Cyber Security in Indonesia Post Establishment of The Personal Data Protection Law

Reporter: Agung Budiarto |

Editor: Agung Budiarto |

Jumat , 12 Jul 2024 - 21:26

8. Increasing investment in the development of cyber security technology and devices in Indonesia for both government and private institutions. The cyber security system is a technology that is constantly changing and developing following the potential for cyber threats which are increasingly in various forms of attack so that investment especially provided by the Indonesian government will be a springboard for personal data managers so that they can immediately improve and increase the quality of the cyber security system. The Indonesian government needs to understand that investing in technology is an investment that requires a lot of money, but the impact and security provided are commensurate with what is being guarded, namely the personal data of the Indonesian people.

9. Holding a cyber security training program as part of mandatory qualifications for government agency personnel, especially those who have direct contact with the management and control of personal data. This is important to improve the quality and efficiency of personnel so that they can better deal with the tasks and functions they carry out.

10. Carrying out mass recruitment of young people who have qualifications in the field of cyber security as well as cyber security experts in Indonesia to participate in becoming part of data management institutions and personal data protection institutions. Bearing in mind and considering that government institutions, especially those responsible for cyber security and resilience, still need additional human resources, especially those who have competence in cyber security .

11. Conduct socialization in the form of education regarding cyber security to the Indonesian people in order to create awareness of the importance of cyber security and the potential for cyber crimes that may occur in people’s lives.

12. cyber security curriculum as part of the education curriculum in Indonesia which is given as early as possible so that children from school age to tertiary education have awareness of cyber security and are able to protect themselves from potential cyber threats.

IV. CONCLUSION

As previously mentioned regarding the condition of cyber attacks in Indonesia, even though the personal data protection law has been passed and implemented since October 17 2022, personal data leaks still occur with various motives and modes. The public, organizations and/or companies and other data management institutions still do not fully understand the contents of the Personal Data Protection Law and the preventive measures that can be taken to continue to protect the management and storage of personal data. Considering that this Law is a new regulation, it is the first step for the government to provide outreach to parties who manage and own personal data regarding procedures, as well as rights and obligations contained in the Personal Data Protection Law as well as procedures for carrying out reporting. theft of personal data that affects data owners and managers [5].

Challenges in implementing the Personal Data Protection Law are also something that cannot be avoided. Naturally, challenges are things that can occur unexpectedly, therefore the synergy between the government as the main person responsible and the community must be strengthened to minimize losses that can occur. from personal data leaks. Even though the government’s responsibility as a data manager is greater, the role of the community is no less important in being more alert and observant of potential cyber crimes, especially in areas connected online. It is important for the public to understand and be aware of cybercrime actions so that personal data is not used illegally by irresponsible parties [5].

In an effort to create national cyber resilience, apart from the need for socialization from the government, cooperation from non-government parties such as the mass media is also needed to educate the public about potential threats in the cyber domain and ways to prevent them. It is hoped that the intensity of public education will increase the awareness of each individual and group regarding their personal data.

REFERENCES

[1] D. RI, ”Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 Tentang Pelindungan Data Pribadi,” Pemerintah Indonesia, Jakarta, 2022.

[2] W. Djafar, ”Hukum Perlindungan Data Pribadi di Indonesia : Lanskap, Urgensi dan kebutuhan Pembaruan,” Jurnal Fakultas Hukum Universitas Gadjah Mada , pp. 1-14, 2019.

[3] BSSN, ”bssn.go.id,” 9 Agustus 2022. [Online]. Available: https://www.bssn.go.id/indeks-keamanan-siber-indonesia- peringkat-ke-24-dari-194-negara-di-dunia/.

cyber security in indonesia post establishment of the personal data protection law                            farah diba tanzilla, margaretha hanita, bondan widiawan
national resilience study, sksg, university of indonesia, jakarta, indonesia salemba raya street no. 4, jakarta, indonesia 10430 corresponding author: dibatanzilla66@gmail.com
abstract – cyber security plays an important role in a country’s national cyber security and defense efforts. with strong cyber security, indonesia will be able to handle cybercrime problems and be able to survive potential cyber threats in the future which are increasingly diverse in form and mode. protecting personal data is part of efforts to safeguard the cyber domain which has become a new commodity in the current technological era. the indonesian government has just passed the personal data protection law at the end of 2022 which requires a two-year socialization and transition period until the end of 2024. during the socialization period, this law found that personal data leaks in indonesia are increasing, which is important for further research. therefore this study will aim to obtain an overview of the condition of cyber security in indonesia, especially after the passage of the personal data protection law, find the core problem of the issue of data leakage, and outline suggestions that can be made by the indonesian government as a form of support for efforts to strengthen cybersecurity in indonesia. 
this research uses a qualitative analytical descriptive approach, data was collected through literature study and interviews as primary data sources. from this research, it was found that indonesia is still in a precarious state of cybersecurity, where cyber threat issues still occur, including personal data leaks. four factors cause the problem of data leakage as well as a perspective in suggestions for solving problems in cyber security in indonesia, namely policies, procedures, equipment, and people.
keywords – cyber security, personal data protection, personal data leakage.
 
i. introduction
in general, based on law number 27 of 2022 concerning the protection of personal data, it is stated that ”protection of personal data is one of the contents of human rights which is part of personal self-protection, therefore a legal basis is needed to provide security for personal data based on the 1945 constitution of the republic of indonesia”. personal data protection aims to guarantee citizens’ rights to personal protection as well as to raise public awareness and guarantee recognition and respect for the importance of protecting personal data itself. the personal data protection act includes 76 articles that should guarantee data subjects the security of their data from parties who can access and use the data outside their control or illegally [1].
in chapter 1 article 1 of law number 27 of 2022 concerning the protection of personal data, it is defined that personal data is data from a person or individual that can be identified independently or combined with other information that directly or indirectly goes through systems, both electronic and non-electronic. information can be defined as ideas, statements, messages, data, facts, and explanations that can be processed by sight, and hearing, and presented in a format adapted to the development of information and communication technology. while the definition of personal data protection, is all efforts to protect personal data in a series of personal data processes, to guarantee the constitutional rights of personal data subjects. the subject of personal data is a person or individual whose personal data is attached to it, it is also defined that everyone is an individual or a corporation. in article 2 it is explained that this law applies to everyone, public bodies and international organizations that carry out legal actions and are covered by the requirements: 1) are within the jurisdiction of the republic of indonesia, 2) are outside the jurisdiction of the republic of indonesia but has legal consequences in the jurisdiction of the republic of indonesia, 3) the subject of personal data of indonesian citizens is outside the jurisdiction of the republic of
indonesia. it is emphasized that this law cannot be enforced in the processing of personal data by individuals in personal or household activities [1].
the digital revolution creates innovation and the ability to obtain, store, transmit, and manipulate data in real-time, complex, extensive, and even undetectable. the digital revolution is said to be synonymous with the data revolution because the digital revolution has resulted in the phenomenon of massive data collection without considering what type of data will be useful in the future. therefore, various parties compete to collect almost all the data that can be obtained, both the government and the private sector compete to increase the capacity of data storage systems and do very little to delete data. data managers are aware that data now has value and is a tangible and usable asset. this increases the need for personal data protection for data subjects or the public who own personal data [2].
proper cyber-security requires preparation and strategic steps to run quickly and on target. reflecting on countries that have had legal regulations in the form of personal data protection laws even decades ago, but until now they are still trying to strengthen the resilience of their cyberspace. indonesia is now in a better phase and position compared to previous years in the field of cyber-security. in 2017 indonesia was ranked 70th in the global security index (gci), increased in 2018 to rank 41, and ranked 24th in 2020 out of 194 countries in the world [3]. however, this title is not a guarantee of cyber security and resilience and indonesia should continue to strive to strengthen its national cyber defense as well as be prepared for the potential for non- traditional crimes in the cyber sphere, which are now increasingly in various forms, especially those related to personal data protection.
ii. research methodology
this research was conducted using descriptive-analytical methods and a qualitative approach. data was collected through literature study and interviews by researchers directly with several sources who are experts and observers in the field of cyber security and cyber security in indonesia. in the research process, researchers collected data on cases of cybercrime in indonesia, especially on the issue of leakage of personal data from 2020-2023, cases that occurred before the enactment of the personal data protection law until after it was enacted and during the socialization period of the law. new law. the large number of cases of personal data leakage in indonesia after the enactment of the personal data protection law deserves more attention, especially because until 2024 there will be a transition and socialization period which will become a benchmark for cyber defense preparations after the socialization period.
using the fishbone data analysis technique or fishbone diagram analysis according to prunckun to assess the cause and effect of a problem can then help to become a guide in collecting the data and information needed in this research.
 
iii. result and discussion
leakage of personal data after the enactment of the personal data protection act
before the existence of the personal data protection act, regulations or laws regarding personal data protection were divided and scattered in several laws and regulations which in fact could not be said to be specific and comprehensive so they still needed special laws regarding personal data protection. these laws include law number 11 of 2008 and law number 19 of 2016 concerning information and electronic transactions (ite), law number 39 of 1999 concerning human rights (ham), law number 14 of 2008 concerning public information disclosure, as well as law number 23 of 2006 and law number 24 of 2013 concerning population administration [4]. also law number 36 of 2009 concerning health states that every individual has personal rights and personal data protection, law number 57 paragraph 1 number 36 of 2009 which contains that every individual should participate in protecting people’s data [5].
since the enactment of the personal data protection law on october 17, 2022, it is known that indonesia has received 46,994,562 attacks in the period from october 2022 to july 2023. data obtained from the honeynet map page of the national cyber and crypto agency shows that indonesia received more attacks compared to a superpower like the united states which received 42,537,733 attacks, the recipient of cyber attacks in third place was india which received 42,090,699 attacks, fourth place china received 27,758,546 attacks, and fifth place is south korea which received 15,860,207 attacks [6].
during this period, the region in indonesia that was in the red zone, namely the recipient of the most cyber attacks, was riau province with a total of 115,736,475 attacks. followed by dki jakarta province with 40,683,588 attacks, central java
province with 37,774,936 attacks, west kalimantan province with 23,566,241, east java province with 22,409,586, bali province with 20,822,614 attacks, west java province with 18,204. 613 attacks, gorontalo province with 11,127,916 attacks, aceh province with 10,572,024 attacks, south sumatra province with 10,215,026 attacks, banten province with 5,810,746 attacks, north sumatra province with 2,486,656 attacks. other regions such as the riau archipelago province, bengkulu, lampung, central kalimantan, east kalimantan, south kalimantan, north sulawesi, south sulawesi, west nusa tenggara, and east nusa tenggara and west irian jaya received less than one million attacks. meanwhile, the provinces of west sumatra, jambi, bangka- belitung, west sulawesi, central sulawesi, southeast sulawesi, north maluku, and maluku did not receive cyber attacks during this period [6].
even though the personal data protection law has been formed, it was found that in the period i, namely from january to june 2023, there has not been a single case that was sanctioned in the form of a fine as a result of the leakage of personal data. in about six months, it is known that there have been 35 cases of personal data leaks, the most leaks occurred in june, namely 15 cases of data leaks. so far the government has resolved data leak cases in previous years in the form of recommendations and written warnings. based on a statement from samuel abrijani pangerapan, director general of applications and informatics of the ministry of communication and informatics, sanctions in the form of new fines can be imposed at least since october 2024, which is exactly two years since the personal data protection act was passed, or since the socialization and trial period this law ends. this is related to the absence of government regulations (pp) regarding the application of fines in cases of personal data leaks that occur [7].
the condition of cyber security in indonesia after the enactment of the personal data protection act
the condition of cyber defense in indonesia, especially in the context of protecting personal data, still requires real action, especially from the indonesian government. the cyber realm is part of the territory of the republic of indonesia which, although its territory is not visible, has a very important role and position in national security and defense. the resilience of the cyber area will not be built properly if it only relies on laws that incidentally cannot be implemented because of the absence of an institution responsible for this area, especially in the field of personal data protection. what needs to be considered is the absence of an institution that is directly responsible for personal data issues in indonesia is clear evidence of the absence of integration from the indonesian government to seriously deal with cyber problems that continue to batter indonesia’s sovereignty. in fact, institutions such as the national commission for personal data protection should be the driving force and person responsible for the personal data protection law, without this commission the personal data protection law is just a text without the ability to protect the rights of the indonesian people or defend the national cyber area. protection of personal data is the beginning of the formation of a national cyber security system that is able to protect the people and other data subjects who are part of the republic of indonesia.
the existence of the personal data protection law is not the end of the struggle to maintain national cyber sovereignty, the creation of a national cyber area that is safe and responsive to potential cyber crimes requires cooperation from various parties, both government and non-government. for the sake of strong state sovereignty in the cyber area, indonesia still needs time for a socialization period or trial period for the personal data protection law that has been passed. in interviews conducted by researchers, experts in the realm of cyber security still have high hopes for the successful contribution of the personal data protection law to national cyber security and defense.
data leaks, which are now a major issue in the realm of national cyber security, are not only experienced by indonesia but also other countries almost all over the world. however, what makes the difference is the complexity of the cyber attack or data leak. according to faisal yahya, a country’s cyber resilience is not only assessed from the state’s side but from the entity that manages and owns cyber facilities which must be strengthened and increase awareness regarding potential cyber attacks. both the public and data managers in the private sector and government agencies have the same responsibility for cyber security awareness
. it was emphasized that the current reality shows that society dominates as a human factor in the realm of cyber security , the phenomenon of work from home or work from anywhere after the covid-19 pandemic has created a new environment in the world of work, where indirectly the responsibility regarding cyber security is held by control. each personnel who accesses the online realm with personal devices in their activities. even though institutions or companies have provided devices with cyber security to personnel, if this is not accompanied by cyber security awareness then the potential for cyber crime will continue to occur, because according to faisal yahya, ” the next version of cyber security is inside the people’s head ” therefore education regarding cyber security awareness must be the main basis for activities in the cyber area [8].
pratama dahlian persada stated that the condition of misuse of personal data in indonesia has entered a critical stage, there are almost no boundaries between which parties may be able to access public personal data for illegal activities. with regard to defense and cybersecurity, indonesia is also in a bad condition due to the absence of supporting features that are no less important in order to create a cyber space that can withstand threats. according to pratama, there are at least seven important issues that need to be resolved intensively by the indonesian government, namely:
• implementation of the law has not been optimal, both in terms of the content of the law and other supporting factors.
• the sectoral ego of the leaders of state institutions makes it difficult to form comprehensive and intensive cooperation between institutions, especially for institutions that have direct contact with cyber defense and security issues and the protection of personal data. this is directly related to the vision and mission of the indonesian government in implementing the personal data protection law.
• the vision and mission of cyber security and defense that have not been integrated, cooperation between institutions, especially under the auspices of the government, is the main key to the success of national cyber defense. currently, the duties and functions of institutions under the personal data protection act are still not clearly defined.
• the quality and quantity of government institution personnel who have direct contact with cyberspace is still lacking in number and capacity. the increase in cybercrime cases in indonesia has increased the need for personnel or human resources, increasing the number of personnel in related institutions is expected to strengthen the government’s work performance. it should be understood that in the context of cyber defense, it requires not only sophisticated equipment and infrastructure but also competent and qualified human resources. so that increasing the competence of internal personnel in government institutions is no less important and cannot be underestimated. this is because sophisticated infrastructure will not make a maximum contribution if it is not run by the right personnel.
• absence of cyber threats curriculum in indonesia. in connection with the previous point regarding education to achieve the maximum potential of existing human resources, indonesia needs a curriculum regarding cyber security not only for adults but should have been educated from an early age, because as time goes by, the cyber domain can not only be accessed by adults but as well as children who will one day become the nation’s successors. therefore, cyber security education needs to be held immediately, so that the nation’s future generations can continue to follow developments in the digital realm safely and avoid potential cyber threats.
• awareness or awareness of cyber security for leaders in indonesia. it is known that many leaders in indonesia still underestimate the issue of cybersecurity, this is judged by the devices and applications used which are insecure and very easy to hack. for example, personal communication media in the form of messages that are widely used by the public, are also used by state leaders as a medium of communication to discuss state issues. this is said to be very risky because apart from the high possibility of being accessed by irresponsible parties, the providers of these applications and devices are also able to find out about the country’s internal affairs in case of negligence, this issue has happened to leaders of other countries whose private message accounts have been hacked, this should serve as an example for the indonesian government to be more careful and concerned about the communication media used, especially if the communication includes sensitive matters and is an internal state affair.
• lack of critical infrastructure protection in indonesia. according to the national cyber and crypto agency, critical infrastructure is ”important infrastructure to support vital functions in society, such as health, safety, economics and social welfare. any disruption or obstacles to critical infrastructure will have serious consequences for these vital functions. for example, critical infrastructure including ports, airports, hospitals, telecommunication infrastructure, financial and banking services, etc.” [9]. this is related to the readiness of the government and infrastructure control institutions in indonesia which must prepare themselves to face potential threats in the cyber domain, especially after the socialization period for the personal data protection law ends in october 2024. readiness for the protection of personal data needs to be assessed. repeated because it is one of the risk points, especially in the section on administrative fines, which are only intended for non-governmental parties, so it is necessary to redefine the sanctions that will be imposed if the violating party is part of a government institution or controller of vital infrastructure [10].
there are things that can be considered by the indonesian government based on factors found using the fishbone method, related to policies, procedures, equipment and people, including:
1. prepare and increase awareness regarding potential cyber attacks that may occur after the two-year socialization period of the personal data protection law ends, in order to prepare supporting factors both in terms of implementing regulations and additions and improvements to the contents of the personal data protection law so that it can work optimally.
2. explain and define in detail the contents of the personal data protection act regarding sanctions given to government agencies that manage and store personal data in the event of a personal data leak. because the personal data protection act only explains the obligations and sanctions aimed at companies or non-governmental data controllers.
3. adding the principle of transparency to the personal data protection act which includes provisions regarding the time when personal data is collected, processed and stored by the personal data manager [11].
4. explain and reaffirm the division of authority between government agencies responsible for national cyber security and institutions that are data controllers and manage and store public personal data under the auspices of the personal data protection act. comprehensive and synergistic division of tasks and authorities from responsible government agencies will be a good foundation in particular for the implementation of the personal data protection law.
5. permanently establish a personal data protection authority agency or national commission for personal data protection so that the personal data protection act can be applied immediately to government agencies that store and manage public data, as well as private parties such as organizations and companies and other parties who are data managers personal. so that monitoring, sanctions and prevention of personal data leaks can be carried out.
6. conduct periodic inspections of institutions, companies and organizations that are the managers of personal data to ensure that the cyber security system used to store and access data meets established security standards.
7. collaborating with private parties working in the field of cyber security both from within and outside the country to establish cyber security standards that must be met by institutions and parties managing personal data, adapting to problems and potential data leaks that have occurred and may occur in indonesia.
8. increasing investment in the development of cyber security technology and devices in indonesia for both government and private institutions. the cyber security system is a technology that is constantly changing and developing following the potential for cyber threats which are increasingly in various forms of attack so that investment especially provided by the indonesian government will be a springboard for personal data managers so that they can immediately improve and increase the quality of the cyber security system. the indonesian government needs to understand that investing in technology is an investment that requires a lot of money, but the impact and security provided are commensurate with what is being guarded, namely the personal data of the indonesian people.
9. holding a cyber security training program as part of mandatory qualifications for government agency personnel, especially those who have direct contact with the management and control of personal data. this is important to improve the quality and efficiency of personnel so that they can better deal with the tasks and functions they carry out.
10. carrying out mass recruitment of young people who have qualifications in the field of cyber security as well as cyber security experts in indonesia to participate in becoming part of data management institutions and personal data protection institutions. bearing in mind and considering that government institutions, especially those responsible for cyber security and resilience, still need additional human resources, especially those who have competence in cyber security .
11. conduct socialization in the form of education regarding cyber security to the indonesian people in order to create awareness of the importance of cyber security and the potential for cyber crimes that may occur in people’s lives.
12. cyber security curriculum as part of the education curriculum in indonesia which is given as early as possible so that children from school age to tertiary education have awareness of cyber security and are able to protect themselves from potential cyber threats.
 
iv. conclusion
as previously mentioned regarding the condition of cyber attacks in indonesia, even though the personal data protection law has been passed and implemented since october 17 2022, personal data leaks still occur with various motives and modes. the public, organizations and/or companies and other data management institutions still do not fully understand the contents of the personal data protection law and the preventive measures that can be taken to continue to protect the management and storage of personal data. considering that this law is a new regulation, it is the first step for the government to provide outreach to parties who manage and own personal data regarding procedures, as well as rights and obligations contained in the personal data protection law as well as procedures for carrying out reporting. theft of personal data that affects data owners and managers [5].
challenges in implementing the personal data protection law are also something that cannot be avoided. naturally, challenges are things that can occur unexpectedly, therefore the synergy between the government as the main person responsible and the community must be strengthened to minimize losses that can occur. from personal data leaks. even though the government’s responsibility as a data manager is greater, the role of the community is no less important in being more alert and observant of potential cyber crimes, especially in areas connected online. it is important for the public to understand and be aware of cybercrime actions so that personal data is not used illegally by irresponsible parties [5].
in an effort to create national cyber resilience, apart from the need for socialization from the government, cooperation from non-government parties such as the mass media is also needed to educate the public about potential threats in the cyber domain and ways to prevent them. it is hoped that the intensity of public education will increase the awareness of each individual and group regarding their personal data.
 
references
[1] d. ri, ”undang-undang republik indonesia nomor 27 tahun 2022 tentang pelindungan data pribadi,” pemerintah indonesia, jakarta, 2022.
[2] w. djafar, ”hukum perlindungan data pribadi di indonesia : lanskap, urgensi dan kebutuhan pembaruan,” jurnal fakultas hukum universitas gadjah mada , pp. 1-14, 2019.
[3] bssn, ”bssn.go.id,” 9 agustus 2022. [online]. available: https://www.bssn.go.id/indeks-keamanan-siber-indonesia- peringkat-ke-24-dari-194-negara-di-dunia/.
[4] l. m. jannah, ”uu perlindungan data pribadi dan tantangan implementasinya,” 21 september 2022. [online]. available: https://www.jawapos.com/opini/01409091/uu-perlindungan-data-pribadi-dan-tantangan-implementasinya.
[5] a. f. sutarli, ”peranan pemerintah melalui undang-undang perlindungan data pribadi dalam menanggulangi phising di indonesia,” innovative : journal of social science research vol. 3 no. 2 , pp. 1-14, 2023.
[6] h. w. b. s. d. s. n. bssn, ”honeynet.bssn.go.id,” 27 july 2023. [online]. available: https://honeynet.bssn.go.id.
[7] i. cnn, ”cnnindonesia.com,” 19 juni 2023. [online]. available: https://www.cnnindonesia.com/teknologi/20230619141948- 192-963776/35-kebocoran-data-2023-kominfo-akui-cuma-beri-rekomendasi-dan-teguran.
[8] f. yahya, interviewee, wawancara penelitian tesis : pelindungan data pribadi dan ketahanan siber. [interview]. 13 june 2023.
[9] bssn, ”sosialisasi dan permintaan tanggapan atas rancangan peraturan bssn tentang perlindungan infrastruktur informasi kritis nasional,” 13 september 2019. [online]. available: https://bssn.go.id/sosialisasi-dan-permintaan-tanggapan- atas-rancangan-peraturan-bssn-tentang-perlindungan-infrastruktur-informasi-kritis-nasional-iikn/.
[10] d. p. d. persada, interviewee, wawancara penelitian tesis : pelindungan data pribadi dan ketahanan siber. [interview]. 9 june 2023.
[11] p. h. saragih, interviewee, wawancara penelitian tesis : pelindungan data pribadi dan ketahanan siber. [interview]. 10 june 2023.
[12] s. nadia, ”mengembalikan humanisme perlindungan data pribadi melalui perluasan yuridiksi ekstrateritorial sebagai upaya diplomasi dalam mewujudkan keamanan siber,” in antalogi esai hukum dan ham, jakarta, 2020, p. 55.
[13] wahyudi, ”ksi.indonesia.org,” 30 april 2020. [online]. available: https://www.ksi-indonesia.org/id/wawasan/detail/1292- mendesaknya-regulasi-pelindungan-data-pribadi-yang-kompherensif.
[14] t. w. edgar and d. o. manz, ”defining cyber space,” in research methods for cyber security, united states, elsevier inc., 2017, p. 34.
[15] h. yeli, ”a three-perspective theory of cyber sovereignty,” prism, 2017, pp. 109-115.
[16] s. ghernaouti, cyber power : crime, conflict and security in cyber space, epfl press english imorint, 2013.

Tag

# cyber security

Share

Koran Terkait

Kembali ke koran edisi Koran Radar Lampung Edisi Minggu 14 Juli 2024

Berita Terkini

Berita Terpopuler

Berita Pilihan