Analyzing Indonesia’s National Cybersecurity Strategy
July 28, 2021 12:03 pm
Irnasya Shafira, Research Associate of Center for Digital Society Universitas Gadjah Mada
As the world becomes increasingly digital, the need for a national-scale cybersecurity strategy is higher than ever. The world has seen more and more cyberattacks against both businesses and states. The pandemic has pushed governments all over the world to encourage us to work from home and, as a consequence, technology has become more and more prevalent in our work and personal lives. The increase in remote working exposes us to higher cyber risk, and cyber-attackers exploit this opportunity to step up their criminal activities. Between February and May 2020, more than half a million people globally were affected by breaches in which the personal data of video conferencing users was stolen and sold on the dark web[i]. Beyond video conferencing, the state has also recorded an increase in cyberattacks during the pandemic. Lohrmann has summarized the many headlines covering such attacks and even dubbed 2020 “The Year the COVID-19 Crisis Brought a Cyber Pandemic”[ii].
Indonesia is not exempt from this so-called cyber pandemic. The National Cyber and Encryption Agency (Badan Sandi dan Siber Nasional—BSSN), Indonesia’s current national cyber institution, reported 88.414.296 cyberattacks between January 1st and April 21st, 2020. The most common attack type was trojan activity at 56%, followed by information gathering at 43%, with web application attacks making up the other 1%[iii]. By the end of 2020, the number of attacks had risen to 423.244.053 and was predicted to rise even more in 2021[iv].
According to research done by Frost and Sullivan, which was initiated by Microsoft in 2018, cybercrime has caused Indonesia a deficit of approximately 478.8 trillion IDR, or as much as 34.2 billion USD[v]. This was before the pandemic. Pratama Persadha, a cybersecurity expert, has predicted that the global deficit caused by cyberattacks may reach 84.000 trillion IDR, or as much as 6 trillion USD[vi]. These facts serve as a harsh reminder that Indonesia is in dire need of a national-scale cybersecurity strategy.
One effort to increase the world’s commitment to cybersecurity is the Global Cybersecurity Index (GCI), through which the International Telecommunication Union (ITU) ranks its 193 member states. The rankings are based on five pillars: 1) legal, 2) technical and procedure, 3) organizational structure, 4) capacity building, and 5) international cooperation. Based on GCI’s assessment in 2020, Indonesia is ranked 77 out of 193 members[vii]. It is certainly worrying to see that Indonesia’s cybersecurity policy development sits at 0% despite the staggering number of cyberattacks Indonesia has suffered in the last 5 years. Thus, this article is meant to explain Indonesia’s future and existing national cybersecurity strategy.
Indonesia’s Existing Cybersecurity Strategy
It can be inferred from the 0% cybersecurity policy development mentioned by the ITU that Indonesia does not have a comprehensive law that governs its national cybersecurity. Instead, the relevant provisions are spread across multiple laws that are currently used as the main guidelines for cyber-related affairs, such as Law No. 11 Year 2008 on Information and Electronic Transactions (UU ITE) and its subsequent revision, UU ITE No. 19 Year 2016. These laws govern data protection offenses, unauthorized access to computer systems to obtain certain information, and illegal takeover and surveillance of a computer or other electronic systems. Yet UU ITE does not touch upon important elements of cybersecurity such as information infrastructure[viii], nor does it address the need for human capital in the field of cybersecurity[ix].
This does not mean that Indonesia has no cybersecurity measures in place, only that they are still in development. In 2017, Islami, a staff member of Indonesia’s Ministry of Communication and Informatics, wrote about the challenges in implementing Indonesia’s existing national cybersecurity strategy[x]; from that research, we can see the scattered elements of Indonesia’s national cybersecurity strategy categorized by the five pillars of GCI.
1. Creating the Talent Pool Born to Control: Gladiator Cybersecurity Indonesia program, which is aimed at ten thousand candidates to increase cybersecurity skills (Press Release No. 12/HM/KOMINFO/01/2017)
2. Technical guidance for information security (KAMI index, APRISMA, SNI ISO 27001, ISO 22301) for government bodies
3. Awareness program for legislative, institution heads, and industry leaders of the strategic sectors via coordination with LAN and LEMHANAS
4. Application of accredited education program for information security human capital according to standard industry competence via the center of excellence in universities
5. Indonesia National Standard Work Competency (Standar Kompetensi Kerja Nasional Indonesia—SKKNI) for information security sector
6. Educating the public on quality content, knowledge on diversity, and anti-terrorism. Targeting 40 regions and, through social media, targeting Indonesian Twitter users at 19.1 million users and 232 thousand Instagram users.
7. Creating 1500 agents of Smart, Creative, and Productive Internet (Internet Cerdas, Kreatif, dan Produktif—i-CAKAP) based at the border and outermost regions that are behind in Indonesia’s development.
1. Law No. 19/2016 on the amendment of Law No. 11/2008 on Information and Electronic Transactions (ITE)
2. Telecommunication Law No. 36/1999
3. Ministry of Communication and Informatics’ Ministerial Regulations No. 5 Year 2017 on fourth amendment of Ministry of Communication and Informatics’ Ministerial Regulations No. 26 Year 2007 on Securing Internet Protocol-based Telecommunication Network (PERMENKOMINFO No. 5, 2017)
1. The formation of the National Cyber and Encryption Agency (BSSN) based on Presidential Regulation No. 53 Year 2017. BSSN is a non-ministerial government body that is directly responsible to the President. It is meant to strengthen the National Encryption Agency (Lembaga Sandi Negara—LSN) along with the Directorate General of Information Security and the Directorate General of Informatics Application of the Ministry of Communication and Informatics
2. The function of BSSN is the technical implementation of policies such as identification, detection, protection, countermeasure, recovery, surveillance, evaluation, e-commerce protection control, encryption, screening, cyber diplomacy, cyber crisis center, cyber contact center, information center, mitigation support, risk recovery countermeasure, incidents and/or cyberattack
1. Indonesia Computer Emergency Response Team (ID-CERT) is the first CERT in Indonesia, formed in 1998. It is an independent community-based technical coordination team that handles incidents that involve both Indonesia and foreign countries
2. Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII) is an assisting/supporting team that increases the securitization and security of Indonesia’s critical infrastructure; it is the coordination center for domestic and foreign initiatives, acting as the single point of contact
Technical and Procedural Measures
1. Indonesia’s National Standard (Standar Nasional Indonesia—SNI) IEC/ISO 27001:2013 which contains requirements for establishing, implementing, maintaining, and sustainable improvement of Information Security System Management
2. SNI ISO/IEC 27018:2016, Information technology – Security techniques – Practical guidelines for personal information protection within the public cloud which acts as the processor of personal information
3. Trust Positive (Trust+); workshop on safe and healthy Internet, Nawala DNS filtering, Ministry of Communication and Informatics’ program
4. Information Security Index (Indeks Keamanan Informasi—KAMI Index). An evaluation tool to analyze the readiness of information security system of government bodies based on ISO/IEC 27001:2009
Analysis of Indonesia’s Existing National Cybersecurity Strategy and the Recommendation for the Future
If we analyze the overview of this strategy, it can be inferred that Indonesia’s national cybersecurity strategy is still at the stage of growing awareness and creating standardized practices. From the People aspect of GCI, the lack of capable human capital to act as important initiating actors for other aspects of the strategy is apparent. Neither government nor industry has the necessary human capital to initiate and enact any concrete cybersecurity policy and practices, hence the first strategy is to ready the human capital that can do so.
From the Process aspect of GCI, Indonesia’s lack of a Law on Cybersecurity affects the organizational structure which should be governing cybersecurity. In the absence of legal standing for cybersecurity, it is almost impossible to enact a national-scale cybersecurity practice. It also causes confusion in coordinating responsibilities regarding cybersecurity[xi]. The most up-to-date draft of the Cybersecurity Law itself is currently unavailable to the public, the last version having been updated in May 2019[xii], but there is an academic text available[xiii]. BSSN’s functions have also been criticized as overlapping with other bodies such as the Ministry of Communication and Informatics, the Cybercrime Unit of the Indonesia Police Force, and the Ministry of Defense’s Cyber Operation Center[xiv]. In the future, Indonesia has to expedite the passing of the Cybersecurity Law to provide legal standing. The Law’s existence will also propel a comprehensive national cybersecurity strategy and better redefine the function of BSSN.
From the Technology aspect of GCI, Indonesia is currently in the process of creating a national standard for how information security should be conducted by both government bodies and the industry, along with its evaluation tool. It is also interesting to note that Indonesia implements a form of internet censorship in its Trust+ and Nawala filtering programs. Debates on Internet censorship/filtering are also a very important topic in Indonesia’s cyber landscape[xv] and should be included in future national cybersecurity strategy discussions.
In the first part, we have seen just how badly Indonesia needs a comprehensive national cybersecurity strategy. The current overarching challenge is the absence of proper legal standing for cybersecurity and the lack of human capital capable of securing Indonesia’s cybersecurity landscape. Thus, the government needs to invest more in the human capital of Indonesians to prepare the talent needed in an increasingly digital world. The Cybersecurity Law should be passed as soon as possible to spearhead Indonesia’s defense against the rising cyberattacks, especially when the pandemic shows no signs of stopping anytime soon.
[i] Deloitte. ____. Impact of COVID-19 on Cybersecurity accessed from https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html# on 20 July 2021
[ii] Daniel Lohrmann. 2020. 2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic accessed from https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html on 20 July 2021
[iii] National Cyber and Encryption Agency Indonesia. 2020. Rekap Serangan Siber (Januari – April 2020) accessed from https://bssn.go.id/rekap-serangan-siber-januari-april-2020/ on 20 July 2021
[iv] Pito Agustin Rudiana. 2021. Serangan Siber di Indonesia Diprediksi Meningkat, Perlindungan Lemah accessed from https://tekno.tempo.co/read/1473578/serangan-siber-di-indonesia-diprediksi-meningkat-perlindungan-lemah/full&view=ok on 20 July 2020
[v] Kompas.com. 2019. RI Rugi Rp 478,8 Triliun akibat Serangan Siber, DPR Siapkan RUU accessed from https://nasional.kompas.com/read/2019/08/12/13454311/ri-rugi-rp-4788-triliun-akibat-serangan-siber-dpr-siapkan-ruu-kks?page=all on 20 July 2021
[vi] Fikri Kurniawan. 2020. Kerugian Serangan Siber Tahun 2021 Diprediksi RP 84.000 triliun accessed from https://tekno.sindonews.com/read/284040/207/kerugian-serangan-siber-tahun-2021-diprediksi-rp84000-triliun-1609240357 on 20 July 2021
[viii] Indonesia’s information infrastructure regulations fall under the Telecommunication Law No. 36 Year 1999
[ix] Center for Indonesian Policy Studies (CIPS). 2021. Ringkasan Kebijakan | Perlindungan Keamanan Siber di Indonesia accessed from https://id.cips-indonesia.org/post/ringkasan-kebijakan-perlindungan-keamanan-siber-di-indonesia on 21 July 2021
[x] Islami, M.J. 2017. Tantangan Dalam Implementasi Strategi Keamanan Siber Nasional Indonesia Ditinjau dari Penilaian Global Cybersecurity Index. Jurnal Masyarakat Telematika dan Informasi Vol. 8 No. 2 (Oktober-Desember 2017) pp. 137-144
[xi] Aprilianti, I., & Dina, S. 2021. Pengaturan Bersama Ekonomi Digital Indonesia. Center for Indonesian Policy Studies accessed from https://repository.cips-indonesia.org/publications/332998/co-regulating-the-indonesian-digital-economy on 21 July 2021
[xiii] Downloadable from http://dpr.go.id/doksileg/proses1/RJ1-20190617-025848-5506.pdf.
[xiv] Steffani Dina. 2018. Tumpang Tindih Tugas Badan Siber dengan Lembaga Lain accessed from https://www.kominfo.go.id/content/detail/12355/tumpang-tindih-tugas-badan-siber-dengan-lembaga-lain/0/sorotan_media on 21 July 2021
[xv] Ray Walsh of Pro Privacy has written an excellent overview of Indonesia’s internet censorship. He mentions that ‘Pretty much any content relating to illegal activity, or which violates Indonesia’s highly conservative social norms is formally blocked in Indonesia.’ The article can be read at https://proprivacy.com/guides/indonesia-privacy