Björka’s Effective Hacktivism and Lessons for Indonesia

Introduction

One of the most pertinent questions in Indonesia today is whether data controllers can securely store users’ personal data. This is evident from past data breaches, which have yet to be resolved definitively. These cases, among others, include Tokopedia, Lion Air Group, e-Hac, and the Social Security Agency for Health (BPJS Kesehatan). Unfortunately, the government’s responses have been lacklustre with none of the government bodies involved in cybersecurity wanting to claim responsibility and have resorted to finger-pointing. In Indonesia, these bodies include the Ministry of Communication and Information, Cyber Police, and National Cyber Security Body. These together with negative public sentiments towards rising living costs have further declined trust towards the government.  

Against this backdrop, a new actor arose and casted a strong spotlight on the elites. A hacker (or a group of hackers?) with the handle “Björka” gained prominence by not only gaining access to troves of personal data, but also revealed sensitive information that further instilled shock and awe among the public. These included doxing several ministers, revealing the president’s confidential letters and stealing data from critical government agencies such as the Election Commission and the State Electricity Company. 

Regardless of the government’s denial and the authenticity of the data Björka stole, the hacker has successfully unmasked the government’s ineptitude to address a cybersecurity crisis.

Twisted Chain of Executive Command

The Head of the National Cyber Security Body explained that Björka’s attacks were still categorized as low-level offences. However, simultaneously,  President Joko “Jokowi” Widodo convened several bodies such as the Ministry of Communication and Information, the National Police, the National Cyber Security Body, and the Intelligence to bring Björka to justice. Such convening by the president goes against Björka’s hacktivism to be classified as a low-level offence. Additionally, the gravity of this offence led to the creation of a task force.

However, the creation of this task force is perceived to simply be a public relations exercise. To date, the Minister of Communication and Information Johnny G Plate and Coordinating Minister of Political, Legal, and Security Affairs Mahfud MD have yet to explain how this task force operated. Additionally, the DPR has not received any details on how exactly the government will be addressing the Björka conundrum. With such uncertainties, this conundrum would remain unresolved just like past data breaches. Such a hands-off approach is unfavourable for users.  

Noticeably, since the inception of the task force, President Jokowi has remained silent on the issue. Instead, enquiries and developments on this issue is to be addressed by his ministers. This is not the first time the president has done so. This was previously seen when the country was tackling illegal fishing in its waters. Particularly for enquiries on the destruction of captured foreign fishing boats, then Minister of Maritime and Fisheries Affairs Susi Pudjiastuti was left to address the issue. What could truly be behind such silence when clear, unified responses are needed?

As investigation into the case progressed, the police arrested a 21-year Madiun youth on suspicions of being Björka’s assistant on a Telegram channel named Björkanism. This move initially confused the public as the youth resided in a village and did not possess a laptop. At the time of writing, he has been released to his family though still deemed a suspect. It was later discovered that he was a fan of Björka, admitted to reposting three of Björka’s public messages and sold the admin rights of the telegram channel to Björka for US$ 100. According to investigation, the sale of the channel proceeded after the real Björka contacted the youth. In response to the youth’s arrest, Björka told his followers that the Indonesian government had wrongly arrested the youth. To further suggest the government’s incompentence, he claimed that the government’s attempt to identify him was based on being misinformed by DarkTracer, a darkweb intelligence platform.

Bumbling on such serious issues affects the credibility of the Indonesian government, particularly as the country prepares for the G20 Summit later this year. Losing credibility on the international stage is detrimental to Indonesia as the country seeks to promote the country’s portfolio internationally. Previous efforts such as the president’s recent visits to the Ukrainian and Russian leaders become undone by the country’s digital insecurity.  In light of its digital insecurity, the Indonesian government has a huge homework to develop its cybersecurity capabilities which are critical to its digital economy framework.

Lessons Learnt

Björka exposes the very weakness of the Indonesian government, especially in addressing the rising issue of digital insecurity. While other actors conducted anti-government demonstrations or walked out of the Dewan Perwakilan Rakyat (DPR) Plenary Meeting, Björka operates in the shadows. Nothing is known about Björka yet he has captured the public’s attention, indirectly assisted by the government’s lack of effective responses. Recently, Björka has even posted political messages against the government.

It is likely that such actions be repeated especially by those seeking a change in Indonesia. These actions highlight that demonstrations and street protests are not the only means to catch the government’s attention. This assumption holds true if the situation remains status quo. Not helping the situation is that the pace of this learning process is swift and the government does not have past experiences to leverage on. Additionally, it would be unwise to solely depend on the Personal Data Protection Act that was recently passed. Sole reliance on this Act is akin to using a small water gun to extinguish a raging forest fire.

The importance of human resources in building an effective cybersecurity system has been highlighted by a police expert. This may be overlooked as the general understanding that digitalization is mainly about technological advancement. Having a strong cybersecurity technology without capable individuals is not a desirable outcome. Based on the recent hacking, the Indonesian government has yet to develop capabilities in both technology and people. The rapid development of such capabilities, coupled with an effective crisis communication strategy, would go a long way to soothe the public’s anxiety.

A final lesson is that every single data controller has to independently protect its stored data in order to maintain its own credibility and reliability. Björka has indirectly demonstrated the need to be aware of personal data breaches that could be a precursor to criminal actions against them. Björka has shown that data could be used for blackmail and instigate terror among the public. That means that people will have to learn to judge which data controllers are reliable before engaging their services. Through such learning, private corporations and government bodies would no longer arbitrarily manage stored data. In other words, development of cybersecurity in Indonesia could be a  bottom-up process post-Björka.


The views expressed are those of the authors and do not necessarily reflect those of STRAT.O.SPHERE CONSULTING PTE LTD.

This article is published under a Creative Commons Licence. Republications minimally require 1) credit authors and their institutions, and 2) credit to STRAT.O.SPHERE CONSULTING PTE LTD  and include a link back to either our home page or the article URL.

Author