Indonesia has unleashed a new cyber and encryption agency as a weapon in its long war on cybercrime, online radicalism and fake news, but the Southeast Asian nation still needs to define the office’s scope of authority to prevent bureaucratic overlap and to shake off privacy concerns.
A plan to establish the National Cyber and Encryption Agency (BSSN) was put forth four years ago when President Joko Widodo took office, but the agency only started work in January after Major General Djoko Setiadi was installed as its leader. The agency faces myriad tasks, such as squeezing terrorist cells’ online communications, curbing radical content and hoaxes on the internet, securing digital payments and e-commerce systems, tracking cybercrimes and consolidating the nation’s vast cybersecurity elements. BSSN itself is a revitalisation of the country’s existing national encryption agency, and it reports directly to Widodo.
“We have to work together to address cyber threats,” Setiadi said during a panel discussion held by the Jakarta Foreign Correspondents Club. “BSSN will coordinate with all of the [existing] governmental cyber units, including those in the police and armed forces.”
The agency currently has no operating budget, but it has requested 3 trillion Indonesian rupiah (US$217 million) from parliament, which would be used to hire hundreds of information technology experts. The lack of an operating budget creates concerns that cyber units working under the direction of BSSN will be forced to stop temporarily, including the crucial Indonesia Security Incident Response Team on Internet Infrastructure.
“We need [the incident response team] to come back to life, it’s a very important response unit. When the WannaCry virus was first detected in Indonesia they quickly notified us and gave us directions on how to handle it,” said Sylvia Sumarlin, chairman of Jakarta-based Indonesian Information Technology Federation, referring to last year’s global ransomware attack that crippled England’s National Health Service and two large hospitals in Indonesia, among others.
Another concern is that the agency’s scope of authority is too broad, tasked with coordinating all the existing cyber response teams when it is unclear whether it has the authority to enforce the law.
“What we want to know now is the [agency’s] authority,” Sumarlin said. “If they do have the authority to enforce the law then they need a law enforcement unit, like the National Security Agency in the United States, but now we don’t know whether to report an attack to the police’s cybercrime unit or to the ministry of communications and information.”
Setiadi said that among Indonesia’s biggest cyber threats this year were online hoaxes on social media, which are predicted to proliferate during the election season.
“Indonesia will hold simultaneous local elections this year, then a presidential election next year, and BSSN has the responsibility to maintain political stability and communications security [during those periods] so we have to fend off fake news,” Setiadi said.
Setiadi didn’t respond to This Week in Asia’s question about whether the agency would resort to monitoring private chats on messaging applications such as WhatsApp and Line, where fake news could easily be distributed.
Like the rest of the world, Indonesia has grappled with the spread of fake news. It has played a major role in inflaming political, racial and religious tensions in the Muslim-majority nation. Half of Indonesia’s 250 million people are connected to the internet and have at least one account on social media platforms such as Facebook and Twitter. Indonesians also spend an average three hours per day on messaging apps, which have been used by Islamic militants to spread their ideology and raise donations.
Last year’s gubernatorial election in Jakarta highlights the struggle to contain doctored news in Indonesia.
Incumbent Basuki Tjahaja Purnama, an ethnic Chinese Christian, was imprisoned for two years on a blasphemy charge after a video purportedly showing him insulting the Koran during a speech went viral. The video prompted a massive protest by hardline Islamic groups that demanded Purnama be jailed.
Widodo has also fallen victim to fake news assaults, including those that claimed he was of Chinese-Christian descent and a member of the now-defunct Communist Party during his 2014 presidential campaign.
In August, Indonesian police detained three people who allegedly operated a business to create and distribute politically charged phoney stories, in what could be the country’s biggest fake news-related bust to date. The group, called Saracen, distributed false content through hundreds of thousands of social media accounts, mainly on Facebook, the police said.
Indonesian lawmakers have proposed a revision to the country’s outdated criminal code to include provisions about fake news, but critics say the law is too broad and would be oppressive if passed. In the draft, any person who distributes fake news resulting in upheaval would be handed a maximum of six years in prison, although definitions of what constitutes “upheaval” and “fake” remain vague.
“The high level of state control of online content and activity has continued to increase, without a commensurate increase in Indonesia’s transparency on cyber issues,” Australian Strategic Policy Institute’s International Cyber Policy Centre said in its latest cyber maturity research, which tracks nations’ approaches to cyber policy and cybersecurity. “A more coordinated, transparent and contestable approach to cyber issues would improve Indonesia’s cyber maturity.”
Fake news is also causing headaches among other Southeast Asian regulators. Malaysia’s de facto law minister, Datuk Seri Azalina Othman Said, told local media that Kuala Lumpur may introduce a new regulation to tackle fake news. In Singapore, a new committee will be established by parliament to study and respond the growing trend of online falsehoods.
Among Southeast Asian countries, Indonesia’s cyber maturity is ranked fourth behind Singapore, Malaysia and Brunei, according to ASPI research. Indonesia, however, fares better than Thailand, Vietnam, the Philippines and Cambodia.
“We observed attacks by state-sponsored cyber espionage operations against organisations in Indonesia last year. China, for one, continues to demonstrate an interest in Indonesian affairs through its attacks, and we have observed Chinese groups launching attacks during this period,” said Bryce Boland, Asia-Pacific chief technology officer at California-based cybersecurity company FireEye. “China is one of the most active actors in Asia, but we’ve even seen Vietnam direct attacks on its neighbours and on foreign multinationals.”
Financially motivated cybercrimes are also rampant in Indonesia, with actors using ransomware, bank fraud and spear phishing attacks on the financial services industry, Boland said. Last year, Indonesia arrested 153 Chinese nationals who operated an online fraud syndicate in the country. The group raked in US$450 million in 2017.
“We sometimes see attackers resort to using ‘watering hole’ attacks, where they use a website of interest to their targets to profile victims and then launch secondary attacks based on what they learn,” Boland said.
Critics say that until the cyber agency’s role is clearly defined and gets funding, Indonesia’s efforts are likely to be hobbled by bureaucratic overlap and a lack of national governance on its road map for cybersecurity. That road map, analysts say, is an urgent priority that can’t rely on foreign cybersecurity standards alone.
“More effective coordination and governance frameworks, such as a national-level cyber strategy, would prove beneficial for Indonesia’s cyber maturity,” ASPI research said. “Indonesia continues to be a leading source of malware in Southeast Asia, which suggests that Indonesia’s law enforcement efforts against cybercrime could be improved.”