To establish a solid cyber security system, the government should ensure that its digital infrastructure is secure.

Cybersecurity for Indonesia: what needs to be done?

Indonesia, a country with the fourth-largest growth in internet users in the world, is facing both great opportunities as well as significant threats with the development of digital technology and internet.

Management consultancy firm McKinsey argues that, by embracing digital technology, Indonesia can increase its economic growth by US$150 billion, or 10% of its Gross Domestic Product (GDP), by 2025.

Other research also suggests that digital technology can increase the country’s annual economic growth by 2% as it supports the growth of small to medium enterprises.

However, without solid cybersecurity systems, 150 million internet users in Indonesia are at risk of being caught up in tragic Black Mirror episodes.

In 2018, Indonesia had more than 200 million cyber-attacks.

To deal with these attacks, the government has issued regulations and set up a number of institutions in the Defence Ministry and National Police. Those measures are not enough. Indonesia needs to arm itself with a stronger law and build its digital security systems and industry.

Mapping the threats

As at January 2019, 56% of the Indonesian population, or around 150 million people, are using the internet. The number represents 13% growth from the previous year. The increase is the fourth-biggest in the world after India, China and the United States.

Due to Indonesia’s poor cybersecurity system, the country is subject to frequent attacks. As an illustration, in one week in February Indonesia experienced 1.35 million web attacks.

These cyber attacks are mostly hacking cases, targeting government and corporate websites.

Some government institutions, including the General Elections Commission, Defence Ministry, Indonesian Child Protection Commission, Indonesian Association of Muslim Intellectuals and the chairman of its advisory board, have become targets.

The hackers also target the corporate sector. Cellular telecommunication company Telkomsel was hacked in 2017.

The list goes on.

Aside from attacks by hackers, Indonesia has also suffered from cyber espionage attacks. Australia was accused of spying on the then Indonesian president, Susilo Bambang Yudhoyono, his wife, Ani Yudhoyono, and other senior officials via their mobile phones in 2007 and 2009.

The most recent major cyber-attacks in Indonesia happened during the WannaCry ransomware attack in May 2017. Those attacks infected at least 200,000 computers across 150 countries with the attackers demanding ransoms.

Communication and Information Minister Rudiantara reveals that 12 institutions in Indonesia were attacked, including plantation and manufacturing companies as well as universities.

Strengthening the law

Those cyber attacks occur despite the government’s existing cyber security system, signalling that it may not be effective.

The only current regulations on cyber security are the 2016 Law on Electronic Information and Transactions and 2012 Government Regulation on the Implementation of Electronic Systems and Transactions.

These laws and regulations do not cover procedures to handle cyber interception nor e-commerce governance. They also do not regulate the government’s roles in the cyber security system.

To fill this gap, the government needs to push for the passing of a cyber security bill in the House of Representatives.

The bill is important to help the government differentiate between dealing with attacks on cyber defence and cyber crimes.

Attacks on cyber defence target our national security. These attackers are mostly terrorists or hostile foreign states.

Cyber crimes refer to any criminal offence in cyberspace.

Currently, the government can’t seem to differentiate between the two.

For instance, a 2014 Ministerial Regulation on Cyber Defence Guidelines identifies hacking activists and organised crime groups as cyber defence attackers.

In fact, those actors conventionally do not attack government targets nor national critical infrastructure, nor do they posses any ability to effectively harm the state. They are usually regarded as cyber crime threats.

The misleading identification of the attackers will potentially confuse which institutions should respond to the attack: the Defence Ministry or police.

The boundaries between the two should be clarified so that in the long term there will be no overlapping between government institutions in responding to these attacks.

Establishing good coordination between institutions

The Defence Ministry and the police are among various institutions guarding the country’s cyber security system.

In 2017, the government established the National Cyber and Crypto Agency to lead the coordination of various institutions in implementing cyber security.

The Defence Ministry handles cyber defence, establishing a cyber defence centre to oversee governance of this role. The Armed Forces under the Defence Ministry has set up a cyber unit to carry out cyber defence activities and operations.

Meanwhile the police deal with cyber crimes and have established a cybercrime directorate.

Adding to the mix, the Foreign Affairs Ministry has started employing cyber diplomacy, the use of diplomatic instruments and methods to find solutions for cyberspace issues. For instance, Indonesia is playing an active role discussing cyber norms and cyber crime issues in the United Nations Group of Governmental Experts (UNGGE) and the UN Office on Drugs and Crime (UNODC).

Lastly, to respond to cyber attacks, the Communication and Information Ministry has established a response team to ensure internet security in Indonesia.

Since the coordinating agency was established just two years ago, coordination between these institutions is still at an early stage. In addition, the agency has yet to establish solid infrastructure and designate agencies responsible for each sector.

Developing secure digital infrastructure

To establish a solid cyber security system, the government should ensure its digital infrastructure is secure.

Indonesia is still in the early stage of developing secure digital infrastructure. A 2014 study found that just under 3% of government agencies were secure.

Meanwhile, the development of machine-to-machine (M2M) technology, Internet of Things (IoT) and cloud computing continuously make these institutions more prone to a variety of cyber-attacks.

The development of a digital security system starts with updating cyber security technology to accommodate new cyber threats.

Developing the industry

Lastly, the government should develop the local cybersecurity industry.

Indonesia’s cybersecurity industry is underdeveloped. Foreign hardware and software products still dominate its market. Only the local consulting industry has grown well, providing services such as digital forensics and security.

The National Cyber and Crypto Agency should coordinate with various institutions to create a road map for the development of the industry. Such an objective requires long-term research and planning with large capital backing.