Cyber Law in Asia

Indonesia

Government Structure


Do they designate a lead cyber security agency within the government?

The draft legislation designates the National Cyber and Encryption Agency (Badan Siber dan Sandi Negara, "BSSN").  See Draft Law Concerning Cyber Security and Resilience (Draft Cyber Law), Article 1, Paragraph 18.  

Is oversight provided on a centralized or sectoral basis?

Centralized.  Under the draft legislation, the BSSN is empowered to provide general cybersecurity oversight.  See, e.g., Draft Cyber Law, Article 16.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

The draft law includes critical information infrastructure as part of a broader category of "national cyber infrastructures," which also include national digital infrastructures, electronic-based government administration infrastructures, and other electronic system infrastructures in accordance with the laws and regulations.  These sectors are to be designated by regulations under the BSSN.  See Draft Cyber Law, Article 12, paragraphs 1-4.

How do they designate within these sectors?

Designation within sectors is to be determined by the BSSN.  See Draft Cyber Law, Article 10, paragraph 4.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes.  Every "cyber security and resilience provider" must mitigate "cyber threat risks" to protect the "object of cyber security" by taking seven specific steps outlined in the law, as well as under "specific standards set by BSSN" yet to be determined.  See Draft Cyber Law, Articles 12-13.  Additionally, Article 14 prescribes specific steps in responding to a cyber incident or cyber attack, and Article 16 requires compliance with "specific standards set by BSSN" yet to be determined in these threat responses.

Does it take a risk-based approach?

Yes.  Cyber threats will be placed into four categories: no hazard, low hazard, medium hazard, and high hazard, to be defined by regulation.  See Draft Cyber Law, Article 15.

Do the security measures enable the use of international standards?

No.  Indonesia's cybersecurity draft legislation is very prescriptive, and directs compliance with strict steps outlined in the law itself, see Draft Cyber Law, Articles 12 and 14, and "specific standards set by BSSN," see Draft Cyber Law, Articles 13, 15-16.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

No.  The requirements of the draft legislation are specific and stringent, and therefore incompatible with NIST CSF.  See, e.g., Draft Cyber Law, Articles 12(2), 13(1), 14(2).

Do they include prescriptive or technology-based security measures?

Yes.  While it is not yet clear whether the framework is technology-based, as the full implementing regulations have yet to be written, the security measures are prescriptive.  See, e.g., Draft Cyber Law, Articles 12(2), 13(1), 14(2).

Incident Reporting

Are there mandatory incident reporting requirements?

Yes.  Every "cyber incident" or "cyber attack" must be reported.  See Draft Cyber Law, Article 14(2).

Are there clear thresholds above which an incident should be reported?

Yes.  The reporting threshold is set by the statutory definitions.  A "cyber incident" is defined as a "Cyber Threat causing a Cyber electronic system to malfunction," Article 1(5), and a "cyber attack" is defined as a "Cyber Threat causing an object of Cyber security to be inoperable, in part or in whole, and/or temporarily or permanently," Article 1(6).  A "Cyber Threat" is in turn defined as "all attempts, activities, and/or actions, whether domestic or foreign, considered and/or proven to possibly weaken, harm, and/or impair Indonesia's Cyber Interest."  Article 1(4).

How do they determine the timeline within which an incident must be reported?

As yet, there is no reporting timeline required under the draft legislation.  See Draft Cyber Law, Article 14(2)(b).

Threat Information Sharing

Have they established a national threat information sharing entity?

No.  While entities are required to report incidents and attacks to BSSN, there is no requirement or indication of broader threat information sharing. See Draft Cyber Law, Article 14(2)(b).

Does this entity share information out to industry, as well as receiving information?

N/A

Is threat information sharing mandatory for any private sector entity?

No.  Incident and attack reporting is mandatory, but there is no mandate for broader information sharing.  See Draft Cyber Law, Article 14(2)(b).

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Not specifically.  However, the draft legislation provides that BSSN has the authority to "conduct investigations, prosecutions, and impose administrative sanctions," Draft Cyber Law, Article 44(f), and to "perform assessment, testing, penetration of electronic system access security, and/or audit of Cyber Security and Resilience," Article 44(g), which could be interpreted to require access for these purposes.

Are there requirements to cede control of facilities in an emergency situation?

No.  There is not a specific requirement in the draft legislation that entities cede control of facilities in emergencies.

Are there requirements to provide source code or other decryption capabilities?

No.  There is not a specific requirement in the draft legislation to provide source code or decryption capabilities to the government; however, implementing regulations would impose further security requirements on entities.  Additionally, under a separate regulation, a private electronic service operator (ESO) must provide access to its system and data for supervision and law enforcement purposes.  See GR 71/2019 Article 21; see also Agus Ahadi Deradjat, Indonesia Issues Important New Regulation on Electronic (Network and Information) Systems, Lexology (Oct. 30, 2019).

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.  The draft legislation does not require a local presence.

Are there requirements to localize data?

No as to the draft legislation, but in some cases as to electronic information systems generally.  A private electronic service operator (ESO) may only locate its data and/or system outside of Indonesia if the location does not diminish supervision by state ministries or law enforcement, and the entity provides access to the system and data for supervision and law enforcement purposes.  See GR 71/2019 Article 21; see also Agus Ahadi Deradjat, Indonesia Issues Important New Regulation on Electronic (Network and Information) Systems, Lexology (Oct. 30, 2019).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes.  The draft legislation contemplates the imposition of an administrative fine if the legislation's standards in mitigation and incident response are not met, see Draft Cyber Law, Article 22; if a certified cyber device is not used, see Article 23; if a cyber security provider operates without a license or accreditation, see Articles 24-25; or if a professional organization issues a certificate of professional competency without accreditation, see Article 26.  It does not specify the amount of the fine.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

No.  While the draft legislation does contain a criminal section, it indicates criminal sanctions for causing interference or malfunctioning of national cyber infrastructures, or for creating or distributing a device to do so, not for failing to meet cybersecurity requirements.  See Draft Cyber Law, Articles 68-72.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

Currently, Indonesia's key cybersecurity law is in a draft stage only.

South Korea

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The National Cyber Security Center (NCSC), which is a center of the National Intelligence Service. The Center works closely with the Korea Internet & Security Agency (KISA), which is a sub-organization within the Ministry of Science and ICT.

Is oversight provided on a centralized or sectoral basis?

Sectoral. CIIs are overseen by the central administrative agencies which designated them as CIIs. See Act on the Protection of Information and Communications Infrastructure, Articles 5-8.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

Under PICIA, the law provides a nonexhaustive list of what is considered critical infrastructure: "The term 'information and communications infrastructure' means electronic control and management system related to the national security, administration, defense, public security, finance, communications, transportation, energy, etc. and information and communications network under Article 2 (1) 1 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc."  See Act on the Protection of Information and Communications Infrastructure, Article 2(1).

How do they designate within these sectors?

The heads of central administrative agencies have the authority to designate CIIs within their jurisdiction by considering the five criteria listed in the Act on the Protection of Information and Communications Infrastructure, Article 8, Section (1).

The Minister of Security and Public Administration may designate information and communications infrastructure of an organization managed and supervised by the head of a local government as critical information and communications infrastructure, in consultation with the head of the local government, or revoke such designation. Act on the Protection of Information and Communications Infrastructure, Section (4).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. The head of a management organization is required to formulate and implement measures to protect critical information and communications infrastructure. These developed measures must be submitted to the relevant head of a central administrative agency. Any necessary measures required will be prescribed by Presidential Decree.  See Act on the Protection of Information and Communications Infrastructure, Article 5.

Does it take a risk-based approach?

Yes.  The head of a management organization is required to analyze and evaluate the vulnerabilities of critical information and communications infrastructure on a regular basis (as prescribed by Presidential Decree) and must take these evaluations into account when formulating security measures.  See Act on the Protection of Information and Communications Infrastructure, Articles 5 and 9.

Do the security measures enable the use of international standards?

While the Act on the Protection of Information and Communications Infrastructure does not specify whether organizations may comply using international standards, Article 26 of the Act provides that the Government "shall ascertain international trends concerning the protection of information and communications infrastructure and promote international cooperation."  See Act on the Protection of Information and Communications Infrastructure, Article 26.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

The Act on the Protection of Information and Communications Infrastructure provides very broad guidelines that may enable the use of NIST CSF, but NIST has not identified Korea as a compatible jurisdiction. See International Resources, Adaptations, NIST.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. When the head of a management organization "recognized that the occurrence of intrusion incidents has led to the disturbance, paralysis or destruction" of CIIs, the head must report to the relevant agency. See Act on the Protection of Information and Communications Infrastructure, Article 13.

Are there clear thresholds above which an incident should be reported?

No.

How do they determine the timeline within which an incident must be reported?

There is no mandatory timeline within which an incident must be reported pursuant to national guidelines.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. Under the Act, the head of a management organization must report to the relevant agency when an intrusion incident "has led to the disturbance, paralysis or destruction" of CIIs, see Act on the Protection of Information and Communications Infrastructure, Article 13, and the National Cyber Security Center (NCSC) posts threat information that related organizations can check and act on. See NCSC Annual Review 2019, 19.

Does this entity share information out to industry, as well as receiving information?

Yes. "NCSC and related organizations…can check the posted information and take responsive measures," indicating that the NCSC shares information out to related organizations as well as receiving it.  See NCSC Annual Review 2019, 19.

Is threat information sharing mandatory for any private sector entity?

No.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No. The Act contains no physical-access requirement. It does provide that the Committee may establish a Countermeasures Headquarters to provide support and take emergency measures; any further matters concerning the "organization and operation of the Countermeasure Headquarters" are prescribed by Presidential Decree.  See Act on the Protection of Information and Communications Infrastructure, Article 15.

Are there requirements to cede control of facilities in an emergency situation?

Unclear.  Pursuant to Article 7, "specialized institutions prescribed by Presidential Decree" may "provide technical support" where the Chairperson of the Committee believes that inadequate measures to protect the critical information and communications infrastructure of a specific management organization are likely to cause harm to national security and the economy and society as a whole, and therefore issues an order to supplement such measures.  See Act on the Protection of Information and Communications Infrastructure, Article 7.

However, "the Director of the National Intelligence Service shall not provide technological support to any information and communications infrastructure which stores personal information, such as financial information and communications infrastructure..."  Id.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

Yes. The Aug. 30, 2018 Amendment to the Network Act requires certain offshore information communication service providers which do not have an address or place of business in Korea, to appoint a local representative responsible for Korean data privacy compliance. See Yulchon LLC, Amendments to the Network Act Coming into Effect in 2019, Lexology (Jan. 8, 2019).

Are there requirements to localize data?

Yes. Under the current IT Networks Act, the transfer of Korean personal information by an IT service provider from Korea to an offshore country requires specific user consent. (As an exception, it suffices to disclose offshore transfers, typically in a privacy policy, insofar as the transfers are both "necessary" for the carrying out of the services and designed to enhance the user's convenience.)  An August 30, 2018 amendment to the Network Act applies these same restrictions to onward transfers that take place after the initial offshore transfer of personal information. Korean regulators will be able to impose restrictions on the transfer of Korean PI to offshore IT service providers (online/connected services and goods) if and to the extent that those businesses' home jurisdictions restrict the transfer of PI overseas.  See Kwang Hyun Ryoo et al., Korean data law amendments pose new constraints for cross-border online services and data flows, Lexology.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes. Any person who "disturbs, paralyzes, or destroys" CIIs can be punished by a fine up to 100 million won. Any person who "divulges any confidential information secret" can be fined up to 50 million won. Individuals may also be subject to administrative fines, up to 10 million won. See Act on the Protection of Information and Communications Infrastructure, Article 28.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. Any person who "disturbs, paralyzes, or destroys" CIIs can be punished by up to 10 years imprisonment with labor. Any person who "divulges any confidential information secret" can be punished for up to 5 years imprisonment with labor. See Act on the Protection of Information and Communications Infrastructure, Article 28.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Act on the Protection of Information and Communications Infrastructure was enacted on January 26, 2001 and last amended on Mar. 23, 2013.

The Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act) was enacted on and last amended on August 30, 2018.


© 2023 by National Cyber Law Project Reference Site


Disclaimer: The material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason University.  It is not legal advice.  Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions.  The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.