Indonesia’s #Bjorka embarrassment exposed its devastatingly weak cybersecurity – but a new data protection law may help
- A long-awaited data protection law passed earlier this month could pave the way for Indonesia to enjoy all that embracing a digital economy promises
- But only if it’s implemented correctly. The Bjorka hacking case showed the government needs to better prepare itself to protect its citizens
Overall, Indonesia’s government seems to be optimistic about the PDP law. Communication and Information Technology Minister Johnny G. Plate claimed that Indonesia was the fifth Asean country to have PDP regulations and said he believes the law embodies the government’s protection of Indonesian citizens’ private data.
If successfully implemented, the law will provide a future-oriented regulatory framework and possibly stimulate reform in data governance for the government and non-government organisations.
It also closes the lacuna in Indonesia’s governance framework for the protection of citizens’ personal information and data, a lack that the government acknowledged years ago.
However, not all commentators are optimistic. The implementation of the new PDP law already faces some serious challenges. First, it stipulates the need for “implementing regulations” to be harmonised across government, from the executive (presidential) to ministerial level.
All of these supporting regulations need to be formulated inclusively. Second, what form the implementing agency will take as the highest PDP authority that reports directly to the president is still unclear. Many alternatives are being suggested and this authority could take at least a year to be established. The implementation of a comprehensive PDP framework will inevitably entail more complex debates.
Looking at Indonesia’s legislative experience, worries about delays in the implementation of important laws are not baseless. The National System for Science and Innovation Law No. 11 of 2019 (UU Sisnas Iptek), for instance, was ratified in mid-2019 to mandate the formation of an independent Research and Innovation Agency, which is still not fully operational.
The National Capital Law No. 3 of 2022 (UU Ibukota Negara, or the IKN Law) was extremely rushed – taking only 42 days from the first reading in parliament to its passage. Its implementing regulations were quickly prepared and the IKN authority’s structure is incomplete, even now.
The IKN authority’s current head and his deputy are working without assistants or other organisational support. This has led to uncertainty over whether the targets for the new capital city’s development can be achieved and if the government is serious about fully moving out of Jakarta.
An audacious hacker or group called “Bjorka”, formerly @bjorkanism on Twitter, serially published sensitive personal data and doxxed several Indonesian public figures. From August 20 to the second week of September, Bjorka allegedly leaked and sold on the dark web the private data of millions of Indonesian citizens, supposedly taken from the databases of private companies, state-owned enterprises, and even state agencies and ministries.
Even private data such as the Covid-19 vaccination statuses of prominent politicians was leaked including Minister Plate, whose job scope ironically covers the prevention of such hacks, and his fellow ministers Erick Thohir (state-owned enterprises), Luhut Pandjaitan (coordinating minister of maritime affairs and investment), and parliament speaker Puan Maharani.
More seriously, Bjorka publicly accused general Muchdi, the retired former head of Kopassus (special forces) and a state intelligence officer, of the murder of human rights defender Munir. Munir’s case made headlines in 2006 when a different individual was charged but then acquitted of his September 2004 murder. Separately, Bjorka has leaked data belonging to Minister of Home Affairs Tito Karnavian and accused him of being involved in the recent high-profile murder of a police general’s aide in the “Sambo case”.
Bjorka must be held accountable but the government also needs to be responsible for Indonesia’s devastatingly weak cybersecurity regulations and digital capacity. The Bjorka case sends a message loud and clear: Indonesia’s capacity in cyber governance must be improved if it is to enjoy the promise of fully embracing the digital economy while dealing with the associated challenges and risks.
The #Bjorka case is merely a wake-up call. Governing in the digital era, Indonesia’s government should prepare itself and protect its citizens by sharpening the saw that is the PDP law. Only bad workers blame their tools.
Dr Yanuar Nugroho is a Visiting Senior Fellow at the ISEAS – Yusof Ishak Institute. He was the former Deputy Chief of Staff to the President of Indonesia 2015-2019.