The “DarkSide” ransomware cyber-attack on the US-based gasoline facility Colonial Pipeline, which has disrupted East Coast fuel supplies and invoked emergency legislation, has once again highlighted the vulnerability of a nation’s critical infrastructure to malicious cyber activity. In Australia’s immediate region, recent policy developments in Indonesia also suggest a growing awareness about the vulnerability of national critical infrastructure to cyber-attack, and the need to hasten comprehensive regulatory and policy responses. Australian security agencies are well-placed to play a key role in partnership with Indonesia as it moves to strengthen its cyber security fundamentals.
On 13 April, Indonesian President Joko (Jokowi) Widodo, moved to augment the institutional authority of Indonesia’s National Cyber and Crypto Agency (BSSN) via presidential executive order, also known as a “presidential decree” (perpres). Presidential Decree 28/2021 cements BSSN’s status as an agency reporting directly to the president, enhancing both its agility and authority outside individual ministry, and coordinating ministry frameworks. The decree specifically strengthens the agency’s structure, functions, responsibilities and funding base. It aims to boost the “efficiency and effectiveness of BSSN”, and in so doing, enhance “national security, sovereignty, and data protection” provisions.
Importantly, the BSSN decree is set to be followed by an additional three related decrees pertaining to: 1) the release of Indonesia’s first national cybersecurity strategy 2020–24; 2) the management of national cyber crises; and 3) vital national information infrastructure. Through these decrees, Indonesia aims to further build, secure and utilise cyberspace for the advancement of Indonesia’s national interests, and better position the country in terms of geopolitics and global economic competitiveness.
Leveraging cooperation with Australia and other Indo-Pacific states is essential for Indonesia to achieve its cyber security objectives
Although, presidential decrees and government regulations in lieu of law (perppu) in Indonesia can be controversial based on their circumvention of legislative processes, their utility to national security lies in the executive’s ability to respond rapidly to shifting policy imperatives. Prior to Jokowi’s signature of the BSSN decree, two legislative bills, one related to Cyber Security and Resilience, and the other on Personal Data Protection, had been included in Indonesia’s priority legislative agenda (prolegnas) for 2020. However, these were later excluded with the impact of Covid-19 on Indonesia’s legislative processes cited for the delay.
Strengthening the legal and policy fundamentals of cybersecurity and cryptology is essential if Indonesia is to grow its digital economy, embrace the so-called fourth industrial revolution, and protect critical infrastructure and information security assets. The country is home to approximately 175 million internet users, the sixth largest user base in the world. Its unicorns Tokopedia, Gojek, Traveloka and Bukalapak represent some of the biggest start-ups in Southeast Asia. Yet Indonesia is also the victim of an increasing number of cyber-attacks with over 423 million recorded to the end of 2020, according to BSSN figures. Moreover, the country ranks poorly on digital civility, with a recent index compiled by Microsoft, placing Indonesia at the lowest position among Asian countries.
As Indonesian scholars and officials readily acknowledge, the efficacy of Indonesia’s national security policies has long been hampered by the absence of an overarching legislative framework, institutional rivalries, and overlap in responsibilities. Moreover, dynamics between the military and police, between rival security agencies, and in civil-military relations have undermined strategic clarity and policy coherence in a range of national security policy areas including counter terrorism, maritime security, and cyberspace. And despite positive developments in the policy and institutional foundations of Indonesia’s cyber security, BSSN officials and cyber security experts readily concede much remains to be done.
In fact, the presidential decree on Indonesia’s cyber security strategy should have preceded the BSSN and two remaining decrees, as it provides foundational strategic guidance on Indonesia’s conception of, and approach to, the cyber domain. It also aligns cyber security goals with broader strategic, economic and foreign policy objectives. Moreover, the strategy details priority areas for policy implementation and includes performance metrics with respect to governance mechanisms, readiness and resilience, vital infrastructure, capability and capacity, legislation and regulation, and international cooperation. Clearly, approval of the remaining decrees on strategy, crisis management and vital information infrastructure is pressing in 2021 if Indonesia is not to suffer further negative consequences of policy and regulatory lag.
Enhancing Indonesia’s cyber security by leveraging cooperation with Australia and other Indo-Pacific states is essential for Indonesia to achieve its cyber security objectives. We recently contributed to a University of Queensland think piece on “Cybersecurity Governance in the Indo-Pacific: Policy Futures in Australia, Indonesia and the Indo-Pacific” alongside experts from BSSN, Australia’s Department of Home Affairs and Indonesia’s National Defence University (Unhan), which recommended a number of innovative and practical solutions to enhance regional cyber security resilience. One of the more interesting ideas included producing a cyber security television series modelled on the highly popular Seven Network’s “Border Security: Australia’s Frontline”, which could be streamed into Southeast Asia and the Pacific and subtitled.
Preparation in partnership with regional countries for a national and regional communication scenario with minimal or complete internet outage was also recommended, as were the introduction of key performance indicators on cyber security literacy for public sector officials. Access to university-delivered online micro-credentialled programs can also quickly build policy makers and legislators’ knowledge base and awareness.
In terms of regional defence and diplomatic engagement, Indonesian contributors saw value in a more institutionalised approach to regional coordination and communication among regional cyber security agencies in order to enhance emergency response, including during live incidents. The establishment of an ASEAN Centre of Excellence modelled on the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, adapted to the local context for ASEAN, Australia, New Zealand and Pacific Island countries, could also facilitate collaborative research. In addition, replicating a conference similar to the NATO International Conference on Cyber Conflict (CyCon) in this region would allow participants to engage in red team exercises, live-fire challenges, and provide a safe and unclassified platform for interdisciplinary training and network building. An ASEAN Centre of Excellence could further establish a database of publications and national cyber security policy and legal documents, and an international cyber law interactive toolkit for regional policy makers and legislators.
Jokowi’s presidential decree on BSSN has sought to better position Indonesia’s principal cyber security agency for the opportunities and risks represented by what is referred to as a fifth domain of warfare. Achieving broader policy coherence and unity of action, however, both between government agencies and between government and non-government stakeholders, remains a challenge. In partnership with universities, Australian foreign policy and national security agencies are well-placed to adopt practical and innovative solutions, which can support Indonesia to advance its national cyber security objectives.