Indonesia has launched a strategic initiative by discussing a draft cybersecurity bill. However, the government and parliament have not yet reached agreement on some of the contents of the bill. Meanwhile, the need for a strategic and comprehensive cybersecurity approach has never been more urgent than it is today. Several cyber attacks against official government websites have been confirmed, raising concerns about how far the country's cyber security situation can be trusted. The National Cyber Cryptography Board/Badan Siber dan Sandi Negara (BSSN) recorded over 370,022,283 cyber attacks in 2022, up from 266,741,784 in 2021. Strategic policies for ensuring a secure cyber environment must address the serious consequences caused by these malicious cyber intrusions. But in the absence of cybersecurity legislation, how should the risks associated with the cyber domain be mitigated?
Current approach
The government has enacted several regulations addressing cybersecurity. For example, Law No. 11 of 2008 on Electronic Information and Transactions addresses cyber protection by imposing obligations on electronic system providers. Protecting the confidentiality, availability, authenticity, and accessibility of electronic information is part of the electronic system provider's obligation to ensure a safe and healthy cyber environment within its systems. Additionally, the government, through the BSSN, has enacted BSSN Regulation No. 8 of 2020 on Electronic Security Systems. This regulation emphasizes that all electronic system providers must conduct a self-assessment to determine which risk classification their systems fall into. The results must be reported to the BSSN, and the provider must comply with the cybersecurity obligations that apply to its category. Providers that fall into the high-risk category need to obtain the specific SNI ISO/IEC 27001 certification and meet other applicable standards determined by the respective sector ministries. This requires adopting a risk-based approach and properly managing cyber controls through risk management. Indonesia has also enacted Presidential Regulation No. 82 of 2022 on Critical Information Infrastructure, which determines nine critical information infrastructure sectors. All electronic service providers must be managed by the relevant ministries regarding cybersecurity obligations. Additionally, the government issued Presidential Regulation No. 47 of 2023 on Cyber Crisis Management and National Cybersecurity Strategy. The BSSN is authorized to carry out an action plan to implement the national cybersecurity focus areas, including a risk management plan. A risk management plan focuses on risk identification, risk analysis, and mitigation actions.
Risk approach in cyber resilience
Strategically, digitally active countries need to create and implement a cyber resilience framework. It is a system for appropriately managing the cyber environment from planning to maintenance. It also serves as a reference for determining what policies the government will implement in the future. Risk management in cyber resilience is part of the planning process. Risk management in this area consists of risk assessment systems, governance, and cyber recovery strategies. Risk assessment systems are important for determining standardized risk assessment methodologies and risk mapping. The results of risk mapping must be enforced through a set of policies and regulations outlined in a cyber resilience strategy. Cyber governance is shaped by risk mapping and mitigation planning, and any type of support measure must be government-led. This means establishing a cyber authority, imposing obligations, defining prohibitions, and managing cross-functional digital processes such as unified licensing and the reporting and remediation of cyber incidents. Unfortunately, this approach has not yet been established in Indonesia, and many experts believe that a strategic cyber resilience approach focused on critical-sector risk management is needed.
Cybersecurity in critical sectors
Cybersecurity protection in critical sectors is essential because a system compromised through a cyberattack can disrupt government services and put the country in a dangerous position. For a vivid illustration, consider Die Hard 4, starring Bruce Willis, where a terrorist cyberattack shuts down water, electricity, and military security systems, causing chaos and confusion in the economy and politics. Cyber processes in critical sectors affect national stability and require specific protection and mitigation plans. In the UK, key sectors are managed through a risk management approach based on the Network and Security Regulations 2018 and the National Risk Assessment. These two policies designate the National Cyber Security Centre under the Government Communications Headquarters as the single point of contact and for cyber security incident reporting. Additionally, this assessment forms the basis for risk management strategies and mitigation plans that must be implemented by all stakeholders, from ministries to relevant digital service providers. Ireland, one of the leading countries in cyber security, also implements national cyber risk management, applying continuous risk assessments in conjunction with other government agencies such as the Garda Síochána, the Department of Ireland's National Security Analysis Center, the Central Bank of Ireland, the Commission for Utilities Regulation (CRU), and the Communications Regulatory Commission (ComReg).
What you need now
Implementing a risk-based approach to cybersecurity policy requires at least two considerations. First, governments must ensure that this process is carried out equally by all stakeholders. This requires proper identification of stakeholders to fully address the current capabilities of all actors in the field, especially providers working in any sector under critical information infrastructure. If the provider is a start-up, the government, through the BSSN and relevant ministries, should ensure an incubation policy so that the provider gradually complies with the policy. Regulatory sandboxing or start-up incubators could be alternative solutions in the procurement incubation process. This allows start-ups to survive while maintaining cybersecurity benefits. Second, it is necessary to ensure that the mutual coordination and implementation of risk management carried out by the BSSN is consistent with the risk management policies of the relevant ministries. This is a difficult process because we have seen a lot of departmental egos within government in almost every department. If the right approach to improving coordination can be found, half the problem is already solved.