Cybersecurity – Stratsea (https://stratsea.com)

Indonesia’s Cybersecurity Disaster: An Alarm to Reform
https://stratsea.com/indonesias-cybersecurity-disaster-an-alarm-to-reform/
Thu, 11 Jul 2024
Indonesia’s latest ransomware incident casts a negative light on the government’s ability to ensure cybersecurity and deliver public service. Source: Scott Rodgerson/Unsplash.

Introduction

The recent Brain Cipher ransomware attack on Indonesia’s Temporary National Data Center (PDNS) blatantly highlights the state’s continued lack of appreciation for cybersecurity. The attack paralyzed 282 government institutions, creating massive problems for public services such as the immigration checkpoints at several international airports.

Most harrowing is the revelation that the affected data cannot be recovered – only 2% of the data stored were backed up.

As its name suggests, PDNS is intended to be the temporary data storage solution while the Ministry of Communications and Informatics (Kominfo) builds the National Data Center (PDN). PDN aims to be the main hub of the data storage system for all government institutions in the country, as mandated by the state.

While waiting for its completion, three PDNS are in use at the moment, located in Surabaya, South Tangerang and Batam. It was the first of these PDNS, the one located in Surabaya, that was affected by the disastrous ransomware incident, first detected on 17 June 2024.

The Blame Game Begins

The confusion that ensued showcases the classical problem in Indonesia’s governance system, one that relates to jurisdictional uncertainty and overlap.

Instead of admitting its oversight during its meeting with the House of Representatives (DPR), Kominfo pointed the finger at the “tenants”, government institutions that store data in PDNS but fail to back up their own data. The National Cyber and Crypto Agency (BSSN) strengthened this argument, stating that tenants should be responsible for their electronic systems. Meanwhile, server provider Telkomsigma maintained that the system in place was already sufficient.

There is a need to break down each stakeholder’s responsibilities to obtain a deeper understanding of what really transpired.

In the PDNS ecosystem, there are at least four actors, namely Kominfo, BSSN, Lintas Arta and Telkomsigma as providers (the latter operates the Surabaya PDNS), and tenants. Kominfo and BSSN have the broadest power and responsibilities.

Per Government Regulation No. 71 Year 2019 (GR 71/2019), Kominfo is responsible for regulating, supervising and coordinating any electronic government system, which includes PDN and PDNS. Furthermore, Presidential Regulation No. 95 Year 2018 (PR 95/2018) explicitly mentions that PDN is a strategic project under Kominfo, which must ensure operational eligibility before the PDN finally operates.

Reflecting on all these legal grounds, there are at least three essential roles played by Kominfo in the PDN system: “owner,” “regulator” and “expert”.

Despite these big roles, Kominfo’s attitude since the attack has appeared to be hands-off. This is reflected in Kominfo’s lackadaisical statement regarding the lack of back-up data. Stating that the back-up facility is already in place, Kominfo mentioned that the decision to back up data lies with each tenant.

Such a statement indicates Kominfo’s seeming detachment from its responsibility as a regulator – to instruct its tenants to back up their data – and as an expert that must be cognizant of the basic necessities of cybersecurity in e-governance.

Ideally, Kominfo should have ensured that all security measures are met before mandating government institutions to store their data in PDNS and, in the future, PDN.

Operationally, Telkomsigma is the service provider. We cannot precisely know what its actual responsibility is since there is no accessible legal document detailing its exact relationship with Kominfo.

We can infer that the responsibility of Telkomsigma is technical, which means that it is an operator that can only act on Kominfo’s instructions. However, Telkomsigma plays a huge role in ensuring security and data protection, such as implementing strong passwords and multi-factor authentication.

BSSN is another crucial actor. It has a strategic role and remarkable power because it operates directly under the president. Presidential Regulation No. 28 Year 2021 (PR 28/2021) states that BSSN has the responsibility to establish technical policy standards in cybersecurity implementation. Thus, BSSN should ideally maintain the cybersecurity of all e-governance systems, including PDN and PDNS.

PR 95/2018 also mentions that BSSN has the responsibility to give its assessment of a system’s cybersecurity eligibility. Despite this vast power and responsibility, BSSN was curiously not involved by Kominfo in the development of PDNS, indicating a lapse in judgement on the part of the government. Perhaps its role and significance are not yet acknowledged by Kominfo, even though BSSN holds ministerial-level status.

There are also tenants – such as the Ministry of Law and Human Rights; the Ministry of Education, Culture, Research and Technology; the National Public Procurement Agency; and some regional government institutions – that are often scapegoated by Kominfo and BSSN. Tenants, according to PR 95/2018, are obligated to use PDN, which means they have no choice but to store their data in the government’s appointed server. Specifically, Kominfo issued Circular Letter No. 3 Year 2021 (CL 3/2021) urging institutions to maximize the use of PDNS until PDN is fully operational.

Tenants have less technical knowledge about PDNS and are only storing their data there because they are compelled to do so. On top of that, they are also made responsible for the protection of their data, which can be a source of inconvenience.

Putting the Attack into Context

It is imperative to put this ransomware incident in the context of personal data protection. This is because PDNS contains and processes citizens’ personal data that have been collected by the state over the years.

Fortunately, Indonesia’s Personal Data Protection Law – which only comes into force in October 2024 – can inform us about how the state is responsible for the protection of citizens’ personal data.

The Law establishes three actors in a data processing system – data subjects, data controllers and data processors.

In the PDNS ecosystem, the data subjects are individuals whose data are stored in the system by each government institution. They have some rights which allow them to be informed about how their data are being collected, stored and processed by the data controller – the government institutions in this context.

In this case, it is more likely that the data subjects, the citizens, do not even know that their data are stored in the PDNS. The state might argue that this measure was taken to ensure public interest is met.

However, even with this argument, the decision to store data in PDNS should be subject to other safeguards to protect the rights and interests of the data subjects. These include the principles of fairness and transparency as well as a data protection impact assessment.

Moreover, when there is a violation of personal data protection, such as a ransomware attack, the data controller should effectively respond. If the violation affects the rights of the data subjects, the data controller should properly inform them in a transparent manner.

In this ransomware incident, unfortunately the state has failed to ensure the data subjects’ rights are met because the data are not even backed up in the first place. This means each affected government institution cannot exactly determine whose data is compromised.

But the problem compounds when we consider the fact that these government institutions are merely the “tenants” in the PDNS system. Indeed, on one hand, as data controllers they have the responsibility to protect the data they collect. On the other hand, these institutions have no control or power over how the PDNS system is governed and protected.

To some extent, Kominfo’s claim to be the data processor is valid because it does not determine the purpose of, or control, the data stored inside PDNS. However, in the ideal relationship between data controller and data processor, the latter can only process personal data with a mandate or permission from the former.

In reality, in this PDNS system tenants have not mandated Kominfo to process the data, even though they are compelled to store their data in PDNS. Indeed, Kominfo is the one body that operates the system because by law it receives the mandate to manage the country’s data storage system. However, it has largely failed to ensure the protection of stored data, even though it has the authority to compel other institutions to use its service.

Put simply, this whole episode highlights a classical problem in Indonesia’s governance system – jurisdictional overlap. Moreover, the urge to “digitalize and modernize” has propelled the state to establish new laws and institutions as well as adopt new technologies, but these are not coupled with an effort to cover the most basic necessities in its e-governance system, i.e., erecting a sufficient cybersecurity regime.

The failure to ensure all data are backed up is just too big to overlook. Worse, the PDNS system employed ridiculously weak passwords and did not implement a multi-factor authentication process. All of these are testament to the statement made at the beginning: that the state has a continued lack of appreciation for cybersecurity.

Urgency to Reform

The ransomware incident should not be seen as a standalone event. It is part of structural cyber-related issues in Indonesia. The country experiences cyber attacks too frequently, but the state has not been able to address the issue sufficiently.

Currently, Indonesia has implemented Law 27/2022, which should be the standard for data processing. BSSN, as the institution responsible for cybersecurity, has also had numerous strategic plans and policies that aim to mitigate cyber-attacks. However, the root of the problem is the willingness of government institutions to evaluate, relearn and update their knowledge as well as expertise. Ultimately, this ransomware incident should provide the momentum to reform the cybersecurity regime in Indonesia. This can start with formulating and implementing a cybersecurity bill.

The EU’s New AI Regulation Will Have Global Implications
https://stratsea.com/the-eus-new-ai-regulation-will-have-global-implications/
Mon, 13 May 2024
Illustration of a robot. Credit: hobijist3d / Unsplash

Introduction

Two months ago, the European Parliament finally passed the long-awaited Artificial Intelligence (AI) Act, which was first introduced in 2021. The regulation was endorsed by the members of Parliament with 523 votes in favor, 46 against and 49 abstentions.

The EU’s AI Act is considered the final technology-related legislation passed under the 2019-24 European Parliament and Commission, as part of their mission to create a “Europe fit for the Digital Age”.

With the aim of creating a “futureproof” legal framework for AI regulation in all sectors, some pertinent questions arise. How will the Act be implemented? Which key stakeholders would be most impacted by the regulation? Finally, will the legislation have any influence on AI governance outside of the EU?

Impacts of the Act

Various countries have different approaches to governing AI. The United States prioritizes national competitiveness in AI development, often at the expense of individual rights and privacy. In contrast, China uses AI to maintain social harmony and control through their social credit system. However, both lack significant public criticism of AI systems, hindering the development of trustworthy and accountable AI.

Meanwhile, the EU’s identity is grounded in political values such as freedom and democracy, setting it apart from other global actors like the United States, China, Russia, and the United Kingdom.

The EU AI Act aims to regulate AI use with a focus on human-centric and ethical principles. It is envisioned to address such policy problems as potential violations of fundamental rights due to AI systems, including breach of privacy, bias, inequality and security issues.

The Act sets a broad definition of AI. It defines AI as “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”

Concerningly, this definition appears rigid and thus could be detrimental to the legislation’s adaptability in the future, considering the constant evolution of AI every day.

The adoption of this landmark law will have several legal consequences.

First, the new rules will prohibit certain AI systems that pose threats to citizens’ fundamental rights, such as biometric categorization systems. This means that any AI application that manipulates human behavior or exploits vulnerabilities will be banned. Examples of these are social scoring systems, emotion recognition and predictive policing.

Second, the Act will impose transparency obligations on the use of AI and set certain restrictions on the use of general-purpose AI models. If an AI system is designed and deployed to interact with humans, its provider and deployer must inform the human users – in a clear and distinguishable manner – that they are interacting with an AI system.

The Risk-Based System

The Act attempts to balance innovation with a risk-based approach and a degree of flexibility, so as to ensure adaptability and legal certainty. To do so, it imposes risk-based categories on AI providers depending on the level of risk that their AI system poses. These range from unacceptable risk, to high risk, to limited risk and to low or minimal risk.

Applications and systems that are considered unacceptable risk will be banned, such as real-time biometric identification in public areas. AI systems that pose a direct threat to people fall under “high risk” and will be strictly prohibited. These include systems that encourage dangerous behavior in children, apply social scoring and classify people based on their behavior, socio-economic status or personal characteristics.

Additionally, AI systems are always considered high-risk if they profile individuals based on collected data. In other words, these are systems that automatically process personal data to assess various aspects of a person’s life, such as work performance and education. Examples include systems that determine access, admission or assignment to educational and vocational training, or systems that are used for recruitment or selection, particularly targeted job ads, analyzing and filtering applications and evaluating candidates.

Chatbots and generative AI text are considered “limited risk” and are subject to transparency obligations. “Minimal” or “no risk” systems, such as AI-enabled video games or spam filters, will be free to use and only subject to a voluntary code of conduct.

Implementing the Act

Once published in the EU’s Official Journal, the AI Act will come into force after 20 days, with full applicability expected in two years, except for certain provisions. Prohibitions will take effect six months after publication, while governance rules and obligations for general-purpose AI models will be applicable after 12 months. Additionally, rules for AI systems embedded in regulated products will apply after 36 months.

To aid the transition to the new regulatory framework, the Commission has introduced the AI Pact, an optional initiative encouraging AI developers worldwide to adhere to the key obligations of the AI Act in advance of its full implementation.

Additionally, the EU has also established the “European AI Office” that will oversee the Act’s enforcement and implementation within member states. In doing so, it will have the authority to conduct evaluations of general-purpose AI models, request information and measures from model providers, and apply sanctions. The Office will collaborate with member states, the expert and scientific community, industry and civil society in executing its mandate. This is a testament to the EU’s multi-stakeholder approach to AI governance.

Implications for Non-EU Member States

A so-called “Brussels Effect” is expected to occur after the adoption of the EU AI Act. It is a situation whereby the EU’s introduction of its laws has a worldwide effect in shaping the international business environment and standards. An obvious example can be seen in the not-so-recent enactment of the General Data Protection Regulation (GDPR), which set a benchmark for data protection rules around the world, including in Indonesia.

The EU AI Act will highlight the importance of public scrutiny of AI applications in daily life such as surveillance, health, education and law enforcement. It will prompt other countries to assess whether existing AI systems that have been deployed within their territory may have caused harm or imposed risks on their citizens.

A definite outcome is that the Act will serve as a strong statement that the EU is able to regulate AI while ensuring that economic interests are still met. This is a manifestation of the EU’s underlying legal policy and framework, which are always based on the foundation of trade liberalization. This will encourage companies and investors in AI systems in the EU to adapt and comply with the Act. There is a likely chance that the EU will become a global standard-setter for technology regulation, which could lead to a greater degree of global coordination on AI.

Implications for Indonesia

While other countries have already progressed in initiating draft policies on AI governance, Indonesia’s progress seems to be on pause due to the recent presidential election. Outgoing President Joko “Jokowi” Widodo’s administration introduced the National AI Strategy, but it is up to President-elect Prabowo Subianto to carry this agenda forward. The concept of trust in AI is important for Indonesia. It involves strategically framing the narrative to unify societal skepticism towards AI while acknowledging its importance for national development. Like the EU’s, AI initiatives in Indonesia must be guided by national values, emphasizing trustworthiness and a human-centric approach. Indonesia’s AI governance must focus on ensuring that AI programs align with the overarching goals of not only economic progress, but also digital and citizens’ welfare, thereby emphasizing ethical considerations and societal well-being.

China’s Assertive Cyber Activism and Lessons for Indonesia
https://stratsea.com/chinas-assertive-cyber-activism-and-lessons-for-indonesia/
Tue, 02 Apr 2024
The image of a benevolent China is somewhat chequered by its more aggressive activities in cyberspace. Credit: Li Yang/Unsplash

Introduction

The rise of China has prompted the Middle Kingdom to challenge the United States’ supremacy on a number of dimensions, be it geopolitical influence, trade and investment, or cyberspace.

Unfortunately, in the process, this has also put China at odds with other countries, complicating their intertwined and interdependent bilateral relations.

As exemplified by South Korea and the Philippines, their pursuit of their respective national interests has made them an ample target of China’s cyber operations. Their stories serve as a warning flag for other countries, particularly those that are still bent on state-building objectives.

As a multidimensional partner to China, Indonesia could learn a few lessons from the experience of the two aforementioned countries.

China Cyber Operations in South Korea and the Philippines

In March 2017, South Korea’s Lotte Group became a target of administrative investigations, business boycotts and cyber-attacks by China owing to its land being used as a site for Terminal High Altitude Area Defense (THAAD). A virus was planted on Lotte’s China branch website, which suspended its operation for several days. The cyber-attack could be considered part of the retaliatory attacks that cost Lotte’s supermarket a 95% loss in 2017.

It may seem trivial to blame Lotte’s financial loss solely on this cyber-attack, considering other business- and financial-related factors were also at play. However, it shows the extent to which China is ready to pursue its interest and shape the environment to be favorable to its vision.

This is reminiscent of the term “doghouse diplomacy”, referring to a state’s exercise of aggravating acts towards a disobedient party in order to reap profitable circumstances or gains. It also indicates a reversal of the touted best bilateral period between China and South Korea in modern history, which lasted from 2013 to 2016.

The Philippines faced a similar conundrum recently. A cyber-attack against a government institution was detected earlier in 2023, and findings by Palo Alto Networks, a US-based cybersecurity firm, attributed the attack to the Stately Taurus group from China.

The government of the Philippines was hardly able to muster an appropriate response, as the Department of Information and Communications Technology was manned by only 35 personnel. Budgetary restraint has hindered the country from building sufficient measures to respond to and counteract such cyber-attacks.

Geopolitical factors also come into play. Since coming into power, President Ferdinand “Bongbong” Marcos Jr. has pursued policies aimed at safeguarding the Philippines’ land and resources. This has necessitated some realignments in its relationship with the United States. For example, bilateral talks in November 2022 produced a few initiatives to further foster the alliance. Besides, $7.5 million in additional financial assistance was conferred to enable the Philippine Coast Guard to acquire more patrol ships. In addition, a development grant under USAID helps the Philippines embark on nature conservation and sustainable fishing agendas, with the targeted area around the South China Sea.

Manila does not stop with just the United States. For example, the Philippines partnered with Australia for a joint patrol in the South China Sea in November 2023.

These steps, unfortunately, have caused discomfort among some in China’s security establishment. The aforementioned cyber-attack on a government body is also believed to be part and parcel of China’s displeasure. This should not have come as a surprise. After years of former President Duterte’s China-leaning foreign policy, the new administration suddenly took steps that signal its moving away from China’s orbit.

Lessons Learned for Indonesia

There are some valuable takeaways for Indonesia.

Firstly, the Philippines’ case shows the importance of capable human resources in the field of cybersecurity. Officials of the targeted government body were reportedly unable to respond to the threat properly.

Indonesia has taken the right step forward by establishing a national cyber agency called Badan Siber dan Sandi Nasional (National Cyber and Crypto Agency – BSSN). Whether BSSN will prove an effective bulwark against cyber-attacks remains to be seen.

A formal infrastructure is not a cure-all solution, considering Indonesia’s digital protection ecosystem continues to be substandard. There have been some remedies to ameliorate this, such as the relatively new Personal Data Protection Act Number 27 2022, which stipulates the creation of a new data protection authority and calls for a structured, transparent and reliable data regime for commercial purposes.

Still in its transition process today, the Act will come into force in October 2024, a full two years after it was passed. Last year, the Ministry of Communication and Informatics (Kominfo) also announced that the government has drafted a derivative regulation that will administer the Act’s scope and aims in more detail. The ball is now in the executive branch’s court to realize this vision of a more secure digital ecosystem in Indonesia.

Next, interagency cooperation, such as between BSSN and Kominfo, remains convoluted. As evidenced from a data breach case in July 2021, both agencies tended to be reactive in their response, failing to cut off the root of the problem in the country’s frequent personal data leak cases.

Further complicating the picture is the presence of two bodies tasked to carry out cyber-intelligence activities. While BSSN oversees the public sphere, Badan Intelijen Strategis (Strategic Intelligence Agency) operates foreign and military cyber-intelligence under the auspices of the Indonesian Armed Forces.

Meanwhile, both agencies are separate from Badan Intelijen Negara (State Intelligence Agency – BIN), an independent body that carries out general intelligence operations on behalf of the state.

Any effort to improve interagency cooperation must be cognizant of the jurisdictional maze controlled by these agencies. Since overlap is a risk, ensuring clear standards of operation and procedure as well as a data sharing mechanism is crucial. Clear boundaries between the two would also assist the prospective data protection authority in identifying and removing gaps and in executing its task efficiently.

With all of these issues, it might be too tall an order to expect BSSN to safeguard our data and systems in Indonesia, especially if multiple cyber incidents occur simultaneously. Therefore, it is important to enable the private sector, civil society and the grassroots to learn the most basic cybersecurity and cyber-hygiene skills. Local universities could serve as an important partner to advocate for and administer such an agenda.

Linked to that is the importance of tweaking the ICT curriculum in schools and universities, which must now incorporate some elements of cybersecurity. This will prepare young Indonesians to better equip themselves against potential cyber incidents.

In an era where cyber-attacks can be used as a bargaining chip in a geopolitical game, Indonesia must uphold its guiding foreign policy principle of bebas aktif (free and active). This principle continues to bestow Indonesia with a large strategic room to manoeuvre through the uncertain geopolitical landscape, allowing Indonesia to avoid being overdependent on a single partner.

As indicated above, a previous alignment (the Philippines) or a golden era of bilateral relations with China (South Korea) did not spare the two countries from being targeted by China’s cyber activities. These should serve as a warning alarm to other middle powers such as Indonesia, which must undertake a selective alignment process to balance its approach to different powers in today’s geopolitical flux.

For example, Indonesia should consider enhancing its cooperation with partners in the Mexico, Indonesia, the Republic of Korea, Turkey and Australia (MIKTA) grouping. The last three of these countries are open to collaboration with others in the regulation of cyberspace. It is thus to these three countries that Indonesia could potentially turn in order to elevate its cyber capacity through close consultations and the exchange of best practices.
