Companies Warn:
"Excessive Inspections May Discourage Security Investments"
Following a series of large-scale hacking incidents, the government has begun scrutinizing corporate security systems as if under a microscope, leading to complaints within the IT industry that "security teams have now become reporting teams." There is growing dissatisfaction that, as public sensitivity to personal data leaks has increased and comprehensive government countermeasures have been announced one after another, the government's demands for internal security disclosures from companies have reached an unprecedented level.
According to industry sources on November 13, some companies have recently been required by the government to submit routine security detection logs, such as those from Endpoint Detection & Response (EDR) solutions, and to report the results of penetration tests. EDR is a solution that detects and blocks malware intrusions, suspicious activities, and policy violations in real time on endpoints such as PCs and servers. Even in normal work environments, minor warnings or detection events occur frequently.
An IT company’s chief security officer commented, "It is normal for security solutions to generate warnings," and added, "Requiring us to submit all of them essentially means we must operate a 24-hour reporting system." He went on to say, "Some in the industry are even saying it would be better not to implement such solutions at all under these circumstances."
The government’s request for some companies to submit penetration test results is also causing concern in the industry. Penetration test results contain detailed lists of vulnerabilities and are classified as highly sensitive information. One security expert pointed out, "Companies invest significant resources to identify vulnerabilities as part of internal improvement processes, but if they are required to submit these externally, it will inevitably discourage penetration testing itself."
Some have testified that, if companies hesitate to submit such data, there have even been threats that "the government will obtain it directly from the external security firms that conducted the penetration tests." Lee Hyungtaek, CEO of Innotium, commented, "It is difficult for companies to willingly hand over materials that could reveal all internal detections and employee behavior logs," and added, "If the government wants to make this mandatory, the common-sense view in the industry is that a warrant should be required."
Grievances in the industry are also mounting over the 'Information Security Grading System' that the government declared it would introduce last month. Although this grading system, included in the government-wide comprehensive information security plan, was not in the original draft by the Ministry of Science and ICT, it is rumored in the industry that it was pushed through at the presidential office level. The plan is to classify companies’ security levels into several grades, but on the ground, there are complaints such as "Is it a system where you get the highest grade if you spend the most money?" and "It will only increase comparisons and stigmatization among companies."
Security experts are concerned that this trend could ultimately weaken the information security ecosystem in the long term. One security firm expert remarked, "While I understand the government’s intention to collect data for hacking cause analysis, excessive demands for sensitive internal data will not only burden frontline departments but also have significant negative effects across the entire industry."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.
![[IT Cafe] Government Puts Corporate Security Systems Under the Microscope After Successive Hacks... Companies Frustrated](https://cphoto.asiae.co.kr/listimglink/1/2025111316552817013_1763020528.png)

