CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 143
13. Indonesia
Indonesia’s rst formal strategy for civil-sector cyber
security emerged only in 2018, one year after its prin-
cipal cyber agency was created. Cyber-related institu-
tional changes within the armed forces began around
2014 but have not yet given rise to a published military
cyber strategy or doctrine. Political control of cyber
policy is exercised through the president. Indonesia
has only limited cyber-intelligence capabilities but
has been investing in cyber surveillance for domes-
tic security. It is more engaged than most developing
countries in cyber security and in employing digital
technologies. On international cyberspace policy,
it participates actively in the G20, the Asia-Pacic
Economic Cooperation, the Association of Southeast
Asian Nations and the Organisation of Islamic
Cooperation. Indonesia has some cyber-surveillance
and cyber-espionage capabilities, but there is lile evi-
dence of it planning for, or having conducted, oen-
sive cyber operations. Overall, Indonesia is a third-tier
cyber power. Given that it is expected to become the
fourth-largest economy in the world by around 2030,
it could be well placed to rise to the second tier if
the government decides that strategic circumstances
demand greater investment in the cyber domain.
List of acronyms
ASEAN Association of Southeast Asian Nations
BSSN National Cyber and Crypto Agency
MoD Ministry of Defence
OIC Organisation of Islamic Cooperation
TNI Indonesian Armed Forces
Strategy and doctrine
Until 2017, cyberspace policy in Indonesia was largely
undeveloped. Institutions, coordination and legal foun-
dations were all weak and there was no overall national
strategy.
1
Only some basic institutional foundations
were in place: the National Crypto Agency (founded in
1946) had been strengthened to some extent; a Computer
Emergency Response Team (CERT) had been created in
1998 through a private initiative; there was a govern-
ment infrastructure-incident-response team (another
CERT, in practice), set up in 2007;
2
14 additional CERTs
were in place by 2016; and some relevant laws and regu-
lations had been rened.
3
The principal development in 2017 was the estab-
lishment, by presidential decree, of the National Cyber
and Crypto Agency (BSSN),
4
replacing the National
Crypto Agency.
5
Also in 2017, the national police force
announced the expansion of its cyber-crime unit from
40 to 100 personnel.
6
The country began to frame its
cyber defence in very broad terms as part of its concept
of ‘total defence’.
7
The rst national cyber-security strategy was pub-
lished by the BSSN in 2018, seing out ve objectives:
cyber resilience, security of public services, enforce-
ment of cyber law, a culture of cyber security, and cyber
security in the digital economy.
8
The strategy was also
intended to support the country’s counter-terrorism
policies. Its stated goals included the promotion of
multi-stakeholder engagement and fostering global
trust in Indonesia’s management of its cyberspace. As
in most countries, the publication of a formal strategy
