E

ighteen-year-old DS may look like a regular teenager, spending his spare time helping his uncle sell chicken porridge in East Jakarta. No one would have thought that he was capable of hacking and defacing dozens of government websites, as he has done over the past three years, with the latest victim being the Elections Supervisory Agency (Bawaslu). The police arrested him on June 30.

“The suspect breached Bawaslu’s website just for fun,” the National Police’s cybercrime division chief Sr. Comr. Asep Safrudin said, as quoted by tribunnews.com.

He added the suspect learned about hacking from various sources on the internet, including from a Facebook group called “Typical Idiot Security”.

DS said he had warned Bawaslu that the website was prone to data theft. However, he did not receive any response from the agency.

His arrest has raised concerns over potential cyberattacks by cybercriminals, or simply irresponsible geeks, during elections, particularly in the lead up to the 2019 general elections.

“Hackers can disrupt elections by changing [vote count] result data, so it should be well protected,” Heru Sutadi of the Indonesia Information and Communications Technology Institute said. “Voters’ data should also be well protected.”

DS was arrested days after an alleged attack on another election body’s website, infopemilu.kpu.go.id, which is used by the General Elections Commission (KPU) to display the results of the 2018 regional elections official vote count. The cyberattack had prompted the commission to temporarily shut down the website.

KPU chairman Arief Budiman said last week the decision to shut down the website was made to prevent further commotion while they were studying the incident. The website became accessible again only recently when the KPU wrapped up the manual vote counting of participating regions. As many as 171 regional administrations held elections last month.

While most hackers, including DS, only deface the websites they breach, this does not mean the websites will be safe from data theft. The annual report of the Indonesian Security Incident Response Team on Internet Infrastructure (ID-SIRTII/CC) showed that more than 79,000 cases of data spills occurred from dozens of government websites, caused by malware, misconfiguration or hacking.

“Once hackers breach the server, all the data stored there can be taken, including sensitive information. It’s just up to the hacker whether they want to steal [the data] or not,” Heru said.

He added that sensitive data had been jeopardized as a result of the lack of attention from government bodies regarding data protection and reckless handling such as storing confidential and public data on the same server, unencrypted.

“Servers should also be monitored 24 hours a day, so the team could directly respond to threats and [cyber] attacks.”

Such preventive measures are deemed impossible to be fully implemented by government bodies because of the limited budget for technological maintenance.

“[As a result] there aren’t any IT teams in most institutions,” ID-SIRTII/CC deputy head Bisyron Wahyudi told The Jakarta Post.

While Heru suggested firewall installation on the server and limiting access to sensitive data as short-term solutions, Bisyron said Indonesia should have a comprehensive regulation on digital data protection that regulates the use of sensitive data of Indonesian citizens.

The pressure to legislate a data protection law has increased recently following the recent Facebook data-mining scandal, in which the personal data of more than 1 million users in Indonesia were allegedly inappropriately shared with third-party companies.

National Cyber and Encryption Agency (BSSN) spokesman Anton Setiyawan claimed the agency, which is responsible for cybersecurity in the country, had been working with the KPU to safeguard the election commission’s information system, including by installing a firewall and improving data management. “Surely there must be weaknesses, but we’ll improve it.”