Introduction
The recent Brain Cipher ransomware attack on Indonesia’s Temporary National Data Center (PDNS) starkly highlights the state’s continued lack of appreciation for cybersecurity. The attack paralyzed 282 government institutions, causing massive disruption to public services such as immigration checkpoints at several international airports.
Most harrowing is the revelation that the affected data cannot be recovered: only 2% of the stored data was backed up.
As its name suggests, PDNS is intended to be a temporary data storage solution while the Ministry of Communications and Informatics (Kominfo) builds the National Data Center (PDN). PDN is intended to be the main data storage hub for all government institutions in the country, as mandated by the state.
While waiting for its completion, three PDNS are in use at the moment, located in Surabaya, South Tangerang and Batam. It was the first of these PDNS, the one located in Surabaya, that was affected by the disastrous ransomware incident, first detected on 17 June 2024.
The Blame Game Begins
The confusion that ensued showcases a classic problem in Indonesia’s governance system: jurisdictional uncertainty and overlap.
Instead of admitting its oversight during its meeting with the House of Representatives (DPR), Kominfo pointed the finger at the “tenants”, the government institutions that store data in PDNS but failed to back up their own data. The National Cyber and Crypto Agency (BSSN) reinforced this argument, stating that tenants should be responsible for their own electronic systems. Meanwhile, server provider Telkomsigma maintained that the system in place was already sufficient.
Each stakeholder’s responsibilities need to be broken down to obtain a deeper understanding of what really transpired.
In the PDNS ecosystem, there are at least four actors, namely Kominfo, BSSN, Lintas Arta and Telkomsigma as providers (the latter operates the Surabaya PDNS), and tenants. Kominfo and BSSN have the broadest power and responsibilities.
Per Government Regulation No. 71 Year 2019 (GR 71/2019), Kominfo is responsible for regulating, supervising and coordinating every electronic government system, which includes PDN and PDNS. Furthermore, Presidential Regulation No. 95 Year 2018 (PR 95/2018) explicitly states that PDN is a strategic project under Kominfo, which must ensure operational eligibility before PDN finally begins operating.
Reflecting on all these legal grounds, there are at least three essential roles played by Kominfo in the PDN system: “owner,” “regulator” and “expert”.
Despite these major roles, Kominfo’s attitude since the attack has appeared hands-off. This is reflected in Kominfo’s lackadaisical statement regarding the lack of backed-up data: stating that a backup facility was already in place, Kominfo said that the decision to back up data lies with each tenant.
Such a statement indicates Kominfo’s seeming detachment from its responsibility as a regulator, which should instruct its tenants to back up their data, and as an expert that must be cognizant of the basic cybersecurity necessities of e-governance.
Ideally, Kominfo should have ensured that all security measures are met before mandating government institutions to store their data in PDNS and, in the future, PDN.
Operationally, Telkomsigma is the service provider. We cannot know precisely what its actual responsibility is, since there is no accessible legal document detailing its exact relationship with Kominfo.
We can infer that Telkomsigma’s responsibility is technical in nature, meaning that it is an operator that can only act on Kominfo’s instructions. Even so, Telkomsigma plays a huge role in ensuring security and data protection, such as enforcing strong passwords and multi-factor authentication.
BSSN is another crucial actor. It has a strategic role and remarkable power because it operates directly under the president. Presidential Regulation No. 28 Year 2021 (PR 28/2021) states that BSSN has the responsibility to establish technical policy standards in cybersecurity implementation. Thus, BSSN should ideally maintain the cybersecurity of all e-governance systems, including PDN and PDNS.
PR 95/2018 also states that BSSN is responsible for assessing a system’s cybersecurity eligibility. Despite this vast power and responsibility, Kominfo curiously did not involve BSSN in the development of PDNS, indicating a lapse in judgement on the part of the government. Perhaps Kominfo does not yet acknowledge BSSN’s role and significance, even though BSSN holds a ministerial-level position.
There are also the tenants, such as the Ministry of Law and Human Rights; the Ministry of Education, Culture, Research and Technology; the National Public Procurement Agency; and some regional government institutions, which are often scapegoated by Kominfo and BSSN. According to PR 95/2018, tenants are obligated to use PDN, which means they have no choice but to store their data on the government’s appointed servers. Specifically, Kominfo issued Circular Letter No. 3 Year 2021 (CL 3/2021) urging institutions to maximize their use of PDNS until PDN is fully operational.
Tenants have less technical knowledge about PDNS and store their data there only because they are compelled to do so. On top of that, they are also made responsible for protecting their data, which can be a source of inconvenience.
Putting the Attack into Context
It is imperative to put this ransomware incident in the context of personal data protection. This is because PDNS contains and processes citizens’ personal data that have been collected by the state over the years.
Fortunately, Indonesia’s Personal Data Protection Law, which only comes into force in October 2024, can inform us about how the state is responsible for protecting citizens’ personal data.
The Law establishes three actors in a data processing system – data subjects, data controllers and data processors.
In the PDNS ecosystem, the data subjects are the individuals whose data are stored in the system by each government institution. They have rights that allow them to be informed about how their data are collected, stored and processed by the data controller, which in this context is the government institution.
In this case, it is more likely that the data subjects, the citizens, do not even know that their data are stored in the PDNS. The state might argue that this measure was taken to ensure public interest is met.
However, even with this argument, the decision to store data in PDNS should be subject to other safeguards to protect the rights and interests of the data subjects. These include the principles of fairness and transparency as well as a data protection impact assessment.
Moreover, when there is a violation of personal data protection, such as a ransomware attack, the data controller should effectively respond. If the violation affects the rights of the data subjects, the data controller should properly inform them in a transparent manner.
Unfortunately, in this ransomware incident the state has failed to ensure that the data subjects’ rights are met, because the data were not even backed up in the first place. This means each affected government institution cannot determine exactly whose data has been compromised.
The problem compounds when we consider that these government institutions are merely “tenants” in the PDNS system. On one hand, as data controllers they have the responsibility to protect the data they collect. On the other hand, these institutions have no control or power over how the PDNS system is governed and protected.
To some extent, Kominfo’s claim to be a data processor is valid, because it neither determines the purpose of nor controls the data stored inside PDNS. However, in the ideal relationship between data controller and data processor, the latter may only process personal data with a mandate or permission from the former.
In reality, in this PDNS system tenants have not mandated Kominfo to process the data, even though they are compelled to store their data in PDNS. Indeed, Kominfo is the one body that operates the system because by law it receives the mandate to manage the country’s data storage system. However, it has largely failed to ensure the protection of stored data, even though it has the authority to compel other institutions to use its service.
Put simply, this whole episode highlights a classic problem in Indonesia’s governance system: jurisdictional overlap. Moreover, the urge to “digitalize and modernize” has propelled the state to establish new laws and institutions and adopt new technologies, but these have not been coupled with an effort to cover the most basic necessities of its e-governance system, namely erecting a sufficient cybersecurity regime.
The failure to ensure all data are backed up is simply too glaring to overlook. Worse, the PDNS system employed ridiculously weak passwords and did not implement multi-factor authentication. All of this is testament to the statement made at the beginning: that the state has a continued lack of appreciation for cybersecurity.
Urgency to Reform
The ransomware incident should not be seen as a standalone event. It is part of a structural pattern of cyber-related issues in Indonesia. The country experiences cyber-attacks too frequently, yet the state has not been able to address the issue sufficiently.
Currently, Indonesia has implemented Law 27/2022, which should serve as the standard for data processing. BSSN, as the institution responsible for cybersecurity, has also had numerous strategic plans and policies aimed at mitigating cyber-attacks. However, the root of the problem is the willingness of government institutions to evaluate, relearn and update their knowledge and expertise. Ultimately, this ransomware incident should serve as a catalyst for reforming the cybersecurity regime in Indonesia. A first step is formulating and implementing a cybersecurity bill.