Jakarta – What an anticlimactic end to the hyped cyberattack on Indonesia's frail data system. Brain Cypher, the hacker group that claimed responsibility for hacking a temporary national data center recently, apologized for its action and handed over encryption keys to the government for free on July 3, after previously demanding a ransom of US$8 million.
The incident, however, only laid bare the country's defenseless data system under the government's auspices, raising many eyebrows as to why the government did not learn from previous attacks. Public pressure on government officials responsible for data protection to resign is therefore justified, as a specialist field like cybersecurity requires people with specific competencies.
The officials are lucky that the Personal Data Protection (PDP) Law, passed in 2022, will only take effect in October; otherwise they, as personal data controllers, would face justice for failing to protect citizens' personal data.
To some extent we should thank the hacker group not because of their generosity, but because of their wake-up call. The attack served as yet another reminder about the vulnerabilities of our data centers and data system in general to cyber threats and the urgent need to revamp our data protection arrangements.
If we fail to take lessons from the humiliating ransomware incident, the country's transformation to a digital world will be at stake. Furthermore, public trust in the government's ability to protect our personal data, which is recognized as a fundamental right according to the Constitution, will be eroded unless improvements are put in place.
The damage done by Brain Cypher cannot be overstated. Brain Cypher used LockBit 3.0 ransomware to lock all the data in the temporary data center in Surabaya, East Java. Among the affected public services were immigration activities, student enrollment, Indonesia Smart Cards and Tax Identification Number (NPWP) validation.
The center stored data from 282 government agencies, including ministries, state agencies and local governments; 239 of them simply lost their data as they did not have backups.
The next time cyber criminals launch their attacks, the consequences may be more devastating and pervasive if no mitigation efforts are made.
The National Cyber and Encryption Agency (BSSN) has actually formulated a national cybersecurity strategy road map that helps various cybersecurity stakeholders develop cybersecurity policies in their respective agencies. Few, however, are aware of the road map as it is not well publicized.
During the first phase between 2019 and 2025 the focus is on the stabilization of cybersecurity technology. This includes building cybersecurity technology capabilities at the BSSN, preparing regulations and management systems and developing human resources in the field.
The second period (2026-2035) emphasizes the integration of national cyber and encryption technology to encourage regulations in the economic sector related to automation, organic and cyber transformation in banking and economic transactions. Development of smart government and efforts to ensure the sovereignty of the cyber dimension will be the highlights of this period.
In the final period, 2036-2045, the government will prioritize ensuring the independence of our cyber and encryption technology. The objective is to safeguard the national interests and state sovereignty in the cyber domain.
Given the vital role of data center infrastructure in supporting the digital transformation of government services, it is important to resolve the security incident at the temporary data center thoroughly and in a transparent and accountable way.
The way this cyberattack is handled will affect the continuation of the digital transformation of government services, especially with regard to public trust in the management of citizens' personal data, which is the basis for providing public services. Following the ransomware incident, the government has to make sure all the data centers adopt the highest security standards. This should be manifest in the regulations the government is now preparing to implement the PDP Law, which will come into force in mid-October.
To ensure the highest security standards, the persons who will sit in the institution responsible for overseeing personal data protection as mandated by the PDP Law should have expertise in cybersecurity. Meanwhile, a campaign to raise public awareness about data protection is imperative.
Source: https://www.thejakartapost.com/opinion/2024/07/09/ransomwares-hard-lesson.htm