Indonesia seems to be moving toward finally creating a new national cyber agency after some debate.
As I mentioned in a piece earlier this week, Indonesia’s coordinating minister for political, legal and security affairs, General Wiranto, has indicated that the establishment of the body is now all but certain (See: “A New Cyber Agency for Indonesia?”). Wiranto said that the agency would be set up sometime during 2017, possibly as early as later this month.
The case for Indonesia to create such an agency has been clear for some time. As I have noted previously, Indonesia has long been one of the world’s most vulnerable countries to cyber attacks, and the challenge has grown at an alarming rate over the years (See: “Indonesia’s Cyber Challenge Under Jokowi”). While there are independent cyber units in various institutions, including the defense ministry, the police, and the state intelligence agency, there is a need, as in many other countries, to coordinate these activities.
But beyond the issue of whether Indonesia needs a new agency or when exactly it will be set up, the far more substantive question is: what exactly will the nature of this agency be in terms of its form and function, and what will this mean in practice for how the Indonesian government confronts cyber challenges? That’s still far from clear, even if this is far from uncommon for ambitious initiatives that attempt to coordinate various agencies.
Wiranto did shed some light on this in remarks to reporters last week, even though they still do leave some lingering questions. Speaking in Bahasa Indonesia, he described the national cyber agency as a “supranational,” “coordinating” body, working as an “umbrella” organization for all cyber organizations in Indonesia. He also stressed that the cyber units in each of the agencies would still continue to work independently.
“All units will keep working independently, we will not merge them into one,” Wiranto explained.
Though that clarification may be useful in easing initial fears about bureaucratic competition and inter-agency rivalry, this still does not tell us exactly how the new agency will interact with existing ones in practice without overstepping their authority in terms of more specific issues like the degree of coordination and control. For instance, various options had been considered regarding the new cyber agency’s relationship with the existing National Encryption Agency (LEMSANEG), with one suggestion that both organizations be merged rather than having a new agency operate as an independent coordinating body apart from it.
With respect to the agency’s responsibilities, Wiranto as well as other Indonesian officials have suggested that they would be more wide-ranging than just coordination. In his recent remarks to journalists, Wiranto reiterated that the agency could also be involved in other tasks, such as establishing regulations and setting policy.
The exact responsibilities of the agency will be central to its operation for various reasons. To take just one example, if its responsibilities include establishing regulations, then it will be at the center of debates about the potential erosion of freedoms that may come with increased security, a trade-off that has been a frequent subject of debate in the cyber realm in countries worldwide. Within Indonesia, there have already been concerns raised about the lack of data protection and potential government overreach.
Earlier this month, Wiranto sought to dispel fears that the agency would compromise individual or corporate privacy, calling such concerns “false” and “another hoax.” Even if he is right, such “fake” concerns are left to brew in part because of the lack of clarity about government policy. If indeed Indonesia does follow through on the setting up of its national cyber agency, it will be important for the Jokowi government to ensure that it shapes the conversation on it and takes into account the legitimate concerns of constructive opponents rather than let it be defined by extremist voices.