Research Report
Ⅰ. Purpose and Scope of Research
□ Cyber risks, especially cyber attacks, are new and modern risks that were never intended to accompany technological development. In cyber attack cases it is also difficult to determine the exact cause and effect.
□ Korea has been significantly exposed to cyber attacks due to its advanced internet infrastructure and widespread smartphones, and it has accumulated experience in responding to cyber attacks from North Korea.
□ Under these circumstances, cyber security experts and government officials from all over the world are very interested in Korean cyber security laws and regulations. Nevertheless, this interest has not been satisfied because of a lack of materials introducing our cyber security legislation.
□ Therefore, through this research we would like to introduce Korean cyber security legislation. To do this, we shall research related Korean materials that introduce and analyze the legislation, and interview many experts in this field.
Ⅱ. Contents
□ Computer networks and information systems govern daily human life in this society. But the many cyber attacks this society has suffered have posed great threats to the core functions operated by those networks and systems. This society has also been threatened by many cyber attacks, including those from North Korea.
□ To respond to cyber attacks, a state shall design appropriate legislation and national plans. Korea has also been struggling to make efficient legislation and policies to combat cyber attacks and enhance a digital economy based on advanced information and communication technologies.
□ The nationwide response system against cyber attacks is set out in the National Cyber Security Management Regulation. Following the regulation, Korean government authorities shall develop, establish, and perform policies and initiatives related to cyber security. The regulation describes the roles, duties and liabilities of government authorities such as the Office of National Security in the Blue House and the National Cyber Security Center in the National Intelligence Service. It also describes information sharing among government authorities.
□ Protecting Critical Information Infrastructure (CII) from cyber attacks is very important to national security, because it maintains the core functions needed to operate a state and daily human life, such as energy, banking, health, water and so on. The Korean government has had the Critical Information Infrastructure Protection Act since 2002. The Act has established a national structure to protect CII from cyber attacks and contains provisions on the designation of CII, evaluating vulnerabilities and establishing protection plans, responding to cyber incidents, and penalties.
□ Protecting nuclear power plants from cyber attacks has been a national agenda item in Korea after the North Korean cyber attacks against Korea Hydro & Nuclear Power Co. Ltd. (KHNP). Korea has enacted the Nuclear Protection and Prevention Act to strengthen the protection system for nuclear facilities. Under the Act, the Korea Institute of Nuclear Nonproliferation and Control (KINAC) shall establish KINAC/RS-015 to protect nuclear facilities from cyber attacks.
□ Following the Comprehensive Measures to Enhance National Cyber Security, Korean policy makers and legislators heard many voices from individuals, vendors, and governmental institutes and agencies saying that the cyber security industry shall be encouraged in order to support robust cyber security activities with the best technologies. Hence, the Cyber Security Industry Enhancement Act was newly enacted. According to the Act, the Korean central and local governments and municipalities shall establish and perform policies to encourage the cyber security industry and prepare measures to allocate budgets to fulfill those policies.
□ Electronic financial transactions are a convenient and quick way to transact in the area of finance, enabling financial companies and electronic financial business entities to provide users with new services and to enhance their profits. Notwithstanding these merits, electronic financial transactions might cause big problems and turmoil if hacking incidents occur on the IT network system. Therefore it becomes more important to ensure user confidence by keeping the information network system safe: its authenticity, confidentiality, integrity, availability and legitimate use should be provided without errors. To make electronic financial transactions secure and reliable, the “Electronic Financial Transactions Act” has been enacted.
□ After several significant personal information disclosure cases, National Assembly members proposed a bill focusing independently and wholly on personal information protection. The bill was enacted as an Act on March 29, 2011, and has been in effect since September 30, 2011. To protect personal information, the Act provides that a personal information manager shall establish an internal administration plan, keep access records, and take the technical, administrative and physical measures necessary for securing safety. He/she shall also establish and disclose Personal Information Management Policies and designate Personal Information Protection Managers. The Ministry of Interior certifies personal information protection measures in accordance with the Act. When a personal information manager becomes aware that personal information has leaked out, he/she shall notify the relevant holder of the information.
Ⅲ. Expected Effects
□ By understanding Korea’s national structure for responding to cyber attacks, and its laws and policies related to critical information infrastructure including nuclear power plants, enhancing the information security industry, securing electronic financial transactions, and protecting personal information, other countries could establish robust cyber security laws and policies for responding to cyber attacks.
□ By supporting other countries in establishing such laws and policies, Korea is also able to expand its role in emerging markets, especially Asian countries, and strengthen cooperation in the relevant industry amid increasing demand for products and services related to cyber security. Therefore, this research introducing Korean cyber security legislation is likely to encourage sustainable cooperation in the cyber security sector among Asian countries and the other countries of the world.
□ Besides, the research is likely to assist in materializing the value of the creative economy and accompanied growth through cyber security.
Ⅰ. Introduction
A. Purpose of Research
B. Scope and Methods of Research
Ⅱ. Cyber Security Initiatives and Legislations
A. Overview of Recent Cyber Attacks
B. Cyber Security Policies
C. Development of Cyber Security Laws and Regulations
Ⅲ. Legislations related with Establishing National Cyber Security Structure and Protecting Critical Infrastructure
A. Overview
B. National Cyber Security Management Regulation
C. Critical Information Infrastructure Protection Act
D. Act on Measures for the Protection of Nuclear Facilities, etc. and Prevention of Radiation Disasters
Ⅳ. Legislations related with Enhancing Cyber Security Industry, Securing Electronic Financial Transaction and Protecting Personal Information
A. Cyber Security Industry Enhancement Act
B. Electronic Financial Transaction Act
C. Personal Information Protection Act
Ⅴ. Conclusion
References