South Korea’s 56 hours of paralysis is a cyber resilience cautionary tale

Last November, South Korea’s (ROK) digital government network suffered an outage of unprecedented scale, when a “glitch in the network” caused a service disruption in the Saeol Administrative System – a computer network exclusively for civil servants – that reverberated across the government for nearly two days.

Later the same day, the Government24 portal – which provides citizens with information on thousands of government services – also broke down, followed a week later by an outage of one of the country’s mobile ID services.

By the time the network system was fully restored after “56 hours of paralysis”, it did so with 240,000 citizen complaints.

Criticism of the government was scathing, with an opposition party spokesperson asking, “Since when did the world-class level digital government become inferior to a corner shop?”

There were calls for the interior minister Lee Sang Min, who has ultimate oversight over South Korea’s digital government, to step down. Comparisons were made to the resignation of Kakao Corp’s CEO Whon Namkoong, who stepped down after heavy government criticism following a widespread outage of Korea’s most popular social media service.

Sub-par for an ‘Asian Tiger’

This is, of course, far from par for the course for South Korea, one of the four “Asian Tigers” - the others being Singapore, Hong Kong and Taiwan - that saw rapid economic growth between the 1960s and the 1990s.

Since former president Roh Moo-Hyun introduced a roadmap for administrative reform and e-government, the country has evolved into a world leader in the space, ranking third for the seventh consecutive edition of the United Nation’s e-government survey in 2022.

It is a founding member of international fora such as Digital Nations, and signed a Memorandum of Understanding with the United Kingdom to share best practices on the opportunities of emerging technologies such as AI on the very same week as the outage.

The shutdowns, and the criticism surrounding them, are a setback for South Korea’s digital reputation. But with the country’s transition to a “Digital Platform Government” - an attempt to break down silos between ministries to create integrated and pre-emptive digital services - well underway, it need not be permanently damaging.

Instead, this episode offers valuable lessons to both South Korea’s Interior Ministry and other governments around the world. After all, if it can happen to a world leader, it can happen to anyone.

Building system monitoring into digital government

The ROK has a rigorous approach to cybersecurity, a priority since the early 1980s, with a national cybersecurity strategy continuously in place since 2009. In 2019, the publication of a new National Cybersecurity Strategy led to redoubled efforts to strengthen digital infrastructure, including safeguards relating to 5G networks and anti-drone messages.

But despite these measures taken against external threats, the Saeol system was ultimately brought down by a flaw in its own internal systems.

For a user to log into the Saeol system, they must first be authenticated using a digital signature. In the aftermath of the outages, the government found that the original problem was caused by a failure of the "L4 switch" responsible for exchanging information in part of the authentication system.

The slow discovery of this failure was heavily criticised. In an interview in the weeks after the outages, Seoul Women’s University professor Kim Myuhng-joo told the Korea Herald that “it shouldn’t take four days to replace the L4 switch with a new switch”.

A later article will cover challenges around communications and rapid response protocols, but such a challenge is also exacerbated by lax monitoring of digital systems for vulnerabilities.

After the service disruption, the ROK’s Interior Ministry promise preliminary checkups on old equipment – as well as improving its manual on service errors – but on this occasion it was too little too late. Pre-emptive foresight of any L4 vulnerabilities could have avoided any challenges from arising, or at least helped to identify the problem faster when it did occur.

To this end, South Korea is a study in contrast to nearby Singapore, as covered by GovInsider last year. There, Singapore’s Cyber Security Group combines offensive and defensive cybersecurity capabilities in multidisciplinary “purple teams”, combining “blue-teaming” employees that detect and respond against cyber threats with “red-teaming” employees who uncover vulnerabilities in government digital infrastructure.

These internal capabilities are further complemented by a set of crowdsourcing vulnerability disclosure programmes that invite the public to find and report weaknesses in government systems, which are in turn benchmarked against global technology firms such as Google and Microsoft.

If proactive system scanning might identify vulnerabilities, backup systems or controlled testing environments can help limit their potential impact when they arise.

When asked about the presence of backup equipment to avoid the Saeol malfunction, the head of ROK’s Digital Government Office Seo Bo-Ram explained how “on the day of the accident, the two identical, duplicated equipment continued to cause problems sequentially, which ultimately resulted in failure”.

Clearly, nor were updates or changes to the system adequately tested, creating greater susceptibility to shutdowns than comparable sites like Gov.UK, where updates are subject to multi-stage UI tests, health checks, and cross-platform smoke tests.

A culture of cyber conscientiousness

For proactive scanning to have an impact, it must be combined with a conscious focus on system security across government. Earlier this year, South Korea’s National Information Resources Service produced a manual detailing service standards, as well as protocols for service improvement, monitoring and overload response.

However, despite the manual specifying that updates to services should be made on weekends when the servers were less busy, the update which triggered the malfunction was implemented on a weekday.

The challenge here is in creating a whole-of-government accountability system for cybersecurity, through both training and due process. Returning to Singapore, GovTech Singapore’s training arm Digital Academy has modules designed to inspire risk assessment and incident response, as well as the likes of product management and design thinking.

And while chief information security officers are ultimately responsible for strengthening the resilience of their departments, there is also a centralised Government IT Security Incident Response unit that proactively publishes alerts and directives on vulnerabilities and threats across government.

As the saying goes, South Korea should ensure that “a good crisis does not go to waste”. Updating manuals and testing old infrastructure is a start, but should form the basis of wider efforts at monitoring and resilience, serving as a reminder that cybersecurity is more than a box-checking exercise.

Also read: South Koreans were told to ‘simply wait’ – a lesson in digital government incidence response