COVID-19 is not the only threat Indonesia is currently facing -- cyberattacks are also on the rise, as hackers to exploit Indonesia’s digital security vulnerabilities during the outbreak.
The pandemic creates a perfect chance for hackers to hack into networks as companies and office workers shift to online platforms to work remotely and new users dive into Indonesia’s cyberspace, Institute for Policy Research and Advocacy (ELSAM) deputy director Wahyudi Djafar warned.
“The scope of cyberattacks is large as they don’t merely cause economic losses but also disrupt important infrastructure used for communication,” he said on Monday.
His concerns are set against the backdrop of two recent cyberattacks in Indonesia, namely the “Zoombombing” of lewd images that disrupted a National ICT Council (Wantiknas) webinar and the data breach of 15 million users of the homegrown e-commerce unicorn Tokopedia.
Wahyudi also warned that sensitive health data on COVID-19 might be prone to cyberattacks, with the government lacking transparency on who can access the data and how it is preventing illegal access to such data.
In 2017, a ransomware called WannaCry rendered patients’ online information inaccessible in Jakarta’s Dharmais and Harapan Kita hospitals.
Indonesia’s prevailing regulations are “far from enough” to face the storm of cyberattacks during the pandemic, with provisions failing to stipulate consumers’ rights in case of a cyberattack, Wahyudi said.
He, therefore, called on the government to optimize the use of the Electronic Information and Transactions Law (ITE) and other relevant regulations to act against cybercrimes pending a deliberation of the long-awaited data protection bill at the House of Representatives.
Platform providers should also educate their consumers about how to use their applications safely, Wahyudi said. While digital usage in Indonesia is among the highest in the world, digital literacy is still relatively low, Communications and Information Ministry Director-General of Information Applications Samuel Abrijani Pangerapan said in a statement on Feb. 28.
Globally, a recent study by accounting firm PricewaterhouseCoopers’ (PWC) cybersecurity team revealed that hackers had intensified their phishing attempts threefold to exploit people’s fears and vulnerability as they were working and conducting most of their activities from home during the pandemic.
Indonesia is no stranger to cyberthreats, with the Cyber Body and National Encryption Agency (BSSN) recording 12.9 million cyberattacks in 2018. The agency reported that the number of cyberattacks also grew by an average of 15 percent every year.
Most recently, the government’s PeduliLindungi surveillance application, which is used to trace and track suspected patients as well as confirmed COVID-19 cases, sparked worries over the safety of its personal data. The Communications and Information Ministry later clarified that the application was safe to use and pledged to delete users’ data once the pandemic ended.
Communications and Information Minister Johnny G. Plate said his office would continue to ramp up cybersecurity and protect personal data with the BSSN, although he did not provide details on how this would be achieved.
"The government will continue to ensure that the digital economy, especially e-commerce, can run well and smoothly without being disrupted by data hackers or data breaches,” he said recently after holding a virtual meeting involving the ministry, the BSSN and Tokopedia.
The minister also urged the public to regularly change passwords and use one-time password (OTP) features to better protect personal accounts.
Ride-hailing giant Gojek’s chief information security officer George Do told The Jakarta Post in an exclusive interview last month that the quarantine period should compel the public to step up security measures on their devices and prompt organizations to undergo a digital “security paradigm shift”, citing Gojek’s use of cloud storage to interact with employees, as an example.
“First, everyone needs to be familiar with phishing and social engineering, and the basic understanding to never, under any circumstance, share one’s username and password with somebody else,” he said, adding that organizations also needed to be aware of malware and ransomware.