Indonesia needs to take hard decisions on its cybersecurity posture

By Mochamad Azhar

To restore public trust, the government's efforts to restore its national data centre, following the crippling ransomware attack, must be accompanied by a clear enunciation of plans to ensure that future attacks can be prevented or mitigated.

The ransomware attack on Indonesia's national data centre has forced the Government to take hard decisions on its cybersecurity posture. Image: Canva

With nearly a month passing since a ransomware attack crippled most of its public services, the Indonesian government is yet to announce any strategic plans to strengthen the cyber resilience of the country, and this raises the question of what the government will do if it is faced with a similar or larger attack.  


The government is yet to restore all public services affected by the attack on Indonesia’s Temporary National Data Centre (PDN) 2 despite obtaining the decryption keys for free from the hacker group.


On July 13, the Coordinator-Minister for Political, Legal and Security Affairs, Hadi Tjahjanto, gave an update that they managed to restore 86 services from 16 service owners while promising that all affected services (282) will be restored this month.  


It has been obvious for a long time now that Indonesia’s cyber resilience posture has gaps, with several large-scale security breaches having occurred over the past three years: in 2023, there was a ransomware attack on Bank Syariah Indonesia; in 2022, an alleged data leak at the Ministry of Health's Health Alert Card application happened; and in 2021, BPJS Kesehatan patients' data was hacked.


This explains why Indonesia's cybersecurity ranking is languishing at 49 in the world and number five in ASEAN behind Malaysia, Singapore, Thailand and the Philippines.

Closing the security gap  


The hard lesson learnt from the cyberattack on Temporary PDN 2 has been how a lack of awareness of cyber threats, coupled with the absence of compliance with industry standards, dramatically increased security risks.


The first call for action should be the government mandating that every data centre manager complies with their obligation to “maintain a reliable and secure electronic system and be responsible”, as stated in Article 3 of Government Regulation No 71/2019 on the Implementation of Electronic Systems and Transactions.   


The preliminary investigation concluded that password negligence had opened a security hole in the Temporary PDN 2 network and triggered the attack. The investigation, however, gave no further explanation regarding what the negligence was, and whether it was, as reported in the media, a silly mistake such as an “easy-to-guess” password or was actually an attempt at sabotage.


A security audit of all data centre facilities should be conducted as soon as possible, and the audit should focus on improving governance and standard security protocols and on ensuring that all frontline staff adhere to compliance standards.


Adopting a Zero Trust approach to network access, which includes strictly limiting user access to key systems and the use of multifactor authentication, is a simple protocol that is easy to implement if there is a will to comply.

Make data backup mandatory  


A meeting between the House of Representatives and the Head of BSSN and Minister of Communication and Information on June 27 revealed an astonishing fact: since the Temporary PDN was launched in 2021, only two per cent of the data has been backed up. The reason cited: the extra cost of data backup.


The regulation that places PDN data backup as “optional” is an unnecessary compromise that ultimately harms all stakeholders. This regulation must be changed as soon as possible.


An official recounted how this incident had triggered immense panic among PDN tenants from the central and local governments as they did not have backup data storage facilities. They were looking at losing decades' worth of data, which was gone in an instant.

Is personal data safe?  


The government has not been transparent in explaining the extent of the damage caused by the failure of their cloud computing services and the implications of the attack on potential data leaks, particularly personal data.   


Till now, the public has not received adequate information about whether there was any personal data leaked due to the attack, what steps the authorities have taken to save or recover the data and what the mitigation plans are.   


Of the 210 national and local government agencies that use the Temporary PDN 2 facility, some are government agencies that provide vital services and manage personal data.   


The Ministry of Education reported that the ransomware attack caused them to lose access to the Student Indonesia Smart Card (KIP) service domain and that the data of more than 800,000 scholarship candidates were lost.


Meanwhile, the Directorate of Immigration manages data on travellers in and out of Indonesia – including processing data on applicants for 60,000 pending passports.   


Under the provisions of Article 46 of Law No 27/2022 on Personal Data Protection, personal data managers are obliged to notify data subjects in the event of a data breach within 72 hours. This notification must contain information regarding what personal data was disclosed, when and how the personal data was disclosed, and recovery efforts by the personal data manager.  


Allowing the public to be overwhelmed by the confusion of information related to the fate of their personal data without any certainty of when this problem can be resolved only increases public distrust of the government in dealing with cybercrime.  

Urgent requirement for a cybersecurity law


Indonesia must immediately pass the Cybersecurity Bill, which has been stalled since 2019. This law is important as a foundation for strengthening cybersecurity infrastructure, creating more binding responsibilities from an institutional perspective, and establishing penalties for violations. 


For institutions such as BSSN, the law will provide a strong foundation to increase resources to detect threats. For data centre facility managers and users, it will increase organisational discipline in safeguarding and managing data and services.   


In this regard, neighbouring countries such as Singapore and Malaysia are already ahead in the game. Singapore has updated its Cyber Resilience Act this year to keep pace with the evolving cyber threat landscape.   


Meanwhile, Malaysia passed the Cybersecurity Bill on April 3, in a bid to improve its cybersecurity posture and devote more resources to combating cyberattacks, which includes the establishment of a government agency to lead the effort along with the private sector.


Senior technology officials in the government shared that Indonesia's Cybersecurity Bill also needs to address aspects of cyber cooperation with the private sector, given the government's demand for technology and the greater need for cyber talent in institutions.