Indonesia’s Presidential Regulation No. 47 of 2023 regarding National Cyber Security Strategy and Cyber Crisis Management (“PR 47/2023”) was enacted on July 20, 2023. This regulation provides strategic guidelines for government institutions and stakeholders to enhance (i) national cybersecurity and (ii) cyber crisis management.
Central to this effort is the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara or “BSSN”), which has been designated as the primary coordinator for cyber crisis management, a role that includes collaboration with Electronic System Providers (“ESPs”).
To enforce PR 47/2023, the BSSN has issued key regulations on (i) the establishment of Cyber Incident Response Teams (Tim Tanggap Insiden Siber) (“CIRTs”) and (ii) frameworks for managing cyber crises. These regulations are:
- BSSN Regulation No. 1 of 2024, dated January 10, 2024, regarding Cyber Incident Management (“BSSN Reg. 1/2024”); and
- BSSN Regulation No. 2 of 2024, dated January 10, 2024, regarding Cyber Crisis Management (“BSSN Reg. 2/2024”).
The regulations apply particularly to Vital Information Infrastructure Providers (“VII Providers”), which include state agencies, business entities, and organizations that own or operate Vital Information Infrastructure (“VII”). While the core focus of these regulations is the protection of VII, some of the requirements are also applicable to ESPs that do not qualify as VII Providers.
Definition and Determination of VII
Presidential Regulation No. 82 of 2022, dated May 24, 2022, regarding the Protection of Vital Information Infrastructure defines VIIs as electronic systems utilizing information technology and/or operational technology, either independently or interdependently with other electronic systems in supporting strategic sectors, which if disrupted, damaged and/or destroyed will have a serious impact on the public interest, public services, defense and security, or the national economy.
VII sectors include:
- government administration;
- energy and mineral resources;
- transportation;
- finance;
- health;
- information and communication technology;
- food;
- defense; and
- other sectors determined by the president.
ESPs must carry out a self-assessment at least once a year and report the findings to the relevant authorities so that it can be determined whether they qualify as a VII Provider. The assessment covers the following criteria:
- investment value of the installed electronic system;
- total annual operational budget allocated for electronic system management;
- obligation to comply with certain regulations or standards;
- use of special cryptographic techniques for information security in the electronic system;
- number of electronic system users;
- personal data managed by the electronic system;
- classification/criticality level of data in the electronic system, relative to the threat of attempted attacks or breaches of information security;
- criticality level of processing in electronic systems, relative to the threat of attempted attacks or breaches of information security;
- geographical impact of electronic system failure; and
- potential loss or negative impact from incidents of information security breach in the electronic system.
BSSN Reg. 1/2024: Cyber Incident Management
Issued on January 10, 2024, BSSN Regulation No. 1 of 2024 defines CIRTs and their responsibilities. CIRTs are organized into three levels:
- National Cyber Incident Response Team (“National CIRT”);
- Sectoral Cyber Incident Response Team (“Sectoral CIRT”);
- Organizational Cyber Incident Response Team (“Organizational CIRT”).
Article 8 of the regulation requires all ESPs, including non-VII ESPs, to establish CIRTs, although the regulation does not specify penalties for non-compliance. These teams must register with the National CIRT; the registration of an Organizational CIRT is valid for three years.
Key points of this regulation include the following:
CIRT Responsibilities
BSSN Reg. 1/2024 delineates the responsibilities of CIRTs, which include:
- Containment of and recovery from cyber incidents;
- Reporting cyber incidents to relevant parties; and
- Disseminating information to prevent or mitigate future incidents.
Reporting protocols for VII ESPs and non-VII ESPs
BSSN Reg. 1/2024 mandates that when a cyber incident occurs, the Organizational CIRT must report to the CIRT at the next level up. A cyber incident is defined as one or a series of events that disrupt or threaten the operation of an Electronic System. In the event of a cyber incident, the responsibilities of VII ESPs and non-VII ESPs are as follows:
- VII ESPs: Reporting is required for cyber incidents that disrupt the continuity of electronic systems and services. Each cyber incident involving VII must be reported by the Organizational CIRT to the Sectoral CIRT within 24 hours, with a copy to the National CIRT. If a Sectoral CIRT has not yet been established for the sector, the report should be directed to the ministry or agency responsible for that sector, copied to the National CIRT.
- Non-VII ESPs: Reporting is required for cyber incidents that impact the continuity of the non-VII ESP’s own electronic system services, though the regulation does not specify a deadline for these reports. Responses to cyber incidents at non-VII ESPs may be managed by either the Sectoral or the National CIRT. The Sectoral CIRT handles incidents affecting the service continuity of at least two, and up to half of the, organizations in a sector.
The National CIRT manages incidents affecting:
- at least two sectors, with a minimum of two affected organizations in each sector; or
- more than half of the organizations within a single sector.
Each report of a cyber incident should at a minimum include:
- contact information of the reporting party;
- description of the incident;
- chronology of events; and
- impact of the incident.
BSSN Reg. 2/2024: Cyber Crisis Management
Issued on January 10, 2024, BSSN Reg. 2/2024 covers (i) Cyber Crisis Management preparation and (ii) the implementation of Cyber Crisis Management.
Preparation for Cyber Crisis Management
This phase involves developing Cyber Crisis Contingency Plans, strategic documents formulated by the head of the BSSN with input from the relevant ministries, agencies, CIRTs, and other stakeholders. These plans are essential for enhancing readiness to mitigate the effects of cyber crises and must be established within 12 months following the promulgation of BSSN Reg. 2/2024, i.e., by January 10, 2025.
The Contingency Plans are drafted considering:
- national cybersecurity risk assessments;
- national priority agendas; and
- the cybersecurity landscape.
The Contingency Plans must also include:
- threat scenarios;
- characteristics and history of cyber threats;
- roles, responsibilities, and communication patterns;
- containment processes;
- recovery processes;
- funding mechanisms; and
- reporting procedures.
BSSN Reg. 2/2024 also mandates that these Contingency Plans undergo simulations to test their practicality, validity, and quality. BSSN must conduct these simulations at least once every two years, including technical exercises and managerial decision-making simulations.
Additionally, BSSN and the other relevant ministries or agencies are required to evaluate the Contingency Plans annually or as needed; the results of these evaluations may lead to amendments of the plans.
Implementation of Cyber Crisis Management
BSSN Reg. 2/2024 structures cyber crisis management into three phases:
- Pre-Crisis:
- Cyber Incident Response: Actions to address escalating cyber incidents that could lead to a cyber crisis.
- Early Warning: The National CIRT alerts ESPs about cyber incidents that could potentially escalate into a crisis, based on information relayed by the Organizational, Sectoral, and National CIRTs.
- Crisis Status Determination: The President, on the recommendation of the head of BSSN, declares a cyber crisis.
- During Crisis:
- Crisis Containment and Recovery: Activities to manage and recover from the crisis.
- Crisis Management Reporting: Documentation and reporting of crisis management actions.
- Termination of Crisis Status: The process to formally conclude a crisis.
- Post-Crisis:
- Assessment of Impacts and Losses: BSSN, in collaboration with relevant ESPs, calculates damages, economic losses and reputational decline, and evaluates mitigation efforts.
- Estimation of Recovery Costs: Calculating the costs required to restore the electronic system to its pre-crisis state.
- Casualty Assessment: Calculating the total number of fatalities and identifying any missing and injured individuals.
Conclusion
The regulations issued by BSSN are critical steps in implementing the national strategy for cybersecurity and crisis management outlined in PR 47/2023. By establishing comprehensive guidelines for identifying VII, forming and operating CIRTs, and managing cyber crises, these regulations aim to strengthen Indonesia’s cybersecurity posture and ensure a coordinated response to cyber threats and incidents.
Key deadlines to note include:
- July 18, 2024: The deadline for the establishment and registration of Sectoral and Organizational CIRTs by VII Providers.
- January 10, 2025: The deadline for the development of Cyber Crisis Contingency Plans.
These deadlines highlight the urgent need for compliance to ensure the strategic objectives of national cybersecurity and effective crisis management are met. (20 May 2024)