Password negligence suspected to have caused Indonesia cyber attack

Indonesia’s Politic, Law and Security Affairs Coordinating Minister, Marshal (Ret.) Hadi Tjahjanto revealed the forensic results on the cause of the cyberattack on the Temporary National Data Centre (PDN)-2 located in Surabaya, East Java.  

"From the forensic results, we have been able to find out who is the user who [negligently] used his password and eventually caused these very serious problems," said Tjahjanto after a coordination meeting with the Minister of Kominfo and the Chief of the National Cyber and Crypto Agency (BSSN), in Jakarta, July 1. 

The government will take legal action against the person in accordance with the applicable rules. 

Tjahjanto emphasised that cybersecurity protocols in each government agency must be tightened immediately following this incident. In the future, users accessing the Temporary PDN system will be monitored directly by BSSN, including in terms of password usage.  

"When determining and using passwords, we must be careful, we cannot be careless anymore," he said. 

The brain chiper ransomware attacked the Temporary PDN-2 in the early hours of June 20, crippling more than 200 central and local government services, including immigration checks and autogate services at five overseas arrival points.  

BSSN detected an attempt to disable security features in the system three days before the attack, which allowed malicious activity to proceed. 

All services are expected to be restored this month 

Minister Tjahjanto explained that the government is currently running Temporary PDN-1 located in Batam, Riau Islands, as a disaster recovery centre (DRC). "With the capability upgraded to a hot site, the affected strategic public services can be restored this month." 

The Government will also prepare data placement and backup arrangements in layers according to the level of data classification ranging from strategic data, limited data, and open data.  

Tjahjanto highlighted that this data backup will be carried out using cloud services. "General data such as statistical data and so on will be stored in the cloud, so that it does not fill up the PDN capacity," he added. 

Data backup will be mandatory 

When the House of Representatives summoned the BSSN Chief, Hinsa Siburian, and Kominfo Minister, Budi Arie Setiadi, on June 27 to a hearing on the incident, it was revealed that the agencies' compliance with cybersecurity protocols and data governance was low.  

Siburian revealed that only two per cent of Temporary PDN-2 data was backed up. This means it is almost certain that most of the data will be lost. "This is the result of our checking; the cause is the absence of backups." 

He further referred to BSSN Regulation Number 4 of 2021 on Guidelines for Information Security Management of Electronic-Based Government Systems. The guideline states: "each tenant is required to periodically backup information and software in PDN".  

Meanwhile, Setiadi explained that many government agencies do not have data backups because there is no budget, or due to difficulties in explaining the need and urgency of having data backups to auditors.  

"We will soon make a regulation that data backup is mandatory, no longer optional," he said. 

However, both officials agreed to sit down together to quickly determine the next steps in developing a PDN ecosystem architecture that has a sustainable and permanent level of cybersecurity. 

Weak password indicates PDN management unprofessional 

Communication and Information System Security Research Centre Chairman, Pratama Persadha, said to Kompas that the password omission showed that the PDN manager was not professional. This was because creating strong passwords is a basic networking lesson.  

"If it is true that the Ministry of Kominfo or tenants use passwords that are easy to guess, easy to crack, it means their class is not an IT management class," said Pratama. 

Pratama emphasised that creating a strong password is a basic lesson when one uses the network. Among other things, it must be at least eight characters, consist of upper- and lower-case letters, use symbols, two-factor authentication, change passwords regularly, and so on. In addition, access to passwords must be restricted.