[W Forum] Fintech Network Separation Regulations and the Principle of Technological Neutrality



Although fintech is a globally acclaimed technology, the sector has recently struggled to attract developers because of widespread dissatisfaction with government regulations. Many developers are reluctant to work in the electronic financial industry because of the physical network separation regulations that apply to the financial sector. Physical network separation refers to the practice of dividing networks into business and non-business networks, with all hardware resources additionally allocated for each network. Domestic network separation regulations were introduced as a solution to various cyberattacks such as DDoS and have spread from local governments and public institutions to the private sector.


In particular, under the Electronic Financial Supervisory Regulations, financial companies in the private sector must block internet access on business PCs and physically separate the PCs used for system operation, development, and security. Even developers who do not directly access customer information find it difficult to connect to the internet, which makes it hard to use essential elements of a development environment such as open source, APIs, and other libraries.


However, despite network separation, the Stuxnet malware attacked Iran's nuclear facilities in 2010, Korea Hydro & Nuclear Power was hacked in 2014, and the Ministry of National Defense was hacked in 2016. This shows why regulations should not be biased toward a specific technology. No matter how excellent physical network separation is as a security technology, legally mandating a specific technology can lead to overreliance on that technology and cause security vulnerabilities. The principle of 'technology neutrality,' which calls for laws to be technologically neutral so they can adapt well to rapidly changing technological environments and maintain normative power, reflects the relationship between technology and law well.


The reason for adhering to the principle of technology neutrality in legislation is that laws biased toward specific technologies lose their normative power as technology evolves. Moreover, legislation biased toward certain technologies benefits the developers and providers of those technologies while discriminating against those who develop or provide services using non-adopted technologies, violating the principle of equality and leading to market distortion that ultimately hinders technological innovation. A representative case violating the technology neutrality principle was the 'Public Certification.' By mandating a specific technology for public certification, it reduced the competitiveness of the electronic signature certification market, increased inconvenience for citizens, and was eventually abolished, fading into the annals of certification history.


Physical network separation regulations for financial companies should also be reconsidered based on the principle of technology neutrality. Overseas financial and security authorities rarely mandate a specific technology like network separation uniformly for the private sector. Whether to adopt network separation and the scope of its application are left to corporate discretion, but if appropriate security measures are not implemented and incidents occur, companies face severe consequences such as class-action lawsuits and punitive damages.


Furthermore, such physical network separation policies are inappropriate in the current situation where remote work has become routine. In ongoing infectious disease crises like COVID-19, remote work is no longer optional. Network separation regulations that prevent external access to business networks are labor-unfriendly and counterproductive to work efficiency. It is welcome news that last year the Financial Services Commission allowed remote access only to the internal business network system for general employees and recently announced plans to rationalize network separation regulations for development work in stages. Network separation is just one of many technical methods for information security. The government should create an environment where innovative security technologies can be continuously developed and avoid mandating specific technical methods.


Hyunkyung Kim, Professor, Graduate School of IT Policy, Seoul National University of Science and Technology


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
