The government is defining the surge in cyber intrusions as an emergency tantamount to a crisis and will change the system so authorities can launch investigations without corporations' reports when hacking indications exist.
It will also raise the amounts of fines and penalty surcharges imposed for violating security obligations and toughen sanctions by introducing enforcement charges and punitive penalty surcharges. A sweeping inspection will begin for more than 1,600 information technology (IT) systems.
The Ministry of Science and ICT, the Ministry of Economy and Finance, the Financial Services Commission (FSC), the Ministry of the Interior and Safety, the National Intelligence Service, and other related ministries announced on the 22nd at Government Complex Seoul a pan-government comprehensive information security plan reflecting these measures.
The government said it views the recent, repeated hacking incidents across both the private and public sectors as a serious crisis and will operate an organic response regime led by the Office of National Security.
First, to stop the practice of concealing cyber intrusions such as hacking, the system will be improved so the government can conduct on-site investigations without corporations' reports once it has obtained indications of hacking.
For actors that violate security obligations—such as delayed hacking reports, failure to implement recurrence prevention measures, and repeated leaks of personal or credit information—sanctions will be strengthened, including raising fines and penalty surcharges and introducing enforcement charges and punitive penalty surcharges.
In Korea, a penalty surcharge equal to 3% of sales is imposed for incidents such as personal information leaks, and the government is reviewing ways to expand the scale of sanctions by referencing cases such as the United Kingdom, which levies 10%.
It will review creating a fund so that penalty surcharge revenue from personal information leak incidents can be used for personal information protection, including support for victims.
The government will begin a sweeping inspection of more than 1,600 IT systems used by the vast majority of the public, including in the public, financial, and telecommunications sectors. In particular, for telecom companies, which have seen a spate of recent hacking incidents and where secondary damage is significant when information is leaked, unannounced, intensive inspections that simulate actual hacking methods will be pursued.
Major corporations in sectors other than telecom, such as the platform industry, must submit their internal inspection results to the government after confirmation by the chief executive officer (CEO). The government will then launch follow-up inspections in sequence.
The telecommunications industry will be required to establish identification and management systems for key IT assets, and small base stations (femtocells) cited as being exploited for hacking will be immediately discarded unless their stability is ensured.
When hacking occurs, the burden of proof on consumers will be eased, and user protection manuals will be prepared in key sectors such as telecommunications and finance.
Starting in the first half of next year, as the information security disclosure obligation is expanded to all listed corporations, the number of obligated entities will increase from the current 666 to more than 2,700. Based on the disclosure results, security capability levels will be graded and made public.
In addition, the security certification system (ISMS, ISMS-P), long criticized as toothless, will be shifted to on-site inspections to strengthen follow-up management, and the principle of security responsibility for corporations' CEOs will be codified.
Addressing criticism that the existing cyber security environment was limited to domestic conditions, security software that financial and public institutions force consumers to install will be gradually restricted starting next year. In addition, uniform physical network separation rules that do not align with global changes such as the spread of cloud and AI will be changed to focus on data security.
The government also said it will strengthen cooperation on cyber threat prevention and response between the National Intelligence Service (NIS)'s National Cyber Crisis Management Center, a joint public–private–military body, and government ministries.
While jointly using the NIS's investigation and analysis tools with the private sector, it will establish an AI-based intelligent forensics lab to cut analysis time per case from the current 14 days to about five days.
In addition, the government will expand public budgets and personnel for information security, elevate the rank of the government chief information security officer from Director General to Deputy Minister, and double the cyber security score in public institution management evaluations.
To foster the security industry, it plans to nurture 30 next-generation AI security corporations annually and produce more than 500 white-hat hackers each year.
The government added that, beyond these short-term strategies, it will establish a national cyber security strategy within the year that encompasses mid- to long-term tasks.
Bae Kyung-hoon, Deputy Prime Minister and Minister of Science and ICT, said, "The government views the continued public harm from successive security incidents as an emergency tantamount to a crisis," and added, "We will prepare remedies so hacking damage is not shifted onto consumers and make every effort to build an information security system that underpins an AI powerhouse."