Why Was Twenty-Year Network Separation Abolished Now?
For a long time, the default of Korean security was to cut the connection. Since 2006, the belief was that physically separating the internet network from the work network kept things safe, so two computers sat on every desk. This May, the clause mandating separation of internal and internet networks was deleted from the national cybersecurity baseline guideline, a turn that took twenty years.
The reason for the abolition is the crux. It was not that blocking kept us safe, but that blocking was no longer possible. A look into last year's telecom and card-company breaches showed that supposedly closed networks all had internet contact points. A Microsoft survey found that 75% of workers use generative AI, and 78% of them use tools their company never approved. The network had long been connected; only the company did not know.
The Real Bottleneck Is Not Security but Data Classification
Opening the network means every piece of data must be sorted into three tiers: classified, sensitive, and open. But Korea has never done this properly. Ask people in the field and almost everything gets labeled national security. Since misclassifying could mean taking the blame for an incident, they conservatively choose the highest tier. This is also why it took the UK three years to cut its six-tier scheme down to three and widen the share of openly usable data.
The unit of classification is a problem too. If a single medical certificate mixes a patient's openly shareable name with a sensitive resident registration number, the whole file gets bound as sensitive and loses usability. Grading by item, such as name, address, and identifier, lets the same document appear differently by permission. A market for this automatic classification exists abroad but not in Korea. Having never put data on the cloud, there was never an occasion to classify it.
What Does the Obsession with Sovereign AI Miss?
As network separation lifts, the claim that every domain must be filled with domestic AI follows. But forcing sovereign AI across all domains repeats the path of Korea's public certificate system. Coercion kills competition, and without competition technology decays. Sovereign AI is truly needed where a foreign model must not be cut off and information must not leak, the national security domain. In general industry, what to use is the company's choice.
A security AI that drew attention recently reached top-tier performance without any proprietary foundation model, simply by weaving together already-public LLMs, and the core of that team was Korean. It is proof that competitiveness comes not from owning something of our own but from the capability to combine well. So in the space left by lifted network separation, the first thing a company should do is not adopt AI. It is to classify what kind of data we actually hold.