JAKARTA — The handling of national cyber incidents, which is often marked by finger-pointing between institutions, has become a key focus in the discussion of the Draft Law on Cyber Security and Resilience (RUU KKS). The House of Representatives’ Commission I has just held a public hearing to examine the urgency of the regulation so it does not overlap when future attacks occur.
Pratama Persadha, Chairman of the Cyber Security and Communication Research Institute (CISSReC), stressed that Indonesia’s main cyber security problem today is not merely a matter of tools, but of coordination. According to him, when a large-scale attack occurs, communication chaos often breaks out among the institutions involved.
Shifting Blame
“When an incident happens, everyone is busy blaming others and making excuses. This is a classic problem,” Pratama said at the Parliamentary Complex in Jakarta on Tuesday (6/30). He cited the attack on the KPU and the incident at the Temporary National Data Center (PDNS) as examples of how ministries or agencies often pass responsibility for security to others.
Our bureaucracy is indeed rigid. Sectoral ego remains very high.
Pratama laid out a long list of institutions with cyber authority, ranging from the National Cyber and Crypto Agency (BSSN), the State Intelligence Agency (BIN), the National Police, the Indonesian Military (TNI), the Ministry of Communication and Digital Affairs (Komdigi), to sectoral regulators such as OJK or BI. Without a clear division of duties at the legal level, the potential for authority clashes in the field will continue to repeat.
Imagine if population data were leaked. Is this the job of Dukcapil, the responsibility of Komdigi, or within BSSN’s domain? In practice, institutions often wait for central direction or back away to avoid sanctions. In the KKS Bill, he proposed that the government clearly detail who leads command during a crisis, who has the right to investigate, and which party is responsible for providing transparent information to the public.
Cyber Resilience Must Come Before Security
Beyond the division of duties, Pratama offered a critical note on the bill’s focus. He argued that the government is too fixated on cyber security and is neglecting cyber resilience. Focusing on a defense wall, no matter how thick, is often useless if hackers have already found a backdoor.
“Cyber security aims to prevent attacks. But cyber resilience is far more crucial, namely ensuring the system can keep operating even while under attack,” he explained. For him, a system’s ability to recover quickly and mitigate losses for the public is the core of true resilience.
The harsh reality is that no system is truly safe. Hackers have thousands of ways to break in, while we only have one way to defend. Therefore, the narrative must change. It should no longer be ‘don’t let it get breached,’ but ‘what do we do when the system has already gone down?’
Pratama urged that every operator of critical information infrastructure be required to prepare a solid business continuity plan and disaster recovery plan. This must become a firm mandate in the KKS Bill so that if the worst-case scenario occurs, public services do not come to a complete halt for a long time. We cannot keep relying on the hope that systems will not be attacked.
Need for Regular Audits
The KKS Bill is also expected to address independent audits for all public electronic system operators (PSE). So far, security audits have often been merely formalities or done through self-assessment. The result? Many security gaps go undetected until a large-scale data breach occurs.
Public policy observers say firm sanctions in the KKS Bill will make the difference. If an agency is negligent in protecting public data, there must be clear legal consequences, not just administrative warnings. Public trust in government digital services depends entirely on how seriously the state protects data sovereignty in cyberspace.
For ordinary citizens, the debate over this bill may sound technical. But its impact reaches directly into our wallets and personal data. Without a strong legal umbrella, personal data protection remains nothing more than a myth. The DPR and the government must quickly reach common ground in drafting this regulation to ensure Indonesia’s digital space does not become a playground for global hackers.
Going forward, cyber challenges will become more sophisticated as artificial intelligence is adopted. The KKS Bill must be designed to be flexible enough to face future threats, not just solve yesterday’s problems.
Key Points of the KKS Bill:
- Clear Command: The bill must regulate who the main leader is during a major attack so there is no more blame-shifting between institutions.
- Cyber Resilience: The focus must shift from merely preventing attacks to ensuring systems can keep operating and recover quickly.
- Mandatory Mitigation: Operators of critical information infrastructure must have measurable disaster recovery and business continuity plans.
Quick FAQ on the KKS Bill
What is the main difference between cyber security and cyber resilience?
Security focuses on preventing attacks, while resilience focuses on a system’s ability to keep functioning or recover quickly when attacks happen.
Why does coordination between agencies often fail?
Because of overlapping authority and the absence of a binding single-command structure under law during a national cyber crisis.
Who is most affected by this rule?
Operators of critical information infrastructure, such as state institutions, banks, and public digital service providers that store sensitive public data.
