중국 사이버안보 패러다임 변화와 시사점

Abstract

Korea announced the ‘National Cybersecurity Strategy’ in April 2019, and ‘Strengthening national cyber security response capabilities’ was also included in the ‘110 Key Policy Tasks’ released in May 2022. However, the legislation of basic cybersecurity law to establish a legal foundation is at a standstill due to several concerns raised. This is why there is no cybersecurity control tower.
 In the case of China, three laws(Cyber Security Law, Data Security Law, and Personal Information Protection Act) were enacted on the basis of the National Security Law(2015), which expanded the scope of national security to cyberspace, thereby establishing basic legal systems for cybersecurity. Through this, the legal basis for data governance centered on the Central Leading Group for Cybersecurity and Informatization of the Chinese Communist Party(CCP), and the Cyberspace Administration of China was provided. To ensure that core technologies of the 4th industrial era do not pose a threat to cybersecurity, the Anti-Espionage Law(2023) expanded the scope of the law to include data related to national security. In addition, generative AI was regulated through the implementation of the Interim Administrative Measures for Generative AI Services. Following these legislative changes, governance was expanded from the Central Leading Group for Cybersecurity and Informatization of the Chinese Communist Party(CCP) → National Security Commission of the CCP → Central Science and Technology Commission. At the center of this paradigm shift is the CCP, providing the impetus for the shift.
 If we apply the implications of China's paradigm shift to our situation, first, Korea must establish a basic cybersecurity law and quickly establish a cybersecurity control tower based on the law. Considering that cybersecurity issues must be supported by the ability to govern all ministries, the structure of a Presidential Council is appropriate. Additionally, considering that AI technology is closely related to cybersecurity and that discussions on AI regulation are taking place together, a governance system that encompasses both cybersecurity and AI must be established.
 In other words, the Presidential Council will be responsible for ‘cybersecurity and AI’ must be established. Through the Presidential Council, the fragmented cybersecurity command system should be integrated, and it must become the control tower that considers and decides on diplomatic, security, economic, and technological policies regarding AI. In-depth discussions on establishing governance that embraces the two values of ‘cybersecurity’ and ‘AI’ should be conducted during the legislative process of the basic cybersecurity law and AI law in order to reach the result. In order to improve transparency, a review of processes that can be checked by the National Assembly regarding the Presidential Council’s major policies, budget, etc. must also be conducted.