Over 100 hours after immigration services in international airports across the country were totally paralysed, the Indonesian government admitted that its newly-established National Data Centre (PDN) had fallen victim to cyberattack. A malicious Lockbit 3.0 ransomware has encrypted vital data stored in the centre and the hacking group behind it demanded an 8 million USD payment as ransom. Unfortunately, most data had not been properly backed up and until this article was written, the Indonesian government had failed to fully recover data in at least 282 compromised institutions.
This incident was barely the first and likely won’t be the last. Indonesian internet users still vividly remember when the health ministry’s Covid-19 tracking app was hacked in 2021 and when an anonymous hacker known as “Bjorka” breached state institutions and businesses in 2022, exposing millions of their personal data. Even worse, within days after the recent Lockbit attack, the Indonesian Armed Forces Strategic Intelligence Agency was breached and had its sensitive data leaked onto internet forums.
Within the Indonesian hacking community, state institutions have been known to maintain the weakest protections of its own data, compared to private enterprises.
In an increasingly digitally connected world, cyberattacks are a clear, major threat to national security. The Indonesian government’s failure to protect its own citizens’ data online reflected the country’s dangerously weak and ineffective cybersecurity governance. It leaves Indonesia is barely able to defend itself against ever-evolving threats in the digital world and millions of Indonesians online extremely vulnerable to bad actors. Furthermore, if the overall state of digital safety remains uncertain, foreign investors would become reluctant to enter Indonesia, an issue of particular concern for the government.
According to the Guide to Developing a National Cybersecurity Strategy published by the International Telecommunication Union, countries must have a competent cybersecurity authority at the highest level of government to provide direction, coordinate action, and monitor the implementation of cybersecurity strategy. Resources—financial, material, and human—must be provided sufficiently and continuously. Moreover, governments must guarantee accountability and transparency in the usage of resources in developing the most effective cybersecurity capabilities to counter any possible threat. These good practices should ideally serve as reference for Indonesian policymakers.
However, the reality in Indonesia has long been far from ideal. Noor Anjani from the Center of Indonesian Policy Studies noted that Indonesia’s cybersecurity regulations had created fragmented responsibilities across different institutions and they remain ineffective in preventing cybercrime. The lack of a dedicated personal data protection law (UU PDP) for example, reflected a long-standing situation of poor regulatory framework until one was finally passed by parliament in 2022, after years of stagnation since it was first brought up in 2016. Even then, measures mandated by the law, such as the establishment of an overarching data protection oversight agency, have yet to be realised.
Presently, cybersecurity governance in Indonesia is the responsibility of two main agencies: the Ministry of Information and Communications (Kominfo) and the National Cyber and Crypto Agency (BSSN). In recent history, these agencies’ leading officials have been politicians, police and military officers with no knowledge or background in information technology. Their lack of competence in digital affairs and concerningly low cybersecurity proficiency has severely hindered inter-institutional coordination, an effective national cybersecurity strategy, and swift and accurate response to disasters.
Outdated (or rather, primitive) approaches to security are still being employed by Indonesian authorities in response to cybersecurity threats. In the aftermath of the 2022 Bjorka case for example, the government focused on “hunting down” the hacker and bringing them to justice as if it was an ordinary case of robbery or theft, instead of evaluating institutional and technical weaknesses in data protection that made the breach possible in the first place.
During the parliamentary hearing with Kominfo and BSSN on the latest PDN breach, it became clear that weak regulatory enforcement, lack of technical oversight, and human resource inadequacies caused the failure of many institutions to properly back up their data. By law, backing up user data is the responsibility of each government agency and private enterprise, facilitated by Kominfo and BSSN. However, coordination between agencies and enterprises had been unclear, leaving many cases of non-compliance unprocessed. Further complicating the matter, BSSN was not fully involved from the beginning in the PDN project’s planning, even though it is nominally the primary enforcer of data protection.
Consequently, after the recent ransomware attack, the government admitted that much of Indonesian citizens’ crucial data could not be reacquired. This catastrophic incident must be reflected upon as a grave signal for Indonesia to immediately improve its cybersecurity governance.
Firstly, the formulation, monitoring, and evaluation of cybersecurity regulations must involve all stakeholders in a structurally-coordinated manner, from all levels of state institutions to private enterprises possessing millions of user data. At the national level, potential risks must be routinely assessed, followed by formulating and socialising a nationwide disaster response and recovery plan to ensure minimal damage to user data and related systems in case of future incidents.
Furthermore, technologically-illiterate officials occupying strategic positions related to cybersecurity governance—especially Kominfo and BSSN—must be replaced by younger generations with experience in digital technology affairs. More space for technical experts should be given to directly influence policymaking processes and push forward more progressive policies. That way, future policies could be underlined by improved understanding of the importance of cybersecurity and approaches that are more relevant to tackle sophisticated incidents in the digital environment.
Observers have repeatedly advocated for “merit-based appointments of technically proficient agency heads” and “development of Indonesia’s cybersecurity workforce”. Minimising bureaucratic and political obstacles to improve coordination between stakeholders have also been voiced by analysts. However, to this day, progress towards more meritocracy in high offices and better cross-sectoral coordination has not been seen.
As such, significantly greater political will and strong-handed coordination needs to be invested into reforming Indonesia’s cybersecurity institutions, upgrading their capabilities, and improving regulatory enforcement and oversight. Otherwise, over 270 million Indonesian citizens will remain unsafe online and the state of Indonesia’s digital sovereignty will remain uncertain.
