research

The Korean Way With Data: How the World’s Most Wired Country Is Forging a Third Way

This volume digs deeply into what we call “the Korean way with data.” It explores Korea’s distinctive experiences, successes, failures, and recalibrations. And it aims to address the question of what can and should be learned from innovative Korean policies and practices.

Published on August 17, 2021

Summary

The emergence of a deep-seated, multidimensional strategic competition between the United States and China has led many to argue that the world is fracturing into two spheres—a Sinocentric order and a U.S.-centric one. One result of this fragmentation, some suggest, could be that Beijing sets the terms of data and internet governance and technology standards in Asian countries and beyond. As the world moves into the next phase of the digital transformation, what was once viewed as a purely commercial and technological competition is increasingly being framed as an existential geopolitical one.

But the United States and China are not, in fact, the world’s only major digital players. There has been a proliferation of policy and regulatory models, and international internet governance is up for grabs as countries experiment, innovate, and share their policy experiences and practices.

Data governance is one critical area of contention because it is increasingly central to next-generation industries and the future of rulemaking in the global economy. Countries such as South Korea and India have developed distinctive national approaches to data governance. Neither country aims to imitate or adopt wholly American, much less Chinese, data policies and practices. They, too, have the potential to drive debates about technology business models and regulatory frameworks.

Korea, in particular, is a digital pacesetter because it is perhaps the world’s most connected country. Indeed, precisely because Korea is such a wired country, much can be learned by examining its policies and regulations in more detail.

Unfortunately, however, Korea’s digital policies are still not widely known, in part because little has been written in English about Korea’s distinctive frameworks, standards, and models. Yet Korea has over the past two decades pioneered important approaches to data governance while accumulating a body of experience with best practices—and sometimes not-so-best practices that it has had to tweak, amend, or replace. These experiences provide useful lessons.

This volume digs deeply into what we call “the Korean way with data.” It explores Korea’s distinctive experiences, successes, failures, and recalibrations. And it aims to address the question of what can and should be learned from innovative Korean policies and practices.

The chapters in this volume illustrate how the Korean government has tried to craft coherent and consistent policies in three important areas related to data: (1) online authentication and data access control; (2) cyber defense and data resilience; and (3) data localization. In each case, Korean policies have evolved by trial and error. Different approaches have been tried. When found to be inadequate, more workable approaches were found.

The resulting frameworks could have broad resonance for countries struggling to address these three issues. Indeed, one reason Korean leadership could be so important is that the bifurcation of the world into a Sinosphere or an American sphere would not serve the interests of most countries. Many countries, even well-established democracies, are developing a hybrid approach. And on data governance, in particular, there has been no putative American-led “Team Democracy” vs. a Chinese-led “Team Autocracy.” The chapters in this volume demonstrate that the future will be much more complex than a battle between U.S.- and China-centric approaches.

The intensifying U.S.-China battle is leading to trade disputes, restrictions on foreign investment, and, increasingly, wholesale bans on the use of foreign web services and apps. Yet countries like Korea have pioneered their own unique approaches to technology governance and regulation.

Korea may offer a third way—one that relies on practices and experiences developed and incubated in a successful democracy that has also carved out an important role for the state and sought a balance between public and private interests and state and market-based approaches.

Introduction: How Korea Can Unleash the Power of Data

The emergence of a deep-seated, multidimensional strategic competition between the United States and China has led many to argue that the world is fracturing into two spheres—a Sinocentric order and a U.S.-centric one. One result of this fragmentation, some suggest, could be that Beijing sets the terms of data and internet governance and technology standards in Asian countries and beyond.1 As the world moves into the next phase of the digital transformation, what was once viewed as a purely commercial and technological competition is increasingly being framed as an existential geopolitical one.

The fact is, however, that the United States and China are not the world’s only major digital players. There has been a proliferation of policy and regulatory models in recent years, and international internet governance is up for grabs as countries, from India to Japan to South Korea, experiment, innovate, and share their policy experiences and practices, successes, and failures.

Data governance is one critical area of contention because it is increasingly central to next-generation industries and the future of rulemaking in the global economy. Countries such as South Korea (hereinafter Korea) and India have developed distinctive national approaches to data governance. Neither country aims to imitate or adopt wholly American, much less Chinese, data policies and practices. They, too, have the potential to drive debates about technology business models and regulatory frameworks.

Korea, in particular, is a digital pacesetter because it is perhaps the world’s most connected country. Korea’s internet access, according to the Pew Research Center,2 reached a staggering 96 percent of adults in 2018, and the country boasts the world’s highest 4G telecommunications availability and highest fixed broadband upload speed, according to a recently published connectivity index.3

Much has already been learned from Korean experiences with technology. Korean consumer electronics companies, such as LG Electronics and Samsung, have grown quickly to become household names around the world. In many areas, from manufacturing to business services, the rest of the world has seen the results of Korean approaches to policy and regulation. Indeed, precisely because Korea is such a wired country, much can be learned by examining those policies and regulations in more detail.

Unfortunately, Korea’s digital policies are still not widely known, in part because little has been written in English about Korea’s distinctive frameworks, standards, and models. In most countries, policymakers tend to look to the United States, Europe, or China for templates as they craft their own digital policies and regulations. Yet Korea has over the past two decades pioneered important approaches to data governance while accumulating a body of experience with best practices—and sometimes not-so-best practices that it has had to tweak, amend, or replace. These experiences provide useful lessons.

This volume digs deeply into what we call “the Korean way with data.” It explores in detail Korea’s distinctive experiences, successes, failures, and recalibrations. Above all, it aims to address the question of what can and should be learned from innovative Korean policies and practices. The chapters in this study highlight the elements of distinctively Korean approaches, establishing a firm foundation on which to compare and contrast what is emerging there with other countries’ experiences and choices.

Korean approaches have demonstrated that persistence, a consistent vision, and innovative policy frameworks can shape a promising digital future. For more than twenty years, policymakers in Seoul have done much to build out national broadband networks and spur the use of digital technologies.

And yet for all of Korea’s successes, much work remains to be done if Seoul is to address three critical challenges:

  • Intensive commitment to online government, banking, and healthcare services requires an online authentication ecosystem that Korea has struggled to create.
  • Intensive digitalization across industries and society makes Korea susceptible to cyber threats and disruptions; several governments and cyber-hacktivist groups have regularly targeted Korea, and will, no doubt, continue to do so.
  • Intensive dependence on cross-border flows of goods, capital, people, and technology in one of the world’s most trade-dependent economies requires a data regulatory framework that meshes with those of Korea’s principal economic partners.

In Korea, as in almost every country, competing ministries with competing priorities often prevent consensus on how best to design policies for the internet and the cloud. This can lead to what could be referred to as “multiple-policy disorder,” a pathology that leads to confusion among both technology companies and technology users.

The three chapters in this volume illustrate how the Korean government has tried to craft coherent and consistent policies in three important areas related to data:

  • developing effective online authentication systems for protecting data and information technology (IT) systems;
  • dealing with cyber threats and improving data resilience; and
  • facilitating the free flow of data internationally while protecting the privacy of Korean citizens.

In each case, Korean policies have evolved by trial and error. Different approaches have been tried. When found to be inadequate, more workable approaches were found.

In all three of these areas, executive leadership from the Korean president’s office helped to overcome inertia and compel ministries to work together. Further refinement and clarification of policies is needed, especially in the area of data localization rules. But, taken together, the resulting frameworks constitute a Korean way with data that could have broad resonance for countries that are also struggling to address these three issues.

Data-Enabled Online Authentication

The first chapter by Jang GyeHyun and Lim Jong-in of Korea University focuses on online authentication and data access, which are essential for improving cybersecurity. An easy-to-use online authentication ecosystem could provide secure access to e-government services, online banking, and healthcare services—all areas where Korea has excelled. And better authentication could go a long way toward making phishing, spamming, disinformation, malicious hacking, and insider cyber theft more difficult and less profitable.

The authors detail a process of trial and error and persistent experimentation with various online authentication initiatives in Korea over the last twenty years. Initial efforts based on the Resident Registration Number resulted in widespread sharing and disclosure of sensitive, personally identifiable information (PII) and had to be shut down. An alternative, I-PIN Korea, was developed fifteen years ago, but could only be implemented using Microsoft’s ActiveX technology, limiting its usefulness. In both cases, it again took intervention by the president himself to stop both efforts and push for better alternatives.

That yields a straightforward lesson: even in an advanced economy like Korea’s, presidential leadership can be the prerequisite of progress. It would have taken much longer for the Korean government officials involved in these efforts to admit that changes were needed without the president’s intervention.

What resulted, however, was an effort to provide a wider, more flexible range of online authentication approaches: In 2012, the Korean government authorized three mobile network operators to provide authentication services. Five years later, the Korea Communications Commission designated seven major credit card companies as new identity-verification agencies. The solutions they have deployed, which have been much more widely adopted and used than earlier government-led approaches, have facilitated e-commerce, e-government, and mobile applications in Korea.

One conclusion is that the Korean government recognized earlier than almost any other government in the world that e-mail and social media platforms could facilitate defamation, fraud, and doxing. It also recognized that better online authentication could reduce these serious and growing problems. In July 2007, a real-name system was launched to prevent anonymous posts on popular internet websites. This led to complaints by privacy and free speech advocates and a lawsuit claiming that the law was not consistent with the Korean Constitution. What is more, because the law could not be enforced on foreign websites like YouTube, Korean domestic websites argued that the law disadvantaged them. Ultimately, in August 2012, the Constitutional Court ruled this law unconstitutional.

This raucous Korean debate over real-name authentication provides a valuable lesson on the need to design online authentication schemes that can meet the need to improve cybersecurity and data access control while respecting the need of internet users and corporations to protect their private information. Unfortunately, in the Korean case, advocates for privacy and civil liberties were not very involved in designing the specifications and policies for online authentication.

So, as Korea and other countries continue to refine their approaches to authentication, they will need to consider how systems and procedures might enable citizens to verify what they are but without providing details on who they are. This might mean that internet users can protect their privacy by using a pseudonym or by sharing personal information with a trusted third party: this could verify that particular user’s attributes, such as age, income, and nationality, without revealing who they are. A number of cryptographic techniques, including homomorphic encryption, are making such privacy-enhancing techniques more practical and secure.

Another lesson of the Korean experience with schemes for online authentication is that the most successful ones will be those that leverage the infrastructure and business relationships of the private sector, including mobile companies and credit card companies. Developing a system solely for a few government applications is unlikely to be very successful, since not many citizens interact with their government on a weekly or monthly basis. If, on the other hand, governments accept the authentication tools that their citizens are already using for online banking or e-commerce, users are more likely to adopt and trust them. And if these private sector–based approaches are being used in more than one country, the potential applications (and economies of scale) will be much larger.

This is another reason that the latest Korean approach could position the country as a champion of better authentication around the world. Estonia and India, which have invested both money and political capital in their national authentication systems, have demonstrated the benefits that effective online authentication can provide. But their government-led approaches are less likely to lead to third countries embracing their approaches as national, much less global, models. As Jang and Lim note, governments that fail to find international partners will suffer from the so-called Galapagos syndrome because their approach to online authentication will not be interoperable with those used by other countries. If governments cannot overcome this challenge, their citizens might need to rely instead upon authentication services provided by global companies like Apple, Facebook, and Google.

Korea also provides an important set of lessons for the United States. Unlike Korea, Washington has been unable to develop a coherent strategy for online authentication despite trying for more than ten years. The National Strategy for Trusted Identity in Cyberspace (NSTIC) announced by former president Barack Obama’s administration in 2011 engaged the full range of stakeholders but failed to agree on how to address such key questions as how to protect users’ privacy; how to leverage private sector solutions; and how to avoid narrow solutions and ensure interoperability and flexibility?4 The good news is that the U.S. Department of Commerce’s National Institute of Standards and Technology is working to build on the work of NSTIC.5 As the United States undertakes this and other cybersecurity efforts, it would do well to learn from Korea’s experience.

Data Resilience

The second chapter by So Jeong Kim and Sunha Bae of Korea’s National Security Research Institute describes in detail how the Korean government has designed a management structure for defining and coordinating cybersecurity policy and improving the resilience of Korean government and corporate information and communications technology (ICT) systems. The chapter documents how the many cyber attacks targeting South Korea over the last twenty years—often originating in North Korea—have triggered a number of narrow policy responses.

But this reactive approach resulted in a patchwork of initiatives rather than the development and implementation of a comprehensive strategy to reduce the number and severity of attacks. So, in 2019, Korea finally adopted a full-blown National Cybersecurity Strategy and an implementation plan.

Today, responsibility for cyber defense is split between the National Cyber Security Center under Korea’s National Intelligence Service (for government and public sector data) and the Ministry of Science and Information and Communications Technology (for private sector data). In addition, several agencies run their own response systems, such as the one at the Ministry of National Defense for the military sector’s data. Successful implementation of this plan will depend critically on the National Security Council under the Office of the President. It must serve as the control tower for policy coordination across the government and between the public and private sectors.

Yet that is no simple task. It will require a multistakeholder approach that reflects not just the needs of the ministries and offices involved but also addresses the diverse and distinctive needs of Korean companies and Korean citizens. Policies that provide multiple solutions that are flexible, affordable, and easy-to-use will work far better than the kind of one-size-fits-all approaches that some other countries have tried. Korea may well show the way.

The authors of this chapter cite recent surveys showing that Korean businesses and government agencies have accelerated efforts to secure their IT systems, protect against denial-of-service attacks, and install systems to back up data and facilitate recovery after an attack. Over the last few years, this has successfully reduced the amount of damage caused by cyber attacks despite a steady increase in the number of attacks. One approach that other countries might wish to emulate, then, are Korean regulations that require data backup systems. This effort is supported by Korean policies pushing for more use of cloud storage, particularly in the public sector through Korea’s Cloud Service Assurance Program, which parallels U.S. government programs like FedRAMP, the Federal Risk and Authorization Management Program.

Data Localization and Privacy

The third chapter by Nohyoung Park of Korea University Law School examines Korean approaches to data protection and data localization, and especially the framework of laws and treaties that Korean policymakers, legislators, bureaucrats, and negotiators have painstakingly assembled over the last two decades. These related issues—protection and localization—are among the thorniest digital policy issues that national governments everywhere are trying to address. And no country has yet found an approach that works for its citizens and businesses and is also both interoperable and consistent with data policies of other countries. The different, often poorly defined and inconsistently applied rules resulting from the Chinese and Indian approaches to localization and the European Union’s General Data Protection Regulation (GDPR) indicate how much work remains to be done.

This is a high bar to clear, but it is especially important for Korea—a country that is incredibly dependent on trade and cross-border economic flows of goods, capital, people, technology, and data—to do so. Despite some slippage during the coronavirus pandemic, Korea’s trade dependency index (the total trade volume proportion of gross domestic product) still came in at a whopping 63.51 percent in 2020, according to the Korean Statistical Information Service run by Statistics Korea of the Ministry of Economics and Finance.6

As a major trading partner with China, the United States, the European Union, and Japan, Korea has a particularly difficult task. Korean firms are exposed to a variety of emerging global data laws, including the different ways European nations are choosing to enforce the GDPR, as well as the California Consumer Privacy Act (CCPA) and the new Indian data protection law, among others. And they must deal, too, with especially tight controls over the regulation of data in China, the country’s largest trading partner.

Yet this is where Korea’s opportunity lies: Korea has the potential to be a model for all of its trading partners and to shape and harmonize policies for cross-border data flows. If Korea can find ways to demonstrate that it has effective data protection measures, Korean firms can earn the trust of both Koreans and foreign companies, which might then be willing to team up with Korean partners. With new advancements in artificial intelligence, machine learning, the Internet of Things, robotics, and bioinformatics, the free flow of data across international borders will become even more important. For Korea to be well-positioned to capture these innovation opportunities, it needs to actively build on its experiences by helping to shape the evolving global regime on cross-border data flows and access.

Park’s chapter lays bare the very real tensions between Korean citizens’ desire for privacy—reflected in the strong Korean data protection laws—and the desire of Korean businesses to take advantage of non-Korean online tools and services and partner with foreign companies. There is also a tension between Korean privacy laws, on the one hand, and, on the other, the desire of both the Foreign Ministry and the Office of the President to be able to sign onto several bilateral and multilateral treaties that impose tight limits on how national law can enforce its data localization requirements. One result has been complaints from the United States—its second-largest export partner after China,7 and second-largest source of foreign direct investment (FDI) stock after Japan8—that Korea is not living up to some of its treaty commitments to allow data from Korea to be exported, especially in the case of sensitive data, such as map data.

The coronavirus pandemic has highlighted the benefits of sharing and analyzing both health data and geolocation data. From Taiwan and China to Korea and Israel,9 major economies have used geolocation data from cellphones for coronavirus-related contact tracing. Data on who has and has not been vaccinated or infected has likewise helped to assess the utility of different types of vaccines and different protection measures.

Park’s chapter traces how Korea enacted the Personal Information Protection Act (PIPA) in 2011, which applies to the processing of personal information in both the private and public sectors. This was followed by the so-called Network Act—the Act on Promotion of Information and Communications Network Utilization and Information Protection—which applies to the protection of personal information processed by information and communications service providers. The most recent data protection legislation, Korea’s so-called three data laws amendments, were adopted in January 2020, combining the data protection provisions of both of these acts into PIPA.

Park explains how implementation of Korean privacy laws can limit the export of data to countries judged to have less rigorous data protection laws than Korea. An additional constraint on cross-border data transfers is the desire for reciprocal treatment of data. If foreign countries do not allow transfer of their citizens’ data to Korea, then Korea may, in turn, block transfer of Koreans’ data to those countries to pressure them to lift their data localization requirements.

The collision of these different policy goals will necessitate some new thinking—and perhaps new business models and new technologies.10 But Korea has seen a high-level push to find ways to maximize the potential of data and emerging technologies, such as machine learning and location-based services. This crystallized in President Moon Jae-in’s June 2020 announcement of what he calls the Digital New Deal to promote expansion and new uses of Korea’s DNA—data, network, and artificial intelligence—ecosystem.11 Still, the Digital New Deal’s ambitious goals to harness digital data for improving health, safety, government services, and business will only be achievable with more consistent and effective data protection regulations and more clear-cut data localization policies.

Korean Policymaking as a Model?

A willingness to shift course after a process of trial and error is not the only reason that Korea has succeeded. The country has also done well with the deployment of specific technologies.

One example is Korea’s rollout of broadband internet over the last thirty years. Here again, Seoul made digital policy a presidential priority. And this involvement by the Blue House made a huge difference. Other world leaders, including U.S. President Joe Biden, have, in the last year or two, accelerated broadband development by making it a priority for their administrations.

Executive leadership at the topmost ranks of government was also important to Korean success because bold-thinking politicians can help to drive or at least entrench broad and consistent political support for a strategic goal. Korea did this by, for example, forging ahead with the ambitious goal of building a national fiber optic network to serve all Korean citizens.

As both the World Bank and,12 more recently, the Electronic Frontier Foundation,13 have explained, the result of Korea’s push for broadband has been to achieve some of the highest internet penetration in the world and, until a few years ago, low costs per megabit for connectivity. The key to this effort was a decision in 1999 to spur competition among the two telecommunications companies that dominated the Korean network business then. What resulted was a vibrant market with four major players and several smaller ones. And the resulting competition and innovation, when combined with state funding for government networks and subsidies for rural broadband, led to one of the fastest and earliest buildouts of fixed broadband networks in the world. Today, Korean companies are among the world leaders in 5G wireless broadband.

Many challenges remain when it comes to Korea’s digital policies. Since early 2016, the Korean telecommunications regulator responded to lobbying from the three largest network services providers, who argued that they were bearing more than their fair share of carrying internet traffic than the smaller networks with whom they interconnected.14 The rapid growth of video streaming services like Netflix had led to a rapid increase in traffic and necessitated more investment in network infrastructure. So, a complex (and frequently revised) internet interconnection fee structure has been imposed,15 which favors the three largest Korean network service providers at the expense of smaller players.16

The idea of government-mandated interconnection fees runs counter to the norm in almost every other country in the world where there is a competitive broadband market. In those countries, we have seen a preference for negotiated contracts between networks. Recently, Netflix, which has challenged the fees, was sued by the Seoul-based SK Broadband in a Korean court. The court found Netflix liable for unpaid fees that could amount to more than $85 million per year.17 This may seem like an arcane dispute between telecommunications companies, yet the fact that the Korean government explicitly favors just three such companies will result in less vigorous competition and less investment. Most importantly, several innovative new online services, such as certain content distribution network and cloud computing services, are not being offered in Korea because of the dramatic increase in networking costs resulting from these new fees. In an afterword at the end of this volume, Kyung Sin “KS” Park and Michael R. Nelson explain in detail the possible adverse consequences of these Korean efforts to impose interconnection fees.

This is an example of where Korean experiences may have gone awry. It is also an area ripe for the kind of digital leadership by Korea’s president that has been such a necessary ingredient of success in the past. From both a political and policy standpoint, such leadership is needed so that Korean internet users and digital innovators are given priority over the interests of just three companies.

These are the choices and trade-offs that face democracies. Korea’s democracy, much like the United States, has struggled with other shared challenges, not least how to contain the damage done by disinformation.18 North Korea has used the internet to deliver disinformation and propaganda to South Korea. But disinformation and rumors generated by South Koreans themselves are also having a major impact, especially on Korean politics.19 For example, Korean internet companies have aggressively blocked websites that spread rumors and bogus news stories. But free speech advocates in Korea (and elsewhere) have fought against government efforts that could limit discourse online.

Korea has the opportunity to find new approaches, perhaps by using the kinds of authentication technologies that Jang and Lim outline in their chapter to validate social media accounts associated with real people while spotting phony accounts used to amplify posts containing disinformation. Of special concern are so-called deep fakes—deceptive images and video created by machine learning algorithms.20 Companies like Microsoft and Adobe are hard at work on new approaches to verifying the authenticity and provenance of online content.21

Another, even thornier, digital issue that is ripe for Korean leadership is encryption. For more than twenty-five years, the governments of major democracies have struggled to craft policies that would enable the use of strong encryption to protect ICT systems and the data they contain while dealing with the threat from criminals and adversaries who use encryption to conceal their activities. This is made difficult because of the very different priorities of the law enforcement and intelligence agencies that want easy and inexpensive access to data, on the one hand, and the agencies responsible for data protection and cybersecurity, on the other.22 There has been little public debate over encryption policy in Korea but there is a clear understanding of how encryption is an essential tool for protecting privacy. In fact, Korea’s Personal Information Protection Act explicitly encourages companies to use encryption to protect sensitive data.

Korea in the Geopolitical Storm

One reason Korean leadership could be so important is that the bifurcation of the world into a Sinosphere or an American sphere would not serve the interests of most countries.

For decades, technology policies have been shaped by two competing approaches: models that empower individual users and innovators (particularly at start-ups) and respect human rights and models designed to give governments more control over what technologies develop, how they are deployed, and which companies profit most (usually large incumbents and national champions).

To some extent, the United States today views itself as the champion of the former. China, by contrast, has both practiced and increasingly argued for elements of the latter.

But many countries, even well-established democracies, are developing a hybrid approach. From Europe to Asia, many democratic governments rely on industrial policies and promote national champion firms. They are taking a strategic approach to the development of technology and the governance of domestic and cross-border data access and transfers, and sometimes disagree on the best path forward.

On data governance, in particular, there has been no putative American-led “Team Democracy” vs. a Chinese-led “Team Autocracy.” Indeed, when former Japanese prime minister Abe Shinzo tried to push forward a cross-border data initiative at the 2019 Osaka G20—the so-called Osaka track,23 which Abe’s government based on a concept of “data free flow with trust” (DFFT)24—India and Indonesia, two prominent G20 democracies that Washington views as key like-minded partners in Asia, refused to sign up.25

Ironically, for all their ideological and strategic differences, Beijing and Washington are approaching the region in similar ways. Both have framed the competition over global rules in increasingly stark terms. Each is suspicious of any regulatory ideas developed by the other. Each is encouraging third countries to accept its preferred norms, standards, and rules. And each has framed the technology challenge, including over data flows, in geopolitical, not just commercial, terms. Each has sometimes coerced others to forestall closer integration with its rival.

Korea could offer a third way—one that relies on practices and experiences developed and incubated in a successful democracy that has also carved out an important role for the state and sought a balance between public and private interests and state and market-based approaches.

The intensifying battle between Beijing and Washington is leading to trade disputes, restrictions on foreign investment, and, increasingly, wholesale bans on the use of foreign web services and apps. Yet as this Carnegie volume clearly demonstrates, countries like Korea have pioneered their own unique approaches to technology governance and regulation.

It is important to highlight these alternative models—and to compare and contrast their distinctive features. The chapters in this volume demonstrate that the future will be much more complex than a battle between U.S.- and China-centric approaches.

Notes

1 Debby Wu, Henry Hoenig, and Hannah Dormido, “Who’s Winning the Tech Cold War? A China vs. U.S. Scoreboard,” Bloomberg, June 19, 2019, https://www.bloomberg.com/graphics/2019-us-china-who-is-winning-the-tech-war/; DealBook, “Inside the New Tech Cold War,” New York Times, October 1, 2020, https://www.nytimes.com/2020/10/01/business/dealbook/tech-cold-war-us-china.html; Adam Segal, “The Coming Tech Cold War With China,” Foreign Affairs, September 9, 2021, https://www.foreignaffairs.com/articles/north-america/2020-09-09/coming-tech-cold-war-china; Stu Woo, “The U.S. vs. China: The High Cost of the Technology Cold War,” Wall Street Journal, October 22, 2020, https://www.wsj.com/articles/the-u-s-vs-china-the-high-cost-of-the-technology-cold-war-11603397438; and Robert D. Kaplan, “A New Cold War Has Begun,” Foreign Policy, January 7, 2019, https://foreignpolicy.com/2019/01/07/a-new-cold-war-has-begun/.

2 Jacob Poushter, Caldwell Bishop, and Hanyu Chwe, “Social Media Use Continues to Rise in Developing Countries but Plateaus Across Developed Ones,” Pew Research Center, June 19, 2018, https://www.pewresearch.org/global/2018/06/19/across-39-countries-three-quarters-say-they-use-the-internet/.

3 Ryan Daws, “Research: These Countries Are the ‘Most Connected’ in the World,” Telecoms Tech News, July 6, 2021, https://telecomstechnews.com/news/2021/jul/06/research-these-countries-are-the-most-connected-in-the-world/.

4 White House, “National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy,” April 2011, https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.

5 National Institute of Standards and Technology, “Identity & Access Management,” U.S. Department of Commerce, accessed July 2021, https://www.nist.gov/identity-access-management.

6 Bae Hyunjung, “South Korea's Trade Dependency Slips in 2019 Amid Sluggish Reports,” Korea Herald, October 18, 2020, http://www.koreaherald.com/view.php?ud=20201018000119.

7 World Integrated Trade Solution, “Country Snapshot: Republic of Korea,” World Bank, accessed July 2021, https://wits.worldbank.org/countrysnapshot/en/KOR.

8 Santander, “South Korea: Foreign Investment,” accessed July 2021, https://santandertrade.com/en/portal/establish-overseas/south-korea/foreign-investment.

9 Human Rights Watch, “Mobile Location Data and Covid-19: Q&A,” May 13, 2020, https://www.hrw.org/news/2020/05/13/mobile-location-data-and-covid-19-qa.

10 Alex Pentland, Alexander Lipton, and Thomas Hardjono, eds., “Building the New Economy,” MITP Works in Progress, accessed July 2021, https://wip.mitpress.mit.edu/new-economy.

11 Born2Global Centre, “Ministry of Science and ICT Rolls out Digital New Deal to Leap Forward Into a New Economy Beyond COVID-19,” PR Newswire, June 15, 2021, https://www.prnewswire.com/news-releases/ministry-of-science-and-ict-rolls-out-digital-new-deal-to-leap-forward-into-a-new-economy-beyond-covid-19-301312248.html.

12 Ovum Consulting, “Broadband Policy Development in the Republic of Korea: A Report for the Global Information and Communications Technologies Department of the World Bank,” October 2009, https://www.infodev.org/infodev-files/resource/InfodevDocuments_934.pdf.

13 Ernesto Falcon, “Why Is South Korea a Global Broadband Leader?,” Electronic Frontier Foundation, March 16, 2020, https://www.eff.org/deeplinks/2020/02/why-south-korea-global-broadband-leader.

14 “South Korea’s Network Infrastructure May Be State of the Art, but the Country’s ‘Pay to Play’ Regime for Delivering Traffic Is an Unprecedented Threat to the Free and Open Internet,” Open Net Korea, September 17, 2020, http://opennetkorea.org/en/wp/3122?ckattempt=3.

15 Michael Kende and David Abecassis, “IP Interconnection on the Internet: a White Paper,” Analysys Mason, May 21, 2020, https://www.analysysmason.com/consulting-redirect/reports/ip-interconnection-korea-white-paper/.

16 Kyung Sin “KS” Park, “The World’s Only Attempt to Legislate ‘Network Use Fees’ Will Further Damage Consumers – the Illusion of Charging ‘Delivery Fees’ on the Internet Will Disincentivize Investment in Network Expansion,” Open Net Korea, May 11, 2021, http://opennetkorea.org/en/wp/3265.

17 Song Su-hyun, “[News Focus] Netflix’s Net Neutrality Logic Loses Ground in Korea,” Korea Herald, June 28, 2021, http://www.koreaherald.com/view.php?ud=20210628000798.

18 Casey Corcoran, Bo Julie Crowley, and Raina Davis, “Disinformation Threat Watch the Disinformation Landscape in East Asia and Implications for US Policy,” Belfer Center for Science and International Affairs, 2019, https://www.belfercenter.org/sites/default/files/2019-06/PAE/DisinfoWatch%20-%202.pdf.

19 Choe Sang-hun, “South Korea Declares War on ‘Fake News,’ Worrying Government Critics,” New York Times, October 2, 2018, https://www.nytimes.com/2018/10/02/world/asia/south-korea-fake-news.html.

20 Charlotte Stanton, “How Should Countries Tackle Deepfakes?,” Carnegie Endowment for International Peace, January 28, 2019, https://carnegieendowment.org/2019/01/28/how-should-countries-tackle-deepfakes-pub-78221.

21 Eric Horvitz, “A Promising Step Forward on Disinformation,” Microsoft on the Issues, February 22, 2021, https://blogs.microsoft.com/on-the-issues/2021/02/22/deepfakes-disinformation-c2pa-origin-cai/.

22 Encryption Working Group, “Cyber Policy Initiative: Encryption Working Group,” Carnegie Endowment for International Peace, accessed July 2021, https://carnegieendowment.org/programs/technology/cyber/encryption.

23 Digital Watch, “The G20 Osaka Track Raises Controversy,” July 1, 2019, https://dig.watch/updates/g20-osaka-track-raises-controversy.

24 World Economic Forum, “Data Free Flow With Trust (DFFT): Paths Towards Free and Trusted Data Flows,” June 2020, https://www.weforum.org/whitepapers/data-free-flow-with-trust-dfft-paths-towards-free-and-trusted-data-flows.

25 Scroll Staff, “G20 Summit: India Does Not Sign Osaka Declaration on Cross-Border Data Flow,” Scroll India, June 29, 2019, https://scroll.in/latest/928811/g20-summit-india-does-not-sign-osaka-declaration-on-cross-border-data-flow.

Technologies of Trust: Online Authentication and Data Access Control in Korea

Introduction

Information and communications technologies (ICT), particularly the internet and cloud computing, are becoming the substrate for economies and societies. They allow individuals and organizations worldwide to connect, exchange information, and collaborate. They have had a profound impact on industries, politics, and the media. The coronavirus pandemic has only accelerated the shift of business, education, government, and other core activities to the online world, with potentially lasting effects.

Digital technologies provide many conveniences, but they have also enabled crime; disinformation; the theft of private information, confidential business information, and intellectual property; cyber attacks; and cyber espionage. ICT companies are racing to address vulnerabilities in their hardware and software and trying to keep ahead of malicious hackers who are constantly finding new ways to exploit these vulnerabilities.

It is much harder to establish identity and trust online than in a face-to-face environment, resulting in identity fraud and unauthorized access to computer systems and the data they contain. As in other countries, internet users in the Republic of Korea (hereinafter the ROK or Korea) expect and often demand better and easier methods for online authentication and data access control. As a major economy and one of the most “connected” countries in the world,1 Korea’s experience in delivering these services can provide important lessons, both for peer economies and for other countries searching for models they can learn from.

Online authentication is a crucial security measure for identifying users and for validating the online apps they access. Invariably, there is a trade-off between the conflicting goals of usability, innovation, reliability, standardization, and consumer protection. A successful and broad deployment of authentication tools and techniques can lead to greater trust online, enabling user identification, electronic signatures, and nonrepudiation. However, rigorous online authentication may require additional (and sometimes inconvenient) security measures and information such as multifactor authentication.

In Korea—and everywhere else—data access control is a matter of balancing utilization and data protection. The openness and utilization of data improve access to information across society, creating substantial value, such as transparency and data-driven decisionmaking in government, marketing, healthcare, and other areas. However, the collection and sharing of data will inevitably lead to problems such as the misuse of personal data, infringement of privacy, and loss of control by the users, which should also be considered. In addition, there are fears that data transferred abroad will not be properly protected. This is leading to conflicting goals: international data flows, which enable Koreans to use cloud services from hundreds of different providers, conflict with data localization requirements designed to help Korean companies and the government leverage data about Korean citizens and entities.

In developing its strategy for online authentication and data access, the Korean government and the ICT companies operating in the country have had to make several difficult choices, which reflect their conflicting values. This path to a so-called Korean model has not been smooth. And like elsewhere in the world, Korean decisionmakers and stakeholders have had to learn by trial and error.

This chapter explores how the core policies related to online authentication and data access control have been developed and implemented in Korea, focusing on the major changes and the reasons behind them. The chapter first analyzes the drivers of those policies, such as Korea’s ICT policy, cybersecurity incidents, cybersecurity policies, and the major actors working to improve cybersecurity. The challenges of online authentication are divided into two parts: online identification (user validation) and authentication online (activity validation). The challenges of data access control are likewise divided into two parts: public data and private data.

The Origins and Evolution of a Korean Approach to Online Data

Korea’s approach to online authentication and data access control reflects several unique characteristics of the country’s economy, infrastructure, and development. For one, Korea has invested heavily in ICT infrastructure as a national priority, building broadband networks and extending their reach into almost every home. With an average of more than 200 megabits per second for fixed broadband speed,2 the country’s broadband networks have created a powerful platform for innovation.

Korea has been a divided country for more than sixty years, and the Republic of Korea’s neighbor, North Korea, is known as a major malicious actor online worldwide. This has made ROK’s online authentication and data access control policies and implementation even more important.

Of course, Korea is not alone in facing a hostile external environment. Other countries, like Estonia and Taiwan that face acute cyber threats from threatening neighbors, have also invested heavily in cybersecurity.

However, Korea’s experience is also anchored by historical experiences and practices that are unique to the country’s development trajectory since the 1960s. During that decade, Korea launched its drive for rapid industrialization, which included a national-level personal identification system that became especially important as the country’s economy began to move online in subsequent decades. Moreover, Korea established and enforced a national-level authentication infrastructure superior to many other certificates called the National Public Key Infrastructure-based Authorized Certificate (NPKI-based AC). Unfortunately, several problems have emerged with the certificate because it is difficult to use and dependent upon a single technology platform. As a result, the use of these identification and authentication methods has been limited, and the government has had to introduce alternative methods.

In the main, Korea’s approach to data accessibility has been conservative. Yet, that is changing today due to a clear recognition by government officials, corporate leaders, and citizens alike of the need for a more flexible, open policy to reflect social demands and changes in the business environment.

The Information and Communications Technologies Environment of Korea

Korea is recognized as having one of the most advanced ICT infrastructures in the world,3 and it has become a testing ground for leading-edge applications. The country has consistently ranked first or second among 176 countries on the International Telecommunication Union ICT Development Index since 2009 and also ranked second in 2017, the most recent survey.4 Korea is also among the world’s top in terms of internet and smartphone penetration as of 2020.5 In addition to the ICT infrastructure, it is also top-notch in utilization and service. In the UN E-Government Development Index, Korea is consistently near the top, ranking first three consecutive times (2010, 2012, 2014) and second in the most recent announcement in 2020.6 Moreover, Korea’s proportion of e-commerce transactions has reached 30 percent,7 and the proportion of online banking has reached 66 percent.8

In addition to Korea’s rapid economic growth and so-called “ppalli ppalli” (faster, faster) culture, geographic and demographic advantages and its government-driven policies have been major factors in its ICT development (see table 1). In the 1970s, a national public administration initiative led to the establishment of a resident registration system and computerization of administrative information. In the 1980s, policies for the spread and expansion of telecommunication networks were implemented in earnest. In the 1990s, ultra-high-speed information communication networks were developed. And in the 2000s, the change to an information society led to the development and dissemination of internet-based technologies, laying the foundation for e-government services and improving information security.

Korea’s ICT policy was implemented under a clearly defined, government-driven strategy, which was effective in terms of infrastructure construction and foundation building. However, one limitation of this approach was that technology was often developed according to government specifications rather than market demand. For instance, the WiBro wireless broadband technology that was developed, generously funded, and promoted by the Korean government failed. This technology could not succeed in the market and failed to compete against the LTE (Long-Term Evolution) in 4G network.

Korea’s geographic and demographic advantages were also important factors. In evaluating the ICT development environment of states, factors like population, gross domestic product, area, and particularly population density affect the availability of broadband and mobile networks. Korea ranks twenty-third in terms of population density, but fourth among countries with an area of over 2,000 square kilometers and first among the Organisation for Economic Co-operation and Development (OECD) countries. In addition, Korea is highly urbanized: 47.5 million people (91.8 percent of the country’s 51.8 million population) live in cities as of 2020.9 This has clear advantages for ICT development, deploying online services, and addressing the connectivity divide and other types of digital divides.

Entities and Laws Related to Trust in Online Services

A number of government entities have shaped Korea’s efforts to foster trust online (see table 2). An important factor in the study of Korean public administration is the analysis of the relevant ministries and the legal system under their jurisdiction. In Korea, for each issue, the law stipulates in detail which ministries have roles and responsibilities for them, and how they are regulated and responded to. In areas of online authentication and identification, the Ministry of Interior and Safety is a key organization and oversees the Resident Registration Act, the E-Government Act, and the Information Disclosure Act. In the past, it was also in charge of the Personal Information Protection Act, which was changed to the jurisdiction of the Personal Information Protection Commission in 2020. Another major entity is the Ministry of Science and ICT, which is in charge of Korea’s most important security-related law, the ICT and Security Act. It deals with various internet-related issues such as online security, protection of personal information, and countermeasures against illegal information. In addition, the Ministry of Science and ICT is also in charge of the Electronic Signature Act, which is the core of online authentication. In the financial sector, the Financial Services Commission deals with electronic financial transactions and credit information protection.

Major Cyber Incidents

Although Korea has succeeded in deploying a highly developed, digital infrastructure, the country still faces many difficulties in terms of cybersecurity. In particular, North Korea has launched frequent major cyber attacks against both government offices and corporations in ROK. And precisely because Korea is highly dependent on ICT, the resulting damage has amounted to billions of dollars as well as widespread disruption of key services. Microsoft estimates that Korea’s economic loss from cyber threats amounted to $72 billion in 2017 alone.10 And the damage to Korea’s economy caused by a distributed denial-of-service (DDoS) attack in 2009 and the March 20 and June 25 cyber terrorism attacks in 2013 was estimated to $746 million.11

Korea has experienced cyber attacks continuously since 2009, including DDoS attacks and cyber terrorism (see table 3). Most of these cyber attacks are presumed to originate in North Korea, but that is not always the case. For example, in the case of the 2018 PyeongChang Olympics cyber attack, Russia was suspected of retaliating for its punishment by the International Olympic Committee for a national doping scandal. After experiencing such cyber incidents, the Korean government established new policies and countermeasures to identify problems, improve response time, and reduce the damage these attacks cause.

Korea has also experienced several major, personal data breaches in the private sector. After the Auction incident in 2008, when millions of users’ personal data records, including real names and encrypted Resident Registration Numbers (RRNs), were revealed by a security breach,12 efforts to improve protection of personal data and reduce the damage caused by data breaches became a major focus of public and regulatory attention. Since then, Korea has experienced many large-scale incidents, such as breaches of SK Communications in 2011, of major credit card companies in 2014, and of Interpark in 2016. One response was the Personal Information Protection Act, which became a general law in 2012, prohibiting the collection of RRNs online and strengthening the right to self-determination of personal information.

Online Identification

The system of online identification in Korea has centered, in the first instance, around a range of government initiatives.

Resident Registration Number

Korea’s identification online was centered on the RRN until the mid-2000s. The RRN is a unique lifelong identification number given to all Koreans at birth, much like the Social Security number in the United States and is used for a wide range of government and private-sector purposes. The Korean RRN and Resident Registration Card (RRC), a nationally recognized identification card that includes the RRN, were established by the enactment of the Resident Registration Act in 1962 (see table 4).

This act was amended in 1968 to establish a twelve-digit Personal Identification Number (PIN) system, the predecessor of the RRN system. In addition, an RRC was issued to citizens over the age of eighteen. Later, in 1975, this obligation was changed to seventeen years of age, converted to the RRN’s current thirteen-digit number system, and the RRC was updated (see figure 1). The RRC has been maintained until now after the second renewal in 1983 and the third renewal in 1999.

Because the RRN is a unique identification number assigned to each citizen of Korea, it was widely used for identification online in the early 2000s. Private websites that are not legally mandated to collect and verify the RRN also requested the RRN when individuals signed up. They could not verify the legitimacy of the RRN, but they performed verification using the RRN checksum algorithm. Moreover, most of them used the RRN as the key value for identification for their website database.13

After 2004, as the internet was expanding, the problem of excessive collection of RRNs and the theft of personal data increased. A survey conducted by the country’s top certification body, the Korea Internet and Security Agency (KISA), in 2003 found that out of 448 websites, 447 had requested the collection of RRNs.14 This was done to discourage illegal activities, but RRN data was excessive, making them vulnerable to theft and abuse. The National Public Key Infrastructure-based Authorized Certificate was launched in 2004 as a way to enable substitutes for the RRN identification (for example, the I-PIN) and began to be discussed as a way to limit the collection of the RRNs online.

After the 2008 Auction personal data leak, several provisions related to personal information were revised in the Act on Promotion of Information and Communications Network Utilization and Information Protection, and associated legislation. In Article 23-2 of this amendment to the act, a new provision was adopted that obliges Korea’s online service providers with more than a specified number of page views to introduce a means of replacing the RRN.

In August 2012, the collection of the RRNs online was prohibited outright, and in August 2014, the so-called RRN collection legalism was introduced to prohibit collections of RRNs except where specific laws require them to be collected, such as for e-government services, financial transactions, contract signings, and medical information verification.

With the introduction of the RRN collection legalism and the implementation of alternative identification measures, there was a demand for changes in the RRN system itself. Discussions emerged around how to solve chronic problems with the current RRN system, such as the possibility of exposure of personal information and the fact that it is impossible to change a permanent identity number that is meant to be used throughout a citizen’s lifespan. Ultimately, the RRN system was revised to allow for the reissue of a new RRN in cases of possible exposure of personal data and to protect victims of domestic violence and sexual violence. Thus, the RRN, in thirteen-digit form, was revised in 1975 and has been maintained to this day, but it is used today as a means of identification online only in limited circumstances.

I-PIN

Due to the risk of data breaches and the reckless collection and use of RRN data, the Korean government established and distributed an Internet Personal Identification Number (I-PIN) system as an alternative means of identification. The I-PIN is an alternative means to identify individuals on the internet. Credit bureau companies such as the Korea Credit Bureau, National Information and Credit Evaluation, and SCI Information Service were designated by the government in October 2006 as official I-PIN issuing entities. When identification is requested at a specific site, the result is delivered by verification using the information they have, including the RRN.

In June 2010, the Korean government introduced the I-PIN 2.0, which added functions such as connecting information (CI), a connection value of different services, and duplicated joining verification information (DI), to prevent duplicate subscription. The core of the I-PIN 2.0 system is the CI that creates a unique universal key value for online identification, which replaces the RRN for a specific individual. The CI is a unique value that corresponds directly with the RRN. It is made into 88-byte through a SHA-512 hash function of the RRN and several paddings and key values that are shared by the KISA and I-PIN issuing entities (see figure 2). The CI is used not only for the I-PIN but also for the public identification services established later in 2012. And the DI is a 64-byte number generated from the RRN and the information of the internet service provider (ISP), providing a unique value linked to each ISP.

With the implementation of the RRN collection legalism, the demand for I-PINs that can replace it also increased. In addition, MyPin, formed with a thirteen-digit random number derived from the I-PIN (see figure 3), was introduced in the case that identity verification and linkage are required offline.

However, because the I-PIN adopted ID/password-based authentication, it required additional forced security measures, such as CAPTCHA and installation of ActiveX to prevent keylogging. These complementary security measures caused great inconvenience. Despite these security measures, in early 2015, a public I-PIN operated by the Korea Local Information Development Institute was hacked, resulting in 750,000 fraudulent issuances.15 In response to this, in May 2015, all existing I-PINs were reissued, and an expiration date was introduced so that each I-PIN must be renewed every year. Also, it was changed to require an additional authentication measure such as a secondary password, key pattern, and biometric authentication.

These additional security measures made it more inconvenient to use I-PIN compared to private identification services, slowing adoption of I-PIN. According to a survey by the Ministry of Science and ICT and the Korea Internet Promotion Agency, 37.7 percent of websites (2,783 of 7,371 websites surveyed) that provided I-PIN based identification reported that no website visitor had used it in over a year.16 This reduction in the use of I-PIN led to the government’s decision to abolish the I-PIN system. New issuances and renewals were stopped in October 2018, and a decision was made to terminate the program in 2021 when the last public I-PINs, which were valid for three years, will expire.17

Private Identification Services

Since August 2012, online identification through the RRN has been prohibited in Korea, and the government I-PIN and the NPKI were not widely used, so the government considered other alternative means that can be used easily and inexpensively. In August 2012, the government established rules for identity verification agencies, and in December 2012, the Korea Communications Commission (KCC) determined that three mobile network operators (MNOs) could be designated as identity verification agencies in the private sector.18 Identity verification by the MNOs was initially conducted in the form of a challenge and response through text messages.

The online service provider (OSP) handles the user’s request for identity verification through the verification agencies designated by the MNOs. The agency transmits a challenge to the user’s mobile phone using the personal information stored by the MNO, and the user sends a response to the verification entity. The verification entity provides the personal information of the identity verification requester and the CI and DI that were provided by the credit bureau companies to the OSP to verify the identity. As the use of smartphones spread, app-based authentication methods, such as QR code and biometric authentication, were added.

At the end of 2017, the Korea Communications Commission designated seven major credit card companies as new identity verification agencies, and they started their identification operations in April 2018.19 These credit card companies, like MNOs, are allowed to collect and retain personal data, including RRNs. They offer identification in three forms: mobile card application payment, automated response system authentication, and verification through card company website access, providing personal information, CI, and DI to the OSP (see figure 4). These credit card companies are reliable and secure entities, so they could be expanded as identity verification agencies.

Such private identification services will be expanded further when the I-PIN expires. In March 2021, major OSPs, such as Naver, Kakao, and the fintech company Toss, applied for status as identity verification agencies but were rejected by the KCC due to concerns about account and identity theft.

Identity Verification of Users of Online Message Boards

Since 2003, Korean society has discussed the introduction of an internet real-name system to address many problems with internet and online services, and in 2004, an amendment to the Public Official Election Act included a provision for real-name verification for internet media sites to prevent false slander during the election process. As the use of the internet expanded, the former Ministry of Information and Communication (MIC), the agency in charge, worried about how the anonymity of internet users could facilitate defamation, fraud, and doxing—all of which were already happening in Korea, in sometimes highly publicized cases.

In January 2007, the government of Korea proposed an amendment to the ICT and Security Act, which included the so-called limited identity verification provision, which required users of some large online services to verify their real names. Despite some opposition from civic groups and the public, this amendment eventually was enacted by the National Assembly, resulting in the launch of an internet real-name system in Korea in July 2007.

Article 44-5 of ICT and Security Act stipulated that the entity operating an open message board should take measures to verify users’ identities on boards that have a large impact on Korean society. Initially, according to Article 30 of the ICT and Security Act, online service providers such as portal sites and user-generated content service providers with more than 300,000 page views per day and internet media sites exceeding 200,000 page views per day were targeted.20 Later in January 2009, this regulation was revised, and the target was expanded to all websites exceeding 100,000 daily page views (see table 5).21

After the implementation of the limited identity verification rules, malicious content was reduced on internet bulletin boards as well as comment and reply sections, but the effect was not large. According to the results of a 2007 survey led by the MIC and the KISA, the proportion of malicious comments on these boards decreased from 15.8 percent to 13.9 percent.23 In addition, according to a 2010 study by Woo, a professor at Seoul National University, who compared the ten-day periods before and after the implementation of the limited identity verification rules on July 27, 2007, found that slanderous posts decreased slightly from 13.9 percent to 12.2 percent. However, the number of internet protocol addresses significantly decreased from 2,585 to 737 during the same time.24 This suggests that although the regulation had no significant effect on the type of comments posted, it adversely impacted internet participation.

In addition, some overseas service providers refused to abide by the new regulations. In 2009, the YouTube website in Korea recorded more than 100,000 average page views per day and became the target of the identity verification rule. In response, Google, which runs YouTube, decided to bypass the regulation by restricting YouTube video uploads in Korea and closing the comment feature.25 As a result, Korean users had to change their country settings to use YouTube sites of other countries. Since then, the Korea Communications Commission, which oversaw the identity verification system, decided to exempt overseas websites.26 This decision, however, led to complaints of reverse discrimination against domestic sites.

In August 2012, the Constitutional Court of Korea unanimously ruled that the internet real-name system was unconstitutional in a ruling on a lawsuit filed by internet media companies, civic groups, and some users.27 The court ruled that it was not in the public interest to limit freedom of expression, particularly considering that illegal postings did not decrease significantly after the implementation of the internet real-name system. The court also noted adverse side effects, such as users fleeing to overseas sites and reverse discrimination against domestic companies. As a result of this court decision, the limited identity verification was abolished in Korea.

In addition, in January 2021, the Constitutional Court ruled as unconstitutional the provision for real-name verification on internet media sites, which had been enacted to prevent false slander during elections since 2004, under Article 82-6 of the Public Official Election Act. Accordingly, the regulations on websites related to the two major internet real-name systems in Korea have been abolished. As a result, the game shutdown law, which restricts teenagers from accessing online games from midnight to 6 a.m., is the only law in Korea related to the online real-name system.28

Authentication Online

National Public Key Infrastructure-Based Authorized Certificate (NPKI-based AC)

In the late 1990s, with the progress of information technology, it became necessary to prepare an infrastructure to implement social activities in traditional social activities in non-face-to-face electronic environments for e-commerce, e-government, and similar services. These activities included financial transactions, contracts, and identity verification online. In response to this need, internationally, the Working Group on Electronic Commerce of the United Nations Commission on International Trade Law conducted standardization studies related to online authentication.

This was both timely and useful because high-speed communication network technologies such as ISDN and ADSL quickly spread through Korea during the late 1990s, and policymakers recognized the necessity of creating a foundation for e-commerce and other services, which were growing very rapidly. Annual growth of e-commerce-based transactions was 400 percent from 1997 to 1999.29

To meet this growing need, Korea enacted an array of laws, such as the Electronic Signature Act and the Basic Act on Electronic Transactions, promulgated as Act Nos. 5792 and 5834, respectively, in February 1999 and taking effect in July 1999. Subsequent legislation included the Act on Promotion of Electronic Administration for E-Government Realization of 2001 (E-Government Act), ensuring the legal status of electronic signatures, seals, and stamps. Under this provision, an authentication function is provided for electronic signatures to assess the authenticity of documents and electronic transactions.

The institutional basis for digital signatures was established in Korea in 2001, and the NPKI-based AC system has been implemented in earnest since then. Architectures, technical specifications, and so on had already been discussed in 1999, focused on the government and financial sectors separately and were integrated into the current NPKI system in 2001.

Public key infrastructure (PKI) is a technology used for digital certificate implementation or public key encryption in an online environment. In ITU-T, the PKI standard is specified in the X.509 standard and is used for secure sockets layer encryption or the implementation of electronic certificates. PKI is a widely used technology, but Korea built a PKI at the national level to provide a robust authentication technique that could be used in a wide range of situations. It is characterized by mandatory use in electronic financial transactions and e-government-related activities.

Korea’s NPKI system issued certificates through the KISA and five private organizations designated as certificate authorities (CAs).30 In the issuing process, when a user requests certificate issuance to a registration authority (RA), such as a bank that generally performs certificate issuance, the RA makes a request to the CA for validation and certification issuance. The CA verifies whether the user is legitimate based on the personal information it holds. Based on the certificate granted by the root CA to the CA, the user’s authorized certificate is issued by the CA and delivered to the user through the RA. The verification and signing process is undertaken in reverse order. When the OSP requests the user to sign through the RA, the user signs the certificate with a private key and sends it. The RA verifies it by the CA, and the CA verifies it by the root CA (see figure 5).

When the NPKI-based AC is issued, it is saved as files such as signCert.der and SignPri.key in the NPKI folder on the user’s computer. If a site requires an AC, a certificate in the form of these files is loaded through the AC Manager, and authentication is performed through a signature act in which the user inputs a private key. In addition, since the certificate is managed in the form of files, it can be copied and used on other computers or smartphones.

Here, the Korean model provides a lesson for other countries because its authorized certificate system may have several advantages as a national-level infrastructure, and is mandated for use in online transactions, such as online banking, payments over 300,000 Korean won (about $265), and e-government-related services.31 In addition, the AC is widely used as a means of online identification. Thus, by 2010, the AC had come to dominate the online authentication market (see figure 6), and other types of certificates were rarely used in Korea. Still, some problems cropped up that those who seek to emulate Korea’s example can learn from.

Specifically, the idea of establishing an NPKI system and the AC may have several advantages, and there were no issues with designing the architecture and technical specifications. However, in implementing and developing an actual system for specific online applications, several security vulnerabilities or useability problems emerged.

The essence of this problem is that the implementation relied on ActiveX, a plug-in for Internet Explorer (IE) provided by Microsoft. The NPKI system itself is technology neutral, but it was implemented by security companies using ActiveX, which works only in Windows and IE environments. In the early stages of NPKI, Korea’s standard encryption algorithm called SEED was used, and most Korean users at that time used Windows and IE environments. To improve ease of use, the encryption algorithm was changed to one based on AES, but ActiveX continued to be used.

The first problem with this is the dependence on a specific computing environment. In many other operating systems or web browser environments, where ActiveX did not work, AC was impossible to use. This issue became even worse with the advent of the smartphone environment and Microsoft’s decision to remove ActiveX from its browsers in 2015.

The second problem is the security problem of ActiveX itself. To implement ActiveX requires that the certificate authority be granted operating system administrator privileges. This makes it easy to install capabilities, including a keylogging prevention tool, which can be implemented only with ActiveX and was widely adopted and used in Korea. However, this meant that many people at the CAs and solution providers had access to internal computer files, resulting in many security vulnerabilities.

Due to growing antipathy against the NPKI-based AC, in March 2014, then president Park Geun-hye proposed abolishing the mandatory use of AC for payments. Afterward, mandatory AC use for payments over 300,000 Korean won was abolished, and the mandatory provisions for AC in internet banking were also abolished in March 2015. Nevertheless, the NPKI-based AC and the ActiveX-based security measures were used continuously given path dependence and legacy software.

In 2017, presidential candidate Moon Jae-in proposed abolishing NPKI-based AC as part of the ICT pledge, and the majority of the public and relevant civic groups supported the proposal.32 After Moon took office in May 2017, his government promoted the withdrawal of AC, which led to a complete amendment to the Electronic Signature Act, abolishing the mandate for use of the NPKI-based AC.

Mixed Online Certification Environment

In its place, in December 2020, the government adopted a joint certificate environment, enabling various authentication means to be used together (see table 6).

The joint certificate enables secure communications and is also used in identity verification services and provides personal information, such as CI, DI, and birth date, after verification. Although the joint certificates are no longer the sole means of government-endorsed authentication, cases exist in many high-level authentication environments where it is still the only authentication method in use, for example, certificate issuances, such as registration and social insurance verification. Even the private sector still requires the joint certificate, and it is requested often, such as for self-certification of online education.

Financial institutions jointly issued a financial certificate, a cloud-based certificate authenticated with six digits or biometric authentication in device level, which is valid for a three-year period and has an automatic renewal function. In addition, major banks provide their own certificates. Various private individual certifications have also been released, used, and adopted in many services, including e-government services. The MNOs’ Pass service was used as an existing identity verification. Moreover, Kakao and Naver (representative OSPs in Korea) and Payco and Toss (fintech companies) also provide authentication services.

Data Access Control

Korea has also pioneered several methods of access control for public databases under an architecture of open government data policies.

Increasing the accessibility of public data can be advantageous, not least by meeting right-to-know requirements, enabling better analysis, and fostering new services that lead to job creation and add value to the economy. But as Korea, like many countries, has discovered, excessive public information disclosure can have several adverse effects. These include the infringement of rights (such as privacy), fraud, and unfair and deceptive sales techniques. As a robust democracy with extensive platforms for citizen engagement, Korea has had to address such issues as data management, access-related systems, and guaranteeing the availability of data and services when the government put the regulations and policies in place.

Public Data

In the past, public data in Korea was processed and managed by the government, which guaranteed the public’s right to know through information disclosure requests. In 1996, the Act on the Disclosure of Information by Public Organizations was enacted to stipulate the rights and forms of public requests for disclosure of information held by public institutions and stipulated matters necessary for the disclosure obligations of public institutions. This act has aimed to ensure the public’s right to know, citizen participation in national affairs, and government transparency.

Requests for disclosure of information in public institutions were processed by the National Archives of Records starting in 2004, and requests for disclosure of information have increased every year, showing steady growth from 104,024 in 2004 to 756,342 in 2016.34 On average, the information disclosure acceptance rate is maintained at around 95 percent every year.35 However, there are criticisms that this figure is overinflated, since the government agencies often partially disclose information excluding crucial data for reasons such as invasions of privacy or damage to public interests.36

The paradigm of public information also changed dramatically due to the introduction of smartphones in 2010 and the flood of data and new apps that resulted. Restrictions on public information became a problem due to the increase of applications accessing information on a smartphone. For instance, a simple bus location app required real-time government data. To cope with issues like these, Korea established a plan to promote the private use of public information in 2010. In 2011, guidelines for the provision of public information and public data portal services were established, which led to the Government 3.0 Basic Plan and the Act on Providing and Utilizing Public Data in 2013.37

In 2016, the government established the E-Government 2020 Basic Plan, as well as five strategies to reflect the social demands due to the advent of a hyperconnected society.38 Better access to public data was enabled by increased funding for government IT systems and a shift to cloud-based administrative information infrastructure. In February 2021, the government established the Data 119 Project and announced a data strategy to revitalize the digital economy by promoting open data utilization.39 The strategy called for amending and updating the so-called three data laws’ amendments and launching nine new data services and outlined eleven action tasks, including the establishment of a special data committee. The three data laws’ amendments refers to amendments to the Personal Information Protection Act, the ICT and Security Act, and the Credit Information Protection Act. These laws were promoted to meet the needs of industry, by introducing the concept of pseudonymous information and helping certify adequacy with the European Union’s General Data Protection Regulation (EU GDPR).

To implement public data access control, meanwhile, the government has pursued various lines of effort, such as establishing a management system, managing accessibility, and securing availability. In 2002, the E‑Government Special Committee was established to research policies and implementation to establish e-government services. An Innovation Plan for Efficient Operation of the Pan-Government Computer Environment was later selected as one of the thirty-one tasks in the E‑Government Roadmap in 2003. In 2004, a plan for establishing and promoting an integrated computing environment-related ISP project was prepared. In 2005, the Government Integrated Computing Center was established in Daejeon under the Ministry of Information and Communication (MIC). The Government Integrated Computing Center was renamed the National Information Resource Management Service in 2017 and is currently in operation. Since 2007, the Gwangju Center has been the core of this architecture, and a Gongju Center for backup and Daegu Center for Cloud have been under construction since 2019 (see figure 9).

Private Data

The most complex issue regarding data access in the private sector is the use of personal information, and Korea has had to find and adopt a pathway that reflects its national conditions. Today, Korea’s personal data-related regulations are like EU-style regulations emphasizing protection in the form of detailed provisions limiting the collection and unauthorized use of personally identifiable information.

But in the early days of its ICT development, Korea did not have regulations related to personal information protection at all. It addressed the problem in earnest only in 2001 by revising the ICT Promotion Act, which is now called the Act on Promotion of Information and Communications Network Utilization and Information Protection. Chapter 4 of the revision stipulated various provisions related to personal information protection. And in a 2008 revision, after the Auction incident, regulations related to personal information protection were reinforced, by, among other things, introducing the concept of a conforming business operator to stipulate entities other than OSP.

With the enactment of the Personal Information Protection Act (PIPA) in 2011, Korea established a regulatory system for personal information. The PIPA is a general law regulating overall subjects and personal information protection in Korea, and the ICT and Security Act specifically regulates OSPs. The Credit Information Protection Act specifically regulates financial institutions.

The PIPA broadly defined personal information as information that, by itself or in combination with other information, could be used to identify the person linked to the information. Accordingly, various types of information, such as the Internet Protocol address and media access control address, are recognized as personal information; therefore, their use is restricted. Adoption of big data tools by Korea’s companies is only 7.5 percent, putting it fifty-sixth out of sixty-three countries in 2017, according to a study by the International Institute for Management Development.40 Also, according to the Korea Data Industry Promotion Agency, the size of the Korean data markets as of 2017 was $443 million, which was only 0.25 percent of the U.S. market ($177 billion).41

In response to the EU GDPR and in preparation for the Fourth Industrial Revolution, there have been demands for improvements to Korean privacy regulations. Accordingly, in January 2020, the government revised the so-called three data laws’ amendments to improve protection of personal information. By revising these three laws, the government introduced the possibility of using nonidentifying personal information and enabled social access to data with the expectation that new commercial services would be established, such as MyData. This is a one-stop service relying on data portability that was created by an industry-university consortium to provide various financial-related information and is expected to launch by August 2021.

Data Localization

Another major issue regarding personal data access in Korea concerns cross-border access and transfers. Korea had earlier provisions covering personal information abroad in its ICT and Security Act, but this didn’t respond to questions about overseas transfers, and individual consent was required. In the PIPA, Article 17 also only allows transferring personal data outside of Korea in provisional cases.

Due to Korea’s conservative regulatory environment, Article 17 only stipulates that the consent of the data subject must be obtained when transferring data about them to other countries. It does not specify in detail the level of protection that must be provided by data processors in other countries or additional protection measures that must be implemented. This is due to Korea’s conservative regulatory environment. The Asia-Pacific Economic Cooperation forum established the Cross-Border Privacy Rules System in Asia, which is different from the EU’s Adequacy and Safe Harbor (Privacy Shield) provisions established under the GDPR (see table 7).

A gap also exists in the regulations related to cross-border transfer in the revision of the three data-related laws. Discussions on this continue between Korea and other major economies, and the cross-border transfer using a mutual-adequacy approach, such as EU GDPR’s adequacy and other options, will need to be continually reviewed.

Conclusion

The importance of the internet, cloud computing, and other information technologies is increasing rapidly due to the coronavirus crisis and the Fourth Industrial Revolution transformation. As business activities, financial transactions, and education continue to shift online, security measures related to online identification, authentication, and nonrepudiation will become even more important. In addition, access to information is contributing a large part of new value creation in almost every sector of the economy. Furthermore, if Korea is to fully leverage data-centric services developed elsewhere, data localization and cross-border data flow issues will need to be better addressed in a consistent manner.

Korea has one of the most advanced ICT infrastructures in the world. Both government and industry have worked hard to make that infrastructure (and the applications that rely upon it) more secure and reliable. Korean efforts to improve online authentication can provide useful case studies that can inform many other countries facing similar challenges.

Korea has a unique political system characterized by a government-driven, conservative process for making and implementing policy that reflects the peculiar character of its bureaucracy. This resulted in the establishment of national-level infrastructure such as NPKI-based AC in Korea, while other countries entrusted ICT policies and security measures, including online authentication, to the market.

The history of online authentication in Korea began with the use of RRNs, which were used for online authentication without adequate privacy safeguards. As e-commerce and e-government developed, Korea experienced various personal data breaches, leading to limits on the number of cases where RRN collection and processing is allowed. The government introduced the I‑PIN to replace the RRN, but it was not adopted in the market because it was difficult to deploy and use, and it was ultimately abolished. In contrast, online identification through mobile phones and credit cards has become mainstream due to their convenience.

Between 2001 and 2015, online authentication in Korea focused on a government-mandated NPKI-based AC system, a national PKI-based digital signature system. Although it had the advantage of providing a national-level authentication infrastructure, one disadvantage was that the government required use of specific technologies, and that policy probably held back progress of online authentication by five years or more.

In addition, during the implementation process, the contractors and security solution vendors forced a specific technology, the NPKI-based AC system, that did not meet users’ needs. Users thus faced problems such as being reliant on Microsoft Windows and IE or being required to use ActiveX. This resulted in complaints from the public, who wanted more options and flexibility. Eventually, the mandate requiring use of the NPKI-based AC was abolished and changed to a joint certification, and the environment changed to the mixed use of various authentication methods. Unfortunately, the development and introduction of other authentication methods such as browser SSL certificate and FIDO have been relatively delayed in Korea, and they are still not mainstream in the market.

Korea’s data access policy has also changed from the initial conservative approach to a more open, innovative approach. Access to public data was limited in the past by a cumbersome request process, but new approaches have led to the expansion of public data access and an open application programming interface and the establishment of a public data portal service, enabling access to much more data, sometimes on a near-real-time basis. Although it is not as developed as Estonia’s Data Embassy, the Korean government is preparing to move key government resources to a cloud-based data repository, using a national convergence network design and a recovery system through the Daegu and Gwangju centers.

Until just a few years ago, Korea’s online authentication and data access control–related policies and implementations were conservative. New market demands, especially users’ expectation of new online services, and the changing business environment are gradually pushing policy in the direction of increasing usability and openness. This is one of the most important lessons that digital policymakers in other countries can learn from both Korea’s successes and failures.

Another key lesson is that trust is one of the most important ingredients for successful policies for the internet. Developing standards or technologies for securing trust benefits from sustained, consistent, high-level, political leadership. In the early days of internet development, Korea built a platform for online authentication and identification by the government that played a key role in the development of the Korean internet environment, such as e-government services, online transactions, and other services. However, the dissemination of trust-related technologies led by the Korean government also had obvious problems, resulting in an iterative, trial and error process that created the current environment. This history can provide other countries lessons on the merits and limits of government-centered dissemination of trust-related technologies.

The national approach to online authentication demonstrates the clear benefits of economies of scale and rapid adoption. If a well-designed technology or platform is developed by key government agencies, it can accelerate adoption cost-effectively at the national level. In the case of Korea, as the state established an online authentication system and mandated it for many public sector and online transactions, it could quickly enable better authentication for much of the Korean internet environment. However, Korea’s state-led online trust technologies were developed for a unique Korea system, failing to secure interoperability at the international level, and resulting in an isolated system—an example of the so-called Galápagos syndrome.

Even if the policy and architecture are well designed, it is also necessary to carefully monitor issues that may arise in the process of development, implementation, and use. In the case of Korea’s online authentication-related technologies such as NPKI-based AC and I-PIN, the architecture itself did not have any problems, but security issues appeared in the process of implementing and managing them by the responsible agencies or security solution contractors. Therefore, the state should carefully establish the specifications of security- and privacy-related technologies, and continuously supervise (and adjust) the process of implementation and operation.

In the processes of policy and technological decisionmaking, arbitrary government decisions can be dangerous. Although civic groups, industries, and users expressed concerns about NPKI-based AC, RRN, I-PIN, and data access control in Korea, they did not significantly influence decisionmaking. Korea’s internet real-name system is a representative example of a controversial policy that was later restrained when the judiciary ruled it was unconstitutional. Even if the government leads certain policies and technologies, it needs to gather opinions from all stakeholders and address them as much as possible.

A key lesson in Korea’s online authentication is that government-led policies and implementations can be effective, but government mandates can have side effects. In Korea, specific online authentication and identification methods were deployed by the government, mandated in some areas, and therefore given priority over other authentication methods. As a result, the overall online environment depended on the public authentication methods, and development of the authentication industry was stymied. Eventually, a pivot to various authentication methods, including private certifications and a focus on evaluating the security of authentication methods, made government efforts to increase trust online much more effective.

In hindsight, it is clear that the Korean government should have pursued a different path. If, from the beginning, it had distributed and utilized the NPKI-based AC but used it as just one of various authentication methods and allowed users to choose one of several authentication methods, a sounder internet trust environment would have been created. Rather than mandating one solution, it is best practice to set general standards for online authentication, which could be met by various services, giving companies and users options and flexibility.

Key factors to consider in this process are usability and listening to the opinions of all the stakeholders of the internet. No matter how good the security of a specific authentication method, if its usability is poor, it may not be used widely, and technologies dependent on the certain environment, specific operating system, or browser, it may be neglected by users. To avoid this, it is necessary to listen to the opinions of internet service providers who need to introduce these technologies and the security companies that actually implement them. Most importantly, it is necessary to engage with the users themselves and use their feedback to set the direction of security and data related policies and their implementation.

Notes

1 OECD, “Broadband Portal,” last updated July 29,2021, https://www.oecd.org/sti/broadband/broadband-statistics/.

2 Speedtest, “South Korea’s Mobile and Fixed Broadband Internet Speeds,” https://www.speedtest.net/global-index/south-korea#fixed.

3 Economist Intelligence Unit, “The Asian Digital Transformation Index 2018,” http://connectedfuture.economist.com/wp-content/uploads/2018/12/ADTI-whitepaper.pdf.

4 ITU, “ICT Development Index 2017,” https://www.itu.int/net4/ITU-D/idi/2017/index.html.

5 Statista, “Penetration Rate of Smartphones in Selected Countries 2020,” https://www.statista.com/statistics/539395/smartphone-penetration-worldwide-by-country/.

6 UN Department of Economic and Social Affairs, “E-Government Survey 2020,” https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2020.

7 Statistics Korea, “Monthly Online Shopping Survey,” http://kostat.go.kr/portal/eng/surveyOutline/2/5/index.static.

8 Kim Jee-Hee, “To Borrow Money, Koreans Go Online,” Korea JoongAng Daily, April 5, 2021, https://koreajoongangdaily.joins.com/2021/04/05/business/finance/bank-of-korea-internet-banking-mobile-banking/20210405163900371.html.

9 Korean Ministry of Land, Infrastructure, and Transport, “Ratio of Population in Urban Areas” (in Korean), Korean National Indicator System, last updated 2020, https://www.index.go.kr/potal/main/EachDtlPageDetail.do?idx_cd=1200.

10 Microsoft News Center, “Microsoft Korea Announces ‘Cyber Security Threat Report’” (in Korean), June 18, 2018, https://news.microsoft.com/ko-kr/2018/06/18/cybersecurity-report/.

11 Yonhap News Agency, “Damage from N.K. Cyber Attacks Estimated at 860 Bln Won: Lawmaker,” October 15, 2013, https://en.yna.co.kr/view/AEN20131015003200315.

12 Korea Times, “It’s Urgent to Wage War on Cyber Terror,” July 8, 2009, http://www.koreatimes.co.kr/www/news/opinon/2009/07/137_48133.html.

13 Sang-hee Han, Eun-Woo Lee, Byeong-il Oh, and Hyun-sik Yoon, “Status of the Usage of Resident Registration Numbers: Research Findings” (in Korean), National Human Rights Commission of Korea, 2005, https://www.humanrights.go.kr/site/inc/file/fileDownload?fileid=1055872&filename=05_78.pdf.

14 Min-ok Han, “12 Percent of Netizens ‘Experienced Resident Registration Number Theft’” (in Koream), Digital Times, December 1, 2003, https://news.naver.com/main/read.naver?mode=LSD&mid=sec&sid1=105&oid=029&aid=0000049852.

15 Lee Kyung-min, “I-PIN Identification System Hacked,” Korea Times, March 5, 2015, https://www.koreatimes.co.kr/www/news/nation/2015/03/116_174690.html.

16 Tae-jin Kim, “I-PIN Usage, 4 Percent Compared to Mobile Phone Authentication” (in Korean) October 9, 2017, ZD Net Korea, https://zdnet.co.kr/view/?no=20171009111654.

17 Public I-PIN, “Notice of Suspension of New Issuance or Renewal Due to Phase Out” (in Korean), October 31, 2018, http://www.gpin.go.kr/center/customer/noticeView.gpin?currentPage=2&no=27420.

18 Korea Communications Commission, “Three Companies Designated as Identity Verification Agencies by the Korea Communications Commission” (in Korean), December 28, 2012, https://kcc.go.kr/download.do?fileSeq=36847.

19 Kyung-ha Kwon, “Credit Card Identity Verification Service Method Policy Direction” (in Korean), Korea Communications Commission, October 20, 2016, https://kcc.go.kr/user.do?boardId=1008&page=A02020600&dc=&boardSeq=44056&mode=view.

20 Ministry of Information and Communication, “Portals With More Than 300 Users Daily…Limited Identity Verification” (in Korean), Korea Policy Briefing, February 23, 2007,

https://www.korea.kr/news/pressReleaseView.do?newsId=155178693.

21 Yeong-ju Kim, “Businesses Subject to Limited Identity Verification System in 2009” (in Korean), Korea Communications Commission, January 30, 2009, https://kcc.go.kr/user.do?mode=view&page=A05030000&dc=&boardId=1113&cp=376&boardSeq=15512.

22 Jeong-hoon Lee, “Impact of the Decision on the Unconstitutionality of the Identity Verification System on Internet Regulation” (in Korean), Korea Internet and Security Agency, 2013, https://www.kisa.or.kr/uploadfile/201306/201306101706190871.pdf.

23 Kyeong-shin Park, “Constitutional Review of Anonymity Regulation and Review of 2015 Constitutionality Decision on Election Internet Real Name Law” (in Korean), Republic of Korea National Election Commission Election Studies 7, no. 1 (2016), https://www.nec.go.kr/common/board/Download.do?bcIdx=15433&cbIdx=1133&streFileNm=BBS_201701160247379835.pdf.

24 Ji-sook Woo, Hyeon-soo Na, Jeong-min Choi, “Empirical Study of the Effect of Using Real Names on Internet Bulletin Boards” (in Korean), Korean Journal of Public administration 48, no. 1 (2010), https://s-space.snu.ac.kr/bitstream/10371/69064/1/48-1_04%EC%9A%B0%EC%A7%80%EC%88%99_%EB%82%98%ED%98%84%EC%88%98_%EC%B5%9C%EC%A0%95%EB%AF%BC.pdf.

25 Hankyoreh, “Google Refuses South Korean Government’s Real-Name System,” April 10, 2009, http://english.hani.co.kr/arti/english_edition/e_international/349076.html.

26 Hankyoreh, “YouTube Korea Now Exempt From Real Name System,” April 7, 2010, http://english.hani.co.kr/arti/english_edition/e_national/414784.html.

27 Constitutional Court of Korea, Decision on case number 2010 Heon Ma 47, 252 (consolidated). Hosted by Open Net Korea. See: http://opennetkorea.org/en/wp/wp-content/uploads/2014/03/Korean-real-name-law-decision-english.pdf.

28 Kyung-Sin Park, “Establishing Game Users’ Constitutional Right in Light of the Constitutional Court’s Recent Decisions on Game Shutdown Case and Game Real Name Case,” Korea Citation Index, 2020, https://www.kci.go.kr/kciportal/ci/sereArticleSearch/ciSereArtiView.kci?sereArticleSearchBean.artiId=ART002561011.

29 IT Find, “Market Trends by E-Commerce Business Type” (in Korean), https://www.itfind.or.kr/WZIN/jugidong/933/93303.html.

30 Korea Internet Security Agency, “Authorization Practices” (in Korean), https://www.rootca.or.kr/kor/accredited/accredited01.jsp.

31 Yeong-Kwan Song, “2016 Modularization of Korea’s Development Experience: Korea’s E-Commerce Policy Experiences,” Knowledge Sharing Program, 2016, https://www.ksp.go.kr/api/file/download/11457?downloadFilename=Korea%E2%80%99s%20E-commerce%20Policy%20Experiences%20(English).pdf.

32 Joon-kyung Geum, “Moon Jae-in Highlights the Core of His Promise to Abolish Authorized Certificates” (in Korean), Media Today, http://www.mediatoday.co.kr/news/articleView.html?idxno=135414.

33 Financial Services Commission of Korea, “(Q&A) After Abolishing the Authorized Certification System on December 10, How Will Financial Transactions Be Different?” (in Korean), Korea Policy Briefing, December 11, 2020, https://www.korea.kr/news/visualNewsView.do?newsId=148880842.

34 Information Disclosure Center, “When Will the Continuous Omission of Target Organizations in the Information Disclosure Annual Report Be Improved?” (in Korean), February 5, 2018, https://www.opengirok.or.kr/4555.

35 Bong-su Kim, “In the Government 3.0 Era, the Trap of ‘Information Disclosure Rate of 95%’” (in Korean), Asian Economy, July 8, 2013, https://cm.asiae.co.kr/article/2013070810494738241.

36 Information Disclosure Center, “When Will the Continuous Omission of Target Organizations in the Information Disclosure Annual Report Be Improved?”

37 Ministry of Interior and Safety, “Government 3.0 Basic Plan” (in Korean), June 19, 2013, https://mois.go.kr/cmm/fms/FileDown.do?atchFileId=FILE_000000000027748&fileSn=0.

38 Ministry of Government Administration and Home Affairs, “2020 E-Government Basic Plan” (in Korean), 2016, https://www.mois.go.kr/cmm/fms/FileDown.do?atchFileId=FILE_000791371GzYtix&fileSn=0.

39 Korea Data 119 Project, “Presidential Committee on the Fourth Industrial Revolution of Korea,” 2021, https://www.4th-ir.go.kr/article/download/757.

40 IMD, “IMD World Digital Competitiveness Ranking 2017,” https://www1.imd.org/globalassets/wcc/docs/release-2017/world_digital_competitiveness_yearbook_2017.pdf?MRK_CMPG_SOURCE=sm_lk_pp_wall_sv_exp.

41 Korea Data Industry, “2017 Data Industry White Paper” (in Korean), July 12, 2017, https://www.kdata.or.kr/info/info_02_download.html?dbnum=224.

42 Kyung-hwan Kim, “Issues of Cross-Border Data Transfer and the Countermeasures” (in Korean), PIS Fair, 2013, https://www.slideshare.net/ssuserbd0159/l-49862245.

Korean Policies of Cybersecurity and Data Resilience

Introduction

South Korea is one of the most digitally connected countries in the world. Like other digital societies, it is vulnerable to cyber attacks. These attacks can wreak havoc on institutions, disrupt the economy, and erode social trust. Cyber attacks suspected of originating from North Korea, in particular, have become increasingly sophisticated. North Korea has used cyber attacks to achieve its political goals in South Korea (hereinafter Korea or the Republic of Korea—ROK) by stealing information and millions of dollars, sowing a sense of vulnerability in Korean society. Attacks from North Korea and other malicious actors have disrupted information and communications technology (ICT) systems in the ROK government and the country’s private sector. In response, over the last three decades, Korea has developed better and more comprehensive cybersecurity policies aimed at ensuring the capability to prepare, respond, and recover in both the public and private sectors. However, much more remains to be done.

Korea’s cybersecurity effort began in earnest in the 1980s when the government first began to actively promote informatization of the economy, government, and society.1 Furthermore, the government focused on improving e–civil service and enhancing national competitiveness through the implementation of e-government services. Yet, until the early 2000s, this effort was primarily focused on document security and physical security, aimed at providing a blanket of information protection or information security. These cybersecurity-enhancing goals were defined by Korea’s National Intelligence Service (NIS) for the public sector and by the Ministry of Science and ICT (MSIT) for the private sector. But rather than developing a proactive, comprehensive, and nationwide cybersecurity policy or strategy, these agencies mostly limited themselves to responding to malicious activities and working to develop practical countermeasures.

However, the cyber threat had grown exponentially. Actors supposedly associated with Pyongyang had become capable of routinely launching successful attacks on information technology (IT) systems in South Korea. As the damage and disruption from these attacks intensified, public awareness of the need to improve cybersecurity put new pressures on both government and the private sector to develop a more robust set of tactics and tools.2

In 2009, the government at last made its first attempt to publish a national cybersecurity strategy. Three subsequent attempts followed, but these were more like lists of policy action items rather than strategic vision documents. By this point, however, Korea was also engaging in international efforts to address cyber threats and joining intergovernmental partnerships in cybersecurity. For example, South Korea participated in the first and second United Nations (UN) Groups of Governmental Experts (GGE) on information security, was part of the London Process, and hosted the Organisation for Economic Co-operation and Development (OECD) Ministerial Meeting on the Future of the Internet Economy in 2008, which produced the Seoul Declaration.3 Particularly, because of the links between cyber threats and national security, the government in Seoul held discussions with other countries through the framework of both ad hoc multinational and bilateral mechanisms and channels. One result was the Seoul Conference on Cyberspace, held in 2013, which was an important opportunity to reflect on the importance of digital issues in the diplomatic and security fields. The Seoul Framework and Guidelines for an Open and Secure Cyberspace and Best Practice was produced by that conference.4

An attempt was made in 2009 to establish a single, national cybersecurity strategy, and cyber attacks were identified as a serious threat in the National Security Strategy published in July 2014.5 It was not, however, until 2015 that the government announced comprehensive measures to strengthen Korea’s cybersecurity posture and appointed a cybersecurity officer in the National Security Council directly under the president of Korea. With this position, the government tried to provide a focal point for better cybersecurity policymaking and coordination. However, three consecutive officers were not fully effective in that role for varying reasons: from their expertise with cyber issues to political differences on who should have overarching authority on cyber-related matters. In the years since 2015, the role of the independent presidential officer of cybersecurity has been merged with that of the secretary of information convergence.

Despite increased awareness of the importance of cybersecurity, there has been very little research by Korean social scientists about how institutions and practices related to cybersecurity have evolved in the country. Instead, the research on cybersecurity has been mostly limited to the writings of a few jurists on narrow legal aspects and the highly technical discussions of cybersecurity practices shaped by engineers, technologists, and security practitioners. This narrow focus on technological solutions has meant that much policy work needs to be done to ensure that such solutions will be effectively deployed and managed.

Different Korean agencies have pushed different messages and competing tools and programs to address cybersecurity. The result has, until very recently, been a lack of effective strategy and institutionalized policy practice. The Korean-convened ­Global Cyberspace Peace Regime (GCPR), a major platform facilitating highly professional track 1.5 discussions, embracing academic and governmental experts from the Asian region and around the globe, is a step in the right direction.6 Still, contributions from the social science community are lacking. This chapter aims to fill that gap and share lessons learned from Korea’s more recent experience.

Interministerial competition for cybersecurity oversight has been an additional challenge in Korea. Government policies have helped make Korea a high-growth, high-income economy, so the economic ministries have a good deal of clout. But their views of digital issues and particularly cybersecurity are very different from the security agencies. Their priorities and even their cybersecurity language sometimes differ. That said, it is encouraging that internal efforts have started to develop a common terminology or lexicon in this field. It should lead to more coordinated policymaking and action in the future.

The evolution of Korean institutions, policies, and practices and the country’s experience as a target of malicious cyber activity can inform an understanding of its own experiences with cyber defense and data resilience. It can also aid other countries in their approach to cybersecurity.

For more than two decades, major cyber attacks have triggered new initiatives meant to reduce the likelihood of future attacks and reduce the damage and disruption they can cause. After attacks such as the distributed denial-of-service (DDoS) attack in 2009, the attack on broadcasting systems in 2013, and the ransom attack on Korea Hydro and Nuclear Power in 2014, the Korean government responded by announcing new comprehensive measures.7

Cybersecurity Governance

Over the years, the Korean government’s statements about cyber attacks raised awareness among policymakers and the public about the need for more government action to address the threat. Cybersecurity governance was composed of three agencies: the National Cybersecurity Center (NCSC) under the National Intelligence Services for the government and public sector; the Ministry of Science and ICT for the private sector; and then individual response systems for a diverse group of agencies, such as the one at the Ministry of National Defense for the military sector. The NCSC, established in 2004, was named as a general manager, and the National Cyber Safety Management Regulations enacted in 2005 defined each organization’s roles (see figure 10).8

Korea has, in recent years, made significant changes to its framework for cybersecurity. The National Security Council (NSC), which reports directly to the president, has been coordinating cybersecurity since 2015.9 Under the NSC, the NCSC leads practical efforts for cybersecurity across the national government and the public sector where more than 70 percent of the nation’s critical information infrastructure facilities are located.10 Within the NCSC, the Ministry of Science and ICT and the Cyber Command of the Ministry of National Defense are responsible for the private sector and the military sector respectively.

This system has made a positive contribution to the overall improvement of the initial cybersecurity capabilities. There is no doubt as to the effectiveness of many of the measures that were first introduced by public institutions. The state and public sectors actively led the cybersecurity technologies policies and expanded the application to the private sector, supporting the improvement of technical and managerial capabilities. For example, Korea has cybersecurity regulations that provide the basis for strengthening cybersecurity for both the central government and public institutions. With that, for example, collecting and sharing information needed to strengthen cybersecurity is specified as a unique duty of the NIS. The NCSC is establishing and operating a National Cyber Threat Information–sharing system for incident investigation and information sharing in public institutions.11 But some have pointed out that a reexamination of the effectiveness of the existing system is necessary due to the recent technological development and expansion and convergence of cyberspace.

To protect critical information infrastructure from cyber threats and attacks, Korea enacted the Critical Information Infrastructure Protection Act (hereafter CIIP Act) in 2001, which has been subsequently amended. Under the CIIP Act, Korea established a Critical Information Infrastructure Protection Committee under the Office of the Prime Minister to coordinate CIIP-related activities among several governmental authorities. The CIIP Act mandates that the NCSC, for the government and public sector, and the Ministry of Science and ICT, for the private sector, have key roles in CIIP activities in each sector. The NCSC, which has developed advanced technologies and trained experts, has taken the lead in the government’s CIIP-related activities and coordinated the activities of other ministries.12 As a result of the CIIP Act, more than 400 facilities, including nuclear power plant systems, transportation systems, and commercial bank networks, have been designated as critical information infrastructure (CII).13

National Cybersecurity Strategy and National Cybersecurity Basic Plan of 2019

In 2019, the publication of a new National Cybersecurity Strategy by the presidential National Security Office was widely regarded as the most important and effective policy document on cybersecurity produced in more than thirty years in Korea.14 It led to redoubled efforts to strengthen the resiliency of Korea’s digital infrastructure and was followed by the establishment of a basic plan and an implementation plan. The strategy identified 5G design and deployment and anti-drone measures as the most critical areas of government focus, both of which were new issues for priority emphasis in Korean cybersecurity and national security.

The goals of this 2019 strategy are to ensure stable operations of the state, respond to cyber attacks, and build a strong cybersecurity foundation in Korea. For this purpose, the strategy sets out three basic principles: balance individual rights with the need for better cybersecurity, conduct security activities based on the rule of law, and build a system of participation and cooperation among domestic stakeholders and foreign counterparts. The strategy encourages individuals, business, and the government to participate in cybersecurity activities, and pursue close cooperation with the international community. It outlines how Korea will ensure it can continue reaping the benefits provided by ICTs while minimizing risks. The strategy is built around six strategic pillars: secured national critical infrastructure, enhanced cyber attack defense capabilities, trust- and cooperation-based governance, cybersecurity industry growth, fostering a cybersecurity culture, and strengthened international cooperation.

The strategy was followed by the National Cybersecurity Basic Plan, which outlines 100 tasks to be accomplished over the next two to three years.15 The strategic tasks and detailed tasks of the strategy are included in the 2019 National Cybersecurity Strategy. Those 100 tasks have, in turn, been categorized as either policy tasks or technological tasks. Policy tasks make up almost 70 percent of the whole plan and include international collaboration, international norm setting, CIIP, crisis management, and information sharing. In addition to the National Cybersecurity Basic Plan, each agency contributes to an annual National Cybersecurity Implementation Plan.

It is very encouraging that various efforts are being made to achieve the vision presented by the strategy through the basic plan and implementation plan. However, revising and refining the plans will require more research in some key areas. For instance, it is necessary to develop deterrence strategies to discourage cyber attacks, but the strategy does little to make headway in this area. In particular, in-depth discussions with the national security agencies should reflect the scope, intensity, and impact of the increasingly serious cyber attacks—in both military and economic terms. In this regard, the strategy needs to more clearly articulate goals and define terms, as well as explain how responsibilities are assigned to government agencies as well as to private sector organizations. An improved strategy should start with a thorough threat analysis, which would be then be updated as necessary, to enable well-informed, data-driven decisionmaking.

Revision of the National Intelligence Service Act

Since 2006, the ROK has worked to implement the so-called Cybersecurity Basic Law to make clear each agency’s role and responsibility and the nationwide cybersecurity framework. The National Intelligence Service, in particular, has pushed for the enactment of the Cybersecurity Basic Law, revised the National Intelligence Service Act, and established the basis for its role regarding cybersecurity. On that basis, the government revised the National Intelligence Service Act in 2020 and enacted the Cybersecurity Business Regulations in 2020 that stipulated the National Intelligence Service’s role in cybersecurity.

The revision of the National Intelligence Service Act that established the scope of the NIS’s cybersecurity operations, Article 4 of the National Intelligence Service Act, defined three main tasks: collection, analysis, and distribution of cybersecurity-related information; countermeasures related to cybersecurity performance; and preventing and responding to cyber attacks and threats against government agencies and public sector institutions.

In addition, the name of the National Cybersecurity Center was changed from “cyber safety” to “cybersecurity” in Article 3(3) of the Cybersecurity Business Regulations.16 The National Intelligence Service Act emphasized that the security of cyberspace is an important national security issue. The act therefore defined cybersecurity as one of the key tasks of the National Intelligence Service (NIS). Therefore, the name of the center was changed to the same as the name of the NIS task. In addition, when the National Cybersecurity Center was established (in 2004), the term “national security” was often translated as “safety” in Korea, but more recently it has been generally translated as “security.”17

The basis for establishing and implementing basic measures for cybersecurity led by the NIS in the consultation of National Security Council and other central government agencies was provided in Article 8 of the Cybersecurity Business Regulations. The National Security Research Institute was designated as a research-and-development (R&D) specialized institution for cybersecurity affairs to expand its work to develop the strategies, policies, and technologies necessary to improve cybersecurity (in Article 17).

Nevertheless, much like the national cyber strategy, the NIS law and the enforcement ordinance of the law also have room for improvement. First, some terms are not defined under these regulations in a consistent way—not least, the very definition of “cybersecurity.” The National Cyber Safety Management Regulations defined this as encompassing three things—cyber attacks, cyber safety, and cyber crisis—but the revised NIS law and the newly enacted enforcement ordinance have no clear definition of “cybersecurity.”18

It is also necessary to clarify the duties of the different offices and agencies involved in cybersecurity and cyber resilience. For instance, the NIS can collect, create, and distribute “cybersecurity-related information including information on international hacking group and state-sponsored group” according to the law’s Article 4.19 But the scope of “international and national hacking groups” has not been defined in the law.20

Korean New Deal

Various fields in Korea, including ICT and cybersecurity, have changed due to the coronavirus pandemic that hit in 2020. With the explosive growth of telecommuting and online services such as telemedicine (which some Koreans refer to as “untact”—a new word combining “un” and “contact”), Korea’s dependence on ICT technology is expanding more rapidly than ever before. The government announced the Korean New Deal in July 2020 to overcome the economic recession after the pandemic and to change the paradigm across Korea’s economy and society.21 The Korean New Deal applies to both the public (excluding the military) and the private sectors and consists of three projects: the Digital New Deal, the Green New Deal, and the Strong Safety Net. Cybersecurity is included in the Digital New Deal project.

The Digital New Deal is a policy aimed at promoting and spreading digital innovation and dynamism across the economy by expanding the digital divide based on ICT, such as e-government infrastructure services. Cybersecurity is mainly related to the first project on “stronger integration of DNA (data, networks, and artificial intelligence) throughout the economy.” That project consists of four subprojects, and two of them deal with cybersecurity.

The first subproject is focused on “making a smart government that utilizes 5G and AI.” The government will implement pilot projects based on blockchain technology, establish 5G at all government complexes, and transition to cloud computing for public information system by 2025. Systems for citizen services, such as homepages for public disclosure, will be transferred to a private cloud center. And systems for public administration are scheduled to be relocated and integrated into a public security cloud center with enhanced security functions.

And the second subproject is focused on “advancing cybersecurity.” Cybersecurity threats are becoming more sophisticated and causing widespread damage due to digitalization and the spread of untact services. So, the goal of the project is to make the digital environment safer, enable untact services in daily life, and to foster the security industry.

The “advancing cybersecurity” initiative is divided into three domains: firms, people, and industry. First, for firms, the government helps unprepared SMEs make the security investments needed to strengthen cyber defense, diagnose threats, and improve response. In addition, special emphasis is put on addressing vulnerabilities in untact services. For people, the government supports major public facilities for software and website inspections, remote security checks, and safety measures to enhance cybersecurity for people’s daily lives. Lastly, for industry, in order to revitalize the cybersecurity industry ecosystem, the government is promoting the application of new technologies such as blockchain and fostering promising AI-based security companies.

The Evolution of Korean Cybersecurity Policy

Notions of cybersecurity—and the challenges it presents—have evolved significantly in Korea over the last twenty years. This is reflected through the development of concepts and terminology used to describe digital technologies and cyber threats.

Research and Development Trend Analysis (by Keyword Comparison)

This chapter’s analysis of keywords in cybersecurity-related academic journals demonstrates how research trends in cybersecurity have changed during the last two decades in response to new threats and to the increased attention being paid to this issue.22 The papers analyzed are limited to highly respected Korean-language journals registered in the Korean Citation Index (KCI).23 The National Research Foundation of Korea, which manages research journals (including papers published by domestic academic societies), does an annual ranking of journals to determine which will be recognized as KCI-registered journals.

To analyze research trends, the authors divided the catalogue of published papers into four time periods based on when major cyber attacks hit Korea after 2001. The major cyber attacks during this period were the 2003 internet disruption, the 2009 DDoS attack, and the KHNP hacking in 2014.

From 2001 to 2003, keywords related to the information society, laws, ethics, and passwords frequently appeared. Information security terms began to be used in the 2004–2009 period. For example, keywords and phrases such as “personal information protection,” “privacy,” “self-regulation,” “government regulation,” “RFID,” “risk analysis,” and “biometrics” began to creep into Korean academic and policy discussions. It was during this period that the Korean government began to regulate the internet. Measures such as an online identification system were implemented, but this led to controversy about freedom of expression on the internet. As a result, the need for self-regulation emerged and the Korea Internet Self-Governance Organization was established in 2008.

For 2010–2014, as in previous time periods, “information protection,” “information security,” and “personal information protection” appear at the top of the rankings. But keywords such as “security policy,” “information protection governance/management system,” and “cybersecurity” appear at the top for the first time, suggesting a further evolution in Korean thinking. Finally, from 2015 to September 2019, the top keywords were “information protection,” “information security,” “and “cybersecurity.” Related keywords such as “security,” “basic law,” “cyber terrorism,” and “cyber crime” were also widely used.

This study shows that terms with similar meanings to cybersecurity, such as “information protection” and “information security,” were incorporated into the research over time. Such terms often lacked clear definitions. Part of the reason for this is that due to interministerial competition, a cyber glossary was not (and still has not been) clearly defined by the government. The development of a cyber glossary, drawing on U.S. and other international research, is essential for the future development of Korea’s cybersecurity policy.

Strategic Training and Competition

In South Korea, the Cyber Conflict Exercise (CCE) is a competition sponsored by NIS and NSR and includes a so-called strategy game.24 During the CCE, situation report procedure and media response training are part of the strategy game to highlight the importance of comprehensive crisis response capabilities during a cyber crisis, and to improve not only technical response capabilities but also policy response capabilities.

Situation reporting is an activity that promptly “reports a summary of the current situation and related response activities accurately.”25 It is essential in the event of a cyber crisis. Quick, accurate analysis is needed to identify the cause of the accident and establish countermeasures, support rapid recovery, prevent further spread of damage, and promote coordination and cooperation in response with related domestic organizations.

Media response refers to the activities of participants in the competition to analyze trends in media such as newspapers and social networking services, and to respond to direct inquiries from media parties. In order to limit the cascading effects caused by attacks and minimize social confusion in a crisis, participants need to create content and prepare efficient and consistent communication measures that build and maintain the trust of the public and the media in peacetime as well as in crisis situations.

The policy training scenario consisted of a cyber attack on government agencies and infrastructure in a virtual city called Hope City, Korea, and simulated the response of government officials and other key players. A status report provided a cyber warning at each stage of the exercise. Participants briefed the “media” in the middle of the competition process, and via inquiries and answers on social media.

Most of the participants had no history of work related to situation reporting or media response, but they received positive evaluations, having gained experience in crisis communication and policy decisionmaking through strategic games. These games and simulations helped participants realize the need to improve policymakers’ ability to respond to a cyber crisis.

In 2021, the ROK joined the North Atlantic Treaty Organization’s Locked Shields exercise.26 Korea’s participation in the exercise was led by the NIS,27 which combines technical exercise and strategic exercise, and the government placed great significance in participating in strategic exercise.28

Strengths and Weaknesses of Korean Cybersecurity Capabilities

Korea is among the most connected economies in the world. This is expected only to intensify with the arrival of the Fourth Industrial Revolution (4IR) and its expansion of machine learning and artificial intelligence. Many Koreans view the 4IR as a new driving force for innovative growth in one of the world’s most innovative economies. Better cybersecurity will be a prerequisite to the success of the 4IR. That is why Korea is investing, including in international cyber partnerships, to promote better cybersecurity policies and practices at home while offering its distinctively Korean contributions to other countries.

K-Global Cybersecurity Capability Assessment and Applicability

Korea has developed a tool to make basic data available for cyber-related decisionmaking: the Korea Global Cybersecurity Capability Assessment (GCCA) tool.29 It assesses the national competency level through comparison and analysis with other countries according to selected criteria.

As interest in the GCCA has increased and research has continued, the scope of the project has expanded. Initially, the main purpose of the GCCA was to focus on understanding the current state of cybersecurity and suggest new directions for policy development and capability-building measures. Recent additions to the GCCA can help foster global cooperation, information sharing, and awareness raising. These additions facilitate sharing of policies, technical standards, and best practices between countries. Due to the global nature of cyberspace, the boundaries between countries are blurring and attacks using cyber infrastructures in other countries are easy to carry out and harder to attribute. For that reason, Korean government officials and corporate leaders tend to emphasize how international security is affected by cyber attacks to critical national infrastructure. Through capability assessment, Korea aims not only to strengthen cybersecurity, but also to lay the foundation for strengthening cybersecurity through cross-border cyber defense programs with international partners, enabling cooperative responses to global cyber threats. This trend is well reflected in the International Telecommunication Union’s Global Cybersecurity Index 2018.30

The GCCA was developed by the NSR using a national cybersecurity assessment methodology that reflects Korea’s own unique and distinctive characteristics. The assessment is conducted through expert surveys, with seventeen assessment criteria in five categories: policy, legislation, organization, technology, and education/training.

The policy category provides an assessment of the will and direction to strengthen cyber capabilities at the national level, and consists of five criteria, including cybersecurity policy and infrastructure protection policy. The legislation category provides an assessment of the legal basis for policy promotion, and consists of four criteria, including the level of development of cybersecurity regulations and critical infrastructure protection legislation and regulations.

The categories of organization, technology, and education and training assess the level of implementation of national cybersecurity policies and laws. In the organizational category, there are four criteria, including the level of development of the Korean organizations responsible for cybersecurity and the role of critical infrastructure protection organizations. In the technology category, there are three criteria: the level of development of cybersecurity R&D programs, the establishment of standards, and technology adoption. In the category of education and training, there are three criteria, including education programs for training professional manpower.

As assessment result indicators, rankings by country were derived for comparative analysis with leading countries. This helps decisionmakers to identify the strengths and weaknesses of each country. In comparison to other countries that have used the assessment tool, Korea was assessed relatively high in terms of the establishment of infrastructure protection standards and implementation of cybersecurity technologies. However, it was assessed to be relatively low with respect to governance and cybersecurity R&D education programs.

Strengths and Weaknesses of Korea’s Cybersecurity Capabilities

To analyze the strengths and weaknesses of Korea’s cybersecurity capabilities, therefore, the authors conducted an importance performance analysis (IPA). The IPA is a method that sets priorities by using the importance and performance of an analysis target.31 It has been used in various social science fields, such as public administration, policy studies, and business administration.

The IPA displays the results in a quadrant centering on the average value of importance and performance. In the GCCA, the x-axis was defined as the importance of each criterion and the y-axis was defined as the score for each criterion. The IPA matrix was derived by crossing the two axes using the median value for the x-axis and the average value for the y-axis as the origin. Quadrant I (“Keep up the good work”) are criteria with high importance and high scores, and it is desirable to maintain the current status. Quadrant II (“Possible overkill”) are criteria that scored higher than their importance and require passive management. Quadrant III (“Low priority”) reflect both low importance and performance, requiring mid- to long-term improvement. Quadrant IV (“Concentrate here”) includes criteria that have a high importance but a low score, so they involve items that need intensive improvement in the future.32

The importance of each criterion for the IPA was scored by surveying domestic experts in Korea. The IPA analysis of GCCA results for Korea show that the elements that need to be improved to bolster its cybersecurity capabilities mainly include national crisis management policies and legislation, and cybersecurity regulations. Criteria that need improvement in the medium to long term include cyber crime regulations, standards establishment and implementation, and education programs.

The Korean government announced its National Cybersecurity Strategy in 2019 and soon afterward announced its associated implementation plan, including eighteen key tasks and 100 detailed tasks in the National Cybersecurity Basic Plan. However, the government failed to assign priorities to each task in the strategy and the basic plan. In the future, according to the analysis of Korea’s global cybersecurity capability evaluation, it will be important for the efficiency of the implementation of each task to be improved by identifying the assessed criteria that need to be given a priority focus (quadrant IV).

Key Features of Cybersecurity Governance and Best Practices in Korea

Cybersecurity Governance

The ROK has continuously encountered cyber attacks. Cyber attacks have occurred at various scales—from simple phishing attacks to infrastructure paralysis. Therefore, the ROK has clarified the responsibilities of organizations addressing cyber threats and established laws and policies to prevent and respond to cyber attacks in both peacetime and crisis periods.

Most components of critical infrastructure in the ROK, including energy, water, and transportation, are designated as public institutions and are operated centrally by the state (almost 70 percent). So, the role of the private sector in strengthening the cybersecurity of critical infrastructure, while essential, is smaller than in many other countries. The state leads the collection and sharing of threat information regarding infrastructure, and the response to cyber attacks on critical infrastructure. Therefore, the establishment and implementation of cybersecurity policies for critical infrastructure could be quickly accomplished with active cooperation without significant opposition or extended negotiations.

Lastly, cybersecurity governance in the ROK involves the public sector, the private sector, and the military, with the National Security Council as the control tower. There is a cooperation framework covering the three sectors. In particular, the NIS, an intelligence agency, has been central since the beginning of the nation’s cybersecurity policy establishment in the early 2000s, and the Joint Cyber Threat Response Team (representing the three sectors) is also under the NIS. The NIS viewed cyber attacks as a national security issue and actively collected threat information. On the other hand, the illegal collection of information using software by the NIS has led to its role in cybersecurity being contentious and led to public distrust.

Good Practices

Over the years, the ROK has taken several measures to prevent recurrences of the damage caused by cyber attacks.

After the 2003 internet disruption, Korea established a mandatory system for constant backup.33 The central government introduced a backup solution near the end of 2003, and it became mandatory for local governments in 2004. After other incidents, countermeasures were focused on the development of defense technologies, such as a proactive response system for DDoS attacks that was established after the 2009 DDoS attack, as well as improving a rapid cyber treatment system for zombie computers following the 2011 DDoS attacks.34

In response to these incidents, the government also acted to strengthen information protection in the private sector. In January 2004, the government revised the Information and Communication Network Act to make safety checks of information protection mandatory.35 The safety check evaluates whether every provider of information and communications services and every business operator of agglomerated information and communication facilities complies with the government’s information protection guidelines to prevent intrusion incidents in the private sector.36 There were complaints from target companies regarding the burden of costs, but the government saw this as an opportunity to raise the security awareness and security level of internet-related companies overall.37

Given Korea’s extensive history with DDoS attacks, the network environment is well equipped with a DDoS attack response system. DDoS response solutions are installed throughout the network infrastructure, and regular simulation exercises are conducted to prepare for attacks. Also, the government distributes DDoS attack response guides to the public and private sector actors and provides blocking measures tailored to the type of attack.

In addition, the network separation system was introduced in central government ministries in 2006 and the network separation of the public sector was completed in 2010. The necessity of network separation in the private/financial sector emerged after the DDoS attacks in 2011, and the scope of the network separation regulations was expanded. The regulations are defined in relevant legislation by sector. According to this legislation, the public sector should separate internal and external networks, and companies, which have more than 1 million personal information records, should separate the computer network where personal information is stored.38 It further states that financial companies should block internet access from their business computers, and ensure that computers for system operation, development, and security are on separate networks.39

Cyber attacks can occur anytime. So thorough preparations are carried out when hosting large-scale events at the national level, such as the Olympics. Despite that, when Korea hosted the Winter Games at PyeongChang in 2018, information systems related to the Olympics were damaged and most services were stopped due to an attack by an advanced persistent threat (APT) that had been carefully prepared for a long time.

The organizing committee for the Olympics considered the possibility of a cyber attack during preparation and strengthened security when designing the system. In addition, high-intensity hacking exercises, penetration testing, training, information protection pre-diagnosis, and personal information impact assessments were also conducted.40 In particular, the committee installed a very advanced defense system against DDoS attacks, which are the main type of attack. The committee organized and operated on an information protection system that cooperated with government departments such as the NIS, the Cyber Police Agency, and Cyber Command, as well as an advisory organization composed of private companies and white hat hackers.

A quantitative evaluation of the effectiveness of various cybersecurity policies of the Korean government has not been conducted. However, the results of an annual survey targeting public organizations and private companies in charge of information protection show that the number of cyber attacks that cause damage is decreasing, and activities for preventing and responding to accidents are being strengthened.41

The National Intelligence Service annually surveys the number of cyber attacks in the public sector targeting 130 central administrative agencies.42 According to the survey, the number of cyber attacks that caused damage is continuously decreasing even though the number of cyber attacks is increasing.

The Ministry of Science and Technology also annually surveys more than 9,000 businesses to establish and implement information protection policies.43 According to this survey, the ratio of system and network security check and backup of important data has been increasing (see figure 18).

The ROK’s experiences could be useful for other countries to refer to when establishing cyber attack prevention and response systems. Until the last few years, the ROK has been a follower, adopting the cybersecurity policies of other advanced countries, but it is increasingly positioned to become a pioneer.

Further Considerations

Due to Korea’s tendency to focus on defense technologies and the fact that different agencies are responsible for different aspects of cybersecurity, the need for a systematic, national cybersecurity strategy was not given high priority. For years, there was no long-term plan or high-level coordinator capable of overseeing an effective national cybersecurity initiative. Instead, after each attack, narrow policy changes were adopted to improve incident response, based on the analysis and experiences with the recent attack.

But preparing to fight the last war does not provide better defenses against new and different threats. And in Korea, it has often seemed that the new policies were aimed primarily at responding to public sentiment and public opinion and showing that policymakers had learned from the postmortems after the incidents.44 Policies and institutions focused only on recovery and defense from severe attacks, not on fundamental improvements to the legal base or addressing related constitutional issues. The establishment of a basic cybersecurity law or strategy to specify essential elements for cybersecurity functions for national security purposes has not been promoted, leaving uncertainty about the direction of cybersecurity policy at the national level, who coordinates cybersecurity policy, the roles and responsibilities by each department, the authority and resources available for rapid response and prevention against cyber threat, and the scope of information collection and sharing.

After recognizing the problem, the NIS, which has a key role in cybersecurity in public institutions, promoted the Basic Cybersecurity Act in 2016, but it was not enacted due to disagreements with other ministries about their roles and responsibilities, and public distrust of the intelligence agency. It wasn’t until 2019 that the government established the first National Cybersecurity Strategy.

The NIS also promoted the preparation of related legislation but encountered opposition and ended up focusing on countermeasures. Time after time, there would be a push for new, far-reaching legislation, but the process would get bogged down, and momentum was lost. This is because there was a culture of “development first, security later,” since IT development was judged to be more important, and policymakers had questions about whether cyber attacks were really serious or threatened national security. Worse, because the various strategy documents were not useful, after each new attack, the narrowly focused policy solutions and systems created resulted in a patchwork of overlapping policies and systems.45

Finally, there has been no response to instigators of cyber attacks. Through government-led investigations, the reason and background of attacks are evaluated, and if the culprit is North Korea, it is ROK practice to have it be publicly attributed. There are few cases of public attribution in the event of attacks from other countries. Indeed, to date, in cases unrelated to North Korea, no prosecution or separate sanctions have been imposed on the attackers. For example, South Korea has not publicly confirmed that the PyeongChang Olympics incident was due to a cyber attack originating from Russia. Nor have there been cases of public attribution or sanctions to help deter frequent cyber attacks originating from China.

There are various reasons specific to Korea for the absence of public attribution.46 One is that the reliability of the results from investigations has been low because the technology to conduct these investigations has not been available in Korea and/or the Korean government has been unwilling to hire foreign computer forensics experts. Another is that there is simply no standing procedure in Korea for public attribution, especially when it comes to foreign actors other than North Korea. However, the ROK has shown willingness to take countermeasures in national cybersecurity strategy and is currently making efforts to identify culprits and prepare procedures for disclosure to deter cyber attacks.47

How Korea Can Improve Cyber Security Policy and Data Resilience

Korea clearly needs to overcome gaps in its cybersecurity policy in light of these challenges to its current policy approach and governance. Indeed, recent cyber attacks show the strengths and weaknesses of Korea’s current cybersecurity capabilities.

The government needs to begin by changing its posture both to deter and to respond to future cyber attacks. Even though Korea has been the target of several large-scale cyber attacks, an analysis of twenty years of major cyber attacks reveals no evidence of active responses against the attackers. In the case of an attack that caused anxiety to the entire nation, such as the attack on KHNP, there was no diplomatic response or action taken to respond to the attackers at all, even though a government joint investigation team analyzed the malicious code and Internet Protocol data used in the attack and found the source.

This should change in the future. The Korean government has announced its willingness to actively respond to attacks that undermine public trust. And the goal of ensuring a proactive deterrent against cyber attacks was included in the National Cybersecurity Strategy in 2019. As part of this, the government announced plans to actively respond to all cyber attacks that infringe upon national security and national interests by concentrating national capabilities and acquiring effective means to analyze causes of cyber attacks and identify the culprits.

Such a proactive response to cyber attacks would be welcome: it can contribute to raising awareness of cybersecurity among decisionmakers—in both the public and private sectors—and to raising the priority of cybersecurity when crafting future policies.

Second, it is necessary to expand the government’s effort to address issues of economic and security threats caused by cyber attacks. The Korean government’s established policies focus on political and military security in response to cyber attacks. However, cyber attacks on Korean cryptocurrency exchanges to steal financial profits are increasing, as demonstrated by the recent attacks on of Coinrail (2018), Bithumb (2018), and Upbit (2019).48 In addition, it was revealed that Korean universities were included in the cyber attacks when China took over IT systems used for marine science and technology research at three universities around the world in 2019.49 Chinese cyber attacks to steal intellectual property from other countries are also increasing.50

This shows that although cyber attacks are not equivalent to war or armed attacks, they can still cause billions of dollars of economic harm or lead to the theft of critical intellectual property in peacetime, threatening Korea’s economic security. For this reason, policymakers need to focus on economic, political, and military security in tandem. They must recognize that the internet and the cloud have become a space for military operations and that better defenses against cyber attacks are needed. In Korean cybersecurity policy, expanding the priorities for securing economic security and establishing cybersecurity policies that consider economic security seem to be ways to pursue effective benefits in establishing a cybersecurity framework.

Ultimately, Korea needs a national cybersecurity risk management system and many more concerted efforts to strengthen cybersecurity resilience in national public institutions. According to research by Specops Software, Korea ranked fifth in the world in terms of the number of cyber attacks between 2006 and 2020, and these attacks are occurring more and more frequently.51 Korea is also highly dependent on electronic government, ranking second in the UN’s 2020 Global E-government Development Index.52 Since cyber defenses will never be bulletproof, it is necessary to build tolerance and strengthen resilience against cyber attacks in order to prevent and respond to cybersecurity at the national level.

Backup systems are essential to minimizing damage. A key part of improving cyber resilience of national public institutions is expanding the introduction of cloud solutions through the Cloud Service Assurance Program (CSAP). The CSAP supplies public institutions with private cloud services that have verified safety and reliability, and it has a similar purpose to the United States’ Federal Risk and Authorization Management Program. The scope of certification covers all cloud services for public institution work and services including assets (such as ICT systems, facilities, and so on), organization and management, operations, and support services. There are fourteen categories of control for certification, including cybersecurity policy and organization, supply chain management, and incident management.

If the cloud service is expanded in government agencies, high-quality security solutions (such as antivirus, intrusion detection, and response systems) can be made available at a low cost. In addition, strengthening the security of cloud computing systems can prevent damage and destruction of important data, which will contribute to resilience. This will help the Korean public sector ensure a more rapid response in the event of a future cyber crisis.

Notes

1 Korea has been making continuous efforts to realize an information society, first introduced the internet in 1982, and commercialized it in 1994. NIS, “National Cybersecurity White Paper 2004” (in Korean), 2004, p. 3.

2 Awareness of information protection has increased across the country, including government agencies and telecommunication companies after the 2003 internet disruption. NIS, “National Cybersecurity White Paper 2004” (in Korean), 2004, pp. 6–7.

3 OECD, “Declaration for the Future of the Internet Economy (The Seoul Declaration),” OECD/LEGAL/0366, adopted on June 17, 2008.

4 “Seoul Framework for and Commitment to Open and Secure Cyberspace,” United Nations, 2013,

https://www.un.org/disarmament/wp-content/uploads/2019/10/ENCLOSED-Seoul-Framework-for-and-Commitment-to-an-Open-and-Secure-Cyberspace.pdf.

5 JinKyu Kang, “NIS, National Cyber Security Strategy to Be Implanted in the Second Half of Year,” Digital Times, June 11, 2009, https://www.dt.co.kr/contents.html?article_no=2009061202010560739004.

6 The National Security Research Institute has hosted the GCPR since 2014 five times with NCSC and Ministry of Foreign Affairs (three times).

7 Sea Min, “Significantly Strengthen National Cybersecurity” (in Korean), BoanNews, March 18, 2015, https://www.boannews.com/media/view.asp?idx=45697&kind=2.

8 NIS et al., “White Paper on Information Security 2004” (in Korean), 2004, p. 7.

9 From 2015 to 2018, the NSC designated the cybersecurity adviser to lead the cybersecurity efforts nation-wide, however, this position was merged with the cyber information convergence adviser under the same NSC.

10 NIS et al., “White Paper on Information Security 2021” (in English), 2021, p. 64.

11 The NCSC investigates the causes and attack vector of cyber incidents that occur in the national computer network and shares information to prevent and respond to cyber attacks in the public sector.

12 Most critical infrastructure in the ROK is owned by public institutions and is operated by the government. In fact, the Korean government continued to promote the privatization of public enterprises to enhance the competitiveness of public institutions, and as a result, some infrastructure such as finance, power generation, telecommunications, airports, and transportation were privatized. However, due to various problems such as resistance from stakeholders and lack of information on the privatization of public enterprises, partial privatization happened rather than absolute privatization, and in many cases, the ownership could not be transferred. As a result, the company manages and operates the infrastructure, but the government budget is injected and the government can intervene in the management. As a result, the government is leading efforts for infrastructure cybersecurity, but management and operating companies are also actively participating in the development and implementation of government policies.

13 Supra note 12, p.6

14 National Security Office of Cheong Wa Dae, “National Cybersecurity Strategy” (in Korean), April 2019.

15 National Security Office of Cheong Wa Dae, “National Cybersecurity Basic Plan” (in Korean), September 2019.

16 In English, the NCSC has been represented as the National Cyber Security Center, however, it was originally named the National Cyber Safety Center. This has resulted in some confusion about the NCSC among Koreans.

17 Kum Hyun, “How Did Security Become ‘Security’ (An-bo in Korean)? Focusing on the Process of Transition to ‘Safety’ (An-jeon in Korean), ‘Ensure Security’ (An-Jeon Bo-Jang in Korean), and ‘Security’ (An-bo in Korean),” Korea Journal of International Relation 60, no. 4 (2020): 41–77.

18 The National Cyber Security Management Decree defines as follows: The term “cyber attack” means any attack that illegally invades, disrupts, paralyzes, destroys, or intercepts information on the national information and communications network by electronic means, such as hacking, computer viruses, logic bombs, mail bombs, service interruptions, etc. The term “cyber safety (security)” means the state of maintaining stability, such as the confidentiality, integrity, availability, etc. of national information and communications networks by protecting the national information and communications network from cyber attacks. The term “cyber crisis” means a situation in which information distributed and stored through information and communication networks from cyber attacks is leaked, changed, or destroyed, affecting national security, creating social and economic chaos, or undermining or suspending key functions of the national information and communication system.

19 Korean National Law Information Center, “National Intelligence Service Act” (in Korean), https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EA%B5%AD%EA%B0%80%EC%A0%95%EB%B3%B4%EC%9B%90%EB%B2%95.

20 Supra note 23, p.10.

21 Ministry of Economy and Finance, “Korean New Deal: National Strategy for a Great Transformation,” April 2020. See https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4948.

22 Minkyung Song, “Trend Analysis of Information Protection Research in Korea,” Korea Institute of Information and Security and Cryptology, Chungcheong Chapter (KIISC CC), 2019.

23 The KCI is a system to analyze citation relationship among articles in a database of domestic journals, articles (including original papers), and other references.

24 It was conducted at the CCE 2019 by the authors.

25 “Situation Report (SITREP) Template,” Persimmon Group, April 3, 2016, https://www.thepersimmongroup.com/situation-report-sitrep-template/.

26 Locked Shields is NATO’s cyber defense exercise. See more at https://www.ccdcoe.org/exercises/locked-shields.

27 The NIS formed a joint team with the Korea Electric Power Corporation and the National Security Research Institute. Technical training to defend against attacks on systems and strategic training to introduce Korea’s cybersecurity policy were conducted by dividing manpower by sectors such as energy, defense, and network.

28 ByungChul Won, “NIS Participates in Locked Shield, Which Is World’s Largest Cyber Defense Exercise, for the First Time,” BoanNews, April 14, 2021, https://www.boannews.com/media/view.asp?idx=96502.

29 Sunha Bae and Minkyung Song, “K-Global Cybersecurity Capacity Assessment and Application,” GCPR 2019, September 30, 2019.

30 The Global Cybersecurity Index (GCI) is a multi-stakeholder initiative to raise cybersecurity awareness and to measure the commitment of countries to cybersecurity and its wide field of application cutting across industries and sectors. Find the 2018 edition at https://www.itu.int/pub/D-STR-GCI.01-2018.

31 John A. Martilla and John C. James, “Importance-Performance Analysis,” Journal of Marketing 41, no. 1 (1977): 77–79.

32 Supra note 37, p.18.

33 Gayong Moon, “2003: 1.25 Internet Disruption, Changing the Frame of Information Protection,” BoanNews, May 12, 2019, https://www.boannews.com/media/view.asp?idx=79427.

34 Gilju Lee, “Established a DDoS Response System for Public Institutions,” Korea Information Telecommunication News, October 2009, http://www.koit.co.kr/news/articleView.html?idxno=32885; Chulsun Park, “3.4 DDoS Cyber-Attack Response and Future Countermeasures,” Korea policy briefing, March 2011, https://www.korea.kr/news/policyNewsView.do?newsId=18709693.

35 Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. (January 29, 2004) Article 46(30), see https://www.law.go.kr/LSW//lsInfoP.do?lsiSeq=58583&chrClsCd=010203&urlMode=engLsInfoR&viewCls=engLsInfoR#0000.

36 The Safety Check of Information Protection System was changed to the ISMS (Information System Management System) in 2012.

37 Sujeong Sin, “Issues and Implications for the Safety Check of Information Protection System,” BoanNews, March 13, 2006, https://www.boannews.com/media/view.asp?idx=1688&direct=mobile.

38 Enforcement decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. (August 18, 2012); National Information Security Basic Guideline (Confidential).

39 Dain On, “Network Separation Regulations Need to Be Reorganized in Accordance With Data Importance,” ETNews, June 28, 2020, https://etnews.com/20200626000119.

40 Kyungae Kim, “PyeongChang Olympic Target Attack! Defense With Real-Time Detection and Sharing System,” BoanNews, January 9, 2018, https://www.boannews.com/media/view.asp?idx=65988&kind=2.

41 The results of survey are published annually through the “White Paper on Information Security.” The English version of the “White Paper on Information Security” will be published this year, and more detailed information can be found in this.

42 NIS et al., “White Paper on Information Security 2021” (in Korean), 2021, p. 218.

43 NIS et al., “White Paper on Information Security 2021” (in Korean), 2021, p. 243.

44 Final research report for commissioned project in KISA, “A Study on the Comparative Method of Information Protection Legislation to Strengthen the Cyber Security Framework (KISA-WP-2015-0042),” 2015.

45 In order to address the lack of a single point person to lead responses to cyber attacks, the NCSC was designated as a “control tower” by the National Cyber Crisis Comprehensive Countermeasures (2009) and the National Cyber Security Master Plan. Nevertheless, criticisms of the lack of coordination continued until the National Cyber Security Comprehensive Measures (2013) designated the Blue House National Security Office as the “control tower.”

46 Public attribution in its most elementary form is the blaming of a particular actor as responsible for a cyber incident. It can be done by a variety of actors, including governments, companies, and NGOs. But public attribution by the government is mainly considered in this chapter because government action to assign blame is an inherently political act. Florian J. Egloff, “Contested Public Attributions of Cyber Incidents and the Role of Academia,” Contemporary Security Policy 41, no. 1 (2020): 55–81.

47 National Security Office of Cheong Wa Dae, “National Cybersecurity Strategy,” April 2019, p. 16.

48 HyungJoong Yoon, “Coinrail Hacking, 10 Types of Coins Such as Ethereum Leaked Worth 45 Billion Won,” Coindesk Korea, June 11, 2018, http://www.coindeskkorea.com/news/articleView.html?idxno=22904; BBC News Korea, “Exchange Hacking Continues to Steal 35 Billion Won Worth of Virtual Currency,” June 20, 2018, www.bbc.com/korean/news-44543609; GeunMo Park, “Upbit Hack Ethereum About 20,000 Out of 342,000 Can Be Washed,” Coindesk Korea, January 16, 2020, http://www.coindeskkorea.com/news/articleView.html?idxno=65024.

49 Emily Price, “Chinese Hackers Targeted 27 Universities to Steal Maritime Research, Report Finds,” Fortune, March 5, 2019, https://fortune.com/2019/03/05/chinese-hackers-targeted-27-universities-to-steal-maritime-research-report-finds/.

50 According to the Council on Foreign Affairs’ Cyber Operations Tracker, in 2017, the Bronze Butter Group spied on companies in the fields of biotechnology, electronics manufacturing, and chemistry. In 2018 and 2020, China’s Winnti Group conducted cyber attacks targeting Korean game and software companies. In 2020, malicious hackers used Bisonal malware to attack Korean companies and also appeared to use spear phishing to attack government research institutes in Korea.

51 Lanna Deamer, “Which Countries Have Been Most Targeted by Cyber Attacks?,” Electronic Specifier, July 21, 2020,

https://www.electronicspecifier.com/products/cyber-security/which-countries-have-been-most-targeted-by-cyber-attacks.

52 See https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2020.

A Korean Approach to Data Localization

Introduction

Access to and the sharing of data are increasingly critical to achieve digital transformation and data-driven innovation. In the last few years, countries have focused on “data governance,” in particular how, where, and when data, including personal data, should be collected, stored, combined, and analyzed.1 In June 2020, President Moon Jae-in of the Republic of Korea (hereinafter the ROK or Korea) announced the Digital New Deal to spearhead a forward-looking innovative economy. The Digital New Deal envisioned an accelerated transition to a digital economy by extensively digitalizing the national infrastructure while fostering the DNA—data, network, and artificial intelligence (AI)—ecosystem and non-face-to-face industries.2 The government’s new focus on data governance reflects both technological and social dynamics: the growing importance of global cloud computing services; the emergence of new, powerful big data and machine-learning algorithms; and increasing public concerns about data protection and cybersecurity.

Despite the growing need for access to data and the resulting economic and social benefits, data access and sharing have not realized their full potential due to ever-growing barriers to data access. Many countries have practiced data localization (also known as data localism or data nationalism), such as requiring data, particularly personal data, be stored and accessible inside their borders. This has certainly complicated cross-border data flows with the effect of restricting the development of digital economy. The privacy, data protection, and cybersecurity concerns used to justify data localization are real and important.3

Korea is often listed among those countries with significant data localization requirements.4 Privacy or data protection is certainly a major driver of the controls on cross-border data flows in Korea. However, Korea joined the Cross-Border Privacy Rules (CBPR) system of the Asia-Pacific Economic Cooperation (APEC) in June 2017. Korea has been bolstering privacy protections and diminishing barriers to data flows among the APEC economies that joined the CBPR, including Canada, Japan, and the United States. This chapter focuses on the evolution of Korean policy of data protection and cross-border data flows by analyzing the relevant Korean laws.5 It explores how Korea has been making efforts to balance between the use of personal data and the data protection internally and to successfully facilitate cross-border data flows.

The Korean Legal Framework for Data Protection and Privacy

Privacy and data protection in Korea are addressed generally by Articles 17, 16, and 18 of the Korean Constitution and specifically by various laws. These articles in the Korean Constitution track Article 12 of the Universal Declaration of Human Rights and Article 17(1) of the International Covenant on Civil and Political Rights: The privacy of citizens must not be infringed, all citizens must be free from intrusion into their place of residence, and the privacy of correspondence of citizens must also not be infringed. Although data protection or the protection of personal information is not explicitly stipulated in the Korean Constitution, in 2005, the country’s Constitutional Court recognized the existence of the right to self-determination of personal information as a fundamental right.6

Over the last twenty years, several laws on privacy and data protection have been enacted in Korea that flow from these constitutional and legal strictures. Korea enacted the Personal Information Protection Act (PIPA) on March 29, 2011, which became effective on September 30, 2011. This was supposed to be Korea’s general law on data protection as it applied to the processing of personal information in both the private and public sectors.7 However, the Act on Promotion of Information and Communications Network Utilization and Information Protection (known as the Network Act) in 2016 ultimately had a larger impact on the private sector because it applies to the protection of personal information processed by information and communications service providers in the internet environment. Through the so-called three data laws’ amendment adopted by the National Assembly on January 9, 2020, the PIPA has become at last a truly general law on data protection by taking those provisions on data protection under the Network Act.8

Korea has adopted special laws on data protection covering different sectors or types of personal information (see table 10).

Implementation of Korean Privacy and Data Protection Laws

The Personal Information Protection Commission

Through the three data laws’ amendments of 2020, the Personal Information Protection Commission (PIPC) has become a genuinely independent supervisory authority, similar to those found in European Union (EU) countries under the General Data Protection Regulation (GDPR).9 The PIPC sits under the Office of the Prime Minister and is charged “to independently conduct work relating to the protection of personal information.”10 The PIPC chairperson is subject to the direction and supervision of the prime minister, according to the president’s orders. Nevertheless, the following missions are not subject to the prime minister’s direction and supervision: matters concerning investigation into infringement upon the right of data subjects and the ensuing dispositions; the handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information; and matters concerning the assessment of data breach incident factors.11

Balancing the Use and Protection of Personal Information

The PIPA purports to protect personal information. Its purpose is “to protect the freedom and rights of individuals, and further, to realize the dignity and value of the individuals, by prescribing the processing and protection of personal information.”12 Like many data protection laws around the world, the PIPA was enacted by referring to the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which are regarded as model data protection principles in most countries. Unlike the OECD guidelines, the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (108 Convention) of the Council of Europe and the GDPR, however, the purpose of the PIPA does not explicitly mention the use or cross-border flows of personal information.13 The PIPA has been dubbed “Asia’s toughest data privacy law” by the scholars Graham Greenleaf and Whon-il Park, as it tilts the balance in favor of the protection of personal information.14

Still, the approach to and the level of data protection provided in the PIPA have been criticized for obstructing the advancement of the Fourth Industrial Revolution, which relies on big data analytics and artificial intelligence. Thus, the revision of the legislative framework for data protection has been a hotly debated part of regulatory and institutional reforms suggested by the Presidential Committee on the Fourth Industrial Revolution (PCFIR). There were several hackathons and deliberations by the PCFIR to reform data protection laws in early 2018. The results were reflected in the amendment to major laws relating to data protection introduced in the National Assembly on November 15, 2018. The three data laws’ amendment enacted in February 2020 expanded the PIPA and gave the PIPC independent and stronger enforcement powers. Yet industry representatives used the slogan of the Fourth Industrial Revolution and blocked the efforts of nongovernmental organizations trying to stick to stronger protection of personal information.15 It remains to be seen whether the application and implementation of Korean data protection laws (including the PIPA) will really encourage more active and innovative use of personal information.

Korea has not been an island in developing its data protection regime. Indeed, Korean laws on data protection have developed by referring to the international documents as well as foreign laws like the European Union’s GDPR. Through the three data laws’ amendment, for example, new concepts like pseudonymization were adopted by the PIPA and the Credit Information Act, and data portability by the latter law.16 These concepts had already been introduced by the GDPR. Moreover, the PIPC is designed to be precisely the type of supervisory authority provided for in the GDPR, as Korea has been trying to meet the GDPR’s adequacy criteria.17 On March 30, 2021, the PIPC and the European Commission jointly announced the successful conclusion of the adequacy talks between Korea and the EU. The adequacy decision is expected to be made by the European Commission sometime in 2021.18 The adequacy dialogue confirmed the high degree of convergence in data protection between Korea and the European Union. Achieving an adequacy decision from the European Commission may imply that Korean laws on data protection will correspond to the developments of the GDPR if Korea intends to keep an adequacy status.

Cross-Border Transfer of Personal Information and Data Localization Under Korean Laws

Korea’s data protection laws, including the PIPA, constrain any company or government agency wishing to transfer personal information outside Korea. The data, other than personal information, is protected under the laws governing intellectual property in Korea.19 The U.S. government and industry have argued that the restrictions the PIPA imposes on the transfer of personal information outside of Korea are too strict, and this has become a subject of contention between the two countries.20

Cross-border transfer of personal information may be classified into two types for regulatory purposes: providing personal information to third parties abroad and outsourcing personal information processing abroad. In most cases, providing personal information to third parties is conducted for the benefit of the transferee, while outsourcing of personal information processing is conducted for the benefit of the transferor.21 The differences between the two types of cross-border transfer are substantial, especially for the personal information of information and communications service users (hereinafter IT service users). The prior consent of and some form of notice to IT service users are required for providing personal information to third parties abroad, whereas outsourcing does not necessarily require prior consent of IT service users.22 For outsourcing the processing of personal information, the notice and consent may be replaced, inter alia, by the posting of the required notice in the controllers’ privacy policies.23

Providing Personal Information to Third Parties Abroad

Under the PIPA, when providing data subjects’ personal information to third parties abroad, the controller must obtain the prior consent of those data subjects.24 To do this, a controller must follow the same procedure used to notify data subjects about how their personal information might be transferred to domestic third parties. In both cases, data subjects must be notified: the entity to which the personal information is provided; the purpose of using the personal information by the entity to which such information is provided; the particulars of the personal information to be provided; the period of time when the personal information will be used and retained; and the fact that the data subject is entitled to refuse consent, and the disadvantages, if any, resulting from the refusal to give consent.25 These requirements are regarded to be “stringent” on service providers seeking to transfer customer data outside Korea.26

Transferring IT Service Users’ Personal Information Abroad

The PIPA has special provisions applying to the transfer of personal information abroad by information and communications service providers (hereafter IT service providers).27 Thus, the general provisions applicable to providing personal information to third parties abroad, as provided in Article 17(3), do not apply to transferring personal information of the IT service users abroad. IT service providers must obtain IT service users’ consent if they intend to provide, outsource the processing of, or store IT service users’ personal information abroad. IT service providers must notify IT service users of the following information in advance before obtaining such users’ consent: the particulars of the personal information to be transferred; the country to which the personal information is transferred, the date of transfer, and transfer methods; the name of the entity to which the personal information is transferred; and the purpose of using the personal information and the period of retaining and using such personal information by the entity to which such information is transferred.28

IT service providers must implement safeguards as prescribed by the Enforcement Decree of the Personal Information Protection Act (hereinafter Presidential Decree 30892) if they intend to transfer the personal information of IT service users abroad with the prior consent of the latter.29 The safeguards to be implemented are measures to ensure the safety for protecting personal information in accordance with internal management plans, measures to handle the complaints relating to data breach and dispute resolution, and other measures necessary to protect IT service users’ personal information.30 IT service providers intending to transfer personal information abroad must in advance consult the safeguards mentioned above with the entity to which such information is transferred and reflect them in the terms of any contract.31

IT service providers need not obtain IT service users’ consent to outsource the processing of or storage of such personal information. However, if all the items, which must be notified to IT service users, are made public in the privacy policy of the IT service providers or if the IT service users are notified using a method such as email, or by another method prescribed by Presidential Decree 30892, including written notices.32 IT service providers must obtain IT service users’ consent, however, when providing, including accessing, IT service user’s personal information to third parties abroad.

Onward Transfer of IT Service Users’ Personal Information to a Third Country

The entity to which the personal information of IT service users is transferred, when transferring such information to a third country, must comply with the provisions of the PIPA applicable to transferring such information abroad.33 Thus, for the onward transfer of IT service users’ personal information, Articles 39-12 (1 through 4) for the cross-border transfer of personal information discussed above must be observed by such IT service providers transferring to another third country. The data protection during onward transfer is an element for the adequacy decision by the European Commission.34

Designation of Domestic Agents

IT service providers with no address or business office in Korea that meet the criteria prescribed by Presidential Decree 30892 must designate a domestic agent in writing.35 A foreign IT service provider is required to designate a domestic agent if it has sales for the preceding year that reached or exceeded 1 trillion Korean won, roughly equal to $890 million; its sales from IT services for the preceding year reached or exceeded 10 billion Korean won, roughly equal to $8.9 million; it stored or maintained at least 1 million domestic users’ personal information on an average daily basis over the three months immediately before the end of the preceding year; or it caused or is likely to cause a data breach incident in violation of the PIPA and was required by the PIPC to submit relevant articles, documents, and so on as part of an investigation.36

On behalf of the IT service provider, the domestic agent does the following: fulfilling the role of a data protection officer; notifying and reporting data breaches, including the loss, theft, or divulgence of personal information; and submitting related articles, documents, and so on when required by the PIPC.37 If the domestic agent violates the PIPA, its IT service provider is deemed to have committed such a violation.38 A domestic agent must have an address or business office in Korea.39 When a domestic agent is designated, contact information for the agent must be included in the privacy policy.40 Through the designation of a domestic agent, the PIPA may have de facto extraterritorial effect by indirectly controlling those foreign IT service providers abroad.41

Reciprocity and the Transfer of Personal Information Abroad

When implementing data protection laws, countries must deal with a tension between the desire to encourage the inbound cross-border data flows and the need to ensure their citizens’ personal data is protected at home and abroad. Countries with equivalent levels of data protection will allow and encourage cross-border data flows between each other.42

Recently, countries like China, Russia, and Vietnam have restricted cross-border flows of personal information. In reaction to these actions, Korea has embraced the reciprocity principle to encourage and enable the cross-border transfer of personal information. Thus, personal information may not be allowed to be transferred to foreign IT service providers located in a country that restricts the transfer of personal information abroad.43 This provision was designed to respond to the different levels of data protection in different countries. However, the requirement of reciprocity is not applicable when the transfer of personal information abroad is necessary to implement a treaty or other international agreement.44 The proper application of the reciprocity principle would require detailed internal guidelines so as not to impair bilateral relations with those countries to be subject to the restrictions applied by Korea. Although there needs to be a flexible and reasonable response to other countries’ restrictions on cross-border flows of personal information, there must be clear guidelines for the reciprocity principle to apply consistently and proportionately. The implementation of the reciprocity principle is also to be added to the missions of the PIPC.

Export of Location-Based Data Disputed by the United States

The Act on the Establishment, Management, etc. of Spatial Data (Spatial Data Act) prescribes matters concerning the standards and procedures for the surveying of land and waterways as well as the preparation, management, and so on of cadastral records and comprehensive real estate records.45 The Spatial Data Act has a provision that may affect the cross-border transfer of information, particularly location-based data. No person can take abroad the results of a fundamental land survey: when it is likely to harm national security (or other important national interests) or when the land survey data are confidential as defined by other statutes.46 In addition, no person can take abroad the results of a publicly available survey in cases where it is likely to harm national security (or other important national interests) or where the data are confidential.47 Nevertheless, a consultative body may make a decision to allow the results of a fundamental survey to be taken abroad after the national security implications of doing so are considered.48

There is no general legal prohibition on exporting location-based data in Korea. Nevertheless, Korea has not approved the exportation of location-based data, although there have been numerous applications by foreign suppliers.49 U.S. companies, including Google, seeking approval to export location-based data in order to offer competitive mapping and navigation services, have argued that Korea is linking such approval to individual companies’ willingness to blur satellite imagery of Korea on their global mapping service sites for national security concerns.50 As a matter of fact, Article XXI of the General Agreement on Tariffs and Trade (GATT) provides for the security exceptions, which are supposed to be judged by the claiming World Trade Organization (WTO) member itself.51 Nevertheless, the United States argues that Korea is the only significant market in the world that maintains such restrictions on the export of location-based data.52

Cross-Border Transfer of Personal Information and Data Localization Under Korean Foreign Trade Agreements

Korea has been an assertive player in negotiating bilateral, plurilateral, and multilateral trade agreements. As such, it has negotiated some data-specific provisions that have influenced, or been influenced by, its domestic paradigm. Since the conclusion of its first free trade agreement (FTA) with Chile in 2003, Korea has concluded twenty-one FTAs.53 The Korea-Chile FTA does not have provisions on cross-border data flows and data localization as such, but its subsequent FTAs generally do. Those data localization provisions, except for the Regional Comprehensive Economic Partnership (RCEP), address the location of computing facilities in the context of financial services.

Under the Korea-EU FTA and the Korea-U.S. FTA, Korea expressed its intent to undertake modification to its regulatory regime that will result in its adoption of approaches that will permit the transfer of financial information across borders while addressing such areas as the protection of sensitive information of consumers, prohibitions on unauthorized reuse of the sensitive information, the ability of financial regulators to have access to records of financial service suppliers relating to the handling of such information, and requirements for the location of technology facilities.54

Under the Korea-U.S. FTA, the parties recognize the importance of the free flow of information in facilitating trade, and thus they must endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders.55 This “endeavor” obligation for free flows of electronic information across borders, although not being directly binding, must be a commitment by the parties, in principle, to not impose data localization requirements. Notably, there are no provisions on data localization in the Korea-China FTA. The rigid requirements of data localization provided in China’s various laws and regulations may explain why no provision was agreed on data localization in the Korea-China FTA.56

The RCEP includes provisions on the location of computing facilities in Chapter 12 on electronic commerce.57 First, the parties recognize that each party may have its own measures regarding the use or location of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.58 Second, any party must not require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that party’s territory.59 Third, a party is not prevented from adopting or maintaining any measure inconsistent with the obligation not to require the use or location of computing facilities that it considers necessary to achieve a legitimate public policy objective.60 The measure taken above must not be applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.61 In addition, a party is not prevented from adopting or maintaining any measure that it considers necessary for the protection of its essential security interests.62 Such measures must not be disputed by other parties.63 Thus, the essential security interests may work as a definite and decisive excuse for adopting or maintaining the measures regarding the use or location of computing facilities.

Lessons From Korea’s Experience

Korea has become a major manufacturing powerhouse and, like other countries, seeks to anchor its next economic surge in the deployment of data and the development of a digital economy. To make breakthroughs in the Fourth Industrial Revolution and cultivate new industries and growth paths, Korea has adopted several national strategies and policies to fully use data including personal information. Thus, the Personal Information Protection Act was recently amended to cover pseudonymization of personal information to facilitate more use of personal information, following the example of the EU’s GDPR. Korea has also supported free cross-border flows of personal information in the development of digital trade rules in the WTO and the G20 as well as its FTAs.

Korea needs more good quality data, including personal information, ready and fit for uses in the global digital economy. This means Korea needs both stronger data protection within its borders and free cross-border data flows with limited data localization requirements outside its borders.

The challenge, then, is that Korea needs to keep its data protection laws effective to protect data subjects while enabling more use of personal information and developing the digital economy. The digital economy can develop stably only with the trust of customers or clients who willingly provide their personal information. The good news is that after four years of negotiation, the European Commission is expected to make an adequacy decision in Korea’s favor later in 2021, as it already issued a draft decision on the adequate protection of personal data by Korea on June 14, 2021. After the PIPA is formally recognized to have an equivalent level of data protection to the GDPR, Korea will be able to import more good quality personal information from the EU. And, in a sense, the EU, for its part, will be able to export its data protection rules to Korea. Korea’s data protection laws, including the PIPA, are very likely to be affected by the developments in the EU.

Data protection laws protect data subjects in processing their personal information. Data protection is considered a fundamental right both in the EU and in Korea. Thus, the collection and use of personal information must be based on the consent of data subjects in principle from the perspective of the right to self-determination of personal information. However, the consent of data subjects is not given priority in comparison to other legal bases for the collection and use of personal information both in the EU and in Korea. Critics of Korean privacy laws argue that Korea allows the cross-border transfer of personal information only upon the consent of the data subjects concerned. This rule in the PIPA would indeed restrict the cross-border transfer of personal information, but the PIPA is expected to be amended later in 2021 to cover other legal bases for cross-border transfer of personal data, like those in the GDPR. As the PIPA has the reciprocity principle to discourage the restriction of the cross-border flows of personal information, Korea will have to facilitate the outbound flow of personal information.

Privacy and data protection and cybersecurity in the digital economy need to be understood in a different way from the current WTO rules, which were negotiated and agreed without knowing the digital economy or trade in data properly. These concepts have been an important exception to free trade in the GATT and the General Agreement on Trade in Services (GATS), but in the digital economy and digital trade, privacy and data protection are important to obtain and sustain the trust of individuals. Cybersecurity is also important to protect the flows of data. Thus, privacy and data protection and cybersecurity are to be recognized as essential elements positively supporting the stable operation of digital trade where data, including personal information, flows cross country borders. In this respect, privacy and data protection and cybersecurity measures should not be viewed as unjustifiable or unreasonable causes of data localization, although they must not be unjustifiably misused or abused intentionally.

The problem is that there are not yet international agreements governing privacy and data protection, on the one hand, and cybersecurity, on the other. Indeed, there is a conspicuous gap in data protection levels even between democratic allies such as the United States and EU countries. Even after almost twenty years of negotiation on cybersecurity in the United Nations, there is no hope of reaching an international agreement in the near future.

One of the main tacit purposes of the GATT and the GATS was a need for governments not to interrupt international free trade by prescribing what they are allowed to do or not. Likewise, there is a good and urgent need for an international agreement for digital trade where governments are not allowed to unjustifiably interrupt cross-border flows of data. Privacy and data protection and cybersecurity are most common and plausible justifications that governments may raise for the sake of human rights and national security, respectively. Thus, a plurilateral agreement on trade-related aspects of electronic commerce, or on digital trade, being negotiated in the WTO can only be successful if it covers privacy and data protection and cybersecurity sufficiently to support digital trade or trade in data. Then, it seems that the digital trade provisions in the RCEP would affect the negotiations of digital trade rules in the WTO, as China is a major supporter of those provisions on its own. It remains to be seen whether the digital trade provisions to be agreed in the WTO would advance further in favor of free cross-border data flows than those of the RCEP. Newly negotiated digital trade rules of the WTO must be better than the United States-Mexico-Canada Agreement (USMCA), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the RCEP in dealing with privacy and data protection and cybersecurity at least in the context of digital trade.

Considering that many contracting parties to both the RCEP and the CPTPP are in the same boat, the difference in forging a way forward may come from countries that become first-movers. In a sense, China was the driving force behind the rather restrictive digital trade rules in the RCEP, while the United States was the driving force of the rather free digital trade rules in the Trans-Pacific Partnership agreement, the forerunner to the CPTPP. Korea has to push this debate and rule-making process forward. After all, the RCEP and its digital trade rules, in particular, may not satisfy Korea’s desire to develop digital trade. Thus, Korea needs to go further. For one, it must join the CPTPP in order to benefit from its much freer digital trade rules. If the United States also joins, the CPTPP may become a more influential instrument for digital trade than the RCEP. And that is not all. Korea and its democratic trading partners must also be more ambitious in negotiating and agreeing to freer digital trade rules in the WTO. Those digital trade rules must have more meaningful and effective rules on privacy and data protection and cybersecurity to support the stable operation of digital trade even for a limited number of WTO members in the beginning.

Korea has an important role to play in this effort because it has successfully developed data protection laws over the past ten years. And the impending PIPA amendment will further facilitate the use of personal information by adopting new elements like data portability and the right to respond to automated decisions. The PIPA amendment will also cover other legal bases for cross-border transfer of personal information in addition to the consent of data subjects. In this way, Korea, both by its own example and as a prospective leader in plurilateral and multilateral trade negotiations, could drive forward a new architecture of digital trade including data localization rules.

Acknowledgments

I would like to express my deepest appreciation to the Carnegie Endowment for International Peace, in particular Tim Maurer for inviting me to write the chapter, Evan Feigenbaum for encouraging the conduct of research, Michael Nelson for giving me good suggestions after a thorough review, and Alexander Taylor for taking care of administrative matters.

Notes

1 For example, on November 25, 2020, the European Commission published the Data Governance Act (DGA) in response to a public consultation on the European Strategy for Data. The DGA aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. See also Australian Government, “Data Governance Framework 2020,” approved on August 24, 2020, https://www.aihw.gov.au/getmedia/a10b8148-ef65-4c37-945a-bb3effaa96e3/AIHW-data-governance-framework.pdf.aspx. This chapter uses the terms “personal data” and “personal information” in the same way. The latter is more often used in the context of Korean laws.

2 Cheong Wa Dae (President’s Office of Korea), “Opening Remarks by President Moon Jae-in at 6th Emergency Economic Council Meeting,” June 1, 2020, https://english1.president.go.kr/Briefingspeeches/Speeches/833. The Korean government has been pursuing digital economic policies based on the “Fourth Industrial Revolution Action Plan” made in November 2017.

3 For discussing the causes or reasons for data localization, see Joshua P. Meltzer, “Data and the Transformation of International Trade,” Brookings Institution, March 6, 2020, https://www.brookings.edu/blog/up-front/2020/03/06/data-and-the-transformation-of-international-trade/.

4 United States Trade Representative, “2021 National Trade Estimate Report on Foreign Trade Barriers,” March 2021, pp. 323–35; International Regulatory Strategy Group, “How the Trend Towards Data Localisation Is Impacting the Financial Services Sector,” December 2020, https://www.irsg.co.uk/assets/Reports/IRSG_DATA-REPORT_Localisation.pdf; and Nigel Cory, “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?,” Information Technology and Innovation Foundation, May 2017, http://www2.itif.org/2017-cross-border-data-flows.pdf?_ga=2.45773412.1159173050.1620277743-1412413491.1620277743.

5 The following analysis of Korean laws is effective as of June 2021.

6 On May 26, 2005. See decision 99Hun-Ma513.

7 The PIPA was in fact developed from the Act on the Protection of Personal Information Maintained by Public Institutions where the Interior Ministry was responsible for its implementation. Thus, although the PIPA covers the processing of personal information by private sectors, the Interior Ministry, not the Personal Information Protection Commission, was responsible for the PIPA until the so-called three data laws’ amendment in 2020.

8 The three data laws’ amendment refers to the amendment to the PIPA, the Network Act, and the Credit Information Act. The PIPA was amended on February 4, 2020, and effective on August 5, 2020. This amendment records as the tenth since its enaction in March 2011. The Network Act is currently similar to the e-Privacy Regulation to be adopted by the European Union.

9 Before the amendment in February 2020, the enforcement powers under the PIPA were entrusted not to the PIPC but to the Interior Ministry. The PIPC had only deliberation powers on data protection policymaking until that amendment.

10 PIPA, Art. 7(1). The Korea Internet and Security Agency (KISA) performs the functions, including receiving reports of data breaches and collecting relevant materials from a controller in case of an alleged violation of the PIPA, delegated by the PIPC.

11 PIPA, Art. 7(2). First, the investigation power, given to the PIPC by the three data laws’ amendment in 2020, used to be conducted by the Interior Ministry. Those foreign-related companies were imposed administrative fines for violating the provisions of the PIPA. For example, Audi-Volkswagen Korea was imposed a fine of 12 million Korean won, roughly equivalent to $11,000, for violating the obligation of destruction after the expiry of the retention period in February 2018. In February 2019, along with other foreign-related companies, DHL Korea was fined 32 million Korean won, roughly equivalent to $28,000, for violating the obligation of notifying the required items to data subjects for obtaining their consent. Second, the Personal Information Dispute Mediation Committee has dealt with mediation over personal information disputes. The disputes subject to mediation have mainly involved the out-of-purpose use and provision to third parties of personal information, the collection of personal information without the consent of data subjects, and the denial of access to personal information or failure of taking measures necessary to correct or erase personal information, etc. Third, the PIPC may advise the head of central administrative agencies over matters necessary to improve the relevant statutes in terms of data protection by analyzing and reviewing the data breach incident factors of such statutes. It has been reviewing most of the statutes subject to enactment or amendment since September 2016. For example, the National Intelligence Service (NIS) submitted a proposal on the Framework Act on Cyber Security to the PIPC for assessment on October 25, 2016. The PIPC recommended the NIS, inter alia, to prevent the misuse and abuse of personal information by accurately defining the scope of data to be collected and used in cybersecurity activities. The proposal was automatically discarded, however, as the session of the National Assembly was closed in May 2020.

12 PIPA, Art. 1.

13 The 108 Convention is the first legally binding international instrument for data protection. On May 18, 2018, the Committee of Ministers of the Council of Europe adopted the protocol amending the 108 Convention. Korea, like Japan, the Philippines, and Indonesia in Asia, is accredited as an observer to the Consultative Committee established by the 108 Convention. Joining the Consultative Committee as an observer may imply that Korea would ultimately accede to the 108 Convention.

14 Graham Greenleaf and Whon-il Park, “Korea’s New Act: Asia’s Toughest Data Privacy Law,” Privacy Laws & Business International Report, no. 117 (June 2012): 1–6, (UNSW Law Research Paper No. 2012-28).

15 Mediaus, “Three Data Laws Criticized as the Law Stealing Human Rights in Information” (in Korean), July 17, 2020, http://www.mediaus.co.kr/news/articleView.html?idxno=188321.

16 The provisions on data portability and the right to respond to automated decisions are also included in a proposed amendment to the PIPA that was circulated in January 2021.

17 In January 2017, the European Commission adopted a communication on the international aspects of privacy, which set out the EU strategy in the field of international data flows and protection. In this communication it was announced that the European Commission would actively engage with key trading partners in East and Southeast Asia, starting with Japan and Korea. After the conclusion of the EU-Japan talks on adequacy decision in July 2018, the mutual EU-Japan adequacy decision was adopted on January 23, 2019.

18 The European Commission issued a draft decision on the adequate protection of personal data by Korea on June 14, 2021.

19 For example, trade secrets are protected under the Unfair Competition Prevention and Trade Secret Protection Act, where trade secret is defined as “information, including a production method, sale method, useful technical or business information for business activities, which is not known publicly, is managed as a secret, and has independent economic value.”

20 U.S. Department of State, “2020 Investment Climate Statements: South Korea,” https://www.state.gov/reports/2020-investment-climate-statements/south-korea/. A proposed amendment to the PIPA, covering the provisions on cross-border transfer of personal information, was circulated by the PIPC in January 2021. It remains to be seen whether this amendment would be successful throughout the legislative process in 2021.

21 Providing personal information to third parties includes sharing personal information with third parties. PIPA, Art. 17(1).

22 PIPA, Art. 39-12(2).

23 PIPA, Art. 39-12(2). Administrative fines not exceeding 20 million Korean won, roughly equivalent to $18,000, may be imposed for outsourcing the processing of, or storing, users’ personal information overseas in violation of this provision.

24 PIPA, Art. 17(3). Providing personal information to third parties abroad is more restricted than providing to domestic third parties in that there are other legal bases in addition to the consent of data subjects for the latter. See PIPA, Art. 17(1).

25 PIPA, Art. 17(2). For the prevention and combating of crime, including terrorism, the US and Korea may, in compliance with their respective national laws, in individual cases, supply with the personal data of the data subject(s), inter alia, that will commit or has committed a criminal offense, or participates in an organized criminal group or association, or will commit or has committed terrorist or terrorism-related offenses in the other country, or offenses related to a terrorist group or an association in the other country. The Agreement between the Government of the Republic of Korea and the Government of the United States of America on Enhancing Cooperation to Prevent and Combat Crime, signed on November 7, 2008, Art. 8(1). Public institutions may provide personal information to third parties abroad for other purposes than collected where it is necessary to perform a treaty or other international agreement; or where it is necessary for the investigation of a crime, indictment, and prosecution. PIPA, Art. 18(2)(vi) and (vii) respectively.

26 U.S. Trade Representative, “2017 National Trade Estimate Report,” p. 284.

27 For the protection of IT service users’ personal information transferred abroad, providing, outsourcing the processing of, or storing IT service users’ personal information abroad are collectively referred to as transferring. Providing IT service users’ personal information abroad includes accessing to such information. PIPA, Art. 39-12(2).

28 PIPA, Art. 39-12(3).

29 PIPA, Art. 39-12(4).

30 Presidential Decree 30892, Art. 48-10(1).

31 Presidential Decree 30892, Art. 48-10(2).

32 Presidential Decree 30892, Art. 48-10(3).

33 PIPA, Art. 39-12(5).

34 When assessing the adequacy of the level of data protection, the European Commission must take account of the elements including “rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization.” GDPR, Art. 45(2)(a).

35 PIPA, Art. 39-11(1). For example, Netflix, a global OTT service provider, has not been required to designate a domestic agent, because it has its own business office in Korea.

36 Presidential Decree 30892, Art. 48-9(1).

37 PIPA, Art. 39-11(1).

38 PIPA, Art. 39-11(4).

39 PIPA, Art. 39-11(2).

40 PIPA, Art. 39-11(3).

41 On September 9, 2020, the PIPC decided to recommend seven foreign IT service providers to improve the management of a domestic agent. Those IT service providers included Facebook, Microsoft, and TikTok. For reference, the GDPR provides for the designation of a domestic agent to exert its extraterritorial effect explicitly. The controller or the processor, which are not established in the EU, are required to designate a representative in the EU in the following two cases: (1) where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (2) the monitoring of their behavior as far as their behavior takes place within the EU. GDPR, Art. 27.

42 For example, the 108 Convention of the Council of Europe seeks to reduce restrictions on transborder data flows between the contracting parties on the basis of reciprocity. Though, “an equivalent protection” provided in Art. 12(3)(a) of the convention needs to be carefully determined.

43 PIPA, Art. 39-13.

44 PIPA, Art. 39-13.

45 Spatial Data Act, Art. 1.

46 Spatial Data Act, Art. 16(2). See also Art. 14(3).

47 Spatial Data Act, Art. 21(2). See also Art. 14(3).

48 Spatial Data Act, Arts. 16(2) and 21(2). A consultative committee is organized by the minister of land, infrastructure and transport with the heads of the relevant agencies, including the minister of science and ICT, the minister of foreign affairs, the minister of unification, the minister of national defense, the minister of the interior, the minister of trade, industry and energy, the director of the national intelligence service, and so on.

49 U.S. Trade Representative, “2020 National Trade Estimate Report,” p. 320.

50 U.S. Trade Representative, “2019 National Trade Estimate Report,” pp. 324–25. The precise satellite imagery of certain facilities is argued to pose a threat to the national security of Korea, which is still technically in an armed conflict with North Korea.

51 According to Art. XXI(a), a contracting party (WTO Member) must not be required to furnish any information the disclosure of which it considers contrary to its essential security interests. In addition, according to Art. XXI(b)(iii), a contracting party must not be prevented from taking any action that it considers necessary for the protection of its essential security interests taken in time of war or other emergency in international relations. The “self-judging” principle seems to apply in this case. In the dispute raised with respect to Section 232 of the Trade Expansion Act of 1962, the United States argued that “the tariffs imposed pursuant to Section 232 are issues of national security not susceptible to review or capable of resolution by WTO dispute settlement.” Panel Report, United States-Certain Measures on Steel and Aluminum Products, Communication from the United States, WT/DS544/2, April 17, 2018. Although a ceasefire and armistice agreement brought the fighting to an end in 1953, the Korean War is technically still ongoing.

52 U.S. Trade Representative, “2020 National Trade Estimate Report,” p. 320.

53 Korea has concluded FTAs with Chile, Singapore, the EFTA, the Association of Southeast Asian Nations (ASEAN), India, the EU, Peru, the United States, Turkey, Australia, Canada, China, New Zealand, Vietnam, Colombia, the Republics of Central America, the UK, Indonesia, Israel, and Cambodia in chronological order. Korea is also a signatory to the Regional Comprehensive Economic Partnership (RCEP). The FTAs with Indonesia, Israel, Cambodia, and the RCEP have not yet entered into force.

54 The Korea-EU FTA, Annex 7-D on the additional commitment on financial services, para. 1, and the letter from Hyun Chong Kim and Sung Jin Kim on June 30, 2007, attached to Chapter 13 on financial services of the Korea-U.S. FTA. This kind of deference in regard to the requirements for the location of technology facilities is also provided in the Korea-Turk