Introduction
The rise of China has prompted the Middle Kingdom to challenge the United States’ supremacy on a number of dimensions, be it geopolitical influence, trade and investment, or cyberspace.
Unfortunately, in the process, this has also put China at odds with other countries, complicating their intertwined and interdependent bilateral relations.
As exemplified by South Korea and the Philippines, the pursuit of their respective national interests has made them ample targets of China’s cyber operations. Their stories serve as a warning flag for other countries, particularly those that are still bent on state-building objectives.
As a multidimensional partner to China, Indonesia could learn a few lessons from the experience of the two aforementioned countries.
China’s Cyber Operations in South Korea and the Philippines
In March 2017, South Korea’s Lotte Group became a target of administrative investigations, business boycotts and cyber-attacks by China owing to its land being used as a site for Terminal High Altitude Area Defense (THAAD). A virus was planted on the website of Lotte’s China branch, which successfully suspended its operation for several days. The cyber-attack could be considered part of the retaliatory attacks that cost Lotte’s supermarket a 95% loss in 2017.
It may seem trivial to blame Lotte’s financial loss solely on this cyber-attack, considering other business- and financial-related factors were also at play. However, it shows the extent to which China is ready to pursue its interests and shape the environment to be favorable to its vision.
This is reminiscent of the term “doghouse diplomacy”, referring to a state’s exercise of aggravated acts towards a disobedient party in order to reap profitable circumstances or gains. It also indicates a reversal of the touted best bilateral period between China and South Korea in modern history, which lasted from 2013 to 2016.
The Philippines faced a similar conundrum recently. A cyber-attack against a government institution was detected earlier in 2023, and findings by Palo Alto Networks, a US-based cybersecurity firm, attributed the attack to the Stately Taurus group from China.
The government of the Philippines was hardly able to muster an appropriate response, as the Department of Information and Communication Technology was manned by only 35 personnel. Budgetary constraints have hindered the country from building sufficient measures to respond to and counteract such cyber-attacks.
Geopolitical factors also come into play. Since coming into power, President Ferdinand “Bongbong” Marcos Jr. has pursued policies aimed at safeguarding the Philippines’ land and resources. This has necessitated some realignments in its relationship with the United States. For example, bilateral talks in November 2022 produced a few initiatives to further foster the alliance. Besides, an additional $7.5 million in financial assistance was conferred to enable the Philippine Coast Guard to acquire more patrol ships. In addition, a development grant under USAID helps the Philippines to embark on nature conservation and sustainable fishing agendas, with a targeted area around the South China Sea.
Manila does not stop with just the United States. For example, the Philippines partnered with Australia for a joint patrol in the South China Sea in November 2023.
These steps, unfortunately, have caused discomfort among some in China’s security establishment. The aforementioned cyber-attack on a government body is also believed to be part and parcel of China’s displeasure. This should not have come as a surprise. After years of former President Duterte’s China-leaning foreign policy, the new administration suddenly took steps that signal its move away from China’s orbit.
Lessons Learned for Indonesia
There are some valuable takeaways for Indonesia.
Firstly, the Philippines’ case shows the importance of capable human resources in the field of cybersecurity. Officials of the targeted government body were reportedly unable to respond to the threat properly.
Indonesia has taken the right step forward by establishing a national cyber agency called Badan Siber dan Sandi Nasional (National Cyber and Crypto Agency – BSSN). Whether BSSN will prove to be an effective bulwark against cyber-attacks remains to be seen.
A formal infrastructure is not a cure-all solution, considering Indonesia’s digital protection ecosystem continues to be substandard. There have been some remedies to ameliorate this, such as the relatively new Personal Data Protection Act Number 27 of 2022, which stipulates the creation of a new data protection authority and calls for a structured, transparent and reliable data regime for commercial purposes.
Still in its transition process today, the Act will come into force in October 2024, a full two years after it was passed. Last year, the Ministry of Communication and Informatics (Kominfo) also announced that the government had drafted a derivative regulation that will administer the Act’s scope and aims in more detail. The ball is now in the executive branch’s court to realize this vision of a more secure digital ecosystem in Indonesia.
Next, interagency cooperation, such as between BSSN and Kominfo, remains convoluted. As evidenced by a data breach case in July 2021, both agencies tended to be reactive in their response, failing to cut off the root of the problem in the country’s frequent personal data leak cases.
Further complicating the picture is the presence of two bodies tasked with carrying out cyber-intelligence activities. While BSSN oversees the public sphere, Badan Intelijen Strategis (Strategic Intelligence Agency) operates foreign and military cyber-intelligence under the auspices of the Indonesian Armed Forces.
Meanwhile, both agencies are separate from Badan Intelijen Negara (State Intelligence Agency – BIN), an independent body that carries out general intelligence operations on behalf of the state.
Any effort to improve interagency cooperation must be cognizant of the jurisdictional maze controlled by either of these agencies. Since overlap is a risk, ensuring a clear standard of operation and procedure as well as a data-sharing mechanism is crucial. Clear boundaries between the two would also assist the prospective data protection authority in identifying and removing gaps as well as executing its task efficiently.
With all of these issues, it might be too tall an order to expect BSSN to safeguard our data and systems in Indonesia, especially if multiple cyber incidents occur simultaneously. Therefore, it is important to enable the private sector, civil societies and the grassroots to learn the most basic cybersecurity and cyber-hygiene skills. Local universities could serve as important partners to advocate for and administer such an agenda.
Linked to that is the importance of tweaking the ICT curriculum in schools and universities, which must now incorporate some elements of cybersecurity. This will prepare young Indonesians to better equip themselves against potential cyber incidents.
In an era where cyber-attacks can be used as a bargaining chip in a geopolitical game, Indonesia must uphold its guiding foreign policy principle of bebas aktif (free and active). This principle continues to give Indonesia ample strategic room to manoeuvre in the uncertain geopolitical landscape, allowing Indonesia to avoid being overdependent on a single partner.
As indicated above, a previous alignment (the Philippines) or a golden bilateral relationship era with China (South Korea) did not spare the two countries from being targeted by China’s cyber activities. These should serve as a warning alarm to other middle powers such as Indonesia, which must undertake a selective alignment process to balance its approach to different powers in today’s geopolitical flux.
For example, Indonesia should consider enhancing its cooperation with partners in the Mexico, Indonesia, the Republic of Korea, Turkey and Australia (MIKTA) grouping. The last three of these countries are open to collaboration with others in the regulation of cyberspace. It is thus to these three countries that Indonesia could potentially turn in order to elevate its cyber capacity through close consultations and exchange of best practices.