
An unofficial English translation of the proposed South Korean National Cyber Terrorism Prevention Act.

The recently proposed South Korean National Cyber Terrorism Prevention Act: [Korean PDF]|[English PDF]


National Anti-Cyberterrorism Act (Legislative Bill)
(April 9, 2013)
*Rationale
The cyberspace, which is a virtual space connecting computers and other information technology
devices through networks, now has not only become a common space for the daily lives of all
citizens, but also transcends borders among states and public/private sector.
Due to its uniqueness, both public and private sectors cannot unilaterally block all cyber-attacks
that occur beyond space and time. Furthermore, unlike disorder in the physical world, a single
person can potentially cause national crisis by launching a cyber terror attack.
Cyber crisis can have enormous influence on the whole society. Attacks on national major
information communications network as shown in the case of 1.25 Internet crisis (Slammer Worm),
and organized cyber terrorism from overseas that can lead to leakage of national secrets and
technology, are increasing every day, and are more likely to occur in the future.
However, Korea has yet to establish a systematic national anti-cyberterrorism plan or policies and
specific procedures to manage such crises. In case of a cyber crisis, this situation may lead to severe
danger and serious damage to national security and national interest.
Therefore this bill proposes the establishment of a national comprehensive response system
involving the government and the private sector, hence detect cyber terror attacks in advance to
prevent national cyber crisis and concentrate national capacity in times of crisis to take prompt
action.
*Executive Summary
A. The Director of the National Intelligence Service (hereafter NIS) may organize and operate a
public-private consultative body in order to efficiently manage cyber crisis and mutually share
information related to cyber-attacks (Article 5).
B. The Director of the NIS should establish the master plan of national cyber terror prevention and
crisis management and construct an implementation plan to distribute to the Heads of responsible
agencies (Article 7).
C. Establishment of the National Cyber Security Center under the Director of the NIS for a
comprehensive and systematic national response to cyber terrorism and management of cyber crisis
(Article 9).
D. Heads of responsible organizations should either establish and operate a Security Management
Centre capable of detecting and analyzing cyber-attack information and promptly responding to such
threats, or depute the task to a Security Management Centre established and operated by other
institutions (Article 12).
E. Heads of central administrative agencies should immediately carry out investigations when
damage occurs due to a cyber terror attack, and should notify the Heads of related administrative
agencies and the Director of the NIS in cases of critical damage (Article 13).
F. The Director of the NIS can issue the Cyber Crisis Alert in the interest of systematic response to
cyber terrorism, and the Heads of responsible organizations should take appropriate measures to
minimize or restore damage (Article 15).
G. The government may organize and operate Cyber Crisis Response Headquarters consisting of
related institutions and professionals for analysis, investigation, immediate response, and damage
restoration when a Cyber Crisis Alert higher than Alert state is issued (Article 16).
H. The government may carry forward policy measures necessary for cyber crisis management,
such as technology development, international cooperation, industry development, and human
resource development (Article 19, 20, and 21).
I. The government may give monetary reward to those who provide information on cyber terror
attempts or report cyber terrorists (Article 24).
J. Those who divulge official secrets are sentenced to maximum five years in prison or fined to
maximum 30 million won. Those who have not established a Security Management Centre may be
charged with maximum 20 million won for negligence (Article 25 and 26).
*Legislative Bill for National Anti-Cyberterrorism Act
Chapter 1 General Provisions
Article 1 (Purpose)
The purpose of this Act is to contribute to national security and national interest by stipulating the
fundamental situations of national cyber terror prevention in order to prevent cyber terror which
threatens national security and enable prompt response by concentrating national capacity in cases
of cyber crises.
Article 2 (Definitions)
1) The definition of the terms used in this Act is as follows.
1. “Cyber Terrorism” refers to all offensive actions that intrude, disturb, paralyze, or destroy
information telecommunication infrastructure, or actions related to information theft, damage and
dissemination of distorted information by electronic means such as hacking, computer virus,
denial of service, and electromagnetic wave.
2. “Cyber Security” refers to measures and responses through administrative, physical,
technological means in order to protect information telecommunication infrastructure and
information from cyber terrorism, and includes cyber crisis management.
3. “Cyber Crisis” refers to a situation in which a cyber terror attack causes serious disruption to the
function of the state and society or could potentially spread damage nationwide.
4. “Cyber Terror information” refers to information of certain actions determined by information
systems and information security system (including software) as cyber terrorism, and includes IP
addresses and MAC addresses used to identify the source of the cyber attack.
5. “Cyber Crisis Alert” refers to alerts issued in order to provide cyber threat information when a
cyber crisis is expected to occur, thereby enabling related organizations to take appropriate
measures according to the threat level.
6. “Cyber Crisis Management” refers to all national level measures and actions pertaining to cyber
terror detection, response, investigation, restoration of damage, mock exercise, issuance of
warning and cooperation among agencies in order to prevent cyber crisis and systematically take
prompt action in case of cyber crisis.
7. “Agencies Responsible of Cyber Terror Prevention and Crisis Management (“Responsible
Agencies”)” refers to the following agencies performing tasks related to cyber terror prevention
and crisis management.
a. <Constitution (대한민국헌법)>, <Government Organization Act (정부조직법)>, other
national agencies and local autonomous entities established by other legislation, and public
institutions according to Article 3, paragraph 10 of <Framework Act on National
Informatization (국가정보화 기본법)>
b. Agencies in charge of managing major information and communications infrastructure
according to Article 5, paragraph 1 of <Act on the Protection of Information and
Communications Infrastructure (정보통신기반 보호법)>
c. Business operator of clustered information and communications facilities according to Article
46, paragraph 1, and major providers of information and communications services according
to Article 47-3, paragraph 2 of <Act on Promotion of Information and Communications
Network Utilization and Information Protection, etc.(정보통신망 이용촉진 및 정보보호
등에 관한 법률)>
d. Corporations or research institutes which hold National Core Technology according to
Article 9 of <Act on Prevention of Divulgence and Protection of Industrial Technology
(산업기술의 유출방지 및 보호에 관한 법률)>
e. Defense contractors according to Article 3, paragraph 9, and specialized research institutes
according to Article 3, paragraph 10 of <Defense Acquisition Program Act (방위사업법)>
8. “Support Institution for Anti-Cyberterrorism and Crisis Management (“Support Institution”)”
refers to the following institutions or corporations which support prompt detection, response,
investigation, and damage restoration of cyber terror.
a. Electronics and Telecommunications Research Institute (ETRI) Affiliated research institute
according to Article 8 of <Act for the Establishment, Management and Promotion of
Government-supported Research Institutes in the Science and Technology Sector
(과학기술분야 정부출연연구기관 등의 설립 운영 및 육성에 관한 법률)>
b. Korea Internet Security Agency (KISA) according to Article 52 of <Act on Promotion of
Information and Communications Network Utilization and Information Protection, etc.
(정보통신망 이용촉진 및 정보보호 등에 관한 법률)>
c. Software business operators who produce or sell antivirus software according to Article 24 of
<Software Industry Promotion Act (소프트웨어산업 진흥법)>
d. Producers or importers of information protection system according to Article 3, paragraph 9
of <Framework Act on National Informatization (국가정보화 기본법)>
e. Designated consulting companies specialized in knowledge and information security
according to Article 9 of <Act on the Promotion of Information and Communications
Infrastructure (정보통신기반보호법)>
f. Companies specialized in security management designated by the Head of related
administrative agencies
2) Apart from the terms defined above, other terms used in this Act accord with <Act on the
Protection of Information and Communications Infrastructure (정보통신기반 보호법)>, <Act
on Promotion of Information and Communications Network Utilization and Information
Protection, etc (정보통신망 이용촉진 및 정보보호 등에 관한 법률)>, <Framework Act on
National Informatization (국가정보화 기본법)>, <Telecommunications Business Act
(전기통신사업법)>.
Article 3 (Relations to other legislations)
This Act shall be applied with the exception of clauses of other legislations that regulate the
prevention of cyber terror and crisis management. However, if a cyber crisis occurs, this Act shall
supersede other legislations in application.
Article 4 (Obligation of Responsible Agencies)
Chiefs of Responsible Agencies are responsible for maintaining safety of information
communications facilities within their jurisdiction in order to prevent cyber terror. Accordingly,
they should devise measures to secure professional workforce dedicated to and budget necessary for
the prevention of cyber terrorism and crisis management.
Article 5 (Public-Private Cooperation)
1) The government may organize joint consultative bodies with private institutes according to the
Presidential decree in order to efficiently manage cyber crisis and cooperate to prevent cyber terror
and take appropriate countermeasures.
2) Other considerations necessary for paragraph 1 shall be prescribed by Presidential Decree.
Chapter 2 National Cyber Terror Prevention and Crisis Management System
Article 6 (National Cyber Security Strategy Council)
1) The National Cyber Security Strategy Council (hereinafter referred to as “Strategy Council”) shall be
established under the Director of the NIS to deliberate important matters regarding national
anti-cyberterrorism and crisis management.
2) The Director of the NIS chairs the Strategy Council.
3) The Strategy Council shall have vice-minister class officials of central administrative agencies
and those appointed by the Chairman of the Strategy Council (= Director of the NIS).
4) The Strategy Council shall deliberate the following.
1. Establishment and improvement of cyber terror prevention and crisis management strategies,
policies, and institutions
2. Problems pertaining to role adjustment among agencies related to cyber terror prevention and
crisis management
3. Problems pertaining to sharing and protecting cyber threat information according to Article
12, paragraph 2
4. Other problems presented by the Chairman of the Strategy Council (= Director of the NIS) or
submitted by council members
5) The Strategy Council may set up a National Cyber Security Countermeasure Council (hereinafter
referred to as “Countermeasure Council”) in order to efficiently operate the Strategy Council.
6) Other specific matters pertaining to the organization and operation of the Strategy Council or the
Countermeasure Council shall be prescribed by Presidential Decree.
Article 7 (Establishment of a Master Plan for National Anti-cyberterrorism and Crisis
Management)
1) The Government should establish and implement National Anti-cyberterrorism and Crisis
Management Master Plan (hereinafter referred to as “Master Plan”) in order to efficiently and
systematically push forward measures for cyber terror prevention and crisis management.
2) The Master Plan shall be outlined by the deliberation of the Strategy Council and discussion
among the Director of the NIS and Heads of related central administrative agencies according to
Presidential Decree.
3) The Head of central administrative agency should devise and disseminate National
Anti-cyberterrorism and Crisis Management Implementation Plan (hereinafter referred to as
“Implementation Plan”) to Heads of sub-agencies in order to enable them to utilize the Master
Plan according to paragraph 1.
Article 8 (Confirmation of Compliance to the Implementation Plan and Report to the
National Assembly)
1) The Head of central administrative agency should annually confirm the compliance of its sub-
agencies to the Implementation Plan.
2) The Director of the NIS gathers the confirmation results of paragraph 1, conducts an inspection
of the actual condition of national cyber terror prevention and crisis management, and reports the
results to the National Assembly. However, inspection and assessment of the National Assembly,
Court, Constitutional Court, National Election Commission shall be conducted only when
requested by each entity.
3) Procedures and means necessary for paragraph 1 and 2 shall be prescribed by Presidential Decree.
Article 9 (Establishment of National Cyber Security Center)
1) For a comprehensive and systematic state-level prevention of and response to cyber terrorism
and cyber crisis management, National Cyber Security Center (hereinafter referred to as “Security
Center”) shall be established under the Director of the NIS.
2) The Security Center shall undertake the following duties.
1. Establishment of national anti-cyberterrorism and crisis management policies
2. Support for the Strategy Council and the operation of the Countermeasure Council
3. Collect, analyze and disseminate information related to cyber terror
4. Secure the safety of national information communications network
5. Devise and disseminate national cyber terror prevention and crisis management manual
6. Investigate cyber terror cases and support recovery from damage
7. Cooperation with other countries in sharing cyber attack information
3) The Director of the NIS may set up and operate a Private-Public-Military Joint Response Team
(hereinafter referred to as “Joint Response Team”) in order to support comprehensive judgment,
situation management, threat causation analysis, investigation, etc. according to paragraph 1
when necessary.
4) The Director of the NIS may request the Head of central administrative agency or other support
agencies to dispatch workforce and provide equipment necessary for the establishment and
operation of the Joint Support Team when needed.
Chapter 3. Anti-cyberterrorism and Cyber Crisis management ac
Article 10. (Establishment and Operation of Anti-Cyberterrorism policy)
1) To secure the safety and reliability of information and its network, heads of Responsible
Agencies shall establish Anti-cyberterrorism policy.
2) The Director of the NIS may prepare and deliver a necessary guideline for establishment of
Anti-cyberterrorism prevention policy. In this case, the Director of NIS shall consult with a head of
central administrative agencies concerned in advance.
3) In the case of paragraph 2) applied to central administrative agencies of the National Assembly,
court, constitutional court and national election commission, it is applied only in a case that the
head of concerning agency or institution considers it necessary.
Article 11 (Precluding spread of malicious program)
1) If the Government becomes aware of websites or software including malicious program, it shall
provide related information to operators so that they can take measures for security necessary to
preclude spread of malicious program.
2) The Government may, if it judges the compromised websites or software is highly likely to be
misused and potentially dangerous despite measures under paragraph 1), delete or block them by
using anti-virus program.
3) Specific details of the necessary measures pursuant to paragraph 1) or paragraph 2) shall be prescribed
by the Presidential Decree.
Article 12 (Establishment of Security Control Center etc.)
1) Head of a Responsible Agency shall establish and manage an organization which is able to detect
and analyze cyberterrorism information and immediately respond, or entrust the work to a security
control center which the agencies in the following subparagraphs establish and manage. Provided that an
Information Sharing & Analysis Center, in accordance with Article 16 of Act on the Protection of
Information and Communications Infrastructure, is deemed a security control center.
1. Relevant Central Administrative Agencies
2. National Intelligence Service
3. Specialized Security Control Corporation in accordance to Article 2-Paragraph 1) -
Subparagraph f
2) Head of Responsible agencies shall share cyberterrorism information, and vulnerability of
information networks or software etc., in accordance with Paragraph 1) (hereinafter referred to as
“Cyber Threat information”), with heads of relevant agencies and the Director of the NIS.
3) For efficient management and operation of Cyber Threat information, in accordance with
Paragraph 2, The Director of the NIS may establish and manage Cyber Threat information
integration system with heads of relevant agencies.
4) Any person shall fairly use and manage the information shared in accordance with paragraph 2,
only within the scope of Cyber Crisis management.
5) Matters concerning the Security Control Center in accordance with paragraph 1, the establishment
and management of the Cyber Threat information integration system and information management in
accordance with paragraph 3, and the scope, process and method of Cyber Terror information sharing
in accordance with paragraph 2 shall be prescribed by the Presidential decree.
Article 13 (Incident investigation)
1) In the case when damages are made to the jurisdiction of a central administration agency, the head of
the central administration agency shall conduct incident investigation swiftly on the cause and
damages, and in the case of severe damages or concerns over the possibility of expansion of
damages, he/she shall immediately notify the results to the head of related central administration
agency and the Director of the NIS.
2) Despite the paragraph 1), when the case is deemed to cause severe impacts on national security
and interest, the Director of the NIS can consult the related central administration agency and
conduct the investigation on its own.
3) In the case when swift actions are deemed to be necessary for restoration and prevention of
further damages according to the notification of the investigation result regarding paragraph 1) or
the NIS’s own investigation regarding paragraph 2), the Director of the NIS may request necessary
measures to heads of responsible agencies. The responsible agency's heads must abide by the
request if there is no substantial reason not to.
4) No person shall delete/damage/modify data related to cyber terror before the incident
investigation regarding paragraph 1) and 2).
Article 14 (Response Training)
1) The Government shall execute training programs to prevent cyber terror from happening and
respond systematically and efficiently.
2) Trainings regarding paragraph 1) may either be executed regularly every year or be conducted as
occasion demands, and regular training may be executed together with Emergency Preparedness
Training regarding Article 14 of <Emergency Preparedness Resources Management Act
(비상대비자원관리법)>.
3) The necessary issues including the execution method and procedure of the training regarding
paragraph 1) etc. shall be prescribed in the Presidential Decree.
Article 15 (Announcement of Cyber Crisis Alert)
1) To systematically prepare and respond to cyber terror, the Director of the NIS may announce
four-stage Cyber Crisis Alert (moderate/substantial/secure/critical), based either on the request of
the head of a responsible agency or on the complement/judgment of intelligence gathered regarding
Article 12 paragraph 2).
2) In the case when a cyber terror is deemed to cause serious damage to national security, the
Director of the NIS may consult the Senior Secretary to the President for National Crisis Control in
the National Security Department to announce critical-level alert, and in the case of the
announcement of a critical-level Alert, it shall inform the reason of the announcement to the
National Assembly.
3) The Director of the NIS shall consult the level of Cyber Crisis Alert prior to the announcement.
4) The head of responsible agencies should take measures to minimize occurring damages and to
foster restoration immediately after the announcement of Cyber Crisis Alert regarding paragraph 1).
5) The necessary issues regarding the procedure, criteria, measures by heads of responsible agencies,
etc. shall be prescribed in the Presidential Decree.
Article 16 (Organizing Cyber Crisis Response Headquarters)
1) In the case of a Cyber Crisis Alert above the “Caution-level”, the Government may organize and
operate Cyber Crisis Response Headquarters (hereinafter referred to as “Response HQ”), in which
experts from private sectors, the Government and the Military participate to concentrate national
capacity, for swift responding measures such as analysis of causes, investigation, emergency
response, recovery of damages, etc.
2) The head of Response HQ (hereinafter referred to as “Head”) shall be the Director of the NIS, and
the necessary issues regarding the organization and operation of Response HQ shall be determined
after the Director of the NIS consults with related central administrative agencies’ heads.
3) The Head may request needed workforce and equipment from responsible agencies and
supporting agency heads in order to organize/operate the Response HQ stated in paragraph 1). The
responsible agencies and supporting agencies’ heads must abide by the request if there is no
substantial reason not to.
4) The Head may provide incurred expenses to the head of agencies that dispatched workforces and
equipment to the Response HQ.
Article 17 (Technical Assistance)
1) In the case the head of a responsible agency needs support to operate on duties regarding Article
12 paragraph 1) and Article 15 paragraph 4), he/she may request support from the head of the
related central administrative agency or the Director of the NIS.
2) The head of related central administrative agency or the Director of the NIS shall provide
necessary measures including technical assistance when it receives the request regarding paragraph
1), so as to ensure swift responses.
3) Regarding the support in paragraph 2), the head of related central administrative agency or the
Director of the NIS may request support of the requesting agency, and shall provide the content and
period of support beforehand.
4) The head of related central administrative agency or the Director of the NIS may provide
incurred expenses to the head of agencies for the support regarding paragraph 3).
Chapter 4. R&D, Support etc
Article 18 (Provision for Responsible Agency)
The Government may provide the Responsible agencies necessary technical assistance, equipment
and other needed support in order to protect information & communications network.
Article 19 (R&D)
1) The Government may promote the following policies for technology development and
improvement necessary for the prevention of a Cyber Terror and Cyber Crisis management;
1. Establishment and operation of national research and development plan for Cyber Terror
prevention and Cyber Crisis management
2. Survey on the needs of Cyber Terror prevention and Cyber Crisis management technology /
project about trend analysis
3. Cyber Terror prevention and Cyber Crisis management technology’s development, supply and
distribution project
4. And so forth, necessary matters concerning Cyber Terror prevention and Cyber Crisis
management technology’s development and improvement
2) In accordance with paragraph 1, the Director of NIS may establish research institute or designate
agency established by other act as a specialized agency.
3) The Director of the NIS may settle detailed matters concerning process and method of Cyber
Terror prevention and Cyber Crisis management technology.
Article 20 (Industry Promotion)
1) For industry promotion support on Cyber Terror prevention and Cyber Crisis management
technology, Government shall establish and operate policies as follows, and find necessary finance
securing method.
1. Support for policy establishment about Cyber Terror prevention and Cyber Crisis
management industry
2. Support of market invigoration for Cyber Terror prevention and Cyber Crisis management
technology development
3. Establishment of industry-academic cooperation for Cyber Terror prevention and Cyber
Crisis management industry promotion
4. Support for International exchange and cooperation, and overseas expansion of Cyber Terror
prevention and Cyber Crisis management industry
2) Government may let a research institute or a specialized agency, stated in Paragraph 2) of Article
19, operate a necessary task for industry promotion, stated in paragraph 1).
Article 21 (Education, Training and Public Awareness)
For base-establishment of Cyber Terror prevention and Cyber Crisis management, and
improvement of public awareness about Cyber Crisis, Government shall devise measures as follows;
1. Manpower training about Cyber Terror prevention and Cyber Crisis management
2. Publicity and education about Cyber Terror prevention and Cyber Crisis management
3. And so forth, necessary matters concerning education, training and public awareness about
Cyber Terror prevention and Cyber Crisis management
Article 22 (International Cooperation)
The Government may execute the following matters to strengthen cooperation with international
organizations, agencies and foreign countries in the case of Anti-cyberterrorism and Cyber Crisis
management.
1. Construct mutual cooperation system for prevention of cyber terror and Cyber Crisis
management
2. Sharing of Information and response coordination in technologies regarding Anti-
cyberterrorism and Cyber Crisis management
3. Secondment/training of personnel-in-charge for Anti-cyberterrorism and Cyber Crisis
management
Article 23 (Confidentiality)
Any person who engages or engaged in a job related to the prevention of cyber terror and Cyber
Crisis management affairs shall not divulge to another person any secret that he/she has learned
while performing his/her duties, nor use it for any purpose other than performance of his/her duties.
Article 24 (Reward, etc.)
1) Regarding the prevention of cyber terror and Cyber Crisis management, the Director of the NIS
may award a prize to a person that suits the following, and may provide rewards within the
boundary permitted by its budget.
1. Person who provided information on the attempt of a cyber terror
2. Person who reported on the actor(s) of cyber terror
3. Person who provided an outstanding service in detecting, responding to, and recovering
from a cyber terror
2) The criteria, manner and procedure, concrete amount of the money paid, and other necessary
issues in awarding a prize and reward will be determined by the Director of the NIS.
Chapter 5. Penal Provisions
Article 25 (Penal Provisions)
1) Any person falling under any of the following subparagraphs shall be punished by imprisonment
with prison labor for at most five years or by fine not exceeding 30 million won;
1. Any person in violation of Article 12 paragraph 2) and Article 12 paragraph 4)
2. Any person in violation of Article 13 paragraph 4)
3. Any person in violation of Article 23
2) Any person falling under any of the subparagraph 1. due to negligence in the conduct of business
shall be punished by imprisonment with prison labor for at most two years or by fine not exceeding
10 million won.
Article 26 (Penalty)
1) Any person falling under any of the following subparagraphs shall be charged not exceeding 20
million won for penalty;
1. Any person in violation of Article 13 paragraph 1)
2. Any person in violation of Article 16 paragraph 3)
2) Any person in violation of Article 13 paragraph 3) shall be charged not exceeding 10 million
won for penalty.
3) Penalty being charged due to paragraphs 1) and 2) shall be imposed and collected by related
National Administration Agency as prescribed in the Presidential Decree.

This unofficial translation is made for academic research and review.

Any comments and/or suggestions will be very helpful for the improvement of cyber-security of
Korea and the World. Please leave a comment, or email me.