The intent of the Indonesian National Armed Forces (TNI) to establish a Cyber Force needs to be supported, but not rushed.
In response to the recent hacking of TNI Strategic Intelligence Agency data in June 2024, the TNI commander, General Agus Subiyanto, declared that he would expand the TNI structure to include a new cyber force. Other government leaders, such as the then-chief of the TNI Information Center Maj. Gen. R. Nugraha Gumilar, claimed that the information obtained by the hacker was outdated, thereby attempting to downplay the event. Subiyanto took the incident as quite a slap in the face for the TNI, reacting almost immediately.
The process to establish this new force began quickly. At a joint session of the House of Representatives and the Regional Representative Council on 16 August 2024, the chairman of the People’s Consultative Assembly (MPR), Bambang Soesatyo, suggested the creation of the service. If created, the cyber force would become the fourth force after the army, navy, and air force.
This decision should be welcomed, as strengthening cybersecurity in Indonesia is a must. Indonesia has experienced a significant increase in cyberattacks since the beginning of 2024. According to the Indonesian-based civil society organisation on digital rights, SAFEnet, the frequency of events has doubled compared to data from the same period last year. Despite this, in Southeast Asia region, Indonesia is placed behind Malaysia, Singapore and Thailand in assessments of its cybersecurity capability level by the National Cyber Security Index. Indonesia’s vulnerability is what led to a failure of the TNI to protect itself.
However, before going further, the TNI needs to weigh up a few vital issues. The establishment of this new force must be comprehensively examined through consultation with various parties, especially relevant experts.
Given predictions that it will consume quite a substantial amount of the military budget, the establishment of the cyber force should not hamper the modernisation of the TNI’s main weaponry system, as this equipment will define Indonesia’s deterrence and active combat capabilities far into the future. Furthermore, Indonesia is currently failing to meet the minimum essential force. Without the right amount of personnel, the cyber force will be a hollow shell from the very start.
Next, the TNI needs to establish clear lines of demarcation and communication with existing institutions that deal with cyber security, most especially the civilian agencies. The Ministry of Communication and Informatics and the National Cyber and Crypto Agency must work closely with this new force. It’s crucial that the establishment of the cyber force does not create any overlap of authority between institutions, which would become a cyber vulnerability itself.
To avoid overlapping authorities, new legal and updated frameworks are necessary. The TNI Law, the National Defence Law, the Law on the Management of National Resources for National Defence (PSDN), and the Presidential Regulation on the organisation of the TNI must all be amended. Moreover, the cybersecurity and cyber resilience draft bill, which will fortify protection and security regulations for all data, will require additions based on changes to the other laws.
Finding the right personnel for the force will be an issue as well. While the TNI might find the number of people easily, it will be initially difficult to assess quality. Cyber and military culture are often opposed to one another, meaning the more experienced individuals in the cyber field might initially baulk at the thought of being in uniform. Finally, the TNI will be actively competing with multiple parties in recruiting and retaining qualified cyber personnel. The TNI will need to provide a competitive offer to potential recruits to attract the most qualified personnel and will have to tailor it to the culture it seeks to engage with directly.
It will also be crucial for the government to set clear boundaries on the powers of the force itself in order to uphold human rights and prevent encroachment from the military into civil spaces. There are concerns that the force’s projected offensive ability to control cyberspace will hinder people’s critical voices and freedom of expression. Should threats arise, whether domestically or internationally, this force—like all military forces—can be used against its own people in times of crisis.
In preparing for the establishment of a cyber force, Indonesia can look at Australia, which recently officially established a new cyber command. This command is designed to strengthen the ADF and work across its existing services. The equally-recently signed Defence Cooperation Agreement between Australia and Indonesia provides the perfect platform for Indonesia to explore the process of establishing their cyber force as the ADF sets up its own. In doing so, it can avoid many of the pitfalls before they ever happen.
Is the establishment of a cyber force a pressing need? Yes. Is it ambitious? Yes. Can it fail? Yes—if it is rushed.