Shevierra Danmadiyah – Stratsea (https://stratsea.com)

Indonesia’s Cybersecurity Disaster: An Alarm to Reform
https://stratsea.com/indonesias-cybersecurity-disaster-an-alarm-to-reform/
Thu, 11 Jul 2024 22:00:30 +0000
Indonesia’s latest ransomware incident casts a negative light on the government’s ability to ensure cybersecurity and deliver public service. Source: Scott Rodgerson/Unsplash.

Introduction

The recent Brain Cipher ransomware attack on Indonesia’s Temporary National Data Center (PDNS) blatantly highlights the state’s continued lack of appreciation for cybersecurity. The attack paralyzed 282 government institutions, creating massive problems for public services such as the immigration checkpoints at several international airports.

Most harrowing is the revelation that the affected data cannot be recovered: only 2% of the stored data had been backed up.

As its name suggests, PDNS is intended as a temporary data storage solution while the Ministry of Communications and Informatics (Kominfo) builds the National Data Center (PDN). PDN is meant to be the main data storage hub for all government institutions in the country, as mandated by the state.

While waiting for its completion, three PDNS are in use at the moment, located in Surabaya, South Tangerang and Batam. It was the first of these PDNS, the one located in Surabaya, that was affected by the disastrous ransomware incident, first detected on 17 June 2024.

The Blame Game Begins

The confusion that ensued showcases the classical problem in Indonesia’s governance system, one that relates to jurisdictional uncertainty and overlap.

Instead of admitting its oversight during its meeting with the House of Representatives (DPR), Kominfo pointed the finger at the “tenants”, the government institutions that store data in PDNS but failed to back up their own data. The National Cyber and Crypto Agency (BSSN) reinforced this argument, stating that tenants should be responsible for their own electronic systems. Meanwhile, server provider Telkomsigma maintained that the system in place was already sufficient.

There is a need to break down each stakeholder’s responsibilities to obtain a deeper understanding of what really transpired.

In the PDNS ecosystem, there are at least four actors, namely Kominfo, BSSN, Lintas Arta and Telkomsigma as providers (the latter operates the Surabaya PDNS), and tenants. Kominfo and BSSN have the broadest power and responsibilities.

Per Government Regulation No. 71 Year 2019 (GR 71/2019), Kominfo is responsible for regulating, supervising and coordinating every electronic government system, which includes PDN and PDNS. Furthermore, Presidential Regulation No. 95 Year 2018 (PR 95/2018) explicitly states that PDN is a strategic project under Kominfo, which must ensure operational eligibility before the PDN finally operates.

Reflecting on all these legal grounds, there are at least three essential roles played by Kominfo in the PDN system: “owner,” “regulator” and “expert”.

Despite these big roles, Kominfo’s attitude since the attack has appeared to be hands-off. This is reflected in Kominfo’s lackadaisical statement regarding the lack of backed-up data. Stating that the back-up facility is already in place, Kominfo said that the decision to back up data lies with each tenant.

Such a statement indicates Kominfo’s seeming detachment from its responsibility as a regulator, which should instruct its tenants to back up their data, and as an expert that must be cognizant of the basic necessities of cybersecurity in e-governance.

Ideally, Kominfo should have ensured that all security measures are met before mandating government institutions to store their data in PDNS and, in the future, PDN.

Operationally, Telkomsigma is the service provider. We cannot know precisely what its actual responsibility is, since there is no accessible legal document detailing its exact relationship with Kominfo.

We can infer that Telkomsigma’s responsibility is technical, which means that it is an operator that can only act on Kominfo’s instructions. Even so, Telkomsigma plays a huge role in ensuring security and data protection, such as implementing strong passwords and multi-factor authentication.

BSSN is another crucial actor. It has a strategic role and remarkable power because it operates directly under the president. Presidential Regulation No. 28 Year 2021 (PR 28/2021) states that BSSN has the responsibility to establish technical policy standards in cybersecurity implementation. Thus, BSSN should ideally maintain the cybersecurity of all e-governance systems, including PDN and PDNS.

PR 95/2018 also mentions that BSSN has the responsibility to give its assessment on a system’s cybersecurity eligibility. Despite this vast power and responsibility, BSSN was curiously not involved by Kominfo in the development of PDNS, indicating a lapse in judgement on the part of the government. Perhaps its role and significance are not yet acknowledged by Kominfo, even though BSSN’s position is on ministerial level.

There are also the tenants – such as the Ministry of Law and Human Rights; the Ministry of Education, Culture, Research and Technology; the National Public Procurement Agency; and some regional government institutions – that are often scapegoated by Kominfo and BSSN. Tenants, according to PR 95/2018, are obligated to use PDN, which means they have no choice but to store their data on the government’s appointed server. Specifically, Kominfo issued Circular Letter No. 3 Year 2021 (CL 3/2021) urging institutions to maximize the use of PDNS until PDN is fully operational.

Tenants have less technical knowledge about PDNS and are only storing their data there because they are compelled to do so. On top of that, they are also made responsible for the protection of their data, which can be a source of inconvenience.

Putting the Attack into Context

It is imperative to put this ransomware incident in the context of personal data protection. This is because PDNS contains and processes citizens’ personal data that have been collected by the state over the years.

Fortunately, Indonesia’s Personal Data Protection Law – which only comes into force in October 2024 – can inform us about how the state is responsible for the protection of citizens’ personal data.

The Law establishes three actors in a data processing system – data subjects, data controllers and data processors.

In the PDNS ecosystem, the data subjects are individuals whose data are stored in the system by each government institution. They have some rights which allow them to be informed about how their data are being collected, stored and processed by the data controller – the government institutions in this context.

In this case, it is more likely that the data subjects, the citizens, do not even know that their data are stored in the PDNS. The state might argue that this measure was taken to ensure public interest is met.

However, even with this argument, the decision to store data in PDNS should be subject to other safeguards to protect the rights and interests of the data subjects. These include the principles of fairness and transparency as well as a data protection impact assessment.

Moreover, when there is a violation of personal data protection, such as a ransomware attack, the data controller should effectively respond. If the violation affects the rights of the data subjects, the data controller should properly inform them in a transparent manner.

In this ransomware incident, unfortunately the state has failed to ensure the data subjects’ rights are met because the data are not even backed up in the first place. This means each affected government institution cannot exactly determine whose data is compromised.

But the problem compounds when we consider the fact that these government institutions are merely the “tenants” in the PDNS system. On one hand, as data controllers they have the responsibility to protect the data they collect. On the other hand, these institutions have no control or power over how the PDNS system is governed and protected.

To some extent, Kominfo’s claim to be the data processor is valid, because it does not determine the purpose of, or control, the data stored inside PDNS. However, in the ideal relationship between data controller and data processor, the latter may only process personal data with a mandate or permission from the former.

In reality, in this PDNS system tenants have not mandated Kominfo to process the data, even though they are compelled to store their data in PDNS. Indeed, Kominfo is the one body that operates the system because by law it receives the mandate to manage the country’s data storage system. However, it has largely failed to ensure the protection of stored data, even though it has the authority to compel other institutions to use its service.

Put simply, this whole episode highlights a classical problem in Indonesia’s governance system – jurisdictional overlap. Moreover, the urge to “digitalize and modernize” has propelled the state to establish new laws and institutions and to adopt new technologies, but these are not coupled with an effort to cover the most basic necessities of its e-governance system, i.e., erecting a sufficient cybersecurity regime.

The failure to ensure all data are backed up is just too big to notice. Worse, the PDNS system employed ridiculously weak passwords and did not implement multi-factor authentication. All of these are testament to the statement made at the beginning: that the state has a continued lack of appreciation for cybersecurity.

Urgency to Reform

The ransomware incident should not be seen as a standalone event. It is part of the structural cyber-related issues in Indonesia. The country experiences cyber attacks too frequently, yet the state has not been able to address the issue sufficiently.

Currently, Indonesia has implemented Law 27/2022, which should serve as the standard for data processing. BSSN, as the institution responsible for cybersecurity, has also had numerous strategic plans and policies that aim to mitigate cyber-attacks. However, the root of the problem is the willingness of government institutions to evaluate, relearn and update their knowledge and expertise. Ultimately, this ransomware incident should become the momentum to reform the cybersecurity regime in Indonesia. This can begin with formulating and implementing a cybersecurity bill.

Indonesia’s Limited Response to Data Breach Incidents
https://stratsea.com/indonesias-limited-response-to-data-breach-incidents/
Sun, 02 Oct 2022 23:40:58 +0000
The latest data breach has unfortunately been met with buck passing by numerous agencies, including the Ministry of Communications and Informatics. Credit: kominfo.go.id/Biro Humas Kementerian Kominfo

Introduction

The past few months have been especially alarming in Indonesia’s cybersecurity landscape. A data breach discovered on 21 August 2022 saw the theft of 1.3 billion SIM card records containing national identity numbers (NIK). NIK is especially sensitive as it is linked to the user’s personal data, phone number, telecommunication provider and SIM card registration date.

This massive data breach incident was committed by Björka, who later instigated other scandalous cybercrimes such as stealing confidential data from state bodies (including the General Elections Commissions [KPU]) and doxing public officials.

Regrettably, the Coordinating Minister for Political, Legal and Security Affairs Mahfud MD, one of the doxed officials, responded with a statement lacking sensibility on the subject of personal data protection. He stated that “I am not troubled or concerned. My personal data is not confidential. You may grab it from Wikipedia (Google), the back cover of books I’ve written and from LHKPN KPK. My personal data is open (to the public), no need to be leaked.”

Image captured from Twitter.

Fundamentally, personal data protection is a subset of the right to privacy. Prof Daniel J. Solove from the Law School of the George Washington University argues that one of the elements of the right to privacy is secrecy. In the context of Indonesia, the right to privacy is constitutionally protected in Article 28G (1) of the 1945 Constitution. It is also guaranteed by the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, both of which have been adopted by the country.

Unfortunately, Björka’s series of data breaches is not the first in Indonesia. During the Covid-19 pandemic, we experienced a multitude of incidents involving Tokopedia, BRI Life, the Social Security Administrative Body (BPJS), Diponegoro University, e-HAC and others.

Thus, a pertinent question arises: how does the government of Indonesia protect the personal data of everyone in the country? Answering this requires scrutiny of the laws and regulations, public policy, and the government’s response to such a fundamental concern.

Laws and Regulations on Personal Data Protection

Indonesia has been responding to data breach incidents with insufficient legal instruments all this time. The country has relied on only three instruments: 1) the Electronic Information and Transactions Law (ITE Law); 2) Government Regulation No. 71 Year 2019 on Electronic System and Transaction Operation (GR 71/2019); and 3) Minister of Communication and Information Technology Regulation No. 20 Year 2016 on Protection of Personal Data in Electronic Systems (Permenkominfo 20/2016).

Why are these not enough? First, the ITE Law does not focus on personal data protection and only dedicates limited sections on personal data, one of which states that “the use of each information through electronic media which related to individual personal data should be done by the consent of that individual, unless otherwise stipulated by laws and regulations.” In practice, the ITE Law is often only used to criminalize legitimate expression against individuals (particularly public officials), the business sector and the government.

Second, the GR 71/2019 was originally a derivative of the ITE Law, so it does not diverge radically from the ITE Law.

Third, the Permenkominfo 20/2016 is merely a minister’s regulation, which has lesser authority. According to Article 7 (1) of the Laws on the Establishment of Laws and Regulations, a minister regulation lies outside the laws and regulations hierarchy. Such regulations tend to have effect on government officers only.

On 20 September 2022, the House of Representatives and the President of the Republic of Indonesia passed the Personal Data Protection Act (PDPA), which will soon come into force on the date of its promulgation (within 30 days of its passing, according to the Laws on the Establishment of Laws and Regulations). This step is a breath of fresh air for Indonesians concerned with personal data protection, despite some caveats regarding the content and scope of the PDPA.

According to the press release by the Advocacy Coalition on Personal Data Protection (KA-PDP), there are 10 critical issues in the PDPA. One of the major weaknesses is the establishment of a Data Protection Authority (DPA) that will be under the control of the government. This will surely be ineffective, considering that the law applies not only to the private sector but also to the public sector, including the government itself. The government’s dual role will thus be marked by a conflict of interest. On one hand, the government is the very institution that enforces and supervises the personal data protection law; on the other hand, the government is also the object of that supervision, because its bodies or agencies could be data controllers or data processors. Furthermore, some of the DPA’s responsibilities, such as supervision, administrative sanctioning and investigation, would be hard to carry out if the DPA is controlled by the government. That is why the DPA should be independent – without it, the enactment of the PDPA would lack effectiveness.

Reluctance, Half-Hearted Response and Buck Passing

The aforementioned e-HAC data breach incident illustrates the government’s ineptitude in responding to this problem. The first e-HAC data breach was discovered by vpnMentor on 15 July 2021, which they tried to convey to the Ministry of Health on 21 and 26 July 2021, but did not receive any response. The follow-up to the incident was only carried out a month later, on 24 August 2021, when vpnMentor reported the findings to the National Cyber and Encryption Agency (BSSN). On 30 August 2021, vpnMentor published its findings on the e-HAC data breach. The next day, the Ministry of Health responded by stating that the data breach occurred in the old e-HAC application, which had not been in use since July 2021, the exact month in which vpnMentor first discovered the data breach.

This account shows that the government will take a further step only when there is massive public disclosure of a data breach, insinuating its lack of consideration for users’ rights. The statement “which has not been used” was especially questionable, considering that the data breach was detected in July 2021, which means the old application and its stored data were still in use at the time. Regardless, the Ministry of Health should have carried out a thorough investigation from the first time the breach was reported, since medical data is sensitive data and thus requires protection.

Moreover, medical data is defined as all data pertaining to the health status of a data subject which reveals information relating to the past, present and future physical or mental health status of the data subject (EU GDPR). Hence, the term “which has not been used” may indicate that the application’s stored data include the past and present health status of the users; the Ministry of Health should thus take responsibility for that breach. Unfortunately, the Ministry and the application’s developer have failed to notify users of the data breach to this day.

In this and other incidents, the government seems puzzled as to how best to solve the issue. The core problem is the sectoral approach to regulating personal data protection. There are so many sectors and actors involved that they usually pass responsibility to each other. According to a yet-to-be-published ELSAM study in 2020, there are at least 46 sectoral regulations (spread across sectors such as health, telecommunication, administration and others) that relate to data protection.

Furthermore, the government does not tackle the root of the problem. The government’s responses thus far are limited to: 1) blocking the sites and/or accounts that hack the system; 2) investigation, but one that is neither transparent nor accountable; and 3) frequent buck passing among relevant bodies or agencies, including the National Cyber and Crypto Agency (BSSN), the Ministry of Communication and Information Technology (Kominfo) and others. To solve the root of the problem, however, the government should improve data protection governance, build an ecosystem of laws and regulations centered on the interests of data subjects, and establish the personal data protection infrastructure.

Government’s Response to Björka

Against this backdrop, it is then not a surprise that the government’s response to Björka’s hacktivism was reactive and insufficient, further accentuating the poor data protection ecosystem in Indonesia.

Kominfo released Press Release No. 377/HM/KOMINFO/09/2022 on 1 September 2022 in response to Björka’s activities. It states that the source of the personal data was not from within Kominfo, highlighting the Ministry’s denial of responsibility. Moreover, the response by the Head of BSSN was even more bizarre. He stated that Indonesians should remain calm because none of the electronic systems had been attacked. These statements are problematic since users’ personal data was evidently misappropriated and potentially misused by unauthorized actors. Here there is a lack of emphasis by the government on the rights of the data subjects. Furthermore, after the massive attacks by Björka, the government established an emergency response team consisting of BSSN, Kominfo, the National Police and the State Intelligence Agency (BIN), but this seems to be a reactive measure, and it remains to be seen whether the team will address the core problem effectively.

The passing of PDPA should not be seen as the final answer to all data breach incidents that could amount to a national crisis as Björka has demonstrated. Rather, it should be considered as a first step to a more effective response. The government wants to have a complete authority in carrying out the measures, but history and users would judge whether it has the capacity and capability to do so.
