Regulation on National Cyber Security Strategy and Cyber Crisis Management
On July 20, 2023, the President issued a cyber security framework, namely President Regulation No. 47 of 2023 on National Cyber Security and Cyber Crisis Management Strategies (“PR 47/2023”). This regulation was issued to safeguard the nation and its interests against the abuse of cyber resources and to address and recover from cyber crises, considering the potential of technological advancements in the future.
PR 47/2023 governs the national cyber security strategy, which consists of focus areas and a national cyber security action plan (the “National Cyber Security Action Plan”) made by the State Cyber and Signal Agency or Badan Siber dan Sandi Negara (“BSSN”). PR 47/2023 is effective as of its issuance.
We set out below the key provisions of PR 47/2023.
♦ National Cyber Security Strategy
The national cyber security strategy is aimed at achieving cyber security and ensuring a secure national digital economy ecosystem. The focus areas of this strategy consist of:
- governance;
- risk management;
- preparedness and resilience;
- strengthening the protection of vital information infrastructure;
- national cryptography independence;
- capability, capacity, and quality enhancement;
- cyber security policy; and
- international cooperation.
PR 47/2023 stipulates that the National Cyber Security Action Plan shall be made by focusing on the abovementioned areas. The National Cyber Security Action Plan is prepared for 5 (five) years and may be reviewed at any time. The Plan shall cover at least the following elements: (i) activities; (ii) success indicators; (iii) implementation timelines; and (iv) responsible parties.
The National Cyber Security Action Plan must be carried out by a state administration agency or instansi penyelenggara negara.
♦ Cyber Crisis Management
Under Article 17(2) of PR 47/2023, Cyber Crisis Management is coordinated by BSSN, which will involve Electronic Service Providers or Penyelenggara Sistem Elektronik (each, an “ESP”).
In implementing Cyber Crisis Management, BSSN's preparation takes the form of preparing a Cyber Crisis Contingency Plan and a Contingency Plan Simulation. The latter is carried out through exercise and role playing.
We set out below the implementation actions to be taken in each phase of cyber crisis management, namely actions before the cyber crisis occurs, while the cyber crisis is occurring, and after the cyber crisis has occurred.
Before the Cyber Crisis Occurs
Before a cyber crisis occurs, cyber incident response, as a means of cyber crisis management, shall be carried out gradually by the Cyber Incident Response Team. Pursuant to Article 22 of PR 47/2023, the cyber crisis early warning shall not only be communicated to ESPs; such ESPs are also required to take action in response to it. Subsequently, a cyber crisis status shall be determined by the President based on a suggestion from the Head of BSSN. Upon such determination, the President shall create a cyber crisis task force.
When the Cyber Crisis is Occurring
Cyber Crisis Countermeasures shall be carried out through several activities as set out under PR 47/2023, among others, the identification and analysis of the scope of electronic systems affected by the cyber crisis. Meanwhile, Cyber Crisis Recovery shall be carried out through restoration of the data and systems that have been affected, or utilization of backup and/or alternative resources, followed by retesting critical and support functions to ensure that recovery objectives are met.
The Cyber Crisis Handling Report shall be made by the cyber crisis task force to the President and shall consist of the analysis report and objectives of the cyber crisis handling as well as the recommendation on further cyber crisis handling. The termination of the cyber crisis status shall be determined by the President.
After the Cyber Crisis Has Occurred
The activities in this stage shall be coordinated by BSSN with the involvement of ESPs. The calculation of the estimated damages, losses, and recovery costs due to a cyber crisis shall derive from the economic value of the temporarily damaged assets arising out of the cyber crisis and the costs borne to restore the electronic system to its state prior to the cyber crisis. An evaluation of cyber crisis handling will be a consideration in setting cyber security policy.
July 26, 2023
AKSET
Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com) or Clara Anastasia So (canastasia@aksetlaw.com) for further information.