By Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies
With the country’s digital transaction value amounting to $77 billion (or 40% of the region’s total) in 2022, Indonesia continues to be a key player in Southeast Asia’s digital economy. The total digital transaction value is expected to double to $130 billion by 2025, further establishing Indonesia as a significant contributor to the region’s dynamic digital economy. In addition, Indonesia fosters a healthy startup ecosystem and is ranked 6th globally in terms of the number of startups, with over 2,400 businesses. Over the next few years, the country continues to prioritise digital transformation as one of its national priorities.
However, Indonesia’s rapid digitalisation also increases its exposure to challenges such as cyber threats. This includes risks in data breaches in government departments, state-owned enterprises, and financial services sectors which could potentially affect millions of customers. For example, data leaks and identity theft are major concerns, accounting for 88% of cyber attacks in the past three years. A 2021 report by the Ministry of Communications and Informatics (MoCI) revealed that 93% of data leak cases were due to underlying cyber security issues. This highlights the need for Indonesia to pursue efforts that would promote cyber resilience.
Challenges to Indonesia’s Cyber Resilience
Indonesia’s cyber resilience is a concern due to uncertainties in its preparedness for digital transformation across industries. In 2022, National Cyber and Crypto Agency (BSSN) recorded almost a billion cyber attack cases, with over half being malware-related, data leaks accounting for 15%, and trojan activity making up around 10%. In the first half of 2023 alone, Indonesia is recorded to have experienced more than 347 million cyber attack cases, with the highest number of cases being due to ransomware incidents.
In addition to the threats of cyber attacks, there is room for improvement in Indonesia’s regulatory landscape. Currently, laws related to cyber resilience are fragmented. For instance:
- Government Regulation No. 71/2019 focuses on cybercrimes related to electronic transactions, neglecting critical infrastructure attacks
- Ministry of Defence (MOD) Regulation No. 82/2014 addresses military cyber defence but not public cybersecurity
- The Strategic Plans 2020–2024 of MoCI divides responsibilities between MoCI and BSSN for cyber defence and private data protection. The plan includes frameworks for emerging technologies like AI and machine learning, as well as the importance of electronic-based government services and implementing technologies such as big data, machine learning, and blockchain. However, specific action steps to support e-government are not specified, except for the need to collaborate at different governance levels.
- The latest Presidential Decree No. 47/2023 emphasises the National Cyber Security Strategy and Cyber Crisis Management, and part of the key objectives are to protect the national digital economy ecosystem, enhance the strengths and capabilities of Cyber Security resilience, and prioritise national interests while supporting the creation of the global cyberspace. However, there is a need for further governance in the implementation of Cyber Risk and Mitigation. The Cyber Crisis Management of the stakeholders involved, particularly the Electronic System Providers (PSE), demands more comprehensive instructions and audited plans to protect consumers.
A CIPS study revealed shortcomings, including the need for skilled human resources within MoCI, standardised response mechanisms, co-regulation with non-governmental representatives, and clarifying mandates between ministerial bodies.
In terms of personal data protection, the regulation lacks clarity on how the public receives information in case of cyber crimes or data breaches. Communication mechanisms other than Otoritas Jasa Keuangan (OJK), which is the Financial Services Authority of Indonesia’s annual and tri-monthly financial reporting, are unclear. Furthermore, there is no consistent understanding of practical steps for businesses, consumers, and organisations to implement and enhance cybersecurity.
Towards Improved Cyber Resilience in Indonesia
As such, there are key considerations for Indonesia to strengthen its cybersecurity posture. These policy recommendations aim to increase the country’s capability to adapt to the constantly evolving cyber threats.
- Establish the National Cyber Agency to enhance cyber resilience and align with digital economy growth.
- Clarify data and network policies for personal data protection and security through a standardised blueprint, facilitating effective responses from various governmental bodies.
- Set up frameworks and governance for cyber incident reporting, management, and post-incident reviews that stakeholders must adhere to. This includes personal data governance and mitigation to achieve a cyberspace that is open, secure, stable, and responsible.
- Forge international partnerships to cope with the ever-shifting nature of cyber attacks. In relation to this, it is important to utilise the ASEAN Cybersecurity Cooperation Strategy 2021-2025 to adopt standardised cyber measures, including information-sharing, coordination, norms implementation, capacity-building programs, and multilateral engagement.
- Government Regulation No. 27/2022 has been enacted and officially enforced; however, a two-year transition period is applied for personal data controllers. Thus, ensuring the full implementation of Personal Data Privacy is crucial, and a data policy framework should be introduced to protect the nation.
- Consider incorporating TFGI’s resilience framework approach into the development of Indonesia’s framework, bolstering cyber resilience across protection, identification, detection, response, and adapt aspects.
- Creating a platform for the private sector and civil society organisations to share insights and perspectives on cybersecurity. Collaboration among key stakeholders can help protect critical infrastructure from cyber attacks, enhance personal data privacy, and safeguard consumers.
- Sectoral cybersecurity regulations for e-commerce, the financial sector, and relevant industries that involve data collection in day-to-day business activities should include clear mechanisms for coordinating, reporting, and resolving cyber incidents.
- For businesses, encouraging investments in cybersecurity technologies attracts funding and builds customer trust and confidence.
- For regulators, it is important to consider a detailed framework on a risk-based approach to data classification, serving as guidelines for stakeholders to adhere to.
- As emphasised by Indonesia’s major Financial Services and Payment Associations, cooperation between regulators and industry players can help build Indonesia’s cyber resilience.
- Streamlining digital literacy efforts across ministries like MoCI and Ministry of Education and Culture is crucial. This involves improving education from K12 to university. Enhancing teacher skills through comprehensive training is also vital. Businesses and industry associations can provide technical materials to the public for better understanding of digital technology.
- Digital literacy strengthens cyber resilience. Community awareness and cyber security skills are important. Businesses, regulators, and communities should intensify public information campaigns on data protection.
- While the potential of the digital economy is impressive, Indonesia continues to lack digital talents as the first gate to pave the way for growing cybersecurity talents. This urges effective collaboration of programs across ministries
- Addressing the shortage of skilled cyber security professionals is urgent. Leveraging education, immigration, and accreditation pathways can align with the establishment of the National Cyber Agency.
In conclusion, building cyber resilience is a necessary pillar for Indonesia to maintain its position as a key digital economy hub in Southeast Asia. To enhance resilience, harmonising cybersecurity regulations, establishing the National Cyber Agency, and implementing a standardised blueprint for data protection are essential. International partnerships will strengthen Indonesia’s capability to address cyber threats and vulnerabilities. It is important to encourage a whole-of-society approach through creating platforms where governments, businesses, and the civil society can work together. Finally, promoting digital literacy can help address shortages in cybersecurity professionals and also raise the awareness of the public on corresponding cyber risks.
About the writer
Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies. Her interest lies in intersection of the Digital Economy, Financial Education, Digital and Digital Financial Literacy and Inclusion, Consumer Protection).
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.