Lee Jae-woo, Chair Professor at Dongguk University Graduate School of International Affairs & Information (IAI), delivered a keynote speech on the past, present and future of information security at the 5th International Conference on Information Security (ICIS).
Professor Lee served as the first president of the Center for Information Security (now the Korea Internet and Security Agency (KISA)) in 1996. Lee, considered as a living witness to Korea’s 20-year history of information security, stressed, “Now is the time for us to redefine the word hacker. All the hacking and hacking attempts are tantamount to a crime and hackers are criminals.”
Lee also said the way cyber defense competitions are held should be changed.
“Those who are good at foiling hacking attempts should take home awards. However, most cyber defense competitions honor the first to hack into target computers.” He introduced the SANS NetWars Competition in the US and Europe’s Locked Shields, in which both launching attacks and devising defenses to fend off attacks from others are covered and players’ scores are displayed on a dynamic real-time scoreboard.
“South Korea also has to upgrade hacking competitions to cyber defense exercises. And we have to participate in Cyber Storm, the U.S. Department of Homeland Security (DHS)’s annual cybersecurity exercise series. Cyber Storm, which had begun as biennial exercise series, has been held annually since 2012, dividing participants into attackers and defenders. South Korea also needs to expand cyber defense exercises and comprehensively evaluate both responses to attacks and tactics of attacking target computers.”
“When it comes to cybersecurity, what we are going to do is more important than what we’ve done so far.” Lee mentioned that our future cybersecurity goal should be upgrading to cyber defense exercises, establishing discipline in cyber society, internationalizing the Korean cybersecurity industry, reinforcing cyber diplomacy and strengthening cyberwarfare capabilities.
As for establishing discipline in cyber society, Lee talked about the need for the standardization of cybercrime terminology and concepts. “This is not an issue of dividing hackers into white hat and black hat hackers and condoning ‘white hat’ hacking. There is no legal boundary between white hat and black hat hackers. Therefore, we need to reach a social consensus that computer hacking is a crime.”
The Information and Communications Network Act and the Information and Communications Infrastructure Act stipulate that the hacking of computers is a crime.
Lee probably intended to highlight the downside of white hat hacker programs carried out by the South Korea government. The Korea Information Technology Research Institute (KITRI) has been running a cyber security elite training program called ‘BoB (best of the best)’ and BoB trainees have been taking part in numerous hacking competitions in and outside South Korea.
As regards the practice of sorting hackers into black hat, white hat and ethical hackers, Lee said: “Hackers and hacker communities, not the government or public institutions, have made such classifications to defend themselves. Black hat hackers can turn into white hat hackers anytime; and vice versa.”
“People frequently fall victim to hackers. Nonetheless, hacking books are openly selling at bookstores; people can easily download hacking tools from many websites. This is a paradox.”
“The Certified Ethical Hacker (CEH) certification, issued by the EC-Council, has been known as an international ethical hacker qualification. However, the truth is that the CEH certification is a private qualification issued by a Malaysian e-commerce company. The company has billed it as an international qualification. As a result, lots of people are trying to obtain the CEH certification.”
“To achieve the internationalization of the Korean cybersecurity industry, we need to develop unique technologies and become the envy of the world that other countries want to benchmark against. As for cyber diplomacy, it is imperative to reinforce international cooperation on national security, improve responses to cybercrimes and cooperate in the cybersecurity market,” Lee added.
