1 of 18

Early Cyber Security Ecosystem in Korea

2022.06.29

Kim, Myungchul

mck@kaist.ac.kr

KAIST

2022 KR4050 Workshop (2021.11.15, rev. 2022.06.23)


Table of Contents

  1. Scope and Definitions
  2. Timeline
  3. Public Certificates (공인인증서)
  2. ActiveX
  3. Cases of User Authentication (Korea and abroad)
  6. Issues
  7. Remarks

References


1. Scope and Definitions

1.1 Scope

  • Information security is the part of cybersecurity concerned specifically with protecting data; cybersecurity is the broader term, covering information security as well as the security of internet-connected devices, hardware, software, and data.
  • Types of information security
    • Application Security
    • Cloud Security
    • Cryptography
    • Infrastructure Security
    • Incident Response
    • Vulnerability Management

  • This presentation focuses on user authentication

[Source: Auditboard.com/blog/types-of-information-security-incidents/]


1.2 Ecosystem, Technology Neutrality

  • “An ecosystem consists of all the organisms and the physical environment with which they interact”, as defined by Wikipedia.

  • Technology neutrality (market-led): “the freedom of individuals and organizations to choose the most appropriate technology adequate to their needs and requirements for development, acquisition, use or commercialization, without knowledge dependencies involved as information or data”, as defined by Wikipedia.
  • Technology specificity (government-led): the government or regulator prescribes the technology to be used.


1.3 The Internet Ecosystem

The Internet ecosystem means the organizations and communities that help the Internet work and evolve.

Organizations that make up the Internet Ecosystem include:

    • Technologists, engineers, architects, creatives, and organizations
    • Global and local organizations
    • Operators, engineers, and vendors
    • Internet users
    • Educators
    • Policy and decision-makers

[Source: Internet Society, Who makes the internet work: Internet Ecosystem, 2014.2.3]


1.4 Ecosystems in business strategy

  • Modularity enables ecosystem emergence, as it allows a set of distinct yet interdependent organizations to coordinate without full hierarchical fiat (i.e., without central control).
  • A supply chain has hierarchical control, “not by owning its suppliers, but by fully determining what is supplied and at what cost”, whereas ecosystems tend to be modular.
  • Behavior in an ecosystem, and ultimately its success, is affected by the rules of engagement and by the nature of its standards and interfaces: open versus closed.
    • Symbian’s failure is attributed to differences in organizational efficiency, governance, and the nature of co-specialization.
    • In the Apple/iOS and Google/Android phone ecosystems, the end user decides which apps to buy and from which provider, instead of buying a single combined offering from a single firm.

[Source: Jacobides, M.G., Cennamo, C., & Gawer, A., “Towards a theory of ecosystems,” Strategic Management Journal, 39 (8), 2255-2276, 2018]


1.5 Technology Neutrality

In Internet, telecoms and data protection regulation, technology neutrality means that

  1. (minimal prescription) technical standards designed to limit negative externalities (e.g., radio interference, pollution, safety) should describe the result to be achieved, but should leave companies free to adopt whatever technology is most appropriate to achieve that result.
  2. (the same principles regardless of technology) the same regulatory principles should apply regardless of the technology used. Regulations should not be drafted in technological silos.
  3. (no market steering by regulators) regulators should refrain from using regulation as a means to push the market toward a particular structure that the regulators consider optimal. In a highly dynamic market, regulators should not try to pick technological winners.

[Source: Technology neutrality in Internet, telecoms and data protection regulation, Winston Maxwell and Marc Bourreau, Global Media and Communications Quarterly, 2014]


2. Timeline (Internet, Public Certificates, Technology Neutrality)

  • USA
    • Morris worm (’88.11.2): the first computer worm spread via the Internet
    • Computer Emergency Response Team/Coordination Center (CERT/CC) established at CMU with DARPA funding (’88)
    • ActiveX shipped in Internet Explorer on Microsoft Windows (’96)
    • U.S. government agencies directed to use performance standards (= technology neutrality) whenever feasible (’11)

  • EU
    • Technology neutrality first introduced in the electronic communications regulatory framework (’02)
    • Enacted in Directive 2009/140/EC (’09)

  • Korea
    • SDN (System Development Network) connected to UUCPnet/CSNET (’83)
    • Korean National Basic Computer Network Project (’87~’96): finance, education and research, public administration, etc.
    • Korea Information Security Center established (’96)
    • Public certificates (공인인증서) introduced with the entry into force of the Electronic Signature Act (’99)


3. Public Certificates (공인인증서)

    • Public certificates introduced with the entry into force of the Electronic Signature Act (’99), implemented through the ActiveX feature of Internet Explorer: the certificate software could not be installed in other web browsers
    • Mandatory use of public certificates for Internet banking (’02.9)
    • Mandatory use of public certificates for online securities transactions (’03.3)
    • Mandatory use of public certificates for credit card payments in e-commerce (’09)
    • Since then, it spread to virtually all online transactions: Internet housing subscription applications, electronic civil petitions, year-end tax settlement and income reporting, electronic procurement, etc.

    • Amendment of the Electronic Financial Transactions Act (’14): mandatory use of public certificates abolished, allowing diverse authentication methods
    • Amendment of the Electronic Signature Act, which governed the public (accredited) certificate system (’20) -> technology neutrality


4. ActiveX

    • Function: a Microsoft browser plugin framework that lets a web page download native Windows code components (controls) and run them inside Internet Explorer.
    • Problem (raised from the outset): security threats to users and loss of web interoperability. A control is native code that runs with the privileges of the logged-in user; Internet Explorer gated installation with a code-signing (Authenticode) prompt, which tells the user who signed the control, not what it does. A page that depends on a control works only in Internet Explorer on Windows.
    • Current status: ActiveX is still provided in Internet Explorer 11 on Windows 10; Microsoft Edge, the default browser, does not provide it. (Microsoft retired the Internet Explorer 11 desktop application on 2022.06.15.)

    • Electronic Financial Transactions Act, user’s gross negligence clauses (Articles 9 and 10): Financial Services Commission

An exception clause: a financial institution need not bear liability where the user was negligent, for example by not installing the security program or neglecting the security management of the public certificate. In practice this meant that customers had to install the PC security programs.
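To make the interoperability problem concrete, here is an added example that is not code from the presentation: a small Node.js scanner that reports the Internet Explorer-only constructs in a page's HTML (ActiveX `<object classid="clsid:...">` tags, the proprietary `ActiveXObject` JavaScript API, and IE conditional comments), so an audit can list which pages still cannot be opened in a standards-based browser. The sample page, its ProgID `Example.SecureKeypad` and its all-zero CLSID are constructed for this example.

```javascript
// Added example (not from the presentation): report the Internet Explorer-only
// constructs in a page's HTML, so an audit can list which pages still depend
// on ActiveX. Node.js, no third-party modules.

// Each pattern captures the identifier a practitioner wants in the report:
// the control's CLSID, the ActiveXObject ProgID, or the conditional comment.
const IE_ONLY_PATTERNS = [
  // <object classid="clsid:...">: an ActiveX control (native code) embedded in the page
  { kind: 'object-clsid',   re: /<object\b[^>]*\bclassid\s*=\s*["']?clsid:([0-9a-f-]{36})/gi },
  // new ActiveXObject("ProgID"): the proprietary IE scripting API for native components
  { kind: 'activexobject',  re: /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']/gi },
  // <!--[if IE]>: conditional comments, honoured only by IE 5 through 9
  { kind: 'ie-conditional', re: /<!--\[if\s+[^\]]*IE[^\]]*\]>/gi },
];

// Returns one finding per match, sorted by line number.
function findIeDependencies(html) {
  const findings = [];
  for (const { kind, re } of IE_ONLY_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls; reset it
    let m;
    while ((m = re.exec(html)) !== null) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ kind, line, detail: m[1] || m[0] });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// True when the page cannot work at all outside Internet Explorer: an embedded
// control or an ActiveXObject call. A conditional comment alone only means
// IE-specific content is served.
function requiresInternetExplorer(html) {
  return findIeDependencies(html).some(
    (f) => f.kind === 'object-clsid' || f.kind === 'activexobject'
  );
}

// Constructed sample page modelled on the typical "install the security
// program first" login gate. The ProgID and the all-zero CLSID are made up.
const SAMPLE_PAGE = `<!DOCTYPE html>
<html><head><title>Login</title>
<script>
  // gate: refuse to show the login form until the keypad control is present
  function checkKeypad() {
    var ctl = new ActiveXObject("Example.SecureKeypad"); // constructed ProgID
    return ctl.IsInstalled();
  }
</script>
</head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="https://example.com/npki.cab#version=1,0,0,0"></object>
<!--[if IE]><p>Internet Explorer required.</p><![endif]-->
<form action="/login" method="post"><input name="id"></form>
</body></html>`;

console.log(JSON.stringify(findIeDependencies(SAMPLE_PAGE), null, 2));
console.log('requires IE:', requiresInternetExplorer(SAMPLE_PAGE));
```

Run it with `node`; for a real audit, feed `findIeDependencies` the saved HTML of each login and payment page. A finding of kind `object-clsid` or `activexobject` means the page cannot work in Edge, Chrome, Firefox or Safari at all, which is exactly the portability loss the slide describes; `ie-conditional` alone only means IE-specific content is served. The CLSID and ProgID in each report are what you look up to identify the vendor control behind the dependency.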


5. Cases of User Authentication (Korea and abroad)

5.1 Installing the public certificate security programs on the user's PC (Korea)

5.2 amazon.com


5.3 bankofamerica.com


6. Issues

  • Government-led introduction and use of public certificates through ActiveX

    • Good
      • Early introduction of e-government, e-commerce, and e-finance

      • Personal authentication; activation of interbank transactions

    • Bad
      • Undermined technology neutrality and thereby inhibited market and technological innovation

      • The mandatory program installations weakened security, added complexity, and slowed down PCs

      • User inconvenience


7. Remarks

  • Lesson:
    • Government-led attempts to shape a technology-specific market structure in fields such as the Internet, cyber security, and telecommunications do more harm than good in a rapidly changing market.
    • An ecosystem needs a technology architect (e.g., Apple/iOS and Google/Android) who:
      • Sets a system-level goal
      • Defines the hierarchical differentiation of members’ roles
      • Establishes and manages standards and interfaces
      • Governs membership and relationships


7. Remarks (continued)

  • Similar cases, and how to handle them:
    • MyData project, 2022
    • Carbon neutrality 2050: carbon neutrality is a state of net-zero carbon dioxide emissions.
      • EU: to be achieved by 2050 under the European Climate Law
      • Korea was the 14th country in the world to legislate carbon neutrality
      • Transportation


References

  • Korea Internet History, InternetHistory.kr.
  • An Asia Internet History – Third Decade (2001-2010).
  • Internet Ecosystem, Kilnam Chon, KR4050 Workshop, 2021.
  • Morris worm, Wikipedia.
  • 50 Years of e-Government (1967-2017) (전자정부 50년), Ministry of the Interior and Safety (행정안전부).
  • Global Cyber Security Ecosystem, TR 103 306, ETSI, 2017.
  • Standard Web and Public Certificates (표준웹과 공인인증서), 김대영, 23 Aug 2013.
  • Public Certificates and ActiveX: Abolish Them for Good (공인인증서·액티브X, 확실히 폐기하라), 김우용 et al., ZDNet Korea, 2017.


References (continued)

  • Technology neutrality in Internet, telecoms and data protection regulation, Winston Maxwell and Marc Bourreau, Global Media and Communications Quarterly, 2014.
  • Towards a theory of ecosystems, Jacobides, M.G., Cennamo, C., and Gawer, A., Strategic Management Journal, 39 (8), 2255-2276, 2018.
  • Technology Neutrality in the Context of the Transport Transition (운송 전환의 맥락에서 기술 중립성), Dr. Paul Lehmann et al., Agora Verkehrswende, 2020.
  • Amendment to the Electronic Financial Transactions Act to Strengthen User Protection and Rationalize Financial Security (이용자 보호 강화와 금융보안 합리화를 위한 전자금융거래법 개정안), 박지환, Open Net (오픈넷), 2015.03.
  • How Could the Mandatory Public Certificate Policy Be Abolished, to Make a Change Internet Users Can Feel? (인터넷 이용자가 체감할 수 있는 변화를 만들기 위해, 공인인증서 의무사용 정책은 어떻게 폐기될 수 있었을까요?), 박지환, Open Net (오픈넷), 2020.
