General Overview of the Cyber Security in Indonesia Digital Landscape under Presidential Regulation No 47 of 2023

Background

Indonesia has enacted Presidential Regulation No. 47 of 2023 on the National Cybersecurity Strategy and Cyber Crisis Management (“PR 47/2023”) since 20 July 2023. This regulation aims to stipulate the protection of the country’s digital landscape against threats and cyberattacks, as well as the preparation against, and recovery from cyber crises.

In this article, we provide a general overview of PR 47/2023, particularly elaborating the (i) Scope of PR 47/2023, (ii) National Cybersecurity Strategy, (iii) Cyber Crisis Management, (iv) Funding, and (v) Concluding Remarks.

The Scope of PR 47/2023

PR 47/2023 has two primary focuses:

  1. National Cybersecurity Strategy: national policy utilize all the available natural cyber resources to establish an adequate Cyber Security to defend and promote the nation’s interests. (Article 1 (2) of PR 47/2023)
  2. Cyber Crisis Management: governance of the utilization of resources and intervention measures effectively, conducted before, during, and after a Cyber Crisis. (Article 1 (5) of PR 47/2023).

The relevant stakeholders shall perform the necessary actions to implement and achieve cybersecurity stability according to the National Cybersecurity Strategy and Cyber Crisis Management (Article 3 of PR 47/2023).

The main objectives of the National Cybersecurity and Cyber Crisis Management Strategy are to: (a) realize Cybersecurity, (b) protect the national digital economy ecosystem, (c) increase the strength and capabilities of reliable and resilient Cybersecurity, and (d) prioritize national interests and support the creation of an open, secure, stable, and responsible global cyberspace (Article 4 of PR 47/2023).

National Cybersecurity Strategy

The National Cybersecurity Strategy has two important elements to optimize and ensure effective implementation:

A. Focus Area must include:

(i) Governance;

(ii) Risk Management;

(iii) Readiness and Defence;

(iv) Strengthening the protection of vital information infrastructure;

(v) National Cryptography Independence;

(vi) Improvement of capability, capacity, and quality;

(vii) Cybersecurity policy; and

(viii) International cooperation. (Article 5 of the PR 47/2023)

B. Action Plan of National Cybersecurity:

PR 47/2023 also establishes a comprehensive action plan that contains measurable endeavours to elaborate and implement the focus areas of the National Cybersecurity Strategy, which would be further regulated by the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara or “BSSN”). The action plan is prepared for a period of 5 years and may be reviewed from time to time (Article 15 of PR 47/2023).

Cyber Crisis Management

The Indonesian government is also maximizing the management of cyber crises from the preparation stage to the post-crisis evaluation. The process shall consist of phases on (i) Precrisis management, (ii) during-crisis management, and (iii) post-crisis management (“Cyber Crisis Management Phases”). The implementation must be coordinated with BSSN involving the Electronic Service Operator (Penyelenggara Sistem Elektronik or “PSE”) (Article 17 of PR 47/2023). In implementing the Cyber Crisis Management, BSSN must conduct a preparation, which includes (i) drafting a cyber crisis contingency plan, and (ii) conducting a simulation of the contingency plan (Article 18 of PR 47/2023).

To have a better view of the implementation of Cyber Crisis Management Phases, please refer to the following table on the actions that should be taken in the occurrence of a cyber security incident.

 

Cyber Crisis Management Phases

No.

Phases

Actions

1.

Pre-Crisis Management
  1. Cyber Incident Response: During this phase, the response team shall take actions in response to the Cyber incident that gradually increases and potentially becomes a crisis.
  2. Cyber Crisis Early Warning: In the event of an escalating Crisis, PSE would receive an early warning and must perform the necessary measures in response to such warning.
  3. Stipulation of Cyber Crisis Status: When the incident progressively increases and fulfils the crisis criteria, the president, with BSSN, shall determine the Cyber Crisis status and establish a cyber crisis task force.

(Article 20, 21, 22, and 23 of PR 47/2023)

2.

During-Crisis Management
  1. Cyber Crisis Mitigation: Cyber Crisis Mitigation shall be conducted with the activities set out below:
    1. Identification and analysis of the affected electronic systems;
    2. Isolation of the affected electronic systems;
    3. Preservation    of    evidence    from                         the  affected electronic systems;
    4. Investigation and eradication of the causes of Cyber Crisis;
    5. Strengthening the systems not affected by the Cyber Crisis; and
    6. Coordination with BSSN.
  2. Cyber Crisis recovery: Efforts are made to restore the affected electronic systems and data, and utilization of the reserved resources. Subsequently, the Recovery is assessed based on:
  1. The Recovery time that should be below the maximum limit stipulated in the Cyber Crisis Contingency Plan;
  2. The amount of recovered data; and
  3. The amount of recovered vital and supporting functions stipulated in the Cyber Crisis Contingency Plan.
  1. Reporting of Cyber Crisis: After the occurrence of the Cyber Crisis, the Task Force is required to submit the final report regarding the management of the period to the President of the Republic of Indonesia.
  1. Termination of a Cyber Crisis: Based on the report submitted by the Cyber Crisis Task Force, the president may decide to terminate the Cyber Crisis.

(Article 24, 25, 26, 27, and 28 of PR 47/2023)
3 Post-Crisis Management

During the post-Crisis management, the Cyber Crisis Task Force must:

  1. calculate the damage and economical losses caused by the Cyber Crisis;
  2. calculate the recovery cost; and
  3. evaluate the Cyber Crisis management.

 

Funding

To facilitate effective implementation of the National Cybersecurity Strategy and Cyber Crisis Management, financial aspects need to be comprehensively considered to be able to provide huge benefits in the interests of the nation. According to Article 34 of PR 47/2023, the Cybersecurity Strategy and Cyber Crisis Management are financially supported by:

  1. The State Budget (Anggaran Pendapatan dan Belanja Negara);
  2. The Regional Budget (Anggaran Pendapatan dan Belanja Daerah); and
  3. other legitimate and non-binding sources in accordance with the prevailing laws and regulations.

Concluding Remark

PR 47/2023 signifies the commitment of the Indonesian government to face the cybersecurity challenges. The National Cybersecurity Strategy and Cyber Crisis Management are expected to protect the nation’s interests, enhance cyber capabilities, and support the creation of Indonesia’s digital landscape that is safe, responsible, and free from cyber threats.

With the enactment of PR 47/2023, Indonesia is expected to be better equipped to face the dynamics of cybersecurity more adaptively and innovatively, ensuring the resilience of electronic systems, and safeguarding the stability and integrity of the national cyberspace, as well as the management of cyber crises.

The article above was prepared by Audria Putri (Senior Associate) and Irfan Yusuf (Associate).

Disclaimer: The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.