[Exclusive] Government to Mandate Submission of Security Plans by Telecom Companies...Aims to Prevent Recurrence of SKT Hacking

Ministry of Science and ICT Reports "Telecommunications Network Protection Act" to National Assembly
Current "Self-Inspection" System Has Limits in Prevention
Security Obligations for Telecom-Specific Networks to Be Stipulated by Law
Review Process to Shift from Documentation to On-Site Inspections, Mock Drills to Become Mandatory
"Key Industries Require More Than Ordinary Security"
However, Industry Voices Concerns Over "Regulation for the Sake of Regulation"


The government has confirmed that it is pushing for a plan to legally mandate the submission of security plans by major telecommunications companies following the SK Telecom USIM hacking incident. Until now, telecom companies including SKT, KT, and LG Uplus have independently established and implemented their own security plans, but the government intends to shift to a system in which it directly receives and reviews these plans. The government has stated that companies will be penalized if they fail to comply. The mobile telecommunications industry has expressed a negative stance, saying this will result in "regulation for the sake of regulation," and legislative efforts are expected to face difficulties.


According to materials obtained by Asia Economy on the 25th through the office of Representative Lee Haemin of the National Innovation Party, the Ministry of Science and ICT has prepared a plan to either enact the "Telecommunications Network Information Protection Act" (tentative name) or to add provisions to the Information and Communications Network Act and the Telecommunications Business Act that specifically regulate the network security of major telecommunications companies. This plan was reported to the National Assembly's Science, ICT, Broadcasting and Communications Committee in mid-June.


The core of the government's policy is to explicitly state security obligations tailored to telecom companies in the law, thereby making them mandatory. Until now, telecom companies have managed security in accordance with the Information and Communications Network Act (the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.) and the Telecommunications Business Act, but there has been no legal obligation to submit security plans to the government. The current guidelines on "Information Protection Measures" (as notified by the Ministry of Science and ICT) under the Information and Communications Network Act allow telecom companies to establish and monitor their own security measures, and Article 32-10 of the Telecommunications Business Act simply states that "key telecommunications service providers must take technical and managerial measures that meet technical standards to ensure stable service provision," without specifying any concrete obligation to establish or submit security plans.


The government's decision to mandate the submission of security plans by these telecom companies is based on the judgment that there are limits to prevention under the current system. The existing self-inspection structure is seen as inadequate for detecting and preventing security incidents in advance. SKT, which experienced a hacking incident, had obtained the Information Security Management System-Personal Information Protection (ISMS-P) certification from the government but failed to prevent the hacking of its Home Subscriber Server (HSS). According to ISMS-P certification standards, telecom companies are required to establish systems for incident prevention, conduct vulnerability scanning and analysis, operate security monitoring services, and regularly back up important data. However, even though SKT had all these procedures in place and had received certification, it failed to detect the hacking of the HSS in advance and was unable to block the attacker's infiltration of core systems.


The National Assembly Research Service pointed out in its report "Measures to Strengthen Information Protection for the Prevention of Mobile Carrier Hacking" published last month that "the procedures required by certification standards did not function properly in practice."


Self-regulation by companies has also widened the gap in security investments among telecom companies. In 2023, SKT's investment in information security, combined with its subsidiary SK Broadband, amounted to 86.7 billion won, accounting for only 4.2% of its IT investment.


To significantly strengthen the security obligations of telecom companies, the government plans to require the preparation and submission of security management plans to the government and to make regular mock drills mandatory. The government also plans to implement security measures specifically tailored to telecommunications network infrastructure. In addition, a new system will be established to continuously monitor whether telecom companies are properly implementing security measures. Telecom companies that fail to comply with security obligations will be subject to corrective orders or enforcement fines. In this regard, it has been reported that the government referenced the UK Communications Act, which imposes penalties of up to 10% of sales revenue for violations of security obligations.


The government also plans to change information security certification reviews from a document-based review to an on-site technical review and to introduce new inspection items specifically for telecom companies to enhance effectiveness. Proposed new inspection items for telecom companies include mandatory retention and management of backup data for critical systems for at least one year, implementation of two-factor authentication systems for access to public web servers, and the formation of dedicated in-house teams for vulnerability analysis and assessment.


The government plans to prepare the bill and complete the collection of opinions within this year. To this end, a research group composed of university, research institute, and industry experts will be formed in the second half of the year, and the final legislative direction will be determined after gathering opinions.


However, there are concerns within the telecommunications industry that these measures could become "regulation for the sake of regulation." An industry official stated, "In light of the recent SKT hacking incident, it seems the intention is to make what was previously voluntary mandatory, so that telecom companies cannot reduce their security investments. If, after submitting security plans, the government demands additional extensive documentation or raises issues with the results of mock drills, it would require a significant workforce and become a burden."


Representative Lee emphasized, "The security of key industries that affect all aspects of people's lives cannot be adequately addressed with ordinary measures. This is an opportunity to ensure that comprehensive improvements to laws and systems are implemented."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
