TheJakartaPost
Please Update your browser
Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.
Popular Reads
Top Results
No results found. Please check your search term and try again
Can't find what you're looking for?
View all search results
Popular Reads
Top Results
No results found. Please check your search term and try again
Can't find what you're looking for?
View all search resultsIndonesia's cybersecurity needs more than a law
It is not simply that BSSN has lacked authority but that existing instruments, where they do exist, have gone unused.
Change text size
Gift Premium Articles
to Anyone
Share the best of The Jakarta Post with friends, family, or colleagues. As a subscriber, you can gift 3 to 5 articles each month that anyone can read—no subscription needed!
A stock illustration of cyberattack. (Shutterstock/SomYuZu)
I
ndonesia first attempted to pass a cybersecurity law in 2019, and the effort has only now gained formal traction. In March, President Prabowo Subianto submitted a presidential letter to the House of Representatives, triggering deliberation on the draft of the Cybersecurity and Cyber Resilience (KKS) Bill. A working committee met in late May, and three further sessions are scheduled before the legislative term closes in July.
By the time this bill passes, Singapore will have had its Cybersecurity Act for the better part of a decade, having passed it in 2018 and revised it in 2024 after finding that the original version did not anticipate how quickly the threat environment would shift, and built up years of enforcement practice in between. Malaysia enacted its own cybersecurity law in 2024.
The gap matters not as a point of embarrassment but as a question of whether the intervening years produced any clarity about what works, what does not, and what Indonesia should do differently.
The case for legislation is solid. The National Cyber and Encryption Agency (BSSN) has long carried broad responsibilities with limited legal authority to act on them. Indonesia already has a National Cybersecurity Strategy, enacted through Presidential Regulation No. 47/2023, along with its implementing action plan. But the action plan was issued as an agency regulation, an instrument with no binding force over other ministries.
Meanwhile, Indonesia's National Action Plan on Human Rights and its Anti-Corruption Strategy are both presidential regulations, instruments that carry cross-government reach. BSSN's roadmap was not, which meant it could not compel the compliance it needed from the institutions it was meant to coordinate.
That said, the need for a law and the merits of this particular law are separate questions. The more instructive problem over the past several years is not simply that BSSN has lacked authority but that existing instruments, where they do exist, have gone unused.
The June 2024 ransomware attack on the national data center showed what that looks like in practice. A ransomware group hit the Temporary National Data Center (PDNS 2) in Surabaya, encrypting government data and asked for US$8 million in ransom. Immigration services and the national student enrolment system both went down, with disruptions lasting weeks.
