threat (APT) that had been carefully prepared for a long time.

The organizing committee for the Olympics considered the possibility of a cyber attack during preparation and strengthened security when designing the system. In addition, high-intensity hacking exercises, penetration testing, training, information protection pre-diagnosis, and personal information impact assessments were also conducted.40 In particular, the committee installed a very advanced defense system against DDoS attacks, which are the main type of attack. The committee organized and operated an information protection system that cooperated with government departments such as the NIS, the Cyber Police Agency, and Cyber Command, as well as an advisory organization composed of private companies and white hat hackers.

A quantitative evaluation of the effectiveness of various cybersecurity policies of the Korean government has not been conducted. However, the results of an annual survey targeting public organizations and private companies in charge of information protection show that the number of cyber attacks that cause damage is decreasing, and activities for preventing and responding to accidents are being strengthened.41

The National Intelligence Service annually surveys the number of cyber attacks in the public sector targeting 130 central administrative agencies.42 According to the survey, the number of cyber attacks that caused damage is continuously decreasing even though the number of cyber attacks is increasing.

The Ministry of Science and Technology also annually surveys more than 9,000 businesses to establish and implement information protection policies.43 According to this survey, the ratio of system and network security check and backup of important data has been increasing (see figure 18).

The ROK’s experiences could be useful for other countries to refer to when establishing cyber attack prevention and response systems. Until the last few years, the ROK has been a follower, adopting the cybersecurity policies of other advanced countries, but it is increasingly positioned to become a pioneer.

Further Considerations

Due to Korea’s tendency to focus on defense technologies and the fact that different agencies are responsible for different aspects of cybersecurity, the need for a systematic, national cybersecurity strategy was not given high priority. For years, there was no long-term plan or high-level coordinator capable of overseeing an effective national cybersecurity initiative. Instead, after each attack, narrow policy changes were adopted to improve incident response, based on the analysis and experiences with the recent attack.

But preparing to fight the last war does not provide better defenses against new and different threats. And in Korea, it has often seemed that the new policies were aimed primarily at responding to public sentiment and public opinion and showing that policymakers had learned from the postmortems after the incidents.44 Policies and institutions focused only on recovery and defense from severe attacks, not on fundamental improvements to the legal base or addressing related constitutional issues. The establishment of a basic cybersecurity law or strategy to specify essential elements for cybersecurity functions for national security purposes has not been promoted, leaving uncertainty about the direction of cybersecurity policy at the national level, who coordinates cybersecurity policy, the roles and responsibilities by each department, the authority and resources available for rapid response and prevention against cyber threat, and the scope of information collection and sharing.

After recognizing the problem, the NIS, which has a key role in cybersecurity in public institutions, promoted the Basic Cybersecurity Act in 2016, but it was not enacted due to disagreements with other ministries about their roles and responsibilities, and public distrust of the intelligence agency. It wasn’t until 2019 that the government established the first National Cybersecurity Strategy.

The NIS also promoted the preparation of related legislation but encountered opposition and ended up focusing on countermeasures. Time after time, there would be a push for new, far-reaching legislation, but the process would get bogged down, and momentum was lost. This is because there was a culture of “development first, security later,” since IT development was judged to be more important, and policymakers had questions about whether cyber attacks were really serious or threatened national security. Worse, because the various strategy documents were not useful, after each new attack, the narrowly focused policy solutions and systems created resulted in a patchwork of overlapping policies and systems.45

Finally, there has been no response to instigators of cyber attacks. Through government-led investigations, the reason and background of attacks are evaluated, and if the culprit is North Korea, it is ROK practice to have it be publicly attributed. There are few cases of public attribution in the event of attacks from other countries. Indeed, to date, in cases unrelated to North Korea, no prosecution or separate sanctions have been imposed on the attackers. For example, South Korea has not publicly confirmed that the PyeongChang Olympics incident was due to a cyber attack originating from Russia. Nor have there been cases of public attribution or sanctions to help deter frequent cyber attacks originating from China.

There are various reasons specific to Korea for the absence of public attribution.46 One is that the reliability of the results from investigations has been low because the technology to conduct these investigations has not been available in Korea and/or the Korean government has been unwilling to hire foreign computer forensics experts. Another is that there is simply no standing procedure in Korea for public attribution, especially when it comes to foreign actors other than North Korea. However, the ROK has shown willingness to take countermeasures in national cybersecurity strategy and is currently making efforts to identify culprits and prepare procedures for disclosure to deter cyber attacks.47

How Korea Can Improve Cyber Security Policy and Data Resilience

Korea clearly needs to overcome gaps in its cybersecurity policy in light of these challenges to its current policy approach and governance. Indeed, recent cyber attacks show the strengths and weaknesses of Korea’s current cybersecurity capabilities.

The government needs to begin by changing its posture both to deter and to respond to future cyber attacks. Even though Korea has been the target of several large-scale cyber attacks, an analysis of twenty years of major cyber attacks reveals no evidence of active responses against the attackers. In the case of an attack that caused anxiety to the entire nation, such as the attack on KHNP, there was no diplomatic response or action taken to respond to the attackers at all, even though a government joint investigation team analyzed the malicious code and Internet Protocol data used in the attack and found the source.

This should change in the future. The Korean government has announced its willingness to actively respond to attacks that undermine public trust. And the goal of ensuring a proactive deterrent against cyber attacks was included in the National Cybersecurity Strategy in 2019. As part of this, the government announced plans to actively respond to all cyber attacks that infringe upon national security and national interests by concentrating national capabilities and acquiring effective means to analyze causes of cyber attacks and identify the culprits.

Such a proactive response to cyber attacks would be welcome: it can contribute to raising awareness of cybersecurity among decisionmakers—in both the public and private sectors—and to raising the priority of cybersecurity when crafting future policies.

Second, it is necessary to expand the government’s effort to address issues of economic and security threats caused by cyber attacks. The Korean government’s established policies focus on political and military security in response to cyber attacks. However, cyber attacks on Korean cryptocurrency exchanges to steal financial profits are increasing, as demonstrated by the recent attacks on Coinrail (2018), Bithumb (2018), and Upbit (2019).48 In addition, it was revealed that Korean universities were included in the cyber attacks when China took over IT systems used for marine science and technology research at three universities around the world in 2019.49 Chinese cyber attacks to steal intellectual property from other countries are also increasing.50

This shows that although cyber attacks are not equivalent to war or armed attacks, they can still cause billions of dollars of economic harm or lead to the theft of critical intellectual property in peacetime, threatening Korea’s economic security. For this reason, policymakers need to focus on economic, political, and military security in tandem. They must recognize that the internet and the cloud have become a space for military operations and that better defenses against cyber attacks are needed. In Korean cybersecurity policy, expanding the priorities for securing economic security and establishing cybersecurity policies that consider economic security seem to be ways to pursue effective benefits in establishing a cybersecurity framework.

Ultimately, Korea needs a national cybersecurity risk management system and many more concerted efforts to strengthen cybersecurity resilience in national public institutions. According to research by Specops Software, Korea ranked fifth in the world in terms of the number of cyber attacks between 2006 and 2020, and these attacks are occurring more and more frequently.51 Korea is also highly dependent on electronic government, ranking second in the UN’s 2020 Global E-government Development Index.52 Since cyber defenses will never be bulletproof, it is necessary to build tolerance and strengthen resilience against cyber attacks in order to prevent and respond to cybersecurity incidents at the national level.

Backup systems are essential to minimizing damage. A key part of improving cyber resilience of national public institutions is expanding the introduction of cloud solutions through the Cloud Service Assurance Program (CSAP). The CSAP supplies public institutions with private cloud services that have verified safety and reliability, and it has a similar purpose to the United States’ Federal Risk and Authorization Management Program. The scope of certification covers all cloud services for public institution work and services including assets (such as ICT systems, facilities, and so on), organization and management, operations, and support services. There are fourteen categories of control for certification, including cybersecurity policy and organization, supply chain management, and incident management.

If the cloud service is expanded in government agencies, high-quality security solutions (such as antivirus, intrusion detection, and response systems) can be made available at a low cost. In addition, strengthening the security of cloud computing systems can prevent damage and destruction of important data, which will contribute to resilience. This will help the Korean public sector ensure a more rapid response in the event of a future cyber crisis.

Notes

1 Korea has been making continuous efforts to realize an information society, first introduced the internet in 1982, and commercialized it in 1994. NIS, “National Cybersecurity White Paper 2004” (in Korean), 2004, p. 3.

2 Awareness of information protection has increased across the country, including government agencies and telecommunication companies after the 2003 internet disruption. NIS, “National Cybersecurity White Paper 2004” (in Korean), 2004, pp. 6–7.

3 OECD, “Declaration for the Future of the Internet Economy (The Seoul Declaration),” OECD/LEGAL/0366, adopted on June 17, 2008.

4 “Seoul Framework for and Commitment to Open and Secure Cyberspace,” United Nations, 2013, https://www.un.org/disarmament/wp-content/uploads/2019/10/ENCLOSED-Seoul-Framework-for-and-Commitment-to-an-Open-and-Secure-Cyberspace.pdf.

5 JinKyu Kang, “NIS, National Cyber Security Strategy to Be Implanted in the Second Half of Year,” Digital Times, June 11, 2009, https://www.dt.co.kr/contents.html?article_no=2009061202010560739004.

6 The National Security Research Institute has hosted the GCPR five times since 2014 with the NCSC and the Ministry of Foreign Affairs (three times).

7 Sea Min, “Significantly Strengthen National Cybersecurity” (in Korean), BoanNews, March 18, 2015, https://www.boannews.com/media/view.asp?idx=45697&kind=2.

8 NIS et al., “White Paper on Information Security 2004” (in Korean), 2004, p. 7.

9 From 2015 to 2018, the NSC designated the cybersecurity adviser to lead the cybersecurity efforts nationwide; however, this position was merged with the cyber information convergence adviser under the same NSC.

10 NIS et al., “White Paper on Information Security 2021” (in English), 2021, p. 64.

11 The NCSC investigates the causes and attack vector of cyber incidents that occur in the national computer network and shares information to prevent and respond to cyber attacks in the public sector.

12 Most critical infrastructure in the ROK is owned by public institutions and is operated by the government. In fact, the Korean government continued to promote the privatization of public enterprises to enhance the competitiveness of public institutions, and as a result, some infrastructure such as finance, power generation, telecommunications, airports, and transportation were privatized. However, due to various problems such as resistance from stakeholders and lack of information on the privatization of public enterprises, partial privatization happened rather than absolute privatization, and in many cases, the ownership could not be transferred. As a result, the company manages and operates the infrastructure, but the government budget is injected and the government can intervene in the management. As a result, the government is leading efforts for infrastructure cybersecurity, but management and operating companies are also actively participating in the development and implementation of government policies.

13 Supra note 12, p. 6.

14 National Security Office of Cheong Wa Dae, “National Cybersecurity Strategy” (in Korean), April 2019.

15 National Security Office of Cheong Wa Dae, “National Cybersecurity Basic Plan” (in Korean), September 2019.

16 In English, the NCSC has been represented as the National Cyber Security Center; however, it was originally named the National Cyber Safety Center. This has resulted in some confusion about the NCSC among Koreans.

17 Kum Hyun, “How Did Security Become ‘Security’ (An-bo in Korean)? Focusing on the Process of Transition to ‘Safety’ (An-jeon in Korean), ‘Ensure Security’ (An-Jeon Bo-Jang in Korean), and ‘Security’ (An-bo in Korean),” Korea Journal of International Relation 60, no. 4 (2020): 41–77.

18 The National Cyber Security Management Decree defines as follows: The term “cyber attack” means any attack that illegally invades, disrupts, paralyzes, destroys, or intercepts information on the national information and communications network by electronic means, such as hacking, computer viruses, logic bombs, mail bombs, service interruptions, etc. The term “cyber safety (security)” means the state of maintaining stability, such as the confidentiality, integrity, availability, etc. of national information and communications networks by protecting the national information and communications network from cyber attacks. The term “cyber crisis” means a situation in which information distributed and stored through information and communication networks from cyber attacks is leaked, changed, or destroyed, affecting national security, creating social and economic chaos, or undermining or suspending key functions of the national information and communication system.

19 Korean National Law Information Center, “National Intelligence Service Act” (in Korean), https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EA%B5%AD%EA%B0%80%EC%A0%95%EB%B3%B4%EC%9B%90%EB%B2%95.

20 Supra note 23, p. 10.

21 Ministry of Economy and Finance, “Korean New Deal: National Strategy for a Great Transformation,” April 2020. See https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4948.

22 Minkyung Song, “Trend Analysis of Information Protection Research in Korea,” Korea Institute of Information and Security and Cryptology, Chungcheong Chapter (KIISC CC), 2019.

23 The KCI is a system to analyze citation relationship among articles in a database of domestic journals, articles (including original papers), and other references.

24 It was conducted at the CCE 2019 by the authors.

25 “Situation Report (SITREP) Template,” Persimmon Group, April 3, 2016, https://www.thepersimmongroup.com/situation-report-sitrep-template/.

26 Locked Shields is NATO’s cyber defense exercise. See more at https://www.ccdcoe.org/exercises/locked-shields.

27 The NIS formed a joint team with the Korea Electric Power Corporation and the National Security Research Institute. Technical training to defend against attacks on systems and strategic training to introduce Korea’s cybersecurity policy were conducted by dividing manpower by sectors such as energy, defense, and network.

28 ByungChul Won, “NIS Participates in Locked Shield, Which Is World’s Largest Cyber Defense Exercise, for the First Time,” BoanNews, April 14, 2021, https://www.boannews.com/media/view.asp?idx=96502.

29 Sunha Bae and Minkyung Song, “K-Global Cybersecurity Capacity Assessment and Application,” GCPR 2019, September 30, 2019.

30 The Global Cybersecurity Index (GCI) is a multi-stakeholder initiative to raise cybersecurity awareness and to measure the commitment of countries to cybersecurity and its wide field of application cutting across industries and sectors. Find the 2018 edition at https://www.itu.int/pub/D-STR-GCI.01-2018.

31 John A. Martilla and John C. James, “Importance-Performance Analysis,” Journal of Marketing 41, no. 1 (1977): 77–79.

32 Supra note 37, p. 18.

33 Gayong Moon, “2003: 1.25 Internet Disruption, Changing the Frame of Information Protection,” BoanNews, May 12, 2019, https://www.boannews.com/media/view.asp?idx=79427.

34 Gilju Lee, “Established a DDoS Response System for Public Institutions,” Korea Information Telecommunication News, October 2009, http://www.koit.co.kr/news/articleView.html?idxno=32885; Chulsun Park, “3.4 DDoS Cyber-Attack Response and Future Countermeasures,” Korea policy briefing, March 2011, https://www.korea.kr/news/policyNewsView.do?newsId=18709693.

35 Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. (January 29, 2004) Article 46(30), see https://www.law.go.kr/LSW//lsInfoP.do?lsiSeq=58583&chrClsCd=010203&urlMode=engLsInfoR&viewCls=engLsInfoR#0000.

36 The Safety Check of Information Protection System was changed to the ISMS (Information System Management System) in 2012.

37 Sujeong Sin, “Issues and Implications for the Safety Check of Information Protection System,” BoanNews, March 13, 2006, https://www.boannews.com/media/view.asp?idx=1688&direct=mobile.

38 Enforcement decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. (August 18, 2012); National Information Security Basic Guideline (Confidential).

39 Dain On, “Network Separation Regulations Need to Be Reorganized in Accordance With Data Importance,” ETNews, June 28, 2020, https://etnews.com/20200626000119.

40 Kyungae Kim, “PyeongChang Olympic Target Attack! Defense With Real-Time Detection and Sharing System,” BoanNews, January 9, 2018, https://www.boannews.com/media/view.asp?idx=65988&kind=2.

41 The results of the survey are published annually through the “White Paper on Information Security.” The English version of the “White Paper on Information Security” will be published this year, and more detailed information can be found there.

42 NIS et al., “White Paper on Information Security 2021” (in Korean), 2021, p. 218.

43 NIS et al., “White Paper on Information Security 2021” (in Korean), 2021, p. 243.

44 Final research report for commissioned project in KISA, “A Study on the Comparative Method of Information Protection Legislation to Strengthen the Cyber Security Framework (KISA-WP-2015-0042),” 2015.

45 In order to address the lack of a single point person to lead responses to cyber attacks, the NCSC was designated as a “control tower” by the National Cyber Crisis Comprehensive Countermeasures (2009) and the National Cyber Security Master Plan. Nevertheless, criticisms of the lack of coordination continued until the National Cyber Security Comprehensive Measures (2013) designated the Blue House National Security Office as the “control tower.”

46 Public attribution in its most elementary form is the blaming of a particular actor as responsible for a cyber incident. It can be done by a variety of actors, including governments, companies, and NGOs. But public attribution by the government is mainly considered in this chapter because government action to assign blame is an inherently political act. Florian J. Egloff, “Contested Public Attributions of Cyber Incidents and the Role of Academia,” Contemporary Security Policy 41, no. 1 (2020): 55–81.

47 National Security Office of Cheong Wa Dae, “National Cybersecurity Strategy,” April 2019, p. 16.

48 HyungJoong Yoon, “Coinrail Hacking, 10 Types of Coins Such as Ethereum Leaked Worth 45 Billion Won,” Coindesk Korea, June 11, 2018, http://www.coindeskkorea.com/news/articleView.html?idxno=22904; BBC News Korea, “Exchange Hacking Continues to Steal 35 Billion Won Worth of Virtual Currency,” June 20, 2018, www.bbc.com/korean/news-44543609; GeunMo Park, “Upbit Hack Ethereum About 20,000 Out of 342,000 Can Be Washed,” Coindesk Korea, January 16, 2020, http://www.coindeskkorea.com/news/articleView.html?idxno=65024.

49 Emily Price, “Chinese Hackers Targeted 27 Universities to Steal Maritime Research, Report Finds,” Fortune, March 5, 2019, https://fortune.com/2019/03/05/chinese-hackers-targeted-27-universities-to-steal-maritime-research-report-finds/.

50 According to the Council on Foreign Affairs’ Cyber Operations Tracker, in 2017, the Bronze Butter Group spied on companies in the fields of biotechnology, electronics manufacturing, and chemistry. In 2018 and 2020, China’s Winnti Group conducted cyber attacks targeting Korean game and software companies. In 2020, malicious hackers used Bisonal malware to attack Korean companies and also appeared to use spear phishing to attack government research institutes in Korea.

51 Lanna Deamer, “Which Countries Have Been Most Targeted by Cyber Attacks?,” Electronic Specifier, July 21, 2020, https://www.electronicspecifier.com/products/cyber-security/which-countries-have-been-most-targeted-by-cyber-attacks.

52 See https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2020.