위험분배의 관점에 기초한 정보통신기반보호법 개선 방안

Risks shall be allocated to a person, an institute or an organization which would have a power to control them. Cyber risks including cyber attacks, cyber threats and cyber crimes shall not be assigned to a person, institute an institute or an organization because cyber space shall not be controled. Cyber security, responding and making measures standards and policies against cyber risks, shall be regarded as public good and under market failures. A person, an institute or an organization will not be willing to take actions against cyber risks. Therefore, cyber risks shall be allocated to a state. In Korea, to protect critical information infrastructures from cyber risks, “Critical Information Infrastructure Protection Act” has been enacted since 2002. According to the Act, cyber risks on critical information infrastructures shall be allocated to the Management Agencies, some of which are from public parts but others are form private sectors. However, cyber risks shall be distributed to a state, under the principle of the risk allocation. In considering the principle, the Act shall describe duties of a state in order to support the Management Agencies especially from the private parts. Article 25 of the Act depicts that a state shall support the Management Agencies by providing equipments, technical assistance and other supports to protect critical information infrastructures. This article shall not illustrate any detailed procedures and programs. Therefore, the Management Agencies shall not have any actions or claims against a state to enforce the duties. In this paper, I recommend amending the title of this article to “financial support to the Management Agencies” and insert clauses with which state shall provide “government subsidies” and “loans” directly to the Agencies. Furthermore, I recommend establishing Mutual Benefit Association of the Agencies to support each other. The Management Agencies have a right to require ‘technical assistance’ to authorities of a state, such as ‘Ministry of Science, ICT and Future Planning’, ‘National Intelligence Service(NIS)’ and other institutions, when they suffer from cyber risks and prepare to establish Responding Plan or taken ‘vulnerability analysis and assessment’ according to the article 7 of the Act. However, the NIS, the best expert technical authority on cyber security in Korean government, shall be excluded on technical assistance when a required Management Agency has a critical information infrastructure including personal information. It is because all of the Management Agencies’ critical information infrastructures contain personal information, NIS shall not aid ‘technical assistance’ even if it has a technical priority on this field. Therefore, I advocate to amend the article 7, allowing NIS to make technical assistance. Additionally, I recommend a new clause to the article 7-2 which mandates a duty for NIS to maintain and protect personal information comprised in the critical information infrastructures. Under the article 7-2, I recommend describing other clauses that National Assembly shall control the technical assistance activities made by NIS, to depend personal information.