A Legislation Guide for Keeping pace with Cybersecurity Paradigm Shift toward Vulnerability 

FIRST

Tae Seung Lee (Korea Internet & Security Agency, KR)
Dr. Tae-seung Lee is a chief researcher currently working for KrCERT/CC of KISA, and he holds a Ph.D. in computer engineering from SungKyunKwan University (SKKU). He worked as a project leader or researcher at Samsung Electronics for 6 years, and he has worked at KISA for 22 years as a team director or researcher in areas such as Common Criteria (CC), personal information protection, and KrCERT/CC. His current interests are global cybersecurity policies and laws, cybersecurity incident and vulnerability response, zero trust architecture, and software supply chain security.
---
The cybersecurity paradigm has recently been moving toward a proactive response focused on vulnerabilities, and as a result, vulnerability treatment is becoming a survival factor for manufacturers and providers of ICT products and services. To keep pace with this shift, this paper suggests how cybersecurity legislation should be improved to enhance vulnerability treatment. In the first step, we analyze recent global cybersecurity policies and laws published by the US, the EU, and the OECD to identify newly introduced cybersecurity requirements for enhancing vulnerability treatment. In the second step, we find the requirements for legal improvement by comparing the previously identified requirements with the cybersecurity laws currently in force. In this paper we apply the second step to the “Act on Promotion of Information and Communications Network Utilization and Information Protection”, which is one of the cybersecurity laws in Korea. As a result, we find five requirements for legal improvement: vulnerability reporting and notification, vulnerability remediation, and, for implementing coordinated vulnerability disclosure (CVD), safe harbor, vulnerability disclosure policy, and coordinator designation. Finally, in the third step, we suggest a preliminary draft of a legal improvement proposal, based on the analysis and application of domestic and foreign cybersecurity legislative cases relating to the legal improvement requirements found in the previous step.

Published: 8 May 2024
