South Korea Cyber Security Vulnerability
South Korea Cyber Security Vulnerability
Introduction
In the past decade, South Korea has since become one of the emerging middle powers when it comes to world politics, meaning the country is expected by different stakeholders to not only play strategic roles but also explore its physical capabilities in enhancing cybersecurity. The present-day’s information technology (IT) leaders face a broad range of challenges, which result from rapid changes in the internet of things (IoT). In response, individual IT leaders should emphasize increasing cybersecurity public awareness in addition to the much-needed coordination among all the responsible stakeholders. In essence, they must prioritize the protection of employee, enterprise, citizen, infrastructural, and customer data, while at the same time, thwarting existing and potential cyber attacks and associated threats.
The main problem revolves around the fact that current legislation in South Korea overemphasizes regulatory compliance, failing to advice organizations and the public on the vital aspects of information security. For this reason, many enterprises continue to have difficulty understanding their information security obligations, as well as infrastructure. Moreover, the government through responsible agencies have failed to adopt and integrate international standards into its cybersecurity systems and associated laws. Following an overemphasis on regulatory guidelines do not necessarily offer the desired system security, which means South Korea remains more vulnerable to cyber attacks.
Problem History
South Korea’s National Cybersecurity Maintenance Regulation (NCMR) defines cyberattack as a variety of attacks undertaken through different electronic means, such as denial of service, hacking, logic bombs, computer viruses, as well as email bombs. Sensibly speaking, these attacks unlawfully destroy, infringe, and paralyze data, steal information, harm data, and disturb communication networks (Kim, 2014). In this context, cybersecurity refers to the whole process and associated activities that play a central role in maintaining the availability, security, as well as security of communication networks or infrastructures and national information. Despite these clear and concise definitions, South Korea lacks an effective cybersecurity strategy to address both internal and external cyber attacks, which continue to have far-reaching adverse effects on the country’s economy, stability, and general security.
In the immediate aftermath of the infamous Cold War, the Korean Peninsula continues has and continues to experience a great deal of an ideological confrontation between now-democratic South Korea and their communist counterpart, North Korea. Having embraced and integrated the Internet into its networked society, South Korea has since become more vulnerable to cyber attacks from North (Bradshaw, 2015). As a way to secure and ensure that South Korean society is safe, the country’s military in collaboration with its national intelligence agencies remains tasked with the responsibility of manning cybersecurity (Lee & Park, 2017). Although the approach in question seems straightforward and viable, South Koreans and other stakeholders tend to lack the much-needed trust with this arrangement since the entities in question have, in the past, played a leading role in supporting and advocating authoritarian regimes.
Given the public concern with the national intelligence-military combination, it is evident that South Korea’s cybersecurity vulnerability and the problem is twofold. Internally, the country’s cybersecurity initiatives and associated measures face a great deal of resistance or opposition due to the ugly past characterized by state organizations, which supported authoritarianism (Kim, 2014). Externally, South Korea faces cybersecurity threats from North Korea. In particular, the main cyberattack targets have been the country’s critical infrastructures, well-established enterprises, as well as local and government sites. For example, the infamous Distributed Denial of Service attacks (DDoS), which occurred in 2009 saw a group of North Korean hackers repeatedly attack and paralyze essential infrastructure, government, and financial websites (Bradshaw, 2015). Concisely, these attacks had far-reaching adverse effects on the country, leading to financial losses and loss of trust in the country’s current cybersecurity system.
South Korean cybersecurity vulnerability attracted global attention in 2014 when North Korea attacked Sony Pictures Entertainment (SEP), hacking and making public the corporation’s confidential data, such as personal information. According to one of North Korea’s hacking organizations, their attack was in response to “The Interview,” a famous film that depicted the end of Kim Jong-un’s era. The incident served as part of massive data leaks involving a variety of South Korea’s major credit card companies. In response, the country’s financial sector invested in cybersecurity capabilities with the sole purpose of preventing similar incidents from occurring again. Despite these security measures, South Korea still lacks an effective particular statutory system, which could allow private entities only to prevent cyber threats (Bradshaw, 2015). Although the country does not restrict the whole process of sharing any cyber threat information, it has failed to officially adopt and enforce any international standards, like the ISO 27001.
Policy Analysis
Current guidelines, laws, as well as regulations in South Korea that play a leading role in promoting cybersecurity, tend to criminalize a broad range of principal cyber activities. The important laws include the Personal Information Protection Act (PIPA), THE Credit Information Act (CIA), and the Network Act (Lee & Park, 2017). Broadly speaking, the various PIPA provisions define a variety of severe penalties, including a fine of 100 million won and 10-year jail time for attackers, who either delete or change any personal information under the jurisdiction of public institutions and business organizations. At the same time, this law provides that a person who causes loss, damage, theft, falsification, as well as leakage of personal information due to insufficient security measures, should be imprisoned for up to five years or pay 20 million fine. Accordingly, the PIPA protects individuals from malicious third parties, especially those who acquire their personal information through illegal means.
In addition, the Network Act provides that a person who either intrudes into a given information system or causes unnecessary disruption to a communication system should either pay to serve five-year jail time or fined 50 million won or both. Concerning interference with personal information due to inadequate security mechanisms, the Network Act penalizes the attacker up to 20 million in fine or two-year imprisonment. Besides the two Acts, the CIA prohibits cyber attackers from engaging in ill-informed activities, such as deleting or altering a person’s data in their credit information systems (Lee & Park, 2017). Anyone who deletes or alters such information risks five-year imprisonment or paying a fine of 50 million won or less.
Given this brief policy analysis, it is evident that South Korea’s current cybersecurity system places great emphasis on punitive measures. However, these punishment driven strategies have failed a great deal in improving the country’s two-fold vulnerability to cyber attacks (Kim, 2014). The approaches in question have proved ineffective since they do not address the root causes of cyber attacks and associated threats. Additionally, they do not provide a transparent and result-oriented framework through which the country can identify the real attackers. For this reason, there is a need for change-driven alternative strategies, which will go a long way in ensuring South Korea’s safety in the long run.
Alternatives
Developing the Patriotic Act. Rather than taking the futile and unproductive punitive approach to addressing cyber threats, South Korea should consider developing the Patriot Act, which, like in the case of the United States (U.S.), will improve the country’s cybersecurity capabilities. The Act in question remains broadly-scoped since its provisions play a central role in not only governing internet usage but also offering the much-needed critical infrastructure protection, as well as computer security (Smith et al., 2002). In the U.S., for instance, the law presents law enforcers with the best possible opportunity to intercept communications involving individual computer trespassers. At the same time, the Act allows cybersecurity agencies to track ill-intentioned cyber activities, such as potential disruptions to the country’s critical information and communication infrastructures. Additionally, the adoption of this law would positively affect e-government by improving the various data collection, as well as sharing practices and associated systems (Smith et al., 2002). With this improvement, South Korea would be well positioned to establish government-wide best practices and associated technical standards.
Public-private sector partnership. The South Korean government and any given public institutions should cooperate with private organizations with the sole purpose of developing appropriate cybersecurity standards. In particular, the country’s National should facilitate public and private sectors’ active participation in policy formulation and amendments (Chen & Cotoranu, 2013). When individual citizens and critical players or interest groups find the opportunity to submit their comments, lawmakers can define and oversee the implementation of effective cybersecurity procedures. For example, security agencies, including the Financial Security Institution (FSI) should collaborate with industry players when it comes to identifying and addressing existing and potential cybersecurity issues.
Engaging hackers. Underworld investigators have since suggested that the best possible solution for cybersecurity vulnerability and threats involves hiring hackers as opposed to jailing them. The South Korean government, just like the Obama administration, continues to push and support an opposing viewpoint: imprisoning hackers for up to 20 years or applying heavy fines (Libicki, Senty, & Pollak, 2014). In China or Russia, for instance, the government recruits hackers even after or before they engage in industrial espionage activities. As a result, Russia has developed and continues to better its cyber-offensive capabilities (Bradshaw, 2015). In this sense, South Korea should place much emphasis on mobilizing perceived, known, and unknown hackers to serve the country and the government’s interests by employing them. Failure to do so, the country will continue nurturing and breading an internal threat.
They are developing the future cybersecurity workforce. Typically, people tasked with the responsibility of leading the cyber domain requires a variety of social intelligence, technical skills, as well as domain-specific knowledge (Dawson & Thompson, 2018). They, like any of the networks they operate and manage, demonstrate high-level resilience, reliability, and trustworthiness. Despite the need for cyber-specific behaviors, recent research has only focused on technical skills, as they overlook key attributes that individuals charged with cybersecurity should possess. In their study, Dawson and Thomson (2018) propose what they firmly believe should constitute features of the future cybersecurity experts: life-long learners, systematic thinkers, socio-technical skills, team players, strong communication abilities, and nationalism. Accordingly, South Korea should invest in training a new generation for holistic cyber professionals, who has the much-needed ability to address social, technical, as well as economic challenges.
Setting minimum data protective measures. Although under the PIPA the government has defined and continues to implement different forms of physical, technical, as well as administrative data protection strategies, there is an urgent need for the country’s NCMR to introduce more effective information protective mechanisms. For instance, an entity that plays a role in managing personal information should prioritize the development and implementation of a change-driven private management plan (Ani, He, & Tiwari, 2016). At the same time, each of the organizations should engage a qualified and trustworthy chief privacy officer (CPO). Additionally, other security methods should include data encryption, frequent update of information systems and programs.
Increasing penalties for negligence. The government through law enforcing agencies, including police and judiciary should focus on implementing stringent penalties and associated regulations. For example, they should consider increasing the current fines and jail terms for difficult hackers. According to Maple (2017), ensuring compliance with the already established and new cybersecurity laws should serve as the first step in addressing cyber threats. In essence, the ability to comply with rules is a preventive measure as opposed to other methods that do not deter attackers from destroying personal information.
Recommendations
Additional cybersecurity protections. Other than what the South Korean Law recommends, the government through relevant authorities should publish new and updated guidelines to increase other stakeholders’ ability to create and use customized cybersecurity strategies. For instance, mobile companies should be allowed to take a leading role in creating more effective security features for applications.
Incentivize organizations. Many for-profit and non-profit organizations lack the resources necessary for developing sophisticated cybersecurity programs. For this reason, the government in conjunction with other grant firms should fund and provide tax credits, especially for organizations that invest in research, as well as the development of data privacy.
Setting applicable industry standards. The government through lawmakers and other policymakers should introduce more effective codes of practice with the sole purpose of promoting industry-specific cybersecurity guidelines. In this way, organizations will be in the best possible position to understand their cybersecurity systems, as well as roles in preventing cyber attacks.
Implementation Challenges
The government, cybersecurity agencies, and individual organizations face a variety of barriers when it comes to the implementation of alternative and recommended cybersecurity strategies. One of the most common challenges includes a lack of appropriate and change-driven organizational measures (Collins et al., 2017). For instance, many organizations are unable to manage outsourced service providers properly. At the same time, they do not have adequate internal administrative organizers devoted to ensuring information safety. In addition, most public, as well as private institutions rely on old password encryption software and associated technical security tools. In other words, these organizations lack the much-needed capacity to properly manage log-in data, account access control, and hardware maintenance. Moreover, some organizations lack effective physical security measures, such as modern CCTV systems and unauthorized access to sensitive computer server rooms. In response to these barriers, responsible stakeholders, including company managers should hire professional and reputable cybersecurity firms to monitor their cybersecurity systems.
References
Ani, U., He, H., & Tiwari, A. (2016). Review of cybersecurity issues in critical industrial infrastructure: Manufacturing in perspective. Journal of Cyber Security Technology, 1(1), 32-74.
Bradshaw, S. (2015). Combating cyber threats: CSIRTs and fostering international cooperation on cybersecurity. Retrieved Apr. 13, 2019 from https://www.cigionline.org/sites/default/files/gcig_no23web_0.pdf
Chen L. & Cotoranu A. (2013). Enhancing the Interdisciplinary Curriculum in Cybersecurity by Engaging High-Impact Educational Practices. New York, NY: Pace University.
Cherdantseva, Y., et al. (2016). A review of cybersecurity risk assessment methods for SCADA systems. Computers & Security, 56, 1-27.
Collins, J., et al. (2017). Cyberattack attribution. Retrieved Apr. 13, 2019 from https://jsis.washington.edu/wordpress/wp-content/uploads/2017/07/ARP-2017-Report-FINAL.pdf
Dawson, J. & Thomson, R. (2018). The future cybersecurity workforce: Going beyond technical skills for successful cyber performance. Frontiers in Psychology, 9, 744.
Kim, S. (2014). Cybersecurity and middle power diplomacy. The Korean Journal of International Studies, 12-2, 323-52.
Lee, A. & Park, C. (2017). Korea’s middle power diplomacy for human security: A global and regional approach. Journal of International and Area Studies, 24(1), 21-44.
Libicki, M., Senty, D., & Pollak, J. (2014). Hackers wanted: An examination of the cybersecurity labor market. Retrieved Apr. 13, 2019 from https://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR430/RAND_RR430.pdf
Maple, C. (2017). Security and privacy in the internet of things. Journal of Cyber Policy, 2(2), 155-184.
Sharkasi, O. (2015). Features: Addressing cybersecurity vulnerabilities. ISACA Journal, 5. Smith, M., et al. (2002). The internet and the USA Patriot Act: Potential implications for electronic privacy, security, commerce, and government. Retrieved Apr. 13, 2019 from https://epic.org/privacy/terrorism/usapatriot/
