Strengthening South Korea’s national security by adopting the cloud

To improve its national security, South Korea must improve its ICT infrastructure. Knowing this, the government has begun to move towards cloud computing.

The public and private sectors are now taking a holistic national-security approach that includes the country’s military capability and cybersecurity. Success in this approach will require an improved competitive edge across emerging technologies to project and defend national power.

Cloud-based ICT infrastructure provides scalable computing capacity by managing vast quantities of data and adapting to varying workloads. From a defence perspective, flexible computing capacity enables rapid scaling during different mission phases.

Beyond modernising internal ICT infrastructure and military readiness, increasing South Korea’s cloud uptake could improve the country’s military interoperability with regional partners by facilitating real-time sharing of data at lower levels of classification and sensitivity.

Such information sharing is particularly important considering the international growth of South Korea’s defence industrial base, which includes Hanwha’s facility in Australia and Korea Aerospace Industries’ ongoing support to the Philippine Air Force to enhance its air combat capabilities. Furthermore, if South Korea participates in specific AUKUS Pillar 2 projects, a common federated cloud-based platform could foster secure information-sharing, advancing collaborative development of advanced technological capabilities.

The South Korean government has introduced initiatives and policies to catch up on cloud adoption, including the 2015 Act on the Development of Cloud Computing and Protection of its Users, the 2022 Digital Strategy and a series of plans in 2024. But to improve cloud uptake in line with these policies and strengthen national security, the South Korean government must overcome several barriers.

The first of these barriers relates to the Cloud Security Assurance Program, a certification that cloud service providers (CSPs) must receive before working with South Korean government agencies. Despite a reformation in 2022, the certification process remains complex and lengthy. Australia’s Certified Cloud Services List program faced similar criticism for its complexity, and was terminated in June 2020 following an independent review by the Australian Signals Directorate.

ASD’s review into Australia’s cloud services list outlined a need for greater industry engagement, for example through co-designed cloud security guidelines and the establishment of industry consultative mechanisms. In South Korea, regulatory reform processes—sparked by uptake challenges in the public sector—must engage CSPs to better meet provider needs.

This will require a careful balancing act. Although international CSPs can now serve government agencies, their ability to support public systems managing sensitive or private data—labelled as mid-risk and high-risk tier segments—is limited. Conversely, domestic CSPs have argued that the entry of international CSPs into the government market threatens their survival.

While market competition is healthy, the concerns of domestic CSPs mustn’t be understated—the government plays an important role in the success of domestic tech companies, such as Samsung and Naver, which are now points of national pride.

To meet the commercial interests of both international and domestic CSPs, international-domestic collaborations must continue to be brokered in South Korea. One recent example is between KT Corporation and Microsoft Corporation, which involves the development of a sovereign cloud solution to drive cloud and AI innovation in the public sector and regulated industries.

The second barrier to cloud uptake is the country’s relatively low level of necessary expertise. Cloud-specific skills are required for organisations to assess the benefits of implementing cloud services. Despite the country’s technologically advanced status, a 2021 OECD report stated that less than 15 percent of South Korean small and medium enterprises provided general ICT education to employees.

The third barrier, also linked to inadequate cloud expertise, is perceived security concerns. South Korean enterprises are conscious of the risks that cyberattacks pose, such as those that North Korea’s Lazarus group has been conducting since 2009.

Many leading CSPs offer cyber protections through mitigation as well as response and recovery at scale, which would become particularly important in major combat operations near the Korean Peninsula, such in the South China Sea. However, organisations with limited cloud expertise often stick to existing systems due to misconceptions around cloud security and the perceived burden of data protection under the shared responsibility model.

To overcome these final two barriers, ICT professionals must upskill. Beyond government-led initiatives, such as a 2021 plan to nurture a talent pool of 10,000 cloud-trained professionals, CSPs are taking the lead. For example, Amazon Web Services Korea offers free cloud-computing education to South Korean jobseekers.

South Korea’s slow adoption of cloud computing presents a gap in its national security and technological competitiveness. The government has recognised cloud infrastructure as essential to strengthening national power and interoperability with allies and partners—ultimately supporting defence, economic growth and emerging technologies. This has pushed South Korea to develop uptake strategies, but regulatory hurdles, low digital literacy and security concerns are persistent challenges. Encouraging collaboration between CSPs and improving digital literacy will only become more important as cloud technology becomes central to South Korean security.