President Calls for Heightened Curb Against Data Leakage
President Joko “Jokowi” Widodo has hosted a closed meeting to discuss data security against cyberattacks. Civil society has stepped up regular audits and implementation of data-security standards.
By
Kompas Team
·6 minutes read
JAKARTA, KOMPAS - Responding to the rife hacking of public personal data, including those of public figures and the Presidential Palace's correspondence records, President Joko “Jokowi” Widodo has instructed an in-depth scrutiny over the causes of the breach. The government has also designated a cross-institutions rapid-reaction team to anticipate future cyberattacks.
The meeting, which was held at the Merdeka Palace, Central Jakarta, on Monday (12/9/2022), was attended by Coordinating Political, Legal and Security Affairs Minister Mahfud MD, Communication and Information Minister Johnny G. Plate, Home Affairs Minister Tito Karnavian, National Police Chief Gen. Listyo Sigit Prabowo, State Intelligence Agency (BIN) head Budi Gunawan and National Cyber and Encryption Agency (BSSN) head Lieu. Gen. (ret.) Hinsa Siburian.
Quoting a report from the BSSN and an analysis of deputy VII of the Coordinating Political, Legal and Security Affairs Ministry, Mahfud MD confirmed that state data had been leaked although the circulating data did not carry “confidential” status with it accessible from any source.
The meeting was called in Previously,the wake of a claim by account user named “Bjorka” on the online forumplatformBreached.to, Bjorka's account that it traded 1.3 billion cellular-phone card-registration data. It said the data had been procured from all telecommunications operators at the end of August 2022. Six days later, the account user said it traded 105 million citizenship data, which was claimed to have been hacked from the General Election Commission’s website.
The account also appeared to be trading records of incoming and outgoing letters and documents sent to the President, including the letters from the State Intelligence Agency (BIN) labeled as being confidential. The account uploaded personal data belonging to the Communications and Information Minister Johnny G. Plate, House of Representatives (DPR) Speaker Puan Maharani and State-Owned Enterprises Minister Erick Thohir.
“In the meeting, we discussed the circulating data, among them being that by Bjorka. However, having been examined, it was public data, not specific, and not the latest data," Johnny G. Plate said during the post-meeting media conference.
However, the planned rapid-reaction team, which will consist of representatives from several ministries and government institutions, is going to examine it more deeply with a view to anticipating cyberattacks further.
“There needs to be a rapid-reaction team to ensure good governance in Indonesia and to maintain public trust. The team [members] will come from BSSN, the information ministry, National Police and BIN. They are to carry out the investigation," Johnny said.
He appealed to the public to remain calm, wary and restrained. He hoped for cooperation from the communities in dealing with dangers in the digital space.
On a separate occasion, Presidential Secretariat head Heru Budi Hartono assured the public that no contents of incoming and outgoing letters at the Presidential Palace had been leaked. "Even if it did, it was only about the table of contents," he said.
He was sure that none of the contents of the palace's letters and documents had been leaked. "I'm sure they haven’t, because I know if it had been hacked, it would have gone as far as to the window, from which [further breach] faces a high-security system. That’s the way it is," he said.
Factors of vulnerability
BSSN head Hinsa Siburian refused to respond to a question about what factors had caused the vulnerability to personal data leaks and how the leaks had come about. He only said he would explain later.
"I'll explain it later, because it's technical, isn’t it? We'll explain later," he said as he rushed to the car parked in the courtyard of the Presidential Palace compound.
Wahyudi Djafar, executive director of the Institute for Community Studies and Advocacy, pointed to government institutions’ poorly implemented security system in data processing and storing. A thorough and accountable investigation was never conducted in the event of a data-hacking incident, which he said resulted in the perpetrators being undisclosed and their motives unknown.
The failure to implement a tight security system enables outsiders to break in and accrue the data. This can be prevented when the data controllers or electronic-system operators implement a strong security system with regular monitoring, in addition to the utilized security standards in data processing.
Communication and Information System Security Research Center (CISSReC) chairman Pratama Persadha said data leaks were not new in Indonesia. "The risk of data leakage has been increasing because of vastly available entrances to the office [software] system of corporate institutions, both public and private, which are accessible from home or other locations outside the office," he said.
Increased risk becomes more likely, especially when corporate employees access the data via unsecured networks, such as in cafes and other public spaces via free Wi-Fi connection.
Pratama said the pathetic data security in Indonesia was exacerbated by the absence of the Personal Data Protection Law (PDP), which resulted in the state being deprived of coercive measures for electronic-system operators to secure obligatorily the data-management system to the maximum or according to the standards.
It comes as no surprise if there have been many instances of data leaks, despite widely perceived threats of hacking. No one has been held responsible. Everyone seems to find an excuse by behaving like a victim themselves.
Christina Aryani, a member of DPR Commission I, which oversees information, expressed her concern about the situation, hoping that the rife incidents of personal-data hacking, which affected both civilians and government employees, would be able to push an acceleration to the ratification of the PDP Bill. This bill contains provisions of administrative or criminal sanctions against data providers and controllers who fail to manage public data well. It is expected to bring public confidence about data protection.
Minister Johnny said that the PDP Bill had been finalized at the first-level hearing between the working committee of Commission I and the government. “We are now awaiting the schedule of level II hearing, which is the DPR plenary session, for its ratification. Hopefully, with the bill passed into law, there will be a new, better legal umbrella to protect our digital space," he said.