An embarrassing few weeks for the Indonesian government seem to be coming to an end, now that it is recovering data from a major ransomware attack that had hit more than 160 agencies and exposed fundamental weaknesses in its digitalisation efforts.
It says it is getting its critical data back, days after things took a surprising turn when the attackers, a group called Brain Cipher, released the key to decrypt the data for free instead of insisting on their initial US$8 million ransom.
The cyber attack on the country’s national data centre last month affected immigration services, investment licensing and many other public services.
Now, it is unclear if the government has unlocked its data with the key provided by the hackers, though it has reportedly tried that out.
Clearly, the incident is a black eye for Indonesia, the largest market in Southeast Asia’s burgeoning digital economy and an increasingly important hub for data centres, including ones serving the local market.
At the same time, the debacle provides valuable lessons for both governments and businesses in Southeast Asia, which are growing their dependence on digital technologies all the time.
One of the most stunning revelations from Indonesia was that only 2 per cent of the data stored in one of the two compromised government data centres was backed up.
Before the news of the government recovering its data this past week, some of the affected agencies had been resigned to losing all their data altogether, because it was locked up by the cyber attackers. That would have wiped years of digitalisation efforts off the table.
This is a wake-up call for any organisation, let alone a government working for more than 280 million people, that has any mission-critical data stored on its premises or on the cloud.
At a time when people are backing up their WhatsApp messages on Google Drive every day, there really is no reason for the Indonesian government to forget about backing up data used in critical services.
Backing up, however, is the minimum. How frequently that backup is carried out and how fast the data can be recovered are important questions that should be asked before disaster strikes.
Data that changes frequently and is critical for an important service to run needs to be recovered quickly. This means hours instead of days or even weeks.
For such “warm” or “lukewarm” backups, storage vendors such as Pure Storage now push for flash-based backups that can transfer data at a much faster pace than traditional tape backup (and at a higher cost, of course).
Old data that can be recovered over a longer period can perhaps be held in “cold” facilities that are more like archives than backups. These should not have to be called into action at short notice for a disaster recovery response.
It’s important to note that cyber criminals are also targeting backups today because backups are a way to avoid paying ransoms and get things working again.
Some technology vendors, such as Veeam, today sell solutions that promise to keep the infected data from contaminating the clean backups through thorough and frequent checks.
After all, there’s no point backing up if you’re also backing up the infected data. If you end up recovering the infected data in the end, your systems will still be under the control of the hackers.
And let’s not forget that backups, while important, are not the only thing that the good guys need to worry about. After all, if the hackers have already stolen the data, they can leak that data to the Dark Web.
Not only will this embarrass the government or business holding the data but it will heighten fraud risks for individual victims. With the stolen personal information exposed, other hackers in future can target these individuals, say, by impersonating them or even blackmailing them.
Think back to the case in Singapore in 2019, when more than 14,000 people who were HIV-positive had their personal data stolen from the country’s health ministry and exposed. The distress from embarrassment and potential blackmail is hard to imagine.
Besides locking up data and then exposing it, cyber criminals may also launch a distributed denial-of-service attack at the same time. This will drive up pressure to pay the ransom, according to software testing and design company Synopsys.
So, having a backup is important to prevent services from being disrupted massively, as has happened in Indonesia, but it is also important to boost preventive measures to reduce the risk of such incidents happening in the first place.
Notably, in May this year, Indonesia had just come up with new regulations to respond to the type of cyber crisis it would experience very soon.
Particularly, the government had called for the development of crisis management plans, which included risk assessments, threat scenarios and recovery processes. Steps were prescribed for vital information infrastructure providers to take before, during and after a cyber incident.
This is a comprehensive call to action similar to what Asean neighbours Malaysia and Singapore have also put in place. Given the growing cyber threats, particularly from ransomware, these regulations will compel critical service providers to bolster defences and reduce risks of widespread impact.
To be sure, there’s no way to avoid cyber attacks altogether. Even with the best defences, the bad guys only have to get things right once, while the good guys have to keep avoiding mistakes all the time, as the saying goes.
However, risks can be reduced with preventive measures and even if the inevitable happens, mitigation strategies like backup and recovery will help manage the impact.
This attack on Indonesia’s cyber infrastructure brings an important lesson: The more you digitalise, the tougher your cyber defences have to be, because your dependency on these systems grows quickly over time.
Even though the Indonesian government is able to recover its data this time, there’s no telling if the data will be exposed later on. Or if its weaknesses can be exploited again in future. The damage will be long-term.
For the country’s government and indeed any organisation in Southeast Asia, recovering data may be tough, but recovering that valuable trust from citizens and users again could be even tougher.