The National Cyber and Encryption Agency (BSSN) has informed the government what caused the data breach. This problem must be resolved through tough regulations and qualified human resources.
By
KURNIA YUNITA RAHAYU, NIKOLAUS HARBOWO
·5 minutes read
JAKARTA, KOMPAS - The lack of optimal human resources, technology and governance are what allows hacking and data breaches to occur in government agencies. The National Cyber and Encryption Agency (BSSN) said that this vulnerability has been repeatedly conveyed but never followed-up by the related agency.
To this day, hacking and data breaches in government agencies and private institutions continue to occur. President Joko “Jokowi” Widodo is particularly concerned with the issue and asked what caused the data breach.
Indonesia ranks third in the world as the country with the most data breaches, after Russia and France, according to the Global Data Breach Stats (Surfshark) report for the third quarter of 2022. The report states that between July-September 2022, there were 12.7 million breaches in Indonesia. Russia reported 14.7 million breaches while France reported 12.9 million breaches.
BSSN head Hinsa Siburian, at his office in Depok, West Java on Tuesday (13/9/2022), said cybersecurity development cannot be separated from three things; human resources, procedures related to governing regulations as well as the use of technology. Generally, these three things are not optimally implemented by all government agencies. Hence, each government agency’s cybersecurity system has vulnerabilities.
As a result, data breaches continue to occur in government agencies as the manager of electronic system providers (PSE), including the alleged breach that occurred in the past week. Personal data of citizens, public officials and even information on the President’s correspondence documents from the State Intelligence Agency (BIN), which were labeled as classified, were traded in the online forum Breached.to by a hacker account known as Bjorka.
“[Human resources, governing regulations and technology] needs to be [optimized], honestly. Especially with the issue of digitalization, which has been driven by the Covid-19 pandemic, we are entering cyberspace on a large-scale manner,” said Hinsa.
He added that BSSN has monitored and conducted annual evaluations concerning the three basic aspects of cybersecurity. Reports detailing the evaluation results are also sent to each PSE on a regular basis.
[Human resources, governing regulations and technology] needs to be [optimized], honestly.
BSSN, said Hinsa, also monitors the vulnerabilities of cybersecurity systems in PSEs. When suspicious attempts aimed at infecting cybersecurity systems or internet traffic anomalies are found, BSSN will notify the PSE. According to the 2021 Cyber Security Monitoring Annual
Report published by BSSN, there were 1.6 billion traffic anomalies throughout 2021. However, the warnings sent to PSEs have never been followed up in a concrete manner.
Still weak
BSSN spokesperson Ariandi Putra said that until now, the agency does not have enough authority to encourage PSEs to amend their cybersecurity system vulnerabilities, as regulated by Government Regulation (PP) No. 71/2019 concerning the implementation of electronic systems and transactions. In order for BSSN to have more authority, he said, there needs to be a personal data protection law.
According to him, the personal data protection bill specifically regulates PSEs’ obligations and responsibilities in protecting the data they manage.
“Several of the articles in the personal data protection bill gives BSSN more authority than PP No. 71/2019 does,” said Ariandi.
Referring to the personal data protection bill draft produced by the formulation and synchronization team on 29-20 August 2022, it is stipulated that data controllers have an obligation to refuse access to data changes, assess the impact of data protection in potential high-risk processing as well as protect and ensure the security of the data being processed. Additionally, data controllers are required to maintain confidentiality, supervise all parties involved in the data processing and protect the data from unauthorized processing.
This bill has been thoroughly deliberated at the House of the Representatives Commission I. Furthermore, the bill is waiting to be deliberated at the level II House plenary session to be passed into law.
House Commission I member of the Golkar Party faction, Dave Akbarshah Fikrano, said that the personal data protection bill would give the government greater authority to protect data. However, this does not mean that the issue of data breaches will be immediately resolved if it is not accompanied by development in cybersecurity systems and human resources, both in government and private agencies that are PSEs.
“If government regulations and policies don’t align with the latest technological developments, if the government does not cooperate with ministries or educational institutions to recruit and create new human resources, and if no new systems are created, then yes, data breaches will certainly continue to occur,” Dave said.
Investigation needed
Airlangga University Communications Professor Henri Subiakto added that these repeated data breaches should create the momentum for law enforcement to take action against hackers. So far, perpetrators of data breaches and their methods in leaking data have never been revealed.
The responsible authorities, such as the Communication and Information Ministry, BSSN, and the National Police must investigate the data breach.
Hinsa stated that his party is coordinating with the National Police’s Criminal Investigation Department (Bareskrim) to investigate Bjorka’s actions, as the account hacked and traded government data.