Spate of cyberattacks in Indonesia shines spotlight on complacency, public education

JAKARTA: Many Indonesian journalists were waiting for an online press conference by the National Agency for Disaster Management (BNPB) to begin last week, but its Youtube channel showed a foreigner giving a live presentation on cryptocurrency.

Puzzled by this, reporters sought an explanation from the agency’s spokesperson, only to be informed that BNPB’s Youtube channel has been hacked.

The incident was among 1.4 billion Internet traffic anomalies or cyberattacks in Indonesia this year, said Mr Anton Setiyawan, spokesman of the National Cyber and Crypto Agency (BSSN).

“Traffic anomalies are something we can technically classify as cyberattacks because they are something abnormal. Like scanning and sending malware, that is an attack," Mr Setiyawan explained to CNA on Thursday (Dec 16).

He noted that cyberattacks in Indonesia have significantly increased this year. The number of traffic anomalies stood at around 495 million in 2020.

Mr Setiyawan and other experts interviewed by CNA noted that there has been a spate of cyberattacks on government agencies and corporations recently. 

When asked about the root causes, they said that complacency, low digital literacy and lack of human capacity may be among the major factors involved.

Stringent measures must be taken immediately to prevent further cases, they also said.

SPATE OF ATTACKS ON GOVERNMENT AGENCIES, CORPORATIONS

Apart from the BNPB incident last week, the public was also concerned when it was reported that the personal data of thousands of police officers were allegedly stolen by a hacker last month.

A now-suspended Twitter account, claiming to be run by a hacker believed to be from Brazil, announced that data on 28,000 officers was stolen.

When asked by CNA, national police spokesman Inspector General Dedi Prasetyo said that the case is currently being handled by its cybercrime unit. 

In late October, BSSN’s website was also hacked, said Mr Setiyawan.

“It was one of our subdomains and we immediately evaluated it. Yes, in several parts we were careless. We should have really taken care of everything.”

He added: “This had a tremendous effect on BSSN not in terms of data leakage and physical loss but in terms of reputation.”

No data was taken as the subdomain did not contain anything important, Mr Setiyawan said. However, the hacker defaced the appearance of the website. 

It appeared that the hacker was based in Brazil who wanted to retaliate against Indonesian hackers who previously launched similar attacks, according to the spokesman.

Meanwhile, data of about 1.3 million people in a health ministry’s COVID-19 app was leaked in August. 

The month before, data of thousands of customers of insurance provider BRI Life was leaked and sold online, said the company.  

The biggest data breach this year reportedly took place when information on 279 million people was stolen from the social health security administration (BPJS) in May.

COMPLACENCY, LACK OF PUBLIC EDUCATION AMONG ROOT CAUSES

What are the root causes?

Cyberattacks in Indonesia will continue to persist because people underestimate them and do not understand their characteristics, said Mr Ardi Sutedja, head and founder of  Indonesia Cyber Security Forum (ICSF).

“The various technologies that we use today are not the work of Indonesians. We are all only users of technology. 

“Today's technology changes in seconds so we don't have the luxury of time to learn all the technology and its risks,” he said. As a solution, he suggested more human capacity building as well as better digital literacy education. 

Mr Pratama Persadha, chairman of cyber security NGO Communication and Information System Security Research Center (CISSReC) concurred. 

He said that people need to be constantly educated on the dangers of uploading their personal data including pictures online. He also espoused the need to set personal social media accounts to private mode, constantly change passwords and minimise the use of public wifi.

There is also the risk of personal data being leaked via electronic platform services.

“That’s why we need better regulations so those who are responsible for our data leaks can be punished,” he said. 

Mr Yihao Lim, a principal intelligence advisor with cybersecurity firm Mandiant Threat Intelligence said that since many businesses moved online amid the pandemic without much lead time, they might not have the best security measures in place to ensure that information is kept secure. 

He also said that many organisations have increased their reliance on cloud-hosted third-party providers for their primary business tasks. This has put more pressure on the third parties to ensure availability and security. 

Mr Lim urged companies to “invest in training and awareness among internal staff, keep them updated on latest happenings and phishing methods that attackers use to prevent any successful intrusion”.

“PEOPLE MUST ALWAYS BE ALERT”: CYBER AGENCY

Mr Setiyawan of the BSSN admits that the cybersecurity situation in Indonesia is a vulnerable one, since more people are getting online especially amid the pandemic. 

He stated that educating everyone on cybersecurity, including the top leaders in government organisations as well as the private sector, remains key as these are the decision makers who decide on budget, organisational structure and policies.

In 2016, Indonesia was ranked 70th out of more than 150 countries in a Global Cybersecurity Index published by UN specialised agency International Telecommunication Union.

Since then, Indonesia’s ranking has been improving, the spokesman pointed out. Last year, it was ranked 24th. 

He said the agency has been actively providing training to various institutions, but acknowledged that more needs to be done.

BSSN has been tasked to develop 121 computer security incident response teams (CSRIT) by 2024. These teams will work with the government, digital economy sector and information infrastructure sector. 

He added that there are regulations available to punish institutions responsible for data leaks or hacking, but the problem lies in the implementation. 

“For example, BPJS, the information and communication ministry and BSSN are now being sued in court for the leaked data of BPJS users,” he said.

The harshest sanction can be suspension of service. But in many instances, that would be quite impossible since it would affect a lot of users, said Mr Setiyawan.

“When we talk about national cases, there are principles or risks which we have to bear in mind. For example, BPJS is being used by people to access healthcare every day. 

“If we suspend it for a week, a lot of people won’t be able to be hospitalised, they won’t be able to get surgery, they won’t be able to get medicines.”  

But in the end, Mr Setiyawan, who is also BSSN’s head of research and development centre, said that it all comes down to the people.

“People must always be alert, think rationally when online and giving out their data, have good literacy, understand technology and be aware of their digital traces.”