‘Indonesia is one of the most dynamic economies in the region and is poised to become one of the region’s largest and most vibrant digital economies.’ That was Prime Minister Malcolm Turnbull’s message to the Indonesia–Australia Digital Forum (IADF), held in Jakarta on 31 January and 1 February. At the same event, President Joko ‘Jokowi’ Widodo said that ‘the digital age increasingly present[s] challenges for [Indonesia] from a social, economic and governance perspective. This era demands that everything be digitalised with increased speed and efficiency.’
This was one reason that Jokowi ordered the establishment of the National Cyber and Encryption Agency (Bandan Siber dan Sandi Negara, or BSSN) last May. Its nearest Australian counterpart might be the Australian Signals Directorate (ASD). The BSSN combines the former national encryption agency, the Indonesia Security Incident Response Team on Internet Infrastructure and some resources from the Ministry of Communications and Informatics (KOMINFO). The BSSN is set to become the central authority for coordinating and driving improved cybersecurity in Indonesia.
Like Australia, Indonesia is reshuffling its bureaucratic machinery that deals with cyber issues. Three years ago, a presidential decree mandated that the Coordinating Ministry for Political, Legal and Security Affairs (POLHUKAM) would lead on cyber issues. Over the last few years, Australia and other nations have been working intensively with the Cyberdesk at POLHUKAM to develop a national cybersecurity strategy for Indonesia.
The new division of responsibilities and reporting lines are still being fleshed out. But the move raises some fundamental questions. For example, will policy development and executive functions be separated? Will cybersecurity be organised in a decentralised way or pushed down from the president’s office? Will the necessarily secretive culture of cryptographers be opened up so that BSSN serves as a cybersecurity centre for government, industry and Indonesian citizens?
As Jokowi noted, cyber presents a multitude of challenges and opportunities for Indonesia. The archipelago has more than 130 million users who access the internet primarily through mobile phones and Facebook. In the region, Indonesia is one of the greatest sources of cyberattacks, as well as the largest target of attacks, as a result of its developing internet infrastructure (it ranked 73rd of 139 countries in the World Economic Forum’s 2016 Network Readiness Index), combined with narrowly applicable regulations and lax cyber hygiene standards. Even so, Indonesia’s IT industry and internet-based start-ups are booming. At the IADF, Indonesian leaders proudly pointed to billion-dollar start-ups GO-JEK (transport), Tokopedia and Bukalapak (online marketplaces), and Traveloka (online bookings).
While there’s an important economic angle to Indonesia’s cyber engagement, the government’s main focus seems to be on threats rather than opportunities. Last January when he was appointed head of the BSSN, Major General Djoko Setiadi emphasised that his priority would be to counter internet hoaxes and fake news. At a capacity-building workshop for Indonesian officials organised by ASPI’s International Cyber Policy Centre in late January, similar online threats were identified as the primary concerns for Indonesian society. Cybercrime, the vulnerability of critical infrastructure and privacy loss remain second-order priorities for the moment.
Like in many other developed and developing states, the government has introduced more robust legislation and giving greater power to security agencies. Indonesia’s well-known, and all too often referred to, Electronic Information and Transactions Law from 2008 was only revised in 2016. It authorises the Ministry for Communications and Informatics to terminate access to online material—by blocking websites or ordering internet service providers to do so—containing immoral content, hate speech, insults or defamation.
Indonesia will figure prominently in Australia’s international cyber agenda. DFAT’s international cyber engagement strategy, which ‘champions an open, free and secure cyberspace’, targets the entire Indo-Pacific region. The Indonesia–Australia Cyber Dialogue, inaugurated in 2017, serves as a channel to discuss issues of mutual concern. But there’s the bigger question as to how much Australia can support Indonesia in promoting a free, open and secure cyberspace while accommodating Jakarta’s concern about exercising sovereignty.
During the IADF, the head of the Australian Cyber Security Centre (ACSC) welcomed the opportunity to work with BSSN. This is an obvious bond to be cultivated. Both ASD (under which the ACSC sits) and BSSN will face similar challenges in transitioning from running high-secrecy operations to serving as a platform for collaboration between government, industry and civil society.
At the policy level, the situation is blurrier. It’s unclear whether Indonesia’s strategic direction will come from the president’s office or from the agency itself. If it’s the agency, which will also implement the strategy, that would surely affect the checks and balances within the administration and the parliament’s ability to exercise oversight. Alternatively, the remaining skeleton desk at the Coordinating Ministry for Political, Legal and Security Affairs could play a role.
While the roles and responsibilities of Indonesia’s domestic agencies are being debated (and challenged), opportunities are slipping away. As a country that’s forecast to rocket into the world’s top global economies, Indonesia will gain enormous benefits if it can provide conditions that foster a free, open and secure internet. Its tech-savvy population and sizeable e-market are already flourishing, but the growth of its e-economy could dramatically accelerate if the government gets its settings right.
In broader strategic terms, Indonesia is also vital. If it chooses a stifling Chinese approach, it would be hugely damaging to efforts to keep the internet in the region dynamic, open and secure. Handily, as a young, vibrant democracy, an open approach makes much more sense.