What do we want? More technology! When do we want it? Now!
There is no actual protest song with these lyrics, but regular readers of Commsrisk will appreciate my meaning. The chant of ‘more technology, new technology’ is routinely offered as the stock answer to the question of how to improve security, safeguard privacy, and protect the public from the harms caused by hackers and scammers. Telcos in many countries continue to reduce the number of employees dedicated to protecting their customers, but the rationalization is always that this is justified by ‘more technology, new technology’. You never hear complaints from the people who run these downsized departments because they know their jobs could also disappear if they object to cuts in the number of staff or budgets for training. Photographs of the events run by associations supposedly arranged for the benefit of fraud professionals employed by the comms sector reveal how far they have shrunk, though they can still afford to run those events thanks to the income they get from vendors of ‘more technology, new technology’. However, one cybersecurity professor recently went on the record about why the procurement of systems is not a reliable way to enhance security. Speaking to The Korea Herald in the wake of data breaches at SK Telecom and KT, South Korea’s two largest telcos, Professor Kim Yongdae of the Korea Advanced Institute of Science & Technology (KAIST) explained why procurement frequently falls short.
Regulations are often designed to encourage companies to focus on buying specific tools or equipment just to pass certification, instead of addressing deeper architectural flaws. Firms start to treat compliance as a procurement exercise, and once they meet their obligations, they forget about vulnerabilities. This also leads to perverse outcomes, such as the mandatory use of certain tools, which has created a lowest-bidder market culture. Companies buy the cheapest solution that satisfies the rule, not the one that genuinely improves security.
Kim was discussing regulations in South Korea, but the same observation applies to many other countries too. Consider the deliberate and aggressive push by American businesses who wanted regulators around the world to mandate STIR/SHAKEN technology despite it being an overhyped flop. The level of international gaslighting was extraordinary, with one former Telstra executive resorting to brazen lies about the adoption of STIR/SHAKEN, including the claim that Australians would suffer more scams as a consequence of scammers abandoning hope of defrauding Americans. The reality is that Australia’s effective anti-scam policies, which did not demand the purchase of specific technologies, have delivered an enormous fall in the number of complaints about scam calls and messages. Americans would envy such an improvement if their rulers ever dared to tell them about it instead of feeding them bogus statistics.
Kim also highlighted the extent to which bad actors are being helped to circumvent controls by the open way information about security is made available to anyone who wants it.
Besides, Korea Internet & Security Agency’s penetration testing tools are publicly available, which means hackers can download them, run the same scans and design their attacks to avoid detection. In reality, a company with thousands of servers may rely on a single KISA tool scan to “pass” inspection while the majority of its infrastructure is still exposed.
Kim may criticize the Korea Internet & Security Agency (KISA), but the same criticism also applies more generally. KISA’s policies align with those of many of the aforementioned professional associations for fraud managers. Telcos defraud other telcos. Telcos profit from scams by consciously defeating the controls that other telcos implement. But many associations place no limits on which telcos, or which employees within those telcos, are allowed to receive the information they share. They do not care because all that really matters is obtaining the largest possible audience of potential suckers, sorry, customers, for the ‘more technology, new technology’ being sold by vendors.
Simplistic reasoning about how to tackle risk inevitably leads to brain-dead and selfish decision-making, as Kim also points out.
These policy approaches have encouraged firms to treat cybersecurity as a box-ticking exercise. KISA officials once offered to visit a prominent router maker in person to explain a discovered flaw; the company rejected the offer, kept the door closed when the officials arrived, and later declined to patch the vulnerability even after it was demonstrated.
Kim’s astute analysis of how bureaucratic inspections of security can fail to deliver the intended results has come at an especially uncomfortable time for South Korean officials. The government has recently promised the launch of new ‘national inspections’ for all of South Korea’s leading telcos and financial firms in the hope they will restore the public’s faith. It will take more than a box-ticking exercise to deliver the level of security actually needed in a society where everyday life is as networked as it is in South Korea.
I find Kim Yongdae to be one of the most insightful commentators on the cybersecurity challenges faced by South Korea, a society that has adapted to technological change in ways that many others have yet to experience. More countries need academics with the confidence to speak out like Kim does. Until they do, you can read the whole of Kim’s interview with The Korea Herald by looking here.