Short-Term Measures Activated Ahead of December Release of the "National Cybersecurity Strategy"
Punitive Fines for Major Violations, Mitigation for Voluntary Reporting
Comprehensive Inspection of 1,600 Telecom, Financial, and Public Systems... Fiel
The government has classified the recent series of hacking incidents as a state of emergency, comparable to a crisis, and has begun a comprehensive review and overhaul of regulations across all sectors, including telecommunications, finance, and public services. The authorities are activating a robust response system to prevent the concealment and recurrence of such incidents, strengthening their authority to conduct ex officio investigations into companies showing signs of hacking, even if no official report has been filed.
At a cross-ministerial briefing on comprehensive information security measures held at the Seoul Government Complex on the 22nd, Baek Kyunghoon, Deputy Prime Minister for Science and Technology and Minister of Science and ICT, stated, "We will immediately inspect approximately 1,600 IT systems that are closely tied to the daily lives of citizens and conduct real-world penetration testing for the three major telecommunications companies, based on their consent." During the inspection process, small base stations (femtocells) that are found to be insecure will be immediately decommissioned, and access to the network by unidentified devices will be blocked through whitelist registration.
Deputy Prime Minister Baek said, "We will establish a consumer-centered damage relief system to ensure that the damages from corporate hacking are not passed on to consumers. If signs of hacking are detected, the government will be able to initiate ex officio investigations even without a report from the company, and we will strengthen sanctions such as punitive fines and enforcement penalties for companies that delay reporting or fail to implement recurrence prevention measures." He added, "However, our approach is not solely focused on sanctions; we are also developing measures to encourage security investments. We are considering incentives for companies that actively invest in security."
During the Q&A session, Ryu Jemyoung, Second Vice Minister of Science and ICT, stated, "We have already obtained consent from the three major telecommunications companies for real-world penetration testing. We will deploy public-private experts to conduct unannounced inspections of actual operational networks and perform a comprehensive analysis of vulnerabilities in key IT assets." Regarding femtocells, he explained that a system has been established to block equipment that has been left unattended for long periods or falls outside the authentication range from connecting to the network.
The Financial Services Commission recently completed on-site inspections of credit card companies following a data breach and plans to finish inspecting 260 financial systems by the end of this month. Shin Jinchang, Secretary General of the Financial Services Commission, stated, "We will amend the Electronic Financial Transactions Act to raise fines to 3% of revenue and introduce a punitive fine system." The Personal Information Protection Commission also announced, "We will apply aggravated penalties for serious violations such as data concealment and offer mitigation for voluntary reporting or prompt action," adding that the same standards will be applied to global platforms.
In the public sector, the government will upgrade the rank of the Chief Information Security Officer from director-general to assistant minister and ensure that a certain percentage of the IT budget is allocated to security. The weight of the cybersecurity category in public institution management evaluations will also be increased. In the private sector, the obligation to disclose information security status will be expanded to all listed companies, and a security rating system will be introduced based on disclosure results. Deputy Prime Minister Baek stated, "We are preparing to implement information security disclosures in the first half of next year." Secretary General Shin added, "We are also pursuing legal amendments to include unlisted companies in the financial sector."
The ISMS certification, which has been criticized as being merely procedural, will be shifted to an on-site, practical approach. Deputy Prime Minister Baek explained, "We will strengthen practical indicators, such as the actual control and budget execution authority of Chief Information Security Officers (CISO) and Chief Privacy Officers (CPO). We will institutionalize the participation of white-hat hackers and introduce continuous simulated hacking." The National Intelligence Service is currently piloting next-generation incident investigation tools equipped with artificial intelligence (AI) capabilities, with a full rollout planned soon.
To eliminate redundant procedures in hacking reports, the government also plans to introduce a 'one-stop reporting system.' When a company notifies the authorities of a hacking incident, relevant ministries will immediately share information and respond on-site.
In addition, in response to the spread of AI and cloud technologies, traditional physical network separation will be replaced with a 'data-centric security system,' which categorizes network separation in stages according to data sensitivity. The National Intelligence Service has already distributed new network security guidelines (N2SF) and plans to develop a defense system based on the zero-trust principle, which assumes internal breaches.
During the briefing, the government also previewed the direction of the upcoming 'National Cybersecurity Strategy,' which is scheduled to be released later this year. Deputy Prime Minister Baek stated, "The comprehensive measures announced today focus on short-term tasks that can be implemented immediately. By the end of the year, we will establish a national cybersecurity strategy that includes mid- to long-term tasks and complete the prevention, response, recovery systems, and governance." He added, "We will closely monitor the effectiveness of short-term measures in the field, while formulating a comprehensive long-term strategy that encompasses legislation and industry infrastructure development." The government has set next year's information security budget at 401.2 billion won, a 7.7% increase from this year.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.



