July 3, 2024
JAKARTA – Authorities are scrambling to restore public trust in the security of the country’s digital infrastructure and citizens’ personal data after a recent ransomware attack on a temporary national data center (PDN) disrupted a slew of public services over the past week.
Communications and Information Minister Budi Arie Setiadi has repeatedly apologized to the public for the nationwide disruption to services connected to the attack, with the latest apology made on Monday at a media event.
These were followed by the announcement of mitigation steps overseen by Coordinating Political, Legal and Security Affairs Minister Hadi Tjahjanto, who visited the National Cyber and Encryption Agency’s (BSSN) cyber monitoring system control center in South Jakarta on Tuesday.
During his visit, he held an online meeting with various state and regional bodies’ computer security incident response teams (CSIRTs) to check on their capacity to safeguard their respective databases.
“I want to interact directly with all CSIRTs in Indonesia so that I know how prepared they are to face threats both from outside and within,” Hadi said, as quoted in a statement issued by the office of the coordinating minister.
He determined that 93 of the central government’s 160 bodies as well as 156 of 552 regional administrations had established tech response teams. The senior minister later said the figures represented “significant progress” in enhancing the country’s cybersecurity.
Hadi urged all CSIRTs to consistently adhere to regulations on cybersecurity and the management of digital attacks issued by the BSSN.
“These CSIRTs should not merely serve as symbols that they exist but must actively fulfill their functions [by] continuously monitoring, promptly responding and being prepared to handle cyber issues.”
He added that Indonesia was “a great nation with amazing and intelligent” people and that, therefore, the country should be able to “master” the tech sector.
Backing up the backup
Hadi’s Tuesday meeting came as the government works to mitigate the impact of the ransomware attack against the PDN in Surabaya, East Java, two weeks ago and improve the country’s cybersecurity against future attacks.
The latest attack, which was carried out with an updated version of the LockBit 3.0 ransomware that previously hit state sharia lender Bank Syariah Indonesia (BSI), crippled various public services from immigration to school enrollment.
In addition to aiming for full recovery of the impacted data by the end of July, Hadi introduced several policies on Monday to beef up preparation against future cyberattacks.
One of the new policies was to require all government bodies and regional administrations to store their data on regional cloud servers, rather than storing all the information at PDN facilities. Hadi also required the databases to be backed up regularly.
“At least we’ll have three to four layers of backup for these databases, which will be supported by secondary cloud storage,” Hadi said on Monday.
The government also designated its PDN facility in Batam, Riau Islands, as a disaster recovery center for the breached site in Surabaya.
While the government set its own deadline for full recovery of the data, the Brain Cipher ransomware operation group, which claimed responsibility for the PDN attack, issued a statement on Tuesday that it would issue the decryption key to recover the data by Wednesday.
The group previously demanded a ransom of US$8 million in cryptocurrency for the data. But in the Tuesday statement, it announced a plan to give the key for free.
“We hope that our attack made it clear for you how important it is to finance [cybersecurity] and industry and recruit qualified specialists,” the statement read, adding that the attack was not politically motivated.
“Citizens of Indonesia, we apologize for the fact that [our attack] affected everyone.”
The Jakarta Post was unable to verify the statement, including the claim of the key’s disbursement by Wednesday. Officials at the Communications and Information Ministry and BSSN were not immediately available for comment.
Unfinished tasks
Experts are calling on the government to properly follow up on the country’s prevailing cybersecurity and data protection regulations, rather than focusing on introducing new measures.
A strong security system that protects people’s personal, sensitive data requires synchronization between various policies to ensure they are in line with the Personal Data Protection (PDP) Law, the Institute for Policy Research and Advocacy (ELSAM) wrote in a statement on Sunday.
The rights group called for a thorough audit of the government’s governance of public data, which would be followed by new policies, if relevant, to ensure that standards complied with the prevailing laws.
ELSAM added that President Joko “Jokowi” Widodo and relevant ministries should follow through with the implementation of the PDP Law, including the establishment of a long-awaited data protection oversight agency by October, as mandated by the law.