Indonesia's Military Cyber Force Faces Tough Battle Ahead

Lack of Resources and Inadequate Planning Could Make the Cyber Force a Non-Starter
Indonesia's Military Cyber Force Faces Tough Battle Ahead
Indonesian Troops at the National Monument in Jakarta (Image: Shutterstock)

The Indonesian military has responded to a major data breach by creating a brand new cyber force to defeat adversaries, but a lack of long-term planning, resources and collaboration with the private sector could turn the initiative into a non-starter.

See Also: VMware Carbon Black App Control

Former President Joko Widodo on Sep. 23 authorized the armed forces to set up a new branch dedicated exclusively to cyberwarfare, citing the country's need to respond with greater force against escalating cyberattacks targeting government and military entities.

Newly appointed President Prabowo Subianto, a former military man who took office Oct. 21, quickly approved the move, promising to oversee the formation of a new cyber force with a structure unlike an existing cyber unit that works with the three branches of the armed forces.

Prior to Jokowi's approval, Chief of Army Staff Gen. Maruli Simanjuntak told local media that the military cyber force will recruit cybersecurity experts from the armed forces as well as civilians with advanced skills in the field.

Simanjuntak added that the armed forces, known as the TNI, will collaborate with the defense ministry, communication and informatics ministry and other stakeholders to develop the cyber force and assign responsibilities.

The cyber force will initially include a cyber military center attached to the military headquarters, with similar centers attached to each military branch. Gen. Agus Subiyanto, who serves as commander of the armed forces, said TNI will focus on recruiting sufficient cybersecurity personnel, including high school and university graduates.

Since the initial announcements, neither the government nor the military has shared details about the structure and duties of the cyber military force, who will head it and whether it will supersede the powers of BSSN, the country's top civilian cybersecurity agency.

Experts have raised questions over the armed forces' ability to source funds for the military cyber force. TNI is presently struggling to meet its "minimum essential force" target that it had to achieve by 2024, and the proposed defense budget for 2025 at $10.9 billion represents just 0.8 percent of GDP, a far cry from the $21 billion the military demanded in 2022 to modernize its equipment.

"Given predictions that it will consume quite a substantial amount of the military budget, the establishment of the cyber force should not hamper the modernization of the TNI's main weaponry system," the Australian Strategic Policy Institute said. "This equipment will define Indonesia’s deterrence and active combat capabilities far into the future."

President Subianto has called for doubling the defense budget to enable the TNI to achieve its long-term plans, but finding the money could be challenging as the government faces soaring energy subsidy bills and races to fund other priority projects such as the $29 billion new capital city project in Nusantara.

Other nations in the Asia-Pacific region have planned similar plans to test their effectiveness but have struggled with allocating budget and personnel. The Philippines, which faces growing conventional and cyberthreats from China, set up a small cyber battalion within the military in 2013 and decided to upgrade it 10 years later to a command-sized unit with the mandate to exclusively secure and defend military systems from cyberattacks.

Sherwin Ona, associate professor at Manila-based De La Salle University and an auxiliary commander in the Philippine Coast Guard, said the cyber command faces major challenges, primarily competing for resources with the military rapidly shifting its focus to external defense (see: Philippines' Cybersecurity Initiatives Running Out of Time).

The cyber command also must compete with the private sector to attract skilled cybersecurity workers, a challenge complicated by a severe lack of domestic cybersecurity talent within the country. Government and private sector organizations require at least 180,000 cybersecurity and data privacy professionals to meet resource demands, but only 200 certified professionals are in the country, Ona said.

Even if the Indonesian government manages to raise the defense expenditure and cannibalizes other budgetary priorities to launch the military cyber force, experts argue that the armed forces must plan methodically to ensure the force fulfills its expected mandate.

"The establishment of this new force must be comprehensively examined through consultation with various parties, especially relevant experts," ASPI said. "The TNI needs to establish clear lines of demarcation and communication with existing institutions that deal with cybersecurity, most especially the civilian agencies."

The Institute said the TNI's decision to establish the military cyber force seems impulsive. In the first half of 2024, the new force found no mention in official circles but things moved quickly after hackers stole vast amounts of data from the TNI Strategic Intelligence Agency in June. Within two months of the incident, the cyber force received presidential approval.

According to former Brookings expert Ian Wallace, though militaries are often better prepared and better funded in terms of cyber capability than their civilian counterparts, it is unwise for governments or the private sector to overly rely on the military to defend against cybersecurity threats as the dependence impacts their own capabilities.

"Any country that depends too heavily on the military for cybersecurity will likely find itself reducing the incentives for the private sector to develop longer-term solutions," he said.

Martin Libicki, senior management scientist at the think tank RAND Corp., shared with Information Security Group back in 2009 why he thought the idea of creating a separate service branch on par with the Army, Navy and Air Force that's dedicated to cyberwarfare was a bad one.

He said cyber defense does not require a very large group of uniformed servicemen and those entrusted with computer administration can be trained to use the right tools to protect their systems and data. In terms of cyber offensive capabilities, there is no need for a cyber force as there are very few skilled people who can find zero-day vulnerabilities in enemy software and exploit them. "The number of zero-day vulnerabilities is limited. They are actually very precious commodities and you don't put them in the hands of a mass organization," he said.

"There is something to be said for not touting your cyberwar capabilities too much," he added. "Part of what you use cyberwar for is to instill uncertainty and doubt in the minds of the adversaries about whether the information that they are getting is correct. You want to surround your offensive cyberwarfare capabilities with as much uncertainty and doubt as you want to induce in the adversary yourself."

Indonesia's grand launch of a military cyber force appears as a welcome move in a year when government and military organizations have suffered several high-profile data breaches and cyber incidents, including a crippling ransomware attack on a major data center in June that paralyzed as many as 285 government ministries, agencies and departments.

Though the military cyber force may seem good on paper, the military's lack of preparation, collaboration with the private sector and resources may quickly send policymakers back to the drawing board to find new solutions to respond to the changing cyberthreat landscape.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.