Common Challenges for Indonesia in the Cyber Realm

JANUARY 15, 2015

The government announced last week that it will form the National Cyber Agency, or NCA, to defend Indonesia from cyber attacks.

Tedjo Edhy Purdijatno, the coordinating minister for political, security and legal affairs, said the NCA is imperative if Indonesia is to be resilient against future cyber threats.

Rudiantara, the minister of communications and information technology, has similarly said that Indonesia is currently vulnerable to cyber attacks.

Although the NCA will consist of various national agencies, they should possess a common perspective and understand that cyber attacks cannot be addressed by a single agency alone, but rather through coordinated policy and operations.

The NCA’s formation may likely have been prompted by the 2013 revelation, and subsequent absence of action regarding, Indonesia’s meteoric rise as the world’s largest source of cyber attacks, according to US-based Akamai Technologies. Indonesia’s rise to surpass China as the leading root of online attacks has startled observers.

“We have … concerns,” said Gatot Dewa Broto, spokesman for the ministry of communications, said at the time. “Almost every day Indonesia gets 1,225,000 attacks coming not from outside, but from inside Indonesia.”

Defense analysts said the finding that Indonesia was responsible for 38 percent of the world’s malicious traffic in 2013 was not attributable to a sudden increase in the nation’s hacking prowess, but rather its relative security naivety and vulnerability to exploitation by foreign hackers, who use poorly secured servers in Indonesia as a base from which to launch their attacks.

It is important to note that, paradoxically, national security in Indonesia is conceptualized principally in terms domestic issues, with external threats only factoring in a broader, secondary concept of national security.

In July 2011, then-Indonesian Military chief Adm. Agus Suhartono sagely acknowledged that threats to national security have become widespread, and include both internal an external issues.

Indonesia’s Defense White Paper of 2008 noted that the objective national defense is to counteract traditional as well as non-traditional security threats. The decision of Joko Widodo’s administration to form the NCA is a reflection of the need to emphasize the external dimension of national security.

Its seems that Joko’s formation of the NCA marks a departure in his handling of national security issues from that of Susilo Bambang Yudhoyono’s administration. Cyber threats, which were absent as a Yudhoyono administration security priority, are just one type of non-traditional threat on which defense forces need to focus.

The aim underpinning the NCA is to build a stronger sense among all national agencies that cyber attacks pose a threat across a range of national interests and stakeholders unless addressed in a coordinated manner.

In the fifth century BC, Chinese philosopher Sun Tzu advocated “foreknowledge,” or predictive analysis, as an essential element of a winning strategy. He warned that defense planners must have a precise understanding of active threats and not “remain ignorant of the enemy’s condition.”

The NCA would be wise to adopt Sun Tzu’s injunction to understand existing and future threats by networked computer systems’ vulnerabilities by seeking to understand their existing vulnerabilities.

The paradox of cyber defense and security, however, is that amassing foreknowledge of one’s own software vulnerabilities and others’ capabilities is tantamount to stockpiling offensive weapons.

The very knowledge of an exploitable vulnerability in one’s own systems, if kept secret and therefore unpatched, can be used as a clandestine offensive weapon against enemies, since virtually the entire world shares hardware and software systems in common.

The NCA should work collaboratively with the Defense Ministry’s Cyber Operations Center (COC), located in Pondok Labu, South Jakarta, which forms part of the ministry’s data and information unit.

Cyber threats can be asymmetrical, where conflicts take place between one nation, whose cyber unit is developing, and another nation’s, whose is already very advanced. That would be an apt description of Indonesia’s present situation; the nation is astonishingly vulnerable — and currently sits at the low end of the scale in terms of cyber security awareness and preparedness. It is against such background the Defense Ministry aims strengthen its cyber defense capabilities.

Many other nations already have their own armies to handle cyber threats. The United States, for example, has its US Cyber Command. China has its so-called Blue Army. Israel similarly operates such a force under the flag of Unit 8200.

Soon, Indonesia will have two distinct national agencies or units dealing with cyber threats, the civilian NCA and the Defense Ministry’s COC.

The existence of two national agencies dealing with cyber threats is a clear manifestation of the government’s move to identify cyber threats as a national security issue accurately and effectively address them.

The COC will be on the front lines, connected to TNI and cyber units in the Army, Navy and Air Force. But it’s not yet clear how NCA will work, or who will lead it.

To fulfill the promise of a robust defense against cyber threats, both the NCA and COC must work toward assessing the country’s vulnerabilities and develop response scenarios base on probable and credible threats.

The NCA in particular has much work cut out for it, in terms of improving the security of both government and private sector’s IT infrastructure. Lack of awareness, lax security procedures and misconfigured systems have likely left gaping vulnerabilities to key systems that remain ripe for exploitation by foreign hackers.

There will always be surprises, no matter how effectively, systematically and carefully the government aims to protect national security.

Cyber terrorism will be especially challenging to prevent, and risks ruining the international image of Indonesia, not to mention undermine national stability.

Perhaps, some sort of agreed common platform for dealing with cyber issues for the two agencies is not only necessary but imperative if either is to avoid overlapping functions, responsibilities, or even competition.

On the other hand, redundancy is a key feature of robust systems, and the Defense Ministry’s COC may offer a fitting, offensively oriented “red team” counterpart to its civilian cousin, the NCA, which may find its purpose in preventing attacks by patching known vulnerabilities.

Whatever these agencies do, there must be agreement at the national level that, at least on the domestic front, we cannot fight cyber threats simply through the unilateral action of individual agencies.

Bantarto Bandoro is a senior lecturer at the Indonesian Defense University’s School of Defense Strategy in Sentul, Bogor