The Urgency of Defining Indonesia’s National Critical Infrastructure

: Indonesia has experienced millions of cyber attacks but it has never been able to be handled properly and completely, partly because of weak policies and conventional perspectives in understanding cyber threats. A country's vital infrastructure is related to a country's national interests, so threats to vital infrastructure are tantamount to threatening Indonesia's national interests. The level of use and dependence of a country on information and communication technology is directly proportional to the level of security and defense vulnerability in a country. Communication network connectivity and information technology cause security in this domain to become a separate issue in itself. This study aims to outline the importance of Indonesia to establish a national vital infrastructure in Indonesia to prepare Indonesia to face threats in the fifth domain. Determination of national vital infrastructure is urgent because it is closely related to the determination of jurisdiction, national defense and security policies in the cyber domain. This research is a normative study using a comparative approach. The results showed that Indonesia still uses a conventional perspective in seeing the form of threats and determining national vital objects as stipulated in Presidential Regulation No. 63 the year 2014. Therefore, to face the threats of defense, security as well as national interests of Indonesia in the cyber domain, the government needs to evaluate existing policies by the modern threats, as well as to establish and define Indonesia's vital national infrastructure.


INTRODUCTION
Information technology changes battles that exist in physical domains such as land, sea, air, and space by using kinetic weapons into modern wars that are in the virtual domain and use non-kinetic weapons 1 . Cyber power has now become a major part in new war concepts and doctrines based on modern technology. Developed countries have established virtual domains as new war domains and become part of their country's sovereignty that must be maintained. Mastery of this capability makes cyber capability the most influential instrument in almost all levels of conflict because it is able to provide new techniques to increase the speed, scale and strength of military attacks 2 . Cyber attacks are considered very dangerous because they can cause various disturbances and physical impacts on humans or other objects without crossing national borders 3 . One of the main problems that arise from cyber threats is the anonymity of attacks and connectivity between infrastructure networks (both civilian and military). The Office of Science and Technology Policy underlines the danger of vulnerability due to the interconnectivity between national infrastructures, cybernetics networks are basically a combination of networks, interconnected and interdependent. Interactions between these subsystems affect overall network performance. Interactions between subsystems cannot be predicted and sequential; these interactions can be random, asynchronous, and unpredictable 4 .
Currently, Indonesia has experienced millions of cyber attacks but cannot be handled properly; this is partly due to the lack of policies related to cyber threats that cause limited perspectives on existing cyber threats. Cyber threats even though the attack technique is identical but can be distinguished based on the actor, motive, and target of the attack. Some experts in analyzing cyber attacks use strict liability and target-based approaches, where both approaches require the definition of a country's critical infrastructure. Indonesia currently still uses Presidential Decree No. 63 year 2004 concerning Security of National Vital Objects. This policy still uses conventional perspectives on threats and safeguards against Indonesia's vital objects. Therefore, the government must evaluate the policy to be adapted to the current modern threat model 5 .

RESEARCH METHODS
This research is a normative legal research with a statue and comparative approach.

RESULTS AND DISCUSSION 1. The Impact of Cyber Threat
The technology revolution has significantly changed the strategic security environment. The information technology application in modern society makes the security environment change rapidly and significantly, including in the defense sector. The information technology revolution brings positive impacts as well as important negative impacts to be aware of in various forms of cyber threats. Therefore, this type of threat has become the attention of many countries in the world because it is able to provide a real significant threat to the security, defense and national interests of a country.
The urgency of managing threats in this domain encourages countries to prioritize their regulatory policies and the budget provided to minimize and protect their cyber domains. For example; The UK in carrying out cybersecurity strategy to achieve the vision of "UK is secure and resilient to cyber threats, prosperous and confident in the digital world" budgeting for 1.9 Billion Pounds for 2016-2021, this budget increased from the previous amount of 860 Million Pounds to carry out cybersecurity strategy for the period April 2011 -March 2016 6 . The budget amount and the increase in the budget of each period shows that cyber threats cannot be underestimated; this is also confirmed by the National Security Strategy which states that the cyber threat as a Tier One risk to United Kingdom interests. According to the British Defense Secretary, this budget is used in response to increased cyber threats through the full spectrum of cyber military capabilities to increase attack capability, military range capabilities. This defense budget is invested in sophisticated capabilities to conduct surveillance and intelligence to keep the country safe 7 .
Similar to Britain, America considers that the cyber domain as a key sector of the global economy because it is able to drive the innovation and economy. On the other hand, the developments of information technology confront America with new security challenges that make cyber threats a serious and significant threat to national economy and security 8 . The Director of National Intelligence stated that the cyber threat is the number 1 strategic threat in the U.S that replace the terrorist threat that first appeared in 911 9 . The US cybersecurity budget continues to increase every year. In 2017 US cybersecurity provided $ 19 Billons which increased 35% from 2016 to $ 14 Billion. This budget is used to support a broad-based cybersecurity to secure the government, improve the security of important infrastructure and technology, invest in equipment and the future labor force and strengthen America in order to better control digital security. In particular, this budget is to encourage the Cyber security National Action Plan in order to increase the cybersecurity level in the government's digital ecosystem as a whole 10 . The chart shows that cyber threats are one of the threats to Indonesia's national defense. The chart is in line with the potential threats chart from non-state which shows that cyber threats are increasing every year. From the data above, the government should increase awareness, speed, and accuracy in responding to various forms of threats to the Indonesian defense, including cyber threats. From the 1990s to the present, various cyberthreat cases such as cyberwarfare and cyber espionage have opened many countries' awareness of the importance of a country to be aware of cyber threats which are increasingly sophisticated and dangerous and able to influence the security and national interests of a country. The success of a cyber attack is not only measured by physical damage, but its impact on the stability, economic condition of a country and basic services to civil society such as electricity, water, transportation, communication as well as emergency services. Several cases of cyberwarfare, including: 1. North Korea's cyber attack on Sony Pictures Entertainment in November 2014 is considered as the one of the latest cyber attacks that harm American entities. This attack is destructive and also copies of unreleased films and thousands of important data containing information about celebrities, employees and Sony's business activities 11 . 2. Russian cyber attacks on the Estonian information technology infrastructure network in 2007, this attack almost caused the paralysis of Estonian economic activities due to the high dependence on the use of information technology infrastructures in Estonia, including communication, banking where the majority of banking transactions in this country are run electronically 12 . 3. CIA Agent cyber attacks on computer speed control pumps and gas valves worked out of control which caused Soviet-owned gas pipelines in the Siberian region to explode and were recorded as the largest explosion ever besides a nuclear bomb 13 . 4. The US and NATO cyber attacks in 1998 succeeded in crippling and deceiving air defense and Serbian air traffic controllers before the bomb attack on Serbian targets in Kosovo 14 . In addition, it also blocked the Yugoslav communication network during the conflict 15 . A similar strategy was . Indonesia became the second largest country hit by this virus, but the motive and impact of the virus attack were unknown, especially to Indonesia, although this virus was also allegedly made to retrieve important information on organizational infrastructure in certain countries 28 . These cases show how cyber attacks can be used systematically to disrupt and weaken the defense systems, public infrastructure systems, economic systems, and other national vital infrastructure networks related to the safety and security of a country. In addition, cyber attacks cause high economic losses and increase every year. According to cybersecurity ventures, in 2017 global economic losses due to cyber attacks of $ 3 Trillion are predicted to reach $ 6 Trillion every year starting in 2021. This loss count includes damage and data destruction, lost productivity, stolen money, theft of personal and financial data, fraud, theft of intellectual property, embezzlement, postattack disruption, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm 29 . In a report in 2017, the Cost of Cybercrime Study conducted by the 2017 institute phenomenon in seven countries including America, Germany, Japan, Britain, France, Italy, and Australia shows America is at the top of the country experiencing the highest losses with average losses. Annually reaching $ 21 million and Australia in the lowest position with annual average losses of $ 5.41 Million 30 . From the study, the value of losses experienced by industry shows that the financial services sector ranks top followed by utilities and energy then aerospace and defense. 22 Chen, T.M., 2013. An assessment of the department of defense strategy for operating in cyberspace. Army War College Carlisle Barracks Pa Strategic Studies Institute. 23 Lindsay, J.R., 2013. Stuxnet and the limits of cyber warfare. Security Studies, 22(3), pp.365-404. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/, http://www.businessinsider.com/stuxnet-was-far-moredangerous-than-previous-thought-2013-11?IR=T&r=US&IR=T, http://newatlas.com/south-korea-stuxnet-cyberweapon/30977/ Accessed 23 September 2018 24 http://www.inquiriesjournal.com/articles/1343/stuxnet-the-worlds-first-cyber-boomerang, http://www.news.com.au/technology/online/security/alex-gibney-film-gives-chilling-insight-into-the-world-of-statesponsored-cyber-warfare-unleashed-by-stuxnet/news-story/a7063ae03dcb5cd6ed2a576d6a8ea9dc, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet Accessed 23 September 2018 25 http://teknologi.news.viva.co.id/news/read/166993-trojan-scada-hantui-iran-indonesia-india, http://www.antaranews.com/berita/222505/apa-itu-stuxnet Accessed 23 September 2018 26 Rp. 194.6 billion from 2015 to 2016 and this number will increase every year 32 . The cyber attacks impacts should be a future lesson in dealing with potential cyber threats that are far more dangerous and complex. The attack shows clearly how cyber attacks can be used systematically, effectively and efficiently in weakening, disrupting systems related to defense, security, economic conditions and political conditions of a country. There are no politically motivated cyber attacks on Indonesia that can be handled properly and only a few attacks on economically motivated cases that can be handled indicate ineffective policies and institutions that should be able to deal with these complex threats. Therefore, the government immediately takes steps to deal with cyber threats which are increasingly sophisticated, systematic and more dangerous. This effort is carried out by strengthening the policy and integrated institutions in addressing cyber threats in the future. Weak policies create a lot of legal loopholes so that the handling of cyber threats becomes ineffective and often misguided because there are no separate domains of enforcement and handling of threats and "unknown" levels of cyber attacks on Indonesia. The weakness of the existing policies also influences the narrow viewpoint, which leads to the weakness of the relevant institutions that are authorized to handle cyber threats. Cyber domain is multidomain of almost all institutions related to Indonesia's defense, security and national interests. Therefore this domain must be managed by many relevant institutions because of its multispectrum nature. Furthermore, the international convention is required to regulate cyberwarfare by developing the existing international law principles or by expanding the definition and scope of conventional war provisions. This provision will harmonize the perspective and understanding in order to minimize debate and interpretation so that it can provide maximum protection to the population and civilian objects.

Cyberattack Analysis Apporach
To analyze the use of non-conventional weapons there are three models of analysis, including; Instrument based, Consequence-based and Strict Liability 33 . The instrument-based approach views whether damage/harm/destruction caused by a previous attack method can be obtained by kinetic attacks. For instance cyber attacks to disable electricity networks are automatically qualified as armed attacks because in general to disable the electricity network is carried out by dropping bombs on power plants. According to the consequence-based approach, equating cyber attacks with kinetic attacks is irrelevant and attention should be focused on the cyber attacks impact on the country. Such as cyber attacks to manipulate banking and economic service information so that disrupting trade in a country can be declared an armed attack. Manipulating information is not same as the kinetic attack but if the consequences can disrupt a country's economic activities it is considered as armed attack. According to the strict liability approach, cyber attacks on vital infrastructure are automatically considered as armed attacks. This approach was proposed by W.G. Sharp to justify the anticipation of "self-defense" before the harmful/dangerous impacts arise from the potential of cyber attacks. He stated that "... the penetration by the state into sensitive computer systems such as command and control systems, missile defense computer systems, and other computers that maintain the safety and reliability of a nuclear stockpile, should be by their very nature be presumed a demonstration of hostile intent ... " 34 . Duncan Holis uses 3 approaches to determine when a cyber attack can be called the use of armed force. First, the "instrumentality approach" approach, which argues that cyber 31 https://inet.detik.com/security/d-3081840/kerugian-akibat-kejahatan-cyber-tembus-usd-150-miliar Accessed 23 September 2018 32 https://www.merdeka.com/teknologi/ini-jumlah-kerugian-finansial-korban-kejahatan-cyber.html Accessed 23 September 2018 33 Kazinec, D., 2011. Issues of cyber warfare in international law (Doctoral dissertation, Mykolas Romeris University). 34 Elin Jansson Holmberg, armed attack in cyberspace: do they exist and can they trigger the rights to self defense?.Thesis.Stockholm University. 2015 UNIFIKASI : Jurnal Ilmu Hukum, p-ISSN 2354-5976, e-ISSN 2580-7382 Volume 06 Nomor 02.2019 https://journal.uniku.ac.id/index.php/unifikasi attacks cannot be categorized as armed attacks in accordance with article 2 (4) because they do not have physical characteristics associated with military attacks. Second, the "target-based approach", that cyber attacks are considered as armed attack if the attack penetrates the vital national infrastructure system even though the attack does not cause physical harm or loss of life. According to him, this is an inclusive approach because the nature of cyber attacks has a broad impact. Third, "consequence approach", this approach emphasizes on the consequence of cyber attacks. Cyber attacks that are intended to have an impact that is usually generated by kinetic power can be referred to as an armed attack. According to Sharon, this approach does not take into account the damage caused by cyber attacks which, despite causing little physical damage. He states that; "A cyber attack that shuts down any part of a nation's critical infrastructure may have an effect that is much more debilitating than a traditional military attack. The threat in such a situation may be more terrorizing and harmful than a traditional armed attack 35 .

Critical Infrastucture Definition in several countries
Indonesia does not use the term "vital infrastructure" but uses the term "national vital object". Presidential Decree No. 63 year 2004 defines national vital objects as areas/locations, buildings/installations and/or businesses that related to life sustainability, the state interests and/or strategic resources of state income. Included in the category of national vital objects are objects that produce daily basic needs; threats and disturbances to it result in casualties against humanity and development; threats and disturbances to it result in national transportation and communication chaos; and/or threats and disturbances to it result in disruption of the administration of government. The definition is still very limited and uses a tangible point of view, even though national vital objects have broad categories. This affects the security model and response of the authorities if there is a cyber attack on the national vital object. Infrastructure can be referred to as a vital infrastructure if the disruption to the infrastructure can result in a significant socio-economic crisis and potentially undermine the stability of a society, causing a political, strategic and security impact. There are three factors used to define vital infrastructure, namely; the symbolic importance of the infrastructure, the immediate dependence on infrastructure and the complex dependencies 36 . To define national vital objects, we can compare several definitions of vital infrastructure that exist in other countries and international organizations. In comparison, the US in the Presidential Decision Directives -PPD 63 1998 defines vital infrastructure as: "Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. Critical Infrastructure include, but are not limited to, telecommunications, transportation, energy, finance and banking, water systems and emergency services, both private and governmental" 37 . The USA PATRIOT Act 2001 defines critical infrastructure as systems and assets, whether physical or virtual, so vital to the U.S that the incapacity or destruction of such systems and assets would have a debilitating impact on national economic security, national security, national public health or safety, or any combination of those matters 38 . The United States has 16 sectors which are included in the category of vital infrastructure whose assets, systems, networks both physical and virtual whose inability or damage will affect the national security, national economy, public health or safety or a combination of these impacts. In the 2013 Presidential Policy Directive / PPD-21, several sectors were included in the critical infrastructure category and appointed sector-specific agencies (SSA): Source : (Presidential Policy Directive 21, 2013) According to PPD-21, The Office of Infrastructure Protection leads and coordinates national programs and policies on the security and resilience of vital infrastructure while building strong partnerships across government agencies and the private sector. This office is also responsible for conducting and facilitating vulnerability and impact assessments to help understand and deal with risks to these vital infrastructures 39 . In this PPD-21 there are 3 strategies to strengthen the security and resilience of vital infrastructure, namely; Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience; and Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure 40 .
Malaysia uses the term Critical National Information Infrastructure (CNII) and defines it as those assets (real and virtual), systems and functions that are vital to their nation's destruction. They will have a devastating impact on 41 : 1. National defense and security; guarantee sovereignty and independence whilst maintaining internal security. 2. National image; Projection of national image towards enhancing stature and sphere of influence. 3. Government capability to functions; maintain order to perform and deliver minimum essential public services. 4. National economic strength; Confidence that the nation's key growth area can successfully compete in global market while maintaining favourable standards of living. 5. Public health and safety; delivering and managing optimal health care to the citizen European Union defines Critical infrastructure as "Means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, security, safety, health, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions". Critical infrastructure is defined as a European Critical Infrastructure if a vital infrastructure in a member country which if disturbed or destroyed will have a significant impact on at least 2 member countries. The significance of the impact is assessed based on cross-cutting criteria 42 . Included in the European Critical Infrastructure covers 2 major sectors and their subsectors, illustrated in the table as follows; Ocean and short-sea shipping and ports Source : (EU Commission, 2008) From these definitions there are several similar patterns that are used to define critical infrastructure, including that (1) protected objects are tangible and intangible (virtual, system, program) objects, (2) attacks on both objects are considered to disturb the security and national interests, (3) efforts to influence, disrupt and disable an infrastructure that is not limited to destructive attacks which are considered as attacks on the state, (4) all fields categorized as vital objects are objects related to security state, governance, supporting and sustaining the national economy, the interests of fulfilling the basic needs of the people. Therefore, Presidential Decree No. 63 year 2004 concerning national vital objects must be reviewed, including a security model to deal with cyber threats against all vital objects and objects that have not been categorized as vital obedience but have fulfilled these categories. At least the government must determine 11 critical infrastructure, including the Defense and Security Sector, Government Sector, Transportation Sector, Financial Services Sector, Health Sector, Technology, Information & Communication Sector, Energy Sector, Water Sector, Defense Industry Sector, Manufacturing Sector, Food & Agriculture Sector.

CONCLUSION
The Interconnection of information and communication technology infrastructure networks, both civil and military, makes the security of vital national infrastructure increasingly vulnerable. The government must immediately improve policies on national vital objects that still use conventional approaches in understanding modern threats. By establishing a national vital infrastructure, efforts to protect national interests and sovereignty of Indonesia in the cyber domain with a combination approach of strict liability and consequence based approach can be carried out. In addition, cyber attacks in Indonesia can be handled effectively and efficiently by the appropriate and authorized institutions.