Backup and Recovery: Learning from the Indonesian National Data Center Ransomware Attack

Fiddo Hafied Rum, M.Sc.
Jun 28, 2024


On June 20, 2024, a disruption was reported in the immigration check system at Soekarno-Hatta International Airport, resulting in long queues at the immigration gates. The National Cyber and Crypto Agency of the Republic of Indonesia (BSSN) later announced that the disruption was caused by a ransomware attack on the Indonesian National Data Center (PDN), which affected systems in several government agencies, such as the Directorate General of Immigration, the Ministry of Education and Culture, and many local governments.

Ransomware is a type of malware that attacks systems by locking files so they cannot be accessed, causing the system to malfunction. Hackers demand a ransom to unlock the system, but there is no guarantee that they will provide the unlock key even after the ransom is paid.

PDN is operated by the Ministry of Communications and Informatics (Kominfo) of the Republic of Indonesia in accordance with Presidential Regulation 95 of 2018 on the Electronic-Based Government System (SPBE). According to that regulation, PDN is a set of data centers that must be used by government agencies. Kominfo currently operates a temporary PDN using third-party infrastructure while preparing the permanent infrastructure, which is still being developed in various locations such as Batam and Cikarang.

A week after the ransomware attack, most of the affected government systems were still not recoverable. During a working meeting between the House of Representatives (DPR), Kominfo, and BSSN on June 27, 2024, it was revealed that recovery efforts were hindered by the lack of proper backup procedures.

Government Sector Information Security Governance

The literature commonly identifies three aspects of information security: confidentiality, integrity, and availability. Presidential Regulation Number 95 of 2018, which serves as the legal basis for implementing digital government governance, also provides comprehensive references, including security as one of the principles of SPBE implementation. In addition to confidentiality, integrity, and availability, the SPBE Presidential Regulation also includes authenticity and non-repudiation as part of SPBE security coverage.

According to the regulation, ensuring confidentiality is achieved through various control measures such as classification and access restrictions; ensuring integrity is achieved by detecting modifications; ensuring authenticity is achieved through verification and validation mechanisms; ensuring non-repudiation is achieved through the use of digital certificates; and ensuring availability is achieved through backup and recovery measures.

Backup and Recovery

Backup refers to the procedures and technologies for creating copies of systems (applications and data) on separate secondary devices. Recovery refers to using these backup copies to restore the system to its original condition in case of damage to or loss of applications or data. Such damage or loss can occur for various reasons, such as system errors, hardware failures, human errors, natural disasters, and cyber-attacks like ransomware.

The concepts of backup and recovery are mentioned in several information security frameworks, such as NIST, which defines identification, protection, detection, response, and recovery as functions in the information security lifecycle. Backup is part of the protection function, while recovery is a function in its own right.

As a derivative of Presidential Regulation Number 95 of 2018, BSSN issued Regulation Number 4 of 2021 as a reference for the Management, Technical Standards, and Security Procedures of SPBE. Article 24 states the need for implementing backup and recovery systems and planning to ensure that data and information can always be accessed as a procedure to meet the availability aspect of security.

Follow-Up

PDN is currently used by most government agencies and will eventually be used by all government agencies to deliver public services, so it is crucial to pay attention to aspects of information security. Reflecting on the latest ransomware attack, one aspect that requires significant attention is availability (backup and recovery), considering that public services must always be available and quickly recoverable in case of disruptions due to technical, human, natural, or cyber-related factors.

Referring to the PPT framework (people, process, technology), the implementation of digital government security through SPBE already has a strong foundation in the process aspect, with comprehensive policies enshrined in regulations, which need to be further strengthened with more technical procedures. In terms of the people and technology aspects, it is necessary to re-evaluate whether the current human resources and devices are adequate and reliable enough to support the implementation of security governance in the process aspect.


Fiddo Hafied Rum, M.Sc.

Senior Analyst at the Executive Management of the National Committee for Islamic Economy and Finance (KNEKS) Republic of Indonesia.