By Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies
With the country’s digital transaction value amounting to $77 billion (or 40% of the region’s total) in 2022, Indonesia continues to be a key player in Southeast Asia’s digital economy. The total digital transaction value is expected to double to $130 billion by 2025, further establishing Indonesia as a significant contributor to the region’s dynamic digital economy. In addition, Indonesia fosters a healthy startup ecosystem and is ranked 6th globally in terms of the number of startups, with over 2,400 businesses. Over the next few years, the country will continue to treat digital transformation as one of its national priorities.
However, Indonesia’s rapid digitalisation also increases its exposure to challenges such as cyber threats. These include the risk of data breaches in government departments, state-owned enterprises, and the financial services sector, which could potentially affect millions of customers. For example, data leaks and identity theft are major concerns, accounting for 88% of cyber attacks in the past three years. A 2021 report by the Ministry of Communications and Informatics (MoCI) revealed that 93% of data leak cases were due to underlying cyber security issues. This highlights the need for Indonesia to pursue efforts that would promote cyber resilience.
Challenges to Indonesia’s Cyber Resilience
Indonesia’s cyber resilience is a concern due to uncertainties in its preparedness for digital transformation across industries. In 2022, the National Cyber and Crypto Agency (BSSN) recorded almost a billion cyber attack cases, with over half being malware-related, data leaks accounting for 15%, and trojan activity making up around 10%. In the first half of 2023 alone, Indonesia recorded more than 347 million cyber attack cases, with ransomware incidents accounting for the highest number of cases.
In addition to the threats of cyber attacks, there is room for improvement in Indonesia’s regulatory landscape. Currently, laws related to cyber resilience are fragmented. For instance:
- Government Regulation No. 71/2019 focuses on cybercrimes related to electronic transactions, neglecting critical infrastructure attacks.
- Ministry of Defence (MOD) Regulation No. 82/2014 addresses military cyber defence but not public cybersecurity.
- The Strategic Plans 2020–2024 of MoCI divide responsibilities between MoCI and BSSN for cyber defence and private data protection. The plan includes frameworks for emerging technologies like AI and machine learning, and covers the importance of electronic-based government services and of implementing technologies such as big data, machine learning, and blockchain. However, specific action steps to support e-government are not specified, except for the need to collaborate at different governance levels.
- The latest Presidential Decree No. 47/2023 emphasises the National Cyber Security Strategy and Cyber Crisis Management. Its key objectives include protecting the national digital economy ecosystem, enhancing the strengths and capabilities of Cyber Security resilience, and prioritising national interests while supporting the creation of the global cyberspace. However, there is a need for further governance in the implementation of Cyber Risk and Mitigation. The Cyber Crisis Management of the stakeholders involved, particularly the Electronic System Providers (PSE), demands more comprehensive instructions and audited plans to protect consumers.
A CIPS study revealed shortcomings, including the need for skilled human resources within MoCI, standardised response mechanisms, co-regulation with non-governmental representatives, and clearer mandates between ministerial bodies.
In terms of personal data protection, the regulation lacks clarity on how the public receives information in case of cyber crimes or data breaches. Communication mechanisms other than the annual and tri-monthly financial reporting of Otoritas Jasa Keuangan (OJK), the Financial Services Authority of Indonesia, are unclear. Furthermore, there is no consistent understanding of practical steps for businesses, consumers, and organisations to implement and enhance cybersecurity.
Towards Improved Cyber Resilience in Indonesia
As such, there are key considerations for Indonesia to strengthen its cybersecurity posture. These policy recommendations aim to increase the country’s capability to adapt to constantly evolving cyber threats.