National-level cyber risk control needed

It has become a national duty to control and manage risks in cyberspace and build a powerful system against cyber disasters.

Lim Jong-in

The author is a professor at the Graduate School of Information Security, Korea University. In mid-October, Korea experienced unprecedented chaos from the sudden crash of the Kakao chat app. Families, friends and colleagues were cut off due to repeated failures of text deliveries. There was no way to reach people you communicated with exclusively via Kakao.

Documents saved on Kakao Talk and mail could not be accessed. Due to suspension of cab-hailing through the Kakao platform, transportation was affected. The damage was not restricted to Kakao platforms. Services using ID verification through Kakao were hampered. A wide range of public services such as military enrollment notices and National Pension notices relying on Kakao messaging became disrupted.

Widespread social confusion resulted not from a North Korean threat or a natural disaster. It was caused by a fire at a dater center housing the Kakao server. Lack of readiness for such a contingency by Kakao caused colossal social ramifications.

South Korea is dubbed the most advanced IT nation with highest standards in IT services. The country has been ranked first or second on the ICT development index in the annual Measuring Information Society survey by the International Telecommunication Union (ITU). South Korea also topped a UN review on electronic government. All of that shows a society heavily relying on cyberspace. Cyberspace has become a major stage for everyday economic activities as the physical and virtual space have converged.

The World Economic Forum (WEF) points to a cyber-physical system as a key driver in the fourth industrial revolution. That means traditional physical factors like factories and automobiles become connected with the cyber domain to be controlled remotely or by artificial intelligence. Cyber risks can spill over to the physical world, causing danger to people, societies and nations. It has become important to examine the risks in cyber space and control them on the national level.

There is no perfect protection against all threats and risks in the cyber domain. A fire at a data center that causes a server crash might be rare, but nevertheless can happen. According to materials submitted for an audit of the government by the Information Committee of the National Assembly in 2020, the public sector had come under 1.62 million hacking attempts.

Most of them could be prevented, but they cannot be entirely blocked as cyberattacks have become more sophisticated. Cases of advanced persistent threats (APT) — a stealthy threat with the capacity of cracking into computer networks undetected for a lengthy period — have become common. They extract information over a long period from a specific target.

As a result, resilience has become a key factor in cybersecurity. It refers to a paradigm in which a fast response and recovery can take place after an accident and cyberattack. After the data center fire, it took Kakao up to 11 hours to get its messaging service back up. But Naver, which had servers in the same data center, was able to restore most of its online services within four hours. Resilience capability was the difference between the two. There should be a national-level system to support all parties, including companies, to strengthen such resilience.

Despite the need for resilience, however, our systems and policies still remain lacking.

The United States has long understood the concept of resilience in cyberspace. The National Institute of Standards and Technology has been developing the framework and guidelines. The European Union in 2017 stressed cyber resilience in a report on cybersecurity strategy. In September, it drafted a bill on cyber resilience, which calls for manufacturers of devices connecting to cyberspace to have greater responsibility for security.

Korea, too, must establish a national response system to strengthen its cyber resiliency. The public sector, infrastructure facilities and key services should be evaluated for their readiness to respond to various threats and cyberattacks and checked to make necessary improvements. A key to a national response system is governance and legislation. The roles and liabilities of each government office in charge of cyber security must be accurately defined. A command center should be activated for comprehensive action to unite the capabilities and functions divided among government offices. Offices must share information and cooperate with one another. Since such an interaction requires a legal mandate, a basic law on cybersecurity must be enacted.

A systematic response system also needs to be set up. The state must draw up response guidelines for various scenarios and make authorities familiar with them. The guidelines must be checked to see if they are workable through cyber crisis drills. The Yoon Suk-yeol administration has specified institutionalization of a cybersecurity committee through the law in its 110 national agendas. But the formation of the committee and legal procedures have not taken place. Necessary manpower, technology and an industrial ecosystem should be built. The government proposed to nurture 100,000 cybersecurity experts and strategically promote the security industry. But more detailed and effective actions must follow to build a practical foundation for cybersecurity.

It is foolish to hope to avoid all cyber threats. There is a limit to defenses, as North Korea and other states with malign motives continue to carry out sophisticated cyber offensives. That raises the need to secure cyber deterrence so that the other party is aware of the risk if it carries out a cyberattack. The U.S. has been enhancing cyber deterrence to fend off any potential cyberattacks.

In 2018, the U.S. Defense Department established a preemptive strategy against an imminent threat of cyberattack. It would preemptively interfere — and take action ― before an enemy launches a cyberattack. The U.S. employs so-called “persistent engagement” with adversaries to constantly interfere with malicious activities to destabilize their attack capacity. For instance, the U.S. adopted the Hunt Forward strategy to remove threats in the cyber domain against the U.S. and its allies in advance. South Korea does not have any cyber defense and operation strategies and plans, tactics or combat rules. The government must set a clear direction in developing strategies and technologies for the military to deal with cyber threats.

In his “Theory of Risk Society of Modernity,” German sociologist Ulrich Beck projected that risk checking will become a regular habit in 21st century society. A major factor for risks is science and tech development, particularly cyberspace. That space has become a hotbed for national interests where the people, companies and society all rely on. The government has set its digital strategy to upgrade the economic and social foundations to meet the environment where digital has become a norm. But a digital environment without control over risks can turn Korea into a dangerous society. It has become a national duty to control and manage risks in cyberspace and build a powerful system against cyber disasters.

Translation by the Korea JoongAng Daily staff.