The first installment of “Leadership on a Safe and Secure Cyberspace” series
The Korea IT Times will run the series “ Leadership on a Safe and Secure Cyberspace” from April to December. The first installment sets forth shortcuts to arming the SouthKorean cyber security industry with international competitiveness,and explores ways towards intentional cooperation.
The installment revolves around an interview with Kang Seong-ju,director-general of the IT Strategy Bureau at the Ministry of Science, ICT and Future Planning, to shed light on the Korean government’s policy directions following the passing of amendments of the Personal Information Protection Act.
The building of a virtuous cycle in the Korean data protection industry necessitates the nurturing of talent, developing technology,amending laws and institutions.
Recently, red flags have been raised about South Korea’s handling of cyber security. Korean banks, credit card companies,and telecommunications operators have had stolen customer personal information in the recent massive data leaks, caused by either web hacking or managerial negligence or both. New cyber security solutions have been initiated following such large-scale cyber security breaches, but shown to be ineffective by another round of data breaches. Fears of data leaks damaging national defense, in addition to individuals, have intensified. Yet, there is an upside: they served as a wake-up call to the government and the private sector. This very expensive lesson has prompted the nation to come to grips with cyber “security”before a potentially much worse cyber attack occurs.
Kang Seong-ju, director-general of the IT Strategy Bureau at the Ministry of Science, ICT and Future Planning, takes a three-pronged approach towards information protection. First: nurture talent. “Experts on data protection technology are in high demand. Universities need to set up departments related to data protection to ensure a steady supply of cyber security experts to the market. And the nation’s cyber defense command needs to recruit more experts on protecting military data,” said Kang.
The private sector also offers programs designed to train experts on data protection. For example, the Korea Information Technology Research Institute (KITRI)’s BOB (Best of best) program aims to produce cyber security leaders. BOB graduated 120 counter white hackers this year. BOB, the nation’s leading cyber security expert training program, was launched last year to produce quality cyber security experts with a sense of duty and a positive view about national security. Under the guidance of renowned cyber security experts, both domestic and international, those admitted to BOB are taught key technologies in each information protection area and go through cyber security awareness training.
Second: develop technology. With studies on ubiquitous cyber threats like wiretapping, spamming,and smithing ,endeavors to develop new solutions to foil the latest evolving cyber threats should be urgently made. Governmentlevel efforts are underway in the country. The government is thrashing out ways to scale up budgetary support for the Electronics and Telecommunications Research Institute (ETRI),a government-backed agency, and for KAIST, and to assist universities and companies in nurturing talent and developing data protection technologies.
Third: reform legal bodies and institutions. Moves to revise the Personal Information Protection Act are again afoot at the National Assembly in order to impose tougher penalties on companies and organizations guilty of negligent data protection. Above all, Director-General Kang underlined the importance of adopting an “information protection rating system,” whereby companies are rated based on their data protection level. The information protection rating system, based on voluntary self-regulation, is devised to encourage private companies,prone to cyber attack,to enhance their cyber security systems.
Once this rating system is put in place, protected companies can use their high cyber security scores as a consumer marketing tool, thereby boosting sales and market share. On the whole, this rating system is expected to significantly improve Korean companies’ data protection levels.
Taking on the global market by narrowing the gap with cyber security powerhouses and collaborating with developing nations.
Varied missteps, such as technical limitations and personnel mismanagement, can be blamed for the previous data leaks. Despite continued monitoring, the leakage of specific traffic went undetected for a year. Furthermore, employees at cyber security contractors, hired to manage the customer databases for large companies, were poorly supervised.
In response to continued public outcry about shoddy management of customer databases, affected companies’ top management bowed low in apologized to their angry customers. From a long-term perspective, South Korea must learn something from such bitter experiences in order to take the domestic data protection industry and technologies to the next level and to nurture the industry into one of the nation’s key export industries.
To that end, domestic companies that specialize in data protection technology and home-grown technologies related to data protection must stay competitive. As global cyber security companies become notable names around the world after the investiture of time and energy to underscore their competitiveness, domestic cyber security companies have to strengthen their competitiveness;and the Korean government has to aid them in entering overseas markets through the provision of government assistance and global cooperation projects.
Preparations for global cooperation projects have occurred. A number of projects are occurring to help Korean cyber security companies make forays into overseas markets - for instance, a Korean-Kazak joint project for data protection and support for domestic companies’ participation in global data protection exhibitions. Such efforts will help reduce the gap between South Korea and advanced nations well prepared for cyber attacks,expediting the growth of domestic cyber security companies.
At the Declaration Ceremony for Mutually-beneficial Cooperation on National Informatization, held in March, Director-General Kang mentioned, “Today’s declaration ceremony is designed to offer all participants in national informatization an opportunity to focus their minds before setting about the building of an ICT industry ecosystem and the advancement of national informatization.” In other words,the government, clients, suppliers and the public should communicate with one another for close cooperation at a critical juncture when the nation’s data protection industry is in bad need to make a stride forward.
Hopes are pinned on the possibility that the South Korean data protection industry morphs into one of the nation’s key economic growth engines, which can lead the global market and enhance national competitiveness.
KISIA actively supports Korean information security firms that advance into newly emerging markets
The Korea Information Security Industry Association (KISIA) will place its 2014 focus on helping Korean information security companies advance into newly emerging markets, including Israel and the African continent.
"With the importance of overseas projects by domestic information security companies growing, KISIA strives to expand their overseas markets from existing Japan, the U.S. and Southeast Asia, in to Israel and Africa this year," said KISIA chairman Shim Jong-heon.
In an interview with Korea IT Times, Shim said, "In particular, domestic firms' entry into overseas markets is indispensible this year, considering the sluggish domestic market that resulted from the current economic slump.
"Related to this, KISIA plans to participate in such global information protection exhibitions as the Security Show 2014 (Japan), ISC West 2014 (U.S.), IST 2014 (Japan) and Security China this year, while dispatching market exploration teams to Vietnam, Malaysia, Singapore, and Israel," he said.
Noting that Korea's information security-related exports to Southeast Asia are steadily growing, Shim said, "I expect the domestic information security industry to achieve tangible results this year.
"Through expansion of exchange cooperation between Korea and Israel, two leaders in information security, we plan to seek joint business opportunities and find bilateral cooperation models in the global market this year."
Operation of a monitoring center to keep information protection
KISIA plans to operate a monitoring center this year to help domestic information security companies receive due payment for maintaining information protection by strengthening monitoring activities for bidding offered by government agencies and public institutions, Shim stressed.
"In line with this, KISIA will develop a guideline to calculate a proper ratio to maintain information protection and prepare a standard contract for information protection products and services," added Shim.
In a separate move, KISIA is moving to expand skill-enhancing education and mentor school programs this year.
"Last year, about 80% of graduates of the KISIA-operated mentor school succeeded in getting a job and over 400 incumbent workers in the information security sector finished the skill-enhancing education program, upgrading their skills and knowledge in the sector," he explained.
KISIA plans to start the 2014 skill-enhancing education and mentor school programs on June 1 after developing on-the-spot curricula that reflect current technology trends.
"Fostering talent in the information security field is very important as manpower shortage is serious for smaller, domestic, companies at present, despite the fact that information protection is emerging as a promising area," he noted.
Steps to prevent security accidents
As a measure to prevent security accidents, Shim said, "As we acknowledged from the 2013 Korea Credit Bureau (KCB) case, enterprises should strengthen their supervisory function on staff members and enhance employees' ethics, while preparing institutional tools such as the bolstering of punishment against those who steal data, and compensation for damages."
An employee from personal credit ratings firm KCB was arrested and accused of data theft from customers of three credit card firms while working for them as a temporary consultant last year.
"For prevention of important data leakage, users' rights and responsibilities should be defined exactly and such rights and obligations should be managed through documentation and systematization," he pointed out.
Mentioning that financial companies tend to excessively collect customers' information and manage them poorly, Shim said that they need to minimize the gathering of customers' information by removing unnecessary items and destroying information on personal affairs instantly, except those necessary for storage for a certain period.
"Actually, most general companies are poor at investment and management in information security. Accordingly, if they pay more attention to basic facility investment, including firewall and virus vaccines, the ratio to prevent hacking will go up," he said.
"The most important matter is the mind of all executives and staff, considering the fact that most information leakage has been made not on the outside but by in-house staff. As a result, a persistent education on information security is necessary," Shim said.
Measure for development of domestic security software industry
"For development of domestic information security technology and software industry, securing enough of a budget related to information protection is very important. For instance, the U.S. has invested over 9% of the budget for informatization into the security field since 2007. In particular, the U.S. has increased the cyber security budget by a factor of six in 2013, from a year earlier," said the KISIA chairman
"On the contrary, Korea's budget for information protection has so far witnessed no significant change from ₩270 billion in 2010. To develop information security technology, a drastic hike in the budget is essential," he said.
Meanwhile, domestic information security companies exported products and services worth ₩70 billion in 2013, according to a KISIA survey.
The breakdown is 70% or ₩49 billion to Japan; 7% or ₩4.9 billion to China; and 5% or ₩3.5 billion to the U.S.
KISIA's role for international cooperation
"To secure leadership in the information security sector of a global society, KISIA has concluded a memorandum of understanding with information protection public institutions of many countries since 2009 including Malaysia, Japan, Vietnam, Thailand, the Philippines, Indonesia, Taiwan, and Singapore" he said.
"Through close cooperation with such foreign institutions, KISIA plans to hold consultation meetings and help domestic information security companies expand business-to-business projects this year as part of its efforts to enhance their global competitiveness," he mentioned.
Commenting that a growing number of Korean companies are showing a strong will to exchange technology and products with their counterparts in Israel, Shim said, "They seem to advance into the European market through close cooperation with Israel, not simply aiming at the Israeli market. The association plans to dispatch a market exploration team for information protection to Israel for the first time this year."
Asked about his policy direction as a new KISIA leader, Shim said, "I plan to make KISIA an association covering not only member companies but also general information security firms. To this end, we will activate various section gatherings, including meetings of information protection-specialized companies, control specialists, export-oriented departments and common criteria certification councils."
