Indonesia’s Cyber Resilience: At the Epicenter of ASEAN Digital Economy Growth

Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies (CIPS), examines the gaps and challenges that Indonesia faces in tackling cybersecurity threats and shares her recommendations. This article builds on Tech For Good Institute’s (TFGI) latest research on cyber resilience.

This copy is also available in Bahasa Indonesia, click here to read

By Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies

With the country’s digital transaction value amounting to $77 billion (or 40% of the region’s total) in 2022, Indonesia continues to be a key player in Southeast Asia’s digital economy. The total digital transaction value is expected to double to $130 billion by 2025, further establishing Indonesia as a significant contributor to the region’s dynamic digital economy. In addition, Indonesia fosters a healthy startup ecosystem and is ranked 6th globally in terms of the number of startups, with over 2,400 businesses. Over the next few years, the country continues to prioritise digital transformation as one of its national priorities.  

However, Indonesia’s rapid digitalisation also increases its exposure to challenges such as cyber threats. This includes risks in data breaches in government departments, state-owned enterprises, and financial services sectors which could potentially affect millions of customers. For example, data leaks and identity theft are major concerns, accounting for 88% of cyber attacks in the past three years. A 2021 report by the Ministry of Communications and Informatics (MoCI) revealed that 93% of data leak cases were due to underlying cyber security issues. This highlights the need for Indonesia to pursue efforts that would promote cyber resilience. 

Challenges to Indonesia’s Cyber Resilience

Indonesia’s cyber resilience is a concern due to uncertainties in its preparedness for digital transformation across industries. In 2022, National Cyber and Crypto Agency (BSSN) recorded almost a billion cyber attack cases, with over half being malware-related, data leaks accounting for 15%, and trojan activity making up around 10%. In the first half of 2023 alone, Indonesia is recorded to have experienced more than 347 million cyber attack cases, with the highest number of cases being due to ransomware incidents.

In addition to the threats of cyber attacks, there is room for improvement in Indonesia’s regulatory landscape.  Currently, laws related to cyber resilience are fragmented.  For instance: 

  • Government Regulation No. 71/2019 focuses on cybercrimes related to electronic transactions, neglecting critical infrastructure attacks 
  • Ministry of Defence (MOD) Regulation No. 82/2014 addresses military cyber defence but not public cybersecurity 
  • The Strategic Plans 2020–2024 of MoCI divides responsibilities between MoCI and BSSN for cyber defence and private data protection. The plan includes frameworks for emerging technologies like AI and machine learning, as well as the importance of electronic-based government services and implementing technologies such as big data, machine learning, and blockchain. However, specific action steps to support e-government are not specified, except for the need to collaborate at different governance levels.
  • The latest Presidential Decree No. 47/2023 emphasises the National Cyber Security Strategy and Cyber Crisis Management, and part of the key objectives are to protect the national digital economy ecosystem, enhance the strengths and capabilities of Cyber Security resilience, and prioritise national interests while supporting the creation of the global cyberspace. However, there is a need for further governance in the implementation of Cyber Risk and Mitigation. The Cyber Crisis Management of the stakeholders involved, particularly the Electronic System Providers (PSE), demands more comprehensive instructions and audited plans to protect consumers.

A CIPS study revealed shortcomings, including the need for skilled human resources within MoCI, standardised response mechanisms, co-regulation with non-governmental representatives, and clarifying mandates between ministerial bodies.

In terms of personal data protection, the regulation lacks clarity on how the public receives information in case of cyber crimes or data breaches. Communication mechanisms other than Otoritas Jasa Keuangan (OJK), which is the Financial Services Authority of Indonesia’s annual and tri-monthly financial reporting, are unclear. Furthermore, there is no consistent understanding of practical steps for businesses, consumers, and organisations to implement and enhance cybersecurity.

Towards Improved Cyber Resilience in Indonesia

As such, there are key considerations for Indonesia to strengthen its cybersecurity posture.  These policy recommendations aim to increase the country’s capability to adapt to the constantly evolving cyber threats. 

  • Establish the National Cyber Agency to enhance cyber resilience and align with digital economy growth.
  • Clarify data and network policies for personal data protection and security through a standardised blueprint, facilitating effective responses from various governmental bodies. 
  • Set up frameworks and governance for cyber incident reporting, management, and post-incident reviews that stakeholders must adhere to. This includes personal data governance and mitigation to achieve a cyberspace that is open, secure, stable, and responsible.
  • Forge international partnerships to cope with the ever-shifting nature of cyber attacks. In relation to this, it is important to utilise the ASEAN Cybersecurity Cooperation Strategy 2021-2025 to adopt standardised cyber measures, including information-sharing, coordination, norms implementation, capacity-building programs, and multilateral engagement.
  • Government Regulation No. 27/2022 has been enacted and officially enforced; however, a two-year transition period is applied for personal data controllers. Thus, ensuring the full implementation of Personal Data Privacy is crucial, and a data policy framework should be introduced to protect the nation.
  • Consider incorporating TFGI’s resilience framework approach into the development of Indonesia’s framework, bolstering cyber resilience across protection, identification, detection, response, and adapt aspects.
  • Creating a platform for the private sector and civil society organisations to share insights and perspectives on cybersecurity. Collaboration among key stakeholders can help protect critical infrastructure from cyber attacks, enhance personal data privacy, and safeguard consumers. 
  • Sectoral cybersecurity regulations for e-commerce, the financial sector, and relevant industries that involve data collection in day-to-day business activities should include clear mechanisms for coordinating, reporting, and resolving cyber incidents.
  • For businesses, encouraging investments in cybersecurity technologies attracts funding and builds customer trust and confidence. 
  • For regulators, it is important to consider a detailed framework on a risk-based approach to data classification, serving as guidelines for stakeholders to adhere to.
  • As emphasised by Indonesia’s major Financial Services and Payment Associations, cooperation between regulators and industry players can help build Indonesia’s cyber resilience.
  • Streamlining digital literacy efforts across ministries like MoCI and Ministry of Education and Culture is crucial. This involves improving education from K12 to university. Enhancing teacher skills through comprehensive training is also vital. Businesses and industry associations can provide technical materials to the public for better understanding of digital technology.
  • Digital literacy strengthens cyber resilience. Community awareness and cyber security skills are important. Businesses, regulators, and communities should intensify public information campaigns on data protection. 
  • While the potential of the digital economy is impressive, Indonesia continues to lack digital talents as the first gate to pave the way for growing cybersecurity talents. This urges effective collaboration of programs across ministries
  • Addressing the shortage of skilled cyber security professionals is urgent. Leveraging education, immigration, and accreditation pathways can align with the establishment of the National Cyber Agency.

In conclusion, building cyber resilience is a necessary pillar for Indonesia to maintain its position as a key digital economy hub in Southeast Asia. To enhance resilience, harmonising cybersecurity regulations, establishing the National Cyber Agency, and implementing a standardised blueprint for data protection are essential. International partnerships will strengthen Indonesia’s capability to address cyber threats and vulnerabilities. It is important to encourage a whole-of-society approach through creating platforms where governments, businesses, and the civil society can work together. Finally, promoting digital literacy can help address shortages in cybersecurity professionals and also raise the awareness of the public on corresponding cyber risks.  

About the writer

Dr. Kartina Sury, Senior Fellow at the Center for Indonesian Policy Studies. Her interest lies in intersection of the Digital Economy, Financial Education, Digital and Digital Financial Literacy and Inclusion, Consumer Protection). 

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.

Download Report

Download Report

Latest Updates

Latest Updates​

Keep pace with the digital pulse of Southeast Asia!

Never miss an update or event!

Mouna Aouri

Programme Fellow

Mouna Aouri is an Institute Fellow at the Tech For Good Institute. As a social entrepreneur, impact investor, and engineer, her experience spans over two decades in the MENA region, South East Asia, and Japan. She is founder of Woomentum, a Singapore-based platform dedicated to supporting women entrepreneurs in APAC through skill development and access to growth capital through strategic collaborations with corporate entities, investors and government partners.

Dr Ming Tan

Founding Executive Director

Dr Ming Tan is founding Executive Director for the Tech for Good Institute, a non-profit founded to catalyse research and collaboration on social, economic and policy trends accelerated by the digital economy in Southeast Asia. She is concurrently a Senior Fellow at the Centre for Governance and Sustainability at the National University of Singapore and Advisor to the Founder of the COMO Group, a Singaporean portfolio of lifestyle companies operating in 15 countries worldwide.  Her research interests lie at the intersection of technology, business and society, including sustainability and innovation.

 

Ming was previously Managing Director of IPOS International, part of the Intellectual Property Office of Singapore, which supports Singapore’s future growth as a global innovation hub for intellectual property creation, commercialisation and management. Prior to joining the public sector, she was Head of Stewardship of the COMO Group and the founding Executive Director of COMO Foundation, a grantmaker focused on gender equity that has served over 47 million women and girls since 2003.

 

As a company director, she lends brand and strategic guidance to several companies within the COMO Group. Ming also serves as a Council Member of the Council for Board Diversity, on the boards of COMO Foundation and Singapore Network Information Centre (SGNIC), and on the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

In the non-profit, educational and government spheres, Ming is a director of COMO Foundation and Singapore Network Information Centre (SGNIC) and chairs the Asia Advisory board for Swiss hospitality business and management school EHL. She also serves on  the Council for Board Diversity and the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

Ming was educated in Singapore, the United States, and England. She obtained her bachelor’s and master’s degrees from Stanford University and her doctorate from Oxford.