indonesia national cyber security strategy

Prof. Zainal A. Hasibuan, Ph.D(Vice Executive Chairman of National ICT Council)

Dewan Teknologi Informasi dan Komunikasi Nasional2013

Indonesia National Cyber Security Strategy: Security and Sovereignty in Indonesia

Cyberspace

2

OUTLINE

The Strategic Roles of Indonesia ICT Indonesia ICT Numbers and Facts Three Dimensions of Cyber Threat Cases of Cyber Warfare/Attack Is Indonesia Under Attack??? Obstacles and Challenges of Indonesia National Cyber

Security Six Priorities Strategy of Indonesia National Cyber Security Conclusion

3

THE STRATEGIC ROLES OF ICT FOR INDONESIA

ICT is an important infrastructure for citizens

ICT is a trigger for economic growth and productivity

ICT is a strategic sector and Government valuable assets

4

INDONESIA IS THE 4TH LARGEST MOBILE SUBSCRIBERS

China India USA Indo Brazil Rusia

986 Juta

893 Juta

290 Juta249 Juta 244 Juta 236 Juta

Jumlah Pelanggan Telepon Seluler Dunia - 2011

1st2nd

3rd 4th 5th 6th

China India USA Indonesia Brazil Russia

With 249 million subscribers in 2011, Indonesia is the 4th

largest mobile market in the world.

sources: cia.gov (last updated April 2013)

5

INDONESIA IS THE 8TH LARGEST INTERNET USERS

China USA India Japan Brazil Rusia Germany Indonesia UK France

538 Juta

245 Juta

137 Juta

101 Juta 88 Juta67 Juta 67 Juta 55 Juta 52 Juta 52 Juta

Jumlah Pengguna Internet Dunia - 20111st

2nd

3rd

8th4th

9th5th 6th 7th 10th

China IndiaUSA IndonesiaBrazil RussiaJapan Germany UK France

sources: internetworldstats.com (last updated April 2013)

In 2011, the number of internet users in Indonesia is around 55 million. Internet users in Indonesia also are highly social and active. Indonesia is the

3rd largest facebook users and the 5th largest twitter users in the world.

6

THREE DIMENSIONS OF CYBER THREAT/ATTACK

Cyber threat/attack can be divided into three dimensions.

These threats potentially destroying the economy and destabilize the country's security.

Social/ Cultural Attack

Sources: Indonesia National ICT Council, DETIKNAS 2013

7

CASES OF CYBER WARFARE/ATTACK

STUXNET

Wikileaks

Estonia Cyber Attack 2007

Russia-Georgia Cyber warfare 2008

And many more...

8

IS INDONESIA UNDER ATTACK???Over the last three years,

Indonesia was attacked 3,9 millions in cyber space. (Sources: Minister of ICT, April 3rd, 2013).

During January-October 2012, The most attacked website is Government websites/domain: go.id (Sources: ID-SIRTII, 2012).

Sources: ID-SIRTII

Sources: Detikinet, 2013

OBSTACLES AND CHALLENGES OF INDONESIA NATIONAL CYBER SECURITY

Vision of Cyber Security not Intregated

Quantity and Quality of Information Security Human

Resources are Limited

ICT Critical Infrastructure Protection Mechanisms and

Standards not exist

Cyber Law and Policy not

Completed

Governance and Organization of National Cyber Security not

Synergized

Weakness of Coordination and Cooperation between

Agency

Application, Data and Infrastructure of

Information Security not Integrated

Lack of Awareness in Information

Security

Obstacles and Challenges

of National Cyber

Security


101010

Indonesia National Cyber Security Conceptual Framework (INCS)

10

Sources: Indonesia National ICT Council, Detiknas 2012

Avai

labi

lity

Inte

grity

Confi

denti

ality

Shar

ed re

spon

sibi

lities

Org

aniz

ation

Str

uctu

res

Capa

city

Bui

ldin

g

Inte

rnati

onal

Coo

pera

tion

Tech

nica

l and

Pro

cedu

ral

Lega

l

Risk Management

Leadership

Part

ners

hip

Security Strategic Level

Security Operational Level

Security Tactical Level

Direct

Execute

Cont

rol

11

SIX PRIORITY STRATEGIES OF INDONESIA NATIONAL CYBER SECURITY

Strengthe-ning Policies and Regulations

Establishment of Governance and

Organization

Critical Infrastructure

Protection

Implementation of System and Technology

Capacity Building for Human Resources

International Collaboration and

Cooperation

Security and Sovereignty in Indonesia Cyber Space


PRIORITY I: STRENGTHENING POLICIES AND REGULATIONS

POLICIES & REGULATIONS RELATED TO INFORMATION SECURITY IN INDONESIA

Telecommunication Act No. 36/1999

Information Transaction Electronic Act No. 11/2008

Implementation Of Telecommunications Government Regulation No. 52/2000

Organizational structure of information security Ministerial Regulation PM 17/PER/M.KOMINFO

IP-based network security Ministerial Regulation No. 16/PER/M.KOMINFO/10/2010

CA Supervisory Board ad hoc team Ministerial Decree No. 197/KEP/M.KOMINFO/05/2010

Information security coordination team Ministerial Decree No. 33/KEP/M.KOMINFO/04/2010

Web server security Ministry Letter

Wifi Security Ministry Letter

Guidelines for the use of ISO 27001 Ministry Letter

National Act:2Government Regulation:1 Ministerial Regulation:2Ministerial Decree:2Ministerial Letter:3

14

POLICIES & REGULATIONS RELATED TO INFORMATION SECURITY IN INDONESIA (2)

Criminal cases related to cyber crime in Indonesia could also be punished with:– Criminal Procedural Law Codex (UU KUHAP), – Pornography Act (UU Antipornografi No. 44/2008), – Copyright Act (UU Hak Cipta No. 19/2002), – Consumer Protection Act (UU Perlindungan Konsumen No.

8/1999).

15

POLICIES & REGULATIONS FRAMEWORK

Scope of Cyber Security Laws:– e-Commerce;– Trademark/Domain;– Privasi dan keamanan di internet

(Privacy and Security on the internet);– Hak cipta (Copyright);– Pencemaran nama baik (Defamation);– Pengaturan isi (Content Regulation);– Penyelesaian Perselisihan (Dispel

Settlement).– Infrastruktur TIK Kritis Nasional (ICT

Critical Infrastructure)

Substantive Law

Procedural LawPres

crib

e Ju

risdi

ction

Prosecutorial Authority

Enforcement Responsibility

Inte

rnati

onal

Law

Enf

orce

men

t Co

oper

ation

Sources: Indonesia National ICT Council, Detiknas 2012

PRIORITY II: ESTABLISHMENT OF GOVERNANCE AND ORGANIZATION

17

THE CONCEPT OF NCS ORGANIZATION STRUCTURE

The Concept of Indonesia NCS organization structure consists of multi-organization.

INCS organization contains of skilled, proficient, and experienced employees with prosperous information security knowledge inside their parts of specialization.Sources: Indonesia National ICT Council, DETIKNAS 2013

18

COMPARISON OF CYBER SECURITY ORGANIZATIONLevel Australia UK Indonesia

Strategic Cyber Security Policy and Coordination Committee (Lead Agency: The Attorney-General’s Department)

Function: interdepartmental committee that coordinates the development of cyber security policy for theAustralian Government.

Office of Cyber Security (OCS)

function: to provide strategic leadership for and coherence across Government;

Undefined

Tactical Cyber Security Operations Centre (CSOC) (Under Directorate: Defense SignalsDirectorate)

Function: provides the Australian Government with all-source cybersituational awareness and an enhanced ability to facilitate operational responses to cyber security events of national importance.

Cyber Security Operations Centre (CSOC)

Function: actively monitor the health of cyber space and co-ordinate incident response; to enable better understanding of attacks against UK networks and users; to provide better advice and information about the risks to business and thepublic.

Undefined

Operational CERTAustralia

GovCertUK ID-SIRTIIGovCertID-Cert

19

INDONESIA NATIONAL CYBER SECURITY ORGANIZATION STRUCTURE FRAMEWORK


20

ORGANIZATION MAPPING RECOMENDATION

Protect cyberspace environment

Homeland Security

Preventive and capacity building

Intelligence

KEMKOMINFO BIN LEMSANEG KEMDIKBUD

Protect militer cyberspace environment

Defense

KEMHAN TNI

Investigation and Prosecution of criminal in cyberspace

Law Enforcement

POLRI

KEMENKOPOLHUKAM

Coordination

Coordinator

Coordinator-Incident Response Team

KEJAKSAAN

Gov-Cert ID-ACAD-CSIRT ID CERT ......Sour

ces:

Indo

nesi

a N

ation

al IC

T Co

unci

l, D

ETIK

NAS

201

3

PRIORITY III: CRITICAL INFRASTRUCTURE PROTECTION

DEFINITION OF NATIONAL ICT CRITICAL INFRASTRUCTURES

ICT Critical National Infrastructures are assets, services, objects in the form of phyical or logical that involving the livelihood of many people, national interests and/or revenue of country that are strategic, in case of threats and attacks cause more loss of lives, destabilizing political, social, cultural and national economy as well as the sovereignty of the nation. (DETIKNAS, 2013)

Criteria of the National Critical ICT Infrastructure must fulfill one, some or all of the following characteristics:– Threats and attacks resulted in disaster/many lost lives.– Threats and attacks result in chaos in the national society.– Threats and attacks cause disruption of governmental operation.– Threats and attacks resulting in the loss of reputation, income and state

sovereignty.

23

IMPACT LEVEL OF CYBER ATTACK

Money,Espionage,

Skills for Employment, Fame,

Entertainment, Hacktivism,

Terrorism and War

APT/Nation State

Insider

Terrorism

Criminals

Hacker Groups

Hacker

Noob/Script Kiddy

Actor(s)Motivation

Low

Medium

High

Impact Level

• may result in the highly costly loss of major tangible assets or resources;

• may significantly violate, harm, or impede an organization’s mission, reputation, or interest;

• may result in human death or serious injury.

• may result in the costly loss of tangible assets or resources; • may violate, harm, or impede an organization’s mission,

reputation, or interest;• may result in human injury.

• may result in the loss of some tangible assets or resources • may noticeably affect an organization’s mission, reputation,

or interest.


24

CRITICAL INFRASTRUCTURE SECTORSSector Lead Agency

Energi dan Sumberdaya Mineral Kementerian ESDM

ICT Kementerian Kominfo

Transportasi Kementerian Perhubungan

Kesehatan Kementerian Kesehatan

Pemerintahan Sekretariat Negara/Sekretariat Kabinet

Keuangan dan Bank Kementerian Keuangan

Agrikultur Kementerian Pertanian

Pertahanan dan Industri Strategis Kementerian Pertahanan, Kementerian BUMN

Administrasi dan Pelayanan Publik Kementerian Dalam Negeri, Kementerian Hukum & HAM

Penegak Hukum POLRI, Kejaksaan RI, KPK

Sosial, Budaya dan Agama Kementerian Agama dan Kementerian Sosial

Sour

ces:

Indo

nesi

a N

ation

al IC

T Co

unci

l, D

ETIK

NAS

201

3

PRIORITY IV: IMPLEMENTATION OF SYSTEM AND TECHNOLOGY

LAYERS OF CYBER Implementation of

cyber security technologies and processes performed at each layers.

Cyber security at every layer is called defense in depth.

Defense in Depth strategy is to achieve the main objectives of security, namely Availability, Integrity, Confidentiality (AIC Triad).

Data

Application

Host

Internal Network

External Network

IMPLEMENTATION OF DEFENSE IN DEPTH INFORMATION SECURITY

External Network

DMZ

Penetration Testing

VPN

Logging

Auditing

Vulnerability Analysis

Network Perimeter

Firewalls

Penetration Testing

Proxy

Logging

Auditing


Stateful Packet Inspection

Internal Network

IDS

Penetration Testing

IPS

Logging

Auditing


Host

Authentication

Password Hashing

Antivirus

IDS

IPS

Logging

Auditing

Penetration Testing


Application

SSO

Content Filtering

Auditing

Penetration Testing

Data Validation


Data

Encryption

Access Controls

Penetration Testing

Backup


Sources: Jason Andress, 2011 (modified)

28

NEXT GOVERNMENT TECHNOLOGY IMPLEMENTATION RELATED TO NATIONAL CYBER SECURITY

Goverment Secure Network

Government Public Key Infrastructure

Government Integrated Data

Center

PRIORITY V: CAPACITY BUILDING FOR HUMAN RESOURCES

BUILDING INTEGRATED AND SUISTAINED HUMAN RESOURCES DEVELOPMENT PROGRAM


CURRICULUM JOB POSITIONQUALIFICATION (KKNI)

LEVEL OF THREAT/IMPACT

CAPACITY BUILDING: AWARENESS

31

AwarenessOne-way communication

Two-way interactive

communication

CAPACITY BUILDING: AWARENESS - ONE-WAY COMMUNICATION

One-way communication

(text, multimedia)

Film, Music, Poster, dll

Wide range, tends to bore, relatively

cheap cost and affordable

Methods Object Effectively

CAPACITY BUILDING: AWARENESS - TWO-WAY INTERACTIVE COMMUNICATION

Two-way interactive communication

(hypermedia)

FGD, Interactive Workshops, Video Games, e-learning.

Limited range, to be effective in changing

the culture of behavior, cost of

expensive

Methods Object Effectively

PRIORITY VI: INTERNATIONAL COLLABORATION AND COOPERATION

35

MEMBER OF INTERNATIONAL ORGANIZATIONJoin, participate, and ratify with international collaboration

and cooperation.Currently Indonesia become full member of:

– Asia Pacific and APCERT FIRST (Forum for Incident Response and Security Team) of the world.

– Organisation of the Islamic Conference-CERT (OIC-CERT)

36

CONCLUSIONS

Securing Indonesia Cyberspace is essential to create conducive and sustainability environment.

Indonesia Cyberspace has to be secured and sovereigned.Indonesia needs a national cyber security strategy in order to

focus on the development cyber security program.National Cyber Security is a very complex problem,

collaboration and cooperation with all stakeholders are needed.

Organization of Indonesia National Cyber Security (I-NCS) need to be established.

37

[email protected]

2013

Thank You