By Dain Oh, The Readable
Apr. 10, 2023 6:40PM GMT+9
Talent shortage has been a deep-seated challenge in every industry, but it gets worse when it comes to information security. It was reported that an additional 3.4 million cybersecurity professionals were needed to protect organizations from threats worldwide, a 26 percent increase in the deficiency compared to the previous year, according to the (ISC)2 Cybersecurity Workforce Study 2022.
The workforce gap in cybersecurity is not just an economic issue, but is currently a national security concern as well. Based on this understanding, the United States government created a multi-agency initiative last year—a plan that established hundreds of apprenticeship programs to close the cybersecurity talent gap. Announcing the initiative, the U.S. Commerce Department stated that there were more than 700,000 unfilled cybersecurity positions in its nation as of last year.
In South Korea, there has been an apprenticeship program for more than a decade. Young people who dream of becoming white hat hackers swarm to this program, which offers world-class, quality training for over nine months without any participation fees. Trainees have the chance to learn from one of the best hackers in the nation while shaping themselves to be the next generation of cybersecurity leaders.
Behind the success of this project is Yoo Joon-sang, an 80-year-old politician-turned educator. Yoo started the cybersecurity talent program “Best of the Best (BoB)” in 2012 and has trained over 1,600 white hat hackers so far. The trainees in the BoB program won the DEF CON Capture the Flag (CTF) three times, (in 2015, 2018, and 2022), proving their capacity through the world-class hacking competitions.
◇ From politics to cybersecurity
“I am not a cybersecurity expert.” It was the first sentence that Yoo mentioned during the interview with The Readable. He defined himself as a supporter who fosters cybersecurity professionals, especially the ones early in their careers.
As his statement asserted, he originally had no connection with the field of cybersecurity. Yoo was a politician who won elections four times from the early 1980s to the mid-1990s. He served as a member of the National Assembly from 1981 to 1996, being elected for four consecutive terms. During his tenure, Yoo participated in diverse committees, including home affairs, finance, national defense, information, and construction, leading the economy and science committee in 1988 and the policy committee in 1991. He also served as the special advisor for economy for Kim Dae-jung, who was the president of the Democratic Party and later became the president of South Korea. Yoo kept his feet in the South Korean politics until the early 2000s.
It was 2010 when Yoo first stepped into the cybersecurity industry. After losing in elections twice in the early 2000s, he looked for other opportunities to serve national interest, instead of pursuing his career in politics. Cybersecurity, the field that was somewhat neglected by the mainstream industries, but significantly important for future generations, was a good fit for him. Yoo took office as the president of the Korea Information Technology Research Institute (KITRI) in July of 2010. At the time, the small public organization that had only 13 employees in total. On the day that he entered the office at KITRI, he ordered one of his staff to find three books that best represented cybersecurity and started to research a subject which he did not have any background knowledge of before that day.
The more he learned about the reality that the country was facing regarding the cybersecurity industry, the more shocking it was to him. “The cybersecurity workforce, which was already insufficient, was leaving the industry, calling their job ‘Three D (an acronym for dirty, dangerous, and difficult jobs).’ The national cybersecurity risk was high, and private companies were reluctant to invest in cybersecurity because they saw the investment as a waste,” recalled Yoo. “It was an ironic situation, particularly considering that South Korea was named as an ‘information technology powerhouse.’”
◇ Creation of BoB: organizing people and securing funding
Yoo wanted a change. The first thing he did was to knock on the doors of high-profile cybersecurity professionals’ offices in the country. Even though he was a former member of the National Assembly for 15 years, it was not easy to have one-on-one meetings with the experts because his organization, KITRI, was hardly recognized as a well-established educational institution at that time. Before Yoo expanded the institution, KITRI was thought of as an old-fashioned computer training center which was established in 1985. However, Yoo strived to talk to the experts, pulling all the strings that he could until he finally formed a group of experts and hackers to initiate an apprenticeship program.
Then, he went out to acquire funding. Yoo visited members of both parties in the National Assembly, encompassing the ruling and opposition parties, and asserted the importance of cybersecurity and the need for government funding. His unique career path in South Korean politics helped. Yoo was one of the rare politicians who had experience in both parties in the nation, the democratic party and the conservative party. The Special Committee on Budget and Accounts was key to receiving the government funding. After persistently persuading the chairman of the committee, he was able to secure government support for the cybersecurity project with initial funding of 10 billion won (approximately $760,000). In the following year, he succeeded in doubling the national cybersecurity budget, securing 20 billion won (approximately $1.5 million) solely to nurture the young talent in information security.
Powered by the national funding, KITRI launched its first training program “BoB” in 2012 with 60 trainees who were carefully selected. They were recruited from high schools, universities, and private institutions, with 22 teenagers making up 37 percent of the entire class of 2012. The second class of BoB had 120 trainees in total, doubling the previous year’s number. The training size kept growing every year, and since 2019, KITRI now selects 200 trainees annually. The eleventh class graduated on March 30, making the total number of BoB graduates more than 1,600.
◇ Equipping 100,000 top talents in cybersecurity
The accomplishments of BoB were made not only in the quantity, but also in the quality of cybersecurity talents. The BoB trainees won the DEF CON CTF in 2015, just three years after the creation of the program. It was the first time that an Asian team won the hacking competition. And it happened again and again. In 2018, the trainees in BoB made history once again, winning the DEF CON CTF championship. Last year, the first place and the third place in the same hackers’ event were awarded to teams that trained in the BoB program.
Besides winning world competitions, the young white hat hackers have reported 1,702 security vulnerabilities to organizations and published 369 theses during their training at KITRI. The graduates of BoB have been primarily hired by government agencies and IT conglomerates which seek top talents in cybersecurity. “Recruiters at the leading companies come to KITRI and deliver presentations to attract our trainees,” said Yoo with pride.
This year, KITRI is preparing to launch a new program called “Pre-BoB” or “White Hat School.” The new initiative will train people who are under 24 years old for over six months. It is less intense than the regular BoB curriculum, providing much of the training through an online platform, but it is more focused on cultivating younger talents and students who do not have basic knowledge about information security.
“It is impossible to equip top talents in cybersecurity in our nation without investing in their cultivation,” said Yoo, making a reference to Yul-gok, a 16th-century Korean philosopher. When Korea was suffering from foreign attacks and a national security crisis, Yul-gok proposed that an army of 100,000 soldiers be created to protect the nation. “It is not a definite number, but I believe that we need at least this volume of cybersecurity professionals to defend the country,” added Yoo. His journey to nurturing 100,000 cybersecurity talents for the nation is still in progress as one of his books says in its title: “The marathon of my life is not finished yet.”
The photos of this article were taken by Sukwoon Ko.
Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.