[Image: The National Intelligence Service (NIS). / Yonhap News]
As cyber threats from international hacking rings intensify against private corporations as well as government agencies, discussions on expanding the authority of the National Intelligence Service (NIS) are expected to begin in earnest. Recently, a legal foundation was established to broaden the scope of the NIS's intelligence collection and extend its cyber attack response capabilities to cases where attacks on the private sector are merely "suspected." This defines activities by state-sponsored or international hacking groups as "national security issues" from the early stages of detection, even before a cyberattack on the private sector is definitively confirmed. However, as the intelligence agency's investigative reach extends into the private sector, balancing "corporate surveillance" against "effective response" is anticipated to be a key challenge.
On May 7, the National Assembly Intelligence Committee passed an amendment to the National Intelligence Service Act. The amendment integrates "economic security" into the NIS's scope of duties and expands its cyber security mandate to include cases "suspected to be activities of international or state-sponsored hacking organizations based on hacking methods or damage patterns." This amendment is expected to serve as the legal basis for implementing the "Pan-Government Comprehensive Information Protection Measures" announced by the government in October last year and January this year. Jointly announced by relevant ministries including the Ministry of Science and ICT, the National Security Office, and the NIS, the core of the measures allows entities like the National Cyber Security Center under the NIS to monitor the potential for private-sector data leaks and conduct ex-officio investigations. Previously, the NIS could not intervene if the target was a private entity during the stage where a state-sponsored or international hacking ring was merely "suspected." However, the new measures and amendment aim to enhance integrated public-private response capabilities.
This shift stems from the reality that the private sector faces limits in preemptive defense. Last year, private companies reported 319 cases of personal data leaks to the Personal Information Protection Commission (PIPC), a 57% increase from the previous year (203 cases). Cyber hacking incidents targeting corporations tripled over three years, surging from 640 cases in 2021 to 1,887 cases in 2024. Crucially, most of these incidents occurred in sectors directly linked to economic security and national supply chains, such as information technology, manufacturing, and construction. However, these figures are highly likely just the tip of the iceberg. According to an analysis by security firm SK Shieldus spanning five years from 2021 to last year, it took domestic small and medium-sized enterprises an average of 106.1 days—and up to 700 days—from a hacker's initial penetration to actual detection. This implies that a substantial number of attacks go entirely unnoticed, outside of reported statistics. In response, the PIPC announced the "Transition Plan for a Prevention-Centered Personal Information Management System" on May 12, allowing the government to preemptively inspect the private sector and impose punitive fines of up to 10% of total revenue for data protection violations. The objective is to shift toward proactive measures by incentivizing corporate security investments.
Nevertheless, because these measures alone make it difficult to fundamentally detect and counter attacks by state-sponsored or international hacking groups in advance, leveraging the NIS's overseas intelligence capabilities is increasingly emphasized. Consequently, the authoritative interpretation of the NIS's intelligence-gathering and investigative powers, along with democratic oversight, will become crucial. Kim Hyun-joong, a research fellow at the Institute for National Security Strategy, noted in his report "The Amendment to the NIS Act and the Transformation of the National Intelligence System in the Era of Economic Security" that "given recent international dynamics, it is desirable to transform from a traditionally defense- and counterintelligence-oriented agency into an 'economic security-oriented intelligence agency.'" However, he underscored that "legal clarity regarding its role and scope of activity, oversight by elected officials, and the establishment of a public-private cooperative framework must be secured."
A source familiar with internal NIS affairs explained, "Previously, even if an attack was suspected to be the work of a state-sponsored or international hacking group, the NIS was excluded from the investigation unless it was definitively proven." The source added, "This does not mean intervening in the private sector; rather, it should be interpreted as granting legitimate investigative authority over the movements of external attacking forces."