
Indonesia Cybersecurity Report 2024

Kadin's Industry Report and Strategic Guide outlines a comprehensive framework to enhance cybersecurity in Indonesia, emphasizing the importance of protecting critical infrastructure and fostering a secure digital economy. The report identifies six strategic pillars for cybersecurity, including resilience in critical infrastructure, governance enhancement, talent development, public-private partnerships, and alignment with international standards. It aims to address the growing cyber threats faced by Indonesia's rapidly expanding digital landscape and calls for collaboration among stakeholders to ensure a secure digital future.

Uploaded by

irsan.saputra

Kadin’s Industry Report and Strategic Guide:

Cybersecurity for a Sustainable and Resilient Digital Indonesia

by Kadin Kominfo


Table of Contents

Disclaimer
Foreword
Executive Summary

Chapter 1 Introduction
1.1 Background and Importance of Cybersecurity
1.2 Kadin’s Cybersecurity Industry White Paper and Implementation Roadmap Strategic Objectives

Chapter 2 Current Cybersecurity Landscape
2.1 Global and National Cybersecurity Environment
2.2 Sector-Specific Landscape
2.3 Cost of Cybercrime in Indonesia

Chapter 3 Strategic Pillars for Cybersecurity
3.1 Pillar 1: Cyber Resilience in Critical Infrastructure
3.2 Pillar 2: Enhancing Cybersecurity Governance and Regulations
3.3 Pillar 3: Developing Cybersecurity Talent and Awareness
3.4 Pillar 4: Public-Private Partnerships
3.5 Pillar 5: Aligning Indonesia with Standardized Cybersecurity Methodologies and Standards
3.6 Pillar 6: Strengthening Local Players in Indonesia Cybersecurity Industry Growth

Chapter 4 Sector-Specific Cybersecurity Insights
4.1 Asset Mapping and Attack Surface Management
4.2 Sector-Specific Cybersecurity Analysis
4.3 Recommendations Based on Sectoral Assessments

Chapter 5 Regulatory and Governance Framework
5.1 Overview of Indonesia’s Current Cybersecurity Regulations
5.2 Proposed Regulatory Enhancements
5.3 Enhance The Governance Model and Institutional Roles

Chapter 6 Public-Private Partnerships & Industry Collaboration
6.1 Developing a National Public-Private Partnership Program
6.2 Developing a Real-Time Threat Intelligence Sharing Platform
6.3 Establish a Cyber Incident Review Board or Similar Forum
6.4 Strengthening International Collaboration in Cybersecurity

Chapter 7 Cybersecurity Education and Talent Development
7.1 Current Challenges in Cybersecurity Talent and Awareness
7.2 Designating a Lead Agency for Cyber Education and Awareness
7.3 Comprehensive Cyber Security Employee Training
7.4 Growing Cybersecurity Talent in Indonesia
7.5 Career Path and Occupation Mapping for Cybersecurity Talents
7.6 Certification Programs and Standards
7.7 Case Studies: Industry Support for Cybersecurity Education

Chapter 8 Cybersecurity Methodologies and Risk Management Frameworks
8.1 Adopting a Standardized Cybersecurity Methodology
8.2 Security Controls Based on NIST Cybersecurity Framework
8.3 Tailoring Cybersecurity Methodologies to Organizational Categories
8.4 Advanced Cybersecurity Enhancement Recommendations
8.5 Enhancing Critical Infrastructure Protection

Chapter 9 Strengthening Local Players in Cybersecurity Industry Growth
9.1 Strengthening Policy and Regulatory Support for Local Industry
9.2 National Cybersecurity Industry Roadmap Strategic Objectives
9.3 Supporting Local Firms’ Participation in Government Projects
9.4 Encouraging Technology Transfer and Fair Competition

Chapter 10 Implementation Roadmap
10.1 Periodical Target
10.2 Measuring Success

Work Cited
Appendices


Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia

Kadin INDONESIA
Indonesian Chamber of Commerce and Industry
Jl. H. R. Rasuna Said Blok X-5 No.Kav. 2-3, Kuningan, Jakarta 12950
www.kadin.id


Disclaimer

Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia is an initiative owned and led by Kadin Indonesia (the Indonesian Chamber of Commerce and Industry), with support from the US-ASEAN Business Council, which serves as the knowledge partner, providing expertise and guidance throughout the project.

This Report aims to provide a comprehensive framework and actionable recommendations to enhance cybersecurity across Indonesia’s public and private sectors. The objective is to strengthen national cyber resilience, foster a secure digital economy, and protect critical infrastructure from evolving cyber threats. The ultimate goal is to contribute to a safer and more prosperous digital future for Indonesia.


Editorial Team

Firlie Ganinduto
Lead Editorial and Project Kadin Indonesia Cybersecurity Report and Strategic Guide

Rorian Pratyaksa
Deputy Lead Editorial and Project Kadin Indonesia Cybersecurity Report and Strategic Guide

Mercy Simorangkir
Deputy Lead Editorial and Project Kadin Indonesia Cybersecurity Report and Strategic Guide

Mochamad Andriansyah
Project Management Officer Kadin Indonesia Cybersecurity Report and Strategic Guide

Raihan Zairah
Project and Research Analyst Kadin Indonesia Cybersecurity Report and Strategic Guide

Nizam Syafik
Project and Research Analyst Kadin Indonesia Cybersecurity Report and Strategic Guide


M. Arsjad Rasjid P.M.
Chairman of Indonesian Chamber of Commerce
and Industry (Kadin Indonesia)



Foreword

Indonesia’s digital economy is growing rapidly, and its size is projected to exceed $130 billion by 2025. With internet penetration now exceeding 79%, sectors such as finance, healthcare, and energy are increasingly reliant on digital infrastructure. However, it is also crucial to recognize that this growth comes with significant new risks. Incidents of ransomware attacks, data breaches, and cyber espionage are now amongst the cyber threats which will cost Indonesia’s economy up to $4.79 billion annually by 2028.

Therefore, Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia is more than a set of guidelines. Instead, it reflects a broader understanding of the unique challenges and opportunities across various industries in Indonesia. This document provides a framework that enables organizations and particularly, businesses and industries, to prepare for and respond effectively to cyber threats.

As emphasized within this document, strong cybersecurity skills are essential and critical to our economic stability and business continuity. Therefore this document also serves as a valuable contribution from Kadin Kominfo to the recent White Paper on Indonesia’s Strategic Economic Development and Policy Direction 2024-2029 which represents an essential contribution from Indonesia’s business and industries toward achieving the new government’s target of 8% economic growth.

That is why, beyond regulatory emphasis, this document explores the broader industry landscape, including the critical need for enhanced skills, heightened awareness, and investment in cybersecurity education. Amid the complexities of our digital age, Kadin Indonesia is committed to promoting collaboration between public and private sectors to build a secure digital foundation for Indonesia.

It is clear that cybersecurity is no longer a technology issue, it has become a business and national priority. By working together, sharing knowledge, and implementing best practices, we can ensure that Indonesian businesses and industries are not only prepared to defend against cyber threats but are also positioned to thrive in the digital age.

Sincerely,

M. Arsjad Rasjid P.M.
Chairman of Indonesian Chamber of Commerce and Industry (Kadin Indonesia)


Firlie Hanggodo Ganinduto
Vice Chairman of Communication and Informatics
Indonesian Chamber of Commerce and Industry
(Kadin Indonesia)

Foreword

As we embrace a digital revolution reshaping our society and economy, Indonesia faces unique cybersecurity challenges and opportunities. The “Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia,” created in partnership with the US-ASEAN Business Council (US-ABC), evaluates our current state of cybersecurity and proposes a comprehensive strategy to bolster our defenses. Digital transformation has unlocked vast innovation potential but has also introduced significant risks. Sectors such as financial services, healthcare, and manufacturing increasingly depend on digital systems, exposing them to cyber threats. Data indicates a concerning rise in the frequency and sophistication of cyberattacks, posing threats to our national security and economic stability.

This report, based on thorough analysis and collaboration, examines the industry landscape to identify vulnerabilities and opportunities for proactive cybersecurity measures. It underscores the need to update regulatory frameworks to align with technological advancements and address global compliance requirements to protect citizens and stakeholders. Central to the strategy are education and training to build a skilled workforce, along with public-private partnerships that enable the sharing of threat intelligence and best practices. The report advocates for a layered defense strategy incorporating stringent technical standards and regular updates, aiming for a cybersecurity posture that is reactive, predictive, and proactive against current and future threats.

Collaboration between the private sector, government, and academia is crucial for strengthening national cybersecurity resilience through the growth of the domestic cybersecurity industry. In line with the report’s recommendations, the “Asosiasi Digitalisasi dan Keamanan Siber Indonesia (ADIGSI)” is being established as a strategic initiative to enhance collaboration between the private sector and government in advancing national cybersecurity. This association will support Kadin Indonesia and all stakeholders in finalizing and implementing the “Blueprint for the Development of Indonesia’s Cybersecurity Industry and Ecosystem.”

In conclusion, “Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia” serves as both a roadmap and a call to action, urging stakeholders—government, industry leaders, and citizens—to strengthen our cyber defenses. Together, we can secure Indonesia’s digital future and ensure our nation thrives in the face of future cyber challenges.

Let us commit to this vital endeavor, as the security and prosperity of our digital future depend on our actions today.

Sincerely,

Firlie Hanggodo Ganinduto
Vice Chairman of Communication and Informatics
Indonesian Chamber of Commerce and Industry (Kadin Indonesia)


Executive Summary

To support the existing Indonesian government initiatives in building secure and resilient national cybersecurity, Kadin’s Industry Report and Strategic Guide: Cybersecurity for a Sustainable and Resilient Digital Indonesia emphasizes the urgent need for a robust and adaptive cybersecurity framework to support the nation’s rapidly growing digital economy. As Indonesia expands its online services, protecting national critical infrastructure—such as energy, telecommunications, and healthcare—has become essential to ensure service continuity and mitigate the impact of cyber incidents. The report outlines strategic pillars, including enhancing cybersecurity governance through improved regulatory frameworks aligned with international standards, and fostering public-private partnerships to strengthen threat detection, response, and mitigation.

This report also introduces six main strategic pillars of cybersecurity for Indonesia, inter alia: 1) cyber resilience in critical infrastructure, 2) enhancing cybersecurity governance and regulations, 3) developing cybersecurity talent and awareness, 4) public-private partnerships, 5) aligning Indonesia with standardized cybersecurity methodologies and standards, and 6) building a competitive and resilient local cybersecurity industry. Additionally, the Report stresses the importance of developing a skilled workforce by investing in cybersecurity education, training, and public awareness. It advocates for adopting standardized cybersecurity methodologies to ensure Indonesia’s practices are competitive globally. Although Indonesia has made strides in addressing cyber threats, challenges remain, particularly in the form of sophisticated attacks like ransomware, data breaches, and cyber espionage. The government, through its cybersecurity agency, is working to improve national resilience, but further efforts are needed to enhance collaboration and talent development. Furthermore, this white paper also explores the role of Kadin Indonesia in accelerating the implementation of proposed cybersecurity pillars. Overall, the white paper provides a strategic roadmap for securing Indonesia’s digital future, ensuring it remains resilient in the face of growing cyber risks.


Chapter 1 Introduction


1.1 Background and Importance of Cybersecurity

Cybersecurity has become a critical element for nations, businesses, and individuals in an increasingly digital world. As one of Southeast Asia’s fastest-growing digital economies, Indonesia stands at a pivotal point where immense opportunities are accompanied by significant risks.

With over 270 million people, Indonesia’s online services are growing rapidly, from e-commerce to financial services and online healthcare to Government platforms. This spread of digital services has disrupted every aspect of industry. However, all these developments come with increased vulnerabilities, and failure to address them can put the entire digital ecosystem at risk of instability and compromise.

Cyberattacks now range from ransomware attacks on critical infrastructure to highly sophisticated phishing schemes against citizens and businesses. Critical infrastructure sectors in Indonesia, including energy, telecommunications, health care, and financial services, are quite vulnerable to such emerging threats, which could bring immense financial losses, disruptions in operations, and even threats to national security.

With cyber incidents increasing in frequency and severity, cybersecurity can no longer remain an IT issue; it is a national security priority. As Indonesia continues to expand its digital economy, the need for a robust, adaptive, and comprehensive cybersecurity framework becomes more urgent.

Why Cybersecurity is Critical for Indonesia:

1. Safeguarding National Critical Infrastructure
Critical infrastructure, such as energy grids, healthcare services, financial systems and telecommunications networks, is the foundation of the Indonesian economy. A ransomware attack that disrupted any of these sectors would cause widespread damage to critical services, disrupt daily activities and endanger lives.

2. Protecting Citizens and Businesses
As more Indonesian citizens and businesses engage with cyberspace, they are exposing themselves to potential cybersecurity threats. Millions of Indonesians have already been affected by personal data breaches, financial fraud and identity theft. They need an effective cybersecurity framework to protect them.

3. Fostering Trust in Digital Systems
Indonesia’s digital economy can only develop with public confidence in the security of its online activities, data, and transactions. Breaches and cyberattacks further break that trust, and in this aspect, cybersecurity is an enabler that aids a nation in balancing its move towards the digital age.

1.2 Kadin’s Cybersecurity Industry White Paper and Implementation Roadmap Strategic Objectives

The cybersecurity challenges in Indonesia can only be resolved through the implementation of unified and
coordinated solutions. This report acts as a foundational guideline for addressing existing vulnerabilities while
building long-term resilience in the Indonesian Cybersecurity Industry, combining public and private sector best
efforts to build a strong and resilient cybersecurity ecosystem.



The report is designed to realize the following important objectives:

1. Enhancing the Resilience of National Critical Infrastructure
Protecting key assets in critical sectors (finance, healthcare, manufacturing, energy) is vital for Indonesia. A secure and resilient infrastructure is the basis of assuring an uninterrupted supply of goods and services and the minimal economic impact of cyber incidents.

2. Enhancing Cybersecurity Governance and Regulatory Frameworks
A strong regulatory framework is essential for governing cybersecurity practices in Indonesia’s several different sectors – which can only be achieved by implementing and enforcing modernized cybersecurity law and synchronizing Indonesian national law with international standards. A robust legal framework ensures that Indonesia’s cybersecurity practices are standardized, enforceable, and adaptable to new threats.

3. Fostering Public-Private Partnerships and Collaboration
To achieve a secure and resilient digital nation in 2045, strong collaboration between the government, private sector, academic sector and any international partners is essential. Developing public-private partnerships where resources and knowledge are combined can be an effective approach to creating a secure and resilient digital nation in 2045. The partnerships ensure that every stakeholder plays a role in securing the cyber landscape in Indonesia.

4. Growing Cybersecurity Talent and Awareness
Growing a pool of highly qualified cybersecurity talent is one of the key foundations in an attempt to address the shortage of cybersecurity professionals in the workforce. Through targeted actions at all levels of the education system, training, and upskilling initiatives, Indonesia can address this challenge. In addition, awareness of cybersecurity issues should be elevated in every layer of Indonesia’s local society, from ordinary citizens to large corporations, as this is essential for building a culture of security awareness in Indonesia.

5. Aligning Indonesia with Standardized Cybersecurity Methodologies and Standards
In an attempt to effectively handle cyber incidents, we should encourage the establishment of standardized cybersecurity methodologies and risk frameworks that align with existing best global frameworks. The harmonization of Indonesia’s cybersecurity standards ensures consistency and continuity in cybersecurity practices across industries. Moreover, with this alignment, Indonesia will become the regional leader in cybersecurity and, most importantly, ensure the nation’s security frameworks remain globally competitive.

6. Strengthening Local Players in Indonesia Cybersecurity Industry Growth
A competitive and resilient local cybersecurity industry is crucial to reducing dependence on foreign enterprises and ensuring national digital sovereignty. Key to this will be creating favorable regulations, offering financial incentives for local R&D, establishing a certification framework for local companies, and encouraging public-private partnerships to eventually support the growth of Indonesian cybersecurity companies, creating a more sustainable ecosystem for fulfilling the needs of both domestic and global markets. Reinforcing local capacity bolsters Indonesia’s national security and promotes economic prosperity and technological leadership within the region.


Chapter 2 Current Cybersecurity Landscape

2.1 Global and National Cybersecurity Environment

The threat landscape of global cybercrime continues to evolve. Attacks on both public and private sectors are becoming increasingly sophisticated. Attackers increasingly depend on new attack vectors enabled by AI and ML, while ransomware-as-a-service operations deliver highly focused and destructive breaches. Cyber espionage and cyber warfare carried out by nation-state actors further complicate this threat environment. Against a background of increasing incidence and intensity of data breaches, ransomware incidents, and supply chain compromises, robust cybersecurity has become an international imperative.

Global Cybersecurity Threats

Main Cyber Threat Actors

• Nation-State Actors: Often linked to government-sponsored cyber activities for espionage, sabotage or strategic advantage.

• Organized Cybercriminal Groups: Sophisticated, profit-driven organizations that resemble corporate structures and use varied attack methods for financial gain.

• Hacktivists: Individuals or organizations driven by politics or ideologies and seeking to further their objectives online.

Exhibit 2.1 The Main Threat Actor Categories

More specifically, nation-state actors, organized cybercriminal groups, and hacktivists are continuously developing new attack methods at the global level. With AI and ML in cyberattacks, attackers can automate large-scale campaigns and amplify their reach and impact. Moreover, ransomware-as-a-service platforms have lowered the barriers to entry for less-skilled attackers; thus, the scale of ransomware attacks globally has increased. Taken together with the sustained cyber espionage from nation-states, this set of trends creates a complex, rapidly changing threat environment that is difficult for governments and businesses to manage.

National Cybersecurity Landscape in Indonesia


Indonesia faces unique cybersecurity challenges as adversaries operate at speed, scale, and sophistication. Indonesia, the largest economy in the region with its fast digital growth, has emerged as the prime target for cyberattacks in Southeast Asia. With the growing dependency on digital infrastructure among its people, its rapid gains in Internet and mobile usage are substantially widening the country’s attack surface.

A rapid surge of ransomware attacks, data breaches, and online fraud against businesses and state entities has marked the Indonesian cybersecurity landscape. During the past year, ransomware attacks have targeted the financial service sector more than any other industry, proving it to be vulnerable to cyber threats. This includes the ransomware attack against the country’s national data center, which brought down several public services; the leakage of the Indonesia Automatic Fingerprint Identification System (INAFIS); and the National Armed Forces Strategic Intelligence Agency. Data shared by Palo Alto Networks Unit 42 shows the following industries were most affected in Indonesia because of ransomware activities during the last year:

[Pie chart: share of ransomware attacks by industry. Legend: Manufacturing; Professionals & Legal Services; Wholesale & Retail; Construction; High Technology; Healthcare; Financial Services; Transportation & Logistics; Education; Others. Segment values (unlabelled): 24.7%, 15.1%, 10.5%, 10.5%, 8.9%, 8.2%, 7.4%, 5.2%, 4.9%, 4.7%.]

Exhibit 2.2 Indonesia’s Most Impacted Industries by Ransomware Attacks in 2023. Source: Palo Alto Unit 42 Threat Intelligence Team

Key Cyber Threat Actors


Data provided by Palo Alto Networks Unit 42 shows that different ransomware activities have caused damage to several industries in Indonesia this year. Indonesia also remains one of the favorite targets of state-sponsored cyber adversaries. Some of the recent reported cases include:

• Alloy Taurus (aka GALLIUM, Softcell): This Chinese advanced persistent threat group customarily runs cyber espionage campaigns targeting telecommunications, financial institutions, and Government entities across Asia, Europe, and Africa, including Indonesia. [1]

• March 2024 Incident: This report points out two Chinese APT groups involved in cyber espionage activities across ASEAN-affiliated entities and member countries. The activities coincide with the ASEAN-Australia Special Summit on March 4-6, 2024. ASEAN entities are natural targets for espionage operations because they contain sensitive diplomatic and economic information. [2]

• February 2024 Data Leak: I-Soon, a Chinese enabler, was involved in a data breach that revealed access to critical information from Indonesia’s Department of Commerce. [3]

Ongoing Government Efforts
The Indonesian Government is already taking steps to develop its cyber capacities, the most prominent of which is the creation of the National Cyber and Crypto Agency. However, there are a few challenges that still need to be addressed, including a deficiency of skilled cybersecurity talent and a general absence of the in-depth coordination of public-private collaboration necessary for strengthening cyber defenses.

Overcoming these challenges will require comprehensive action that improves cyber risk management practices across Indonesian sectors; harmonizes the regulatory framework toward a maturity level compliant with international cybersecurity standards; invests in capacity-building by establishing a more sustainable model of overarching education and awareness campaigns and skill creation mechanisms, thereby shaping behavioral changes and increasing the future talent pool; and strengthens technical capacities for effective response against attacks on CIIs.

By prioritizing these cybersecurity issues, Indonesia can secure its digital future, increase resilience across critical sectors, and contribute to regional and global cybersecurity efforts.

[1] Unit 42, “GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool.” Unit 42, June 13, 2022. https://unit42.paloaltonetworks.com/pingpull-gallium/

[2] Unit 42, “ASEAN Entities in the Spotlight: Chinese APT Group Targeting.” Unit 42 (blog), March 26, 2024. https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/

[3] Christian Shepherd et al., “China’s Hacking Operations Exposed by Document Leak.” *The Washington Post*, February 21, 2024. https://www.washingtonpost.com/world/2024/02/21/china-hacking-leak-documents-isoon/

2.2 Sector-Specific Landscape

Exhibit 2.3 Sector-Specific Threat Matrix

2.2.1 Financial Services Sector

The global financial services sector continues to be threatened by an ever-evolving cyber threat landscape. Threat actors continue evolving tactics to exploit vulnerabilities within this critical industry. This sector includes various organizations, from credit unions and small insurance companies to large cryptocurrency exchanges and stock exchanges. Each industry subgroup faces threats specific to its unique characteristics; however, opportunistic and financially motivated cybercriminals, especially ransomware groups and initial access brokers (IABs), are the most significant adversaries.

According to intelligence by Palo Alto Networks, a variety of critical threats have emerged as being of particular significance both globally and within Indonesia:

• Spear Phishing and Unpatched Vulnerabilities: Spear phishing emails and unpatched vulnerabilities remain essential methods of initial access for threat actors. These phishing attacks are usually made to revolve around current events or business activities and are very effective. The attackers often use the “spray-and-pray” method, exploiting publicly known vulnerabilities and exposed internet-facing assets to breach financial institutions.

• Rapid Weaponization of Vulnerabilities: The fast exploitation of zero-day and one-day vulnerabilities is one of the critical risks to the financial services sector. Cybercriminals take little time to exploit these weaknesses, sometimes even when patches are available or applied. In addition, an underground market exists for ready-to-use tools, enabling actors of all skill levels to acquire tools, source code, and other resources that increase the frequency and impact of cybercriminal activity.

• Malvertising and SEO Poisoning: Another significant threat is malvertising and SEO poisoning. These tactics redirect users to malicious websites with the aim of having them download trojanized versions of popular software. These actions compromise security among both users and institutions, and threat actors find them increasingly attractive.

• Ransomware: Ransomware remains one of the most prevalent threats to the financial services sector. In Indonesia, this vulnerability is particularly acute. Over the past year, Palo Alto Networks Unit 42 has observed 271 ransomware attacks targeting the financial sector, originating from 44 distinct ransomware groups. These groups exhibited opportunistic behavior, targeting the sector without displaying significant preference toward specific sub-industries. The following chart shows the top ransomware operators impacting the financial sector in Indonesia. Sub-industries such as financial and investment consulting, banking and securities, and investment management were affected.

• Banking Trojans: Banking trojans have become one of the growing threats as attackers expand their target base to embrace a wider selection of financial institutions and a variety of data types. Banking trojan malware has become increasingly sophisticated, stealing highly sensitive information across multiple financial services and amplifying the potential impact of these attacks.

In Indonesia, these global threats are even more pronounced because of the rapid digital transformation of the sector. The attack surface keeps growing as financial services are delivered through digital infrastructure. This calls for the financial services industry to invest more in continuous monitoring, rapid patching of vulnerabilities, and proactive sharing of threat intelligence across the sector. In Indonesia, the inability of financial institutions to safeguard against the ever-changing cyber world calls for concerted efforts from both the public and private sectors.

[Chart: Transforming Scorpius (Medusa Locker), Spoiled Scorpius (Ransomhub), RansomHouse, Flighty Scorpius (Lockbit), and Salty Scorpius (Trigona), each labeled 20%]

Exhibit 2.4 Top Ransomware Operators Impacting the Financial Sector in Indonesia, Source: Palo Alto Networks Unit 42

2.2.2 Healthcare Sector

The healthcare sector confronts numerous cybersecurity risks that could have severe consequences in Indonesia as well as globally. Because of the industry’s dependence on digital infrastructure and sensitive personal data, it is a popular target for many types of cyberattacks.

Palo Alto Networks has noted the following activities that affect the healthcare industry:

• DDoS attacks (Distributed Denial of Service):
Network connectivity is essential for companies in the healthcare sector to access patient records, telemedicine, and vital internal communications. Distributed Denial of Service (DDoS) attacks may overload systems with traffic, interfering with emergency services and potentially postponing patient care or, even worse, posing a threat to human life if left unchecked. The repercussions of such attacks could be grave, as these networks are crucial for coordinating lifesaving treatment and maintaining access to timely medical help.

• Supply Chain Attacks:
For solutions ranging from medical supplies to IT infrastructure, many healthcare facilities rely on a network of outside vendors. Every link in this supply chain could have a security breach that affects the entire network, resulting in compromised medical devices, data leaks, and disruptions to operations. The risk associated with supply chain security is increased in Indonesia due to the interdependence of suppliers and healthcare providers.

• Web Application Attacks:
In healthcare portals, interfaces for provider communication and patient data access are commonplace. Web application attacks like cross-site scripting (XSS) and SQL injection can take advantage of vulnerabilities in online applications to alter patient data, steal private information, or gain unauthorized access to healthcare systems. These attacks might have a major effect on patient data security and integrity.

• Ransomware:
This form of malware encrypts important data and locks down computers until a ransom is paid. This may result in hospital operations being disrupted, patient care being stopped, and healthcare facilities losing access to patient records, which might cause serious delays in life-saving treatments. Recent attacks in Indonesia demonstrate the rising threat posed by ransomware as a result of the country’s fast digital transition in the healthcare sector.

• Data Breach:
There may be dangerous repercussions if personal health information is stolen or viewed without authorization. Breached data can be exploited for fraud, identity theft, or sale on the black market. For patients, this means a breach of privacy and even financial loss; for institutions, it means legal trouble and a decline in confidence. Like their international counterparts, Indonesian healthcare institutions manage substantial volumes of personal data, which makes them desirable targets for hackers.

• Insider Threats:
Negligence or malicious intent may turn workers or contractors with access to the network and sensitive data into threats. The repercussions of selling data, handling it improperly, or inadvertently disclosing it can be disastrous, compromising patient safety and resulting in legal problems and large financial damages. Similar difficulties have affected Indonesia’s healthcare industry, where insider threats seriously jeopardize data security.

• Large Attack Surface of IoT Devices:
A typical mid-size hospital includes about 100 imaging-related servers or workstations (such as PACS servers or DICOM image viewers) and about 75 various kinds of medical imaging instruments (like X-ray, MRI, CT, or ultrasound scanners). These IoT devices increase the attack surface by offering several points of entry for cyberattacks.

Healthcare organizations in Indonesia and throughout the world may better safeguard their digital infrastructure, preserve patient data, and guarantee the continuation of vital healthcare services by being aware of these dangers and putting strong cybersecurity measures in place.

2.2.3 Manufacturing Sector

Due to their critical role in economic and strategic domains, manufacturing sector companies have emerged as a prime global target for cyber threats. The sheer number of data points shows how severe and sophisticated the cyberattacks facing the industry are.

Palo Alto Networks has noted the following actions that have an effect on the manufacturing industry:

• Cyber Extortion and Ransomware:
The manufacturing sector tops the list of targeted industries, accounting for 20% of all cyber extortion, marking a 42% increase compared with 2022 figures. [4] Palo Alto Networks Unit 42 assesses with high confidence that ransomware poses the most significant threat to organizations in the manufacturing industry. With 16.8% of cases, extortion-related ransomware is the most common type of investigation observed in the sector. Ransomware primarily targets the Chemicals and Specialty Materials sub-industry in Indonesia, with Squalid Scorpius (8Base) being the most common ransomware operator in this market. [5]

• Nation-State Attacks:
Nation-state actors frequently target this industry, driven by diverse motivations, including geopolitical ambitions and economic interests. Recent data indicates that 17.7% of nation-state attacks have been directed at the manufacturing sector. [6] These attacks often aim to gain access to critical technologies, economic leverage, and strategic advantages essential to national goals.

• Software Supply Chain Compromises:
Software supply chain compromises are likely an active, increasing threat to organizations in the manufacturing industry. The targeted organization, along with its partners and clients, can be disrupted by these attacks, which can have wide-ranging impacts. It is expected that nation-state actors and hackers will continue to exploit software supply chain vulnerabilities to compromise manufacturing networks.

• Initial Access Vectors:
The manufacturing industry’s top initial access vectors, according to data from the Palo Alto Networks Unit 42 Incident Response case survey, are software/API vulnerabilities, brute force attacks, social engineering, and insider threats. The most popular initial access channels, according to reports, were phishing and vulnerabilities, underscoring the necessity of strong security protocols and staff awareness programs. [7]

• Incident Response and Impact:
Manufacturing accounted for 11% of all incident response instances reported in 2023, ranking it as the fourth most affected industry. In 2024, this percentage rose, highlighting the mounting danger. The most significant investigations involved ransomware that seriously disrupted operations by encrypting important data and demanding ransom payments.

The soaring number of attacks on the manufacturing sector in Indonesia points to a significant, urgent need for enhanced cybersecurity measures, including regular vulnerability assessments, comprehensive incident response plans, and stronger collaboration between the public and private sectors.

[4] Kevin Poireault, “Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge.” Infosecurity Magazine, October 5, 2024. https://www.infosecurity-magazine.com/news/manufacturing-top-targeted-orange/
[5] Unit 42, “Threat Actor Groups Tracked by Palo Alto Networks Unit 42.” Unit 42, June 27, 2024. https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/
[6] SentinelOne, “Risks Within the Factory Lines | Examining Top Threats Facing the Manufacturing Industry.” SentinelOne, September 19, 2023. https://www.sentinelone.com/blog/risks-within-the-factory-lines-examining-top-threats-facing-the-manufacturing-industry/
[7] Palo Alto Networks, “Incident Response 2024 Report,” n.d. https://www.paloaltonetworks.com.au/resources/research/unit-42-incident-response-report

2.2.4 Critical Infrastructure Sector

Protecting vital assets in the critical infrastructure sector will probably require more commitment, particularly in areas such as the energy, oil, and gas sectors. Because this sector is a vital part of the global economy and national security, Indonesia’s growing reliance on digital infrastructure within the energy, oil, and gas sectors over the past decades has made the country a more attractive target for a range of cyber threats. Moreover, with their critical role in modern life and complex infrastructure, these sectors face complex, unique challenges.

Analysis from Palo Alto Networks Unit 42 has identified the following trends:

• Financially Motivated Cybercrime:
Business email compromise (BEC) and ransomware are almost certainly the primary cyber threats facing the energy, oil, and gas sectors, particularly because of their dependence on continuous operations and ability to pay substantial ransoms to avoid downtime. Given the industry’s low tolerance for downtime, cybercriminals can reap significant financial benefits from disruptive attacks.

• Supply Chain Vulnerabilities:
Threat actors are likely to adopt indirect targeting strategies, often initiating attacks through the supply chain. The complex and multi-faceted supply chain is becoming the most significant threat facing the energy, oil, and gas industry. A breach in any part of this chain could compromise the entire network, leading to significant disruptions and financial losses.

• State-Sponsored Cyber Espionage:
For financial and commercial gain, state-sponsored cyber espionage is likely to continue to target the energy, oil, and gas industries. Confidential research, corporate planning, and trade secrets are particularly at risk from such attacks. The energy sector is expected to be a prime target for state-sponsored cyber activity due to its association with Critical Infrastructure (CI), especially during times of geopolitical crisis. State-sponsored actors typically target operational technology (OT) networks that manage key industrial assets in the sector. However, until there is a high probability of active conflict, it is highly doubtful that state-sponsored cyber attackers would intentionally disrupt or damage the infrastructure that supports the oil and gas industry.

• High-Profile Attacks and Media Coverage:
Attacks on the energy industry are common and cause enough damage that they are often in the headlines in various news outlets, not just tech magazines. While many perpetrators are nation-state actors, this does not exclude the possibility of cybercriminal activity or hacktivism. The criticality of energy production to nearly every facet of modern life increases the industry’s vulnerability to cybercrime and nation-state actors.

• Complex Technologies and Geopolitical Policies:
The risks involved clearly extend beyond energy suppliers and producers. Recently, the industry’s attack surface has increased dramatically due to complex technologies and the geopolitical policies that support them. Governments may be interested in conducting cyberattacks to destroy vital infrastructure, set the stage for future attacks, and find weaknesses in their adversaries’ energy infrastructure for economic espionage.

In Indonesia, the country’s growing reliance on digital infrastructure within energy, oil, and gas sectors
continues to make them attractive targets for cybercriminals and nation-state actors alike.

2.3 Cost of Cybercrime for Indonesia

Global cybercrime continues to proliferate at alarming rates: projections indicate that, at the current growth rate, damage from cyberattacks will amount to about $10.5 trillion annually by 2025, a staggering increase from $3 trillion in 2015. [8] Globally, the bulk of these losses stem from ransomware and data breaches, with the financial services, healthcare, and manufacturing sectors being the hardest hit; in addition to immediate financial losses, these sectors also confront recovery expenditures, legal accountability, and injury to reputation. Operational disruptions also result from cyberattacks. The loss of valuable intellectual property and the additional expenditures required for cybersecurity measures are further factors that contribute to the widening economic consequences.

Economic Impact of Cybercrime in Indonesia

As the Indonesian digital economy grows, high-profile cybercrime grows with it, along with significant financial impacts in Indonesia, projected to amount to about $4.79 billion annually by 2028, a 35.7 percent increase from the 2018 level. [9] Ransomware attacks on critical infrastructure and data breaches that expose personal and sensitive Government data are some examples of common cybercrime that have occurred in Indonesia.

Exhibit 2.5 Projected Annual Cost of Cyber Crime in Indonesia from 2018 - 2028 (In Billion U.S dollars)
Source: Statista Technology Market Insights

Strategic Response to Mitigate Costs

Indonesia has the opportunity to substantially reduce the financial damage caused by cybercrime while also becoming more resilient against future threats. We have found that determining effective strategies to address the economic costs of a lack of cybersecurity in Indonesia is a very demanding task. Such strategies include enforcing robust cybersecurity policies, public-private sector collaboration, investment in cybersecurity education, and a robust incident response framework.

[8] Mitangi Parekh, “Cybersecurity Ventures Report on Cybercrime.” eSentire, August 29, 2024. https://www.esentire.com/cybersecurity-fundamentals-defined/glossary/cybersecurity-ventures-report-on-cybercrime
[9] Statista, “Annual Cost of Cyber Crime Indonesia 2018-2028,” September 4, 2023. https://www.statista.com/forecasts/1411153/indonesia-cost-of-cyber-crime

Chapter 03: Strategic Pillars for Cybersecurity

As Indonesia accelerates its journey towards digitalization, it is also seeing an increasing range of cyber
threats that could hinder the country’s economic growth, national security, and critical infrastructure. To
address these challenges, Indonesia must establish cybersecurity strategic pillars to outline a firm foundation for
the national cybersecurity ecosystem that is resilient enough to confront ongoing challenges.

Indonesia’s Cybersecurity Vision: A Secure and Resilient Digital Nation 2045

Indonesia Cybersecurity 6 Strategic Pillars

Pillars and Critical Focus:

• Critical Infrastructure Cyber Resilience
Strengthening critical sector defenses through regular audits, incident response plans, and Security Operations Centers (SOC).

• Cybersecurity Governance & Regulations
Aligning national cybersecurity laws with global standards (GDPR, NIST); ensuring centralized regulation; establishing SRO.

• Cybersecurity Governance & Regulations
Establishing talent pipelines; certification program (professionals, companies, etc.); educational programs; public awareness for cybersecurity.

• Public-Private Partnerships in Cybersecurity
Facilitating cross-sector collaboration for threat intelligence sharing, incident review boards, and joint R&D efforts.

• Cybersecurity Methodologies & Standardization
Adopting global methodologies (e.g., ISO, NIST); adopting risk management frameworks across sectors; mandating regular cybersecurity audits.

• Competitive & Resilient Local Cybersecurity Industry
Policy and regulatory support; participation in government projects; R&D grants, innovation hubs, and IP protection; technology transfer and fair competition.

Foundation: Cybersecurity Infrastructure & Framework

Exhibit 3.1 Strategic Pillars for National Cybersecurity

3.1 Pillar 1: Cyber Resilience in Critical Infrastructure

Strengthening the resilience of Indonesia’s critical infrastructure sectors (such as banking, healthcare, and energy) is the aim of this pillar. To protect these industries from cyberattacks, key actions such as periodic sector assessments and a cybersecurity framework tailored to each industry, supported by an Advanced Security Operations Center (SOC), are essential.

Critical Areas of Focus:

• Regular Cybersecurity Audits and Vulnerability Assessments
Provide a mechanism to conduct periodic risk assessments, penetration tests, and stress tests that simulate cyberattacks on infrastructure.

• Incident Response and Recovery Plans
Develop standard incident response and recovery methods for critical sectors. Each sector must have an incident management plan specific to the threat situation in that industry.

• Sector-Specific Security Operations Center
Establish a dedicated SOC for each critical sector to ensure real-time threat monitoring, analysis, and coordinated responses to cyber incidents, aligned with a centralized national SOC to ensure unified defense mechanisms across sectors.

3.2 Pillar 2: Enhancing Cybersecurity Governance and Regulations

Developing and enforcing robust cybersecurity governance and regulations is the second pillar’s objective. It stresses the importance of aligning national laws with international standards, strengthening existing regulations, creating cybersecurity SROs, and ensuring regular updates in response to emerging cyber threats.

Critical Areas of Focus:

• Align with International Standards
Adopt and adhere to global data privacy standards such as ISO/IEC 27001 and the General Data Protection Regulation (GDPR) to drive seamless integration and trust in Indonesia’s cybersecurity procedures.

• Centralized Cybersecurity Regulations
Ensure that cybersecurity is elevated to the top levels of government, such as direct oversight by the President of Indonesia, and centrally managed by a highly capable regulatory body such as the cybersecurity agency, which would enforce policies, oversee compliance, and manage national incidents.

• Establish Self-Regulatory Organization (SRO)
Create Indonesia’s local cybersecurity self-regulatory organization (SRO) to strengthen the nation’s cybersecurity posture by fostering collaboration, tailoring standards, and protecting local cybersecurity providers.

• Regular Updates and Legal Framework Enhancement
Ensure existing cybersecurity and data protection laws evolve as new cyber threats and technologies emerge. Regulatory bodies must be empowered to update frameworks as necessary.

3.3 Pillar 3: Developing Cybersecurity Talent and Awareness

Building a pipeline of qualified cybersecurity professionals and a cybersecurity awareness culture is the third pillar’s objective. It stresses the importance of increasing public awareness of cybersecurity risks and ensuring institutions have access to well-trained personnel, further supporting the development of a resilient local cybersecurity industry.

Critical Areas of Focus:

• Cybersecurity Education Initiatives
Collaborate with existing academic institutions and technical centers, both domestic and foreign, to create a dedicated cybersecurity curriculum with an emphasis on internships, certification programs, and hands-on training.

• Upskilling the Workforce
Provide ongoing training and certification opportunities for existing IT professionals to sharpen their cybersecurity capabilities.

• Public Awareness Campaigns
Launch a national initiative to educate companies, organizations, and the general public about the importance of cybersecurity, data privacy, and safe online habits.

3.4 Pillar 4: Public-Private Partnerships

To develop a more unified and successful national cybersecurity strategy, pillar four emphasizes the necessity of cooperation between government agencies and businesses in the private sector. Public-private partnerships are crucial for exchanging resources, intelligence, and best practices.

Critical Areas of Focus:

• Real-Time Threat Intelligence Sharing
Provide a nationwide platform for the exchange of real-time threat intelligence between the public and private sectors. This platform needs to be an AI-enhanced system that assesses new risks and plans coordinated sector-wide responses.

• Cyber Incident Review Boards
Create a national board including representatives from major corporations, government agencies, and local and global cybersecurity experts. This group will look at notable cyber incidents and provide suggestions for enhancements.

• Collaborative Research and Development
Encourage joint R&D projects between government organizations, educational institutions, and private companies to develop advanced cybersecurity solutions, with a focus on cutting-edge technologies like blockchain, AI, and quantum computing.

3.5 Pillar 5: Aligning Indonesia with Standardized Cybersecurity Methodologies and Standards

Applying globally accepted cybersecurity methods and standards (such as ISO and NIST) is the objective of the fifth pillar. Achieving seamless integration and efficient defense systems will require developing an integrated approach to cybersecurity across industries.

Critical Areas of Focus:

• Adoption of Global Standards (ISO, NIST)
Ensure that cybersecurity guidelines and practices in Indonesia are in line with global standards to improve the smooth operations of companies that conduct business globally.

• Risk Management Frameworks
Drive the implementation of a comprehensive cybersecurity risk management framework in public and private organizations.

• Compliance Audits and Reporting
Require cybersecurity assessments to be conducted periodically, especially for economic sectors that depend on critical infrastructure, and require comprehensive reporting on compliance with established protocols.

3.6 Pillar 6: Strengthening Local Players in Indonesia Cybersecurity Industry Growth

The presence of a robust local cybersecurity market is fundamental to protecting Indonesia’s critical
infrastructure, minimizing reliance on foreign technologies, and encouraging economic development. This
pillar discusses primary approaches to creating a competitive, innovative, and independent local cybersecurity
ecosystem.

Critical Areas of Focus:

• Ideal Provision
Local companies are expected to focus on niche markets like threat intelligence and incident response and act as value-added resellers (VAR) of external technologies. Positive government incentives, such as tax holidays and grants for research and development, will encourage local development and allow them to compete globally.

• Transition to Innovation
Indonesia must be able to expand its cybersecurity offerings and do more than just install off-the-shelf solutions. R&D will move faster if innovation centers are built and collaboration between academia and business is encouraged. This will enable solutions that better suit the unique needs of the country.

• SRO Standardization
To guarantee the credibility and competitiveness of local Indonesian businesses in the market, an SRO must provide certification programs and industry standards. This effort aims to encourage equal competition and enable companies to take part in national initiatives.

• Policy and Regulatory Support
Improve regulations through local content mandates, preferential treatment, regulatory simplification, and anti-dumping laws to directly help and improve the competitiveness of local cybersecurity companies.

Chapter 04: Sector-Specific Cybersecurity Insights

As Indonesia accelerates its digital transformation, attacks on sectors such as financial services, healthcare, manufacturing and energy, which are some of the main critical sectors in Indonesia, are increasingly widespread, making them vulnerable to growing cyber risks. The following sections will discuss sectoral asset mapping, attack surface management, and vulnerabilities specific to each critical sector.

4.1 Asset Mapping and Attack Surface Management

As the digital ecosystem accelerates its growth, it expands our exposure to cyber risk. It is becoming essential for organizations to prioritize understanding and managing their attack surface, as this helps them evaluate their network infrastructure from an adversary’s perspective and identify existing vulnerabilities that adversaries could exploit as attack vectors. Furthermore, as organizations accelerate the modernization of their IT infrastructure (through cloud adoption, SaaS platforms, and distributed workforces), their attack surface will grow dramatically. Effective Attack Surface Management (ASM) should thus become an integral part of a strong cybersecurity posture.

The Need for Attack Surface Management (ASM)

Exhibit 4.1 Attack Surface Management, Source: Palo Alto Networks Cyberpedia

Organizations are increasingly unable to manage their sprawling IT environments due to the sheer
number of services added and updated. According to the Palo Alto Networks Unit 42 Threat Assessment
Report, the average organization adds or updates more than 300 services monthly, contributing to 32% of new
high or critical cloud exposures. This challenge is even greater in certain industries:

Exhibit 4.2 Indonesia’s Most Impacted Industries by Ransomware Attacks in 2023


Source: Palo Alto Networks Unit 42 Attack Surface Threat Report 2024

• The media and entertainment industry adds about 7,000 new services each month.

• The life sciences, insurance, telecommunications, and pharmaceutical industries all see significant growth; each month, more than 1,000 new services are added to their attack surfaces.

• More than 200 new services are added to the attack surfaces of vital industries including finance, healthcare, and manufacturing each month.

With a lack of centralized control across many public services in Indonesia, their complexity becomes increasingly challenging, raising the risk of misconfiguration, inconsistent exposure, and data breaches. Attack Surface Management, which provides programmatic methods to detect, control, and mitigate risk through continuous observation and evaluation of an organization’s exposed digital assets, is critical amid this complexity.

Fundamental Principles of Attack Surface Management (ASM)

1. Visibility is Critical

• “You cannot secure what you do not know” is the foundational principle of ASM that needs to be adopted to prevent cyberattacks. It is therefore necessary to consistently identify all of the company’s existing assets, known and unknown, that are exposed to the internet. These may include IP addresses, domains, and cloud instances that attackers could potentially leverage.

• With ASM, organizations can use automated tools that scan public-facing infrastructure and point out vulnerabilities in real time. This significantly reduces the window of opportunity for attackers.

2. The ASM Process

• ASM is a non-invasive methodology based on domain names or IP ranges, furnishing insight into exposed services, misconfigurations, and unprotected assets. With this non-invasive methodology, ASM provides crucial visibility into possible attack vectors, from software vulnerabilities to misconfigured cloud storage solutions.

3. Adversaries Act Fast; Organizations Must Act Faster

• When it comes to capabilities, organizations frequently lag behind attackers. For instance, Palo Alto finds that if a vulnerability is disclosed, attackers begin scanning the internet for vulnerabilities within 15 minutes. Nonetheless, it might take a company up to 12 hours to find and fix problems. The 2024 Palo Alto Unit 42 Incident Response Report also finds that most large-scale campaigns begin by exploiting systems visible on the internet and that initial access is often gained through software vulnerabilities.

Rising Threats and the Importance of ASM

Organizations are exposed to a greater variety of risks as they expand, which may be divided into several device business functions. Palo Alto Networks Unit 42 identified the following key trends in attack surface exposures:

Figure 2: Distribution of Exposure Categories Across the 265 Organizations in the 12 Months

• IT & Security Infrastructure: 26%
• Remote Access Services: 24%
• Business Operations Applications: 23%
• Web Framework: 13%
• Unpatched, Misconfigured & End-of-Life (EOL): 3%
• Insecure File Sharing: 3%
• Uncategorized: 2%
• Weak or Insecure Cryptography: 2%
• IoT and Embedded Devices: 2%
• Potential Regulatory Violation: 1%
• Database: 1%

Exhibit 4.3 Distribution of Exposure Categories Observed Across Organizations in the Last 12 Months
Source: Palo Alto Networks Unit 42 Attack Surface Threat Report 2024

• IT and Networking Infrastructure (25%)
Systems that underpin core networking, such as routers, VPNs, and firewalls, are a source of critical vulnerabilities. Frequently, attackers attempt to breach sensitive data on these devices and disrupt core business operations.

• Remote Access Services (24%)
Today’s remote work is possible using Virtual Network Computing (VNC), Secure Shell (SSH), and Remote Desktop Protocol (RDP). However, these components leave companies vulnerable to large-scale ransomware campaigns and brute force attacks if they are misconfigured or exposed. RDP has become one of the primary attack vectors for significant ransomware incidents.

• Business Operations Applications (23%)
Collaboration tools, CRMs, and project management software are vulnerable, leading to disruptions in business continuity. Such breaches in industries that handle PII and PHI pose huge regulatory and financial risks.

• Web Framework Takeovers (13%)
Outdated or insecure web frameworks like Apache, PHP, and jQuery are critical vulnerabilities that attackers intend to leverage. This happens because the patches are known but not applied.

• Insecure File Sharing (3%)
Attackers can exfiltrate data from public file-sharing services, poorly configured classic FTP servers, and misconfigured cloud storage. These pose a very serious risk in sectors with strict regulatory requirements for data protection.

Emerging Vulnerabilities and Critical Risks

As organizations and businesses work to modernize their IT infrastructure further, new risks pop up. Several
areas need special attention over the following years:

1. Unpatched, Misconfigured, and End-of-Life (EoL) Systems:
Systems that operate with end-of-life software or those that are not correctly patched are soft targets. Using a critical vulnerability in an outdated router, an attacker can intercept network traffic, steal data, or disrupt services.

2. Weak or Insecure Cryptography:
Weak encryption protocols leave sensitive communications susceptible to decryption, compromising confidentiality and regulatory compliance. Organizations should audit and upgrade their encryption practices on a routine basis to avoid data interception.

3. IoT and Operational Technology (OT):
The increased integration of IoT devices and OT into corporate environments has significantly broadened the attack surface. Because many of these devices’ security features are inadequate, they are attractive targets for DDoS and botnet recruitment, which could have an adverse effect on both business operations and individual safety.

4. Development Infrastructure:
Development environments include source code repositories, build servers, and other high-value targets. Adversaries who gain this position can steal intellectual property or inject malicious code. Compromising these environments could undermine trust in an organization’s software and disrupt business operations.

4.2 Sector-Specific Cybersecurity Analysis

Each industry faces unique cybersecurity issues, so different risk mitigation strategies must be implemented for different sectors. The following section examines sector-specific vulnerabilities and risks (financial services, healthcare, and manufacturing) in detail and then develops strategic actions to strengthen cybersecurity resilience in each of the three key sectors.

4.2.1 Financial Services Sector

Due to its access to sensitive financial data and other important services closely related to banking institutions and other financial organizations, the financial services industry is often the main target of cyber attacks. In this sector, cybersecurity breaches can result in significant financial losses, legal fines, long-term damage to reputation, and other permanent harm.

A recent cybersecurity evaluation by Mastercard (Appendix 1: Mastercard RiskRecon Overview), which benchmarked 10 Indonesian financial institutions against 50 in the Asia-Pacific region, found mixed cybersecurity performance across the sector, with several areas needing improvement.

Financial Sector Cybersecurity Performance Overview

Indonesia’s financial institutions received an overall rating of B, or 8.4 out of 10, in general cybersecurity performance, slightly below the average regional grade of 8.8 for the Asia Pacific region. As shown in Exhibit 4.4, Indonesian financial institutions underperformed their regional peers in five of nine critical security domains.

Exhibit 4.4 Financial Sector Cybersecurity Performance Comparison Between Indonesia and Asia Pacific
Source: US-ABC

Evaluating Indonesia’s Financial Sector

Exhibit 4.5 Indonesia’s Financial Sector Security Performance, Source: Mastercard

The Performance Summary diagram by Mastercard demonstrates the following:

• Five institutions achieved an A rating (8.5-10), indicating strong cybersecurity practices.
• Four institutions fell into the B-rating range (7.0-8.4), a score reflecting moderate security performance.
• One institution scored in the lower range of C (5.5-6.9), a score indicating substantial security weaknesses.

Strengths and Weaknesses


Based on the evaluation carried out by Mastercard in Exhibit 4.5, we identified the following areas of strength and needed improvement for Indonesia’s financial services sector:

Strengths:
• No reported breach incidents: Indonesian financial institutions have managed to avoid significant breaches
in recent years.
• System Reputation: Few organizations showed infected devices or malware activities associated with their
infrastructure, which indicates malware controls are in place.

Weaknesses:
• Application Security, Email Security, and DNS Security are the domains where most institutions score
poorest in the Security Domain Ratings Diagram. Each of these areas presents critical vulnerabilities that
should be targeted with immediate action to enhance the general cybersecurity posture in the sector.

These findings reveal that more attention needs to be paid to the security of web applications and email vulnerabilities, which are vital components in the financial sector’s overall cybersecurity resilience.

Key Vulnerabilities Identified in Financial Sector

[Pie chart: Web Encryption 45%; Others 20%; Software Patching 19%; Unsafe Network Services 10%; DNS Security 6%. The chart’s callouts are reproduced below.]

Unsafe Network Services
Exposed Network Services: The system is exposing a network service to the internet that is not safe or not appropriate to operate on the internet. Operating unsafe and inappropriate network services on the internet exposes the organization to compromise through various methods such as credential guessing, communications intercept, and vulnerability exploitation.

DNS Security
Domain Hijacking: This domain also enumerates the DNS hosting providers to determine level of fragmentation. Control of DNS records is essential to keeping systems accessible.

Web Encryption
Insecure Protocols: Insecure protocols have fundamental flaws that allow miscreants to break the encryption process, exposing the authorized parties to risk of data theft and fraud.
Invalid Certificate Subjects: Websites operating HTTPS have invalid X.509 encryption certificate subjects. Systems with an invalid certificate subject are not trustworthy and cause the browser to display security warnings to the user.

Software Patching
End-of-Life Software: The web server software running on the system is end of life and no longer supported by the vendor.

Exhibit 4.6 Security Vulnerabilities by Category in Indonesia’s Financial Sector, Source: Mastercard

A total of 1,696 issues within nine security domains were found, as represented in Exhibit 4.6. The most critical vulnerabilities identified include:

• Web Encryption (45%):
Weak encryption techniques and insecure protocols exposed financial data to fraud and interception, which was a major problem in the Indonesian banking system. This vulnerability constituted nearly half of the identified issues.

• End-of-Life Software (19%):
It was discovered that several financial institutions in Indonesia were still utilizing outdated software, such as PHP, Apache, and IIS, which was not receiving security upgrades. This greatly broadens the attack surface available to cybercriminals.

• Unsafe Network Services (10%):
Several vulnerable services, including MySQL, were found to be lacking the required security measures. These services’ open ports and susceptibility to exploitation increase the likelihood of unauthorized access.
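The two Web Encryption findings above (insecure protocols and invalid certificate subjects) can be checked mechanically from scan output. The following is an added example, not code from the report or from Mastercard; the record layout, the function names and every host, date and certificate field are constructed for illustration.

```python
"""Added example: audit TLS scan records for the report's 'Web Encryption' findings.

Every host, certificate field and date below is constructed sample data.
"""
from collections import Counter
from datetime import date

# Protocol versions that have been formally deprecated:
# SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLS 1.0 and TLS 1.1 (RFC 8996).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def hostname_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname, RFC 6125 style.

    A wildcard is honoured only as the entire left-most label, it stands for
    exactly one label, and it must leave at least two labels after it
    (so "*.example" never matches).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def audit_endpoint(record, today):
    """Return the list of Web Encryption findings for one scanned HTTPS endpoint."""
    findings = []
    # Current browsers validate the hostname against subjectAltName DNS
    # entries only, so a certificate without any is an invalid subject here.
    if not any(hostname_matches(n, record["host"]) for n in record["san_dns"]):
        findings.append("invalid-certificate-subject")
    if record["not_after"] < today:
        findings.append("expired-certificate")
    weak = sorted(INSECURE_PROTOCOLS.intersection(record["protocols"]))
    if weak:
        findings.append("insecure-protocol:" + ",".join(weak))
    return findings


def summarize(records, today):
    """Count each finding type across all endpoints, as a scan report would."""
    counts = Counter()
    for record in records:
        for finding in audit_endpoint(record, today):
            counts[finding.split(":")[0]] += 1
    return dict(counts)


# Constructed scan output (hypothetical hosts under the reserved .example TLD).
SAMPLE_SCAN = [
    {"host": "www.bank.example", "san_dns": ["www.bank.example", "bank.example"],
     "not_after": date(2026, 1, 1), "protocols": ["TLSv1.2", "TLSv1.3"]},
    {"host": "portal.bank.example", "san_dns": ["*.bank.example"],
     "not_after": date(2026, 1, 1), "protocols": ["TLSv1.0", "TLSv1.2"]},
    # A wildcard covers one label only, so this two-level name is not covered.
    {"host": "pay.api.bank.example", "san_dns": ["*.bank.example"],
     "not_after": date(2026, 1, 1), "protocols": ["TLSv1.2"]},
    {"host": "old.clinic.example", "san_dns": [],
     "not_after": date(2023, 5, 1), "protocols": ["SSLv3", "TLSv1.0"]},
]

if __name__ == "__main__":
    scan_day = date(2025, 1, 1)  # fixed date so the output is reproducible
    for rec in SAMPLE_SCAN:
        print(rec["host"], audit_endpoint(rec, scan_day) or "ok")
    print(summarize(SAMPLE_SCAN, scan_day))
```

The multi-level hostname case is the one most often missed in manual review: a `*.bank.example` certificate looks valid for every subdomain but fails for `pay.api.bank.example`.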

Risk Classification and Mitigation Prioritization

Exhibit 4.7 Indonesia’s Financial Sector Risk Prioritization Matrix, Source: Mastercard

Exhibit 4.7 categorizes the 1,696 vulnerabilities by asset value and issue severity to enable institutions to prioritize remediation efforts by risk impact. Key risk categories include:

• High Priority:
For critical issues, some 25 identified high-value systems, such as those dealing with sensitive financial data, were assessed. These should be immediately remediated to protect against data breaches and system compromise.

• Medium Priority:
Medium-priority issues on systems immediately adjacent to high-value assets totaled 76. These are systems that do not handle sensitive data directly but whose exploitation could grant attackers lateral movement onto more critical infrastructure.

• Low Priority:
These concerned relatively low-risk systems, such as idle domains and non-essential services. They should not pose any imminent danger, but the vulnerabilities should be patched to avoid future compromise.

The majority of the problems are related to out-of-date software (PHP, IIS, Perl, Apache, and Nginx) that has known security vulnerabilities, as well as systems that expose a network service (MySQL) to the internet that is either unsafe or inappropriate to operate there.

4.2.2 Healthcare Sector

The healthcare industry is becoming increasingly important to Indonesia’s national infrastructure as a result of the industry’s massive storage of Personally Identifiable Information (PII) and Protected Health Information (PHI). Cybercriminals see healthcare facilities as an attractive target because of these databases. A cyberattack on this industry might endanger many lives by leaking data, interfering with hospital operations, or even affecting patient care.

In a recent cybersecurity evaluation, Mastercard compared 10 healthcare organizations in Indonesia with 50 healthcare organizations in the Asia-Pacific area. This study provides insight into the current cybersecurity posture of Indonesia’s health sector, pointing out strengths and vulnerabilities compared to regional counterparts.

Healthcare Sector Cybersecurity Performance Overview

Exhibit 4.8 Healthcare Sector Cybersecurity Performance Between Indonesia and Asia Pacific, Source: Mastercard

Indonesian healthcare institutions’ overall cybersecurity performance was rated at B (7.6/10), which is slightly above the Asia-Pacific healthcare industry average score of 7.4. Exhibit 4.8 illustrates this comparison, revealing that Indonesian healthcare organizations performed better in six of nine critical security domains than their regional peers.

Evaluating Indonesia’s Healthcare Sector

Exhibit 4.9 Indonesia’s Healthcare Sector Security Performance, Source: Mastercard

Key points from the Performance Summary Diagram include:

• Four institutions were rated A (8.5-10), reflecting a strong cybersecurity posture.


• One institution scored in the C range (5.5-6.9), indicating areas for substantial improvement.
• One institution was identified with a score below 5.5, demonstrating critical cybersecurity vulnerabilities.

Strengths and Weaknesses


As highlighted in Exhibit 4.9, the key strengths and weaknesses in the Indonesian healthcare sector’s cybersecurity performance include:

Strengths:
• No publicly disclosed breach events: The healthcare institutions assessed have avoided significant data
breaches recently, indicating adequate controls to safeguard patient information.
• System Reputation: Regarding system reputation, none of the institutions in the healthcare sector mentioned any severe problems, such as infected devices or malicious activities within their infrastructure.

Weaknesses:
• Application Security, Email Security, and DNS Security were identified as the weakest areas across the
sector, highlighting a critical need for enhanced security measures in these domains. These vulnerabilities
can significantly impact the confidentiality and integrity of patient data.

Key Vulnerabilities Identified in Healthcare Sector

[Pie chart: Web Encryption 57%; Software Patching 19%; Others 16%; Network Filtering 8%. The chart’s callouts are reproduced below.]

Software Patching
End-of-Life Software: The web server software running on the system is end of life and no longer supported by the vendor.

Network Filtering
Exposed Network Services: The system is exposing a network service to the internet that is not safe or not appropriate to operate on the internet. Operating unsafe and inappropriate network services on the internet exposes the organization to compromise through various methods such as credential guessing, communications intercept, and vulnerability exploitation.

Web Encryption
Insecure Protocols: Insecure protocols have fundamental flaws that allow miscreants to break the encryption process, exposing the authorized parties to risk of data theft and fraud.
Invalid Certificate Subjects: Websites operating HTTPS have invalid X.509 encryption certificate subjects. Systems with an invalid certificate subject are not trustworthy and cause the browser to display security warnings to the user.

Exhibit 4.10 Breakdown of Security Vulnerabilities by Category in Indonesia’s Healthcare Sector, Source: Mastercard

The assessment uncovered 354 vulnerabilities across nine security domains, as illustrated in Exhibit 4.10. The most critical vulnerabilities identified include:

• Web Encryption (57%):
Ineffective encryption techniques and expired encryption certificates were the most frequent issues jeopardizing the confidentiality of personal health information. Outdated encryption methods compromise confidentiality and regulatory compliance by making patient data susceptible to theft or fraud.

• Software Patching (19%):
It was discovered that many healthcare institutions were running outdated versions of WordPress, Nginx, and PHP, among other end-of-life software. These systems no longer receive security updates, so their known security flaws might be exploited.

• Network Filtering (8%):
Several healthcare facilities’ network services, including MySQL, are accessible to the public due to inadequate security procedures. This broad attack surface increases the likelihood of data breaches and unauthorized access.

Risk Classification and Mitigation Prioritization

Prioritizing remediation activities was achieved by classifying the 354 vulnerabilities using the Risk
Prioritization Matrix based on issue severity and asset value. Healthcare facilities may concentrate their
security efforts on the most important threats by following the clear route provided by the matrix.

Exhibit 4.11 Indonesia’s Healthcare Sector Risk Prioritization Matrix, Source: Mastercard

Key findings include:

• High-Priority Risks:
Eleven significant issues were discovered with high-value systems that oversee personal health data. These must be corrected immediately to prevent data breaches and maintain the integrity of healthcare operations.

• Medium-Priority Risks:
Forty-seven issues were discovered in medium-value systems that are on the same network as high-value systems but may not directly handle sensitive data. These vulnerabilities need to be addressed at once in order to stop future exploitation and the possibility of lateral attacks.

• Low-Priority Risks:
The remaining issues were related to low-value systems, such as brochure websites or idle domains, which do not pose immediate security risks but should be monitored to prevent future exposures.

Most of the issues revolve around using outdated software (PHP, WordPress, Perl, Nginx) with known security
vulnerabilities and exposing unsafe network services (such as MySQL) to the internet. These vulnerabilities pose
significant risks to healthcare institutions’ digital infrastructure integrity.

4.2.3 Manufacturing Sector

The manufacturing sector is essential to Indonesia’s economy due to its significant GDP contribution and role in supporting critical infrastructure. This industry’s vital role makes it a prime target for cybercriminals looking to disrupt operations or exploit sensitive data. In a recent cybersecurity study, Mastercard compared 50 manufacturing institutions in Asia-Pacific with 10 Indonesian manufacturing firms. The evaluation provides insightful information about the industry’s cybersecurity posture compared to its regional counterparts.

Manufacturing Sector Cybersecurity Performance Overview

Exhibit 4.12 Manufacturing Sector Cybersecurity Performance Between Indonesia and Asia Pacific, Source: Mastercard

The overall cybersecurity performance of Indonesian manufacturing institutions was rated at B (8.2/10), significantly higher than the Asia-Pacific manufacturing industry average of 7.2. As shown in Exhibit 4.12, Indonesia outperformed the regional average in eight out of nine security domains.

Evaluating Indonesia’s Manufacturing Sector

Exhibit 4.13 Indonesia’s Manufacturing Sector Security Performance, Source: Mastercard

Key takeaways from the Performance Summary include:

• Five institutions achieved an A rating (8.5-10), reflecting strong cybersecurity performance.


• Two institutions fell into the B-rating (7.0-8.4) range, indicating a solid but improvable security posture.
• Three institutions scored in the C-range (5.5-6.9), demonstrating areas for significant improvement in security practices.

Strengths and Weaknesses


As highlighted in Exhibit 4.13, the key strengths and weaknesses in the Indonesian healthcare sector’s cybersecurity performance include:

Strengths:
• No recent publicly disclosed breach events: The absence of notable data breaches announced by Indonesian manufacturing companies suggests that a strong control framework is in place to protect sensitive data.
• No companies with issues involving System Reputation: The well-maintained network hygiene of all the evaluated firms was demonstrated by the lack of issues pertaining to system reputation, such as infected devices or malicious activities.

Weaknesses:
• Application Security: The manufacturing industry has a large number of underperforming firms when it comes to application security, so there is definitely room for improvement.
• Network Filtering: Weaknesses in network filtering indicate that several organizations have improperly secured or misconfigured network services, increasing the risk of unauthorized access.
• DNS Security: DNS security is another domain where many organizations are performing poorly, which could expose their systems to attacks like DNS spoofing or man-in-the-middle attacks.

Key Vulnerabilities Identified in Manufacturing Sector

As shown in Exhibit 4.14, the evaluation found 419 vulnerabilities spread across nine security domains. The following are the most important vulnerabilities found:

[Pie chart: Web Encryption 50%; Others 21%; Software Patching 14%; Network Filtering 9%; DNS Security 6%. The chart’s callouts are reproduced below.]

Network Filtering
Exposed Network Services: The system is exposing a network service to the internet that is not safe or not appropriate to operate on the internet. Operating unsafe and inappropriate network services on the internet exposes the organization to compromise through various methods such as credential guessing, communications intercept, and vulnerability exploitation.

DNS Security
Domain Hijacking: This domain also enumerates the DNS hosting providers to determine level of fragmentation. Control of DNS records is essential to keeping systems accessible.

Web Encryption
Insecure Protocols: Insecure protocols have fundamental flaws that allow miscreants to break the encryption process, exposing the authorized parties to risk of data theft and fraud.
Invalid Certificate Subjects: Websites operating HTTPS have invalid X.509 encryption certificate subjects. Systems with an invalid certificate subject are not trustworthy and cause the browser to display security warnings to the user.

Software Patching
End-of-Life Software: The web server software running on the system is end of life and no longer supported by the vendor.

Exhibit 4.14 Security Vulnerabilities by Category in Indonesia’s Manufacturing Sector, Source: Mastercard

1. Web Encryption (50%):
It was found that many businesses were using insecure encryption protocols and out-of-date certificates. These vulnerabilities put sensitive production data privacy at risk and increase the likelihood of data breaches.

2. Software Patching (14%):
Many companies were still utilizing outdated software, such as versions of PHP and MongoDB that were no longer receiving security updates. These outdated systems pose significant risks and are vulnerable to known attacks.

3. Network Filtering (9%):
Samba and MySQL were two examples of open and unprotected network services that were found to be of serious concern. These services increase the risk of data theft or operational disruption since they allow unauthorized access to sensitive systems when they are not adequately safeguarded.

Risk Classification and Mitigation Prioritization

Based on asset value and severity, the 419 found vulnerabilities are grouped using the Risk Prioritization
Matrix to provide a focused and effective remediation process. Based on this classification, manufacturing
organizations may concentrate their cybersecurity efforts where they will have the greatest impact.

Exhibit 4.15 Indonesia’s Manufacturing Sector Risk Prioritization Matrix, Source: Mastercard

Key findings from the matrix include:


• High-value systems that handle or store private manufacturing data have seven main problems. Corrective action must be taken as soon as possible to avoid any operational interruptions or violations.

• Fifty high-severity issues were found in medium-value systems, which are critical assets’ network neighbors, even though they do not directly handle sensitive data. These systems are susceptible to lateral movement attacks, so they must be addressed immediately to prevent unauthorized access to more crucial systems.

• Brochure sites and inactive domains with no imminent risk to vital activities were discovered to have low-priority concerns. In order to stop vulnerabilities from developing in the future, these systems still need to be observed.

Most of the problems are with software (PHP) that is getting close to the end of its life and contains known security vulnerabilities. In addition, systems expose network services (MySQL, MongoDB, Samba) to the internet that are not safe or appropriate to operate there.

4.3 Recommendations Based on Sectoral Assessments

1. Maintain Persistent, Comprehensive Visibility
Having a thorough understanding of the attack surface of your company is essential for the identification and mitigation of risks, especially those related to recognized vulnerabilities. This may be accomplished by consistently monitoring both standard and nonstandard ports while maintaining accurate fingerprints of the devices and services in your environment. This strategy will improve your capacity to recognize dangers and take preventative action.

2. Implement Real-Time Monitoring for Unsanctioned Services or Shadow IT
Regular monitoring of the known perimeter assets will help distinguish between authorized assets and out-of-scope or shadow IT. The monitoring shall be further supported by a common security configuration baseline on all systems. Assets not meeting these baselines are at the highest risk of compromise and should be the focus of remediation.

3. Focus on High-Priority Vulnerabilities
Prioritize remediation efforts on critical vulnerabilities, particularly internet-exposed ones with high severity and likelihood scores. Where necessary, engage appropriate external experts to identify the critical areas for improvement and address them swiftly.

4. Remediate Critical Exposure Risks in Real-Time
Finding internet-exposed risks due to misconfigurations and vulnerabilities is not good enough. An organization should have proper processes and technologies that empower the security operations teams to identify the service owners quickly, communicate the risk details, and track remediation progress in real-time.

5. Seek Expert Guidance
Organizations new to Attack Surface Management (ASM) or wanting to advance their existing practices should consider external assessment. This would be achieved by collaborating with cybersecurity experts to identify significant vulnerabilities and thus create a custom roadmap for remediation.

6. Strengthen Remote Access Security
Remote access remains among the key entry points for cyber threats. Stringent authentication protocols should be implemented for all remote access services, using multi-factor authentication (MFA) where appropriate. Monitoring systems should be installed to enable detection of and response to unauthorized access, including brute-force attempts.

7. Optimize Cloud Configurations
Periodically review the cloud configuration against industry best practices and perform updates to decrease the security risk. Encourage security and development teams to collaborate on developing secure cloud-native applications, including the correct setup and configuration of cloud resources for security.

8. Enforce Secure Data Handling Practices
Establish and maintain strict access controls and secure file-sharing protocols regarding databases and shared resources. This will prevent unauthorized access, preserve data integrity, and support compliance with related regulatory frameworks, including data privacy laws.

9. Stay Informed About Emerging Threats
Create a more formal process to stay abreast of emerging vulnerabilities, exploits, and threat actors. Due to the ever-evolving threat landscape, periodically reassess your organization’s attack surface to ensure the efficiency of your security postures.

10. Adopt a Risk-Based Approach Aligned with Leading International Standards
A risk-based approach, aligned with international standards like SNI/ISO/IEC 27001 and SOC2, is critical for building a resilient cybersecurity framework. Implement essential controls, such as:

● Timely patching of applications and operating systems
● Use of strong passwords and multi-factor authentication
● Restricting administrative privileges
● Application control
● Regular backups
● Protection against brute force credential attacks, such as lockouts after a maximum number of attempts

11. Drive Digital Transformation by Retiring Legacy Equipment
To counter growing threats, Indonesian companies need to proactively migrate from outdated cybersecurity solutions. They have to start by identifying which legacy system risks are critical for business operations and then rank those risks appropriately. The next step is developing a detailed transition plan that includes data migration, integration, testing, and phased migration to modern solutions like cloud-based security and advanced threat detection systems. Furthermore, acquiring the required funds via grants, budgetary allotment, cost-benefit analysis, or cybersecurity insurance is also crucial. Afterwards, allocate funds for employee training to close skill gaps and ensure employees are knowledgeable about emerging technologies and incident response procedures. Continuous monitoring, vulnerability management, and a strong incident response plan are necessary for maintaining security.

Collaboration with stakeholders, vendor support, and a phased approach will facilitate a smooth transition and strengthen defenses against cyberattacks. Fully retiring the legacy system can also save environmental and financial costs. Several things should be considered when decommissioning legacy systems. Keeping outdated systems up and running forever has security issues that can allow hackers to breach a company’s firewall and expose its sensitive data to potential threats.[10] There’s also a chance that maintaining an outdated system may violate data privacy laws, which might result in fines, penalties, and other legal issues.[11]
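Recommendations 1 to 3 describe one workflow: fingerprint what is listening on every port, compare it with the sanctioned baseline, and rank what does not belong. The following is an added example, not code from the report or any vendor; the inventory format, the service set, the scoring rule and all addresses are assumptions constructed for illustration.

```python
"""Added example: reconcile a perimeter scan against the sanctioned-asset inventory.

All addresses (RFC 5737 documentation range), ports and fingerprints are constructed.
"""

# Assumption of this example: services the report names as unsafe, misconfigured
# or frequently attacked when they are reachable from the internet.
UNSAFE_ON_INTERNET = {"mysql", "mongodb", "samba", "ftp", "rdp", "vnc"}

# Default port per fingerprinted service; any other port counts as nonstandard.
STANDARD_PORT = {"mysql": 3306, "mongodb": 27017, "samba": 445, "ftp": 21,
                 "rdp": 3389, "vnc": 5900, "ssh": 22, "https": 443}

ASSET_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed baseline: (ip, port) -> (expected service fingerprint, asset value).
INVENTORY = {
    ("203.0.113.10", 443): ("https", "high"),
    ("203.0.113.10", 22): ("ssh", "high"),
    ("203.0.113.20", 443): ("https", "low"),
}

# Constructed scan result: (ip, port, service identified by fingerprint, not by port).
SAMPLE_SCAN = [
    ("203.0.113.10", 443, "https"),
    ("203.0.113.10", 22, "ssh"),
    ("203.0.113.10", 13306, "mysql"),  # database moved to a nonstandard port
    ("203.0.113.10", 8443, "https"),   # extra web listener nobody registered
    ("203.0.113.20", 443, "https"),
    ("203.0.113.20", 21, "ftp"),
    ("203.0.113.77", 3389, "rdp"),     # host missing from the inventory
]


def reconcile(scan, inventory):
    """Return out-of-baseline services, highest remediation priority first."""
    # A host is worth as much as its most valuable sanctioned service.
    host_value = {}
    for (ip, _port), (_service, value) in inventory.items():
        if ASSET_RANK[value] > ASSET_RANK.get(host_value.get(ip), 0):
            host_value[ip] = value

    findings = []
    for ip, port, service in scan:
        expected = inventory.get((ip, port))
        if expected and expected[0] == service:
            continue  # sanctioned service, fingerprint unchanged
        reasons = []
        if ip not in host_value:
            reasons.append("unknown-host")           # shadow IT candidate
        elif expected:
            reasons.append("fingerprint-changed")    # known port, different service
        else:
            reasons.append("unsanctioned-service")
        if service in UNSAFE_ON_INTERNET:
            reasons.append("unsafe-on-internet")
        if STANDARD_PORT.get(service) != port:
            reasons.append("nonstandard-port")
        # Assumed scoring rule: severity (3 for an unsafe service, else 1) times
        # asset value; unknown hosts count as high value until an owner is found.
        severity = 3 if service in UNSAFE_ON_INTERNET else 1
        score = severity * ASSET_RANK[host_value.get(ip, "high")]
        findings.append({"ip": ip, "port": port, "service": service,
                         "reasons": reasons, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["ip"], f["port"]))


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_SCAN, INVENTORY):
        print(finding)
```

A scanner that only checks default ports would miss the MySQL listener on 13306, which is why the first recommendation asks for fingerprints on standard and nonstandard ports alike.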

[10] TJC Group. “Decommissioning Legacy Systems for Better Cybersecurity,” July 26, 2024. https://www.tjc-group.com/blogs/the-strategic-imperative-decommissioning-legacy-systems-for-better-cybersecurity/.
[11] Ibid.

Chapter 05
Regulatory and Governance Framework
For Indonesia’s national cybersecurity measures to be successful, strong governance and regulations are essential. This chapter examines the current regulatory environment in Indonesia, providing suggestions for improvements, offering a framework for coordination, governance and ongoing monitoring across the sector.

5.1. Overview of Indonesia’s Current Cybersecurity Regulations

Level: Law/Act/Government Regulation in Lieu of Law
• Electronic Information and Transactions (EIT) Law No. 11 of 2008, Amended by Law No. 19 of 2016
• Personal Data Protection (PDP) Law No. 27 of 2022
• Criminal Code (KUHP)
• National Police Law 2022, Amended in 2024

Level: Government Regulation
• Government Regulation No. 71 of 2019

Level: Presidential Regulation
• Presidential Regulation No. 82 of 2022
• Presidential Regulation No. 47 of 2023

Level: Specific Regulation
• BSSN Regulation No. 1 of 2024
• BSSN Regulation No. 2 of 2024
• BSSN Regulation No. 5 of 2024

Exhibit 5.1 Glimpse Hierarchy of Indonesian Cybersecurity Regulations

Indonesia has made considerable progress in establishing a national cybersecurity framework, enacting several
laws and regulations to enhance cyber resilience across critical sectors. The following are vital regulations that form
the foundation of Indonesia’s cybersecurity governance:

• Criminal Code (KUHP)
Cybercrime cases can be brought under the provisions of the Criminal Code (KUHP). However, there are difficulties in applying the KUHP to cybercrime cases because of its nature as general criminal regulation. Therefore, one of the main challenges is that the Criminal Code was not designed to address the special characteristics of cybercrime. Another challenge is that the status of the Criminal Code as a national law means that cybercrimes committed outside Indonesia cannot be prosecuted under the law, so this creates other difficulties.[12]

• Electronic Information and Transactions Law (EIT Law) No. 11 of 2008, Amended by Law No. 19 of 2016
This law controls E-Transactions, E-information, and cybercrime in Indonesia. It provides a legal framework to address cyber crimes and ensure integrity within electronic systems.[13]

• Government Regulation No. 71 of 2019
Provides for the implementation of electronic systems and transactions, including specific cybersecurity requirements to be implemented by all relevant parties operating within Indonesia’s jurisdiction, including the public and private sectors.[14]

• Personal Data Protection (PDP) Law No. 27 of 2022
The PDP Law harmonized Indonesia’s national data privacy law with internationally accepted best practices. This law demands explicit consent for access, correction, or deletion of personal data and provides strict penalties for disobedience.[15]

• Indonesia’s Presidential Regulation No. 82 of 2022
Strengthens cybersecurity by protecting Vital Information Infrastructure (VII) in critical sectors like Government and finance. It tasks the National Cyber and Crypto Agency (BSSN) with coordinating these efforts, assigning clear roles to stakeholders, and creating Computer Security Incident Response Teams (CSIRTs) at various levels to handle cyber threats.[16]

• Formed a Unique Cross-Departmental Team in 2022
In 2022, President Jokowi formed a unique cross-departmental team to investigate and handle data leaks. The team included representatives from the State Cyber and Crypto Agency (BSSN), the Ministry of Communications and Informatics, the Indonesian National Police (Polri), and the State Intelligence Agency (BIN).[17]

• BSSN Regulation No. 1 of 2024
This regulation focuses on incident management and crisis response, particularly for Vital Information Infrastructure Providers. It aims to provide a comprehensive framework, improve coordination or chain of command, and minimize the adverse impact of cyber incidents. This applies to Electronic System Operators (ESOs), Sectoral Computer Security Incident Response Teams (CSIRTs), and National CSIRT. There are several key provisions within this regulation including establishment of CSIRTs, incident reporting, incident response, and information sharing.[21]
• BSSN Regulation No. 2 of 2024
• Presidential Regulation No. 47 of 2023 This regulation outlines the framework for cyber
This is the establishment of the National Cyber- crisis management. There are three phases of
security Strategy and Framework for Cyber Crisis crisis management which emphasized in the
Management, which mentions governance struc- document which are pre crisis (cyber incident re-
tures, risk management protocols, and incident sponse, early warning, and contingency planning),
response procedures, all aimed at increasing the crisis (declaration, management, and information
national cybersecurity resilience level.18 dissemination), and post-crisis (recovery, evalua-
tion, and lesson learned) through well-established
• Regulation of the Deputy for Cybersecurity procedure, coordinated action, and adequate
and Encryption (BSSN) in the Economic Sec- preparedness.22
tor No. 1 of 2023
Deputy Regulation’s primary objective is to estab- • BSSN Regulation No. 5 of 2024
lish a structured roadmap to develop and nurture This regulation focuses on the establishment of
Indonesia’s local cybersecurity industry over a cybersecurity national action plan 2024-2028
the next five years (2024 -2028). This roadmap which encompasses policy direction, challenges,
is planned to guide the Government, business strategic objectives, activities, indicator of suc-
sector, and other stakeholders in fostering the cess, achievement targets, roles and responsibili-
industry’s growth and encouraging collaboration ties as well as related institutions which should be
between the public and private sectors.19 involved. The national action plan itself outlines
four priority projects which must be executed with-
• Revision of Indonesian National Police Law in in a certain period of time such as establishment
2024 and enhancement of the cybersecurity response
This revision allows the police to slow down, team; strengthening cybersecurity infrastructure,
block, and monitor cyberspace for national se- human resources and regulations; preventing cy-
curity purposes. The Law has been revised and bercrime and increasing international cooperation;
authorized by the parliament. This consent was and solving the cybercrimes itself.23
granted on Tuesday, 28 May 2024, during the
18th parliament plenary meeting for the 5th period
of the 2023–2024 session year.20

12 Undang-undang (UU) Nomor 1 Tahun 2023 tentang Kitab Undang-Undang Hukum Pidana, Pemerintah Pusat. (2023)
13 Undang-undang (UU) Nomor 19 Tahun 2016 tentang Perubahan Atas Undang-Undang Nomor 11 Tahun 2008 Tentang Informasi Dan Transaksi Elektronik, Pemerintah Pusat. (2016)
14 Peraturan Pemerintah (PP) Nomor 71 Tahun 2019 tentang Penyelenggaraan Sistem dan Transaksi Elektronik, Pemerintah Pusat. (2019)
15 Undang-undang (UU) Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi, Pemerintah Pusat. (2022)
16 Peraturan Presiden (Perpres) Nomor 82 Tahun 2022 tentang Pelindungan Infrastruktur Informasi Vital, Pemerintah Pusat. (2022)

Currently, the primary reference for Indonesia’s cybersecurity regulatory framework is Presidential Regulation No. 47 of 2023. This regulation provides the basic guidelines for the National Cybersecurity Strategy and the framework for cyber crisis management, which are explained further in BSSN Regulation No. 5 of 2024. This regulation outlines several key focus areas, as follows:

1. Governance
2. Risk Management
3. Preparedness and Resilience
4. Strengthening the Protection of Vital Information Infrastructure
5. National Cryptographic Independence
6. Enhancing Capability, Capacity, and Quality
7. Cybersecurity Policy
8. International Cooperation

Additional Regulations
Several other essential laws and regulations play a role in shaping Indonesia’s cybersecurity landscape:

• Law No. 3 of 2002 on National Defence
• Ministry of Defence (MOD) Regulation No. 82 of 2014 on Cyber Defense Guidelines
• Presidential Regulation Number 95 of 2018 on Electronic-Based Government System
• Ministry of Communication and Information (MOCI) Regulation No. 5 of 2020
• BSSN Regulation No. 10 of 2020 on Cyber Incident Response Team
• BSSN Regulation Number 4 of 2021 on Guidelines for Information Security Management of Electronic-Based Government Systems
• Indonesia Central Bank Regulation No. 23 of 2021 on Payment Service Providers
• OJK Regulation (POJK) No. 11/POJK.03/2022 on the Implementation of Information Technology by Commercial Banks
• Law No. 7 of 1992 on Banking and OJK Regulation No. 22 of 2023
• Law No. 17 of 2023 on Health
• OJK Regulation No. 3 of 2024 on Organization of Financial Sector Technological Innovations
• And others.

Challenges and the Need for Continuous Improvement

17 Kementerian Komunikasi dan Informatika Republik Indonesia, “Presiden Instruksikan Jajarannya Tindaklanjuti Kebocoran Data Pemerintah”, Kementerian Komunikasi dan Informatika Republik Indonesia, September 14th, 2022, https://www.kominfo.go.id/berita/berita-pemerintahan/detail/presiden-instruksikan-jajarannya-tindak-lanjuti-dugaan-kebocoran-data-pemerintah
18 Peraturan Presiden (Perpres) Nomor 47 Tahun 2023 tentang Strategi Keamanan Siber Nasional dan Manajemen Krisis Siber, Pemerintah Pusat. (2023)
19 Peraturan Deputi Bidang Keamanan Siber dan Sandi Perekonomian Nomor 1 Tahun 2023 tentang Peta Jalan Pembinaan Industri Keamanan Siber Tahun 2024-2028, BSSN. (2023)
20 Sari, Amelia Rahima, “Revisi UU Polri Bikin Polisi Bisa Awasi Ruang Siber hingga Blokir Internet, Pengamat: Jadi Dilema”, Tempo.co, May 30th, 2024, https://nasional.tempo.co/read/1873786/revisi-uu-polri-bikin-polisi-bisa-awasi-ruang-siber-hingga-blokir-internet-pengamat-jadi-dilema
21 Peraturan Badan Siber dan Sandi Negara Nomor 1 Tahun 2024 tentang Pengelolaan Insiden Siber, BSSN. (2024)
22 Peraturan Badan Siber dan Sandi Negara Nomor 2 Tahun 2024 tentang Manajemen Krisis Siber, BSSN. (2024)
23 Peraturan Badan Siber dan Sandi Negara Nomor 5 Tahun 2024 Tentang Rencana Aksi Nasional Keamanan Siber Tahun 2024-2028, BSSN. (2024)

Regulatory Gap

The Need to Have Unified Regulation: Cybersecurity Law
Although Indonesia has several regulations which serve as the foundation for the cybersecurity landscape, the country’s framework remains patchy, lacking the substantial depth and clarity of a solid regulatory framework.24
There is a need to create and enforce a unified cybersecurity law, as reflected in the current parliament’s ongoing discussion of a cybersecurity and resilience law, although that discussion has stalled since 2019. The cybersecurity and resilience law is expected to have more depth on cybersecurity threats, protection of critical infrastructure, data, information, and cybersecurity talent. The lack of a unified and solid cybersecurity law also has an adverse impact on the private sector, where most companies must adhere to complex yet different laws that are handled by different stakeholders.

The absence of a clear and overarching cybersecurity law and strategy creates ambiguity and overlaps in authority among government agencies. The complex compliance bureaucracy could hinder potential economic value and investment opportunities. Beyond that, such a regulation is also expected to further good governance in cybersecurity while encouraging public-private partnership to facilitate collaboration in strengthening cybersecurity and improving local cybersecurity talent.25

Lack of Coordinated Authority and Oversight and Divergent Threat Perceptions
The lack of a central coordinating agency manifests in the limited authority given to the cybersecurity agency. Due to its lack of legal authority, the cybersecurity agency cannot position itself as a leading body in cybersecurity governance, creating gaps between sectors in terms of regulation and enforcement.26
While awareness of cyberattacks is on the rise, stakeholders in Indonesia hold diverging views on the nature and severity of cyber threats. This discrepancy leads to inconsistencies in risk assessment and mitigation strategies, undermining a unified approach to national cybersecurity defense.27

Severe Underfunding and Resource Limitations
The cybersecurity agency and other cybersecurity units face chronic underfunding and lack the necessary human capital to respond effectively to cyber threats. This resource deficit limits their capacity to combat evolving cyber risks and proactively protect critical infrastructure and sensitive data.28

24 Dr. Kartina Sury, “Indonesia’s Cyber Resilience: At the Epicenter of ASEAN Digital Economy Growth”, Tech for Good Institute, May 13th, 2024, https://techforgoodinstitute.org/blog/expert-opinion/indonesias-cyber-resilience-at-the-epicenter-of-asean-digital-economy-growth/.
25 Raihan Zahirah & Theo Gerald, “Digitalisasi, Teknologi, dan Inovasi” in Visi dan Peta Jalan Indonesia Emas 2045 Milik Pemuda, ed. Reza Edriawan et al. (Jakarta: Indonesian Youth Diplomacy, 2024) 84, https://iyd.or.id/wp-content/uploads/2024/09/05092024_IYD_Report_All-Content.pdf
26 Gatra Priyandita, “Indonesia’s Cybersecurity Woes: Reflections for the Next Government”, CSIS, CSISCOM00624 (2024): 2-6, https://csis.or.id/publication/indonesias-cybersecurity-woes-reflections-for-the-next-government/
27 Ibid.
28 Ibid.

5.2. Proposed Regulatory Enhancements

Due to the increasingly complex nature of the cyber threat landscape, Indonesia’s regulatory framework must be continually updated to close regulatory gaps and achieve cyber resilience. Therefore, we will discuss several important recommendations for regulatory improvement in this section.

5.2.1 Alignment with International Best Practices

The main action that must be taken to achieve cyber resilience is harmonizing national regulation with international standards. Harmonizing the regulation will encourage international cooperation, increase competitiveness, and provide strong protection for organizations and individuals. Therefore, harmonization of cyber laws with existing frameworks, such as the European Union’s General Data Protection Regulation (GDPR), will be beneficial for cybersecurity governance and the digital economy in Indonesia.

Benefits of Aligning with International Best Practices

• Global Standard for Data Protection
The GDPR serves as a global benchmark in data protection, emphasizing transparency of information flow, consent of users, and tight security measures regarding personal information. Compliance with these types of regulations may thus further develop Indonesia’s cybersecurity framework in ways that help foster public confidence in digital services while improving their defenses against cyber threats.

• Improving Trust and Confidence
Strict regulations that protect personal information will increase public and company confidence in national data security, which will lead to better utilization of digital services and more economic activity in the digital economy.

• Facilitating International Trade and Commerce
Harmonizing data protection laws with frameworks like the GDPR will enable Indonesian businesses to conduct seamless activities with the international market. More importantly, since cross-border data flows underpin most of the global commerce and collaboration that happens today, a lack of harmonization will only raise the risks to which businesses are exposed.

• Attracting Foreign Investment
Strong data privacy regulations that comply with international standards will increase Indonesia’s recognition as a secure and reliable business environment. This may attract more foreign investment, especially from companies that want to operate data-driven businesses in technology, finance, and e-commerce.

Strategic Path to Alignment


Indonesian law could be aligned with international best practices by considering the following steps:

1. Incorporate Key GDPR Principles into Indonesian Legislation
Several important GDPR principles, such as openness, user consent, data minimization, and rights of access, correction and deletion, must be implemented by the Indonesian government and made the basis for the regulatory framework.

2. Establish Data Protection Authorities (DPAs)
Give the DPAs the resources and enforcement powers to ensure that the new privacy regulation is adhered to. DPAs should be able to investigate data breaches, impose penalties, and give businesses guidance on data protection matters. The cybersecurity agency may adopt this DPA role.

3. Encourage International Data Transfers
We should develop mechanisms aligned with global standards to facilitate international data transfers. This may be done by adopting Binding Corporate Rules (BCRs) or even joining international agreements on data privacy and protection so Indonesian businesses are fully involved in the global digital economy.

4. Continuous Monitoring and Updates
For privacy regulations to keep up with changing global standards and new advances in technological development, they must be regularly evaluated and updated. Indonesia will benefit from increased competitiveness and ease of adaptation to changes in international regulations.

5. Risk-Based Approach
Governments should implement risk-based laws and regulations and align them with existing regulations to prevent contention and fragmentation. This key action will provide a safe yet creative technology environment. This methodology recognizes that not all systems require the maximum level of security and instead advocates proportionality and flexibility in responding to specific settings and risk profiles. Regulations can efficiently protect society and promote economic progress by striking a balance between risk management and the need to support technical progress, and by prioritizing existing international standards over those that have not yet been created.

5.2.2 Regularly Review Cyber, Data, and Privacy Laws

Indonesia needs to examine its laws regularly and on an ongoing basis to ensure that the national data, privacy, and cyber law framework is up to date and functional in the face of evolving technological environments, shifting cyber threat landscapes, and rising social expectations. Technological innovation gives rise to new threats and weaknesses. Therefore, the legal framework must be updated regularly to protect society, the business world, and national security. Outdated laws may seriously weaken defenses against data breaches, privacy violations, and cybercrime. The existence of a regulatory gap could jeopardize the public’s legitimate demand for stronger protection and transparency. To address this regulatory gap, the Government must regularly update the legislation to ensure that the legal basis and standards remain effective, responsive, and relevant in addressing complex modern challenges, and keep it aligned with international best practices.

Critical Areas for Legislative Review

1. Data Breach Notification Laws and Penalties
One critical review area is data breach notification laws and their associated penalties. Indonesia must ensure the penalties for non-compliance are significant and severe enough to incentivize good cybersecurity practices, which are critical in preserving trust and accountability in the digital world.

Case Study:
Australia’s Notifiable Data Breaches Act introduced a maximum penalty of AUD 2 million for severe breaches, but this penalty was much less than it would have cost organizations in Australia to implement appropriate cybersecurity measures. However, after significant breaches, the Australian Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, increasing maximum penalties to the greater of AUD 50 million, three times the value of any benefit obtained through misuse of information, or 30% of the company’s adjusted turnover during the relevant period. This legislative amendment ensures that penalties reflect the severity of data breaches and that consumer protection is of paramount interest.

Focus for Indonesia:
● Review and improve data breach notification laws to ensure timely reporting of cyber incidents by private organizations, including non-Critical Information Infrastructure (non-CII) operators.
● Ensure penalties for severe or repeated data breaches reflect public expectations, foster trust, and ensure accountability.

2. Incident Reporting Framework
The existing incident reporting framework should also put an obligation on all private organizations in the critical sectors to report cyber incidents promptly to the national Computer Security Incident Response Team (CSIRT), not just public or critical infrastructure operators. This would further enhance the national incident response and increase transparency at all levels.

3. Legislation on Emerging Technologies and Vulnerable Populations
The legislation will move toward the specific risks from emerging technologies, such as artificial intelligence (AI), blockchain, and the Internet of Things (IoT), that are integral to digital ecosystems. Additionally, we should improve online protection legislation for children, consumers, and intellectual property, and review it regularly to ensure its compatibility with evolving international standards and the safe adoption of new technologies.

Recommendations for the Legislative Review Process:

1. Adopt a Continuous Review Cycle
Create a regular cycle for examining and amending cyber, data, and privacy regulations in order to stay responsive to changing threats, technological advancements, and public expectations.

2. Consultation with Stakeholders
Engage a wide range of stakeholders, including the private sector, civil society, organizations, and international experts, in a review of the legal framework to ensure that the legislative update follows best global practices while reacting to sector-specific difficulties.

3. Benchmarking Against International Standards
Conduct regular benchmarking of Indonesian laws against global frameworks such as the GDPR, NIST, and other international standards to ensure compliance with global data protection rules and cross-border collaboration.

5.2.3 Ensuring Effective Compliance Monitoring Across Sectors

• Enforce Mandatory Incident Reporting and Regular Audits:
The cybersecurity agency or certified third-party auditors may undertake recurring cybersecurity audits and assessments of organizations, especially those in important industries. These audits assess whether regulations are being followed, find weak points, and suggest fixes.29

• Impose Sanctions for Non-Compliance:
The cybersecurity agency and sectoral regulators have the power to apply administrative consequences, such as warnings, fines, and license suspensions, should there be any violation of cybersecurity regulations. These penalties serve as a disincentive and motivate businesses to give cybersecurity priority.30

• Promote Public Disclosure:
To promote awareness and better practices across industries, the cybersecurity agency may occasionally make information regarding cybersecurity incidents or non-compliance publicly available.

• Facilitate Threat Intelligence Sharing:
The cybersecurity agency will create channels for exchanging cybersecurity best practices and threat intelligence across many industries and stakeholders so companies can keep up with new threats and proactively strengthen their cybersecurity systems.

• Deploy Automated Monitoring and Detection Tools
Automated technologies can be used by sectoral authorities and the cybersecurity agency to track network traffic, spot anomalies, and quickly identify possible cyber threats.

5.2.4 Enhancing ICT Supply Chain Security in Government Procurement

ICT hardware and software are the core components and foundational backbone of Indonesia’s national and economic cybersecurity. They underpin critical infrastructure, comprising energy grids, telecommunications networks, healthcare systems, and defense platforms. The era of growing digitization and global interconnectivity has significantly increased the risks related to cyberattacks on ICT supply chains. Compromises in these supply chains can provide adversaries with undetected access to networks or systems, posing severe threats to national security and sovereignty.

29 Hukumonline, “Strengthening the National Cybersecurity Ecosystem: Unveiling New BSSN Frameworks on Cyber Incidents and Cyber-Crisis Management”, hukumonline.com, 868 (2024), https://pro.hukumonline.com/a/lt66165fbd50830/strengthening-the-national-cybersecurity-ecosystem--unveiling-new-bssn-frameworks-on-cyber-incidents-and-cyber-crisis-management.
30 Denny Rahmansyah, “Data Protection and Cybersecurity in Indonesia: Enforcement and Litigation”, SSEK, December 12th, 2019, https://www.ssek.com/blog/data-protection-and-cybersecurity-in-indonesia-enforcement-and-litigation/

Rising Threat of ICT Supply Chain Attacks
Cyber attackers are increasingly targeting hardware and software development activities. By embedding malicious code or vulnerabilities (often referred to as “backdoors”), they can exploit these weaknesses for espionage, sabotage, or other malicious activities. This threat is a critical issue in the defense and national security sectors, where software plays a critical role in data analytics, intelligence operations, and security functions, and where it might disrupt critical activities.

High-profile incidents such as the SolarWinds attack (also known as SolarStorm) and NotPetya (a devastating cyber attack on Ukraine in 2017) have brought attention to the growing sophistication and impact of supply chain threats. These attacks have accelerated efforts around the world to intensify cyber defense by identifying and mitigating risks within ICT supply chains.

Procurement Policies to Emphasize Cybersecurity and Supply Chain Integrity


Government procurement officials, especially those tasked with technology purchases, have to consider more than the economic value of a product. Procurement must be carried out with consideration of cybersecurity and supply chain integrity to ensure national security. Appropriate procurement rules and policies can achieve this by stating clearly that government agencies are responsible for addressing cybersecurity and supply chain risks during procurement while ensuring economic value.

Key areas to consider when updating procurement policies include:

• Product Security and Integrity
Government procurement processes should require technology vendors to demonstrate adherence to secure development practices, including supply chain risk management. This should be treated as a prerequisite before allowing the vendors to participate in the next stage of procurement processes.

• Non-Financial Benefits
Beyond cost, procurement of the technology should account for the security of the product and the vendor’s exposure to supply chain risks.

• Global Best Practices
Indonesia can take as a reference the US Executive Order on ICT supply chain security from March 2021, which requires US government agencies to purchase only software that was created according to secure development standards. These standards lead government agencies to acquire adequate information from software vendors for informed, risk-based decisions about the security of the products being purchased.

Strategic Recommendations for Government Procurement

• Adopt Secure Development Standards
Procurement policy should be aligned with international best practices, such as the US Executive Order on secure software development, to ensure that all government software purchases meet strict cybersecurity standards.

• Require Vendor Transparency
In the procurement process, require vendors to provide information on their product integrity practices, including compliance with frameworks like NIST’s Secure Software Development and secure supply chain standards.

• Incorporate Cybersecurity into Procurement Policies
Improve government procurement policies to explicitly emphasize the importance of cybersecurity and supply chain security in order to ensure all purchased ICT products meet stringent security standards.

• Conduct Regular Audits and Assessments
Implement continuous audits and assessments to ensure security in the software development lifecycle of vendors, right from development to the deployment phase.

5.2.5 Government Policies Emphasize the Procurement of Commercial Off the Shelf (COTS) Products

The term Commercial off-the-shelf (COTS) products refers to software or hardware solutions that are available in the commercial marketplace and are designed to fulfill predetermined needs. COTS products offer standardized functionality that can be swiftly deployed to all users. In government procurement, especially in cybersecurity, COTS solutions allow agencies to seamlessly adopt established technologies without the delays and expenses associated with developing custom systems.

Advantages of COTS Solutions

• COTS products are supported by high vendor R&D efforts, ensuring that these solutions remain relevant with the latest technological innovation.

• It is critical to allocate the government’s finite cybersecurity resources efficiently. COTS solutions procurement will enable the government to gain resource efficiency by directing its cybersecurity personnel to focus on essential functions, such as protecting critical infrastructure, rather than building and maintaining custom-built systems.

• COTS solutions help address the global challenges of the shortage of skilled cybersecurity professionals by reducing the need for internal development expertise. Government agencies can focus their skilled staff on high-impact cybersecurity tasks, leaving routine system updates and maintenance to external vendors.

5.3. Enhance the Governance Model and Institutional Roles

To guarantee efficient cybersecurity management throughout Indonesia, a well-defined and well-coordinated cybersecurity governance framework is essential. In this section, we outline the necessary steps to improve the governance model of national cybersecurity architecture and define the roles of key institutions involved.

Elevate Cyber Security to the Highest Levels of Government


The President of Indonesia should have direct control over cybersecurity in Indonesia, and it should be brought to the highest echelons of government. This strategic move acknowledges the reality that cybersecurity is no longer merely a technical issue but a national security priority affecting critical infrastructure, economic stability, and public safety.

Key Actions:
• Appoint a Special Advisor to the President on Cybersecurity
This role will ensure cybersecurity is integrated into all aspects of national strategy, offering professional advice to the government, facilitating interagency cooperation, and fostering international partnerships to enhance national strategy.

• Make Cybersecurity a Top Agenda Item
Elevating the cybersecurity agenda as a major focus will facilitate better coordination, resource allocation, and policy implementation to address evolving cyber threats.

Prioritize and Increase Funding for Cybersecurity Uplift in Government


There is a need for the government to step up and demonstrate its commitment to safeguarding sensitive data and critical national functions by significantly increasing expenditure on national cybersecurity, which is crucial to protecting and defending government systems from sophisticated cyber threats.

Key Actions:
• Increase Budget for Cybersecurity Initiatives
Invest more in education for talent development, public awareness campaigns, and modernizing cybersecurity infrastructure.

• Allocate Resources for Critical Functions
Prioritize securing payment processes, national security systems, and defense platforms against cyber threats.

Review Organizational Cyber Roles and Responsibilities
To ensure effective cybersecurity, organizations need to clearly define who is responsible for online security within their structure while ensuring that the leadership, board of directors, and financial officers understand the importance of cyber risk management.

Key Actions:
• Establish Clear Cybersecurity Accountability:
Every organization should have a Chief Information Security Officer (CISO) or equivalent role, directly reporting to the CEO or Head of the organization, to manage cyber risks effectively.

• Separate CISO from CIO Functions:
The CISO should not be the same person as the Chief Information Officer (CIO) or Chief Operating Officer (COO) to avoid conflicts of interest between data accessibility and data security priorities.

• Launch Cyber Security Review Board:
Encourage public-private collaboration and open information sharing on incidents and investigations to strengthen overall cybersecurity resilience. Board members can consist of telecommunication companies, technology companies, the Attorney General, and law enforcement bodies.

Define Government Policy and Operational Roles, and Responsibilities


To enhance Indonesia’s national cybersecurity framework, there is a need for a clear role of the cybersecurity
agency and ID-SIRTII (National CSIRT); they are key in defending Indonesia from cyber threats, responding to
incidents, and fostering international cooperation. The following actions are crucial to improve their capabilities:

Key Actions:
• Conduct comprehensive reviews and regular updates of internal policies to ensure roles, responsibilities, and operations are aligned with evolving cybersecurity threats and best practices.

• Conduct frequent cybersecurity drills to test coordination and response capabilities, ensuring readiness for real-world incidents, financial resilience, and seamless stakeholder collaboration.

• Invest in the ongoing training for all staff levels with clear metrics to measure the effectiveness of these programs, ensuring skills and knowledge stay sharp to handle complex cyber threats.

• Develop tracking tools and analyze key cybersecurity metrics, including incident response times and threat management efficiency. Regular evaluations will help make informed decisions and optimize resources.

• Strengthen the technical capabilities of cybersecurity agency and ID-SIRTII in threat intelligence, digital forensics, and international operations. This should be supported by legislation that expands their roles and functions.

• Ensure proper allocation of human, financial, and technological resources, along with updated awareness programs, to keep pace with emerging threats and trends.

5.3.1 Role of Indonesian Chamber of Commerce and Industry (Kadin) in Cybersecurity Governance

As the Indonesian government’s strategic partner, the Indonesian Chamber of Commerce and Industry (Kadin) can play a role as a bridge between the private and government sectors in shaping the national cybersecurity agenda. Through its extensive network, Kadin could align business interests with national security objectives, ensuring the private sector actively participates in building a strong cybersecurity ecosystem. The approach will help Indonesia to create consistent cybersecurity policies, harmonize its cybersecurity policies across industries, and support broader national objectives, including protection of critical infrastructure and digital transformation.

Key Roles of Kadin

Exhibit 5.2 Key Roles of Kadin

1. Public-Private Partnership (PPP) Leader
Kadin will lead the development of a structured Public-Private Partnership (PPP) model that facilitates and incentivizes businesses to participate actively in cybersecurity initiatives. The collaboration with the government would enable Kadin to facilitate information sharing, cyber incident coordination, and policy discussions. Such a model has been successfully implemented in other ASEAN countries like Singapore, where they enable business and government collaboration under the Cybersecurity Act of 2018 to enhance critical infrastructure protection.

2. Cybersecurity Awareness and Advocacy
Kadin will drive industry-wide cybersecurity awareness campaigns focusing on fostering a security-first culture within the business community. Kadin can encourage and promote internationally recognized best practices such as SNI/ISO/IEC 27001 and the well-known NIST Cybersecurity Framework. This helps Indonesian businesses align with global standards. Additionally, Kadin can advocate for better cyber regulations by facilitating continuous dialogue between business leaders and policymakers.

3. Cybersecurity Talent Development Collaborator
A major challenge for Indonesia is the shortage of skilled cybersecurity professionals. Kadin will initiate collaboration with educational institutions, training centers, and the cybersecurity agency to create a pipeline of cybersecurity talent. It can then facilitate internships, apprenticeships, and certification programs that integrate real-world industry needs with academic training. In addition, Kadin can foster collaboration with global tech companies to bring world-class expertise to Indonesia.

4. Standards and Regulatory Compliance Facilitator
Kadin should help businesses navigate the increasingly complex regulatory environment around cybersecurity by providing the resources they need to meet both national and international cybersecurity standards. This facilitator role includes offering guidance on data privacy laws (such as Indonesia’s Personal Data Protection Law), cybersecurity risk assessments, and audit frameworks. Imagine Kadin creating an online platform where businesses can access information on complying with cybersecurity laws, conduct self-assessments, and even get advice from cybersecurity experts.

5. Incident Response and Crisis Management Coordinator
Given the extensive network and influence of Kadin, it can play a central role in coordinating responses to sophisticated cyber incidents. By acting as an intermediary between businesses and government cybersecurity bodies (like the cybersecurity agency and CSIRT), Kadin can ensure a faster and more effective response to incidents.

By taking on these roles, Kadin can significantly strengthen Indonesia’s cybersecurity, build trust between the private sector and the government, and ensure that businesses actively contribute to national cybersecurity resilience. This is not only important for protecting businesses but also for strengthening Indonesia’s digital economy against cyber threats.

5.3.2 Role of the Cybersecurity Agency

The cybersecurity agency serves as the primary authority in developing and implementing Indonesia’s cybersecurity governance. The agency plays a crucial role in developing a cohesive framework that ensures the integrity, security, and resilience of the nation’s digital infrastructure. The mandate of the cybersecurity agency includes capacity building, regulatory enforcement, coordination of incident response, and facilitating public-private sector collaboration.

Strategic Roles of Cybersecurity Agency in Cybersecurity Governance

Exhibit 5.3 Key Roles of Cybersecurity Agency

1. Lead Architect of National Cybersecurity Policy
The cybersecurity agency should also lead the development and continual updating of Indonesia’s national cybersecurity initiatives. This will involve aligning the national framework with international best practices and standards, including but not limited to ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), the Risk Management Framework (RMF), and other relevant cybersecurity and privacy frameworks. The agency’s primary objective is to make Indonesia’s cybersecurity policies adaptive to new and emerging threats and comprehensive in their approach to dealing with risks from all sectors.

2. Coordinator of National Incident Response
As the central entity for cybersecurity crisis management, the cybersecurity agency must establish a comprehensive, nationwide incident response framework. This will involve managing the establishment and coordination of sectoral Computer Security Incident Response Teams (CSIRTs) and integrating these into a national CSIRT. It should be implemented centrally to ensure good communication and utilization of resources in cases of cybersecurity incidents, especially those regarding critical infrastructure sectors. Also, consider forming a public-private advisory or consultation board to get advice from a broad set of stakeholders. To date, the cybersecurity agency has ID-SIRTII, which stands for Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center and which is responsible for improving Indonesia’s overall cybersecurity landscape, assisting both the public and private sectors in providing security systems, conducting a series of activities (early monitoring, detection, and warning), managing laboratory facilities, supporting law enforcement, acting as the central point of contact for domestic and international cybersecurity initiatives, and carrying out research and development initiatives.31

3. Regulator and Enforcer of Cybersecurity Compliance
The cybersecurity agency is responsible for the implementation of national regulations in the field of cybersecurity across industries, including the enforcement of the Personal Data Protection (PDP) Law and other relevant cybersecurity laws. Regular audits, vulnerability assessments, and compliance checks are necessary to ensure adherence to these standards, especially in sectors critical to national security and economic stability.

4. Capacity Builder for National Cybersecurity Talent
In addressing the national need to develop a robust workforce for cybersecurity, the agency must take a leading role through coordination with relevant educational institutions, industry players, and international partners. This includes designing cyber education via formal and informal avenues. This involves creating training programs, certification pathways, and cybersecurity awareness for capability development in the public and private sectors.

5. Facilitator of Public-Private Collaboration
The cybersecurity agency plays a pivotal role in fostering collaboration between the public and private sectors. The cybersecurity agency needs to facilitate knowledge sharing, best practice dissemination, and coordination of collective cybersecurity defenses through formalized partnerships.

6. Promoter of Cybersecurity Innovation and Technology Adoption
The cybersecurity agency should actively encourage the adoption of advanced technologies and promote innovation in cybersecurity within the national cybersecurity ecosystem. The cybersecurity agency also must be involved in encouraging collaboration between technology providers, academia, and research institutions to ensure that the cybersecurity agency drives the creation of solutions to suit Indonesia’s needs. It also needs to protect personnel and infrastructure with cutting-edge technologies like artificial intelligence; safeguard the most important resources, such as AI and the models, training data, and real-time learning that it depends on; and exchange knowledge and skills to safeguard the AI technologies that keep everyone safe.32 The cybersecurity agency and the country’s systems overall must prioritize security by implementing technologies that adhere to best practices. This can be achieved through three key recommendations: procuring secure-by-design systems and products, ensuring security considerations are central to the procurement process, and mitigating concentration risk to avoid over-reliance on single vendors or technologies.33 By embracing these recommendations, governments can strengthen their defenses against cyber threats and safeguard sensitive information.

These roles will solidify the cybersecurity agency’s position as the leading authority for cybersecurity governance in Indonesia. Its leadership will ensure a structured system to maintain compliance and effectively handle incidents, and at the same time will enable various stakeholders from both the public and private sectors to further develop a resilient and secure digital ecosystem. By focusing on developing skilled professionals, encouraging innovation, and collaborating internationally, the cybersecurity agency will help establish Indonesia as a key player in global cybersecurity.

31 ID-SIRTII, “History Id-SIRTII/CC”, ID-SIRTII, https://www.idsirtii.or.id/en/page/history-id-sirtii-cc.html
32 Google, “How AI Can Reverse the Defender’s Dilemma”, Secure Empower Advance, February (2024): 12, https://services.google.com/fh/files/misc/how-ai-can-reverse-defenders-dilemma.pdf
33 Royal Hansen & Christoph Kern, “Tackling cybersecurity vulnerabilities through Secure by Design”, Google, March 4th, 2024, https://blog.google/technology/safety-security/tackling-cybersecurity-vulnerabilities-through-secure-by-design/

5.3.3 Establishing Self Regulatory Organization (SRO) for Critical Sectors
To bolster Indonesia’s cybersecurity against rising threats, creating industry-led Self-Regulatory Organizations (SROs) is crucial to develop and enforce cybersecurity standards and best practices within a specific sector. These organizations would set industry-specific frameworks and guidelines, promoting knowledge sharing and collaboration, monitoring compliance with established standards, facilitating incident response and information sharing about cyber threats, and advocating for cybersecurity interests within their sector through training and educational resources. Establishing a successful SRO in Indonesia can pose several potential challenges, primarily in building trust and cooperation among diverse stakeholders, securing adequate resources like funding, personnel, and technology for effective operation, and striking the right balance between self-regulation and government oversight. However, these challenges can be effectively addressed through strong partnerships and a shared commitment to cybersecurity from all stakeholders, paving the way for a robust and resilient SRO in Indonesia.

As we face a plethora of cyber threats targeting critical infrastructure, businesses, and individuals, establishing SROs for cybersecurity in Indonesia would be significantly beneficial to strengthen the nation’s cybersecurity posture. An SRO can strengthen the nation’s overall cybersecurity posture by tailoring standards and best practices to the unique needs of each critical and non-critical sector. Furthermore, an SRO can facilitate crucial collaboration and information sharing among stakeholders, including government agencies, businesses, and cybersecurity experts, while also drawing upon international best practices for optimal implementation. An SRO can play a pivotal role in driving the growth and development of the cybersecurity industry in Indonesia while also contributing to a safer and more secure digital environment for all. It can facilitate collaboration and knowledge sharing through networking, information exchange, and joint research initiatives that can foster innovation and growth while also accelerating the development of new cybersecurity solutions. Furthermore, an SRO can advocate for supportive policies and promote the industry domestically and internationally to potential investors, so it can boost trust and confidence. In addition, it can also provide incubation and mentorship for emerging and local cybersecurity businesses by helping them to grow and succeed, also enhancing their credibility and marketability. This contributes to stronger growth for cybersecurity businesses in the country.

There are a few examples of SROs that already exist in some countries. For instance, Indonesia itself has specific SROs within the financial industry, namely the Indonesia Stock Exchange, Indonesian Securities Underwriting Clearing (KPEI), and Indonesian Central Securities Depository (KSEI). Similarly, the United States also has the New York Stock Exchange (NYSE) and Financial Industry Regulatory Authority (FINRA), which also serve as SROs. Another example specifically related to cybersecurity would be the United States, where both the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Information Sharing and Analysis Center for the Electricity Subsector (E-ISAC) exemplify the SRO model, with the former focusing on cybersecurity within the financial sector and the latter dedicated to protecting the electricity sector. The Institute of Nuclear Power Operations (INPO) in the US focuses on safety and reliability in the nuclear sector, demonstrating an SRO dedicated to critical infrastructure. The UK’s Advertising Standards Authority (ASA) tackles online safety and misleading content, showcasing an SRO addressing broader trust issues within its sector. Another example would be that Canada’s CRTC collaborates with broadcasting and telecommunications providers to implement security measures, illustrating a model where a government agency partners with industry to achieve SRO-like outcomes. Finally, the European Telecommunications Standards Institute (ETSI) develops globally applicable cybersecurity standards, playing a crucial role in setting baseline security requirements. These varied examples offer valuable insights for Indonesia as it considers which SRO model best suits its unique needs and priorities, highlighting the potential for sector-specific approaches, public-private partnerships, and the development of both broad and targeted cybersecurity standards. These organizations highlight the sector-specific approach that SROs can adopt to address unique cybersecurity challenges.

5.3.4 Industry Self Regulation (ISR) for Non-Critical Sectors
Instead of strict regulations, Industry Self-Regulation (ISR) in cybersecurity empowers businesses within the non-critical sector to proactively enhance their collective cybersecurity posture through voluntary collaboration, information sharing, and the development of tailored standards and best practices. This approach is particularly beneficial for non-critical sectors in Indonesia, allowing for tailored solutions that address each sector’s unique challenges and reduce the burden of following one-size-fits-all rules. Furthermore, ISR can enhance industry reputation, build trust with customers, and establish a minimum cybersecurity baseline across the sector, preventing vulnerabilities caused by uneven security practices. To foster successful ISR in non-critical sectors, Indonesia can encourage industry associations to lead the development of cybersecurity standards while the government provides support, resources, and incentives for participation. Promoting awareness and collaboration among businesses is crucial, and learning from international best practices can offer valuable guidance. While challenges like ensuring widespread participation and consistent enforcement exist, a strong commitment from all stakeholders can enable effective ISR implementation, ultimately strengthening Indonesia’s overall cybersecurity resilience.

Industry Self-Regulation (ISR) is used in many different ways across the globe. For instance, the Direct Selling Association Consumer Code in the United Kingdom focuses on setting the ethical standards for consumer protection. Similarly, in New Zealand, the Advertising Standards Authority Advertising Codes of Practice ensures responsible advertising across all media.34 In Denmark, the Framework Agreement for Mobile Content and Payment Services safeguards consumer interests in mobile content and payments.35 Other examples include the Entertainment Software Rating Board in the United States, which provides age and content ratings for video games. In addition, the Electricity and Gas Complaints Commission in New Zealand resolves consumer complaints in the energy sector.36 Furthermore, initiatives like the Code of Marketing of Food and Non-alcoholic Beverages to Children in Mexico and the Children’s Food and Beverage Advertising Initiative in the United States demonstrate ISR’s role in promoting responsible food marketing to children.37 These examples underline how ISR can be implemented across various sectors for a wide range of purposes, from protecting consumers to ensuring fair practices and promoting ethical standards, offering valuable insights for strengthening cybersecurity in Indonesia’s non-critical sectors.

For this to be successful and impactful, self-regulation initiatives must be carefully designed, adopted broadly, and monitored effectively to ensure compliance and demonstrable results. To build trust and accountability, independent verification is key.38 Furthermore, self-regulation requires continuous adaptation and improvement through ongoing monitoring, evaluation, and adaptation to remain relevant and effective in achieving its desired outcomes. These takeaways underscore the importance of designing and implementing self-regulation initiatives carefully, with a focus on transparency, accountability, and demonstrable results. There is also a need for collaboration among industry players, regulators, and independent verifiers to ensure that self-regulation truly serves its intended purpose.

34 OECD, “Industry self regulation”, OECD Digital Economy Papers, 247 (2015): 40-63, https://doi.org/10.1787/5js4k1fjqkwh-en.
35 Ibid.
36 Ibid.
37 Ibid.
38 Martha Lagace, “Industry Self-Regulation: What’s Working (and What’s Not)?”, Harvard Business School, April 9th, 2007, https://hbswk.hbs.edu/item/industry-self-regulation-whats-working-and-whats-not

5.3.5 Setting up a Cybersecurity Security Operations Center (SOC)
Security Operations Centers (SOCs) are fundamental for monitoring, detecting, and responding to security incidents. This section outlines the strategic approach to establishing Indonesia’s SOC and sector-specific SOCs, ensuring strong cybersecurity across Indonesia’s critical sectors. A Security Operations Center (SOC) is a centralized facility for continuously monitoring an organization’s digital infrastructure to detect and respond to cybersecurity threats. An SOC performs the functions of real-time monitoring, rapid incident response, and forensic analysis after the incident.

Responsibilities of National SOC

National SOC: Incident Response Coordination; Threat Intelligence Sharing; Proactive Security Approaches; Policy and Regulation Support

Exhibit 5.4 Responsibilities of National SOC

1. Incident Response Coordination:
● Acts as the main point of contact for cybersecurity incidents nationwide.
● Leads the response to major incidents, from detection and analysis through containment, eradication, and recovery.
● Works with organizations and international partners to manage and mitigate the impact of cyber incidents.

2. Threat Intelligence Sharing:
● Collects, analyzes, and shares threat information with stakeholders.
● Facilitates the exchange of threat intelligence between government, critical infrastructure, and the private sector.

3. Proactive Security Approaches:
● Identifies and manages vulnerabilities within national critical infrastructure.
● Conducts regular cybersecurity awareness campaigns and training programs to strengthen the cybersecurity posture of organizations and the public.

4. Policy and Regulation Support:
● Advises policymakers on cybersecurity matters and supports the development of relevant policies and regulations.
● Ensures Indonesian organizations comply with all international and national cybersecurity laws and standards.

Importance of CSIRT/SOC

Having a Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) is really important for Indonesia’s cybersecurity because:

• Enhanced Cyber Resilience:
By providing a coordinated and efficient response to cyber incidents, CSIRTs and SOCs enhance the overall resilience of the country’s critical infrastructure and digital assets.

• Improved Situational Awareness:
Continuous monitoring and threat intelligence sharing improve situational awareness, enabling proactive measures to mitigate potential threats before they materialize.

• Public Trust and Confidence:
Effective incident response and transparent communication during cyber crises build public confidence in the nation’s ability to protect its digital environment.

• International Collaboration:
Both CSIRTs and SOCs facilitate international collaboration in cybersecurity, contributing to the worldwide efforts to combat cyber threats.

Establishment of Sectoral SOCs

Concept of Sectoral SOCs:
• Each sector (finance, energy, healthcare, etc.) should establish its own SOC for industry-specific threat intelligence and response, possessing specialized knowledge about their technologies and regulations.

Coordination with the National SOC:
• Information Flow: Sectoral SOCs should maintain continuous communication with the national SOC, ensuring coordinated efforts.
• Unified Response: Sectoral SOCs should maintain continuous communication with the national SOC, ensuring coordinated efforts.

Phased Approach to Implementing a National SOC for Government Agencies

Phase 1: Initial Setup; Phase 2: Scaling; Phase 3: Automation and AI Integration


Exhibit 5.5 Phased implementation approach of national SOC

Phase 1: Initial Setup
• Core Agencies: Begin with key agencies like the cybersecurity agency and ID-SIRTII to establish a central hub for detecting and responding to threats.
• Data Sources: Deploy tools like endpoint detection and response (EDR) and firewalls to collect the data needed for analysis.

Phase 2: Scaling
• Extend to Critical Sectors: Expand the SOC’s capabilities to cover important sectors like finance, healthcare, and energy.
• Implement Sector-Specific SOCs: Develop SOCs for each sector, which report back to the national SOC.

Phase 3: Automation and AI Integration
• Embrace Advanced Technologies: Incorporate AI and automation to boost the SOC’s ability to quickly detect and respond to threats.
• Improve Efficiency: Automation will reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), that is, threat detection and response times, making the SOC more efficient overall.

Encourage Uptake of AI-Driven, Automated Security Tools in SOCs


Incorporating AI-driven automation in SOCs is essential for addressing the inefficiencies of manual security processes, which often result in delayed responses and missed vulnerabilities.

Key Benefits of AI-Driven SOCs:
• Reduced Overwhelming Alert Volumes: AI-driven SOCs can process massive amounts of security events daily, distilling them into a manageable number of actionable alerts that require human analysis.
• Faster Incident Response: AI tools have been proven to reduce Mean Time to Respond (MTTR) from days to under two hours, significantly enhancing threat containment speed.
• Resource Optimization: By automating low-level alerts, AI enables cybersecurity professionals to focus on critical, sophisticated threats, increasing incident closure rates and expanding the amount of security data analyzed daily.

Proven Results:
• Reduction of Response Time: From 2–3 days to under 2 hours.
• Increased Incident Closure Rate: By five times.
• Expanded Security Data Analysis: By four times.

Policy Recommendations:
• Incentivize AI Adoption: Provide incentives, such as tax breaks or subsidies, for organizations adopting AI-driven SOC tools.
• Set Performance Standards: Require organizations to include MTTD and MTTR in their cybersecurity strategies to promote faster threat resolution.

Adopting AI-driven automation will significantly improve the efficiency and resilience of Indonesia’s SOCs, enabling faster detection, better resource allocation, and a stronger overall cybersecurity framework.

5.3.6 SOC Intervention Criteria

This outlines when Indonesia’s national SOC (Security Operations Center) should step in to handle cybersecurity
incidents, and how they would provide support.

1. National SOC Intervention Scenarios:

• State-Sponsored Attacks:
Incidents involving attackers with state-level capabilities and interests.

• Cross-Sectoral/Pandemic Events:
Large-scale incidents affecting multiple sectors or resembling a cyber pandemic.

• Critical Infrastructure Attacks:
Incidents targeting entities defined as national critical infrastructure.

2. Coordination and Support:

• Resource Allocation:
The national SOC will allocate resources and expertise to support affected entities.

• Incident Command:
Establish an incident command structure to coordinate response efforts across sectors.

• Information Sharing:
Facilitate real-time information sharing between affected entities and relevant stakeholders to ensure a unified and cohesive response.

Chapter 06

Public-Private Partnerships & Industry Collaboration


6.1 Developing a National Public-Private Partnership Program

Building a resilient and collaborative cybersecurity ecosystem requires strong partnerships between the public and private sectors. A structured multi-tiered cyber public-private partnership (PPP) program is essential to Indonesia’s national cybersecurity resilience. This program will facilitate formal engagement between the government and industry stakeholders, ensuring aligned cybersecurity strategies, timely threat intelligence sharing, and strengthened coordinated responses to cyber incidents.

Multi-Tiered Engagement Structures


The Indonesian government should establish multi-tiered engagement structures that categorize industry partners
based on their cybersecurity sophistication and relationship with the government. This approach ensures targeted
communication and appropriate engagement aligned with each organization’s capabilities and role.

Industry Partners Category

| | Unidirectional Communication (Tier 1) | Bidirectional Communication (Tier 2) |
|---|---|---|
| Organizational Types | Small and medium-sized enterprises (SMEs). | Sophisticated organizations in critical infrastructure, technology, and cybersecurity sectors. |
| Focus | Receiving tailored threat intelligence and guidance from the government. | Two-way communication for sharing and receiving threat intelligence. |
| Purpose | Provide actionable information to bolster cybersecurity defenses, acknowledging that these organizations may lack resources to contribute significantly to threat intelligence. | Contribute valuable insights to the government, enhancing the national threat intelligence landscape, and receive detailed technical threat data aligned with their response capabilities. |
| Tailored Communication | Provide detailed explanations of threat significance and potential impacts. Offer concrete steps to mitigate vulnerabilities, ensuring guidance is accessible and actionable. | Deliver granular data and actionable intelligence suited to their advanced capabilities. Encourage contributions that enrich the government’s understanding of the evolving threat landscape. |

Outcomes of the Multi-Tiered Public-Private Partnership (PPP) Program

By creating a partnership program with different levels of engagement for various organizations, Indonesia can achieve the following:

• Enhanced Threat Intelligence Sharing:
Enables timely sharing of actionable threat intelligence and vital information between the government and private sector, allowing everyone to be prepared.

• Strategic Alignment:
Creates a unified national cybersecurity strategy by aligning efforts across sectors, reducing fragmentation and duplication.

• Support for National Awareness Initiatives:
Amplifies national cybersecurity awareness campaigns, ensuring businesses of all sizes understand the threats they face and the necessary actions to take.

6.2 Developing a Real-Time Threat Intelligence Sharing Platform

An effective framework for cyber threat intelligence sharing is essential for detecting, deterring, and
responding to cyber threats in real time. Since the government and private businesses each have unique
knowledge about these threats, combining their insights gives Indonesia a complete picture and strengthens its
defenses.

Key Features of the Threat Intelligence Sharing Platform

1. Real-Time Intelligence Sharing
● Facilitates rapid sharing of threat intelligence, enabling swift responses to emerging threats.
● Provides customized guidance suited to the needs of different organizations, from large enterprises to SMEs.

2. Bi-Directional Flow of Information
● Encourages both government and private sector entities to share insights, ensuring a two-way exchange of information.
● Allows SMEs to benefit from the advanced threat intelligence contributed by larger organizations.
● Both the government and private businesses share what they know, creating a complete understanding of the threat landscape.

3. Collaborative Response Options
● Enables members to collaborate on response strategies and share best practices.
● Strengthens collective response capabilities and improves incident management across industries.

Benefits of the Threat Intelligence Sharing Platform

• Faster Detection and Response:
Equips organizations to detect and respond to threats more effectively, reducing the time between vulnerability identification and mitigation.

• Broader Participation:
Engages organizations of all sizes, ensuring that even smaller businesses benefit from high-quality threat intelligence.

• Enhanced Cybersecurity Resilience:
Fosters collaboration and real-time intelligence sharing, improving Indonesia’s overall cybersecurity posture.

6.3 Establish a Cyber Incident Review Board or Similar Forum

As part of the Public-Private Partnership (PPP) Program, Indonesia should establish a Cyber Incident Review Board to enhance its ability to analyze and learn from major cyber incidents. This board, composed of government officials and trusted industry experts in cybersecurity and incident response, is responsible for:

1. Reviewing major cyber events
● Detailed Analysis:
Conduct comprehensive evaluations of significant incidents, including causes, impacts, and contributing factors.
● Lessons Learned:
Identify incidents and recommend measures to prevent recurrence.

2. Offering concrete recommendations:
● Improvement Strategies:
Provide actionable recommendations for enhancements across the public and private sectors.
● Policy Development:
Inform national cybersecurity policies and practices with insights from incident analyses.

Establishing this formal incident review forum will enable Indonesia to enhance its cybersecurity posture and foster stronger collaboration between government agencies and private sector partners, thereby strengthening the strategic response to ensure a safer digital environment.

6.4 Strengthening International Collaboration in Cybersecurity

In order to tackle the growing complexity and transnational character of cyber threats, Indonesia acknowledges the crucial need for international collaboration in cybersecurity. To improve its cybersecurity posture, Indonesia should actively participate in alliances and cooperative projects with other nations and international organizations.

Regionally, Indonesia is committed to further bolstering the role of regional organizations in the cybersecurity landscape through Confidence Building Measures (CBMs) and the development of regional capacity.39 An important part of ASEAN’s cybersecurity efforts is Indonesia’s participation in the ASEAN Regional Forum (ARF), ASEAN Political-Security Community, ASEAN Cyber Capacity Program (ACCP), ASEAN Cybersecurity Coordinating Committee (ASEAN Cyber-CC), and the ASEAN-Japan Cybersecurity Capacity Building Center (AJCCBC). These programs put a strong emphasis on member state capacity building, incident response, and information sharing. Furthermore, Indonesia is also actively involved in Asia-Pacific Economic Cooperation to fight cybercrime and contribute to building international norms on cybersecurity.40

Globally, Indonesia is dedicated to promoting peace and strengthening the development of cyber norms.41 Indonesia has actively participated in the UN Security Council, UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace, UN Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security, International Telecommunication Union (ITU), United Nations Office on Drugs and Crime (UNODC), Organization of Islamic Cooperation (OIC), Global Commission on the Stability of Cyberspace (GCSC), and G20.42

Bilaterally, Indonesia cooperates and collaborates on the cybersecurity landscape with the European Union,
Australia, the United States, China, Japan, South Korea, etc. The scope of cooperation encompasses security
dialogue, workshops, incident management, cybercrime investigations, capacity building programs, cybersecurity
strategy, joint exercises, cyber defense capabilities, information sharing, combating cybercrime, protecting critical
infrastructure, and promoting cyber norms.

39 MoFA Indonesia, “Indonesia Voices Cyber Stability in the UN”, MoFA ID, May 23rd, 2020, https://kemlu.go.id/portal/en/read/1327/berita/indonesia-voices-cyber-stability-in-the-un
40 IISS, “Indonesia”, Cyber Capabilities and National Power: A Net Assessment, (2021): 143-147, https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---indonesia.pdf
41 MoFA Indonesia, “Indonesia Voices Cyber Stability in the UN”, MoFA ID, May 23rd, 2020, https://kemlu.go.id/portal/en/read/1327/berita/indonesia-voices-cyber-stability-in-the-un
42 Ibid.

Several areas that can be explored for future collaborations would be:

• Information sharing mechanism to facilitate early warning of cyber threats, exchange threat intelligence, and improve incident response capabilities

• Joint exercise to improve coordination, test incident response plans, and build practical skills in handling cyberattacks

• Capacity building through training programs, scholarships, exchange programs, knowledge transfer, mentorships, workshops, and knowledge sharing to develop local expertise in cybersecurity, incident response, and digital forensics

• Promote and encourage the development of cyber norms and responsible state behavior in cyberspace

Key diplomatic agenda items that should be prioritized:

• Promoting Cyber Norms:
In order to promote responsible state behavior and avert cyber conflict, Indonesia must emphasize the significance of creating and upholding international cyber rules, thereby encouraging the peaceful resolution of conflicts and supporting the application of international law to cyberspace.

• Enhancing International Cooperation:
Indonesia should actively and closely work to enhance global cybersecurity cooperation through information exchange, cooperative training, and capacity building to highlight the necessity of working together to combat the transnational nature of cyber threats.

• Bridging the Digital Divide:
Indonesia has to emphasize how critical it is to close the digital gap, provide equal access to technology, and help developing nations strengthen their cybersecurity capabilities to promote international assistance to improve less developed countries’ cybersecurity capacities.

• Protecting Critical Infrastructure:
Indonesia needs to emphasize how important it is for nations to work together to defend vital infrastructure against cyberattacks to encourage the exchange of best practices and the creation of global guidelines for the defense of vital infrastructure.

• Involving Non-State Diplomatic Actors:
As global issues become more complex, it is important for Indonesia to also have substantial and practical leadership in international forums. To support this, Indonesia needs to harmonize the involvement of non-state diplomatic actors that have expertise in the cybersecurity landscape, such as think tanks and the private sector.43 This ensures a more comprehensive and inclusive approach to cybersecurity diplomacy, incorporating diverse perspectives and expertise. Non-state actors possess specialized knowledge and innovative solutions that can contribute significantly to addressing cyber threats. Indonesia can explore this avenue by creating a specific cybersecurity working group or task force that can be managed under the Ministry of Foreign Affairs.

43 Abdurrahman Al-Fatih Ifdal & Kenzie Sultan Ryvantya, “Ketangguhan Diplomasi Internasional” in Visi dan Peta Jalan Indonesia Emas 2045 Milik Pemuda, ed. Reza Edriawan et al. (Jakarta: Indonesian Youth Diplomacy, 2024) 58, https://iyd.or.id/wp-content/uploads/2024/09/05092024_IYD_Report_All-Content.pdf

Chapter 07

Cybersecurity Education and Talent Development



Indonesia must address its cybersecurity awareness and talent shortage through comprehensive education reform, professional certification programs, and practical training initiatives. This means promoting certifications, launching national awareness campaigns, and creating hands-on learning opportunities to bridge the gap in cybersecurity knowledge and skills. Developing a skilled workforce is crucial to protect the country’s critical infrastructure from cyber threats. By investing in cybersecurity, supporting government initiatives, and improving digital literacy, Indonesia can reduce its losses from cybercrime by IDR 1,365 trillion by 2030.44

The cybersecurity agency and Kadin (Indonesian Chamber of Commerce and Industry) will lead these
efforts, ensuring that cybersecurity education and awareness reach everyone. By partnering with the private
sector, industry groups, and schools, Indonesia can build a strong cybersecurity foundation.

7.1 Current Challenges in Cybersecurity Talent and Awareness

The world is facing a growing shortage of cybersecurity experts. Indonesia is also facing a significant shortage of cybersecurity professionals and a general lack of awareness about cybersecurity best practices. These gaps hinder the nation’s ability to effectively respond to cyber threats and adopt cybersecurity measures across industries.

Key challenges include:

• Cybersecurity Professional Shortage:
Indonesia faces a cybersecurity professional shortage, especially in critical sectors like finance, healthcare, and energy.

• Lack of Formal Cybersecurity Education Programs:
Most universities and technical schools in Indonesia do not yet offer comprehensive degree programs or training pathways dedicated to cybersecurity.

• Limited Awareness and Training:
A significant portion of the general workforce, particularly in SMEs, lacks basic cybersecurity awareness, which increases the risk of human error leading to cyber incidents.

To solve this, both the public and private sectors need to invest in training and supporting these professionals. It’s also important to maximize the effectiveness of the existing cybersecurity workforce. Building a robust pipeline of skilled professionals, including those from unconventional backgrounds, will benefit the entire cybersecurity ecosystem. Governments should prioritize recruiting diverse talent and reconsider traditional hiring criteria, such as rigid degree requirements and certifications, which often exclude capable individuals like hackers, veterans, and those from underrepresented groups. Addressing challenges like cybersecurity knowledge and talent gaps in Indonesia requires a multi-faceted strategy focused on educational reform, professional certification, and continuous learning. Such an effort has to be performed comprehensively through collaboration between government, private sector, and educational institutions in building a skilled cybersecurity workforce.

44 Access Partnership, “Google’s role in helping Indonesia build a safe and productive society through digital tools”, Economic Impact Report, October (2023): 5, https://cdn.accesspartnership.com/wp-content/uploads/2023/10/ID-EN-FA-OnScn.pdf?hsCtaTracking=be48563c-9c59-4f6c-9b6e-65c517502ef5%7C087a5bf8-c39f-4fb3-9c18-2aaf7af92354

7.2 Designating a Lead Agency for Cyber Education and Awareness

Indonesia needs a multi-pronged approach to raise cybersecurity awareness and knowledge across all levels of society. A critical step towards enhancing Indonesia’s national cybersecurity framework is to designate a central authority responsible for coordinating, developing, and delivering cybersecurity awareness programs. This lead agency, ideally the cybersecurity agency or the national CSIRT (or another designated body), would be the key driver of all cyber education and awareness efforts, working across both the public and private sectors. The designated agency would have several strategic responsibilities to ensure effective nationwide engagement and alignment across stakeholders.

Key Responsibilities of the Lead Agency

Exhibit 7.1 Key Responsibilities of the Lead Agency

1. Coordinate and Develop Awareness Programs
● Stakeholder Engagement:
Collaborate with public institutions, private businesses, critical infrastructure providers, and academia to create comprehensive awareness programs.
● Tailored Content:
Design programs that address both general and sector-specific cybersecurity threats, tailored to Indonesia’s diverse industries.

2. Establish a Centralized Online Portal
● Primary Platform:
Create and maintain a centralized online portal consolidating all relevant cybersecurity information and resources.

Portal Features:
○ Audience Segmentation:
Provide information tailored to different audiences, from SMEs to large corporations and critical infrastructure operators.
○ Timely Updates:
Provide up-to-date best practices, threat alerts, and practical guidance.
○ Resource Library:
Include training materials like video tutorials, toolkits, and self-assessment tools.

This platform would be distinct from a broader threat information-sharing portal and would serve the specific purpose of public education and cyber resilience awareness.

3. Launch a Whole-of-Nation Cybersecurity Education Campaign
● Collaborative Effort:
The Indonesian government partners with leading industry associations such as USABC and Kadin to launch a national cybersecurity awareness campaign. This initiative will be pivotal in educating the broader public on how to protect themselves against cybercrime, with messaging tailored to all levels of society.
● Campaign Scope:
○ National Messaging:
Develop messaging that resonates with everyone from business executives to students.
○ Multiple Channels:
Utilize social media, television, and radio to ensure broad reach.
○ Educational Content:
Cover basic cybersecurity hygiene, including phishing detection, data safeguarding, and secure communication practices.
● Targeted Audiences:
○ Business Leaders:
Ensure top-level awareness and investment in cybersecurity.
○ Employees:
Instill daily cybersecurity practices across the workforce.
○ Students and Young Professionals:
Foster the next generation of cybersecurity experts.

4. Implement Evaluation Metrics for Awareness Programs
● Performance Indicators:
Establish clear metrics to assess the effectiveness of awareness campaigns, such as participation rates and reductions in incidents linked to poor awareness.
● Continuous Improvement:
Use evaluation data to refine content and distribution methods, keeping programs responsive to the dynamic cyber landscape.

5. Develop Executive-Level Awareness Programs
● Tailored Training:
Create specialized programs for executive managers in both the public and private sectors, focusing on the unique cyber risks their organizations face and the strategic countermeasures required.
● Special Focus:
Address the financial, operational, and reputational impacts of cybersecurity incidents, enabling executives to make informed decisions on investments and policies.

6. Coordinate Existing Awareness Campaigns
● Strategic Alignment:
Align and coordinate existing cybersecurity awareness initiatives to avoid duplication, maximize resource utilization, and present a unified and consistent national message.
● Regular Communication:
Facilitate ongoing dialogue between stakeholders running these campaigns to ensure consistency and reinforce key messages.

7.3 Comprehensive Cyber Security Employee Training

To combat the ever-changing cyber threats, every organization in Indonesia needs to prioritize cybersecurity training for all employees. While many businesses have incorporated cybersecurity into their training programs, there is a need for a more unified, mandatory approach, especially within government institutions and state-owned enterprises.

Key Recommendations for an Effective Cybersecurity Training Program

1. Inclusive Training for All Business Areas
Cybersecurity training should be mandatory for all employees, from entry-level staff to senior executives and CFOs. This ensures everyone understands the risks and can act as the first line of defense.

2. Incentivize Positive Security Behavior
Instead of solely penalizing mistakes, organizations should reward employees for reporting phishing attempts and other cyber threats. Positive reinforcement encourages vigilance and proactive engagement, fostering a security-conscious culture.

3. Tailor Training Based on Behavior Analysis
To improve the effectiveness of training, organizations should analyze why employees engage with phishing emails or other security threats. This analysis should move beyond simple metrics like “click-through rates” and delve into behavioral factors such as the content or urgency of the email. Tailored training that addresses the root causes of risky behavior will be far more effective in fostering strong cybersecurity practices.

4. Provide Specialized Training for Executives and CFOs
Executives and CFOs must receive specialized training that addresses their unique roles in shaping an organization’s cybersecurity strategy and investments. This training should ensure they are aware of the financial and operational risks posed by cyber threats, enabling informed decision-making regarding cybersecurity expenditure and strategic initiatives.

5. Foster a Culture of Security
Building a culture where employees feel safe reporting cybersecurity incidents or mistakes is critical to an organization’s defense posture. Encouraging openness and continuous learning reduces the likelihood of repeated errors and strengthens the organization’s ability to adapt to new threats. A culture that prioritizes security from the top down fosters a sense of shared responsibility across the workforce.

6. Develop a Comprehensive Cyber Strategy
Cybersecurity strategies must acknowledge the inevitability of human error and include preventive measures and real-time threat responses, leveraging automation where possible. Organizations should maintain a clear understanding of their cybersecurity posture from the perspective of potential adversaries, ensuring that their defenses evolve in response to changing threats.

By implementing these recommendations, government institutions and businesses across Indonesia will significantly enhance their cybersecurity posture. Extensive employee training programs that engage all levels of the workforce, from frontline staff to senior executives, will help organizations mitigate risks more effectively. This holistic approach to cybersecurity training not only strengthens defenses but also cultivates a culture that prioritizes security at every level, which is fundamental for sustaining organizational and national cyber resilience.

7.4 Growing Cybersecurity Talent in Indonesia

Addressing the shortage of cybersecurity professionals is crucial for Indonesia’s national security and
digital economy. A comprehensive strategy spanning all education levels is required to develop a robust pipeline
of skilled professionals. This talent pipeline will support both the public and private sectors, ensuring the country
has the expertise needed to counter evolving cyber threats.

Key recommendations for growing Indonesia’s cybersecurity talent:

1. Align Government Entities on Shared Objectives
The cybersecurity agency, the Ministry of Education, and other relevant entities should collaborate to define clear cybersecurity education priorities. This will ensure a unified national approach and efficient use of resources.

Actionable Initiatives:
● Develop a national cybersecurity education roadmap as part of the National Cybersecurity Strategy (NCSS).
● Ensure that a dedicated national budget is allocated to fund cybersecurity education initiatives, infrastructure development, and talent programs across all education levels.

2. Implement Comprehensive Cyber Education
To ensure that Indonesia can meet its growing need for cybersecurity professionals, cybersecurity education must be integrated across primary, secondary, and tertiary education levels. This includes creating specialized cybersecurity courses and embedding cybersecurity content within existing ICT and STEM curricula. Early exposure cultivates interest and foundational knowledge, while advanced programs at universities develop specialized skills.

Actionable Initiatives:
● Teacher Training:
Provide educators with training and resources to deliver current and industry-relevant cybersecurity courses.
● Curriculum Expansion:
Embed cybersecurity modules across various university programs, including non-technical fields like law and business, to promote cross-disciplinary expertise.
● Public Access and Informal Education:
Support seminars, MOOCs, mentorship, workshops, and lectures on cybersecurity topics accessible to non-specialists, fostering widespread awareness.
● Cyber Clinics:
The cyber clinics offer a valuable opportunity to address the cybersecurity skills gap. By providing hands-on experience for students while assisting under-resourced organizations, they strengthen the overall security posture of local communities. Furthermore, innovative training programs leveraging technologies like generative AI can personalize the learning experience and efficiently expand the pool of qualified cybersecurity professionals.
● Cyber Year of Service:
To bolster the cybersecurity workforce, we need both broader and deeper expertise. Mandating standardized cybersecurity content in all computer science programs through certification requirements can significantly increase baseline knowledge. Furthermore, initiatives like a “Cyber Year of Service” can provide valuable experience and a direct pathway to government cybersecurity roles for graduates. These diverse training avenues, coupled with equipping professionals with advanced tools like AI and leveraging cloud-based security solutions, will maximize their effectiveness and efficiency in combating cyber threats.

Further Developments:
● Regularly review and update the IT and cybersecurity content taught in schools and universities to align with current best practices.
● Allocate additional funding to public universities to expand their cybersecurity infrastructure, including labs and technical facilities, ensuring they are equipped to meet the demands of increasing enrollment in cybersecurity courses.

3. Incentivize ICT and STEM Courses
Encouraging students to pursue ICT and STEM fields is key to fostering a steady flow of talent into the cybersecurity workforce. Providing financial incentives like grants and scholarships can make these programs more attractive and accessible to a broader range of students. Additionally, we also need to provide financial incentives for institutions and educators to promote and enhance ICT and cybersecurity education.

4. Develop Cyber Internships and Apprenticeship Programs
Providing hands-on learning opportunities through internships and apprenticeship programs is critical to bridging the gap between academic education and practical cybersecurity experience. These programs allow students and professionals to gain real-world experience in cybersecurity, improving their skills and employability.

Actionable Initiatives:
Partner with the private sector to offer internships and apprenticeships, providing hands-on experience that bridges academic learning and practical application.

5. Promote Micro-credentials in Cybersecurity
Encourage the development and recognition of short, focused qualifications in areas like cloud security and incident response. Micro-credentials allow professionals to upskill rapidly and specialize according to industry needs.

Actionable Initiatives:
● Promote micro-credentials that focus on emerging areas such as cloud security, threat intelligence, incident response, and forensic analysis.
● Collaborate with industry leaders to ensure micro-credential programs are relevant and meet current cybersecurity demands.

6. Enhance Diversity and Inclusion
A diverse cybersecurity workforce is essential for bringing different perspectives and skills to the table. Programs aimed at increasing diversity, particularly in underrepresented groups, are key to building an inclusive cybersecurity talent pipeline.

Key Recommendations:
● Develop mentorship programs and outreach initiatives targeting underrepresented groups in cybersecurity, including women, minorities, and those from disadvantaged backgrounds.
● Create partnerships with organizations that promote diversity in STEM fields to increase participation from all segments of society in cybersecurity roles.

7. Host a National Cyber Challenge
Organize Capture the Flag (CTF) competitions and other cybersecurity challenges to engage students and professionals. These events stimulate interest, encourage skill development, and identify promising talent.

Actionable Initiatives:
● Collaborate with universities, Kadin, and international organizations to provide sponsorships and prizes, enhancing participation.
● Establish pathways from competition participation to internships and employment opportunities within the cybersecurity sector.

8. Cybersecurity Talent Retention Strategy
Retaining skilled cybersecurity professionals is crucial. Their expertise grows with time, making them invaluable assets. Cultivating a supportive environment where they feel empowered to question, innovate, and adapt ensures job satisfaction and encourages long-term commitment to the organization.

7.5 Career Path and Occupation Mapping for Cybersecurity Talents

To further grow cybersecurity talent and create labor market symmetry, the public and private sectors need to work in synergy to channel this talent into the right occupations through proper career path and occupation mapping. In 2019, BSSN, in partnership with Kadin, the Ministry of Manpower, the Ministry of Communication and Informatics, the Ministry of National Development Planning, and BNSP, launched the “National Occupational Map in the Indonesian National Qualification Framework in the Area of Cybersecurity Function”, which outlines cybersecurity job roles, skills, competencies, and career paths and also serves as a guideline for individuals, educational institutions, and the private sector. The document is also intended to provide standardization, skills development, career planning, workforce development, and industry growth. It covers approximately 30 occupations, each with four key components (job roles, competencies, career path, and certification or training) that are already synchronized with the Indonesian National Work Competency Standards (SKKNI) (see appendix N).45

7.6 Certification Programs and Standards

In the context of Indonesia’s evolving cybersecurity landscape, certification and standards play a critical role in ensuring that both professionals and organizations are equipped to meet the growing demands for cybersecurity resilience. This chapter will detail the professional and organizational certification programs necessary to foster a robust cybersecurity environment, building on existing initiatives from the cybersecurity agency, MOCI, and Kadin while incorporating best practices from global frameworks.

7.6.1 Professional Certification Programs

To ensure that Indonesia develops a skilled and certified cybersecurity workforce capable of addressing complex threats across sectors, professional certification programs will focus on closing the cybersecurity skills gap by providing globally recognized credentials and practical expertise.

Existing Certification Landscape:

• Cybersecurity Competency Certification:
In collaboration with the Indonesian Certification Body, it currently offers professional certifications that address specific competencies, such as network security and incident management.

• MOCI’s Digital Literacy and Cybersecurity Training:
MOCI has initiated several programs aimed at enhancing digital skills and cybersecurity awareness among professionals across industries, focusing on areas such as data privacy, cloud security, and threat detection.

Role of Kadin:

Kadin (the Indonesian Chamber of Commerce and Industry) is planning to expand and introduce cybersecurity
certification programs for professionals in collaboration with the cybersecurity agency, MOCI, and international
certification bodies. Kadin will act as the key facilitator, working to ensure that certification programs are aligned
with industry needs and cover the latest technologies.

Key Focus Areas:

• Expansion of Certification Programs:
Offer a wide range of certifications like CompTIA Security+, CISSP, and CEH, and collaborate with international bodies such as ISC2 and ISACA to offer certifications tailored to Indonesia’s specific needs. Focus on high-demand areas like incident response, penetration testing, cloud security, and critical infrastructure protection.

• Cybersecurity Talent Pipeline:
Kadin will collaborate with universities, vocational training institutions, and global tech companies to create a pipeline of skilled cybersecurity professionals. This will include integrating cybersecurity training into academic curricula and offering internships and on-the-job training.

Implementation Plan

Stage 1
Establish a framework for certifying cybersecurity professionals in critical industries such as
finance, healthcare, and energy over the next three years

Stage 2
Introduce subsidies and financial incentives to support professionals obtaining
certifications, especially those from SMEs and underrepresented regions

Stage 3
Partner with private sector organizations to provide on-demand training and
certification workshops, leveraging both online platforms and in-person training

Exhibit 7.2 Implementation Plan

7.6.2 Organizational Certification Programs

The organizational certification program aims to ensure that organizations across Indonesia, especially those
operating in critical infrastructure sectors, meet internationally recognized cybersecurity standards. This will help
reduce risks and protect important national assets.

Current Initiatives:
• KAMI Index Assessment:
This facilitates assessment for organizations in sectors handling sensitive information, including finance, government, and telecommunications, which follows the SNI/ISO/IEC 27001.

• MOCI’s Data Protection Certification:
This program focuses on ensuring compliance with Indonesia’s Personal Data Protection Law (PDP), requiring organizations to safeguard personal data in alignment with global standards.

Role of Kadin:

Kadin, the Indonesian Chamber of Commerce and Industry, will expand these certification efforts to include more
organizations, especially small and medium-sized enterprises (SMEs). Kadin will facilitate compliance with both
national and international cybersecurity standards, such as ISO/IEC 27001 and/or the NIST Cybersecurity
Framework.

Key Focus Areas:

1. Mandatory Certifications:

● Promote mandatory certification for critical sectors, including energy, finance, and healthcare, to meet ISO/IEC 27001 standards.

● Facilitate workshops and training sessions to help organizations prepare for certification.

2. SME Cybersecurity Certification:

● Develop a tiered certification program for SMEs that gradually introduces them to cybersecurity best practices. This would include basic compliance with NIST, with a path toward more advanced certifications like ISO/IEC 27001.

● Provide financial support for certification programs aimed at smaller organizations, offering tax incentives and government-backed grants to encourage compliance.

Implementation Plan

Stage 1
Provide resources and support for organizations in critical sectors to achieve necessary
certifications, strengthening national cybersecurity infrastructure

Stage 2
Establish a dedicated cybersecurity compliance portal where organizations can perform
self-assessments, access certification guidance, and seek consultancy

Stage 3
Collaborate with global technology providers to develop customized cybersecurity certification
frameworks for industries like telecom, logistics, and manufacturing

Exhibit 7.3 Implementation Plan

By leveraging the collective efforts of the cybersecurity agency and MOCI, this approach ensures the development
of a highly skilled cybersecurity workforce and encourages organizations, particularly in critical sectors, to
achieve and maintain global cybersecurity standards. Kadin’s role as a facilitator for SMEs and its collaboration
with government bodies will be key to achieving national cybersecurity goals.

7.7 Case Studies: Industry Support for Cybersecurity Education

Case Study 1: Google’s Extensive Collaboration and Initiatives

The United States
Google is committed to making cybersecurity careers accessible to everyone, regardless of their back-
ground. Google is taking a multi-pronged approach to improve cybersecurity globally, with specific
initiatives in Southeast Asia and Indonesia. To close the cybersecurity talent gap, they’re investing in hands-on
learning through cybersecurity clinics at 20 universities, the Google Cybersecurity Certificate for entry-level train-
ing, and industry partnerships to create new career pathways. By combining these efforts, Google aims to empow-
er individuals and strengthen the overall cybersecurity workforce to better protect against cyber threats.46

Southeast Asia
In Southeast Asia, Google’s charitable arm, Google.org, is giving $15 million to The Asia Foundation to
start the APAC Cyber Security Fund. They’re working with CyberPeace Institute and Global Cyber Alliance to
improve the online security of 300,000 small businesses, nonprofits, and social enterprises in 12 Asian countries.
This involves partnering with organizations and universities to provide training and support to local communities
and students.47

Indonesia
Indonesia faces a growing number of cyber threats, including data breaches and ransomware attacks,
which can disrupt essential services and harm the digital economy. In Indonesia, Google is addressing the
growing cyber threats by providing scholarships for BSSN officials to earn the Google Cybersecurity Certificate,
sharing threat intelligence with BSSN through Mandiant, and collaborating with BSSN on using AI to enhance
cybersecurity. There is a need to improve cybersecurity capabilities in the public sector and among small and
medium-sized enterprises (SMEs) in Indonesia. On the other hand, policymakers in Indonesia need support in
understanding and harnessing the potential of AI for cybersecurity while mitigating its risks.

● Training cybersecurity specialists:
Google is providing 1,000 scholarships for BSSN officials to earn the Google Cybersecurity Certificate. This will equip them with the skills to protect networks, devices, and data from cyber threats.

● Sharing threat intelligence:
Mandiant, a Google Cloud company, will share its industry-leading threat intelligence with BSSN. This will help BSSN understand the latest tactics used by cybercriminals and nation-state actors.

● Enhancing cybersecurity with AI:
BSSN and Google Cloud will collaborate on using AI to improve cybersecurity. This includes developing and implementing solutions that use automation, analytics, intelligence, and AI to quickly detect, investigate, and prevent cyberattacks on critical infrastructure.

This partnership is expected to strengthen Indonesia’s cybersecurity workforce, improve threat detection
and response, and raise cybersecurity awareness. By proactively investing in these capabilities, Indonesia
aims to safeguard its digital landscape and protect its citizens from the growing threat of cyberattacks. This in-
volves bolstering cybersecurity in the public sector and among SMEs, enabling them to better detect, prevent, and
respond to cyber threats using AI-powered tools.48

What’s Next
Looking ahead, Google continues its commitment to strengthen Indonesia’s cybersecurity across all levels.
In addition to their partnership with BSSN, Google.org is supporting The Asia Foundation to empower 70,000
micro, small, and medium-sized enterprises (MSMEs) with crucial cybersecurity skills. This initiative, implemented
with local partners like PPSW, PUPUK, and Majelis Ekonomi dan Kewirausahaan Muhammadiyah, will provide
training and AI-powered security tools to help MSMEs defend against cyber threats.

Furthermore, Google Cloud offers free cybersecurity and AI training resources through its Skills Boost
program, accessible to all Indonesians. These resources include courses like the Cloud Digital Leader Learn-
ing Path and the Introduction to Generative AI Learning Path, along with gamified learning experiences through
The Arcade. By providing these opportunities, Google aims to equip Indonesians with valuable skills in cybersecu-
rity and AI, enabling them to contribute to a safer and more resilient digital Indonesia.

Case Study 2: Palo Alto Networks CyberFit Nation

Initiative
Palo Alto Networks launched the CyberFit Nation program to address cybersecurity education gaps in Indonesia.
The initiative offers free workshops tailored to diverse audiences, including SMEs, corporate leaders, and stu-
dents.

Impact
By equipping different sectors with the knowledge and skills needed to protect their digital environments, CyberFit
Nation enhances overall cybersecurity resilience. Participants gain practical insights into threat prevention and
response strategies.

Case Study 3: Cisco Networking Academy

Collaboration
The Cisco Networking Academy partners with universities, vocational schools, and government agencies to pro-
vide free training in cybersecurity, networking, and IT skills.

Impact
Over 442,000 students in Indonesia have been trained through this program, earning globally recognized certifica-
tions. This enhances individual career prospects and also contributes to a more skilled national workforce capable
of addressing cybersecurity challenges.

45 BSSN et al., National Occupational Map in the Indonesian National Qualification Framework in the Area of Cybersecurity Function. (Jakarta: BSSN, 2019).
46 Lisa Gevelber & Phil Venables, “New cybersecurity training to help build a safer world”, Google, May 4th, 2024, https://blog.google/outreach-initiatives/grow-with-google/google-cybersecurity-career-certificate/
47 The Asia Foundation, “APAC Cybersecurity Fund”, The Asia Foundation, October 10th, 2023, https://asiafoundation.org/apac-cybersecurity-fund/
48 Google Indonesia, “Google Bekerja Sama dengan BSSN dan Ekosistem Digital Indonesia untuk Memperkuat Pertahanan dan Keamanan Siber Nasional Berteknologi AI”, Google, March 5th, 2024, https://blog.google/intl/id-id/company-news/technology/2024_03_google-bekerja-sama-dengan-bssn-dan/?

Chapter 08
Cybersecurity Methodologies and Risk Management Frameworks

Effective cybersecurity management requires adopting well-defined methodologies and risk management
frameworks that provide organizations with clear guidelines for identifying, mitigating, and responding to
cyber threats. Indonesia should prioritize the implementation of international best practices while also tailoring
them to fit the specific needs of important sectors like finance, healthcare, and energy. This chapter explores how
adopting well-defined cybersecurity methodologies and risk management frameworks provides clear guidelines for
identifying, mitigating, and responding to cyber threats, ensuring organizational resilience.

8.1 Adopting a Standardized Cybersecurity Methodology

A standardized cybersecurity methodology or framework is essential for organizations to systematically
manage their cyber risks. Adopting a recognized framework ensures that all cybersecurity activities—from iden-
tifying vulnerabilities to responding to incidents—are carried out in a structured and consistent way. It is crucial for
the Indonesian government to utilize existing industry-led, globally harmonized Information and Communication
Technology (ICT) standards, both in terms of setting standards for industry to meet in their own environments and
also in terms of the standards that vendor ICT products should meet. Drawing on these established standards
for both industry practices and vendor ICT products ensures alignment with global best practices and avoids the
pitfalls of creating country-specific standards that may inadvertently hinder innovation and security.

Key cybersecurity methodologies that Indonesia should consider adopting include:

• The Risk Management Framework:
The Risk Management Framework (RMF) is a set of guidelines, standards, and processes developed by the U.S. National Institute of Standards and Technology (NIST) to help organizations manage information security risks. It offers a comprehensive and flexible approach that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.

• NIST Cybersecurity Framework (CSF):
A widely accepted framework focusing on identifying, assessing, and managing cyber risks. The NIST CSF organizes cybersecurity efforts into five key functions: identify, protect, detect, respond, and recover.

• ISO/IEC 27001:
This international standard focuses on establishing a comprehensive Information Security Management System (ISMS). It helps organizations protect data by ensuring confidentiality, integrity, and availability.

• ASEAN CyberSecurity Framework:
For regional harmonization, Indonesia should ensure alignment with ASEAN’s cybersecurity initiatives, which focus on securing the region’s critical infrastructure.

• Cybersecurity Maturity Model Certification (CMMC):
This framework offers tiered cybersecurity levels to ensure that organizations in sensitive industries like energy and defense meet stringent cybersecurity standards.

By adopting these frameworks, Indonesia can establish consistent and standardized approaches to cybersecurity
across sectors, enabling organizations to better protect their assets and manage risks.

8.2 Security Controls Based on NIST Cybersecurity Framework


The NIST CSF is a widely accepted framework that provides a comprehensive set of security controls. Under-
standing its five core functions helps organizations implement a structured approach to cybersecurity.

Exhibit 8.1 The NIST Cybersecurity Framework

To ensure effective cybersecurity risk management, the NIST Cybersecurity Framework provides a comprehen-
sive set of security controls across five core functions:

1. Identify
2. Protect
3. Detect
4. Respond, and
5. Recover.

These functions create a structured approach for securing digital environments and responding to cyber incidents.
The NIST framework’s flexibility allows for adaptation to various sectors and organizations, from SMEs to critical
infrastructure operators.

8.2.1 Identify

The identify function helps organizations understand cybersecurity risks to their systems, assets, and data. By
identifying critical assets and assessing potential threats, organizations can prioritize the implementation of securi-
ty measures that align with their risk profile.

Key Activities:
• Asset management:
Catalog all IT assets, including hardware, software, and cloud environments.

• Risk assessment:
Identify vulnerabilities and threats through continuous risk assessments.

• Governance:
Establish governance structures to assign accountability for cybersecurity.

For a detailed breakdown of control steps under the NIST’s identify function, refer to Appendix B.

8.2.2 Protect

The protect function focuses on implementing safeguards to ensure service continuity and the protection of as-
sets. This function prioritizes proactive measures to minimize the potential impact of cybersecurity events.

Key Activities:
• Access Control:
Use multi-factor authentication (MFA) and role-based access control to ensure that only authorized personnel have access to sensitive systems and data.

• Data Security:
Encrypt data at rest and in transit, and ensure that data backups are secure and regularly updated.

• Information Protection Processes:
Establish policies for secure data handling and storage, and regularly audit compliance with security standards like ISO/IEC 27001.

For a detailed breakdown of control steps under the Identify function, refer to Appendix C.

8.2.3 Detect

The detect function focuses on monitoring systems to detect cybersecurity events in real time. Early detection of
malicious activity is crucial for mitigating damage and preventing data breaches.

Key Activities:
• Continuous Monitoring:
Implement tools such as Security Information and Event Management (SIEM) systems to monitor networks, endpoints, and applications for suspicious activities.

• Detection Processes:
Set up automatic alerts for anomalies and events, and ensure that detection rules are regularly updated to reflect new threats.

Detailed methodologies for detection processes and controls are provided in Appendix D.

8.2.5 Recover

The Recover function ensures organizations can restore services and operations after a cybersecurity incident.
This function emphasizes resilience and continuous improvement in recovery processes.

Key Activities:
• Recovery Planning:
Develop recovery plans to restore systems and services quickly.

• Post-Incident Reviews:
Conduct thorough assessments of the incident response process to identify lessons learned and improve future responses.

Further details on implementing recovery controls can be found in Appendix F.

8.3 Tailoring Cybersecurity Methodologies to Organizational Categories

Organizations vary significantly in their size, resources, risk exposure, and digital environments. Therefore,
Indonesia’s cybersecurity framework must provide tailored methodologies that align with the specific needs of
different organizations. To ensure that cybersecurity efforts are proportional and effective, organizations are
categorized into two distinct groups, Category A and Category B, based on the potential damage a cyber incident
could cause.

8.3.1 Category A Organizations

These include small to medium-sized enterprises (SMEs), which may not have the resources to invest heavily in
cybersecurity infrastructure. For these organizations, a simplified methodology should be implemented, focusing
on basic cyber hygiene and low-cost security measures.

Key Actions:
• Basic Control Families:
Implement approximately ten foundational control families that address fundamental security needs. These
basic cybersecurity controls can ensure SMEs have a foundational level of security even with limited
resources (details in Appendix G).

Implementation Guidance:
The implementation process for Category A organizations should be straightforward and focused on practical
steps:

• Secure Network Configurations:
Use firewalls, secure routers, and network segmentation to prevent unauthorized access.

• Basic Access Controls:
Implement multi-factor authentication (MFA) and ensure users have appropriate access based on their roles.

• Regular Patch Management:
Keep software up to date to reduce the risk of vulnerabilities being exploited.

• Data Protection:
Encrypt sensitive data both at rest and in transit to prevent unauthorized access.

• Compliance and Monitoring:
Employ simple compliance verification and basic monitoring techniques to maintain adequate cybersecurity.

Additional requirements:
Category A organizations may be subject to additional regulatory obligations if they handle sensitive information
or work with third-party vendors. In such cases, they may be reclassified as Category B organizations, requiring
them to adopt more advanced cybersecurity measures. Similarly, suppliers to Category B organizations may need
to comply with higher security standards to protect the supply chain.

Attention:
In cyber and data security, it is common to assess potential impact based on three categories:

• Data Confidentiality:
For example, a cyberattack intended to leak customers’ details to the internet.

• Data Integrity:
For example, a cyberattack intended to falsify a company’s financial reports.

• Data Availability:
For example, a cyberattack denying information from the company or its customers (e.g., shutting down a website, locking files, or deploying ransomware).

8.3.2 Category B Organizations

Category B organizations, such as large enterprises and critical infrastructure operators, face more significant cy-
bersecurity risks due to the complexity of their digital environments and the potential damage that cyber incidents
can cause. As a result, they must adopt more sophisticated cybersecurity frameworks and advanced risk manage-
ment processes.

Advanced Risk Assessment and Management Process:


Category B organizations need comprehensive risk management processes that include advanced models like
PASTA (Process for Attack Simulation and Threat Analysis) and FAIR (Factor Analysis of Information Risk). These
models allow organizations to quantify risks, prioritize investments, and develop mitigation strategies based on a
clear understanding of potential threats.

Introduction to Advanced Models:

1. PASTA (Process for Attack Simulation and Threat Analysis):
This model helps organizations simulate potential attacks, identify vulnerabilities, and develop appropriate responses.

Stage 1
Define business objectives and determine how cyber risks align with organizational goals

Stage 2
Identify and categorize potential threat actors and their methods

Stage 3
Develop mitigation strategies to address identified risks

Stage 4
Develop mitigation strategies to address identified impact

Stage 5
Implement the mitigation strategies and measure their effectiveness

Exhibit 8.2 PASTA Processes

2. FAIR (Factor Analysis of Information Risk):
This model focuses on quantifying risks and providing a financial assessment of potential impacts.

Stage 1
Identify risk scenarios specific to the organization’s assets and operations

Stage 2
Evaluate the probability and potential impact of these risks using quantitative analysis

Stage 3
Calculate the risk in financial terms to prioritize risk management investments

Stage 4
Apply risk treatments and measure the change in risk post-implementation

Exhibit 8.3 Key stages of the FAIR methodology
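
The four FAIR stages above can be walked through in code. The following is an added example, not part of the report: it estimates annualized loss for three constructed scenarios (mirroring the confidentiality, integrity, and availability examples in Section 8.3.1) before and after a treatment, then ranks the treatments by net benefit. All scenario figures, the treatment names, and the Poisson frequency and lognormal magnitude model are assumptions chosen for illustration.

```python
"""FAIR-style risk quantification on constructed scenarios (illustrative only)."""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.6449  # z-score that bounds a two-sided 90% interval of a normal


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: float        # loss event frequency: expected loss events per year
    loss_low: float   # 5th-percentile loss per event, million IDR
    loss_high: float  # 95th-percentile loss per event, million IDR


@dataclass(frozen=True)
class Treatment:
    name: str
    lef_factor: float        # multiplier on frequency once the control runs
    magnitude_factor: float  # multiplier on per-event loss
    annual_cost: float       # yearly cost of the control, million IDR


# Stage 1: risk scenarios. Constructed sample data, not figures from the report.
PAIRS = [
    (Scenario("Ransomware locks billing files", 0.5, 200, 2000),
     Treatment("Offline backups and endpoint detection", 0.4, 0.5, 60)),
    (Scenario("Customer details leaked", 2.0, 20, 200),
     Treatment("MFA and web application firewall", 0.3, 1.0, 40)),
    (Scenario("Financial report falsified", 0.2, 100, 1000),
     Treatment("Segregation of duties and log integrity", 0.5, 1.0, 30)),
]


def _lognormal_params(s):
    """Fit a lognormal so that [loss_low, loss_high] is its 90% interval."""
    mu = (math.log(s.loss_low) + math.log(s.loss_high)) / 2
    sigma = (math.log(s.loss_high) - math.log(s.loss_low)) / (2 * Z90)
    return mu, sigma


def analytic_ale(s):
    """Closed-form annualized loss expectancy: frequency x mean magnitude."""
    mu, sigma = _lognormal_params(s)
    return s.lef * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate(s, trials=50_000, seed=2024):
    """Stage 2: sample the total loss of each simulated year."""
    rng = random.Random(seed)
    mu, sigma = _lognormal_params(s)
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, s.lef)))
        for _ in range(trials)
    ]


def summarize(losses):
    """Stage 3: express the risk in financial terms (mean and 95th percentile)."""
    ordered = sorted(losses)
    return {"ale": sum(ordered) / len(ordered),
            "p95": ordered[int(0.95 * len(ordered))]}


def apply_treatment(s, t):
    """Return the scenario as it looks once the treatment is in place."""
    return replace(s, lef=s.lef * t.lef_factor,
                   loss_low=s.loss_low * t.magnitude_factor,
                   loss_high=s.loss_high * t.magnitude_factor)


def prioritize(pairs, trials=50_000):
    """Stage 4: measure the change in risk and rank treatments by net benefit."""
    rows = []
    for s, t in pairs:
        before = summarize(simulate(s, trials))["ale"]
        after = summarize(simulate(apply_treatment(s, t), trials))["ale"]
        rows.append({"scenario": s.name, "treatment": t.name,
                     "ale_before": before, "ale_after": after,
                     "net_benefit": before - after - t.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(PAIRS):
        print(f"{row['scenario']:32} ALE {row['ale_before']:7.1f} -> "
              f"{row['ale_after']:6.1f}  net {row['net_benefit']:7.1f} (million IDR)")
```

The 95th-percentile figure from `summarize` is the one to show alongside the mean when a scenario is rare but severe, since the mean alone understates a bad year.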

Control Implementation Based on Risk Assessment:

Organizations should implement controls based on the outcomes of their risk assessments. Controls should be
prioritized using a Control Complexity Scoring System, which ranks controls from Level 1 to Level 4 according to
their complexity and cost-benefit value.

● Control Complexity Scoring

LEVEL 1
Basic controls that are easy to implement and involve minimal costs. Suitable for protecting assets or for organizations with limited cybersecurity budgets.

LEVEL 2
Controls offering a moderate level of security, requiring some investment in resources and time to implement effectively.

LEVEL 3
More complex controls that provide higher security but require significant resources and expertise to deploy. Suitable for protecting valuable organizational assets that, while not critical, still carry significant risk if compromised.

LEVEL 4
The most complex controls, designed for assets considered crown jewels or of national/regulatory interest. These controls involve substantial investment and are critical for assets where the highest level of security is non-negotiable.

Exhibit 8.4 Control Complexity Scoring

● Key Implementation Guidelines for Category B:

• Identify Critical Assets: Classify assets based on their importance and the potential impact of their compromise.

• Conduct Risk Assessment: Perform a comprehensive risk assessment to understand the threats and vulnerabilities associated with each asset.

• Map Controls to Assets: Based on the risk assessment and the control complexity score, assign appropriate controls to each asset. Reserve Level 4 controls for the most critical assets.

• Resource Allocation: Allocate resources according to the complexity scores, directing more resources toward controls critical for the organization’s cybersecurity posture.

• Monitoring and Adjustment: Continuously monitor the effectiveness of the implemented controls and adjust as needed based on evolving threats and organizational changes.

Continuous Monitoring and Improvement


Cybersecurity is a dynamic field, and Category B organizations must continuously adapt to emerging threats. Reg-
ular audits, vulnerability assessments, and penetration tests are essential to ensure that security controls remain
effective and up-to-date. Continuous review and improvement are necessary to address new risks and changes in
the threat landscape.

Integration with Organizational Processes


Beyond being implemented, advanced cybersecurity efforts must be integrated with business continuity and
crisis management frameworks. This ensures that cybersecurity is not treated as a standalone issue but is
embedded in the organization’s overall strategy.

8.4. Advanced Cybersecurity Enhancement Recommendations

8.4.1 Continuous Visibility, Audits and Proactive Security Measures

In today’s rapidly evolving cyber threat landscape, maintaining continuous visibility and real-time mon-
itoring of an organization’s security posture is critical. Continuous visibility enables organizations to detect
anomalies, identify vulnerabilities, and respond swiftly to threats before they escalate. Regular penetration testing,
red teaming, and cyber exercises further bolster defenses by simulating real-world attacks, uncovering weakness-
es, and preparing teams for actual incidents. Proactive measures such as purple teaming, where offensive and
defensive teams collaborate, enhance the organization’s ability to anticipate and mitigate risks.
Regular audits of compliance with key security standards like ISO/IEC 27001 are also essential. By combining
these strategies, organizations can build a resilient cybersecurity posture that adapts to new threats and with-
stands the dynamic nature of the digital environment.

8.4.2 Incentivize Attack Surface Management (ASM) Adoption

Entities of all sizes have historically struggled to understand and manage their digital infrastructure,
including devices and applications exposed to the internet. Studies have found that even sophisticated
enterprises may have twice the number of systems exposed on the internet than they are internally monitoring—a
visibility gap that gives adversaries an advantage. Attackers regularly scan the internet for vulnerabilities in pub-
lic-facing infrastructure to exploit them. Adversary scanning can occur every 15 minutes or less following vulner-
ability disclosures. Meanwhile, global enterprises may need an average of 12 hours to find vulnerable systems,
assuming they are aware of all assets on their network.

Recommendations:

• The Indonesian government should incentivize each State-Owned Enterprise (SOE) and other organizations to implement technologies that improve real-time discovery and visibility over their network attack surfaces, particularly internet-facing assets and assets held in cloud environments.

• The cybersecurity agency may consider leveraging ASM capabilities to create a ‘cyber weather’ map of government and SOE entities, providing broad, near real-time visibility into each entity’s cyber posture.

This approach aligns with global best practices, where entities in regions like the EU, the US, and Australia are
mandated to have real-time visibility into their internet-facing infrastructure.

8.4.3 Develop Guidance/Policies on Zero Trust

The Zero Trust model is essential in eliminating implicit trust within networks and validating all user
interactions. Instead of automatically trusting users and devices within a network, the Zero Trust model requires
verification at every access point. By continuously authenticating every access point, Zero Trust improves the
resilience of IT environments and reduces attack vectors. This strategic approach has been popularized by initia-
tives such as President Biden’s Executive Order on Improving the Nation’s Cybersecurity and is being adopted by
countries like Australia to enhance governmental cybersecurity postures.

Recommendation:
The Indonesian government should develop and implement Zero Trust security guidance across both the public
and private sectors. This framework will ensure that all sectors adopt policies that reduce implicit trust, continu-
ously authenticate access, and improve overall security.

8.4.4 Develop a Plan for Secure Transition to the Cloud

Cloud adoption provides substantial benefits, including cost savings, scalability, and flexibility. However,
transitioning to cloud environments must be handled securely, as cloud services are not inherently secure by de-
fault. With the rise of multi-cloud environments, organizations may face visibility challenges, increasing exposure
to vulnerabilities.

Recommendation:
The Indonesian government should create a secure cloud transition plan for public and private entities. This plan
must ensure comprehensive visibility and governance across all cloud environments, emphasizing automation
and continuous monitoring.

Key Security Pillars for Cloud Transition:

1. Cloud Security Posture Management (CSPM):
Provides continuous visibility and compliance across all cloud environments, including monitoring for misconfigurations and prioritizing risks.

2. Threat Detection:
Utilizes User and Entity Behavior Analytics (UEBA) and network anomaly detection for real-time identification of threats.

3. Cloud Infrastructure Entitlement Management (CIEM):
Manages access permissions and roles within the cloud to prevent security risks from excessive permissions.

4. Code Security:
Incorporates supply chain security and Software Bill of Materials (SBOM) analysis to ensure secure coding practices and vulnerability management.

8.5 Enhancing Critical Infrastructure Protection

The protection of Critical Information Infrastructure (CII) is a top priority for Indonesia’s national cyber-
security strategy. Critical infrastructure sectors such as energy, telecommunications, and healthcare are highly
vulnerable to cyberattacks, and robust security measures must be implemented to mitigate these risks.

8.5.1 Prioritize and Invest in Critical Infrastructure Protection

Sector-specific cybersecurity guidelines, aligned with international standards such as ISO/IEC 27001 and the
NIST Cybersecurity Framework, should be developed and enforced across all critical sectors. These guidelines
will provide detailed protocols for incident response, risk management, and the implementation of advanced secu-
rity controls.

8.5.2 Centralized Cybersecurity Services

Critical infrastructure sectors should centralize their cybersecurity services within sector-specific Security Op-
erations Centers (SOCs). Centralizing services such as monitoring, incident response, and threat detection will
improve the efficiency and coordination of cybersecurity efforts across critical infrastructure sectors.

8.5.3 Regular Audits and Vulnerability Assessments

To maintain compliance with regulatory standards, all critical infrastructure sectors must be subject to regular
audits and vulnerability assessments. These audits will help identify areas where improvements can be made,
ensuring that cybersecurity measures remain effective in protecting critical infrastructure.

Chapter 09: Strengthening Local Players in Cybersecurity Industry Growth


A robust and resilient local industry is essential to achieve Indonesia’s national cybersecurity goals.
Developing a competitive local cybersecurity sector is necessary to safeguard the nation’s critical infrastructure,
achieve technological independence, and foster economic growth. This chapter outlines a focused strategy to
build a solid local cybersecurity ecosystem that is capable of competing globally while ensuring national security.

By empowering local firms, promoting indigenous innovation, and ensuring fair competition with foreign enterprises, Indonesia can position itself as a leader in the cybersecurity field both regionally and internationally. Three major foundations that Indonesia should consider are ideal provision, transition, and SRO standardization.

[Exhibit 9.1 Ideal Provision. Figure labels. Local: Value Added Resellers; Threat Intelligence; Incident Response; Create Locally Relevant Solutions; Form Reliable Alliance. Foreign: Technology License; Implement Enterprise Reseller Business Model; Supplying Cutting-Edge Technologies; Knowledge Partner. Also shown: Local Talent Development.]

Ideal Provision

Increased digitization is propelling the explosive expansion of Indonesia’s cybersecurity sector, but the sector also confronts obstacles such as a lack of qualified workers, little R&D, and a dependency on foreign solutions. Local businesses should concentrate on specialty markets like threat intelligence and incident response, create locally relevant solutions, and form reliable alliances to support a flourishing local industry, while still being able to become Value-Added Resellers (VARs). As VARs, local companies act as high-end security assessors, integrators, consultants, customer success accelerators, consolidators, optimizers, managed security service providers (MSSPs), managed detection and response services (MDRs), and SOC-as-a-Service Partners.[49] International businesses may help by licensing their technology, allowing enterprise reseller business models to be applied, sharing best practices worldwide, investing in local talent development, and supplying cutting-edge technologies. Local innovation should be encouraged by the Government through incentives and policies.[50] To create a workforce of qualified cybersecurity professionals, the Government must also support cooperation between regional and international actors and invest in education and training.[51]

Transition from Technological Perspective

If Indonesia wants to compete at a high level, it needs to concentrate on promoting innovation rather than
merely implementing current technologies. This entails creating domestic cybersecurity solutions that are
suited to Indonesia’s particular problems, boosting R&D spending to spur innovation and provide a competitive
edge, and fostering a cybersecurity culture by incorporating best practices and awareness into educational and
professional development initiatives.[52]

SRO Standardization

As mentioned in Chapter 5, establishing a Self-Regulatory Organization (SRO) for cybersecurity in Indonesia can help to upscale the playing field for local and international companies. The SRO can create industry standards by establishing clear guidelines and best practices for cybersecurity products and services. Furthermore, it can promote certification and accreditation by creating a framework to assess and recognize cybersecurity providers’ capabilities, which will eventually have a positive impact on the capacity and capability of local talent. By ensuring fair competition based on merit and capability rather than brand recognition, the SRO can foster a more competitive and robust cybersecurity landscape in Indonesia.

9.1 Strengthening Policy and Regulatory Support for Local Industry

In Chapter 5, we discussed the broader regulatory landscape required to secure Indonesia’s digital future.
Building upon those foundations, Indonesia can build a self-reliant cybersecurity ecosystem by ensuring that local
firms are protected from unfair foreign competition while also fostering innovation.

Key Actions:
• Local Content Mandates
The Indonesian Government can implement regulations requiring a minimum proportion of local content in cybersecurity procurement for Government agencies and vital infrastructure projects to promote a thriving local cybersecurity sector. Clear definitions of “local” goods and services, incorporating standards such as Indonesian ownership and domestic R&D, can help achieve this. Local businesses could progressively increase their capacity to satisfy demand under a phased deployment strategy. A method for auditing and confirming compliance should also be implemented with the help of independent certifying organizations. For instance, the Government may require all agencies to purchase at least 40% of the services or goods that they need from local suppliers.[53]

• Preferential Treatment in Procurement
The Indonesian Government can modify procurement regulations to grant preferential treatment that empowers and supports the growth of local cybersecurity companies, especially SMEs. This can be achieved by providing price benefits during the procurement bidding process. Furthermore, some contracts, at the municipal or provincial level, might be awarded only to regional suppliers, particularly for initiatives that deal with sensitive data or local needs. Encouraging joint ventures between domestic and foreign businesses will also help local businesses meet local content standards while gaining access to cutting-edge technologies and invaluable experience. For instance, local cybersecurity SMEs could receive a 10% pricing preference in Government tenders during the procurement process. One example is India, which has imposed preferential treatment in procurement for cybersecurity products, a measure expected to foster income and employment growth.[54]

• Regulatory Simplification
The Indonesian Government needs to expedite and streamline the licensing and regulatory processes for establishing local cybersecurity businesses, so that businesses can quickly acquire licenses, permits, and certificates and the compliance procedure is simplified. Local businesses would be able to comply fully and efficiently with the criteria if clear and concise guidance on cybersecurity standards and regulations were provided through the eligibility assessment process, the exclusion of tenderers with poor track records, and the cyber integrity of prospective tenders, goods, and procurement procedures. Additionally, tax incentives for regional cybersecurity SMEs and startups would promote investment and industry expansion.

• Anti-Dumping Laws
Introduce measures to prevent foreign companies from using predatory pricing strategies that undermine local firms’ competitiveness.

[49] Emily Real, “Rethinking Cyber Security Strategies: The Role of VARs”, Veeam, December 27th, 2023, https://www.veeam.com/blog/cyber-security-resellers-veeam.html
[50] International Trade Administration, “Indonesia Digital Economy”, International Trade Administration, September 19th, 2024, https://www.trade.gov/country-commercial-guides/indonesia-digital-economy

Impact:
• Increase opportunities for local companies, giving local cybersecurity firms greater access to national projects and enabling them to scale and grow.
• Reduce reliance on foreign solutions, decreasing Indonesia’s dependence on foreign technologies and fostering technological sovereignty.
• Enhance competitiveness of local startups and SMEs, allowing them to innovate, compete internationally, and strengthen Indonesia’s cybersecurity resilience.

9.2 Fostering a Competitive and Resilient Local Industry

Every successful industry is built on innovation, and Indonesia’s cybersecurity market is no different. This
section explores the particular mechanisms that stimulate innovation in the community’s cybersecurity ecosystem.
By supporting R&D, public-private collaborations, and intellectual property protection, Indonesia can lessen its
need for foreign technologies and create a competitive, self-sustaining cybersecurity economy.

Key Actions:
• R&D Grants and Incentives
The Government must introduce R&D grants and tax incentives for local firms investing in cybersecurity technologies to stimulate local innovation. R&D grants are expected to further cultivate a culture of science and innovation. By offering direct funding and tax breaks, the Government can lower the cost barriers for local firms, enabling them to explore new and advanced cybersecurity solutions. The Government of the United States has done this through its R&D Tax Credit.[55]

• Innovation Hubs
The establishment of cybersecurity innovation hubs will provide a collaborative environment where startups, research institutions, and corporations can co-create solutions. These hubs will serve as incubators for new technologies and business models, supporting the growth of local talent and companies. Each hub will focus on Indonesia’s unique cybersecurity needs, such as securing critical infrastructure and protecting digital identities, while fostering a culture of continuous innovation. For instance, in Europe, an innovation hub for cybersecurity called European Digital Innovation Hubs (EDIHs) - Cybersecurity Innovation Hub provides a wide range of programs, including pre-investment testing, skilling, and networking.[56]

• Research Collaborations
Local cybersecurity firms should be encouraged to partner with academic institutions to co-develop technologies tailored to Indonesia’s specific challenges. Several promising academic institutions in Indonesia are ready to support the initiatives. This model will facilitate knowledge transfer and information exchange between academia and industry, ensuring that research is science-backed and grounded in practical applications. Some case study examples are the UK Research Institute in Secure Hardware and Embedded Systems (RISE), Cyber NYC, and Stanford Cyber Initiative (SCI).[57] By combining both strengths, Indonesia can further accelerate the development of local cybersecurity solutions.

• Intellectual Property (IP) Protection and Commercialization
Protecting local innovation is crucial to ensuring that Indonesian firms benefit from their investments in R&D; this requires strengthening the regulations and the related institutions that enforce IP protection.[58] The Government should enhance IP protection laws, ensuring local firms can secure patents for their innovations, especially for digital products.[59] Moreover, support mechanisms for commercialization need to be introduced, helping local firms bring their technologies to market domestically and internationally. This will drive competitiveness and incentivize further investments in R&D. It is highly recommended that the government of Indonesia also learn from WIPO about the protection of IP.

[51] edX Enterprise, “Indonesia Cyber Education Institute case study: Supporting students in building in-demand skills”, edX Enterprise, March 7th, 2024, https://business.edx.org/case-study/indonesia-cyber-education-institute-case-study-supporting-students-in-building-in-demand-skills

Impact:
• Increase R&D investment in the local cybersecurity sector, leading to the development of local solutions tailored to national needs.
• Stronger local industry’s competitiveness can reduce our reliance on foreign products and technologies.
• The cultivation of innovation culture can drive technological advancement across the industry.

Through this series of actions, it is expected that the growth of the local cybersecurity industry can be boosted, human capital can be harnessed, and the ecosystem can be harmonized. This is aligned with the blueprint’s proposal to foster a competitive and resilient local cybersecurity industry.

9.3 Supporting Local Firms’ Participation in Government Projects

For Indonesia’s local cybersecurity industry to thrive, local firms must be given meaningful opportunities to participate in national projects. By creating designated procurement set-asides, offering capacity-building programs, and facilitating mentorships, the Government can ensure that local firms gain experience and build the credibility needed to grow.

Key Actions:
• Designate Procurement Set-Asides for Local Companies
Designate a portion of Government cybersecurity projects exclusively for local companies, providing them with opportunities to secure national contracts and gain valuable experience.[60]

• Capacity Building and Standardization for Local Companies
Offer training programs and technical assistance to help local firms meet the standards for participating in large-scale national projects.

• Mentoring Program
Facilitate mentorship programs where international cybersecurity firms mentor local companies, helping them develop the expertise needed to compete in the market. These programs can take the form of hackathons, workshops, and boot camps to nurture emerging local talent.

• Pilot Programs for Local Firms
Launch pilot projects to allow local firms to demonstrate their capabilities in Government projects, building a track record to bid for larger contracts.

• Business Incubation
Grow and nurture local cybersecurity firms by partnering with accelerators, incubators, enablers, venture capital, and angel investors to unleash the economic opportunity further. One example is Italy, where the Incubator of Politecnico di Torino partnered with the Italian Agency for National Cybersecurity (ACN) to provide a cybersecurity incubation program for cybersecurity startups.[61]

Impact:
• Increased participation of local companies in national cybersecurity projects can drive business maturity, growth, and experience.
• Strengthened capabilities among local firms can enhance their ability to take on larger projects and compete with international players.
• Providing equal opportunity for local companies

[52] Indosec, “What should be Indonesia’s national cybersecurity strategy in 2024?”, Indosec, July 25th, 2024, https://indosecsummit.com/indonesia-national-cybersecurity-strategy-2024/
[53] Sekretariat Kabinet, “Pengadaan Barang dan Jasa Pemerintah, Wapres: 40 Persen Alokasi untuk UMKM”, Sekretariat Kabinet, June 18th, 2021, https://setkab.go.id/pengadaan-barang-dan-jasa-pemerintah-wapres-40-persen-alokasi-untuk-umkm/
[54] ET Bureau, “Government to introduce preferential public procurement for cybersecurity products”, The Economic Times, Sep 26, 2017, https://economictimes.indiatimes.com/tech/software/government-to-introduce-preferential-public-procurement-for-cybersecurity-products/articleshow/60843739.cms?from=mdr

9.4 Encouraging Technology Transfer and Fair Competition

As Indonesia continues attracting foreign investment in its growing digital economy, partnerships developed with foreign players must be linked to empowering local cybersecurity companies. Therefore, structuring foreign partnerships to benefit local companies and putting measures in place to safeguard national interests can ensure that Indonesia’s cybersecurity industry develops in a competitive and sustainable way.

Key Actions:
• Licensing, Value Added Resellers (VARs), and Enterprise Reseller Business Model
Local firms should be able to get licensing and decide to become resellers of foreign firms’ cybersecurity products and services.[62]

• Technology Transfer Agreements
Foreign firms are required to engage in technology transfer when entering the Indonesian market, ensuring that local companies benefit from access to advanced technologies.

• Equity Restrictions in Key Sectors
Implement ownership restrictions in critical cybersecurity areas, ensuring local companies retain control over key projects and infrastructure.

• Joint Ventures and Strategic Alliances
Encourage partnerships between foreign and local firms to combine international expertise with local knowledge.

• Knowledge Sharing Initiatives
Establish knowledge-sharing platforms where foreign companies provide training and technical expertise to local professionals, ensuring the transfer of valuable skills.

Impact:
• Strengthen local industry capabilities through knowledge sharing and access to advanced technologies.
• Protection of national interests by ensuring local companies control critical infrastructure.
• Increase collaboration between local and foreign firms, fostering innovation and growth.

[55] Omar Assoudi, “Leveraging the R&D Tax Credit: Cybersecurity Innovation”, Leyton, February 8th, 2024, https://leyton.com/us/insights/articles/leveraging-the-rd-tax-credit-cybersecurity-innovation/
[56] European Commission, “European Digital Innovation Hubs (EDIHs) - Cybersecurity Innovation Hub”, https://commission.europa.eu/projects/european-digital-innovation-hubs-edihs-cybersecurity-innovation-hub_en
[57] European Commission, “European Digital Innovation Hubs (EDIHs) - Cybersecurity Innovation Hub”, https://commission.europa.eu/projects/european-digital-innovation-hubs-edihs-cybersecurity-innovation-hub_en
[58] Raihan Zahirah & Theo Gerald, “Digitalisasi, Teknologi, dan Inovasi” in Visi dan Peta Jalan Indonesia Emas 2045 Milik Pemuda, ed. Reza Edriawan et al. (Jakarta: Indonesian Youth Diplomacy, 2024) 84, https://iyd.or.id/wp-content/uploads/2024/09/05092024_IYD_Report_All-Content.pdf
[59] Thales Group, “Software Intellectual Property: What It Is & How to Protect It”, Thales Group, https://cpl.thalesgroup.com/software-monetization/protecting-software-intellectual-property
[60] OECD, “Intervening to support SMEs in public procurement” in SMEs in Public Procurement: Practices and Strategies for Shared Benefits. OECD. (Paris: OECD, 2018), 84-86.
[61] i3P, “I3P launches the Cybersecurity Incubation Program, promoted with ACN and in collaboration with Leonardo and C*Sparks”, i3P, February 5th, 2024, https://www.i3p.it/en/news/i3p-launches-cybersecurity-incubation-program-acn-leonardo-c-sparks
[62] Emily Real, “Rethinking Cyber Security Strategies: The Role of VARs”, Veeam, December 27th, 2023, https://www.veeam.com/blog/cyber-security-resellers-veeam.html

Chapter 10: Implementation Roadmap



To transform Indonesia into a cybersecurity-resilient nation, the implementation of cybersecurity measures must be systematically and meticulously planned, phased, and monitored. This roadmap sets forth a strategic path to build Indonesia’s cybersecurity capabilities incrementally, addressing both immediate needs and long-term goals. By aligning with global best practices and adapting to the local context, this roadmap provides a clear, actionable framework for government agencies, businesses, and critical infrastructure operators.

10.1 Periodical Target

Implementation Roadmap for Indonesia’s Cybersecurity Resilience

I. Short Term Target (by 2030): Foundation Building & Early Strengthening
• Establish National Cyber Defense Infrastructure: Form National CERT, develop incident response frameworks.
• Cybersecurity Education & Talent Programs: Integrate basic cybersecurity curriculum in schools and universities.
• Critical Sector Protection: Secure financial services, and critical infrastructure with international-standard protocols.
• Strengthen Legal & Regulatory Framework: Implement strict data protection laws, incident reporting standards, and cybersecurity regulations.

II. Medium Term Target (by 2035): Advanced Capabilities & Ecosystem Growth
• Advanced Threat Management: Capabilities to address APTs, disinformation, infrastructure outages, and sophisticated cyber threats.
• Adoption of Emerging Technologies: AI integration for surveillance, automation of threat detection and incident response.
• Build a Cybersecurity Ecosystem: Promote startups, invest in R&D, and enhance the skilled cybersecurity workforce.
• Regional & Global Engagement: Establish international threat intelligence sharing, cyber treaties, and a rapid response team for cross-border security.

III. Long Term Target (by 2040): Full Resilience & Global Leadership
• Achieve Maximum Cyber Resilience: Attain robust cyber defense capabilities across all sectors to predict, withstand, and recover from cyber incidents.
• Become a Global Cybersecurity Leader: Lead in specific cybersecurity domains, acting as an enabler for best practices and innovations.
• Influence Global Norms & Policies: Actively contribute to the creation of international standards for responsible behavior and collaboration in cyberspace.

Exhibit 10.1 Short, Medium, and Long-Term Target

10.1.1 Short term target 2030

• Indonesia should develop essential cybersecurity capabilities, including a national Computer Security Incident Response Team (CSIRT), incident response plans, basic cybersecurity education in schools, and a skilled cybersecurity workforce. Furthermore, the country should strengthen cyber infrastructure, implement strong data protection measures, and establish early cybersecurity regulations for important sectors. Indonesia must also enhance the capacity of law enforcement agencies to handle cybercrime, clarifying their roles, responsibilities, and organizational structure. This will streamline the process for citizens to report cybercrime and ensure a swift response from law enforcement.

• Indonesia needs to prioritize the protection of critical sectors such as financial services, healthcare, manufacturing, and critical infrastructure from cybercrime, to bolster trust and facilitate growth. This includes adopting international-standard security protocols, establishing early detection and monitoring systems, and conducting regular security checks and audits.

• Indonesia must enhance law enforcement capacity and international collaboration to tackle complex cyber threats, including malware, social engineering, network-based attacks, web application attacks, and AI-powered attacks. Indonesia also needs to develop comprehensive regulations to address cybersecurity issues, including data protection, privacy, incident reporting, and security standards for digital products and services. These regulations will guide the handling of cyberattacks, including prevention, detection, response, and recovery procedures.
and critical infrastructure to be protected from



10.1.2 Medium term target 2035

• Indonesia should have advanced threat management capabilities to handle more sophisticated threats such as APT attacks, disinformation operations, and major infrastructure outages. In addition, Indonesia should adopt the latest high-capability technology, which includes integrating artificial intelligence to improve surveillance, automating threat detection and response, and enhancing the capacity of the national Computer Security Incident Response Team (NCSIRT).

• Indonesia needs to build a strong local cybersecurity industry ecosystem and support its growth by supporting the creation of startups, investing in research and development, and developing a skilled workforce.

• Indonesia must take a more active role in regional and international information sharing, cybersecurity cooperation, and capacity building. This includes exchanging cyber threat intelligence, developing digital extradition treaties, and forming an international rapid response team for cross-border security.

10.1.3 Long term target 2040

• Indonesia must attain the highest cyber resiliency level across all sectors, including the ability to anticipate, withstand, mitigate, respond, and recover from major cyber incidents.

• Indonesia should be able to become a cybersecurity leader and enabler in specific domains.

• Indonesia needs to actively participate in creating global norms and guidelines for cyberspace, encouraging responsible behavior and collaboration between countries.

Policy Areas and Key Stakeholders

1st Pillar: Strengthening Cybersecurity Infrastructure

Immediate Action:
• Conduct cybersecurity audits and vulnerability assessments across critical infrastructure.
• Establish incident response and recovery plans tailored to critical sectors (energy, healthcare, etc.).
• Establish SOC for continuous monitoring of government and SOE networks.

Medium-term Action:
• Implement regular penetration testing, red teaming, and cyber exercises for critical infrastructure sectors.
• Expand SOC capabilities with AI-driven monitoring and response systems.

Long-term Action:
• Fully integrate SOC across all sectors to enable real-time threat intelligence and response coordination.
• Upgrade SOC with next-gen technologies like AI and machine learning.

Key Stakeholders: Kadin; Coord. Ministry of Politics, Law, and Security; MOCI; MOD; Cybersecurity Agency; SOE; Indonesia National Police; Indonesia National Army; House of Representatives; State Intelligence Agency; Private sector; Academia; Research Institutions; Industry association; IGO

2nd Pillar: Enhancing Cybersecurity Regulatory and Legal Framework

Immediate Action:
• Review and enhance cybersecurity laws aligning with global standards (e.g., SNI/ISO/IEC 27001, GDPR).
• Define Government Policy and Operational Roles, and Responsibilities, particularly with respect to the cybersecurity agency, the National CSIRT, the National Emergency Management Authority

Medium-term Action:
• Elevate Cyber Security to the Highest Levels of Government via key Presidential Advisory.
• Develop sector-specific cybersecurity regulations (healthcare, finance, etc.) in collaboration with regulatory bodies.
• Strengthen compliance mechanisms and enforcement through regular audits.

Long-term Action:
• Ensure regular updates to cybersecurity regulations in response to evolving global cybersecurity frameworks.
• Establish a fully centralized governance model under the cybersecurity agency to ensure seamless law enforcement across all sectors.

Key Stakeholders: Kadin; Coord. Ministry of Politics, Law, and Security; MOCI; MOD; MOHA; MSABR; Attorney General’s Office; Cybersecurity Agency; SOE; MOH; MOF; MOI; Indonesia National Police; Indonesia National Army; House of Representatives; State Intelligence Agency; Private sector; Academia; Research Institutions; Industry Association; IGO; OJK; Central Bank of Indonesia

3rd Pillar: Developing a Skilled Cybersecurity Workforce

Immediate Action:
• Designate Government Agency Lead for Cyber Education and Awareness Raising.
• Incentivizing ICT and STEM Courses via scholarships or other initiatives.

Medium-term Action:
• Design cyber education through informal avenues such as MOOC, workshop, mentorship, etc.
• Build comprehensive cybersecurity education and training programs at schools and universities.
• Develop internships, micro-credentials, and apprenticeships for cybersecurity roles.
• Initiate standardized certification programs for professionals and organizations.

Long-term Action:
• Establish Indonesia as a regional hub for cybersecurity expertise through international collaborations.
• Launch continuous professional development programs tailored for cybersecurity staff.

Key Stakeholders: Kadin; MOCI; MOD; Cybersecurity Agency; MOE; SOE; Private Sector; Education Institutions; Academia; Civil society; Practitioner; Media; Industry association; Think Tanks; Philanthropic; Local government

4th Pillar: Fostering Public-Private Partnerships

Immediate Action:
• Develop real-time threat intelligence sharing platforms.
• Establish a Cyber Incident Review Board that includes key public and private stakeholders.

Medium-term Action:
• Strengthen law enforcement and private sector collaboration for combating cybercrime.
• Foster cross-sector collaboration through Kadin-led cybersecurity exercises.

Long-term Action:
• Formalize long-term collaboration agreements with global cybersecurity leaders for threat intelligence sharing.
• Create a self-regulatory organization for cybersecurity management.

Key Stakeholders: Kadin; MOCI; MOD; Cybersecurity Agency; SOE; Attorney General’s Office; Indonesia National Police; Indonesia National Army; House of Representatives; State Intelligence Agency; Private sector; Industry Association; Media

5th Pillar: Adopting Global Cybersecurity Best Practices

Immediate Action:
• Require immediate adoption of internationally recognized cybersecurity standards/Risk Management Practices (e.g., SNI/ISO/IEC 27001, NIST CSF, RMF).
• Incentivize Attack Surface Management (ASM) adoption across SOEs and private organizations.

Medium-term Action:
• Develop guidance and/or incentivise the adoption of Zero Trust security across sectors.
• Mandate continuous monitoring and visibility programs for all critical organizations.

Long-term Action:
• Achieve national leadership in cybersecurity by aligning Indonesia’s standards with global best practices.
• Conduct annual reviews to update standards as per evolving global benchmarks.

Key Stakeholders: Kadin; Coord. Ministry of Politics, Law, and Security; MOCI; MOD; Cybersecurity Agency; SOE; Attorney General’s Office; Indonesia National Police; Indonesia National Army; House of Representatives; State Intelligence Agency; Private Sector; Academia; Research Institutions; Industry Association; IGO

6th Pillar: Strengthening Local Players in Indonesia Cybersecurity Industry Growth

Immediate Action:
• Protecting local players with policy support such as enforcing local content mandates, encouraging local companies with supportive procurement policies, and implementing anti-dumping laws.
• Set up cybersecurity innovation hubs to drive local innovation and startup growth.
• Begin the establishment of a Self-Regulatory Organization (SRO) to develop and implement cybersecurity standards and certification programs.

Medium-term Action:
• Expand R&D grants and tax incentives for local cybersecurity firms and innovation hubs.
• Allocate a portion of government cybersecurity projects for Indonesian local companies.
• Mandate top global enterprises to transfer technology and knowledge to Indonesian local companies via licensing, partnerships, or joint ventures.

Key Stakeholders (immediate and medium-term actions): Kadin; MOCI; MOI; MOT; KPPU; LKPP; Private Sector; Industry association; BRIN; Academia; Venture Capitalists; Angel Investors

Long-term Action:
• Using solutions from local companies for advanced threats, to bring technological independence by reducing reliance on foreign technologies.
• Maintaining sustainable innovation by strengthening intellectual property (IP) rights protection and commercialization for local innovation.
• Achieving global cybersecurity leadership by positioning Indonesia as a global leader in cybersecurity standards and practices.

Key Stakeholders (long-term actions): Kadin; MOCI; MOI; MOT; MLHR; MOFA; Private Sector; Industry Association; BRIN; Academia

Financing Pathways

Options: State budget, investment, grants, CSR, PPP, foreign aid, Government Cooperation with Business Entities (KPBU), innovation matching funds, and blended finance.

10.2 Measuring Success

Key Performance Indicators for Indonesia’s Cybersecurity Strategy

1st Pillar: Strengthening Cybersecurity Infrastructure
1.1 Frequency of audits and assessments
1.2 Time to patch critical vulnerabilities
1.3 Incident response time (Mean Time to Respond-MTTR)
1.4 Recovery Time Objective (RTO)
1.5 Number of sector-specific SOCs established
1.6 Rate of information sharing between the national SOC and sector-specific SOCs

2nd Pillar: Enhancing Regulatory and Legal Framework
2.1 The quantity of cybersecurity laws that conform to global norms
2.2 Regulatory compliance rate
2.3 Frequency of legal framework updates
2.4 Number of organizations with a dedicated CISO

3rd Pillar: Developing a Skilled Cybersecurity Workforce
3.1 Total number of trained cybersecurity professionals
3.2 Number of colleges that grant degrees in cybersecurity
3.3 The degree of public knowledge on cybersecurity threats
3.4 Number of participants in upskilling programs

4th Pillar: Fostering Public Private Partnerships and Collaboration
4.1 Number of public-private partnerships formed
4.2 Frequency of threat intelligence sharing
4.3 Number of joint R&D projects initiated
4.4 Number of Cyber Incident Review Boards forged

5th Pillar: Adherence to International Cybersecurity Standards
5.1 Number of organizations adhering to international standards
5.2 Frequency of cybersecurity audits
5.3 Adoption rate of risk management frameworks
5.4 Number of organizations achieving specific CMMC level

6th Pillar: Strengthening Local Players in Indonesia Cybersecurity Industry Growth
6.1 Policy and Regulatory Support
6.2 Fostering a Competitive and Resilient Local Industry
6.3 Local Firms’ Participation in Government Projects
6.4 Technology Transfer and Fair Competition

Exhibit 10.2 Key Performance Indicators for Indonesia’s Cybersecurity Strategy

Pillar 1: Strengthening Cybersecurity Infrastructure
1.1 Frequency of audits and assessments:
In order to find flaws and vulnerabilities in systems and procedures before attackers can take advantage of them, regular audits and assessments are helpful. Generally speaking, a higher frequency denotes a more proactive security posture. The risk profile of the systems being audited should dictate how frequently these audits occur.

Aim for at least once a year for critical infrastructure companies and more frequently for businesses that pose a higher risk.

1.2 Time to patch critical vulnerabilities:
This indicator assesses how fast a company can address serious security flaws in its hardware and software. Attackers have a smaller window of opportunity when patches are applied more quickly. This is a crucial sign of how well-equipped a company is to handle threats.

Aim for less than 2 hours, with continuous improvement towards real-time response.

1.3 Incident response time (Mean Time to Respond-MTTR):
The duration required to identify, contain, and resolve a cybersecurity incident is measured by MTTR. A lower MTTR means an organization can minimize damage and downtime caused by attacks. This is an important indicator of how prepared a company is for cybersecurity threats.

Less than 2 hours, with continuous improvement towards real-time response.

1.4 Recovery Time Objective (RTO):
The maximum allowable time to restore a system or service following an outage is defined by the RTO. A shorter RTO is a sign of a more resilient company that can recover from setbacks fast. Maintaining vital services and reducing downtime depend on this.

Aim for less than 4 hours for critical systems, with well-tested recovery plans.

1.5 Number of sector-specific SOCs established:
Within critical infrastructure sectors, sector-specific Security Operations Centers (SOCs) facilitate specialized threat intelligence exchange and incident response. An increased number of SOCs points to a more effective and well-coordinated defense across several industries. This demonstrates an industry-wide commitment to cybersecurity.

At least one dedicated SOC per critical sector, integrated with the national SOC.

1.6 Rate of information sharing between Indonesia’s SOC and sector-specific SOCs:
For rapid threat identification and response, sector-specific SOCs and the national SOC must effectively share information. A high sharing rate promotes effective teamwork and makes it possible to comprehend the danger landscape more thoroughly. A concerted national cybersecurity effort requires this.

Enable real-time, automated sharing of threat intelligence and incident reports between the national SOC and sector-specific SOCs.

Pillar 2: Enhancing Regulatory and Legal Framework

2.1 The quantity of cybersecurity laws that conform to global norms:
A country’s alignment with international cybersecurity standards like SNI/ISO/IEC 27001 and GDPR demonstrates its commitment to robust cybersecurity practices. This alignment fosters trust in digital services, facilitates cross-border data flows, and strengthens the overall cybersecurity posture, indicating a dedication to protecting data and systems in the digital age.

100% alignment with key standards like SNI/ISO/IEC 27001 and GDPR within 3 years.

2.2 Regulatory compliance rate:
Cybersecurity compliance rates reflect the percentage of organizations adhering to established regulations within a jurisdiction. High compliance suggests effective enforcement and strong cybersecurity awareness, contributing to a more secure environment, while low compliance may indicate awareness gaps, enforcement challenges, or overly burdensome regulations.

Achieve at least 90% compliance with cybersecurity regulations within 5 years, with stricter targets for critical sectors.

2.3 Frequency of legal framework updates:
The frequency of updates to a country’s cybersecurity laws reflects its proactive approach to addressing new threats and technologies. Regular updates ensure a robust and effective legal framework, while infrequent updates can leave organizations vulnerable due to an outdated legal landscape.

Review of cybersecurity rules and regulations once a year to keep pace with the developments in technology and threats.

2.4 Number of organizations with a dedicated CISO:
The prevalence of Chief Information Security Officers (CISOs) within organizations signifies a strong commitment to cybersecurity. CISOs provide expertise and leadership to manage risks, foster a security-conscious culture, and align cybersecurity with business goals, ultimately enhancing an organization’s cybersecurity maturity.

Ensure 100% of critical infrastructure organizations and large enterprises have a Chief Information Security Officer (CISO) within 4 years.

Pillar 3: Developing a Skilled Cybersecurity Workforce

3.1 Total number of trained cybersecurity professionals:
The number of people who have obtained cybersecurity education or training is tracked by this measure. These could be online courses, workshops, official degrees, or certifications. It sheds light on the pool of talent that is accessible for cybersecurity positions.

Train at least 500,000 new cybersecurity professionals within 3-5 years, with a focus on critical sectors.

3.2 Number of colleges that grant degrees in cybersecurity:
This refers to the number of universities and other educational establishments that provide formal courses (such as bachelor’s or master’s degrees) with a cybersecurity concentration. This shows how much is being invested in training the next generation of cybersecurity experts.

Establish and develop at least 10 universities with dedicated cybersecurity undergraduate and postgraduate programs within 3 years.

3.3 The degree of public knowledge on cybersecurity threats:
This assesses how well-informed the general population is about cybersecurity threats, hazards, and best practices. It demonstrates how knowledgeable people are about internet safety and their capacity for self-defense. Surveys, tests, and the observation of security measure adoption can all be used to gauge this.

Achieve 80% public awareness on basic cybersecurity hygiene within 5 years through national campaigns.

3.4 Number of participants in upskilling programs:
This monitors the number of people who are actively participating in courses intended to improve their current cybersecurity expertise. To address new threats and technology, these programs may involve workshops, certifications, or specialized training. This indicates a dedication to lifelong learning and professional growth for cybersecurity professionals.

Upskill at least 10,000 IT professionals in specialized cybersecurity areas within 3 years.

Pillar 4: Fostering Public-Private Partnerships and Collaboration

4.1 Number of public-private partnerships formed:
This measures the degree to which formal collaboration on cybersecurity projects occurs between public and commercial sector entities. These collaborations can be in the form of cooperative research initiatives, information sharing agreements, or joint task forces, among other things. A higher figure denotes a stronger dedication to shared cybersecurity responsibility and cooperative defense.

Formalize at least 10 major public-private partnerships in cybersecurity within 2 years, with at least one focused on each critical sector.

4.2 Frequency of threat intelligence sharing:
This gauges the frequency with which various institutions exchange cybersecurity-related information about risks, vulnerabilities, and attack techniques. Numerous metrics, including the quantity of data exchanged, the frequency of meetings and communications, and the number of alerts shared, can be used to monitor this. Higher frequency typically indicates improved cooperation and communication when reacting to cyberthreats.

Real-time sharing of actionable threat intelligence between government and private sector via a dedicated platform.

4.3 Number of joint R&D projects initiated:
This monitors the number of collaborative research and development initiatives with a cybersecurity focus. Through these projects, several organizations collaborate to create innovative technology, approaches, and strategies to deal with cybersecurity issues. A greater figure suggests more funding for innovation and a team effort to improve cybersecurity skills.

Initiate at least 5 collaborative research and development projects in cybersecurity within 3 years, involving the public, private, and academic sectors with an emphasis on fields like AI-driven security.

4.4 Number of Cyber Incident Review Boards forged:
This assesses the official entities established to examine and assess noteworthy cybersecurity incidents. Experts from several companies or sectors usually serve on these boards, collaborating to comprehend the origins, effects, and reactions to incidents. An increasing number of boards suggests a stronger focus on enhancing future cybersecurity posture and drawing lessons from previous occurrences.

Within 2 years, create at least one sector-specific board for critical infrastructure and one national Cyber Incident Review Board.

Pillar 5: Adherence to International Cybersecurity Standards

5.1 Number of organizations adhering to international standards (NIST, ISO):
This monitors the number of companies that have embraced and put into practice well-known cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework or SNI/ISO/IEC 27001 (information security management). Adhering to these guidelines indicates a dedication to methodical security procedures and frequently entails external evaluations or accreditations.

100% compliance with SNI/ISO/IEC 27001 or NIST Cybersecurity Framework for critical infrastructure organizations within 5 years, with voluntary adoption for others.

5.2 Frequency of cybersecurity audits:
This gauges how frequently businesses assess their cybersecurity posture through internal or external audits. Frequent audits assist in finding weaknesses, evaluating standard compliance, and guaranteeing the efficacy of security procedures. A more proactive and sophisticated approach to security management is typically indicated by higher frequency.

Annual audits for all organizations, with more frequent audits for high-risk entities and critical infrastructure.

5.3 Adoption rate of risk management frameworks:
This measures the proportion of companies that have explicitly implemented a framework for risk management in order to recognize, evaluate, and reduce cybersecurity threats. Frameworks such as NIST SP 800-30 offer an organized method for managing risk and assisting organizations in setting security priorities according to their unique requirements and the threats they face.

80% adoption of comprehensive risk management frameworks (like NIST CSF or FAIR) across large organizations and critical sectors within 5 years.

5.4 Number of organizations achieving specific CMMC levels:
The Cybersecurity Maturity Model Certification (CMMC) program mandates that defense contractors adhere to particular cybersecurity requirements. There are various maturity levels for the CMMC; higher levels correspond to more sophisticated cybersecurity procedures. This indicator shows the number of organizations that have attained each certification level.

Within 3 years, target certain CMMC levels for defense and sensitive industry firms based on their risk profile and data sensitivity.

Pillar 6: Strengthening Local Players in Indonesia Cybersecurity Industry Growth

6.1 Policy and Regulatory Support:
This measures the impact of policy and regulatory intervention such as local content, preferential treatment, regulatory simplification, and anti-dumping law on the business growth of local firms, in the form of market share that signifies a substantial shift towards prioritizing local providers.

Increase market share for local firms and reduce reliance on foreign products to 30-40%. While complete self-reliance may not be feasible, this shows significant progress in building domestic capacity.

6.2 Fostering a Competitive and Resilient Local Industry:
This tracks how R&D grants, tax incentives, research collaboration between industry and universities, as well as IP protection lead to the creation of new local cybersecurity companies and innovation. A bigger number for this metric indicates a vibrant and growing ecosystem with new players emerging.

A thriving local cybersecurity industry in Indonesia should see 30-50 new companies and startups, 5-10% annual R&D growth, and new patents filed annually, demonstrating a commitment to innovation and technological advancement.

6.3 Local Firms’ Participation in Government Projects:
This gauges the uplift of local companies’ participation in procurement and government cybersecurity projects generated from procurement set-aside mode, standardization, capacity building, mentorship, pilot projects, and business incubation. This ensures widespread involvement and opportunity for local businesses.

To significantly boost local companies’ participation in government cybersecurity projects, the goal is to have 30-40% of local companies becoming capable of independently leading large-scale projects.

6.4 Technology Transfer and Fair Competition:
This monitors the inflow of advanced technologies and knowledge derived from technology licensing, Value Added Reseller (VAR) and enterprise reseller business models, transfer agreements, joint ventures, and knowledge sharing initiatives.

Indonesia aims to facilitate 3-7 major technology transfer agreements or joint ventures each year, involve 500-1,000 local professionals in knowledge sharing, and ensure that local companies maintain majority ownership in critical cybersecurity infrastructure.

Appendices



Appendix A: Mastercard RiskRecon Overview

Mastercard’s innovative technology, RiskRecon, allows organizations to monitor the security programs of third parties and business associates based on their internet presence alone. Through close collaboration with governments worldwide, RiskRecon offers improved third-party risk management and better cyber hygiene. It does not require any proprietary information, permissions, disclosures, or invasive scans; it observes only what is directly available on the internet.

Unique Technology and Data Ownership
RiskRecon uses proprietary techniques that combine algorithmic and machine learning processes to discover the global IT profile of any internet-facing domain. A discovery process would involve all the systems managed by an entity, systems outsourced by them, including fourth-party domains such as Amazon, GoDaddy, and Azure. Once a system has been identified, RiskRecon captures its network information, geolocation, and all the corresponding host details. It captures in-depth security measurements through direct observation and data collection across nine security domains and 40 unique security criteria.

Unlike competitors that leverage bought databases or licensed feeds, RiskRecon owns its data. Owning the data allows the firm to create highly accurate information (a false positive rate of less than 1.0 percent) and provide a thorough, detailed data set to customers. Owning the data set in this way also enables RiskRecon to innovate rapidly, adding new measurements or scanning for additional exposures as new vulnerabilities emerge.

Automated Asset Value and True Risk Prioritization
In addition, understanding asset importance with the severity of an issue creates the critical capability to understand actual risk. RiskRecon automatically combines both of these, the issue severity and the asset’s risk categorization, to determine true risk.

RiskRecon runs all that data against sophisticated models, generating an asset value profile that characterizes each IT system as high, medium, low, or idle value. Where issue severity calculates the likelihood of a system being compromised, asset value calculates the impact should that system be compromised. It may be an online banking system or an electronic commerce portal. This is a high-value asset since it contains very sensitive information like names, credit card numbers, and login credentials. In contrast, the marketing website, if hosted separately, may be considered a low-value asset in that it does not ask for sensitive data from its visitors, and it is not linked to those systems that do.

Together, asset value and issue severity measurements for each system, combined with the specific risk policy of its clients, enable RiskRecon to provide customer-specific, risk-prioritized action plans for monitored companies, along with all the supporting evidence needed to identify precisely which issues make the biggest difference to the risk. Whereas competitors provide mere lists or categorizations of the problems based on criticality, RiskRecon delivers prioritized action plans that identify the small set of issues that most make a difference in risk reduction. This enables clients to understand specific risk quantification and drive dramatic improvement in risk reduction and process efficiencies.



Accurate, Deep, and Broad Security Measurements
RiskRecon measures each control through direct observation and analysis of an entity’s internet-facing systems. The company provides the most accurate, deep, and broad security measurements made up of 40 unique criteria by directly observing an organization’s internet-facing footprint. Since RiskRecon has full control over data quality and timeliness, it has a false positive rate less than 1.0%.

Traditional solutions rely on threat intelligence feeds, which are inherently noisy and prone to false positives, and supplement these with purchased, dated IT asset databases. Without full control over the results, they can never ensure accuracy nor provide the evidence required to properly remediate findings.

Supply Chain Explorer for Vulnerability Triage and Situational Awareness
RiskRecon delivers ad-hoc search to provide instant IT and security visibility across an organization’s portfolio, and deep into individual third parties. Examples of this include instantly determining which third-party systems can be vulnerable to a new security vulnerability, which suppliers store data in an unapproved hosting provider or new country, and fourth-parties and concentration risks are easily identified. Indirect data sources were also added to its Data Search feature to expand knowledge of fourth-party relationships, such as vendors’ vendors, further down the supply chain and expand the capability for vulnerability impact.

Data Gathering and Accuracy
RiskRecon has a very accurate system in place for finding an organization’s internet-facing systems and finding problems in security, thus helping identify an organization’s vulnerable points on the internet. Being concerned with the accuracy of its data, it periodically audits data with third-party security firms to verify this. At the time of the last review, RiskRecon’s data was certified to have an accuracy rating of 99.1%. The company does further work in refining their methodology to keep accuracy rates at or above this level.

Risk-Prioritized Findings
RiskRecon offers risk-prioritized findings for exact identification and efficient eradication of an organization’s most critical third-party security risks. The SaaS service delivers the data-driven evidence necessary to rapidly identify and remediate security weaknesses on the externally facing systems associated with the companies being monitored.

Instead of overwhelming an organization with long lists of issues, RiskRecon provides risk-prioritized findings, action plans, and risk-adjusted ratings. Its customized analytics assess the IT systems of each third party to identify all security issues and calculate the asset value of each system, that is, the magnitude of resulting business impact if that system is compromised.

Measurement Criteria and Scoring


RiskRecon assesses nine security domains through direct observation and analysis of an entity’s internet-facing
systems:

1. Software Patching
2. Web Application Security
3. Network Filtering
4. Web Encryption
5. System Reputation (e.g., Command and Control, Botnet, Phishing)
6. Breach Events
7. System Hosting
8. Email Security
9. DNS Security

RiskRecon is the only provider with a true risk-responsive rating model. From its data, the company provides
risk-adjusted weighting to each and every one of the security criteria and domains. The overall risk performance of
each company with a rating falls within the range from 0. These risk-based scores are further classified, based on
performance, into performance tiers of A, B, C, D, or F. This combination of performance tier and risk score provides
an intuitive, risk-informed understanding of the cybersecurity maturity and risk posture of any entity.



Appendix B: Identify Step in NIST Cybersecurity Framework

The Identify function lays the groundwork for an effective cybersecurity program. This pillar focuses on developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. By identifying critical functions and the related cybersecurity risks, organizations can prioritize their efforts in line with their risk management strategy and business needs.

Appendix C: Protect in NIST Cybersecurity Framework

The Protect function outlines the safeguards necessary to ensure the delivery of critical infrastructure services. This pillar emphasizes the implementation of appropriate safeguards to protect organizational systems, assets, and data from cybersecurity threats. By developing and implementing these protection mechanisms, organizations can limit or contain the impact of potential cybersecurity events.

Appendix D: Detect Function based on NIST Cybersecurity Framework

The Detect function focuses on identifying the occurrence of cybersecurity events in a timely manner. This pillar is crucial for the early detection of anomalies and incidents, enabling organizations to respond promptly and mitigate potential damage.

Appendix E: Respond based on NIST Cybersecurity Framework

The Respond function details the steps necessary to take action regarding a detected cybersecurity event. This pillar involves developing and implementing appropriate activities to respond to detected incidents and mitigate their impact. Controls in this section focus on response planning, communication, analysis, mitigation, and improvements. By establishing a robust response framework, organizations can manage and contain incidents effectively, reducing their potential harm.

Appendix F: Recover from Incident based on NIST Cybersecurity Framework

The Recover function emphasizes the importance of restoring services and capabilities following a cybersecurity incident. This pillar focuses on planning for resilience and the timely recovery of normal operations to reduce the impact of cyber incidents.



Appendix G: Basic Control Families

1. Management Responsibility:
Understand existing cyber threats, and devise a work plan to close cyber defense gaps.

2. Avoid Malicious Code:
Use technologies to cope with malware, and update the organization system defenses.

3. Encryption:
Encrypt remote access of employees and suppliers, using commercial encryption means. Encrypt access to sensitive data, use an encrypted communication medium (both from domestic surfing through wireless networks to the organization and vice versa to customers and suppliers).

4. Cloud Computing and Software Purchase:
Require (contractually) the supplier to comply with common software and data protection standards.

5. Data Protection:
Define protection mechanisms to protect data existing in the organization.

6. Computer Protection:
Define a required computer defense level, including changing equipment default passwords, removing unnecessary software programs, blocking redundant connections, and removing unnecessary admin accounts.

7. Human Resources:
Instruct new employees and remove former employees’ authorizations.

8. Documentation and Monitoring:
Document and monitor exceptional activities, which may attest to cyber threats.

9. Network Security:
Ensure that network access is under the organization’s control (suppliers and employees cannot connect remotely at will) and that the network is prepared to withstand denial of service attacks.

10. Business Continuity:
Recover capabilities from site failures, deletion of data, file blocking.



Appendix H: Guide for Regulators on Mapping and Rating Organizations in Critical
Infrastructure

Introduction:
This guide is intended for regulators and provides tools for risk assessment and classification of organizations
within critical infrastructure sectors. This process is essential to ensure that regulatory measures are appropriately
tailored to the risk level and operational significance of each organization.

Importance of Mapping and Rating:


Understanding the risk profile and operational importance of organizations within critical infrastructure sectors is vital. It allows regulators to prioritize resources, enforce targeted regulations, and ensure that the most critical components of the nation’s infrastructure are adequately protected against cyber threats.

Incorporating Supply Chain Considerations:


1. Supply Chain Dependency:
Assess how much an organization relies on its supply chain. Those heavily dependent are at higher risk of disruption and cyber threats.

2. Supply Chain Resilience:
Evaluate the resilience of the supply chain to disruptions such as natural disasters, geopolitical tensions, or cyberattacks.

3. Third-Party Risk:
Identify and assess risks from third-party service providers and suppliers, especially those involving critical services or components from regions with lax cybersecurity measures.

4. Supply Chain as a Cyber Threat Vector:
Consider the potential for the supply chain to serve as a conduit for cyber threats.

Updated Risk Assessment Table with Supply Chain Considerations


Include columns for assessing supply chain risk alongside traditional risk factors such as market dependency,
economic impact, and data sensitivity.

Guidance for Regulators with a Focus on Supply Chain:


• Regulators should use the enhanced risk assessment framework to understand how supply chain factors influence an organization’s overall risk profile.
• Organizations identified with significant supply chain risks may require additional oversight, such as audits of suppliers and third-party risk management practices.

Appendix I: Regulatory Risk Assessment Checklist

Organizational Impact

1.1 Essential Services
Question:
Does the organization provide essential services that, if disrupted, would have a significant impact on public safety or national security?

1.2 Economic Impact
Question:
How significant is the organization’s role in the national or regional economy?

1.3 Monopoly Status
Question:
Is the organization a sole provider of critical services or products in its market?

Data Sensitivity

2.1 Type of Data Handled
Question:
Does the organization handle sensitive or regulated data such as PHI (Protected Health Information), PCI (Payment Card Industry data), or government data?

2.2 Volume of Data
Question:
What is the volume of sensitive data processed or stored by the organization?

Dependency and Interconnectivity

3.1 Supply Chain Dependency
Question:
How dependent is the organization on its supply chain?
Consideration:
Are there critical components or services sourced from high-risk vendors or regions?



3.2 Interdependency
Question:
Is the organization part of a critical infrastructure network whose disruption could cascade to other sectors?

Cybersecurity Posture

4.1 Current Security Measures
Question:
What cybersecurity measures does the organization currently have in place?
Consideration:
Are they compliant with national and international standards?

4.2 History of Breaches
Question:
Has the organization experienced any significant cyber incidents in the past?
Consideration:
What was the impact?

Third-Party and Vendor Risks

5.1 Third-Party Management
Question:
Does the organization have a robust third-party risk management program?

5.2 Vendor Security Assessment
Question:
Are vendors and third parties assessed regularly for compliance with security requirements?

Resilience and Recovery

6.1 Business Continuity Planning
Question:
Does the organization have an established and tested business continuity plan?

6.2 Disaster Recovery Capabilities
Question:
What are the organization’s capabilities for recovering from a significant cyber incident or physical disaster?

Compliance and Regulatory

7.1 Regulatory Compliance
Question:
Is the organization compliant with relevant sector-specific regulations?

7.2 Reporting and Transparency
Question:
Does the organization adhere to required reporting and transparency standards concerning cyber threats and incidents?

Risk Level Determination

High Risk:
Organizations that are critical to national security or public safety, handle large volumes of sensitive data, or have significant dependencies on potentially risky supply chains.

Medium Risk:
Organizations that have a moderate impact on the economy or public services and have implemented adequate but not comprehensive cybersecurity measures.

Low Risk:
Organizations that have minimal impact on critical services or infrastructure, face lower cybersecurity threats, and maintain good security practices.

Guidance for Regulators

9.1 Use of Checklist
Guidance:
Regulators should use this checklist during audits and assessments to determine the organization’s risk level systematically.

9.2 Frequency of Assessments
Guidance:
High-risk organizations may require more frequent and detailed assessments compared to medium or low-risk organizations.

9.3 Tailored Regulations
Guidance:
Based on the assessment, regulators may need to apply tailored regulatory measures to ensure that higher-risk organizations meet stricter security standards.

Additional Questions for Specific Sectors
Note: Tailor additional questions to address unique sector-specific risks, such as energy source diversity for the energy sector or transaction security for the financial sector.

Energy Sector

10.1 Infrastructure Criticality
Question:
How critical is the organization’s infrastructure to the national power grid or energy supply chain?

10.2 Regulatory Compliance
Question:
Is the organization compliant with national and international energy sector regulations (e.g., NERC CIP in the U.S.)?



10.3 Environmental Risks
Question:
Are there any environmental risks that could impact the organization’s operational capabilities?

10.4 Energy Source Diversity
Question:
Does the organization rely on a single energy source, or does it have diversified energy sources that could mitigate supply disruptions?

10.5 Physical Security Measures
Question:
What level of physical security is in place to protect critical energy infrastructure from sabotage or terrorist attacks?

10.6 Cyber-Physical Systems Security
Question:
How are cyber-physical systems protected against potential cyber attacks that could cause physical disruptions?

10.7 Redundancy and Failover Capabilities
Question:
Are there adequate redundancy and failover mechanisms in place to ensure continuous operation during an incident?

Financial Sector

10.1 Compliance with Financial Regulations
Question:
Is the organization compliant with major financial regulations such as Basel III, Dodd-Frank, or local banking regulations?

10.2 Exposure to Financial Crime
Question:
What measures are in place to prevent exposure to financial crimes such as fraud, money laundering, and terrorism financing?

10.3 Data Breach Impact
Question:
What would be the impact of a data breach, especially regarding customer financial information?

10.4 Systemic Importance
Question:
Is the organization considered systemically important to the financial stability of the country or region?

10.5 Investment in Cybersecurity
Question:
How much does the organization invest in cybersecurity relative to its size and the sensitivity of its operations?

10.6 Transaction Security Measures
Question:
What security measures are in place to protect transactions from cyber threats?

10.7 Audit and Control Procedures
Question:
How robust are the audit and internal control procedures concerning financial reporting and cybersecurity?

Guidance for Regulators

11.1 Sector-Specific Focus
Guidance:
Regulators should use these questions to focus their assessments on the unique aspects of each sector.

11.2 Risk Mitigation
Guidance:
Responses to these questions can help identify areas where risk mitigation measures are needed most urgently.

11.3 Regulatory Adjustments
Guidance:
Based on responses, regulators may need to adjust oversight intensity or focus, ensuring that organizations with higher risk exposures are more tightly regulated.

Adjustments and Highlights for Unique Sectors and Critical Infrastructures

12.1 General Provisions for Critical Infrastructure
Note:
This document serves as the baseline for cybersecurity across all critical infrastructures in Indonesia. While it provides comprehensive guidelines suitable for general application, specific adaptations and enhancements will be directed by sector-specific regulators.

Purpose:
These adaptations are necessary to address unique vulnerabilities and threats faced by critical infrastructures, ensuring both national security and public safety.

Additional Guidance:
Regulators will provide additional guidelines on aspects such as incident reporting, board involvement, and life safety protections tailored to the needs and risks of each sector.



Appendix J: Specific Cybersecurity Framework for Financial Institutions in Indonesia

1. Overview:
This annex outlines heightened cybersecurity expectations specifically for financial institutions in Indonesia,
including banks, insurance companies, and fintech firms. It focuses on high-risk financial operations such as credit
issuance, loan processing, and payment clearing systems.

2. Introduction to Cybersecurity Challenges in the Financial Sector:
The financial sector, pivotal to national and global economies, faces sophisticated cyber-attacks that threaten individual and institutional stability. This annex addresses these risks with sector-specific security measures.

3. Unique Cyber Threats to the Financial Sector:
• Credit Card Fraud:
High incidence of attacks targeting financial data to commit large-scale fraud.
• Banking Fraud:
Common use of phishing and malware to infiltrate systems and manipulate financial operations.
• Targeted Attacks:
High risk of operations disruption and market manipulation, impacting trust and causing reputational damage.

4. Regulatory Perspective and Systemic Risk:
Emphasis on stringent cybersecurity protocols to prevent breaches and ensure financial stability, including compliance with international standards like PCI-DSS.

5. Corporate Governance:
• Board of Directors and Senior Management: Ensure comprehensive oversight and alignment with cybersecurity initiatives and financial regulations.
• Chief Information Security Officer (CISO): Develop and enforce cybersecurity policies, enhancing sector-specific threat awareness and preparedness.

6. IT Risk Management Framework:
Focus on identifying and mitigating risks associated with financial transactions, ensuring data encryption and secure processing.

7. Operational and Technological Controls:
Implement advanced cryptographic solutions to secure transactions and protect against breaches in critical financial systems.

8. Incident Management and Response:
Establish advanced monitoring and real-time response capabilities to protect financial assets and sensitive customer information.

9. Conclusion:
Adherence to these tailored guidelines is crucial for protecting the financial sector against unique cyber threats, maintaining consumer trust and financial stability.

Appendix K: Cybersecurity Framework for the Energy Sector in Indonesia

1. Introduction to Cybersecurity Challenges in the Energy Sector:


Recognizing the energy sector as a backbone of national economy and security, this annex addresses its unique
cybersecurity challenges.



2. Unique Cyber Threats to the Energy Sector:
• Targeted Attacks on ICS: High risk to operational technology controlling energy generation and distribution.
• Ransomware and Insider Threats: Significant risks from both external attacks and internal vulnerabilities.
• Nation-State Attacks: Increasing concerns about external threats aiming to disrupt national infrastructure.

3. Governance and Regulatory Compliance:


Ensure alignment with national and sector-specific cybersecurity regulations, emphasizing compliance and strategic security initiatives.

4. Risk Management Framework:


Detailed focus on asset management and risk assessment specific to OT and ICS environments, highlighting the
critical nature of these systems.

5. Technical Controls and Security Measures:


Enhanced protections for network segmentation, ICS security, and physical and environmental controls to safeguard critical infrastructure components.

6. Incident Response and Business Continuity:


Develop comprehensive incident response strategies and business continuity plans to maintain operational integrity
and energy production.

7. Training and Awareness:


Sector-specific programs to educate and prepare personnel for unique security challenges faced by the energy
sector.

8. Conclusion:
This framework ensures the resilience of Indonesia’s energy sector against evolving cyber threats, promoting security and reliability of critical energy infrastructure.

These annexes provide a detailed regulatory approach tailored to the specific needs of the financial and energy sectors in Indonesia, enhancing the overall cybersecurity posture and readiness of these critical areas.

Appendix L: Incident Response Policy Template

1. Introduction
This policy outlines the approach that institutions in Indonesia should take to effectively manage cybersecurity
incidents.

2. Purpose
The purpose of this policy is to establish a structured framework for responding to cybersecurity incidents within critical sectors. It aims to define roles, responsibilities, and procedures to ensure a coordinated and effective response to incidents.

3. Scope
This policy applies to all institutions under the jurisdiction of Kadin in Indonesia. It covers all types of cybersecurity
incidents, including data breaches, ransomware attacks, and system outages.

4. Definitions
• Incident: An event that violates an organization’s security policies and could compromise the confidentiality, integrity, or availability of information systems.
• Incident Response Team (IRT): A designated group of individuals responsible for managing the response to cybersecurity incidents.
• Critical Systems: Systems that are essential to patient care and hospital operations, such as EHR systems, medical devices, and patient management systems.



5. Roles and Responsibilities
• Incident Response Team (IRT): Responsible for coordinating the response to incidents, including communication with stakeholders, containment, and recovery.
• Chief Information Security Officer (CISO): Oversees the incident response process and ensures compliance with regulatory requirements.
• IT Staff: Implement technical measures to contain and eradicate threats, and assist in the recovery process.
• Other Staff: Provide input on the impact of incidents on daily institutional activities and assist in prioritizing recovery efforts.

6. Incident Response Process
1. Detection and Reporting: All staff must report any suspected cybersecurity incidents immediately to the IRT.
2. Triage and Classification: The IRT will assess the incident’s severity and classify it according to its impact on operations.
3. Containment: The IRT will implement measures to contain the incident, such as isolating affected systems and disconnecting infected devices from the network.
4. Eradication: The IRT will work to remove the threat from the affected systems using advanced forensic tools.
5. Recovery: The IRT will restore affected systems from secure backups, prioritizing critical systems essential to institutional activities.
6. Post-Incident Review: The IRT will conduct a review of the incident to identify lessons learned and update the incident response plan as needed.

7. Incident Reporting
• Internal Reporting: The IRT must document all incidents and report them to institutional leadership and the CISO.
• External Reporting: Significant incidents, such as data breaches, must be reported to regulatory bodies like Kadin and the cybersecurity agency within the required timeframes.

8. Training and Awareness
All staff must undergo regular training on cybersecurity best practices and the incident response process. This training should include phishing simulations, tabletop exercises, and role-specific scenarios.

Appendix M: Incident Response Management based on the BSSN Regulation No.1 of 2024

According to BSSN Regulation No. 1 of 2024, incident response management consists of:
1. Cyber Incident Response Team
a. National Cyber Incident Response Team
b. Sectoral Cyber Incident Response Team
c. Organization’s Cyber Incident Response Team

This team is responsible for issuing cybersecurity warnings; formulating technical guidelines for incident handling; recording all reported incidents/complaints and providing initial handling recommendations to affected parties; triaging incidents based on established criteria to prioritize response; coordinating incident handling with relevant stakeholders; and performing other necessary functions. These other functions may include: addressing vulnerabilities in electronic systems; handling digital artifacts; notifying about potential threat observations; detecting attacks; conducting cybersecurity risk analyses; providing consultations on incident handling preparedness; and/or raising awareness and concern for cybersecurity.

2. Cyber Incident reporting


a. Complainant’s contact information
b. Cyber Incident description
c. Chronology of Cyber Incidents
d. Impact of attack



3. Cyber Incidents handling
a. Cyber incident response and recovery
A cyclical cybersecurity process that involves: preparing mitigation plans and recovery strategies for cyber incidents; analyzing and reporting on incidents when they occur; carrying out response and recovery actions to address the impact; and finally, improving security measures based on lessons learned to prevent future incidents.

b. Delivery of cyber incident information to related stakeholders
Cyber incident information should contain at least:
i. Type of cyber incident indication
ii. Information distribution code
iii. Affected systems and/or assets
iv. Mitigation recommendations

c. Dissemination of information

4. Cyber Incidents preparedness implementation


This regulates and mandates the electronic system operators including IIV providers, ministries, and agencies to
have adequate preparedness in responding to the cyber incident. This involves:

a. Development of Cyber Incident Response Plans:


Aims to detail how to handle various types of incidents, outlining procedures, roles and responsibilities, necessary
resources, recovery processes, and contact lists which must be regularly evaluated and updated.

b. Business Continuity Planning:


Aims to ensure that the operational side will not be disrupted through proper recovery strategies, timelines,
resource allocation, and staffing needs.

c. Regular Drills and Simulations:


Aims to regularly test the response plan and business continuity planning which must be conducted at least once every two years. [63]

[63] Peraturan Badan Siber dan Sandi Negara Nomor 1 Tahun 2024 tentang Pengelolaan Insiden Siber, BSSN. (2024)



Appendix N: National Occupational Map in the Indonesian National Qualification
Framework in the Area of Cybersecurity Function



Kadin INDONESIA
Indonesian Chamber of Commerce and Industry

Jl. H. R. Rasuna Said Blok X-5 No.Kav. 2-3, Kuningan, Jakarta 12950
www.Kadin.id
