For the last two days, I’ve been filling my plate with bulgogi instead of sashimi. Korea has more of an Internet culture than Japan—people, with more than a little trace of pride, noted that almost everyone in Korea has at least some hacking skills—but the themes from my discussions in Seoul resonated with what I heard in Japan.
Americans need to get out more: Many of the people I spoke with were incredulous that I was actually interested in Korean cyber policy, looking for some other purpose to my trip.
The threat: Much of the discussion in Tokyo was of targeted attacks—malicious emails or other exploits directed at specific firms—and while Korean firms are also subject to attacks on their corporate secrets, the focus is on the emerging threat to smart phones. Registration numbers are already a very attractive target for Chinese hackers, who use them for Korean online games, and they will become even more in demand as banking and other financial transactions are moving to smart phones. So far, Beijing has been uncooperative when Korean agencies have tried to track down criminal attacks that appear to emanate from China.
Did I say China? When people say China, they actually seem to mean China and North Korea since it is widely believed that the DPRK routes attacks, both criminal and political, through Chinese networks.
More on coordination: Korean ministries are constantly being renamed and restructured. Previously, all cyber security for the private sector was handled out of the Ministry of Information and Communication. The MIC was eliminated and authority for cyber issues in the private sector was distributed to at least three agencies: Korean Communication Commission, Korea Internet & Security Agency, and the Ministry of Knowledge Economy. (National Intelligence Service is responsible for public sector networks, the Ministry of Defense for the defense networks.) This move “was good and bad,” I was diplomatically told; the bad was that having everyone under one roof made information sharing and emergency response much easier, and that had been lost. No one ever told me the good.
You lose it, you pay for it: If there is a breakdown of security and a hack releases massive personal information, Korean firms have to pay a fine. They don’t want to pay the fine, so they have invested more in IT security.
That said, just because it’s on the books: The Act on Promotion of Information & Communication Network Utilization requires Korean information and communication service providers to report “without delay” cyber incidents. Surprise, not everyone follows the laws, because they don’t want to admit to vulnerabilities or errors.