Commentary: Indonesia’s digital ambitions get a reality check with ransomware attack
A major cyberattack in June took out a national data centre and crippled public services in Indonesia. Cybersecurity efforts must live up to Jakarta’s lofty digital ambitions, says NTU’s Sulfikar Amir.
This audio is generated by an AI tool.
SINGAPORE: Queues snaked through major airports on Friday (Jul 19) as a global tech outage disrupted services, as airlines processed check-ins manually and even cancelled flights. For Jakarta’s Soekarno-Hatta International Airport, it was the second time in a month.
On Jun 20, travellers waited for hours to go through immigration at Indonesia’s busiest airport. The sudden loss of immigration data on the server forced officers to rely on manual checks and dozens of international flights were delayed. Other major airports like Surabaya’s Juanda International Airport and Bali’s Ngurah Rai Airport suffered similar disruptions.
Days later, the authorities revealed that this was caused by a breach of the country’s national data centre temporary server (PDNS). The group Brain Cipher claimed responsibility for the cyberattack, using the infamous LockBit 3.0 ransomware, and demanded US$8 million from the Indonesian government to unlock the data.
Over 280 government agency systems lost access to data stored on the national servers, such as national identification numbers and addresses. Citizens affected by the cyberattack included students receiving grants for university tuition. With no access to the students’ data, the education ministry was forced to postpone disbursement and request resubmissions.
Alarmingly, there was no backup for almost all of the compromised data. The consequences for Indonesians could have been considerably more profound had the hacker group not unexpectedly released the decryption key for free.
Despite the anti-climax ending, it is worth asking why and how these data breaches have transpired, given Indonesia’s lofty digital ambitions.
INDONESIA’S DIGITAL AMBITION
Indonesia’s ambition of a digital nation has its roots in 2019, when President Joko Widodo, popularly known as Jokowi, signed a presidential decree to pave the way for the Satu Data Indonesia (SDI) or One Data Indonesia policy. SDI aimed to integrate and standardise data systems in the massive country of 280 million people.
The Indonesian government’s chronic inefficiency was attributed to its disorganised and inaccurate data systems: Every ministry had its own system that was incompatible with one another. At the local government level, data systems were unstructured if they were even implemented. Discrepancies between data used to formulate policy and reality on the ground meant several development programmes failed as a result.
Digitalisation has always been a major development agenda for Mr Jokowi. A strong believer in e-government, he pushed for digital adoption in all sectors, especially those related to investment and public services.
His vision led to establishment of the national data centre (PDN). PDN was designed based on the belief that centralised data systems would remove hindrances and bottlenecks, and allow central and local district governments to use data more effectively.
The plan was to consolidate government data in a single data centre with four centrally-controlled servers located in Cikarang, West Java; Batam, Riau Islands; Labuan Bajo, East Nusa Tenggara; and the new capital Nusantara, East Kalimantan.
The Cikarang server was due to be completed in October, with the remaining three to be developed gradually. However, the Ministry of Communications and Informatics (Kominfo) built a temporary server in Surabaya – the PDNS compromised in the June attack – so it could be launched during Indonesia’s upcoming independence day celebration on Aug 17.
This haphazard approach is how the problem emerged.
VULNERABILITIES IN CENTRALISED SYSTEM
On the surface, weak server protection and administrator password (allegedly “Admin#1234” on a document that circulated after the hack) appear to be the flaws exploited in the cyberattack.
The startling lack of backup data was also because it was optional for government agencies to do so, according to Hinsa Siburian, head of the National Agency for Cyber and Crypto (BSSN) which oversees the cybersecurity of all government digital infrastructures. In response, the chair of the commission looking into the incident called it a “stupidity”, not governance issue.
However, a deeper analysis highlights the vulnerabilities of a centralised data system. While centralisation may improve efficiency, the entire system becomes an easy target when all national data systems can be compromised merely through a single server.
Cyberattacks have been more commonplace than the government would like. Past major incidents compromised bank details and financial documents by the state-owned Bank Syariah Indonesia in 2023, as well as health status and personal data collected by the health ministry in 2021.
Indonesia is one of the largest digital markets in Asia today and digital technologies remain fundamental for the country to pursue stable economic growth. Such data breaches hurt both commercial and public interests.
INSTITUTIONAL REVAMPS NECESSARY
Yet, the solution is less about technology and more about institutions. This may mean revamping the institutions overseeing its digital infrastructures, namely Kominfo and BSSN.
Kominfo needs stronger institutional capability, technocratic experience and technological vision. Its authority covers all areas of communication and information technology, but its leaders lack competence and expertise in this field. In organisational studies, it is widely acknowledged that meritocracy in leadership shapes a stronger institution.
It is therefore odd that such an important ministry has been led by political figures in the past decade, instead of professionals with proven credentials. This is perhaps due to the view that the minister position is seen as mere political barter, and current minister Budi Arie Setiadi has faced growing calls to resign after the PDNS attack.
As for BSSN, it is in need of restructuring and proper resourcing to act as the agency for cybersecurity, a task it took over from Kominfo. Since its inception in 2021, BSSN has lacked capacity to oversee the task due to insufficient staff, resources and authority. It receives relatively a small amount of annual budget only enough for maintenance but not for improving expertise in cybersecurity.
The recent cyberattack revealed the institutional disarray between Kominfo and BSSN during a digital crisis. Kominfo held BSSN responsible for the incident, while BSSN insisted the protection of the temporary server would be under Kominfo’s authority. Perhaps it would be in Indonesia’s interest to return cybersecurity under the management of Kominfo.
Indonesia is without a doubt capable of acquiring the best possible cybersecurity systems. What will be more challenging is to ensure its institutions can live up to its digital ambitions.
Sulfikar Amir is Associate Professor of Science, Technology, and Society at the School of Social Sciences, Nanyang Technological University, Singapore, and author of The Technological State In Indonesia: The Co-constitution Of High Technology And Authoritarian Politics.
