The government concerns about the NIS’s enforcement ordinance to increase cybersecurity

Cho Tae-yong, head of the National Security Council, presides over a meeting to follow up on a government computer network failure incident and strengthen cyber threat preparedness at the presidential office in Yongsan on Tuesday. Courtesy of the Office of the President

Concerns have been raised within the government over the National Intelligence Service's push to revise the enforcement ordinance, which significantly strengthens its security authority in cyberspace. The government worried that offensive measures against foreign countries and North Korea could cause diplomatic problems, and strengthening the checks and controls of cybersecurity could increase the burden of each agency.

According to data received from the National Intelligence Service on December 20, the NIS announced a legislative preview of the amendment to the enforcement ordinance of “Cybersecurity Business Regulations” from October 27 to December 6, asking for opinions from all central administrative agencies and local governments.

They pointed out that the NIS could take offensive measures against foreign countries and North Korea to preemptively identify and block the activities of state-sponsored or international hacking organizations, saying, "Considering the ripple effect of diplomacy, a detailed review is needed during the examination by the Ministry of Government Legislation.”

They also raised the issue of strengthening the "actual evaluation," which allows the NIS to look at the current status of the cybersecurity work of the government, local governments, and public agencies. They say, "Considering the burden of agencies that are subject to an examination, we ask the NIS to minimize the frequency of on-site visits and get rid of procedures to check the site in advance and reconfirm whether corrective measures are implemented.”

There was also an opinion that the NIS should have a preliminary procedure related to “the measurement of security" that discovers and improves cybersecurity vulnerabilities of each agency. They asked to add a requirement that the NIS notify the agencies, which are subject to an examination, the subjects and timing of the measurement in advance so that they can prepare for it, just like the Enforcement Decree of the E-Government Act.

The NIS said that "there are no factors that infringe on people's privacy,” citing the Personal Information Protection Committee’s decision that agreed to the original amendment during the review of the "Evaluation of Personal Information Infringement Factors" last month. It seems that the NIS refuted the criticism that the statement, saying Cloud service providers should comply with the NIS' request for security control cooperation unless there is a justifiable reason, could lead to private intervention.

Lawmaker Yoon Gun-young said, “As it has been confirmed that the government and local governments are fairly concerned about it, the NIS should stop trying to amend the enforcement ordinance to indiscriminately increase its authority on the pretext of cyber security."

※This article has undergone review by a professional translator after being translated by an AI translation tool.