E-Security Task Group APECTEL 29th Meeting, Hong Kong, March 22, 2004

Securing e-Commerce Environment in Indonesia: SME IT-Security & Role of .id-FIRST in Public-Private Cooperation towards Effective Reporting of ICT-incidents, Cyber Crimes Prevention and Sharing of Threat Information
By Idris F Sulaiman PhD
International Affairs Advisor/Economist Indonesia Information Technology Federation (IITF)

FTII

.id-FIRST

Topics
• 1) Introduction:
– Indonesia ICT Status, Usage by SMEs, and Cyber Fraud
– Barriers to Usage and to Security Awareness
• 2) Indonesia’s IT Security Forum (ID-FIRST), ID-ISP-CERT & work on IT Security for SMEs
• 3) Concluding comments

Indonesia - ICT Status - Telephony
• Population: over 220 mil., over 110 mil. on Java Island (Q1’04)
• Telephone density:
– National: Fixed ~ 3%; Cell/Mobile ~ 6%; Total ~ 9.1% (Q3’03)
– Fixed wire line: ~ 8 million (3.63% at 30.06.2003)
– Cellular Mobile: ~ 14.5 million (30.06.2003)
– Local Fixed Wireless Access: started in some cities
– Major cities have adequate teledensity
  • The Metropolitan City of Jakarta > 40%
  • Other major cities (e.g. Medan, Surabaya, Bandung, Semarang) > 11%
– Villages and secondary cities have low teledensity
  • Eastern Indonesian towns: 2.04%
  • Remote Rural Areas: 0.2% (43,000+ villages with no telephone lines out of 70,000 villages)
  • World average of rural connectivity ~ 50%
  • Over 65% unconnected villages: higher than world average
– Telephone Kiosks/Cafes: over 200,000

Indonesia ICT Status - Internet
• Internet/ISP subscribers: 900,000 (est.)
• Internet users: 8,500,000 (est.) of 220 m. population - less than 1% penetration, one of the lowest in the Asia Pacific region
• ISPs: over 200 licenses but only 43 operational, and 10 ISPs have nearly 80% of the Internet users market share
• Warnet (Internet Kiosk): over 2,500 (Warnets are popular places in large cities on the main islands as centers of ICT access)
• Computer ownership: 0.01-0.05% (less than one to 5 PCs per 100 households for rural and urban areas), but there is a high rate of public access (Warnets are growing in the major cities).

Cyber Fraud Status : Indonesia joins the Top-10

#1 by percentage & #3 by total volume

Ranking   Top Countries by Total Volume     Top Countries by Percentage
          of Fraudulent Transactions        of Fraudulent Transactions
1         USA                               Indonesia
2         Canada                            Nigeria
3         Indonesia                         Pakistan
4         Israel                            Ghana
5         United Kingdom                    Israel
6         India                             Egypt
7         Turkey                            Turkey
8         Nigeria                           Lebanon
9         Germany                           Bulgaria
10        Malaysia                          India

Source: January 2004 edition of US VeriSign’s “Internet Security Intelligence Briefing” report

Internet Usage of SMEs
• Survey of 227 companies (50:50 small - 5-25 employees and medium - 26-3000 employees) conducted by the Asia Foundation and CastleAsia Group (2002), 153 companies
– 67% used the Internet; 41% started within 1-2 years prior to the survey, and growth remains strong, with 20% joining in 2002.
– Internet access is slow, with 93% of users on dial-up connections because other connections (Cable - 2%, Leased line - 1%, Satellite - 1%, Wireless - 1% and others - 2%) are not available or are too expensive. Of all companies surveyed, 86% use the Internet to access e-mail (90% with buyers and 48% with suppliers).

The Asia Foundation study is based on a survey in 12 cities on Java, Sumatra, Sulawesi, Kalimantan and West Nusa Tenggara (Bali and Lombok) conducted between August and November 2001. Distribution: the manufacturing sector (51%), distribution and trade (20%), hotel and tourism (11%), telecom/IT (6%), business service (6%) and others (6%). Ratio of small to medium-sized companies was 45:55.
– For Export Manufacturing SMEs ("The Main Internet Users"), the Net is regarded as highly important with their regular meetings at trade shows. They use email to effectively cut the costs of communications.
– Domestic Manufacturing SMEs ("Prospective Users") appear to regard the Net as less important, perhaps because many suppliers and buyers are not online and companies therefore still prefer facsimile communications.

Internet Usage of SMEs (2)
• All users use the Internet for communications with overseas buyers (100%), some for research (25%), promotion (23%), following the trend set by competitors (16%), and as a business requirement (13%).
• Only a minority, it appears, are using the Internet to satisfy customers (9%), following the requirements of a donor program (6%), wanting to engage in e-commerce (3%) and other reasons (5%).
– The donor program is called the Technical Assistance Training Program (TATP) of the Information Infrastructure Development Program from the World Bank. It assists SMEs to make better use of the Internet by assigning them with local ISPs; it ended in July 2003.
• Tourism SMEs are one of the most intensive Internet users: they receive emails from repeat clients or inquiries to their listings on websites or e-commerce portals.
• SME usage of the Internet is encouraging, particularly for export-oriented SMEs; the difficulties of online payment and low awareness keep the use of ICTs by domestic-oriented SMEs low.
• Large overseas online buyers often play a very important role.

Barriers to Usage & Security Awareness
• First, internal to the SMEs:
– Management-related skills, English and Internet etiquette, computers and costs of access
• Second, external to SMEs:
– International Perception of Security and Safety in Indonesia: This is an overwhelming concern to SMEs. Most of the 227 SMEs interviewed say that various security breaches in Indonesia during 2000-2001 had a direct impact on their sales.
– There were no indications of whether the Internet could serve as a tool to somehow bypass security concerns, particularly since many SMEs rely on direct visits from buyers at the early stage of the transaction process.
– It is too early to indicate the results of recent efforts by Indo.com, Rajacraft.com and others since January 2003 to regenerate tourist visits and re-ordering of goods. Nevertheless, the aftermath of the recent Iraq war and SARS virus scare could have a negative impact on tourism and also on many SME sales in Indonesia.

Barriers to Usage & Security Awareness (2)
• Issues external to SMEs (continued):
– Educational Issues and Poor IT Support Issues: SMEs that are the more traditional non-users (who had no interest in the Internet) often lack entrepreneurial drive to expand their businesses, do not create products suitable to changing market demands and do not market their products on and off-line as do the more successful SMEs. The lack of such skills in the traditional-style SMEs suggests the need for improving the public school curriculum and the teaching methods of privately run business training programs, especially outside Java and Bali.
– Quality of Connectivity to ISPs: The surveyed SMEs report variable quality of connectivity to ISPs, due to the variable quality of telephone lines and the long-distance network, limited bandwidth and access numbers, and little support capability at ISPs. Greater competition in fixed and leased line provision, or special subsidized “pre-paid Internet” (e.g. pre-paid “Hotmail” by Microsoft Thailand), or subsidized rates at Internet cafes could lower ISP costs and improve connectivity and services.

Barriers to Usage & Security Awareness (3)
• Issues external to SMEs (continued):
– Potential Increase in Cost of Connectivity - due to possible rises in telephone tariff (& subscription) that are higher than inflation rates
– Potential Decrease in Cost of Connectivity - due to lower fixed wireless access tariff and subscription (TelkomFlexi, Esia, etc.) and use of new wireless technologies (e.g. Wi-Fi, Wi-Max)
– Potential increase in use of mobile/cellular phones and greater use of multimedia marketing due to use of new technologies (SMS to cable television, innovative SMS content, but SMS spam?)

Barriers to Usage & Security Awareness (4)
• Issues external to SMEs (continued):
– Competition for Telephone Lines, Poor Access and Limited Service: As reported in the CastleAsia survey in 2002, in each of the 12 cities there has been a standstill on the installation of new telephone lines.
– Poor quality of ISPs and slow speed
– Potential rises in the cost of connectivity due to planned increases in telephone connection charges and subscription charges
– Potential improvements due to the low-cost access of Fixed Wireless Access services from alternative providers TelkomFlexi, Esia and others

Trust is the #1 issue

Building Blocks of Cybersecurity

• (1) Legal Development: Enactment of E-Transaction Law (RUU-ITE)
• (2) Enforcement Capacity Building: IT / Cybercrime Unit, National Police (POLRI-BARESKRIM) and Jakarta Metro Police’s Cybercrime Unit are building their forensic capabilities and training investigator specialists; intensive training commenced in February 2004
• (3) Need for Awareness Building: Law that is not known is not enforced… Law that is not enforced is not a (real) law…
• (4) Information sharing and Industry Cooperation: motivated the Indonesia IT Federation to establish .id-FIRST

Infosec Forum

.id-FIRST Background

• Forum for Awareness Raising & Industry Cooperation
• Forum for ICT-incident Response and Security Teams (id-FIRST) established in March 2003 by the Indonesia Information Technology Federation
– Work on 8 member IT associations (software, hardware, wireless, internet and phone kiosk, game and animation, satellite and cellular) (APJII, ASPILUKI, APKOMINDO, ANIMA, INDO-WLI, AWARI, ASSI, ATSI)
– Network of Response Security Teams (ID-CERT & ID-ISP-CERT/APJII) with security teams of each industry association
• Initial service:
– Mailing list abuse@apjii.or.id - statistics collection (see ISP Association website, www.apjii.or.id/ Statistik)

.id-FIRST Vision
Vision:
to maintain and improve ICT security among its members as well as society at large through the promotion of “best practice” in ICT security and the culture of security

.id-FIRST Culture of Security
Our definition is adopted from the "OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security". This document was adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002.

Nine principles:
• 1) Awareness: Team members should be aware of the need for security of information systems and networks and what they can do to enhance security.
• 2) Responsibility: All Team members are responsible for the security of information systems and networks.
• 3) Response: Team members should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
• 4) Ethics: Team members should respect the legitimate interests of others.
• 5) Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.

.id-FIRST Culture of Security
…the “culture of security” …
Nine principles (continued):
• 6) Risk assessment: Team members should conduct risk assessments.
• 7) Security design and implementation: Team members should incorporate security as an essential element of information systems and networks.
• 8) Security management: Team members should adopt a comprehensive approach to security management.
• 9) Reassessment: Team members should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

.id-FIRST work on SMEs
• Plans for an Indonesian-language guideline on ”SME IT-security and the culture of security” using external references (AOEMA, NOEI, etc.)
• “Translate” business cases for (large) corporations to the context of SMEs in Indonesia. The business case for large corporations in Indonesia can be similar to those in developed countries (where the case covers risk and consequence analysis, legal and contractual obligations, fiduciary duty of directors, liability to clients and business partners). The large companies will have their views/perspective covered much like in developed countries.
• Consensus SME-IT-Security Indonesian Approach (might be different to developed country SMEs): Indonesian SMEs operate in a very different environment where there is a minimal role for contractual arrangements and law enforcement is problematic.
• Planned collaborations on IT-Security with SME Consultants (ASEMHAKI, HUKEI & others), Indonesia Country Gateway (World Bank-funded), Regional and National Forum for SME (Forda-Asia Fdn-funded) and Citizen-Consumer ICT watchdog, Indonesia ICT WATCH
• Providing advice on the latest anti-virus and other best day-to-day security precautionary routines.
• Strengthening ISP (ID-ISP-CERT) support for SMEs (ISP Association - APJII.or.id website).

Implementing the Cyberstrategy: Some responsibilities of ID-ISP-CERT
• provide advice on information systems' security matters
– To its stakeholders (e.g. ID-ISP-CERT)
– To SMEs and the public
• establish an incident reporting scheme and
• liaise with the Police regarding incidents on an “exception” reporting basis
– ID-FIRST: Indonesia Forum of ICT-Incident Response and Security Teams (est. March 2003) has a reporting scheme organized with ID-ISP-CERT at abuse@apjii.or.id, which also collaborates with ID-CERT (academic CERT)

Working towards Security Standards:
Anti-cybercrime .id-FIRST Code Of Conduct
• For Indonesia, consultations and work within the ISP industry towards a “Code of Conduct for ISP” (under discussion from 2003 but needs to wait for the Cyberlaw/RUU-ITE to be enacted). Banking is next.
• ID-FIRST and ID-ISP-CERT provide input to POLRI and Min. of Communication & Information work towards an MoU on ICT Security (to be signed shortly in 2004).
• Cyberlaw/RUU-ITE scheduled for enactment in 2005
• ID-ISP-CERT in cooperative liaison with:
– International and regional CERTs
– ISPs and Law Enforcement Agencies on a voluntary basis

Various Security Initiatives
• Current on-going .id-FIRST activities:
– Banking Fraud and IT Security - new ID-Banking Security Team planned
– Critical Infrastructure (Indonesia Internet eXchange) - 3 IIXs in Jakarta
• Considering models of cybersecurity: InfraGard (Est. 1996, US), Trusted Networks of Industry & Gov’t (AU), Warning, Advice & Reporting Points (WARPs - UK) and GOVCERT (Netherlands)
• Information Sharing & Analysis Center (ISAC): Conceived in US under PDD63 (1998) for coordination between organizations in each CNI sector (Energy, Banking/Finance, Telecommunications, Transport and others). Examples in: IT, Banking, Energy, & Telecom
• Predictive ISACs do not normally share reports outside their own (paying) membership

So What?

Concluding comments

• IT security focus should be ‘preventive’ rather than ‘reactive’, but we need to provide “business cases” for collective SME IT Security activities & link access promotion with security
• Some late-comer advantages for Indonesia on tech issues, but consensus building & learning takes time.
• .id-FIRST endeavors to achieve:
– Consensus & Self-regulation Approach to IT-Security may be best
– Different situation in Indonesia compared with many developing & developed country SMEs: legal and enforcement environment might be very different, many extra levies from regional governments since decentralization
– Collaborations with SME Consultants, Civil Society Organizations and Donor Agencies are keys to accelerating IT security improvements
– Many IT Security initiatives depend on the following:
  • Legal developments (Cyberlaw draft / RUU-ITE enactment due 2005 but Cyber Crime and Privacy provisions still need improvements)
  • Information sharing and cooperation (support needed)
  • Security and technical guidelines (support needed)
  • Awareness raising & education campaign (support needed)

Terima Kasih - Thank You - Xie-xie
For further information:

Idris F. Sulaiman, PhD
International Affairs Advisor Indonesia Information Technology Federation

Tel: +62 21 5296 0634 Fax: +62 21 5296 0635 Email: idriss@indo.net.id
Address: 11th Floor, Cyber-Elektrindo Building, Jl. Kuningan Barat No.8, Jakarta 12710, Indonesia

Please visit:
• www.FTII.or.id
• www.Secure-Indonesia-FIRST.or.id (“.id-FIRST”)
• www.ICTwatch.com