South Korea to take stab at bot law

Country preparing draft legislation to empower ISPs to take compromised end-user PCs offline, with government likely to pass law by year-end, according to academic.
Written by Vivian Yeo, Contributor

SINGAPORE--The South Korean government is preparing draft legislation that would, among other provisions, accord ISPs (Internet service providers) and appointed government agencies the necessary powers to prevent compromised computers from accessing the Internet, according to an academic from the country.

Having initiated consultation with the private sector since July 2009, the South Korean administration is now set to commence public consultation on the proposed zombie PC prevention law next month, Heung Youl Youm, professor in Soonchunhyang University's Department of Information Security Engineering, said Tuesday. He was speaking on the sidelines of the Regional Collaboration in Cyber Security Conference held here this week, organized by the National University of Singapore's Institute of Systems Science and the U.S. National Defense University iCollege.

Zombie PCs, or bots, are malware-infected systems that can be remotely controlled by cybercriminals. These machines are typically hijacked systems of unsuspecting users and are used as part of a botnet to launch spam, identity theft or denial-of-service (DoS) attacks.

Heung, who is part of a committee established by the Korea Internet & Security Agency (KISA) to look into the legislation, added that the law could be enacted by year-end.

The main purpose of the legislation, he explained, is to grant ISPs and government agencies such as the Korea Communications Commission the "right to shut down communications from infected computers" in an "emergency state". The committee is looking at four different levels of emergency states, or warning levels, but these have yet to be finalized, he told ZDNet Asia.

According to the professor, the legislation will likely cover only systems operated by individual users as Korean companies typically have adequate security measures in place to prevent bot infections.

If the law is enacted, South Korea could become the first country in the world to pass such legislation. Australia last month launched a code of practice that will kick in come December, allowing ISPs to quarantine user PCs that have been infected with malware. However, ISPs in the country have the option not to adopt the practice since the code will be implemented on a voluntary basis.

Security experts and industry observers have in recent months been calling for greater intervention from ISPs as well as mandatory regulations to keep networks healthy. Without formal legal instruments in place, ISPs have to rely on their own resources to handle infected systems on their networks.

South Korea's impetus to introduce legislation for combating zombie machines follows a massive distributed denial-of-service (DDoS) attack against the country last July. In what were dubbed the 7.7 DDoS attacks, government and commercial sites were systematically targeted and suffered long periods of downtime over a span of three days starting Jul. 7, 2009.

Public and private sector sites in the United States were also affected during the first wave of attacks, said Heung.

Privacy, budget concerns
While the proposed law will play an "important role" in preventing DDoS attacks, there are some issues that officials in South Korea have to first address.

For example, Heung cited the end-user's right to access the Internet as a hot area of debate around the legislation. If implemented, the legislation could strip users of such rights, he said.

Hwang Sung-Hwan, market analyst in IDC Korea's enterprise research group, noted in an e-mail interview that privacy will also be a key concern.

Disconnecting infected end-user PCs and analyzing them can be a violation of personal privacy since a third party can, for example, monitor the Web sites the user had accessed, Hwang explained.

In addition, he said the law may also require individuals to use antivirus software regardless of their willingness to do so.

To mitigate blame for the privacy violation, the analyst said appropriate pre-education and a pilot project should be carried out.

Monetary issues, he added, may also come to the forefront. If the government mandates that ISPs offer antivirus to clean infected machines, it should allocate sufficient budget so the providers are not burdened with the extra costs, he said.

According to Hwang, the South Korean government will run a pilot project in the fourth quarter of 2010 before enacting the law. The actual legislation is therefore likely to kick in during the first half of 2011, he said.
