LEGAL UPDATES BY BEPARTNERS
Technology, Media & Telecommunication
Cybersecurity Protocols for Teleconferences

The New Norm?

25 April 2020
Indonesia currently prioritises the functions of ‘Critical National Infrastructure[1]’,  in its continuation to prioritise and ensure health, safety, and wellbeing of society. This unprecedented situation sees a surge in most, if not all, private and public companies working from home (“WFH”) as companies are left with no choice due to further extended large-scale social restrictions (“PSBB”) until the 22 May.
 
Even the Indonesian Supreme Court, Attorney General’s Office, and the Ministry of Law and Human Rights has followed suit in the utilisation of teleconferencing as per the signing of the Cooperation Agreement of the implementation of trails through teleconference on 13 April[2].
 
Teleconferences are the new norm in order to accommodate upsurges of teleworking (e.g. Zoom, Google Suites and teleconferencing), where cyber protocols and policies have been developed by countries cyber enforcement agencies to combat inflationary cyber risks upon data privacy of individuals and companies.
 
BSSN is the governmental body that is responsible for any cyber security issues with afforded functions such as preparation, implementation, monitoring and evaluation of technical policies for the identification, detections, protection for cyber vulnerability, cyber incidents and/or cyber-attacks in Indonesia. Whilst there were efforts to pass a draft bill on cybersecurity in 2019 (“Cybersecurity Bill”) to establish an overseeing comprehensive bill it ultimately failed to pass the requirement to be enacted.
 
As such, prevailing legal framework for cybersecurity in Indonesia is dispersed over a number of different regulations. Nonetheless, the main reference for cybersecurity in Indonesia still refers to Law No. 11 of 2008 regarding Information and Electronic Transactions, as lastly amended by Law No. 19 of 2016 (“EIT Law”). However, EIT Law regulates more so on the prohibition of cyber incidents (including, hacking, denial-of-service, phishing, identity theft) than describing the specific forms of cyber security that can be applied in Indonesia. Depending on the context, other regulations may have specific cybersecurity framework applicable to e-commerce businesses.
 
This article will address the procedures and recommendations stipulated by Indonesia’s State Cyber and Cryptography Agency (“BSSN”), in efforts to ensure effective implementation of cyber security protocols in order to curb and tackle several potential cyber risks/incidences associated with the increasing transition towards teleconferences.
 
Current Cyber Attacks
 
The Increase of remote works provides for more data footprints which in turn will undoubtedly result in more cyber risks for companies and individuals. The prevailing legal framework for cybersecurity in Indonesia is dispersed over a number of different regulations. Nonetheless, the main reference for cybersecurity in Indonesia still refers to Law No. 11 of 2008 regarding Information and Electronic Transactions, as lastly amended by Law No. 19 of 2016 (“EIT Law”).
 
- Phishing
Generally phishing can be considered a fraudulent act under the Indonesian Criminal Code (Kitab Undang-Undang Hukum Pidana – “KUHP”), which is subject to a maximum of four years of imprisonment. Depending on the phishing methods being used, a phisher may also be charged with the provisions under the EIT Law. For instance, phishing through ‘covert redirect’, or unlawful transfer of electronic information, is punishable with a maximum imprisonment of 12 years and/or at a maximum fine of IDR 12 billion as per the EIT Law.
 
Example – ‘CoronaLive1.1’
Threat actors have taken advantage of the current situation through an application called ‘CoronaLive1.1’. This app is supposedly to be used to view various information and updates about the Covid-19 spread. The mobile-based CoronaLive1.1 is openly sold on SpyNote and Mobihok. According to BSSN’s spyware analysis[3], whilst the application is running it requests access to location and media storage, where the application can also take pictures, record videos by remotely activating the microphone and camera. It is malicious spyware as threat actors can access various sensitive data stored on the device.
 
- Interruptions during Video-Conferences
 Although there is no specific charge for interruptions, these are extremely inconvenient  and cause disruptions during conference calls with clients.
Teleconferencing Cyber Protocols/Measures
 
In combating the above, BSSN have released comprehensive whitepaper guidelines addressing steps that can be taken by companies and/or individuals holding teleconferences to protect data among other factors.
 
1. Preparation of facilitating Video Conferences[4]
 
Proper facilitation of ensuring the secureness of video conference applications, communication devices, and networks should be reviewed for cybersecurity reasons.
 
Video Conference Application:
- Use video conference applications that are official with the most up to date version and downloaded from official sources;
- Use applications, which has encryption features, end-to-end encryption, private chat capability, communications links, and the likes which can be activated during the teleconference.
- Select an application that has the ‘restrictions’ feature, so when all participants have joined the conference this will prevent others from entering without approval.
- Ensure that the ID, PIN or Password is frequently updated and changed from time to time.
 
Communication Devices:
 Hosting Side
- Use strong keywords (at least 8 uppercase and lowercase character and special combinations) for meeting passwords.
- Monitor and verify each participant who has and will join the Conference.
- If available, activate the ‘restrictions’ feature when all participants have joined the conference.
 
 Client Side
- Use devices belonging of personal property or company issued for video conferencing activities.
- Ensure the latest version of the official operating system is installed on the device used.
- Ensure the device has antivirus/anti-malware installed and regularly updated.
- Do not upload teleconferencing screenshots that display meetings ID, participant’s name or other limited information.
 
Work Environment / Network
- Conduct the teleconference in a secure work environment by ensuring there are no sensitive written information in the background (e.g. on whiteboard) that is within the camera range.
- Strongly recommended to use personal and/or trusted internet networks with an official Virtual Private Network (VPN)
- If possible do not use internet networks in public places like cafes, malls or restaurants.
 
2. Guidelines on Communicated Classified Information[5]
 
Recommendations regarding substances of information that should not be conveyed during teleconferencing.
 
Technical/Substance Side:
- Delete conversation history considered to be classified and ensure that it is not saved in the application’s database.
- Use encryption mechanisms or keywords for data or meeting records teleconferencing that will be stored both on cloud-based storage media and on each device.
- Ensure the truth of information to be conveyed and know the capacity of participants as the owner and sender of information.
- Be aware of the laws and regulations relating to classification of information and legislation concerning information and electronic transactions.
 
3. Steps to Secure the Video Conference[6]
 
Confidential and sensitive information is often discussed at meetings. Wrong disclosure may lead to violations of data privacy regulations.
 
Prioritise network Security:
- Ensure the video platform uses Session Boarder Controller (SBC) to manage traffic, including searching and blocking suspicious connections.
 
Importance of Encryption:
- Network security with encryption is an absolute must for video conferences.
 
Self-protection with “Permission”:
- Permission should be spread to those authorised to join the conference to prevent unwanted participants who have accidentally joined the call.
 
Create and Comply Policies for Video Conferencing:
- Policies are required to be made including the regulating of the system’s use, safe utilisation of mobile and remote devices and what information course can be delivered at the time of the teleworking (e.g. NIST SP 800-46 Revision 2).
 
4.  Best Practices for Effective Video Conferences[7]
 
Prior to the Video Conference:
- When using an unfamiliar device or location, carry out a test connection beforehand.
- Fulfilment of steps from abovementioned 1-3.
 
Duration of the Video Conference:
- Require all participants to share their audio and video.
- Request participants if they’re location is noisy or is no longer conversing.
 
Over-The-Top (OTT) Services
 
Applications such as Zoom, Netflix, and Spotify are just some examples of OTT services that are currently operating in Indonesia without any physical presence and local representatives. In such a case, supervision by BSSN and the Ministry of Communications and Informatics (“MCI”) is relatively limited in their capability to oversee every single OTT Services provided in Indonesia.
 
Hence, we note that the government is exploring to require overseas digital business who has fulfilled certain thresholds (e.g., number of traffic or users in Indonesia) to appoint a local representative. This also in line with government’s efforts implement taxation schemes for overseas digital businesses in the near future. For specific information on OTT services tax collections please refer to our previous article on the “Government to Accelerate Tax Collection on Overseas Digital Business Due to Covid-19”.
 
Conclusion
 
Cybersecurity and internal protocols to secure teleconferencing privacy is of great significance for the security of Critical National Infrastructures and businesses in such a fragile situation. What businesses should be looking to invest is in their cybersecurity protocols and information security programs, or at the very least, strengthen their internal policies of teleworks. Although cybersecurity programs rarely increase revenue, they almost certainly protect it[8].
 
It is of paramount importance for companies, regardless of the size of operations, to ensure their cyber security network and protocols are up to date to combat the potential risks of continuous teleworking through applications such as Zoom.
 
If there are any queries with regards to how this may affect your business, please contact us for further legal consultation.
 
This information does not, and is not intended to, constitute as legal advice; instead, all information, content, and materials are for general information only.
 
©2020. BE Partners. All Rights Reserved

[1] State Cyber and Cryptography Agency (BSSN), ‘Video Conference Applications Security Recommendations’, [Online] accessed through https://cloud.bssn.go.id/s/PfXXAdqK3CT3kd7#pdfviewer

[2] Supreme Court of Indonesia, ‘Memorandum of Understanding on the Implementation of Trials through Teleconference’, [Online] accessed through https://badilum.mahkamahagung.go.id/berita/pengumuman-surat-dinas/2951-perjanjian-kerjasama-tentang-pelaksanaan-persidangan-melalui-teleconference.html

[3] State Cyber and Cryptography Agency (BSSN), ‘CoronaLive1.1 APK’, [Online] accessed through https://bssn.go.id/analisis-spyware-coronalive1-1-apk/

[4] State Cyber and Cryptography Agency (BSSN), ‘Video Conference Applications Security Recommendations’, [Online] accessed through https://cloud.bssn.go.id/s/PfXXAdqK3CT3kd7#pdfviewer pg 3\

[5] State Cyber and Cryptography Agency (BSSN), ‘Video Conference Applications Security Recommendations’, [Online] accessed through https://cloud.bssn.go.id/s/PfXXAdqK3CT3kd7#pdfviewer

[6] ibid

[7] ibid

[8] Dan Raywood, 'The Short-Term Impact Of #COVID19 On The Cybersecurity Industry' (Infosecurity Magazine) [Online] accessed through <https://www.infosecurity-magazine.com/news-features/short-impact-covid19-industry/>.