Two years later, Indonesia has been hit by an unprecedented campaign of doxxing — the targeted, malicious publication of individuals’ personal information — and wholesale data leaks. Perpetrated by an anonymous hacker or team of hackers using the alias ‘Bjorka’, sensitive data from intelligence agencies, state-owned enterprises, businesses and millions of ordinary citizens was exposed.
While questions remain about the identity and motivations of Bjorka — which claims to be Warsaw-based and seeks to redress abuses of power by security officials — their attack has resulted in the passage of the long-delayed Personal Data Protection (PDP) Bill. The leaks have also highlighted ongoing problems with the institutional basis of cybersecurity governance. This is seen in the failure of Indonesia’s National Cyber and Encryption Agency (BSSN) to realise its vision and mandate.
The PDP Bill had been languishing in Indonesia’s formal parliamentary to-do list since 2020 but was first mooted in 2012. It includes greater safeguards and rights for citizens and compels data custodians to inform individuals about ‘what data they possess, who they are sharing it with and why’. But doubts remain over the efficacy of the mooted oversight body and its responsibilities towards existing agencies.
The PDP Law has also been criticised for uncertainty over ‘what constitutes a crime’. Such ambiguity risks further overreach by law enforcement agencies, as evident in the use of the Information and Electronic Transactions Law as an instrument to silence critics under its criminal defamation provisions.
The PDP Law still requires a suite of enabling regulations to be effective and cannot by itself remedy Indonesia’s cybersecurity weaknesses. Indonesia’s cybersecurity problems are complex and can be attributed to a number of factors, including lack of political will, interagency rivalries and patronage politics. These variables hinder progress on the strategic, legal and policy foundations of Indonesia’s cybersecurity. They also erode bureaucratic professionalism.
Established in 2017 by presidential regulation, the vision for BSSN was to be an internationally respected, versatile organisation that possesses strong technical expertise. Yet when benchmarked against the International Telecommunication Union’s Guide to Developing a National Cybersecurity Strategy, Indonesia only partially achieves the principles of ‘Cybersecurity Good Practice’.
The importance of a national cybersecurity strategy was noted in a subsequent Government Regulation order on the Organisation of Electronic Systems and Transactions. Yet three years later, this strategy — which provides guidance for policy formulation and implementation — remains in draft form. Meanwhile, the overarching Cyber Security and Resilience Bill, which would codify all aspects of cyber resilience, was included in the House of Representatives’ 2020 legislative program but has never materialised.
Lack of progress on the Cyber Security and Resilience Bill is partly attributable to negative reactions from the business community and legitimate concerns from civil society about some onerous provisions. Indonesia’s authoritarian past and recent democratic regression make national security legislation highly contentious — particularly regarding powers that may enhance authorities’ ability to monitor and stymie online expression.
Reportedly, the bill has also been hampered by opposition from powerful rival agencies, including the Ministry for Communication and Information and the Indonesian National Police and State Intelligence Agency. All these agencies could potentially lose out to an empowered BSSN and its political patrons.
The problems with Indonesia’s cybersecurity governance are rooted in the country’s political culture. Bjorka made their views on the perceived lack of executive competency clear when they tweeted, ‘The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces because they are just people — stupid people’.
Bjorka’s criticism reflects current executive appointments in BSSN and beyond. The agency is top-heavy with retired and serving Indonesian Armed Forces (TNI) officers and Police officers, including its Head, Vice Head and four deputies.
Nothing indicates that the TNI and police officers are less competent than their civilian counterparts. But critics and international indices identify a lack of cybersecurity policy proficiency in Indonesia’s public sector. The National Cyber Security Index, a global index which measures countries’ preparedness to prevent and manage cyber incidents, ranks Indonesia 84th and puts its cybersecurity policy development at zero ‘fulfilment percentage’. This contrasts with fellow ASEAN state Thailand, which is ranked 40th, with its cybersecurity policy development at 86 per cent.
Some view BSSN appointments as sinecurial or promotional opportunities for retiring military officers — the latter symptomatic of a broader logjam in the TNI’s organisational structure.
The Bjorka case reveals the Widodo Government’s disturbing apathy toward the fundamentals of internet security. Cybersecurity policy coherence is important not only for safeguarding Indonesia’s national security, but also the country’s sovereignty and prosperity.
In light of the Bjorka attacks, the president and cabinet should make cybersecurity governance a national priority. In addition to strategic and legislative fundamentals, this includes appropriate funding for the BSSN, merit-based appointments of technically proficient agency heads and strategic development of Indonesia’s cybersecurity workforce.
It remains doubtful whether the humiliations from Bjorka will positively impact Indonesia’s cybersecurity governance. For now, the house is built but still remains empty.
Dr Greta Nabbs-Keller is Research Fellow at The University of Queensland’s Centre for Policy Futures.
Dr Wibawanto Widodo is Director for International Programs at Democracy and Integrity for Peace (DIP) Institute.