Data and AI in a time of crisis

 

Son Do-il
The author is a managing partner at Yulchon LLC.
 
 
Recent years have shown that state crises are no longer confined to traditional territories such as land, sea and air. They unfold in cyberspace, targeting the digital systems that underpin modern societies. In Ukraine, ministries, banks and hospitals came under sustained cyberattacks designed to cripple essential services. Yet the country’s digital infrastructure proved resilient. A decisive factor was its ability to migrate government data swiftly to the cloud, often hosted outside its borders, in cooperation with global providers. That digital flexibility allowed the state to keep functioning even as its physical infrastructure was under attack.
 
For Korea, such lessons are urgent. Surrounded by regional security challenges, the country must prepare for the possibility of a crisis where cyberattacks precede, or even replace, conventional military strikes. Hospitals, airports, banks and defense systems could be paralyzed not by physical bombardment but by malicious code. The question is whether Korea’s most vital digital systems would remain operational — or whether they would be compromised, restricted or inaccessible at the very moment they are needed most.
 

Naver Cloud CEO Kim Yu-won announces a partnership with Nvidia at Nvidia’s GTC 2025 event held in San Jose, California. [NAVER CLOUD]

 
This dilemma lies at the core of the debate over the sovereign cloud. Just as a nation must control its land, seas and airspace, it must also safeguard its digital territory. Cloud infrastructure is no longer just a tool for storing files or running applications. It is the backbone of national resilience: Financial stability, energy grids, health care records and emergency communications all depend on it. With the rapid rise of artificial intelligence, reliance has deepened further. AI systems used in defense logistics, financial monitoring and health care management require immense computing power and massive datasets. Whoever controls the cloud also shapes the future of AI.
 
The United States has many hyperscalers dominating the global cloud and AI market. Under the CLOUD Act, U.S. authorities can compel providers to hand over data in their custody, even if stored overseas, subject to certain conditions. For other states that need hyperscaler cloud systems, this creates a paradox. On the one hand, U.S. providers offer scale, resilience and cutting-edge AI services. On the other, dependence on them means sensitive national data — and potentially the algorithms governing critical functions — may be subject to foreign jurisdiction.
 
Europe has taken a different course. Anchored by the General Data Protection Regulation, the European Union has advanced digital sovereignty through strict rules on data transfers and initiatives like GAIA-X, which promotes a federated infrastructure where global players can participate only if they comply with European law.
 
Korea already has one of the world’s strongest privacy regimes under the Personal Information Protection Act, and its regulator has been active in enforcing penalties against violations. At the same time, Korea is a global hub that depends on seamless data flows. Export-oriented industries like semiconductors, mobility, e-commerce and gaming all rely on global platforms.
 
 
Korea has already experienced cyber intrusions into banks, media outlets and energy operators. What makes the landscape more volatile now is the rise of digital assets, stablecoins and central bank digital currencies in the future.
 
Various regulations toward sovereignty already exist. Financial institutions must comply with network separation rules physically or logically dividing internal systems from internet-facing networks. Government agencies must store sensitive data in domestic facilities under strict connectivity limits. These requirements reflect the principle that some systems are too vital to leave exposed, regardless of cost. They provide the foundation for sovereign cloud as a pillar of both cybersecurity and financial resilience.
 
Another Korean element is the expectation that regulators and clients can directly inspect cloud operations. Banks and other regulated entities must allow supervisors to audit how data is stored and processed. This underscores a core belief: Outsourcing infrastructure cannot mean outsourcing accountability. Yet global hyperscalers have difficulty accepting such inspections due to security concerns and operational uniformity. This clash has slowed cloud adoption in sensitive sectors.
 
The way forward is a strategic hybrid model. Korea should establish a sovereign cloud dedicated to its most critical functions: defense operations, nuclear power management, election systems, emergency response and core government records. Less sensitive data and commercial workloads can still be hosted on global platforms under reasonable sovereign zone arrangements: governed by Korean law and open to regulatory inspection subject to agreeable conditions.
 

Attendees at Amazon’s annual cloud computing conference walk past the Amazon Web Services logo in Las Vegas on Nov. 30, 2017. [REUTERS/YONHAP]

 
The next emergency may not begin with troops crossing borders but with code designed to paralyze hospitals, banks or payment networks. In an era where AI shapes decision-making and stablecoins threaten to bypass national currencies, the vulnerabilities are magnified.
 
Just as Korea’s economic miracle was built on balancing autonomy with global integration, its digital and financial future must strike the same balance. Sovereignty must be the foundation; globalization must provide the reach. In the age of AI, whoever controls the cloud will control resilience. Preparing now — before the next crisis arrives — is not optional. It is a national imperative.