Indonesia has started their strategic initiatives by discussing the Draft Bill of Cyber Security Act. However, the government and the parliament have yet to agree on several contents of the bill. On the other hand, the urgency of having a strategic and comprehensive cybersecurity approach has never been as important as today. We have seen several cyber attacks on the government’s official website, raising concern about how we trust the country’s cyber safety situation. National Cyber and Cryptography Board/Badan Siber dan Sandi Negara (BSSN) recorded over 370, 022, 283 cyber attacks in 2022, which increased from 266, 741, 784 in 2021. The strategic policies on procuring a safe cyber environment must be needed to tackle any severe impacts caused by these malicious cyber penetrations, but with the absence of cyber security law as our guidance, how should we mitigate any risk associated with the cyber realm?
Current Approach
The Government has enacted several regulations that address cyber security. For example, Law Number 11 of 2008 on Electronic Information and Transaction accommodates cyber protection by imposing obligations to the electronic system providers. Protecting the confidentiality, availability, authenticity, and accessibility of electronic information is part of the electronic system providers’ obligations to procure a safe and sound cyber environment within their system. Furthermore, the government, through BSSN, has enacted the BSSN Regulation Number 8 of 2020 on the Electronic Security System. This regulation emphasizes that all electronic system providers must conduct a self-assessment to determine which risk classification that their system would fall. The result must be reported to BSSN and they must comply with cyber security obligations according to their category. If they fall into the high-risk category, they must obtain the specific SNI ISO.IEC 27001 and other applied standards determined by sectoral ministries. This approach introduces the risk-based approach to ensure that cyber management should be administered properly through a risk management approach. Indonesia has enacted Presidential Regulation Number 82 of 2022 on the Vital Information Infrastructure which determines nine vital information infrastructure sectors. All electronic service providers must be managed by their relevant ministries for any cyber security obligations. Furthermore, the Government also issued Presidential Regulation Number 47 of 2023 on the Cyber Crisis Management and National Cyber Security Strategy. BSSN is given a mandate to conduct an action plan to execute the area focus of the national cyber security, including the risk management plan. The risk management plan focuses on the risk identification, the risk analysis, and mitigation action.
The Risk Approach In Cyber Resiliency
Strategically, any country who have digital activities must create and implement the cyber resiliency framework. This framework is made to ensure that the cyber environment is managed properly, from planning to the maintenance process. It also becomes a reference for the government to determine a set of policies that they would do. Risk management in cyber resiliency falls into the planning process. Risk management in this sector consists of a risk assessment system, governance, and cyber resiliency strategy. The assessment system is important to determine standardised risk assessment methodology and risk mapping, which the risk mapping result should be enforced through a set of policies and regulations stated in the cyber resiliency strategy. Cyber governance is influenced by risk mapping and mitigation plans that any types of supporting measures must be led by the government i.e. establishing cyber authority, imposing obligations, stipulating prohibition, managing cross-department digital processes such as integrated licensing or cyber incident report and rectification. Unfortunately, Indonesia have yet to establish this approach and many experts believe that strategic cyber resiliency by focusing on the risk management approach for critical sectors is needed.
Cyber Security For Critical Sector
The protection of cyber security in the critical sector is very important because any system compromised by cyber-attacks may deter the government’s public services and put a country in a dangerous position. To give a visual imagination, if we watch Die Hard 4 starring Bruce Willis, we can see that cyber attacks conducted by terrorists make water, electricity, and military security systems down, causing disruption, chaos, and turmoil in the economic and politics. The cyber process in critical sectors influences a country’s stability and specific protections and mitigation plans must be needed. In the United Kingdom, the critical sectors are managed through a risk management approach under the Network and Security Regulation 2018 and National Risk Assessment. These two policies undermine the specific National Cyber Security Centre, under the Government Communication Headquarters as the Single Point of Contact and Cyber Security Incident Report. In addition, the assessment will be the basis of a risk management strategy and mitigation plan that should be executed by all stakeholders, from ministries to related digital service providers. Ireland, as one of the leading country in cyber security, also implement national cyber risk management by applying continuing risk assessment by engaging with other government entities such as An Garda Siochana (the police institution), the National Security Analysis Centre di Department of the Taoiseach, Central Bank of Ireland, Commission for Regulation of Utilities (CRU), dan Commission for Communications Regulations (Comreg).
What We Need Now
The execution of a risk-based approach for cyber security policies should embrace at least two points. First, the government must ensure that the process must be carried out by all stakeholders proportionally. It means that proper identification of stakeholders must sufficiently address the current ability of all players in the field, especially any providers who engage in any sector under the vital information infrastructure. If the provider is a start-up, the government, through BSSN and related ministries, must ensure any nurturing policies for them to gradually comply with policies. Regulatory sandboxing or incubator of start-ups might be an alternative solution in the procuring nurturing process. This enables the longevity of the start-ups while preserving cyber security interests. Second, we have to ensure that cross-coordination and execution of risk management that would be made by BSSN must align with relevant ministries’ risk management policies. This is a challenging process because we have seen a lot of ego sectoral within government in almost every sector. If we can find the right approach in making the coordination better, we already resolve half of our problem.
