Fraud Management & Cybercrime
,
Geo Focus: Asia
,
Geo-Specific
Government Plans Audit in Wake of Major Ransomware Attack, But Will That Be Enough?
Indonesian President Joko Widodo ordered an audit of government data centers this week. It came after a ransomware attack on the Temporary National Data Center, or PDNS, which is crucial to the government’s e-governance initiative. This system integrates all central and state digital services to enhance interoperability and speed up service delivery (see: Indonesia Data Center Hack Threatens Transformation Efforts).
See Also: Identity Security Clinic
While the audit announcement is a welcome step, it is inadequate for an incident that affects over 200 institutions, including local states and key public services. The audit came after a closed-door government meeting last Friday. The government’s seriousness is questionable since it failed to provide an audit timeline, merely stating, “The sooner, the better.” What’s needed is a comprehensive action plan.
Lessons in Rapid Digitization
This incident offers several lessons for countries pursuing rapid digitization. Digitization is the future, but neglecting cybersecurity for greater efficiency could cause more harm than good.
In his latest announcement, Hadi Tjahjanto, coordinating minister for political, legal and security affairs of Indonesia, said backups are now mandatory. But this effort will be insufficient if cybersecurity budgets for government departments do not increase. Imagine storing national data without a backup plan. Indonesia’s National Cyber and Crypto Agency revealed that 98% of data wasn’t backed up because disaster recovery was optional, and many skipped it because of budget constraints.
According to public information, the Ministry of Communications and Informatics of Indonesia operates data centers per Presidential Regulation 95 of 2018 on the Electronic-Based Government System. This regulation mandates that government agencies use PDNS. Currently, Kominfo runs a temporary PDNS using third-party infrastructure while developing permanent facilities in Batam and Cikarang.
The Importance of a Thorough Audit
Audits are critical for identifying loopholes and providing a well-documented report on needed corrections. But auditors often lack the technical capability to gather artifacts or evidence of implementation. A checkbox audit wastes time and resources.
“Auditors often do not have the mindset of a cyberwarrior. Financial audits occur quarterly, yet scams and gaps persist. They can’t find end-to-end gaps because audit scopes are not comprehensive,” said Angel Redoble, former field vice president and group CISO, PLDT Group and Smart Communications.
To make the audit effective, the government should look beyond traditional auditors and engage an organization with a strong cybersecurity background in risk, governance, audit and operations.
Processes need to be in place to ensure that audit results are unbiased and that no government departments have interfered.
The Way Forward
Most government agencies use PDNS and eventually they will all use it to deliver public services. The recent attack underscores the importance of service availability, making backup and recovery crucial. A previous ransomware attack hit Bank Syariah Indonesia, disrupting its mobile banking services.
The government should follow the NIST Cybersecurity Framework, which defines identification, protection, detection, response and recovery as information security life cycle functions. These are all part of an overall business continuity or business resilience program.
Another essential step is to classify data and store it accordingly, rather than keeping everything in the Temporary National Data Center. Cloud storage can hold statistical data, while important data such as PII should be stored on government servers. “Once it was centralized, it turned out that once it was hacked, everyone was affected. I didn’t think hacking was so devastating in the past,” Indonesian Vice President Ma’ruf Amin told the press.
Indonesia needs a comprehensive cybersecurity strategy to prevent loss of public trust. An audit is fine, but it must be complemented by continuous monitoring and real-time threat detection. Evaluating existing resources and their reliability is also necessary. “Referring to the PPT framework, the implementation of digital government security through SPBE already has a strong foundation in the process aspect, with comprehensive policies enshrined in regulations which need to be further strengthened with more technical procedures,” said Fiddo Hafied Rum, senior analyst at the executive management of the National Committee for Islamic Economy and Finance, Republic of Indonesia.
“In terms of the people and technology aspects, it is necessary to re-evaluate whether the current level of human resources and devices is adequate and reliable to support security governance implementation in the process aspect,” he said.
The government should collaborate with private companies and adopt their best practices. As the saying goes, Rome wasn’t built in a day. By the same token, massive digitization cannot be completed in a year without proper security checks.
