Following the fire at the National Information Resources Service's Daejeon headquarters, calls are growing for the public sector to also expand adoption of private cloud services. Observers say service restoration would have been faster if a private cloud with a disaster recovery (DR) system, which can operate as an alternative in disasters such as fires and earthquakes, had been used alongside. Korea is also pushing forward with a cloud migration project for administrative and public institutions, but critics say the effectiveness of the cloud security certification system that underpins it is lacking, delaying the adoption of private clouds.
According to the government and industry on the 1st, for a private cloud service provider (CSP) to supply cloud services to public institutions, it must obtain Cloud Security Assurance Program (CSAP) certification overseen by the Ministry of Science and ICT. Introduced in 2023, CSAP is divided into three grades: upper, middle, and lower. The "upper" grade applies to internal administrative operating systems that include sensitive information such as national security and diplomacy, the "middle" grade applies to systems handling nonpublic work materials, and the "lower" grade applies to systems operating public data that does not include personal information.
The grading system's core is to vary security requirements for cloud systems according to the importance and sensitivity of information. The "lower" grade allows "logical network separation" in addition to "physical network separation" so that overseas providers can participate. Physical network separation strictly separates business and internet networks and requires servers to be located in Korea, whereas logical network separation allows cloud servers to be built in a virtual, not physical, space. Overseas providers can obtain only the "lower" grade among these, and to date, Amazon Web Services (AWS), Google Cloud, and Microsoft have received the "lower" grade.
However, some say that the transition to private clouds is also being delayed as the revision of the notice containing detailed criteria for the upper and middle grades has been postponed. Initially, the Ministry of Science and ICT planned to prepare a notice containing the evaluation criteria for the upper and middle grades by September last year, but as the National Intelligence Service pushed the National Network Security Framework (N2SF) and concerns arose about overlapping regulations, the revision was delayed by nearly a year.
N2SF, overseen by the National Intelligence Service, is a framework that classifies public institution computer networks into confidential (C), sensitive (S), and open (O) grades according to business importance and applies differential security. The National Intelligence Service only released the official version of the N2SF guidelines on the 30th of last month, and the Ministry of Science and ICT says it will supplement CSAP grading criteria accordingly.
Criticism is mounting that because the authority over public cloud policy is divided among the Ministry of the Interior and Safety, the Ministry of Science and ICT, and the National Intelligence Service, operational consistency suffers and responses to incidents such as the National Information Resources fire are inevitably slow. Under Korea's current e-government framework, the Ministry of Science and ICT handles CSAP, the National Intelligence Service handles N2SF, and the Ministry of the Interior and Safety handles the public-private partnership cloud (PPP). Experts said this siloed structure has hindered the activation of the private cloud market and led to patchwork maintenance of existing systems, increasing the risk of accidents.
PPP is a model in which the government and the private sector cooperate to build and operate a cloud infrastructure dedicated to public institutions, with the government controlling operations as the key. The government is transferring 96 systems that were completely burned in the fire at the National Information Resources Daejeon headquarters to the Daegu Center PPP. The Daegu Center PPP, built last year, houses Samsung SDS, KT Cloud, and NHN Cloud, which have obtained the National Intelligence Service's "upper" grade security certification. The three companies are expected to participate in reinstalling the work systems that were destroyed at the government's request.
Experts agree that to build a DR environment where computer networks do not go down even in disasters, cloud policies scattered in silos must first be overhauled. This is because when policy authority is divided by ministry as it is now, it is difficult for public institutions to accelerate the adoption of private clouds. With the CSAP certification system for the upper and middle grades not yet concretely in place, even domestic cloud providers face limits in participating in the public cloud market.
As criticism over the "siloed e-government" grew after the fire, President Lee Jae-myung ordered, "Report swiftly on solutions to structural problems, including governance," and said, "Even now, a dual operating system is necessary, and if needed, we must rebuild the system in collaboration with the private sector."
In response, the National AI Strategy Committee formed the "AI infrastructure governance and innovation task force" and plans to prepare and announce by Nov. 2025 a comprehensive plan containing fundamental structural improvement measures for the national digital infrastructure.