Major Issues of the National Cyber Security System in South Korea, and its Future Direction

( Young Do Kim ),( Jin Sung Kim ),( Kyung Ho Lee ) 한국국방연구원 2013 The Korean Journal of Defense Analysis Vol.25 No.4

The National Cyber Security System (NCSS) of South Korea came under criticism when North Korean cyber-terrorists attacked the office computers and servers of major South Korean broadcasting and financial companies on March 20, 2013.The NCSS had evolved up to that time by addressing problems that arose from incidents dating to the January 25, 2003 Internet crisis, the March 4, 2011 distributed denial of service (DDoS) crisis, and other events occurring between those attacks. The above 2013 cyber-terrorism incident magnified the limits of NCSS leadership, expertise, and collaborative systems, while revealing that past reforms were nothing more than stopgap measures. Cyber security is a problem that is no longer restricted to cyberspace. At the U.S.-China Summit of June 2013, U.S. President Obama and Chinese President Xi Jinping for the first time initiated discussions on cyber security, resulting in the summit centering on cyber safety. Additionally, the release of the "National Cyber Security Framework Manual" and the "Tallinn Manual" by the NATO Cooperative Cyber De fence Centre of Excellence (NATOCCD COE) produced widespread agreement among many countries that cyber security is core to preserving national security. It is important for South Korea to discard its stopgap measures, recognize that a centralized cyber security system is an integral aspect of national security, and develop a comprehensive cyber security plan.

A Cyber Security Enhancement Method for Non-direct CDAs

In Hyo Lee 한국방사성폐기물학회 2023 한국방사성폐기물학회 학술논문요약집 Vol.21 No.1

Nuclear Safety and Security Commission (NSSC) and KINAC review a Cyber Security Plan (CSP) by「ACT ON PHYSICAL PROTECTION AND RADIOLOGICAL EMERGENCY」. The CSP contains cyber security implementation plans for the licensee’s nuclear power plant, and it shall meet the requirements of KINAC/RS-015, a regulatory standard. The KINAC/RS-015 provides more detailed information on the legal requirements, so if licensees implement cyber security under the approved CSP, they can meet the law. To protect nuclear facilities from cyber-attacks, licensees should identify their essential digital assets, so-called “Critical Digital Assets” (CDAs). Then, they apply cyber security controls (countermeasures for cyber-attacks) on CDAs consisting of technical, operational, and management security controls. However, it is hard to apply cyber security controls on CDAs because of the large amounts of CDAs and security controls in contrast to the shortage of human resources. So, licensees in the USA developed a methodology to solve this problem and documented it by NEI 13-10, and US NRC endorsed this document. The main idea of this methodology is, by classifying CDAs according to their importance, applying small amounts of security controls on less important CDAs, so-called non-direct CDAs. In the case of non-direct CDAs, only basic cyber security controls are applied, that is, baseline cyber security controls. The baseline cyber security controls are a minimum set of cyber security controls; they consist of control a) from control g) a total of 7 controls. Although non-direct CDAs are less critical than other CDAs (direct CDAs), they are still essential to protect them from cyber-attacks. This paper aims to suggest a cyber security enhancement method for non-direct CDAs by analyzing the baseline cyber security controls. In this paper, baseline cyber security controls were analyzed respectively and relatively and then concluded how to apply small amounts of cyber security controls on non-direct CDAs rather than direct CDAs without scarifying cyber security.

연구논문 : 보안기관의 사이버 보안 활동 강화에 대한 법적 고찰

오일석 ( Il Seok Oh ) 한남대학교 과학기술법연구원 2014 과학기술법연구 Vol.20 No.3

과학기술의 발전이 의도하지 않았던 현대적 위험인 사이버 위험은 그 결과를 즉시 알 수 없는 경우가 대부분이고 원인규명도 명확하게 할 수 없는 경우가 대부분이다. 이러한 사이버 위험은 개인이나 특정 기관에 의해서 대응할 수 없기 때문에, 기술적 우위를 바탕으로 그 위험을 조정하고 통합할 수 있는 기관을 중심으로 국가차원의 대응 체계가 구축되어 운영되어야 한다. 각국의 보안기관들은 사이버 공간에서의 기술적 우위를 바탕으로 사이버 보안에 있어 핵심적인 역할을 수행하고 있다. 특히 각국의 보안기관들은 사이버 보안에 대한 국가적 정책이나 계획의 수립에 참여함은 물론 사이버 보안과 관련된 원천기술의 개발에 참여하거나 적극적으로 관여하고 있다. 나아가 암호기술에 기반하여 국가 암호체계를 수호함은 물론, 암호를 이용한 정보보호제품에 대해 직접 평가·인증을 담당하거나, 조달 절차를 통해 안전한 암호제품이 도입되도록 관여하고 있다. 또한 각국 보안기관들은 기술적 우위를 바탕으로 정부부처에 대하여 사이버 보안과 관련한 기술적 지원을 수행하고 있다. 나아가 이들 기관들은 국가의 핵심기능 유지와 관리를 위하여 정보통신기반보호와 관련된 국가적 과제의 실현을 위해서도 중요한 역할을 수행하고 있다. 이러한 각국 보안기관의 활동을 고려할 때, 우리 보안기관의 사이버 보안 활동을 강화할 필요가 있다. 우리의 경우 국가정보원이 중심이 되어 사이버 위험에 대한 대응을 국가안보 활동의 하나로 지속적으로 수행해 왔다. 특히 국가 및 공공부문에서 발생할 수 있는 사이버 위험에 대응하기 위해 기술적 우위를 바탕으로 관련 정책을 조정하고 운영해 왔다. 그러나 우리 보안기관의 과거의 잘못에 대한 고정된 관념에 기초하여, 국가 안보 문제인 사이버 위험 대응 활동에 대한 회의적인 시각이 많은 것도 사실이다. 그런데 국가정보원은 보안업무 조정 권한을 가지고 있는바, 사이버 위험과 관련된 안보 위기 상황에서 관련 정부부처 등에 대한 신속한 조정으로 보다 탄력적으로 사이버 위험에 대해 대응할 수 있다. 아울러, 보안기관의 사이버 보안 활동은 내부적 통제는 물론 외부 기관에 의한 합리적 통제의 가능성에 더욱 노출되는 결과 그 투명성과 신뢰성을 담보할 수도 있다. 그러므로 국가정보원으로 하여금 다른 국가의 보안기관들과 마찬가지로 사이버 보안 활동을 더욱 적극적으로 수행할 수 있도록 하여야 한다. 다만 국가정보원의 사이버 보안 활동에 대하여 국회의 보고와 승인 등의 민주적 통제절차를 더욱 강화함으로써, 사이버 보안 활동이 국민적지지 하에 중요한 국가적 과제로서 보안기관에 의하여 지속적으로 추진되도록 하여야 한다. Cyber risks, such as cyber attacks and electronic intrusions, shall have many features of modern risks. Modern risks, which include cyber risks and others arising from nuclear power, GMOs, and Chemical medicines, shall happen unexpectedly in diverse areas then they are rapidly and simultaneously distributed. It is very difficult to find out the causes and results of risks and to respond against the risks properly. These modern risks including cyber risks shall not only threaten individual lives but also sustainability of a state. Therefore a state shall design appropriate structures and national plans to react against cyber risks using Security Authorities`` advanced information and technologies and cumulated practices. Security Authorities in advanced countries, such as NSA of U.S.A, MI5 and GCSQ of the UK, BSI of Germany and CES of Canada, shall have great interests and play key roles in cyber security. They have established national cyber security plans, developed source security technologies and assess the information assurance equipments used in their state``s agencies and institutions. They have also put their best efforts in order to protect critical information infrastructures. As a Security Authority of Korea, National Intelligence Service(NIS), has also played a key roles in cyber security activities in Korea. Moreover, NIS has elaborated national cyber security plans, protected critical information infrastructures, assisted technical supports to other governmental ministries and agencies, developed security technologies, and compromising inter ministry and agency activities. However, due to the dismally experienced under the dictatorships in 1970s and 1980s, Koreans have been cold towards NIS`` cyber security activities even though they protect and support Koreans and Korean government against cyber risks. In responding cyber risks, compromised efforts of ministry and agency activities and effective and timely actions shall be the most important. As a Security Authority, NIS has developed advanced technologies and great hot channels with other agencies through its authority on negotiating interests between ministries and agencies on the security matters. Compared with cyber security activities operated by other ministries and agencies, NIS has strengthened competitiveness in cyber security activities with its advanced cyber security technologies, experimental practices and rapid decision making processes. Therefore NIS``s cyber security activities shall be advanced and depicted in laws and regulations. As a way of enhanced interests of NIS in cyber security activities, I have offered to amend the article 7 of the Act on Critical Information Infrastructure Protection to allow NIS to make a technical assistance. However, enhanced interests of NIS in cyber security activities would bring a big brother in cyber space of Korea, I have also suggested that National Assembly should control over the NIS with the rights in terms of monitoring and approving on the NIS`` cyber security activities. National Assembly‘s control over NIS shall guarantee transparency and trust on the NIS`` cyber security activities.

헌법과 사이버 안보

박인수 전남대학교 법학연구소 2018 법학논총 Vol.38 No.1

In the 4th industrial age, cyber attacks, terrorism or crime are physical attacks by intelligent and evolved robots, machines and objects, physical terrorism, physical crimes and even real wars, and the degree of destruction is no less than nuclear war. In any country, the Constitution does not have an explicit provision on Cyber-security, but the constitution can not be seen as consistently silent on Cyber-security. Because the value of the Constitution pursues Cyber-security is essential, and the institutional devices for implementing it are enriched within the constitution. Cyber-security is enriched in the constitutional values of the security of the nation and the people, the guarantee of human rights, the rule of law, and international pacifism. The security problem in cyberspace should be approached not as a separate logic from the security problem that arises in the physical space but as a logic supplementing the security problem in the physical space. The Constitution, which guarantees security in the physical space, includes several articles in the general principles of Chapter 1, in Chapter 2 (the rights and duties of the people), in Chapter 4 Section 1 (the President), as well as the special provisions in the current Constitution. As a guarantee by additional supplementation, it may be possible to consider establishing a Cyber-security provision through Constitutional amendment. However, even before the constitutional amendment, it should consider the way of positively guaranteeing Cyber-security through constitutional interpretation and constitutional trial. Although the constitutional guarantee of Cyber-security can be found by the actively supplementing method of the present Constitution, more concretely, the establishment of Cyber-Security Basic Law based on the constitutional value of Cyber-security is needed. At present, the National Cyber-security Act is not expected to be enacted in the near future, but the urgency of Cyber-security is growing. As a result, the government is not only focused on enacting the National Cyber-security Law, but on concrete alternatives to strengthen Cyber-security I think it should be sought seriously. Furthermore, Cyber-security is now becoming a vital area for cooperation and a technical tie-up on the international level as well as on the domestic level. 제4차 산업시대에서 사이버 공격이나 테러 또는 범죄는 지능화되고 진화된 로봇과기계 그리고 사물에 의한 현실 공격이 되며 현실 테러・현실 범죄 나아가 실제전쟁이되는 것이며, 그 파괴의 정도는 핵전쟁에 못지 않을 수 있는 것이라 하겠다. 어느 국가에서도 헌법에서 사이버 안보에 관한 명시적 규정을 두고 있지는 못하지만, 사이버 안보에 대하여 헌법이 침묵으로만 일관하고 있다고 볼 수는 없다. 왜냐하면헌법이 추구하는 바의 가치 속에는 사이버 안보가 필수적으로 자리잡고 있으며, 이를구현하기 위한 제도적 장치들이 헌법전 속에는 농축되어 있다고 보아야 할 것이다. 사이버 안보는 국가와 국민의 안전보장, 기본권 보장, 법치주의, 국제평화주의의 헌법적 가치 속에 농축되어 이를 구체화하는 내용이라 할 수 있다. 사이버 공간에서의 안보 문제는 현실 공간에서 발생하는 안보 문제와 별개의 논리로 접근할 것이 아니라 현실공간에서의 안보 문제를 추가적으로 보완하는 논리로 접근하여야 할 것으로 본다. 현실공간에서의 안보를 보장하고 있는 헌법 규정은 현행 헌법에서도 전문을 비롯하여 제1장 총강・제2장 국민의 권리와 의무・제4장 제1절 대통령에 관한 조항들을 들 수 있다. 추가적 보완에 의한 보장 방법으로는 개헌을 통하여 사이버 안보 규정을 신설하는것을 생각해 볼 수 있을 것이지만, 개헌 이전이라고 하더라도 헌법해석과 헌법재판을통하여 사이버 안보를 적극적으로 보장하는 방법을 고려하여야 할 것으로 본다. 현행 헌법의 적극적 보완 방법에 의해 사이버 안보에 대한 헌법적 보장의 근거를 찾을 수 있으나, 보다 구체적인 내용은 사이버 안보에 대한 헌법적 가치를 토대로 한 사이버안보기본법을 제정하는 것이라 할 수 있다. 현재로서는 국가사이버안보법안이 가까운 시일내에 제정될 것으로 보기 어려운데반해 사이버안보의 긴급성은 더욱 증대되고 있는 만큼 정부에서도 국가사이버안보법의제정에만 몰두할 것이 아니라, 사이버안보를 공고히 할 수 있는 구체적 대안에 대하여도 진지하게 모색하여야 할 것으로 본다. 나아가 사이버 안보는 이제 더 이상 국내적차원뿐만 아니라 국제적 차원에서의 협력과 공조도 필수적 영역이 되고 있다.

사이버 안보위협의 문제와 전략적 의미, 그리고 대응방안에 대한 연구

윤민우 국가안보전략연구원 2014 국가안보와 전략 Vol.14 No.4

The emergence of cyber space as another space caused various cyber security issues threatening individual and national security. The current article examines such cyber security issues including crime in micro-level through terrorism in meso-level up to war in macro-level and proposes their strategic meaning and responses. International society and many major states including the United States perceive cyber security threats as a grave danger to the 21st century global security. This could be the same true to the South Korea which faces the North Korea that is a critical security threat and possesses the capabilities of cyber crime, cyber terrorism, and cyber warfare. The state needs a comprehensive understanding on cyber security threats and a holistic approach in her response. Beyond just a technical and superficial approach, the state needs to ensure its security assurance capability in a new cyber space and strengthen its future security build-up with the respect of the adaptation of the future war environment. Thus, the current article (1) discusses the essential and strategic meaning of security that cyber space and cyber security threats raises; (2) understands the existential threats of today’s cyber issues and outlooks its developmental trends; (3) examines the cyber security threats, readiness, and developmental trends of important actors including the North Korea and non-state entities; (4) overviews other major states’ cyber security policy responses including the U. S. case; and (5) proposes a strategic perspectives and measures for the meaningful response of cyber security threats with the perspectives of a comprehensive remodeling of the national security framework in the preparation of the future war environment. 또 다른 하나의 공간으로서 사이버 공간의 등장은 국가와 개인의 안보를 심각하게 위협할 수 있는 사이버 안보위협의 문제를 만들어 냈다. 국제사회와 미국 등 세계의 주요 국가들은 사이버 안보위협을 21세기 글로벌 안보의 매우 주요한 이슈로 받아들이고 있다. 특히 주요 테러 지원 국가이며 사이버 전쟁 및 테러, 범죄 능력을 갖추고 있는 안보 위협 세력인 북한과 대치하고 있는 우리에게 있어서 사이버 안보위협은 현실적으로 매우 중요한 문제이며 이에 대한 대응방안 수립역시 중요한 과제이다. 사이버 위협에 대응하여 국가안보의 궁극적인 주체인 국가는 위협에 대한 통찰력 있는 이해와 혁신적, 전략적, 전일적 대응을 필요로 한다. 사이버 안보위협에 대한 기술적이고 단편적인 접근을 넘어서서 전반적인 새로운 공간에서의 공권력 확보와 미래전장환경에의 적응과 대비를 통한 미래안보역량 강화라는 거시적 전략적 틀에서 위협에 대응해나가야 한다. 따라서 이 연구는 (1) 사이버 공간과 사이버 안보위협이 가지는 안보와 관련된 본질적이고 전략적인 의미를 논의하고; (2) 오늘날 사이버 안보위협의 실존적인 위협에 대해 이해하고 미래의 사이버 안보문제의 발전추이를 전망하며; (3) 북한을 포함한 한반도의 주변의 주요한 사이버 안보위협 세력의 실태와 현황, 그리고 추이에 대해 살펴보고; (4) 미국 등 해외 주요 국가의 대응 사례를 중심으로 다른 나라의 사이버 안보위협 대응방안의 추이를 정리하며; 그리고 (5) 미래전장환경에 대비한 전반적인 국가와 군의 안보전략의 혁신과 개혁이라는 관점에서 사이버 안보위협에 대응한 효과적인 전략시각과 모델, 그리고 방안을 제시함으로써 국가안보의 강화에 기여하고자 하는 목적이 있다.

Securing the National Security and Re- inforcing the Cyber Crisis Management System in Asia

Jae Eun Lee 위기관리 이론과 실천 2008 Crisisonomy Vol.4 No.1

The purpose of this study is to reinforce the cooperative cyber crisis management system for securing the national security against the cyber attack and cyber-terrorism in Asia. For accomplishing the research purpose, this paper begins with the con- ceptual frameworks of comprehensive security and cyber security crisis for suggesting the future direc- tions to reinforce the cyber crisis management system. For improving the cyber security from various cyber crises, it is necessary that international cooperative system have to be established. In this paper, the organizational approach, communication and decision- making approach, planning approach, and mechanisms for operational coordination have been emphasized to suggest the future directions and the policy impli- cations for building up the international cooperative systems of cyber security crisis management. The suggested future directions for cyber security crisis management in Asia are as follows: organizing for the coordination and cooperation, statutory authority, communication channels, function- and program- centered decision-making mechanism, preparing first responders, working with private owners of critical infrastructures.

사이버안보 법제의 입법 동향과 향후 과제 - 개정「국가정보원법」에 따른 법제변화를 중심으로 -

김도승 충북대학교 법학연구소 2021 과학기술과 법 Vol.12 No.1

Since the late 2000s, as the importance of political, social, and cultural activities in cyberspace has been emphasized, interest in cyberspace safety and security has expanded. Therefore, in order to take systematic and prompt action in case of an accident while preparing measures against the threat, the role of intelligence agency is important. Cyberattacks taking place in cyberspace are technical and information security issues that need to be addressed at the individual or organizational level, and it is a problem that requires an immediate and comprehensive response at the national level, and the need for international cooperation is growing. Korea, a divided country, has a strong dependence on ICT and a high vulnerability to cyber safety, but it is criticized that the legal system in the field of cyber security to prepare for this is still insufficient. In this situation, it was pointed out that it is difficult to respond systematically and efficiently in the event of a cybersecurity crisis, and the legal basis for performing the mission is insufficient. Various types of cyber security related bills have been submitted according to the need to enact the Cyber Security Act, but they have not been enacted due to opposition from the opposition parties and civil society for privacy violations. While sympathizing with the importance of cybersecurity and the need for related laws, the lack of trust in the National Intelligence Service, which will obtain authority through the law, is acting as a stumbling block to the establishment of the legal system. It should be remembered that there cannot be a distinction between the public and private sectors in national security and that protection of all constitutional institutions, including the executive branch as well as the legislative and judicial branches, is important. Currently, there is no cybersecurity-related law that regulates both the public and private sectors and encompasses all other constitutional institutions such as the judiciary and legislative branch. In the meantime, the recent revision of「NATIONAL INTELLIGENCE SERVICE KOREA ACT」as an opportunity to clearly stipulate the cyber security mission of the National Intelligence Service and to enact the first presidential decree-related cyber security-related norms is an encouraging change. Therefore, this paper analyzes the recently reorganized Legislative Trends and Future Tasks for Cybersecurity Legislation- Focusing on changes in legislation according to the amended「National Intelligence Service Act」, 「Cyber Security Work Regulations」 and「Cyber Security Act Bill」 from the perspective of establishing an effective response system for cyber security, and analyzes the problems of current regulations and future cyber security A legal task was proposed to strengthen the legal system.

코로나19 관련 사이버 공격 및 대응현황 분석

이용필(Yongpil Lee),이동근(Dong-Geun Lee) 한국IT서비스학회 2021 한국IT서비스학회지 Vol.20 No.5

Since the global spread of COVID-19, social distancing and untact service implementation have spread rapidly. With the transition to a non-face-to-face environment such as telework and remote classes, cyber security threats have increased, and a lot of cyber compromises have also occurred. In this study, cyber-attacks and response cases related to COVID-19 are summarized in four aspects: cyber fraud, cyber-attacks on companies related to COVID-19 and healthcare sector, cyber-attacks on untact services such as telework, and preparation of untact services security for post-covid 19. After the outbreak of the COVID-19 pandemic, related events such as vaccination information and payment of national disaster aid continued to be used as bait for smishing and phishing. In the aspect of cyber-attacks on companies related to COVID-19 and healthcare sector, we can see that the damage was rapidly increasing as state-supported hackers attack those companies to obtain research results related to the COVID-19, and hackers chose medical institutions as targets with an efficient ransomware attack approach by changing spray and pray strategy to big-game hunting . Companies using untact services such as telework are experiencing cyber breaches due to insufficient security settings, non-installation of security patches, and vulnerabilities in systems constituting untact services such as VPN. In response to these cyber incidents, as a case of cyber fraud countermeasures, security notices to preventing cyber fraud damage to the public was announced, and security guidelines and ransomware countermeasures were provided to organizations related to COVID-19 and medical institutions. In addition, for companies that use and provide untact services, security vulnerability finding and system development environment security inspection service were provided by Government funding programs. We also looked at the differences in the role of the government and the target of security notices between domestic and overseas response cases. Lastly, considering the development of untact services by industry in preparation for post-COVID-19, supply chain security, cloud security, development security, and IoT security were suggested as common security reinforcement measures.

The Strategy to Secure Cyber Security in the Age of Cyber Crisis

Gi Geun Yang 위기관리 이론과 실천 2008 Crisisonomy Vol.4 No.2

In this paper I seek to strategies to secure cyber security. First of all, In this paper I explore overview of strategies to secure cyber security in the U.S.. and in South Korea. The purpose of this article is to describe an ongoing cyber security policies that explores the analysis between U.S and Korea cyber security national preparedness. To achieve purpose of research, First, we examines the strategy of Cyber Security Research and Development Policies in the U.S. and then, this study makes several suggestions to improve cyber security in Korea.

사이버안보 강화를 위한 전문인력 양성교육 방안 법제 연구 - 「사이버안보법」 제정을 중심으로 -

조영희,김훈희 국민대학교 법학연구소 2023 법학논총 Vol.36 No.1

Recently, cyber security is recognized as the fifth space after land, sea, air, and space, and is recognized as very important in terms of national security. Major foreign countries recognize the acquisition of cyber experts as an important task for cyber security, and are establishing and operating comprehensive national policies. China is concentrating on recruiting talent by building cyber education and infrastructure through active national financial investment to foster hackers. The United States is trying to secure professional manpower early by operating a cyber talent development program through the National Security Agency (NSA)'s 'NICE' program targeting teenagers from the 6th grade of elementary school to the 3rd grade of high school. North Korea is also training operatives to carry out cyber information warfare through intensive education from elementary school under the leadership of the state. Compared to the demand for manpower, Korea's cyber expert training is focused on cyber professional training at higher educational institutions, higher than universities. It is difficult to secure talented people early. In addition, it is expected that in the future, it will be more difficult to secure human resources due to the decrease in the school age population. To this end, it is necessary to focus nationally on acquiring cyber experts through the enactment of the 「Cyber ​​Security Act」. Currently, the 「National Cyber ​​Security Management Regulations」 and the 「Cyber ​​Security Business Regulations」, which are cyber security laws, have many limitations. The 「National Cyber ​​Security Management Regulations」 cannot regulate the private sector as a presidential order. It is difficult to come up with measures to secure practical cyber experts because only job competency improvement training for incumbents in the 「Cyber ​​Security Business Regulations」 is reflected. Therefore, the enactment of the 「Cyber ​​Security Act」 needs to be enacted as a basic law of cyber security in order to secure comprehensive and systematic cyber experts. In addition, specialized cyber education programs are operated at science high schools and gifted schools, which are secondary educational institutions, while cyber professional education is currently concentrated in higher education institutions above universities. It is necessary to establish a policy that can eventually foster advanced cyber manpower through an education system that is connected to higher education institutions (universities and graduate schools) in the future. 최근의 사이버안보는 육ㆍ해ㆍ공ㆍ우주에 이어 제5의 공간으로 인식되며, 국가안보 차원에서도 매우 중요하게 인식되고 있다. 해외 주요 국가는 사이버 전문인력 획득을 사이버안보의 중요 과제로 인식하여 국가적으로 종합적인 정책을 수립하여 운영하고 있다. 중국은 해커 양성을 위해 국가적으로 적극적인 재원 투자를 통해 사이버 교육 및 기반시설을 구축하고 인재 선발에 집중하고 있으며, 미국은 우리의 초등학교 6학년에서부터 고등학교 3학년 시기 청소년을 대상으로 국가안보국(NSA)의 ‘NICE’ 프로그램을 통해 사이버 인재 육성 프로그램을 운영하여 조기에 전문인력 확보에 노력하고 있다. 북한도 국가 주도로 소학교부터 집중교육을 통해 사이버정보전 수행을 위한 공작원을 양성하고 있다. 우리나라의 사이버 전문인력 양성교육은 인력 수요에 비해 대학교 이상 고등교육기관의 사이버 전문교육에 집중되어 있어, 우수인재 조기 확보가 어렵다. 게다가 앞으로 학령인구의 감소에 따라 인재 확보에 더욱 어려움을 겪을 것으로 전망된다. 이를 위해 「사이버안보법」 제정으로 사이버 전문인력 획득 역량을 국가적으로 집중해야 한다. 현재 사이버안보 법제인 「국가사이버안전관리규정」과 「사이버안보업무규정」은 제한사항이 많다. 「국가사이버안전관리규정」은 대통령훈령으로 민간 부문을 규율할 수 없고, 「사이버안보업무규정」 재직자 대상 직무역량 향상 교육만은 반영하고 있어 실질적인 사이버 전문인력 확보를 위한 대책 마련에는 어려움이 있다. 그래서 「사이버안보법」 제정은 종합적이고 체계적인 사이버 전문인력 확보를 위해서라도 사이버안보의 기본법으로 제정될 필요가 있다. 또한 현재 대학교 이상의 고등교육기관에서 사이버 전문교육이 집중되어 있는 것을 중등교육기관인 과학고등학교 및 영재학교에서 전문교육 프로그램을 운영하고, 차후 고등교육기관(대학교ㆍ대학원)으로 연결되는 교육 시스템을 통해 최종적으로는 사이버 고급 인력을 육성할 수 있는 정책 수립이 필요하다.