• The vision and mission of cyber security and defense that have not been integrated, cooperation between institutions, especially under the auspices of the government, is the main key to the success of national cyber defense. Currently, the duties and functions of institutions under the Personal Data Protection Act are still not clearly defined.
• The quality and quantity of government institution personnel who have direct contact with cyberspace is still lacking in number and capacity. The increase in cybercrime cases in Indonesia has increased the need for personnel or human resources, increasing the number of personnel in related institutions is expected to strengthen the government’s work performance. It should be understood that in the context of cyber defense, it requires not only sophisticated equipment and infrastructure but also competent and qualified human resources. So that increasing the competence of internal personnel in government institutions is no less important and cannot be underestimated. This is because sophisticated infrastructure will not make a maximum contribution if it is not run by the right personnel.
• Absence of Cyber Threats Curriculum in Indonesia. In connection with the previous point regarding education to achieve the maximum potential of existing human resources, Indonesia needs a curriculum regarding cyber security not only for adults but should have been educated from an early age, because as time goes by, the cyber domain can not only be accessed by adults but as well as children who will one day become the nation’s successors. Therefore, cyber security education needs to be held immediately, so that the nation’s future generations can continue to follow developments in the digital realm safely and avoid potential cyber threats.
• Awareness or awareness of cyber security for leaders in Indonesia. It is known that many leaders in Indonesia still underestimate the issue of cybersecurity, this is judged by the devices and applications used which are insecure and very easy to hack. For example, personal communication media in the form of messages that are widely used by the public, are also used by state leaders as a medium of communication to discuss state issues. This is said to be very risky because apart from the high possibility of being accessed by irresponsible parties, the providers of these applications and devices are also able to find out about the country’s internal affairs in case of negligence, this issue has happened to leaders of other countries whose private message accounts have been hacked, This should serve as an example for the Indonesian government to be more careful and concerned about the communication media used, especially if the communication includes sensitive matters and is an internal state affair.
• Lack of critical infrastructure protection in Indonesia. According to the National Cyber and Crypto Agency, Critical Infrastructure is ”important infrastructure to support vital functions in society, such as health, safety, economics and social welfare. Any disruption or obstacles to critical infrastructure will have serious consequences for these vital functions. For example, critical infrastructure including Ports, Airports, Hospitals, Telecommunication Infrastructure, Financial and Banking Services, etc.” [9]. This is related to the readiness of the government and infrastructure control institutions in Indonesia which must prepare themselves to face potential threats in the cyber domain, especially after the socialization period for the Personal Data Protection Law ends in October 2024. Readiness for the protection of personal data needs to be assessed. repeated because it is one of the risk points, especially in the section on administrative fines, which are only intended for non-governmental parties, so it is necessary to redefine the sanctions that will be imposed if the violating party is part of a government institution or controller of vital infrastructure [10].
There are things that can be considered by the Indonesian government based on factors found using the fishbone method, related to Policies, Procedures, Equipment and People, including:
1. Prepare and increase awareness regarding potential cyber attacks that may occur after the two-year socialization period of the Personal Data Protection Law ends, in order to prepare supporting factors both in terms of implementing regulations and additions and improvements to the contents of the Personal Data Protection Law so that it can work optimally.
2. Explain and define in detail the contents of the Personal Data Protection Act regarding sanctions given to government agencies that manage and store personal data in the event of a personal data leak. Because the Personal Data Protection Act only explains the obligations and sanctions aimed at companies or non-governmental data controllers.
3. Adding the principle of transparency to the Personal Data Protection Act which includes provisions regarding the time when personal data is collected, processed and stored by the personal data manager [11].
4. Explain and reaffirm the division of authority between government agencies responsible for national cyber security and institutions that are data controllers and manage and store public personal data under the auspices of the Personal Data Protection Act. Comprehensive and synergistic division of tasks and authorities from responsible government agencies will be a good foundation in particular for the implementation of the Personal Data Protection Law.
5. Permanently establish a Personal Data Protection Authority Agency or National Commission for Personal Data Protection so that the Personal Data Protection Act can be applied immediately to government agencies that store and manage public data, as well as private parties such as organizations and companies and other parties who are data managers personal. So that monitoring, sanctions and prevention of personal data leaks can be carried out.
6. Conduct periodic inspections of institutions, companies and organizations that are the managers of personal data to ensure that the cyber security system used to store and access data meets established security standards.
7. Collaborating with private parties working in the field of cyber security both from within and outside the country to establish cyber security standards that must be met by institutions and parties managing personal data, adapting to problems and potential data leaks that have occurred and may occur in Indonesia.
8. Increasing investment in the development of cyber security technology and devices in Indonesia for both government and private institutions. The cyber security system is a technology that is constantly changing and developing following the potential for cyber threats which are increasingly in various forms of attack so that investment especially provided by the Indonesian government will be a springboard for personal data managers so that they can immediately improve and increase the quality of the cyber security system. The Indonesian government needs to understand that investing in technology is an investment that requires a lot of money, but the impact and security provided are commensurate with what is being guarded, namely the personal data of the Indonesian people.
9. Holding a cyber security training program as part of mandatory qualifications for government agency personnel, especially those who have direct contact with the management and control of personal data. This is important to improve the quality and efficiency of personnel so that they can better deal with the tasks and functions they carry out.
10. Carrying out mass recruitment of young people who have qualifications in the field of cyber security as well as cyber security experts in Indonesia to participate in becoming part of data management institutions and personal data protection institutions. Bearing in mind and considering that government institutions, especially those responsible for cyber security and resilience, still need additional human resources, especially those who have competence in cyber security .