Indonesia National Cyber Security Strategy
Download as PPTX, PDF13 likes11,809 views
The document outlines Indonesia's strategic role in ICT, highlighting its significant mobile and internet user base, and the threats to national cyber security. It discusses the various dimensions of cyber threats, obstacles in cybersecurity governance, and presents six priority strategies for strengthening national cyber security. The conclusion emphasizes the need for a robust national cybersecurity strategy and collaboration among stakeholders to secure Indonesia's cyberspace.
Indonesia National Cyber Security Strategy
- 2. 2 OUTLINE The Strategic Roles of Indonesia ICT Indonesia ICT Numbers and Facts Three Dimensions of Cyber Threat Cases of Cyber Warfare/Attack Is Indonesia Under Attack??? Obstacles and Challenges of Indonesia National Cyber Security Six Priorities Strategy of Indonesia National Cyber Security Conclusion
- 3. 3 THE STRATEGIC ROLES OF ICT FOR INDONESIA ICT is an important infrastructure for citizens ICT is a trigger for economic growth and productivity ICT is a strategic sector and Government valuable assets
- 4. 4 INDONESIA IS THE 4TH LARGEST MOBILE SUBSCRIBERS 986 Juta 893 Juta 290 Juta 249 Juta 244 Juta 236 Juta China India USA Indo Brazil Rusia Jumlah Pelanggan Telepon Seluler Dunia - 2011 1st 2nd 3rd 4th 5th 6th China India USA Indonesia Brazil Russia With 249 million subscribers in 2011, Indonesia is the 4th largest mobile market in the world. sources: cia.gov (last updated April 2013)
- 5. 5 INDONESIA IS THE 8TH LARGEST INTERNET USERS 538 Juta 245 Juta 137 Juta 101 Juta 88 Juta 67 Juta 67 Juta 55 Juta 52 Juta 52 Juta China USA India Japan Brazil Rusia Germany Indonesia UK France Jumlah Pengguna Internet Dunia - 2011 1st 2nd 3rd 8th 4th 9th 5th 6th 7th 10th China IndiaUSA IndonesiaBrazil RussiaJapan Germany UK France sources: internetworldstats.com (last updated April 2013) In 2011, the number of internet users in Indonesia is around 55 million. Internet users in Indonesia also are highly social and active. Indonesia is the 3rd largest facebook users and the 5th largest twitter users in the world.
- 6. 6 THREE DIMENSIONS OF CYBER THREAT/ATTACK Cyber threat/attack can be divided into three dimensions. These threats potentially destroying the economy and destabilize the country's security. Social/ Cultural Attack Sources: Indonesia National ICT Council, DETIKNAS 2013
- 7. 7 CASES OF CYBER WARFARE/ATTACK STUXNET Wikileaks Estonia Cyber Attack 2007 Russia-Georgia Cyber warfare 2008 And many more...
- 8. 8 IS INDONESIA UNDER ATTACK??? Over the last three years, Indonesia was attacked 3,9 millions in cyber space. (Sources: Minister of ICT, April 3rd, 2013). During January-October 2012, The most attacked website is Government websites/domain: go.id (Sources: ID-SIRTII, 2012). Sources: ID-SIRTII Sources: Detikinet, 2013
- 9. OBSTACLES AND CHALLENGES OF INDONESIA NATIONAL CYBER SECURITY Vision of Cyber Security not Intregated Quantity and Quality of Information Security Human Resources are Limited ICT Critical Infrastructure Protection Mechanisms and Standards not exist Cyber Law and Policy not Completed Governance and Organization of National Cyber Security not Synergized Weakness of Coordination and Cooperation between Agency Application, Data and Infrastructure of Information Security not Integrated Lack of Awareness in Information Security Obstacles and Challenges of National Cyber Security Sources: Indonesia National ICT Council, DETIKNAS 2013
- 10. 101010 Indonesia National Cyber Security Conceptual Framework (INCS) 10 Sources: Indonesia National ICT Council, Detiknas 2012 Availability Integrity Confidentiality Sharedresponsibilities OrganizationStructures CapacityBuilding InternationalCooperation TechnicalandProcedural Legal Risk Management Leadership Partnership Security Strategic Level Security Operational Level Security Tactical Level Direct Execute Control
- 11. 11 SIX PRIORITY STRATEGIES OF INDONESIA NATIONAL CYBER SECURITY Strengthe- ning Policies and Regulations Establishment of Governance and Organization Critical Infrastructur e Protection Implementat ion of System and Technology Capacity Building for Human Resources International Collaboration and Cooperation Security and Sovereignty in Indonesia Cyber Space Sources: Indonesia National ICT Council, DETIKNAS 2013
- 12. PRIORITY I: STRENGTHENING POLICIES AND REGULATIONS
- 13. POLICIES & REGULATIONS RELATED TO INFORMATION SECURITY IN INDONESIA Telecommunication Act No. 36/1999 Information Transaction Electronic Act No. 11/2008 Implementation Of Telecommunications Government Regulation No. 52/2000 Organizational structure of information security Ministerial Regulation PM 17/PER/M.KOMINFO IP-based network security Ministerial Regulation No. 16/PER/M.KOMINFO/10/2010 CA Supervisory Board ad hoc team Ministerial Decree No. 197/KEP/M.KOMINFO/05/2010 Information security coordination team Ministerial Decree No. 33/KEP/M.KOMINFO/04/2010 Web server security Ministry Letter Wifi Security Ministry Letter Guidelines for the use of ISO 27001 Ministry Letter National Act:2 Government Regulation:1 Ministerial Regulation:2 Ministerial Decree:2 Ministerial Letter:3
- 14. 14 POLICIES & REGULATIONS RELATED TO INFORMATION SECURITY IN INDONESIA (2) Criminal cases related to cyber crime in Indonesia could also be punished with: – Criminal Procedural Law Codex (UU KUHAP), – Pornography Act (UU Antipornografi No. 44/2008), – Copyright Act (UU Hak Cipta No. 19/2002), – Consumer Protection Act (UU Perlindungan Konsumen No. 8/1999).
- 15. 15 POLICIES & REGULATIONS FRAMEWORK Scope of Cyber Security Laws: – e-Commerce; – Trademark/Domain; – Privasi dan keamanan di internet (Privacy and Security on the internet); – Hak cipta (Copyright); – Pencemaran nama baik (Defamation); – Pengaturan isi (Content Regulation); – Penyelesaian Perselisihan (Dispel Settlement). – Infrastruktur TIK Kritis Nasional (ICT Critical Infrastructure) Substantive Law Procedural Law PrescribeJurisdiction Prosecutorial Authority Enforcement Responsibility InternationalLawEnforcement Cooperation Sources: Indonesia National ICT Council, Detiknas 2012
- 16. PRIORITY II: ESTABLISHMENT OF GOVERNANCE AND ORGANIZATION
- 17. 17 THE CONCEPT OF NCS ORGANIZATION STRUCTURE The Concept of Indonesia NCS organization structure consists of multi- organization. INCS organization contains of skilled, proficient, and experienced employees with prosperous information security knowledge inside their parts of specialization. Sources: Indonesia National ICT Council, DETIKNAS 2013
- 18. 18 COMPARISON OF CYBER SECURITY ORGANIZATION Level Australia UK Indonesia Strategic Cyber Security Policy and Coordination Committee (Lead Agency: The Attorney-General’s Department) Function: interdepartmental committee that coordinates the development of cyber security policy for the Australian Government. Office of Cyber Security (OCS) function: to provide strategic leadership for and coherence across Government; Undefined Tactical Cyber Security Operations Centre (CSOC) (Under Directorate: Defense Signals Directorate) Function: provides the Australian Government with all-source cyber situational awareness and an enhanced ability to facilitate operational responses to cyber security events of national importance. Cyber Security Operations Centre (CSOC) Function: actively monitor the health of cyber space and co-ordinate incident response; to enable better understanding of attacks against UK networks and users; to provide better advice and information about the risks to business and the public. Undefined Operational CERT Australia GovCertUK ID-SIRTII GovCert ID-Cert
- 19. 19 INDONESIA NATIONAL CYBER SECURITY ORGANIZATION STRUCTURE FRAMEWORK Sources: Indonesia National ICT Council, DETIKNAS 2013
- 20. 20 ORGANIZATION MAPPING RECOMENDATION Protect cyberspace environment Homeland Security Preventive and capacity building Intelligence KEMKOMINFO BIN LEMSANEG KEMDIKBUD Protect militer cyberspace environment Defense KEMHAN TNI Investigation and Prosecution of criminal in cyberspace Law Enforcement POLRI KEMENKOPOLHUKAM Coordination Coordinator Coordinator-Incident Response Team KEJAKSAAN Gov-Cert ID-ACAD-CSIRT ID CERT ...... Sources:IndonesiaNationalICTCouncil,DETIKNAS2013
- 21. PRIORITY III: CRITICAL INFRASTRUCTURE PROTECTION
- 22. DEFINITION OF NATIONAL ICT CRITICAL INFRASTRUCTURES ICT Critical National Infrastructures are assets, services, objects in the form of phyical or logical that involving the livelihood of many people, national interests and/or revenue of country that are strategic, in case of threats and attacks cause more loss of lives, destabilizing political, social, cultural and national economy as well as the sovereignty of the nation. (DETIKNAS, 2013) Criteria of the National Critical ICT Infrastructure must fulfill one, some or all of the following characteristics: – Threats and attacks resulted in disaster/many lost lives. – Threats and attacks result in chaos in the national society. – Threats and attacks cause disruption of governmental operation. – Threats and attacks resulting in the loss of reputation, income and state sovereignty.
- 23. 23 IMPACT LEVEL OF CYBER ATTACK Money, Espionage, Skills for Employment, Fame, Entertainment, Hacktivism, Terrorism and War APT/Nation State Insider Terrorism Criminals Hacker Groups Hacker Noob/Script Kiddy Actor(s)Motivation Low Medium High Impact Level • may result in the highly costly loss of major tangible assets or resources; • may significantly violate, harm, or impede an organization’s mission, reputation, or interest; • may result in human death or serious injury. • may result in the costly loss of tangible assets or resources; • may violate, harm, or impede an organization’s mission, reputation, or interest; • may result in human injury. • may result in the loss of some tangible assets or resources • may noticeably affect an organization’s mission, reputation, or interest. Sources: Indonesia National ICT Council, DETIKNAS 2013
- 24. 24 CRITICAL INFRASTRUCTURE SECTORS Sector Lead Agency Energi dan Sumberdaya Mineral Kementerian ESDM ICT Kementerian Kominfo Transportasi Kementerian Perhubungan Kesehatan Kementerian Kesehatan Pemerintahan Sekretariat Negara/Sekretariat Kabinet Keuangan dan Bank Kementerian Keuangan Agrikultur Kementerian Pertanian Pertahanan dan Industri Strategis Kementerian Pertahanan, Kementerian BUMN Administrasi dan Pelayanan Publik Kementerian Dalam Negeri, Kementerian Hukum & HAM Penegak Hukum POLRI, Kejaksaan RI, KPK Sosial, Budaya dan Agama Kementerian Agama dan Kementerian Sosial Sources:IndonesiaNationalICTCouncil,DETIKNAS2013
- 25. PRIORITY IV: IMPLEMENTATION OF SYSTEM AND TECHNOLOGY
- 26. LAYERS OF CYBER Implementation of cyber security technologies and processes performed at each layers. Cyber security at every layer is called defense in depth. Defense in Depth strategy is to achieve the main objectives of security, namely Availability, Integrity, Confidentiality (AIC Triad). Data Application Host Internal Network External Network
- 27. IMPLEMENTATION OF DEFENSE IN DEPTH INFORMATION SECURITY External Network DMZ Penetration Testing VPN Logging Auditing Vulnerability Analysis Network Perimeter Firewalls Penetration Testing Proxy Logging Auditing Vulnerability Analysis Stateful Packet Inspection Internal Network IDS Penetration Testing IPS Logging Auditing Vulnerability Analysis Host Authentication Password Hashing Antivirus IDS IPS Logging Auditing Penetration Testing Vulnerability Analysis Application SSO Content Filtering Auditing Penetration Testing Data Validation Vulnerability Analysis Data Encryption Access Controls Penetration Testing Backup Vulnerability Analysis Sources: Jason Andress, 2011 (modified)
- 28. 28 NEXT GOVERNMENT TECHNOLOGY IMPLEMENTATION RELATED TO NATIONAL CYBER SECURITY Goverment Secure Network Government Public Key Infrastructure Government Integrated Data Center
- 29. PRIORITY V: CAPACITY BUILDING FOR HUMAN RESOURCES
- 30. BUILDING INTEGRATED AND SUISTAINED HUMAN RESOURCES DEVELOPMENT PROGRAM Sources: Indonesia National ICT Council, DETIKNAS 2013
- 31. CAPACITY BUILDING: AWARENESS 31 Awareness One-way communic ation Two-way interactive communic ation
- 32. CAPACITY BUILDING: AWARENESS - ONE-WAY COMMUNICATION One-way communication (text, multimedia) Film, Music, Poster, dll Wide range, tends to bore, relatively cheap cost and affordable Methods Object Effectively
- 33. CAPACITY BUILDING: AWARENESS - TWO-WAY INTERACTIVE COMMUNICATION Two-way interactive communication (hypermedia) FGD, Interactive Workshops, Video Games, e-learning. Limited range, to be effective in changing the culture of behavior, cost of expensive Methods Object Effectively
- 34. PRIORITY VI: INTERNATIONAL COLLABORATION AND COOPERATION
- 35. 35 MEMBER OF INTERNATIONAL ORGANIZATION Join, participate, and ratify with international collaboration and cooperation. Currently Indonesia become full member of: – Asia Pacific and APCERT FIRST (Forum for Incident Response and Security Team) of the world. – Organisation of the Islamic Conference-CERT (OIC-CERT)
- 36. 36 CONCLUSIONS Securing Indonesia Cyberspace is essential to create conducive and sustainability environment. Indonesia Cyberspace has to be secured and sovereigned. Indonesia needs a national cyber security strategy in order to focus on the development cyber security program. National Cyber Security is a very complex problem, collaboration and cooperation with all stakeholders are needed. Organization of Indonesia National Cyber Security (I-NCS) need to be established.
Editor's Notes
- #24: Advanced Persistent Threat (APT) is an organized and long-term attack, designedspecifically to access and exfiltrate information from the target systems and impliesa more active role in gathering information than any that we have discussed previously.APT operations are more direct, and may have more in common with the CNAprocess that we will discuss in Chapter 9, closely matching some of the activities, butdiffering somewhat in intent and motivation. In APT, the steps that we might take areattack, escalate, and exfiltrate.