Indonesia’s journey towards a robust cybersecurity framework is marked by strategic initiatives and regulatory developments. The Draft Bill of Cyber Security Act, still under deliberation, underscores the urgency for a comprehensive cybersecurity strategy. This need is amplified by the rise in cyber-attacks on government websites, shaking public confidence in the country’s cyber safety. The National Cyber and Cryptography Board (BSSN) recorded over 370 million cyber-attacks in 2022, a significant increase from the previous year. These figures highlight the critical need for strategic policies to secure Indonesia’s cyber environment, especially in the absence of a dedicated cybersecurity law.

Despite the absence of a specific cybersecurity law, the Indonesian government has implemented various regulations to strengthen cyber defenses. Law Number 11 of 2008 on Electronic Information and Transaction mandates electronic system providers to protect the confidentiality, availability, authenticity, and accessibility of electronic information. It places a significant responsibility on these providers to maintain a secure cyber environment. BSSN Regulation Number 8 of 2020 on the Electronic Security System requires electronic system providers to conduct self-assessments for risk classification. The results, reported to BSSN, determine the compliance obligations according to the system’s risk category. High-risk systems must adhere to specific standards, such as the SNI ISO.IEC 27001. Presidential Regulation Number 82 of 2022 on Vital Information Infrastructure identifies nine vital information infrastructure sectors. It mandates the management of electronic service providers under relevant ministries for cybersecurity obligations. Presidential Regulation Number 47 of 2023 on Cyber Crisis Management and National Cyber Security Strategy, BSSN is tasked with executing a national cybersecurity action plan. The plan includes risk identification, analysis, and mitigation actions.

While these regulations provide a framework for cybersecurity, the absence of a specific cybersecurity law leaves a gap in Indonesia’s cyber defense strategy. The Draft Bill of Cyber Security Act is expected to fill this void by offering comprehensive guidelines and strengthening the legal basis for cybersecurity measures. However, disagreements between the government and parliament on several contents of the bill have delayed its enactment.

In the interim, the focus remains on strengthening existing measures and enhancing coordination among various stakeholders. The risk-based approach introduced by current regulations is a step in the right direction. It ensures that cyber management is administered properly through a risk management framework. Additionally, sector-specific standards and a national cyber security strategy play vital roles in mitigating cyber risks.

This involves standardizing risk assessment methodologies and mapping risks. The results of risk mapping inform the policies and regulations within the cyber resiliency strategy. Influenced by risk mapping and mitigation plans, cyber governance includes establishing cyber authority, imposing obligations, stipulating prohibitions, and managing cross-departmental digital processes.

Indonesia has yet to fully establish a risk management approach in cyber resiliency. Experts advocate for a strategic focus on risk management, especially in critical sectors. This gap highlights the need for more comprehensive cyber resiliency policies.

The security of critical sectors is paramount as cyber-attacks can disrupt government services and national stability. Manages critical sectors through the Network and Security Regulation 2018 and National Risk Assessment, with the National Cyber Security Centre as the focal point. Implements continuous risk assessment and engages with various government entities for a cohesive cyber security strategy.

The government should ensure that the risk-based approach in cyber security policies involves all stakeholders proportionally, considering the capabilities of all participants, including start-ups. For start-ups, the government could provide nurturing policies, such as regulatory sandboxing or incubation programs, balancing cyber security interests with the growth of new companies. Effective risk management requires alignment between BSSN’s strategies and the risk management policies of relevant ministries. Addressing sectoral ego within the government is crucial for successful coordination and execution.

Indonesia’s path towards a resilient cyber environment necessitates a strategic focus on risk management, particularly in critical sectors. Learning from international best practices and addressing the current gaps in policy execution and inter-departmental coordination are vital steps. By incorporating these elements, Indonesia can enhance its cyber resiliency and safeguard its digital landscape against emerging cyber threats.