October 23, 2025
JAKARTA – As Indonesia digitizes its economy, infrastructure and democratic processes, robust cybersecurity legislation is an utmost necessity due to imminent threats from both inside and outside of the country.
In drafting laws intended to protect the digital realm, a democracy like Indonesia must exercise extra prudence to avoid creating provisions that can instead stifle the fundamental right to freedom of expression and silence legitimate criticism. The nation deserves a cybersecurity law that secures both the network and the rights of its citizens.
Such an aspiration, however, seems to have fallen on deaf ears as the government has tabled a cybersecurity and resilience bill that grants the Indonesian Military (TNI) power to investigate cybercrime. The provision has raised concerns about threats to civil liberties and the militarization of cyberspace.
The controversial revision of the TNI Law in March has already broadened the military’s mandate, paving the way for its increased involvement in the civilian sphere, evidenced in the military’s active roles in the free meals and food estate programs, even in state-owned enterprises.
The legislative change did more than just allow active soldiers to fill specific civilian government positions; crucially, it also expanded the military’s authorized non-combat operations. Among these newly defined duties is the ambiguous job of supporting the government in responding to so-called cyberattacks, which critics fear will further enable the military’s encroachment into Indonesia’s civil and digital spaces.
Article 56 of the cybersecurity bill allows the TNI to act as investigators in cyber-related crimes, alongside the police, the Communications and Digital Ministry and other government agencies tasked with cybersecurity and resilience. The bill authorizes investigators to collect evidence, examine individuals and digital systems, restrict access to electronic data as well as request temporary takedowns of social media accounts and financial assets, some of them pending prior court approval.
Law Minister Supratman Andi Agtas has said military investigators under the bill would only handle offenses committed by military personnel and have no authority over cybercrimes involving civilians. The bill, he claims, aims to protect cyberspace and the nation’s critical digital infrastructure from growing cyber threats.
But the problem with the bill is that it fails to provide a clear demarcation between cybersecurity and cyber resilience. The aspect of resilience is interpreted solely as a matter of national defense. Consequently, the resulting articles are heavily state-centric.
Furthermore, when examining cybercrime, the draft bill appears to focus exclusively on crimes against the state, leading to the inclusion of articles specifically addressing sedition in cyberspace. The bill barely demonstrates a commitment to citizen rights, including privacy, freedom of expression and personal data protection. The entire focus is directed toward state security, rather than human security.
We have already grappled with the problematic implementation of the Electronic Information and Transactions (ITE) Law, where ambiguous articles related to defamation and hate speech have been systematically deployed to criminalize citizens for their online commentary.
Indonesia’s digital rights score is notably low when viewed in light of global trends. Data from the World Justice Project records Indonesia’s value at only 0.9. This figure clearly indicates that the protection of digital rights remains a serious and persistent problem.
Now with the military joining cyber-surveillance efforts in the name of national security, there are strong reasons for us to fear an impending democracy firewall as a direct consequence of the democratic regression we are now enduring. As one analyst put it, the bill will only change the method of suppression; whereas in the past silencing was achieved through military intelligence operations, it can now be done via cyber patrols.
Lessons from established democracies highlight the critical need for a balanced approach. While countries like the United States and European Union member states have prioritized mandatory security standards for critical infrastructure, they have also created strict regulatory boundaries to protect privacy and civil liberties.
A bill driven by a security mindset, instead of a human rights approach, as in the case of the cybersecurity draft law, will inevitably be a source of fear, not security.