NIS being criticized for double-acting on cybersecurity

Posted on : 2015-07-23 17:27 KST Modified on : 2019-10-19 20:29 KST
Intelligence agency provides certification on network equipment, while also purchasing hacking services
 calling for an investigation into the agency’s recent hacking

The National Intelligence Service (NIS) is responsible for assessing the safety and security conformance of the network equipment and software that South Korean companies supply to government agencies or export abroad. The fact that an agency with those responsibilities asked a foreign company to hack such software has critics arguing that the fox was put in charge of the chicken coop.

Under current law, the NIS is authorized to certify security products made by South Korean companies against the Common Criteria international standard. Domestic security firms must receive this certification before they can supply software to government agencies or export it to other countries. In the process, the NIS can access the source code of the programs in question, which is in effect their blueprints.

Despite this, on Feb. 3 the NIS sent Italian security company Hacking Team the source code of AhnLab’s V3, the most widely used anti-virus program in South Korea, noting that the program was detecting Hacking Team’s Remote Control System (RCS) surveillance software and asking the company to look into it. In effect, the NIS was asking Hacking Team to find a way past V3’s defenses.

Certification of security software was the sole responsibility of the NIS’s National Cyber Security Center until Oct. 2014. While certification is now the responsibility of the Ministry of Science, ICT and Future Planning, the NIS is still in charge of assessing security conformance and encryption modules.

“Because of the certification work, the NIS is in a position to assess the vulnerabilities in all of the security programs in South Korea. In the case of the certification system for domestic security programs, it looks rather like the fox was put in charge of the chicken coop,” said Park Ju-min, a lawyer.

Some analysts think the reason that domestic security companies and security experts are not making an issue of the NIS essentially interfering in those companies’ business is the unparalleled influence the agency wields in the area of security. Since the NIS controls funding and personnel networks and even has influence over the community of security experts, a sort of “cybersecurity mafia” has come into being around the agency.

In fact, the response of security experts to the NIS’s purchase of the hacking program has been unusual. Despite the security crisis that ensued after the leak of internal documents from Hacking Team - including “zero-day” exploits for vulnerabilities that were still unknown to the affected vendors, along with a variety of other hacking techniques - domestic security firms and experts have had little to say.

This is notably different from what happened in every previous security crisis - such as the distributed denial-of-service (DDoS) attack of July 7, 2009, the collapse of Nonghyup Bank’s computer system in 2011, and the cyber terror attack of Mar. 20, 2013 - when AhnLab, Hauri, and other domestic security firms took the lead in explaining the situation and preparing a response.

“The National Intelligence Service exerts immense influence in the cybersecurity industry. The agency handles the assessment of security conformance for security solutions. If it decides that there is a problem with a given company’s technology, that company can no longer supply products to government organizations and may have to close,” said an executive in the security industry with 20 years of experience who preferred to remain anonymous.

“Concern about the National Intelligence Service is making it impossible for any security company to talk about the Hacking Team scandal. If a company’s relationship with the agency deteriorates, there’s no telling how this would affect not only its relationship with the government but also its sales to government organizations and even companies in the private sector,” said an executive at a different security company.

The system also makes it difficult for experts who are working at institutes or universities to publicly criticize the National Intelligence Service.

“The National Intelligence Service is the biggest client for professors. While the projects that are assigned by most government agencies are around 50 million won (US$43,180), projects from the agency are worth hundreds of millions of won. Furthermore, because of security agreements, these are not released to the public or even reported to the school. From the perspective of professors, maintaining a positive relationship with the agency is necessary for them to continue to receive these projects,” one security expert said.

The Center for Information Security Technologies (CIST) at Korea University, which was actively promoted during the administration of former president Lee Myung-bak, is regarded as the birthplace of the “security mafia.”

“As graduates from the Center for Information Security Technologies have been hired as cyber security supervisors not only at leading companies but also at the National Intelligence Service, the police, the prosecutors, and the military, they have taken over the domestic security industry,” another security expert said.

Lee Jong-in, special aide for security at the Blue House, is a former director of CIST.

In interviews with the press, a large number of experts currently working at CIST have backed the NIS’s claims, arguing that RCS was a test program and that raising questions about it is not in the national interest.


By Lim Ji-seon and Heo Seung, staff reporters


Please direct questions or comments to [english@hani.co.kr]
