securing e-commerce environment in indonesia

8/14/2019 Securing e-Commerce Environment in Indonesia

1/22

FTII.id-FIRST

Securing e-Commerce

Environment in Indonesia:

SME IT-Security & Role of

.id-FIRST in Public-

Private Cooperation towards Effective

Reporting of ICT-incidents, Cyber Crimes

Prevention and Sharing of Threat InformationBy Idris F Sulaiman PhD

International Affairs Advisor/Economist

Indonesia Information Technology Federation (IITF)

E-Security Task Group APECTEL 29th Meeting, Hong Kong, March 22, 2004


2/22

FTII.id-FIRST

TopicsTopics

1) Introduction:

Indonesia ICT Status, Usage by SMEs, and

Cyber Fraud

Barriers to Usage and to Security Awareness

2) Indonesias IT Security Forum (ID-FIRST), ID-ISP-

CERT & work on IT Security for SMEs

3) Concluding comments

1) Introduction:

Indonesia ICT Status, Usage by SMEs, and

Cyber Fraud Barriers to Usage and to Security Awareness

2) Indonesias IT Security Forum (ID-FIRST), ID-ISP-

CERT & work on IT Security for SMEs

3) Concluding comments


3/22

FTII.id-FIRST

Indonesia - ICT Status - Telephony

Population: over 220 mil., over 110 mil. on Java Island (Q104)

Telephone density:

National: Fixed ~ 3 %; Cell/Mobile ~ 6%; Total ~ 9.1%(Q303)

Fixed wire line : ~ 8 millions (3.63% at 30.06.2003) Cellular Mobile : ~ 14.5 millions ( 30.06.2003)

Local Fixed Wireless Access : Started in some cities

Major cities have adequate teledensity

The Metropolitan City of Jakarta > 40% Other major cities ( eg Medan, Surabaya, Bandung, Semarang) >

11%

Villages and secondary cities have low teledensity

Eastern Indonesian towns: 2.04%

Remote Rural Areas : 0.2% (43,000+ villages with no telephonelines out of 70,000 villages)

World average of rural connectivity ~ 50%

Over 65% unconnected villages: Higher than World Average

Telephone Kiosks/Cafes : over 200.000


4/22FTII

.id-FIRST

Indonesia ICT Status - Internet

Internet/ISP subscribers: 900,000 (est.)

Internet users: 8,500,000 (est.) of 220 m. population - less 1%penetration one of the lowest in the Asia Pacific region

ISPs: over 200 licenses but only 43 operational and 10 ISPshave nearly 80% of the Internet users market share

Warnet (Internet Kiosk): over 2,500 (Warnets are populars placein large cities in main islands as centers of ICT access)

Computer ownership: 0.01-0.05% (less than one to 5 PCs per100 household for rural and urban areas) but there is a high rateof public access (Warnets are growing in the major cities).


5/22FTII

.id-FIRST

Cyber Fraud Status : Indonesia joins the Top-10

#1 by percentage & #3 by total volume

10India10Malaysia

9Bulgaria9Germany

8Lebanon8Nigeria7Turkey7Turkey

6Egypt6India

5Israel5United Kingdom

4Ghana4Israel

3Pakistan3Indonesia

2Nigeria2Canada

1Indonesia1USA

RankingCountryRankingCountry

Percentage

Transactions

Top Countries by

of Fraudulent

Total Volume

Transaction

Top Countries by

of Fraudulent

Source:

January 2004 edition of US VeriSigns Internet Security Intelligence Briefing report


6/22

FTII.id-FIRST

Internet Usage of SMEs

Survey of 227 companies (50:50 small - 5-25 employees and medium - 26-3000employees) conducted by the Asia Foundation and CastleAsia Group (2002), 153companies 67% used the Internet, 41% started within 1-2 years prior to the survey and are maintaining strong

growth with 20% joined in 2002.

Internet access is slow with 93% of user using dial-up connections because other connections(Cable - 2%, Leased line - 1%, Satellite - 1%, Wireless - 1% and others - 2%) are not available orare too expensive. Of all companies surveyed 86% use Internet to access E-mail (90% with buyersand 48% with suppliers).

Asia Fundation Foundation study is based on a survey in 12 cities on Java,

Sumatra, Sulawesi, Kalimantan and West Nusa Tenggara (Bali and Lombok) conductedbetween August and November 2001.

Distribution: the manufacturing sector (51%), distribution and trade (20%), Hotel andtourism (11%), telecom/IT (6%), business service (6%) and others (6%). Ratio of smallto medium-sized companies was 45:55

Export Manufacturing SMEs ("The Main Internet Users"), the Net is regarded as highly importantwith their regular meetings at trade shows. They use email to to effectively cut the costs ofcommunications.

Domestic Manufacturing SMEs ("Prospective Users") appear to regard the Net as less importantperhaps because many suppliers and buyers are not online and therefore companies still preferfacsimile communications.


7/22

FTII.id-FIRST

Internet Usage of SMEs (2)

All users use the Internet for communications with overseas buyers (100%),some for research (25%), promotion (23%), following trend set by competitors(16%), and as a business requirement (13%). Only

A minority it appears are using the Internet to satisfy customers (9%),

following the requirements of a donor program (6%), wanting to engage in e-commerce (3%) and other reasons (5%).

The donor program is called Technical Assistance Training Program (TATP)of the Information Infrastructure Development Program from the World Bank.It assists SMEs to make better use of the Internet by assigning them with localISPs ended in July 2003.

Tourism SMEs are one of the most intensive Internet users: receive emailsfrom repeat clients or inquiries to their listings on websites or e-commerce portals.

SME usage of the Internet is encouraging particularly for export-oriented

SMEs, the difficulties of on-line payment and low awareness make the useof ICTs by domestic oriented SMEs still low

Overseas large Online Buyers often play a very important role


8/22

FTII.id-FIRST

Barriers to Usage & Security Awareness

* First, internal to the SMEs: Management-related skills, English andInternet Etiquette, Computers and Costs of Acces

Second, external to SMEs:

International Perception of Security and Safety in Indonesia:This is an overwhelming concern to SMEs. Most of the 227 SMEsinterviewed say that various security breaches in Indonesia during2000-2001 had a direct impact on their sales.

There were no indications if the Internet could serve as a tool to

somehow bypass security concerns, particularly since many SMEsrely on direct visits from buyers at the early stage of the transactionprocess.

It is too early to indicate the results of recent efforts by Indo.com,Rajacraft.com and others since January 2003 to regenerate tourist

visits and re-ordering of goods. Nevertheless, the aftermath of therecent Iraq war and SARS virus scare could have a negative impacton tourism and also many SME sales in Indonesia.


9/22

FTII.id-FIRST

Barriers to Usage & Security Awareness (2)

Issues external to SMEs (continued):

Educational Issues and Poor IT support issues:

SMEs that are the more traditional non-users (who had no interest in the Internet)often lack entrepreneurial drive to expand their businesses, do not create productssuitable to changing market demands and do not market their products on and off-lineas do the more successful SMEs. The lack of such skills in the traditional-style SMEssuggest the need for improving the public school curriculum and teaching methods of

privately run business training programs especially outside Java and Bali.

Quality of Connectivity to ISPs: According to the surveyed SMEs, because ofvariable quality of connectivity to ISPs due to the variable quality of telephone linesand the long distance network, limited bandwidth and access numbers and little

support capabilities of ISPs. Greater competition in fixed and leased line provision orspecial subsided pre-paid Internet (e.g. pre-paid Hotmail by Microsoft Thailand) orsubsidized rates at Internet Cafe could lower ISP costs and improved connectivity andservices.


10/22

FTII.id-FIRST


Issues external to SMEs (continued)

Potential Increase in Cost of Connectivity - due to possible risesin telephone tariff (& subscription) that are higher than inflation rates

Potential Decrease Cost of Connectivity Decrease - due to lowerfixed wireless access tariff and subscription (TelkomFlexi, Esia, etc.),use of new wireless technologies (eg. Wi-Fi, Wi-Max)

Potential increase use of Mobile/Cellular phones and greater

use of multimedia-marketing due to use of new technologies(SMSs to CableTelevison, innovative SMS content but SMS spam?)


11/22

FTII.id-FIRST


Issues external to SMEs (continued): Competition for Telephone Lines, Poor Access and Limited Service: As

reported in the CastleAsia survey in 2002, in each of the 12 cities there hasbeen a standstill on the installation of new telephone lines.

Poor Quality of ISP and slow speed

Potential Rises in the Cost of Connectivity due to plannedincreases for telephone connection charges and subscription

charges

Potential Improvements due to the low-cost access of FixedWireless Access services from alternative providers Telkom-

Flexi, Esia and other

TRUST IS


12/22

FTII.id-FIRST

Building Blocks of Cybersecurity

(1) Legal Development:Enactment of E-Transaction Law (RUU-ITE)

(2) Enforcement Capacity Building:IT / Cybercrime Unit, National Police (POLRI-BARESKRIM) and Jakarta

Metro Polices Cybercrime Unit are building their forensic capabilities and

training investigator specialists; Intensive training commenced in February

2004

(3) Need for Awareness Building: Law that is not known is

not enforced. Law that is not enforced is not a (real) law...

(4) Information sharing and Industry Cooperation:

motivated the Indonesia IT Federation to establish .id-FIRST

TRUST-IS-

#1-ISSUE

I f


13/22

FTII.id-FIRST

.id-FIRST Background

Forum for Awareness Raising & Industry Cooperation

Forum forICT-incident Response and

Security Teams (id-FIRST) established in March 2003by the Indonesia Information Technology Federation Work on 8 member IT associations (software, hardware, wireless,

internet and phone kiosk, game and animation, satellite and cellular)

(APJII, ASPILUKI, APKOMINDO, ANIMA, INDO-WLI, AWARI, ASSI,ATSI)

Network of Response Security Teams (ID-CERT & ID-ISP-CERT/APJII) Teams with security teams of each

industry associations

Initial service: Mailing list [email protected] - statistics collection

(see ISP Association website, www.apjii.or.id/ Statistik)

Infosec

Forum


14/22

FTII.id-FIRST

.id-FIRST Vision

Vision:

to maintain and improve ICT securityamong its members as well associety at large

through the promotion of bestpractice in ICT security and theculture of security


15/22

FTII.id-FIRST

.id-FIRST Culture of Security

Our definition

-adopted from the "OECD Guidelines for the Security of Information Systems andNetworks: Towards a Culture of Security". This document was adopted as aRecommendation of the OECD Council at its 1037th Session on 25 July 2002

Nine principles:

1) Awareness: Team members should be aware of the need for

security of information systems and networks and what they can do to

enhance security.

2) Responsibility: All Team members are responsible for the securityof information systems and networks.

3) Response: Team members should act in a timely and co-operative

manner to prevent, detect and respond to security incidents.

4) Ethics: Team members should respect the legitimate interests of

others.

5) Democracy: The security of information systems and networks

should be compatible with essential values of a democratic society.


16/22

FTII.id-FIRST

.id-FIRST Culture of Security

the culture of security Nine principles (continued):

6) Risk assessment: Team members should conduct risk

assessments.

7) Security design and implementation: Team membersshould incorporate security as an essential element of

information systems and networks.

8) Security management: Team members should adopt acomprehensive approach to security management.

9) Reassessment: Team members should review and reassessthe security of information systems and networks, and makeappropriate modifications to security policies, practices,

measures and procedures.


17/22

FTII.id-FIRST

.id-FIRST work on SMEs

Plans for Indonesian-language guideline on SME IT-security and theculture of security using extl references ( AOEMA, NOEI, etc.)

Translate business cases for (large) corporations to the context ofSMEs in Indonesia.

Business case for large corporations in Indonesia can be similar tothose in developed countries (where the case covers risk andconsequence analysis, legal and contractual obligations, fiduciary duty ofdirectors, liability to clients and business partners). The large companies willhave their views/perspective covered much like in developed countries.

Consensus SME-IT-Security Indonesian Approach (might be differentto developed country SMEs): Indonesia SMEs operate in a very differentenvironment where there is minimal role for contractual arrangements andlaw enforcement is problematic. Planned collaborations on IT-Security

with SME Consultants (ASEMHAKI, HUKEI & others), IndonesiaCountry Gateway (World Bank-funded), Regional and National Forumfor SME (Forda-Asia Fdn-funded) and Citizen-Consumer ICT watchdog,Indonesia ICT WATCH

Providing advice on the latest anti-virus and other best day-to-day security

precautionary routines. Strengthening ISP (ID-ISP-CERT) support for SMEs(ISP Association - APJII.or.id website).

Implementing the Cyberstrategy:


18/22

FTII.id-FIRST

Implementing the Cyberstrategy:

Some responsibilities of ID-ISP-CERT

provide advice to on information systems' security

matters

To its stakeholder (eg. ID-ISP-CERT)

To SMEs and the public

establish an incident reporting scheme and

liaise with the Police regarding incidents on an

exception reporting basis

ID-FIRST: Indonesia Forum of ICT-Incidence Response and Security Teams (est March

2003) has a reporting scheme organized with ID-ISP-CERT at [email protected]_whichalso collaborates with ID-CERT (academic CERT)

Working towards Security Standards:


19/22

FTII.id-FIRST

Working towards Security Standards:Anti-cybercrime .id-FIRST Code Of Conduct

For Indonesia, consultations and work with within ISP

industry towards Code of Code for ISP (under

discussion from 2003 but needs to wait for the

Cyberlaw/RUU-ITE to be enacted). Banking is next.

ID-FIRST and ID-ISP-CERT provide input to POLRI and

Min. of Communication & Information work towards MoUon ICT Security (to be signed shortly in 2004).

Cyberlaw/RUU-ITE scheduled for enactment in 2005

ID-ISP-CERT in cooperative liaison with:

International and regional CERTs

ISPs and Law Enforcement Agencies on voluntary basis


20/22

FTII.id-FIRST

Various Security Initiatives

Current on-going .id-FIRST activities: Banking Fraud and IT Security - new ID-Banking Security Team planned

Critical Infrastructure (Indonesia Internet eXchange) - 3 IIXs in Jakarta

Considering models of cybersecurity: InfraGuard (Est. 1996, US)Trusted Networks of Industry & Govt (AU), Warning, Advice & Reporting

Points (WARPs - UK) and GOVCERT (Netherlands) Information Sharing & Analysis Center (ISAC): Conceived in US under

PDD63 (1998) for coordination between organizations in each CNI sector (Energy,

Banking/Finance, Telecommunications, Transport and others). Examples in: IT,

Banking, Energy, & Telecom Predictive ISACs do not normally share reports outside their own (paying)

membership

C l diSo


21/22

FTII.id-FIRST

Concluding comments

IT security focus should be preventive than reactive butwe need to provide business cases for collective SME ITSecurity activities & link access promotion with security

Some late-comer advantages for Indonesia on tech issuesbut consensus building & learning takes time.

.id-FIRST endeavors to achieve: Consensus & Self-regulation Approach to IT-Security may be best

Different situation in Indonesia to many developing & developedcountry SMEs): Legal and enforcement environment might be verydifferent, many extra levies from regional governments since decentralization

Collaborations with SME Consultants, Civil society Organizations and

Donor Agencies are keys to accelerating IT security improvements Many IT Security initiatives depend on the following:

I Legal developments (Cyberlaw draft / RUU-ITE enactment due 2005 butCyber Crime and Privacy provisions still need improvements)

I Information sharing and cooperation (support needed)I Security and technical guidelines (support needed)

I Awareness raising & education campaign (support needed)

So

What?


22/22

FTII.id-FIRST

Terima Kasih - Thank You - Xie-xie

For further informationFor further information::

Idris F. Sulaiman, PhDIdris F. Sulaiman, PhD

International Affairs AdvisorInternational Affairs Advisor

Indonesia Information Technology FederationIndonesia Information Technology Federation

Tel: +62 21 5296 0634 Fax: +62 21 5296 0635Tel: +62 21 5296 0634 Fax: +62 21 5296 0635Email:Email: [email protected]@indo.net.id

Address: 11th Floor, CyberAddress: 11th Floor, Cyber--ElektrindoElektrindo Building, Jl.Building, Jl. Kuningan BaratKuningan BaratNo.8, Jakarta 12710, IndonesiaNo.8, Jakarta 12710, Indonesia

Please visit:Please visit: www.FTII.or.idwww.FTII.or.id

www.Securewww.Secure--IndonesiaIndonesia--FIRST.or.id (FIRST.or.id (.id.id--FIRSTFIRST))

www.www.ICTwatchICTwatch.com.com

securing e-commerce environment in indonesia

Documents