Defenses against hacking badly neglected, says rep

The government's main defense development agency hasn't conducted on-site investigations since last year to prevent North Korean cyberattacks on key defense companies, according to an opposition lawmaker Monday.
Han Ki-ho, a lawmaker from the opposition People Power Party (PPP), reviewed reports from the Defense Acquisition Program Administration (DAPA) and found that the agency inspected defense companies’ security safeguards only through written communications between last year and the first half of this year.
The revelation that the agency neglected to visit the companies to inspect their networks and data security for over a year comes after Korea Aerospace Industries (KAI), the country’s sole aircraft manufacturer, and Daewoo Shipbuilding & Marine Engineering both reported late last month that they had suffered hacking attempts by organizations probably backed by North Korean intelligence, which may have resulted in the theft of domestically developed naval vessel and aircraft designs.
According to Han, the reason given by DAPA for skipping on-site inspections of defense companies was the Covid-19 pandemic.
The government since last year has only conducted what it calls “integrated surveys,” which combined and replaced previous security audits and on-site investigations into defense technology protection.
Experts criticized this change as having reduced the number of opportunities to diagnose the state of security of defense companies’ data and communications.
“Security leaks can occur even if we stay at the site for one to two weeks,” said Sohn Young-dong, a visiting professor at Hanyang University's Department of Integrated Defense, who previously served as the head of the National Security Research Institute.
“An [on-site] fact-finding mission must be dispatched to identify possible threats and weaknesses. Inspecting a company’s cyber security using documents submitted by the company is tantamount to doing nothing,” he added.
A government official who spoke on the condition of anonymity admitted to the JoongAng Ilbo, “In the case of the hacking of Daewoo Shipbuilding & Marine Engineering –– a company that had been subject to [written] inspections since last year –– [on-site inspections] would have spotted weaknesses earlier and led to corrective action.”
Both government insiders and outsiders point to lack of expertise and manpower at DAPA, which coordinates and supports defense technology development, as a more fundamental reason for the recent security breaches.
Under the administration of President Moon Jae-in, security oversight of defense companies by the former Defense Security Command –– now the Defense Security Support Command (DSSC) –– was transferred to DAPA after the former was found to have spied on civilians registered under the National Health Insurance Corporation.
Although DAPA can request assistance from the National Intelligence Service (NIS) and the DSSC if needed, an anonymous source within the government noted that “legal responsibility for safeguarding the security of defense companies no longer lies with the NIS or the DSSC.”
Furthermore, while there are currently five DAPA employees tasked with inspecting the security of defense companies, there are 133 physical locations and 86 companies that must be regularly checked.
Although DAPA requested an additional 18 people last year along with the establishment of a dedicated department to conduct security audits, the request was rejected, ostensibly due to lack of available personnel. However, the agency’s separate requests to expand its other branches may have played a role in the rejection.
Earlier this year, DAPA expanded and reorganized its internal education center to take on 22 students. According to another government source, “The education sector is a project preferred by government departments that want to create a place for retiring government employees to go.”
However, the project remains in legal limbo, with the bill for the center’s establishment currently pending in the National Assembly. The source added, “That project just doesn’t seem urgent, but DAPA and other government departments are keen to see it passed.”
The source suggested that DAPA’s request for a dedicated security department was rejected because the agency is pursuing a project that will create a comfortable post-retirement workplace for civil servants, rather than the security department that is actually needed.
BY MICHAEL LEE, KIM SANG-JIN