Nearly two years after the Brain Cipher ransomware attack on Indonesia's Pusat Data Nasional Sementara (PDNS) paralysed services at roughly 210 central and regional government agencies, the country's long-stalled Cybersecurity and Cyber Resilience Bill — Rancangan Undang-Undang Keamanan dan Ketahanan Siber, or RUU KKS — is moving again in the Dewan Perwakilan Rakyat (DPR). Backed by Badan Siber dan Sandi Negara (BSSN) and the newly renamed Ministry of Communications and Digital Affairs (Komdigi), the bill is being pitched as the legal scaffolding Indonesia conspicuously lacked when attackers walked into a flagship government cloud and demanded an $8 million ransom.
That diagnosis is broadly correct. Indonesia remains one of the few G20 economies without a dedicated cybersecurity statute, relying instead on a patchwork of provisions in the ITE Law (UU 11/2008, as amended), the Personal Data Protection Law (UU 27/2022), and Government Regulation 71/2019 on Electronic Systems and Transactions. The result is overlapping mandates between BSSN, Komdigi, the police, and sectoral regulators such as Bank Indonesia and OJK — and, as the PDNS incident showed, no clear chain of command when a critical system goes dark.
What's in the draft
According to reporting in Kompas, Tempo, and analyses by civil society groups including ELSAM and SAFEnet, the current draft does several useful things and several worrying ones at once. On the constructive side, it would:
- Codify a national taxonomy of Critical Information Infrastructure (CII) across sectors such as energy, finance, telecoms, transport, health, and government services.
- Establish mandatory incident notification obligations for CII operators, with timelines and escalation paths to BSSN.
- Create a statutory basis for a national Computer Security Incident Response Team (CSIRT) ecosystem, building on the existing Gov-CSIRT and sectoral teams.
- Introduce certification and competency standards for cybersecurity professionals and managed security service providers.
These are, in principle, the building blocks of a modern cyber regime — closer in spirit to Singapore's Cybersecurity Act 2018 or the EU's NIS2 Directive than to the more securitised models found elsewhere in the region.
Where it risks overreach
The problems lie in the detail. Earlier iterations of the bill — and, civil society warns, the current draft — concentrate sweeping powers in BSSN, including the authority to issue binding technical standards, conduct inspections of private networks, and order remedial action with limited judicial oversight. ELSAM has flagged that broadly worded provisions on "cyber threats" and "cyber attacks" could be read to cover lawful security research, vulnerability disclosure, and even investigative journalism touching on government systems.
That is not a hypothetical concern in Indonesia. Article 27(3) of the ITE Law on defamation has been repeatedly used against critics, and the same drafting culture risks bleeding into RUU KKS. A 2023 Access Now and SAFEnet survey of Indonesian security researchers found that a significant majority feared legal exposure when reporting bugs in government or state-owned enterprise systems, a chilling effect the PDNS attack should have prompted lawmakers to remove, not entrench.
Two other design choices deserve scrutiny:
- Professional certification monopolies. If certification of cybersecurity professionals is centralised under BSSN with no recognition of established international credentials (CISSP, OSCP, CREST, ISO/IEC 27001 lead auditor), Indonesia will price its own talent out of a global market that is structurally short of skilled defenders. ENISA estimates the EU alone faces a cyber workforce gap in the hundreds of thousands; Indonesia cannot afford a parallel rent-seeking regime.
- Data-localisation creep. Drafts circulated in 2025 reportedly include provisions that would require CII operators to host certain data and security telemetry domestically. Sound on its face, this risks duplicating the localisation obligations already embedded in PP 71/2019 and OJK regulations. It can also backfire: when India's CERT-In issued its 2022 directions on log retention and six-hour incident reporting, several global VPN providers withdrew their Indian servers rather than comply, and cloud and managed security vendors weighing whether to keep telemetry in-country face the same calculus.
A pro-innovation path forward
Indonesia does not need to choose between resilience and openness. A proportionate RUU KKS would:
- Adopt a NIS2-style risk-based scope — distinguishing "essential" from "important" entities, with calibrated obligations rather than one-size-fits-all CII rules.
- Codify a safe harbour for good-faith security research and coordinated vulnerability disclosure, modelled on the US DOJ's 2022 CFAA policy update and the Netherlands' long-standing responsible disclosure guidelines. The PDNS attackers were not white-hats; criminalising the people who could have spotted the misconfiguration first is exactly backwards.
- Recognise international certification standards and allow private accreditation bodies to operate under a light-touch BSSN oversight regime.
- Build in independent oversight — ideally judicial authorisation for intrusive inspections, and parliamentary reporting on BSSN's use of new powers, in line with recommendations from the OECD Digital Security Risk Management framework.
- Harmonise, don't duplicate, with UU PDP, the ITE Law, and sectoral rules from OJK and Bank Indonesia, to avoid the regulatory thicket that already burdens Indonesian businesses.
The bigger picture
The PDNS attack was a governance failure as much as a technical one: reporting by Reuters and The Diplomat noted that most of the affected data had no backups, and that basic hygiene (patching, segmentation, multi-factor authentication) had lapsed. Legislation cannot fix culture, but it can either incentivise or punish the people best placed to change it. As the DPR moves into substantive deliberation in 2026, the test for RUU KKS is whether it empowers defenders (researchers, CISOs, CSIRT teams, cloud providers) or whether it builds a securitised perimeter around government systems that leaves Indonesia just as exposed, with fewer friends inside the tent.