Indonesia’s Cybersecurity: An Opportunity for Deeper Cooperation
November 26, 2013
The experience of recent years has shown that uncoordinated, individual cyber-attacks have become an inevitable response to real or perceived crises between nations. The actions of individual hackers should not be conflated with those of governments, but they are still harmful and cannot be ignored. States must secure their networks to protect national interests. Indonesia is beginning to seriously develop its cybersecurity capabilities, and this presents a unique opportunity for deeper cooperation with its partners, including the United States.
In the past two years, analysts both inside and outside the Indonesian government have called for the country to boost its cybersecurity and defense networks. Earlier this year, Minister of Defense Purnomo Yusgiantoro and the Defense Ministry’s director-general of security potentials Pos M. Hutabarat each raised the idea of a “cyber army”—an elite group, embedded in the navy, army, and air force, that could defend Indonesia’s networks against cyber-attacks.
Minister of Communications and Information Technology Tifatul Sembiring said in September that Indonesia “needs to be wary of cybersecurity threats” and called on the government to “include cybersecurity under its national security police.”
Indonesia faces numerous challenges in developing its cybersecurity capabilities, including coordinating across a large and diffuse government. Currently, the government has no coordinated strategy for cybersecurity, although it is in the process of developing one. It remains to be seen if Indonesia will promote one branch of its security structure to manage cybersecurity across the government, or if it will develop a coordinating body to allow agencies to manage their own networks autonomously but coordinate efforts when needed.
If Indonesia chooses the latter option, the United States can provide one model of how such a system can work in a federal structure. The United States utilizes a cybersecurity coordinator, currently Michael Daniel, to direct and oversee coordination among federal government agencies, states, local governments, and the private sector. Given Indonesia’s federal organization and the tensions underlying the relationship between its police and military forces, this method could be the easiest for Jakarta to put into immediate practice.
A second challenge is cooperation with regional partners. Ongoing dustups regarding information collection in the region make this contentious, but such cooperation is a crucial step in establishing regional norms, protections, and standards as the Asia Pacific grows more interconnected. Issues such as cybercrime can create a jumping-off point for regional efforts. Akamai, a U.S.-based Internet content provider that monitors roughly a third of global Internet traffic, reported in October that Indonesia overtook China as the number one source of cyber-attacks in the second quarter of 2013. The ability to hijack IP addresses means not all the attacks necessarily originated from Indonesia, but the report demonstrated the country’s vulnerability to cybercrime.
Indonesia has recognized the need to establish international norms on cybersecurity. For example, it participated in a 15-member UN group examining norms and state behavior, which agreed to a consensus report in June stating that international law applies to state actions in cyberspace.
Regional cooperation on cybersecurity is becoming more prevalent. Major mechanisms include the Asia Pacific Computer Emergency Response Team (APCERT), which provides technical assistance, best-practice sharing, and training and includes 30 groups from 21 economies, including two from Indonesia. The country’s national police opened a second joint cybercrime office with their Australian counterparts in Jakarta in April. And while Indonesia has cut off cooperation efforts with Australia in response to recent revelations that Canberra used its Jakarta embassy for intelligence gathering, it is likely that cooperation will renew and expand in the future.
The U.S.-Indonesia Comprehensive Partnership includes some initial mechanisms for bilateral cybersecurity cooperation, but these need to be strengthened. The United States has used the ASEAN Regional Forum to engage countries on cyber-threats and security, and is currently seeking to partner with an ASEAN country to conduct a series of cyber workshops, according to the State Department. Such efforts between the United States and Indonesia would help to boost Jakarta’s own cybersecurity efforts while building on regional norms and engagement.
Whatever form its cybersecurity takes, Indonesia will require general education and awareness. A strong cyber defense system requires consistent adherence to protective measures across the government. Broad-based education of government officials on basic security techniques and preventative measures would go a long way toward establishing basic security, as would better education for the general population on safe Internet practices. Here the United States can play a role in assisting with training and best practices.
Indonesia’s cybersecurity presents a complex challenge, but the country is no stranger to asymmetric security challenges. Coordination across government sectors combined with the development of an elite, anti-terrorism squad, Densus 88, severely disrupted domestic terrorist networks in the years following the 2002 Bali bombings. While terrorist networks, including Jemaah Islamiyah, remain active, their capabilities are greatly reduced and remain at a manageable level.
Cybersecurity presents a similar test. But it also presents an opportunity for greater U.S.-Indonesian engagement through organizational assistance and cooperation. While countries across the globe are on high alert as revelations of information gathering by the United States and its allies mount, best practices and basic joint training can help to reestablish trust among partners. No security system will ever be perfectly secure, but Indonesia can develop one that allows it to manage attacks, mitigate risk, and prevent most infiltration and insecurity.
(This Commentary originally appeared in the November 26, 2013, issue of Southeast Asia from the Corner of 18th & K Streets.)
Kathleen Rustici is associate director of the Sumitro Chair for Southeast Asia Studies at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2013 by the Center for Strategic and International Studies. All rights reserved.