South Koreans were told to ‘simply wait’ – a lesson in digital government incidence response

In the aftermath of a “glitch of the network” that left South Korea’s digital government services paralysed for 56 hours last November, leading to some 240,000 citizen complaints, the country’s opposition party took aim at the government, who they say reduced the country’s “world-class digital government” to the level of “a corner shop”.

But in their statement was a criticism of the government’s speed of response: “while the systems were paralysed”, they said, “the government told South Koreans to simply wait”.

In a previous article, GovInsider examined how greater proactivity in cyber security and resilience – as demonstrated by the likes of Singapore – could have helped prevent the error in the first place.

But the malfunction of the Saeol civil service portal and the Government24 platform is equally a lesson in digital government incident response. In spite of any organisation’s best interests, technology is not always reliable, and being able to deal with a crisis is just as important as preventing one.

Eight days between incident and public response

There were eight days between the South Korean government first reporting the challenges with its digital government platform and then providing the public with a comprehensive answer as to what caused the problem. During that time, Korean news was rife with rumours.

One source told the Korea Herald that “it’s hard to believe that it could take so long to recover from a network malfunction”, while Yonhap News Agency reported that “there was even talk that it might be an external act, such as hacking”.

Certainly, there is a lesson for policymakers here around clear and consistent communication with the public throughout a crisis, communicating what you know as soon as you know it.

Consider Estonia, where 99% of state services are digital and 70% of the country uses digital ID cards to interact with the government. In 2017, the hardware behind the ID cards was found to be vulnerable to attacks, theoretically leaving the identity of 750,000 Estonian citizens vulnerable to theft.

Then-Prime Minister Juri Ratas immediately called a special press conference to inform the public of the threat, and to lay out a roadmap for closing the security loophole. When the government made the drastic decision to block the certificates of all ID cards at risk two months later – any cards issued after October 2014 could be used only for identification and travel – the Estonian public had already been fully briefed with the surrounding context.

Also important in Estonia’s response to the 2017 crisis was the use of multiple channels to communicate with the public. As well as streaming the press conference on television, Ratas' speech was broadcast across social media, and guides for updating digital IDs were circulated via email.

In the event that all digital government services are taken offline, as in the case of Korea, capacity for an omnichannel approach becomes all the more important. As the Korea Herald reported, “central and municipal government operations had to rely on pre-digitalisation paperwork processes for a full day” after the systems went down.

The UK government’s Government Digital Service (GDS) regularly talks about being “digital by default” in its service delivery, an approach which maintains digital services alongside analogue versions for those who need them. Civil servants are trained to facilitate both digital and analogue interactions with citizens, ensuring that those who are without access or ability to use digital platforms are not left behind.

Such an approach has also proved fruitful in countries like Slovenia, Thailand and Bangladesh, where variations of “government counters” provide physical premises for government-citizen interactions. Elderly citizens and those in rural areas are able to go in person to be supported in their digital transactions, providing an alternative option in case of outages.

Building a digital government incident response plan

Rapid communication and omnichannel backups might both form part of a strong broader incident response plan. In a telling anecdote, the Korea Herald noted that while “the computer system went down even before government employees began to work on Friday” during November’s cyber incident, it was not until “close to the end of the workday when the ministry admitted the problem and notified the public by text message”.

The reason for this, according to officials, was that they “only send messages during disasters”.

The Korea Times was sceptical, writing that “the government’s computer system outage constitutes a disaster in this tightly-wired era”. The solution here, at least in part, is clearly defining and transparently publishing a transparent incident response plan in the mould of Australia, New Zealand or the UK.

Clear definitions around what constitutes an emergency, incident management processes, clear responsibilities and guidance around escalation – as set out by the UK’s Local Government Authority – can enable rapid response in times of crisis, and avoid accusations of “foot-dragging”.

It can also ensure that surge capacity is on hand when needed. The UK government’s Cabinet Office – within which sits its principal digital government bodies GDS and CDDO – signed a deal with defence prime BAE systems and professional services firm Deloitte in 2022 for on-demand cybersecurity response in the event of a “cyber incidents”.

A similar strategy from Korea could form part of a wider cyber incident response plan, ensuring that future challenges are proactively anticipated.

Cyber secure preparation and strong incident response protocols are two sides of the same coin. It is tempting when thinking about digital government to focus on shining examples of artificial intelligence and cloud computing.

But South Korea’s crisis is a reminder of the human, cultural and technical demands of cybersecurity, which will only become more important in a “tightly-wired era”.

Also read: South Korea’s 56 hours of paralysis is a cyber resilience cautionary tale