September 16, 2022
JAKARTA – Critics are lamenting a “clear lack of understanding” in the state’s latest cybersecurity measures, after a quick response team established to address a recent spate of data leaks played down the sensitivity of the information being circulated.
Following a presidential instruction to address the rampant cyberattacks, Coordinating Political, Legal and Security Affairs Minister Mahfud MD kicked off the first meeting of the Data Protection Task Force on Wednesday. The group consists of data regulators, law enforcement officers and intelligence officials.
At a press conference following the meeting, Mahfud waved off the recent cyberattacks perpetrated by hackers like Bjorka, who over the past few weeks has claimed to have breached state cybersecurity defenses, compromised billions of pieces of citizens’ personal data and put them up for sale online.
“We will take this seriously and have already started to address the issue at hand. But we also want the public to remain calm because so far there have not been any leaked state secrets,” the minister said, claiming that the recent leaks were nowhere near as dangerous as the top-level Australian espionage attempts on Indonesia from the 2010s exposed by WikiLeaks.
The formation of the task force was the result of a limited Cabinet meeting called by President Joko “Jokowi” Widodo on Monday, where he demanded that his ministers deal with the data leaks of the past month, which had exposed the ease with which state infrastructure could be bypassed.
While there was no official announcement on the matter, the task force consists of representatives from the Communications and Information Ministry, the Home Ministry, the National Police’s cybercrimes division, the State Intelligence Agency (BIN) and the National Cyber and Encryption Agency (BSSN).
Mahfud, the highest-ranking official on the team, did not elaborate on the task force’s scope of authority.
Cybersecurity experts remain unconvinced that such an ad hoc group can bring about significant changes to the state’s approach, particularly in light of inconclusive results from previous cases of data breaches handled by government agencies.
Wahyudi Djafar, executive director of the Institute for Policy Research and Advocacy (Elsam), said it remained unclear whether the new task force’s scope of authority would be to coordinate government institutions or to take action against data theft and online leak perpetrators.
“We have never received any clear reports [from the communications ministry or the BSSN] on cyberattack incidents so far, and now they are effectively shifting the burden of responsibility against each other,” he told The Jakarta Post on Wednesday.
“So now when the government forms [another] task force, what kind of capacity will it have?”
Accusations of complacency
Prior to the President’s instruction, the BSSN held the primary authority to enact cybersecurity policy.
Originally known as the National Encryption Agency (Lemsaneg), the BSSN’s scope of work was expanded in 2017 to consolidate overlapping cybersecurity responsibilities from various state institutions, including the BIN, the National Police, the communications ministry, the Defense Ministry and the Foreign Ministry.
However, instead of cracking down on cybersecurity incidents, the BSSN has focused more on reporting them in an annual monitoring study and serving warnings and administrative sanctions to electronic services providers.
Just over a year ago, when President Jokowi’s COVID-19 vaccination certificate was leaked online, government officials claimed that the individual data points needed to obtain the document could have been sourced from publicly available information on the President.
Earlier this week, Mahfud deflected criticism on the alleged data leaks by tweeting that his own personal data was not confidential and could easily be found on the internet or in the books he had written.
On Wednesday, he repeated this line of reasoning, saying that the data that was reportedly leaked was “general stuff”. This alarmed some experts, who believed that a senior state official was making light of a serious situation.
“If we look at the coordinating minister’s statement, then it is as if he only considers state secrets important [to protect and not] the personal data of the greater public, which has been leaked, sold off and circulated freely since 2019,” digital forensics expert Ruby Alamsyah told Kompas TV on Wednesday. “Does this not concern the coordinating minister or the BSSN?”
Elsam’s Wahyudi also criticized the statement, saying data protection was not just about confidentiality but also about control over one’s own data.
“It shows the government lacks a clear understanding of the concept of personal data and its protection,” he said.
At the unveiling of the new task force, Mahfud said it had been set up to help bring about a more sophisticated cybersecurity system and to prepare for the personal data protection bill, which is expected to be passed into law in the coming months.
“[The bill] also requires there to be a team that works on cybersecurity,” Mahfud said.
He did not clarify whether the task force would take on the role of the data protection oversight agency called for in the bill.