Concerns rising over lax security management on national asset
By Jung Da-min
Defense technology is an important asset for a country as it is a gauge of the level of a nation's security, and can lead to high revenue through exports.
In Korea, however, such important technology and confidential information have been subject to lax security management, with a series of confidential information leaks found at the state-run arms development agency.
Last month, an audit by the Defense Acquisition Program Administration (DAPA) into its subsidiary, the Agency for Defense Development (ADD), discovered that two former senior researchers had found work abroad after copying a massive amount of data from computers at its research center onto portable USB storage devices.
One of them reportedly joined a research center affiliated with Khalifa University in the United Arab Emirates. He is believed to have taken with him key technology for South Korea's Low-Cost Guided Imaging Rocket (Bigung in Korean) designed to counter North Korean fast boat swarm attacks.
The audit was conducted over a month following suspicions of data theft. DAPA examined all the logs of portable storage device use by 1,079 retired and incumbent employees between January 2016 and April 2020.
Following the audit, DAPA requested a police investigation into the case, but this may not be easy as the two former researchers have already found work abroad.
In a separate case in April, DAPA requested a police investigation into another retired employee who is also suspected of having stolen confidential data from the ADD using portable storage devices. The suspect has been working at a local private university after leaving the ADD.
DAPA's own investigation confirmed three former researchers used portable storage devices over nearly 1 million times to open or transfer data files. But DAPA said that while it found there was theft, it has not yet confirmed what data was involved, and the police investigation will determine this.
Adding to concerns is that there are dozens more retired employees who are suspected of having copied confidential data onto portable storage devices without permission, although it has not been confirmed whether they offered the data to institutions or used it for other purposes.
Erroneous security system
The question is how such confidential data at the country's top arms development agency could be stolen by its members so easily, without detection, over the years.
The DAPA audit found the ADD has been operating without proper security systems, while its data has been poorly managed with old security software that should have been updated several years ago.
Saved information has been poorly managed as well ― about 62 percent of the 6,882 research computers at the ADD have been operated without a security program called Data Loss Prevention, which prevents information theft by limiting the use of unauthorized storage devices. About 35 percent of the computers were not even registered as ADD information assets, and there were 3,635 unauthorized storage devices used despite such portable devices only being allowed in exceptional cases according to the ADD regulations.
There were no security checkpoints at the gates of the ADD, nor security guards checking visitors. Anyone with a registered pass could come in and out without their photos being checked at the gates, and vehicle security screenings were not conducted.
The ADD is supposed to check security-related issues for its soon-to-retire employees, but hasn't conducted any checks for the past three years.
Poor customs and loose sense of security
DAPA has now vowed to upgrade its security system and strengthen screening at its entry points, as well as intensifying supervision of prospective retirees and researchers engaged in key defense technology work. It also said it is considering establishing a new regulation that requires former ADD researchers to apply for permission when seeking jobs overseas.
But despite such a pledge of system improvements and stronger punishment for security rule violators, the problem of defense technology theft is not a one-time matter but rather a chronic issue stemming from customary activity, according to Shin Jong-woo, a senior researcher at the Korea Defense and Security Forum.
"Such loopholes in managing confidential information at the ADD are not new, but rather have been tolerated in the name of customary practice. It has been usual for researchers in the field of arms development to personally carry such data for their reference and it has also been common for those who once worked at state-run research agencies to later join other research institutions at universities or private companies in the defense industry," Shin said.
However, he said the recent case of the former ADD researcher joining a research center with the UAE's Khalifa University is worrisome, as this means that the country's key technologies could be given to other countries. He said, despite such a lax sense of security, there had been no such technology "leakage" to other countries before this.
He said the matter of information theft could be prevented if strict regulations and procedures are put in place and adhered to.
Shin also pointed out the problem of current restrictions, which ban senior researchers at state-run arms development agencies from working at local defense firms after retirement ― a rule for ranking public officials designed to prevent corruption through ties with private organizations or companies whose work is related to public organizations. Shin said such a regulation could lead to retired senior researchers giving technology to foreign companies or research centers.
"Retired employees from state-run arms development agencies have nowhere to go," Shin said. "Overall, the matter of information theft is linked to this structural problem."