The most-pressing world events explained by Lowy Institute experts and global contributors, in your inbox, every Wednesday.
You may unsubscribe from The Interpreter at any time. For information on our privacy practices and how to unsubscribe, see our Privacy Policy.
Indonesia, explained.

Why couldn’t Indonesia coordinate a faster response? (David Pupăză/Unsplash)
Regional partners assume a coordinated response – but in Indonesia, cyber authority on paper and in practice don’t match.
Imagine a cyber incident striking a major Indo-Pacific partner’s critical infrastructure. Your government has an active cooperation framework with that country – bilateral dialogues, shared threat intelligence, joint exercises. You want to offer technical support.
The question that follows may be more awkward than expected.
Who, exactly, are you offering it to?
In Indonesia’s case, the honest answer is that this question remains structurally unresolved.
In June 2024, a ransomware attack (Opens in new window) on Indonesia’s temporary national data centre resulted in weeks of disruption for 282 government agencies — including immigration services and airport operations. The incident drew extensive coverage. Most of it focused on the attack itself (Opens in new window): the sophistication of ransomware known as “Brain Cipher”, the government’s decision not to pay the ransom, the embarrassing sequel when the attackers released the decryption key for free. Less attention went to the harder question underneath: why couldn’t Indonesia coordinate a faster response?
The answer is not primarily technical. Indonesia’s national cybersecurity agency, BSSN, is designated (Opens in new window) as coordinator across government – but holds no enforcement authority over other agencies. During the incident, BSSN could not compel compliance with its own backup protocols – multiple affected agencies had simply not followed them.
Meanwhile, the military (TNI) had no formal mandate to assist and no established mechanism to operate alongside civilian responders. No pre-delegated authority existed for anyone to act decisively across institutional lines.
The result was weeks of paralysis that a more unified command architecture might have compressed into days.
Cooperation designed around capability transfer is less effective if the binding constraint is not capability but authority.
Indonesia has since moved (Opens in new window) to address this. Law No. 3/2025 formally assigns (Opens in new window) a cybersecurity mandate to the TNI. This matters – but a mandate is not an architecture. The law does not establish a joint command structure, define the conditions under which military capability can be employed, or create an operational integration mechanism between TNI and BSSN. Authority on paper and authority in practice remain two different things.
The reason this gap has persisted is not negligence but the product of a deliberate political settlement. Indonesia’s post-1998 reformasi framework imposed constraints on military involvement in civilian affairs – a corrective response to decades of Suharto-era military dominance. Any governance design that integrates TNI into civilian cyber response must manage that constraint to be politically viable. Legislation that simply expands the military’s mandate, without resolving the civilian oversight question, does not close the gap – it reframes it.
This matters beyond Indonesia’s borders. Australia (Opens in new window) and other regional partners have invested in bilateral cyber cooperation with Indonesia under frameworks that assume a partner capable of coordinated crisis response. Those frameworks are not misguided – but they may be misaligned.

Australia’s Joint Task Force 661 Defensive Cyber Operations team (Adam Abela/Defence Imagery)
Cooperation designed around capability transfer – sharing tools, exchanging analysts, running joint exercises – is less effective if the binding constraint is not capability but authority. That is, who can task whom, under what conditions, during an active incident. Until that question is resolved domestically, the value a partner can add in a crisis is limited by Indonesia’s internal architecture, not its technical readiness.
The governance literature on civil-military cyber integration points toward a solution: a joint operational body under civilian leadership, where military capability operates within a defined mandate rather than alongside one.
Research (Opens in new window) on Indonesia’s specific institutional constraints suggests a National Cyber Crisis Centre model – with BSSN providing civilian authority and TNI, Polri, and relevant ministries operating under that structure during declared incidents. This design preserves the reformasi principle of civilian primacy while enabling the kind of unified command that a major incident requires. It is a harder design problem than passing a law, but it is a solvable one.
The opportunity for partners is not to point out the gap, but to help close it. Cyber cooperation frameworks that include governance design assistance – helping Indonesia build the authority architecture, not just exchanging capabilities – would be both more durable and more strategically valuable. Concretely, this means treating institutional design as a deliverable, not a precondition. Indonesia is Southeast Asia’s largest economy and one of ASEAN’s most consequential middle powers. The question of who coordinates its cyber response during a crisis is not an internal technicality. It is a regional security question, and partners have every reason to care about the answer.
About the author
Fibriansyah Fatahillah
Fibriansyah Fatahillah is a dual master's degree candidate at the Naval Postgraduate School in Monterey, California (MS Information Systems & Technology / MS Applied Cyber Operations). Views expressed are the author’s own.