Indonesian Government Under Fire Following String of Cyber Breaches

The Takeaway

In June, several Indonesian government offices were hit by a series of cyberattacks, including a ransomware attack on the country’s Temporary National Data Centre. These attacks exposed the vulnerabilities in Indonesia’s data security systems and have prompted calls for the minister of communications and information to resign. 

These breaches raise fresh questions about Indonesia’s cybersecurity readiness, which could make it less attractive to foreign investors, especially if Jakarta does not demonstrate that it is taking steps to tighten its cyber defences.

The Indonesian government intends to review the cybersecurity practices of data centres in countries, including Canada, to better defend itself against future cyberattacks.

In Brief

• On June 20, the Indonesian Temporary National Data Centre was compromised by the hacker group Brain Cipher. The resulting data loss disrupted services for nearly 300 central and local state agencies, including immigration services and major airports. The hacker group demanded a ransom of C$11 million to unlock the data, which the government refused to pay. (In a mysterious turn of events, Brain Cipher apologized and released the decryption key for free on July 3.)
   
• On June 22, the Indonesia Automatic Fingerprint Identification System (INAFIS) was hacked, followed by another hack on June 24 of the Indonesian National Armed Forces Strategic Intelligence Agency. While the compromised data from the latter was outdated, the INAFIS, which is managed by the Indonesian National Police, resulted in the theft of fingerprint images and email addresses.
   
• This succession of hacks and the lack of protocol around data backups was an embarrassment for the Indonesian government, especially given other major cyberattacks it has experienced in recent years. In 2023, 1.5 terabytes of data was stolen from state-owned Bank Syariah Indonesia, including customer and employee contact details, financial documents, card information, and passwords. In 2022, the country’s central bank faced a ransomware attack, although it did not appear to impact public services. However, in 2021, a hack of Indonesia’s health ministry compromised the personal data and health status information of 1.3 million people.
   
• According to the 2020 Global Cybersecurity Index (GCI), which measures countries’ commitment to addressing cyber challenges, Indonesia ranked 24th out of 194 countries, higher than Vietnam (25th), Thailand (44th), and the Philippines (61th). 

Implications

Political fallout is likely. Since the June cyberattacks, the appointment of Minister for Communications and Informatics, Budi Arie Setiadi, has come under public scrutiny. There have been suggestions that he is a “giveaway” minister — that is, he was appointed to the role despite his lack of technical knowledge because of his political connections to the president, Joko Widodo (known as “Jokowi”). Setiadi headed a group that supported Jokowi’s run for the presidency in 2014 and 2019. There have been calls for Setiadi’s resignation, and a petition demanding that he step down has garnered more than 20,000 signatures.

The volatility in Indonesia’s cybersecurity landscape has cast doubts on the government’s commitment to and transparency in managing these cyber breaches. It may also put a dent in the government’s reputation and ability to attract and retain foreign investment in the tech industry. In late April, Microsoft announced that it would invest C$2.3 billion in Indonesia to develop cloud and artificial intelligence infrastructure to enhance the country’s digital economy. However, this investment could encounter speedbumps if the country’s cybersecurity remains weak, with ongoing issues of data breaches and disruptions in operations. This could lead to the loss of investors’ faith in the country’s information protection capacity, deterring new investments. 

What’s next

1. Greater Canadian support and co-operation

In response to the recent data breach and the public backlash, the Ministry of State Apparatus Utilization and Bureaucratic Reform announced that the data safeguarding practices of Canada, India, and other states will be benchmarked and reviewed for possible application in Indonesia’s national data centres. (Canada ranked eighth in the 2020 GCI report.) 

As part of its Indo-Pacific Strategy, Canada allocated C$47.4 million over five years to strengthen cyber capabilities and regional cyber co-operation in the Association of Southeast Asian Nations (ASEAN), of which Indonesia is the largest member. Ottawa plans to do this by stationing “dedicated cyber attachés” in partner countries, which could include Indonesia. Details have yet to be disclosed on the exact roles these attachés will play.

2. New president, new cybersecurity policy?

In October, Prabowo Subianto will be inaugurated as Indonesia’s next president, which could be an opportunity to make cybersecurity a major priority. As defence minister from 2019-24, Prabowo pushed for the implementation of cybersecurity education as an area of study at the ministry-affiliated Indonesian Defense University. During his presidential campaign, he also proposed integrating cybersecurity education into the curriculum of schools and universities on a national scale. 

• Edited by Erin Williams, Senior Program Manager, Asia Competencies; Ted Fraser, Senior Editor