Perspective: Challenges in Strengthening Digital Security in Southeast Asia countries

1. In 2019, Indonesia, a country with the fifth-highest number of internet users in the world, plans to issue their first law on cyber security. Once the bill is passed, Indonesia will be the latest Southeast Asian country with a cyber security law after Singapore, Thailand and Malaysia.

It is understandable that Indonesia need this cyber security law to protect over 150 million internet users — as projected in 2023, now 107 million users — a 13% increase in a year. These users are vulnerable to at least 232.45 million cyber-attacks in 2018 and 205 million attacks in 2017. In May 2019 alone, 1.9 million cyber-attacks were recorded. It is estimated these attacks can cause Rp478.8 trillion (US$33.7 billion) in losses. That’s equal to almost a fifth of Indonesia’s state budget next year.

Currently Indonesia’s law enforcement institutions are not equipped with adequate laws and tools to combat cyber-threats nor cyber-attacks. A law on cyber security is urgently needed as Indonesia deals with an increasingly high level of cyber threats.

But I found interesting facts on draft of the bill of Indonesia’s cybersecurity distributed two-months ago. The bill poses a serious threat to citizens’ freedom of speech and will create a super body institution that will be above law enforcement institutions. The law will arm the state in the fight against cyber threats. It will appoint the National Cyber and Encryption Agency (BSSN) as the implementing body to coordinate with the armed forces, police, attorney-general’s office, intelligence bodies and other government ministries and institutions.

Definitely there is no multi-stakeholders involvement in the drafting process in this cyber security bill, no discussion with other government institutions, no dialogue with private sectors related to cyber security or e-commerce, not even asking for inputs from CSOs. That is why SAFEnet speaks out and ask the Indonesia legislative to withdraw such authoritarian cyber security law, and the legislative finally withdraw the bill on last September. But it is far from over.

2. We aware fake news/hoax/misinformation becomes problems in the Southeast Asia region. But, SAFEnet monitor in some countries in Southeast Asia, the governments obviously use “fake news” as an excuse to silence criticism. While in some other, the government use “fake news” to justify their action against humanity. Countries already known for heavy-handed control of the internet are using “fake news” to seize even more control of news outlets and communications platforms. What’s unique about the context of the Southeast Asian region is that fake news and disinformation operate within a framework where existing laws already inhibit freedom of expression.

In countries like the Philippines, Indonesia, and Myanmar, disinformation and hateful rhetoric online have had serious consequences for public opinion. In cases like Cambodia, Thailand, Vietnam, and Singapore, where there are existing laws that curtail freedom of expression, social media has become the new avenue for government to exercise control over free speech.

Start from 2017, many Southeast Asian countries have national election process. The governments are trying to exploit concerns over “fake news” in order to adopt proposals to increase state control over online communications and expand censorship and Internet surveillance.

In 2017, Malaysia government during (former) Prime Minister Najib Razak released Akta 803 Berita Tak Benar – the first fake news law in the region. Following by Singapore in 2018. In October 2019, Thai Government told coffee shop owners to submit their consumer Wi-fi browsing records as part of the ministry\’s campaign against fake news. These legislation in the surface look great, but in the practice government start granting itself the power to unilaterally remove competing narratives is something that not in line with their narratives.

Indonesia government choose “instant” way to combat fake news/hoax. While amplifying in media (or events) about a national campaign against hoax, in May 2019, Indonesia government start to use Bandwith Throttling and also use Internet Shutdown in August-September 2019 to handle the spreading of fake news/hoax related to electoral process and handling social conflict in Papua.

Actually these governments aren’t concerned about fake news, but they are concerned about their official narratives being countered by speech carried on platforms they can’t directly control. Fake news legislation is an easy way to grant themselves the power they need to nuke content that contradicts government portrayals of events, incidents, and law making efforts. It not only turns the production or sharing of government-designated “fake news” into a crime, but also allows the government to directly target internet companies for content posted by their users.

3. I believe cybersecurity is a matter of trust. To reach the trust, the key is to have a dialogue in national level and also in regional level to achieve best result. Private sector companies should join the table. Cyber-technologists also should participate. Thus, it needs a lot of hands to handle such complex issues like cyber security.

But what is cyber security means to many of lawmaker/decision makers in the region? I think the state defining cyber security as the part of national security. The state uses a security approach in forming cyber security policies. As the result, such cyber security policy is counter-productive and tends to violate digital rights, and also threatens the recognition of human rights and democracy.

4. For years, SAFEnet have seen cyber-threats and cyber-attacks to netizen, women, and At-Risk communities, such as journalists, anti-corruption activists, environment activists, LGBTIQ, and religion minorities. They are being attacked digitally and physically, doxed, arrested, prosecuted with the internet law. DdoS attacks to media outlet, censorship with website/social media account take down content, unlawful surveillance, becomes a new normal. The foundation of freedom of press, freedom of expression, and freedom of assembly are under attack.

Lately in Indonesia, SAFEnet witness is the cyber-amok in the form of mass-harassment toward a person/groups, or mass-violence toward a people/groups who supported a politician who runs as Governor of Jakarta or toward activists against the revision of Corruption Eradication Commission (KPK) Law, or mass-coordinated action to give one star review for Tempo a mainstream media outlet to make the Google Playstore automatically delisting/delete the Media apps just because the media made a magazine cover illustrating Pinocchio nose over the figurative look of President of Indonesia. — just happened recently to Tous Le Jours perfume store apps in France, for mistakenly related to Tous Le Jours bakery in Indonesia.

5. SAFEnet gives series of Digital Security Training to netizen, women, and At-Risk groups such as journalists, anti-corruption activists, environment activists, LGBTIQ, religion minorities — starting with understanding of right to be safe while online, the importance to protect data and identity, introducing the security culture, protecting their internet account, social media, and files from intrusion by outside users, and others materials.

But still, I think it is not enough. I believe this digital security training should also being teach to wider audience: to the children, to girls/women, to the peasants, labor, and others, especially many of Indonesia people now using smartphones from China. Four from five market leader of smartphones in Indonesia are coming from China. These China dominant market leader also happens in other the Southeast Asia countries. These smartphones are lack/less standard on protecting people’s rights.

I am wondering and start asking questions: Why not putting this digital security material training inside the Siberkreasi – Indonesia digital literacy program? Or into trainings for users from the private companies like GAFAM etc. (Google-Apple-Facebook-Amazon, Twitter, et cetera.) I am looking forward that The States addressing these current issues: When will they really took serious action to protect their own people from cyber-threats and cyber-attacks from the “bad actors/agencies” like put these online agitators to jail? When will they start to care about people data and identity from transborder thieves, like what happened this year during major data breach over at least 35 million  of Lion Air customers in Thailand, Malaysia, and Indonesia? Are there any discussion to have a standardized online data protection laws in the regions?

In the end, I am proposing The State, Private Companies/Sector, Academicians, Technologists, Journalists/Media owners, and CSOs to have dialogue to adopt and develop a Holistic Security approach to build stronger cyber securities. The word \’security\’ here has a deeply personal, subjective and gendered concept. Such holistic security approach will focus more on protecting the human, not the technology. [dam]

Presented by Executive Director SAFEnet Damar Juniarto in Internet Governance Forum (IGF) 2019 in Berlin, Germany, on November 28, 2019 in session \”Strengthening Digital Transformation Through Digital Security\”.