"Cloud Security Certification Relaxation Benefits Only Overseas Operators"

On the 23rd, discussants are conducting a discussion at the National Assembly policy forum titled "Cloud and IDC Seen Through the Kakao Outage Incident, Government's Role and Limitations," held in Yeouido, Seoul.

[Asia Economy Reporter Seungjin Lee] As the government is pushing for a reform of the Cloud Security Assurance Program (CSAP) grading system, experts have diagnosed that the introduction of the grading system will weaken the competitiveness of domestic cloud service providers.

On the 23rd, a National Assembly policy forum titled “Cloud and IDC Seen Through the Kakao Outage Incident: The Government’s Role and Limitations,” hosted by Democratic Party lawmaker Seungrae Cho of the Science, Technology, Information and Broadcasting Communications Committee and organized by the ISD Corporate Policy Research Institute, discussed the CSAP reform.

Currently, the government is promoting the introduction of the CSAP grading system. It plans to divide public institution systems and data by importance into three grades, significantly lowering security regulations for lower grades to increase the use of private cloud services. A key point is easing the requirement that data centers must be physically separated within the country.

Concerns have been raised that instead of expanding demand for domestic companies, global providers such as Amazon Web Services (AWS), Microsoft (MS), and Google Cloud?which occupy 80% of the domestic cloud market?will monopolize even the public sector.

Regarding this, Professor Minseo Kim of Seoul Women’s University said, “The policy’s intention is good, but it is questionable how much consideration has been given to private providers before activating the public sector,” adding, “Since AWS already holds over 50% of the domestic cloud market, it seems necessary to review how opening the public sector can benefit private companies.”

Jonghyo Kim, a specialist at Infostock Daily, pointed out the issue of reverse discrimination between domestic and foreign providers. He said, “Unlike domestic companies that can take various measures when problems occur, the government can do nothing when companies like Google cause issues,” and criticized, “It is unreasonable to expect domestic companies to compete with global companies under conditions where equal benefits and regulations are not applied.”

Professor Heedong Yang of Ewha Womans University, who presented at the forum, expressed a similar view. He argued, “Data ownership should be clearly stated to belong to customers and the government, and strong control must be demanded,” and insisted, “Punitive damages systems that strengthen post-incident accountability should be introduced.”

Professor Yang also pointed out, “The government is currently pursuing a grading reform following the U.S. public security certification system ‘FedRAMP,’ but the criteria for each grade are not objective.” FedRAMP classifies grades into four categories based on data importance. Each grade is divided by subjective expressions such as ‘may cause significant adverse effects’ and ‘limited negative impact,’ which means sensitive public sector data could be transferred to global providers.

Concerns were also raised about domestic providers who have expanded investments in line with previous security certification systems. Cloud Industry Association team leader Sewoong Park explained, “Domestic providers have made investments based on existing policies, and for those who trusted the government and invested, the current relaxation discussions are very discouraging.”

Meanwhile, the government had planned to prepare detailed criteria and measures for implementing the grading system by October and to promote revision of related notifications to support this, but the introduction of the CSAP grading system was postponed due to opposition from the industry and the National Assembly. Although there were claims that discussions on the reform might have been suspended, it is known that discussions are ongoing.

Jeongsam Kim, Director of Information Security Network Policy at the Ministry of Science and ICT, said, “Various ministries and stakeholders are conducting discussions, and there are differences of opinion that are being coordinated,” adding, “We expect the Digital Platform Government Committee to publicly discuss this soon.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.