In general, privacy and protection of personal data on the Internet have become issues of public concern in Indonesia

An Indonesian student flying a national flag runs in front of security officers blocking the way. (Photo by JOHN MACDOUGALL / AFP)

After new data law, cybersecurity fears in Indonesia higher than ever

Indonesia has just passed its historic first data protection law, but it is not allaying cybersecurity concerns. If anything, observers in Southeast Asia’s largest economy are worried that the new legislation leaves critical loopholes, ripe for attack by opportunistic intruders.

The new law, six years in the making, mainly revolves around the protection of personal user data, criminal charges for data breaches, and administrative sanctions for violators of various offences. Under the new ruling, both private and public sector data processors will be given a two-year grace period to establish encryption and other cyber protection measures for their organizations, as well as to obtain permission from users before harvesting or sharing their data. They will also have to prominently notify users of how (and for what purposes) their data will be used.

The new cybersecurity laws came into effect in Indonesia following a string of high-profile cyber incidents, including one where the perpetrator attempted to sell supposed correspondence to and from President Joko Widodo, and another where data was stolen from over a billion Indonesian SIM cards.

Other data breaches targeting the country’s critical infrastructure – including attacks on the Elections Commission (KPU), the Ministry of Communication and Information, healthcare and social security agency BPJS, telecommunications giant Telkom, and state-owned power utility Perusahaan Listrik Negara (PLN) – have all occurred in the very recent past.

In the first two months of 2020 alone, the National Cyber and Encryption Agency of Indonesia (BSSN) reported 88.4 million cybersecurity incidents. That figure rose to 423.4 million before the year was out, and over 50% resulted from malicious trojan activity. The deepening and increasingly savvy cyber intrusions indicate a troubled data protection landscape in the nation, one that critics say the new legislation barely begins to cover adequately.

For personal data offences, violators can be jailed for four to six years, with fines ranging from four to six billion rupiah (US$266,000 to $399,000) along with additional compensatory damages. In the event of a breach, affected organizations only need to notify affected parties within 72 hours, while facing sanctions amounting to written warnings, temporary suspensions, and fines of no more than 2% of annual income or revenues – steps that are not seen as punitive enough to function as an effective deterrent against future lax countermeasures.

Many of the issues appear to stem from regulations that many feel will not be enforced as fairly over governmental and administrative organizations as over private enterprise. For instance, in the case of a regulated oversight agency, one Indonesian cyber researcher told the Asia Times that should the agency fall under the supervision of the communications ministry, offenders from government agencies who practiced poor data hygiene would be treated differently than those from the private sector.

Cybersecurity specialists in Indonesia believe that the politicians drafting the legislation do not understand enough about IT systems, security or privacy issues to craft effective regulations, or to build in safeguards that circumvent the country’s notoriously graft- and corruption-prone political and judicial systems. One cyber specialist mentioned how most ministries only take short-term steps when a data breach occurs, instead of putting mitigation systems in place to root out future mishaps.

Digital and mobile banking systems are also under threat, with Indonesia’s central bank, Bank Indonesia, reporting a ransomware attack that had affected its network but had been prevented from causing operational damage. And in mid-2021, hackers managed to evade BPJS security protocols to procure the personal information of the entire 279 million-strong population. The data gained included national ID numbers, salary information and phone numbers.