Indonesia’s National Data Centre Ransomware Attack: A Digital Governance Failure?


A recent ransomware attack on Indonesia’s public services revealed weaknesses that the country can ill afford to ignore if it wishes to fully participate in the digital century.

On 20 June 2024, the Temporary National Data Centre (Pusat Data Nasional Sementara, PDNS) in Surabaya suffered a ransomware variant known as ‘Brain Cipher’. This attack disrupted 282 public services, including immigration, airport services, and online student registration​. The attack happened less than a month after President Joko Widodo launched INA Digital, Indonesia’s govtech initiative, and revealed deficiencies in the state’s capacity to safeguard critical digital infrastructure.  

Despite advancements in digital policies like Satu Data Indonesia (One Data Indonesia)Kebijakan Satu Peta (One Map policy), and Sistem Pemerintahan Berbasis Elektronik (SPBE, or e-government), and the establishment of institutions like the National Cyber and Crypto Agency (BSSN), the government’s response demonstrated significant gaps in preparedness and resilience​. That essential services were heavily disrupted for four to seven days or more, and the government had to rely on emergency measures to restore functionality indicated a lack of robust contingency planning. The data taken is considered “lost and unusable”.

Meanwhile, the government’s stance on not paying the US$8 million ransom, albeit principled, shows its dilemma when confronted with sophisticated cyber threats. While on 3 July 2024 the hackers released the encryption key for free and demanded the government use it to decrypt the data, this incident underscores the need for Indonesia to be more proactive on cybersecurity, including making regular audits and having real-time threat detection and rapid response mechanisms.

This incident revealed several layers of governance failures. At the core, there was a lack of robust cybersecurity measures, inadequate crisis management protocols, and the absence of accountability among government officials.

First, despite previous incidents of data breaches and leakages highlighting the need for more robust data protection and cybersecurity, Indonesia’s cybersecurity infrastructure remains insufficient. The PDNS attack was part of a broader pattern of cyber vulnerabilities affecting government institutions. This reflects a failure to prioritise cybersecurity within the framework of national security.

Second, the government’s response has been characterised by confusion and a lack of clear communication. Initial responses were slow and officials appeared unprepared to effectively handle the crisis. This reflects a more fundamental issue with the government’s approach to digital governance, where reactive or curative rather than proactive or preventive measures are the norm. The weak response plan shows the need for better cyber preparedness and strategic crisis management frameworks.

Third, one of the most troubling aspects was the apparent reluctance of government officials to accept responsibility for their failures. Instead, there was buck-passing between the Ministry of Communication and Informatics, BSSN, and Telkom on whose fault it was. This exacerbated public distrust, arising in an online petition signed by thousands demanding that the relevant minister, Jokowi loyalist Budi Arie Setiadi, resign. Instead, Budi’s Director General for Informatics Application, Semuel A. Pangerapan, was the fall guy. This avoidance of accountability is symptomatic of deeper governance issues where transparency and accountability mechanisms are weak or non-existent. Such behaviour not only hinders the effective resolution of the current crisis but is particularly problematic in cyber governance, where citizens’ trust in a government’s transparency and ability to safeguard their private data is critical.

This incident revealed several layers of governance failures.

Those problems are rooted in human resource and prioritisation issues. First, the government must have a digital talent management strategy to ensure the best talent effectively manage and protect Indonesia’s digital assets. This is a fundamental challenge that must be addressed together with rapid digitalisation, evolving cyber threats, and comprehensive governance reforms.

Second, Indonesia’s national priority has often been to expand digital access rather than to ensure proper digital governance. This imbalance has created vulnerabilities exploited by cybercriminals and poor governance creating deficiencies in the state’s capacity to safeguard critical digital infrastructure and data. The June ransomware attack was so crippling because several ministries and agencies even lacked basic data back-ups.

Reforms in the digital sector must therefore focus on creating robust mechanisms for accountability and transparency, including setting up independent oversight bodies, implementing stringent reporting requirements, and ensuring accountability. Further revision to the Presidential Regulation on Indonesia’s govtech framework might be needed. Without this, digital initiatives will continue to be undermined by governance failures.

It is not easy to assess whether this attack was contained within Indonesia. In general, foreigners’ data are stored in two places. For those with Limited Leave to Remain (KITAS, Ijin Tinggal Terbatas) and Permanent Leave to Remain (KITAP, Ijin Tinggal Tetap) visas or permits  usually businesspeople and professionals  their data is stored in the Directorate General of the Civil Registry in the Ministry of Home Affairs, which was not affected by the attack. Yet, their travel history and the data of other foreigners, like tourists and visitors, are stored in the Directorate General of Immigration in the Ministry of Law and Human Rights, which was affected.

If the fallout extends beyond national borders, this can affect business confidence, especially if any sensitive information about foreign nationals or businesses is leaked or misused by the attackers. Foreign businesses might reconsider their operations in Indonesia if they perceive the cybersecurity risks as too high. International companies affected by the recent breach may also run afoul of their home countries’ data protection regulations.

Unfortunately, current regulations and laws in Indonesia are probably insufficient to handle, let alone deter, future cyberattacks. There is Law No. 11 of 2008 on Electronic Information and Transactions (“EIT Law”, amended by Law No. 19 of 2016), which prosecutes cybercriminals, punishing them with six years in prison and a 600 million rupiah (US$36,921) fine. There are also Presidential Regulation No. 28 of 2021 establishing the national cyber and crypto agency as the responsible agency for cybersecurity and Law No. 5 of 1999 prohibiting monopolistic practices and unfair business competition, which applies when cyberattacks are used for business espionage or unfair competition. However, the laws’ effectiveness heavily relies on the capabilities of law enforcement agencies to detect, investigate, and prosecute cybercrimes. While the punishments are not insignificant, it is not obvious whether these are sufficient to deter highly motivated and skilled hackers, especially those operating from outside Indonesia.  

The PDNS ransomware attack should be a wake-up call for Indonesia as it embarks on its digital transformation journey. Ensuring robust cybersecurity is not just a technical necessity but a fundamental condition for realising the vision of Grand Indonesia 2045  this must be the priority of the incoming government.

Comments