Neglecting cybersecurity could harm Indonesia’s competitiveness
In September 2024, as his presidency drew to a close, Joko Widodo (known as Jokowi) unveiled an ambitious plan: the creation of a dedicated cyber force – a fourth branch of Indonesia’s armed forces. This was a decisive response to growing threats in cyberspace, especially ransomware and the proliferation of cyber scams and online mis- and disinformation.
Just months later, that vision has all but disappeared. Jokowi’s successor, Prabowo Subianto, has quietly shelved the idea and slashed cybersecurity budgets. The new government’s retreat isn’t just about money. It signals a deeper problem: Indonesia’s political leadership still sees cyber defence as an afterthought. While other nations are bolstering their cyber resilience, Indonesia remains fixated on conventional threats, leaving its cyber vulnerabilities dangerously exposed.
Prabowo’s setback: cybersecurity deprioritised
When Jokowi assumed the presidency in 2014, digital transformation quickly became a cornerstone of his economic and policy agenda. The former Jakarta governor and long-time mayor of Surakarta saw technology as a tool to streamline public services, curb corruption, and expand access to government resources. Inspired by the rapid rise of Indonesia’s tech unicorns, Jokowi also championed the digital economy, betting on internet commerce as a key driver of national growth.
By 2017, Indonesia had taken steps to strengthen the foundations of its cybersecurity ecosystem. The National Cyber and Crypto Agency (Badan Siber dan Sandi Negara, BSSN) was established to centralise cybersecurity policy, including setting the baseline cybersecurity standards across government and, later, critical information infrastructure.
Other agencies were assigned specific roles: the Ministry of Communication and Informatics (now the Ministry of Communication and Digital Affairs) oversaw content security and tech regulations; the Ministry of Defence handled military cyber operations; and the National Police was tasked with enforcing cyber laws and tackling cybercrime such as online fraud, online gambling, and child exploitation.
When Prabowo Subianto took office in October 2024, many expected his defence background to translate into a stronger commitment to cybersecurity. Indonesia faces escalating cyber threats; recent attacks exposed the personal data of millions. The announcement of a dedicated cyber force initially suggested a long-overdue recognition of cyber threats as a core national security priority.
However, instead of pressing ahead, Prabowo’s administration has deprioritised cybersecurity. The cyber force has quietly faded from public discourse. His defence minister, Sjafrie Sjamsoeddin, has signalled a shift in focus, stating that, for now, efforts would concentrate on strengthening the existing cyber defence unit – a joint cyber support force – rather than creating a fully independent branch. Without strong political will, the cyber force appears unlikely to materialise anytime soon.
In addition to this, cybersecurity funding has been slashed. As part of Prabowo’s cost-cutting measures, funding for BSSN was temporarily frozen. The government withheld almost half of the BSSN’s Rp 1.32 trillion ($80 million) budget for 2025 – reducing the agency’s budget to just Rp 783 billion.
These cuts have left key cybersecurity agencies struggling to recruit personnel, upgrade critical infrastructure, and coordinate responses to cyber threats. At a moment when Indonesia should be reinforcing its digital defences, it is instead retreating – leaving the nation increasingly exposed in the face of mounting cyber risks.
Why cybersecurity is a low priority
These budget cuts are not merely financial adjustments. They reveal a deeper, systemic issue: cybersecurity has never been a strategic priority for Indonesia’s political leadership. This neglect is rooted in historical and institutional legacies that continue to shape the country’s security policies, sidelining digital threats in favour of more traditional concerns.
Despite Indonesia’s rapid digitalisation, its approach to cybersecurity is underwhelming. Chronic underfunding has left key institutions ill-equipped to respond to cyber threats or build the necessary infrastructure to secure the digital ecosystem. Bureaucratic inertia further compounds the problem – officials view cybersecurity as an added cost rather than a critical investment, with rigid budgeting and procurement processes preventing agencies from adapting to evolving threats.
For decades, Indonesia’s national security doctrine has prioritised internal stability over external cyber threats. The military’s strategic culture, largely shaped by the army, remains fixated on conventional security challenges such as separatism, terrorism, and political instability. In this framework, cybersecurity – an oft-invisible yet pervasive risk – struggles to gain recognition as a core national security concern.
At the same time, Indonesia’s political leadership continues to treat cybersecurity primarily as a tool for information control rather than national defence. Government efforts have focused on policing social media, combating disinformation, and censoring politically sensitive content.
While these measures may serve political interests, they do little to bolster Indonesia’s ability to defend against state-sponsored cyberattacks or sophisticated criminal cyber operations. As foreign misinformation campaigns become a key weapon in grey zone warfare, Indonesia lacks both a coherent strategy and a regulatory framework to counter them effectively.
This lack of urgency is further reflected in the government’s approach to cybersecurity leadership. Key positions are often handed to political loyalists rather than technical experts. The recently appointed head of BSSN, Nugroho Sulistyo Budi, for example, previously served under Prabowo in the army’s special forces unit and later in the Ministry of Defence. His predecessor, Hinsa Siburian, was also a military man with no cyber or information warfare background.
With cybersecurity leadership shaped more by patronage than expertise, Indonesia’s cyber defences will remain fragmented, under-resourced, and ill-prepared to confront the growing scale of digital threats.
The consequences of cyber neglect
Indonesia’s failure to prioritise cybersecurity is already having serious consequences. According to data from Dutch cybersecurity firm Surfshark, the country is the most targeted in Southeast Asia for cyberattacks, with government agencies, businesses, and financial institutions frequently suffering breaches.
High-profile incidents in recent years highlight the growing risks. In 2022, the infamous hacker ‘Bjorka’ exposed vulnerabilities in Indonesia’s data protection policies, leaking personal information from government officials and millions of citizens.
Most alarmingly, in mid-2024, a massive cyberattack on Indonesia’s National Data Centre crippled government services, disrupting access to essential systems, including immigration, business licensing, and social security. These breaches underscore Indonesia’s glaring cybersecurity weaknesses – weaknesses that will only worsen without urgent investment in cyber defence.
Indonesia’s weak cyber defences also threaten its standing in international cyber diplomacy. While the country has been active in multilateral discussions on cyber norms and capacity-building, its inability to build credible cyber capabilities could undermine its influence in shaping global cybersecurity governance. If Indonesia wants to be taken seriously on the world stage, it must first demonstrate that it can secure its own digital infrastructure.
Time to get serious about cybersecurity
Indonesia cannot afford to continue neglecting cybersecurity. The government must properly secure and maintain its cybersecurity budget and commit to building a robust cyber defence strategy. This includes fully funding the BSSN, empowering its cybersecurity ecosystem, and ensuring that key cybersecurity positions are filled by qualified professionals.
Moreover, Indonesia needs a comprehensive cybersecurity strategy that moves beyond censorship and focuses on real national security threats. This means investing in digital forensics, strengthening public-private partnerships, and enhancing cooperation with international allies on cyber threat intelligence.
If Prabowo wants to position Indonesia as a serious player in regional security, he cannot ignore the cyber domain. Failing to act now will only leave Indonesia more vulnerable in an era where cyber threats are becoming just as dangerous as traditional military threats. It is time for Indonesia’s leaders to recognise that in the modern world, cyber power is national power.