Transcript for:
AI Governance and Cybersecurity Strategies

a policy framework and regulations in place that's forward-looking, that is able to anticipate the challenges that we could foresee ourselves having in 10, 20 years. Now, however, of course, there's opportunities for AI, as we all know. It can make our day-to-day lives easier. It can automate certain routine tasks. It can, of course, spell check and do a lot of these things, which do take time.

And in a way, it can also help, because it's automated, be able to analyze massive data sets and come up with, you know, process a lot of data in a very short period of time, which could be difficult for humans to do. Now, of course, here we can also look a little bit more about how we see AI in terms of best practices for ourselves. You know, it is essential for us to identify, you know, what are the specific challenges that different security sector actors face, not just ourselves, but for example, how the armed forces may see and use AI differently as compared to the judiciary, for example.

It is also therefore important to have these guidelines that is, you know, based on exactly as I mentioned, the good principles of good SSG, as well as, you know, being aware of the different biases that it can exacerbate through its use. Then therefore, in that way, having a human in the loop is essential because we are able to pinpoint when, you know, there are different levels of accountability. And in this sense, then training security sector actors, training the people who are working in these institutions is therefore essential, as I've been mentioning throughout the whole time, because it's something that we can't let escape us. So in that sense, in this way, I think this is a very broad and general overview of how good SSG interacts with cybersecurity in terms of how we can make our institutions stronger, safer, have people who are working in these institutions more aware of the different challenges that we can face vis-a-vis having an infrastructure in place to regulate AI as well as address cybersecurity challenges.

So I am open to any questions. If I will be happy to take them now or at the end, and I leave this up to my moderators. But thank you very much for listening, and I look forward to the presentations of my other panelists.

Thank you, Dr. Don Lee. I think we should continue with our next speaker, and we're going to answer the questions at the end of the all four speakers session. I guess just to keep everything up to speed. And I think our next speaker is Arief Kusuma from Silver Lake.

Good afternoon, Mr. Arief. Good afternoon. Please, come in. Thank you.

Pak Wira, can you give my team, his name is Pak Riza, R-I-Z, because he will project my presentation because I'm outside doing something. And please give the authority to give him to share the screen. Yeah. Okay, uh, R-I-Z, Riza, I think. I think my team will, uh, project the screen. Oh, okay, okay. All right, all right. Sorry, can you set the screen? Okay. While waiting for the screen, I'm given by Pak Wira and Beni, my long-time friend, 12 minutes. I'd like to keep it simple, my presentation. The title is basically Cyber Attack Challenges Impacting Economy, Politics, and also Security in our country, in Indonesia.

So I think just to make everybody make sense, actually I would like to share two use cases, but I'm given only one use case, because I'm coming from a financial industry. So disclaimer, this use case has been greenlit by the Ministry of Communication and Information Technology.

I think the title, I would like to start with my story. So what has happened on June 20th, our national data center, in this case, the Ministry of Communication and Information Technology, we got hacked. You know, basically we get a ransom cyber attack, you know. So it involves, uh, I think if I'm not mistaken, around eight institutions: the Ministry of Communication and Information Technology, Indonesian Directorate General of Immigration, the Coordinating Ministry of Political, Legal and Security Affairs, National Threats and Cyber Agency, PT Telkom, and also KSO Telkom Sigma, Cyber Crime Police, Polri, AWS Indonesia, and the last, I think, the Ministry of Law and Human Rights. So these simple cyber attacks, actually, it started off with the governance.

So what has happened on the Thursday, on the 20th of June, basically our national data center got hacked at the Ministry of Communication and Information Technology. That is why our public services, in this case, our national airport, Bandara Soekarno-Hatta, was paralyzed. So basically there was a long queue of people doing things manually. But our Indonesian Director General Immigration, Pak Silmy Karim, assured the passengers traveling domestically and also internationally smooth, even though it takes longer time because they're doing this immigration check by manual things.

So what has happened on the Saturday, basically our PDN, our National Data Center, still work on progress. You know, the attack's still there. So the Coordinating Ministry of Political, Legal, and Security Affairs, Pak Hadi Tjahjanto, mentioning that there was a technical glitch. You know, what he say, a technical glitch still going on. And then what was the root cause is still unknown.

You know, what he said in the media and also social media. And then the ministry of the same day, on the Saturday, the Ministry of Communication and Information Technology also revealed that, you know, I assure you that we are still working on this, you know, optimally, and also how they can recover, you know, in a speedy response. But Cominfo, in this case, cannot know what was the root cause also, what was the disturbance, why everything is paralyzed. Okay. And the next day, basically on the Monday, on the 24th, our Ministry of Communication and Information Technology and also Cybercrime Police and also KSO Telkom Sigma still investigated comprehensively what was the root cause.

So they are still trying to fix this problem, this attack. They still cannot fix the data, still paralyzed in their data center. And then the Minister of Communication and Information Technology, Pak Budi Arie Setiadi, stated that the government will work closely and try to settle amicably with the hackers, and hopefully it will be settled. And then the same day, on the Monday 24th of June, finally everything is settled. So I think if you guys saw on the news that there was a settlement, we don't know how they settled in terms of financial value, but it was being settled and all the public services, not 100%, but not paralyzed, but basically 85% still working on the Monday.

So these three, four days, to me, as a practitioner, is a light nightmare. These simple things, because of the governance, because of our infrastructure, this cyber security attacks our national data center, very, very critical. Because when they attack this immigration, it will affect the service excellence of our immigration office. So I think, you know, this is the storyline.

So the next slide, please, Pak Beni. Next, next. Yeah. So in this introduction, basically, I think the definition of cyber attack, I have explained, you know, how they steal the data, how they lock the, you know, what they call it, the lock, they lock the data and also they encrypt the data, they lock also the data, the database, and also, you know, they ransom some amount of money.

So the brief of introduction I have explained in my storyline. Next, Pak Beni. So if you see the news, basically, they ransom, you know, a certain amount in terms of financial losses.

These hackers, they ransom quite significant amount of money. I think around 122 billion rupiah equivalent to close to 8 million US dollars for unnecessary things. And also it affects our public services. In this case, it's our immigration office. And also because of this, you know, you know, tragedy on this national data center, there was recovery costs burdened to the national budget.

So I think we need to allocate, you know, overall year on year around 700 billion, you know, rupiah equivalent to 46 million US dollars. And also our government tried to attract, you know, investor, you know, coming in. This is one of the incidents that really, you know, reputation is very expensive.

That is why a lot of investors like Tesla, you know, other manufacturing, they're reluctant to invest in Indonesia, not only bureaucracy. The red tapes, I think this kind of incident also affecting the confidence for them to do the long-term investment.

Next, Pak Beni. Yeah, I think for the political point of view, definitely the cyber attacks, Brain Cipher, ransomware, really affect our reputation, not only domestic, ASEAN, but internationally. How weak our cyber defense in terms of infrastructure. And also in terms of democracy, as you know that we face the elections and also we have also Pilkada in November.

And as you know, in other countries, this kind of attacks can also attack the polling, the election. So I think Indonesia is one of the weaker areas in this case, how this cyber attack can manipulate the counting of the voting for the elections. And also it creates the international tensions.

As you know, data is very important. Why a lot of multinational companies before the POJK, they must have data center in Indonesia. They prefer before the POJK to have the data center in Singapore, in India, in Singapore, or Hong Kong, because they don't trust our infrastructure.

A lot of this cyber attack happening. So many things. That's why they are afraid of this, what they call it national sovereignty or sovereignty of the state.

Next time, next. So in terms of security challenges, I think, you know, this data protection things needs to be improved, and also the evolution of malicious software, they are more advanced. As you know that this Brain Cipher is the variant of LockBit 3.0. I think they also attack one of the biggest Sharia institution in May 2023 last year. Next. So how we identify this vulnerability? Definitely like other companies, institutions, we need to have SOP, the proper SOP. So in our regular company, normally we have what we call it IT audit in infrastructure.

So I think the Ministry of Communication and Technology, I think they need to have this periodic security audit, how they identify the weaker area even though they have it. But I think the weakest area is more on the executions and also what are the weakest area in this case. And also they need to also doing the penetration tests. They need to do the simulation on testing of the system. I think they have more than 30 up to 50 satellite systems within the national data center. And also how they're monitoring suspicious activities. I think they need to execute it.

I believe they have the tools, but somehow, somewhat, these hackers still can penetrate their data center. And this is very important. Normally, what has happened on the 20th of June, the way they penetrate, they intrude the computer network of this Cominfo through email phishing. So email phishing is very simple, uh, because, uh, according to the survey, I think more executives, you know, they can, you know, easily get deceived by this email phishing. So I think the awareness of, uh, you know, email phishing needs to be started at the highest level, middle level, even the low level. Next. Uh, so financial operation, basically there is this ransomware, there is a compensation cost. As you know, it's a huge, significant amount of money. And also there is operational disruptions.

Reputational loss is very, very expensive for Indonesia because of that incidence. And also because of this, the investment from our national budget needs to be allocated. I think more than 46 million US dollars because of this. Next, Ben. So I think the use case, I have mentioned it.

Unfortunately, I cannot mention the other use case because I don't get the permission to share that, you know, what has happened in May. But it's okay. I think it's almost similar.

Basically, the analysis of... I've explained in my storyline and what other steps, you know, I think also I mentioned in the previous slide and then the long term, you know, impacts changes government cybersecurity strategies. So I think we need to have much more strategic action rather than tactical, you know, actions. Next. So basically to summarize it, the importance of how we have an integration approach, how to strengthen our cyber resilience in Indonesia.

And then last but not least, this is Indonesia facing the cyber attack, I think more on the reactive mode rather than proactive mode. And my last comment, closing statement is how we strengthen IT infrastructure, ranging from the core system, the satellite system, also including the servers, network.

And also, last but not least, our digital talent. I think Cominfo mentioning that every year we are lacking at least 600,000 people per year. So I think we need to have awareness and how we have digital talent much more, you know, provision in the near future. I think I close my presentations. I leave some inquiries, comments, maybe later after the third and the fourth panels.

Thank you so much. Yeah, thank you, Pak Arief Kusuma. I think it's really interesting to have somebody who knows what's happening behind the scenes to give us a little bit of insight, because the rest of the information is still classified apparently.

It's okay and we're moving on to our next speaker, Pak Yuda Kurniawan. Pak Yuda, okay it's all yours. Okay good afternoon everybody, thank you Pak Wira, thank you Mas Beni and of course thank you for having me and today I was I will make a disclaimer first.

I'm not a cyber security expert, but my previous work is one of parliamentary staff in Commission One of Parliament, DPR, the Indonesian parliament. I involved in the formulation of personal data protection law and I also noticed that the cyber security law or cyber security and resilience law, it also already came into national legislative program in 2019 to 2024, but yes, it has been delayed until this time. So I'm not the expertise of the cyber security, but I follow the, what you call, the history of the cybersecurity and resilience bill. So maybe I can share some of my experience to this webinar today. So if we look again to in the 2009, the discussion began about the cybersecurity and resilience bill. When the Commission One, or the DPR, the Parliament of Indonesia, initiated the Cyber Security and Resilience Bill, and then the bill was initiated by Parliament, and then came into the National Legislative Programme in 2019 to 2024. So, basically, the target to finish the law is 2024. But we know that until today, we don't have any and we don't yet finish the bill. And if I'm not mistaken, we have two or three meetings to discuss about the cybersecurity and resilience law or bill.

And one of the two meetings about that, I think the agenda is stopped, and then 2020 we're facing a COVID-19, 2021 to 2022 we're focusing on the personal data protection law, and then 2023 we have another agenda, we have another focus, like the digitalizations of the broadcast and then the revision of the transaction and electronic law. And then until today the status of the bill is, what they call it, the status is delays or stop. So we still, we still wait to the next period of the parliament, the new period of the parliament, whether we got carry over or not, and we should check the national legislative program. So if we talk about the Cyber Security and Resilience Bill, there are some urgency that why Indonesia must have the Cyber Security and Resilience Bill. So Indonesia called the Cyber Security and Resilience Bill because there are too many actors and too many sectors in Indonesia that too I can and must be too accommodate in the bill.

So preventing cybersecurity threats is number one. Why the reason that we need cybersecurity and resilience bill. The second is protection of cyber structure. And then the third is of course the cybersecurity governance, institutions and interagency coordinations. The fourth is international cooperation.

The fifth is law enforcement. And the last, but this is a very important, is funding, because if we talk about the institutions and interagency coordinations and then how this effectively operate the institutions, so we need to, we need to, what you call it, we need to address the problem funding. And then this fifth of the why the Indonesia needs some cyber security and resilience bill. And then if we look back to the Cybersecurity and Resilience Bill in 2019, we can see some provisions, actually.

First is the Cybersecurity and Resilience Bill talks about the definition of cybersecurity. Indonesia needs to define what is cybersecurity. Indonesia should be aware to identify what is cyber threat, cyber attack, or something tactically. And then one of the other provisions is the cyber security management.

It's about the institution, it's about how the institution will coordinate each other and of course a cyber security governance related to the how to respond, how to prevent the threat and etc. And the third is cyber security services. It's like a technical standard to secure and how the best practice to provide cybersecurity services, like the, what we call it, how government to create a public private partnership, to harmonize the public private partnership. Cyber diplomacy is also the other provisions in the cybersecurity and resilience bill, and also the important things like law enforcement.

And then we see that the cyber security is the law, is the legislative framework to empower the national cyber agency. So this is why Indonesia needs to formulate or to, what we call it, to have the cyber security and resilience law. Then previously Indonesia already have actually the framework policy of cyber security, even this is not integrated well, but some of the regulation already accommodate the cyber security or cyberspace matters, like the Law Number 11, 2008 on electronic information and transactions. The objective of the law is to regulate activities in cyberspace including electronic transactions, instruments for online defamation, cyber fraud, hacking and cyber crimes.

And also with the government regulations number 71 2019 on the electronic system and transactions. This is implementation agreement on the law number 11, 2008. Actually, this is the implementation agreement to regulate the obligation of electronic system providers, including security and user protections. And also the law number 27, 2022 on personal data protection.

The aim of the law is to safeguard personal data. We refer from the practice of EU GDPR. So EU GDPR is the benchmark of the personal data protection law in Indonesia. The regulation itself discovers the collections, processing, transfer of personal data requiring companies to get consent and then also to regulate the obligations of the provider to notify the... to notify the object data related to data breach.

And then the fourth is Presidential Regulations No. 53, 2017. The substance is the establishment of BSSN, or National Cyber Agency, as a national agency to coordinate national cybersecurity work. And also, implementation of national cybersecurity policy. Public sees that this is not enough for the national cyber agency for as an operative legal framework. So actually BSSN or national cyber agency must have a legislative framework to empower the institution actually.

And then, Indonesian Criminal Code, substance cybercrime provision on hacking on the road. This is in addition to EIT Law, number 11 and 2008. And then, the last one is Minister of Defense Regulations, number 82, 2014 on cyber defense policy. Our Ministry of Defense has the guidelines regarding infrastructure. They need to prepare for cyber warfare, the future of warfare, and then also the establishment of the cyber defense unit in the armed forces.

So if we see from the six regulations, we can conclude that we actually have at least six cyber security sectors in Indonesia. So the sector of cyber defense, the sector of cyber crime, the sector of cyber resilience, the sector of cyber diplomacy, the sector of cyber security, and also the cyber intelligence. And if you look up the institutions, we have many institutions that address some of the cyber space matters like Indonesian Armed Forces, if we talk about the cyber defense, cyber crime, which is addressed by Indonesian police and authority.

And then we have the three ministers and the institution of non-ministerial, like Ministry of Communication and Information, Ministry of Interior and National Cyber Agency, also with the Ministry of Foreign Affairs that address some cyber diplomacy matters, and then etc., etc. Now the discussion of the cyber security and resilience draft has ignited a public debate actually. If we can see some of the position of the civil society organizations, they have or they have kind of positions on that the bill versus like ELSAM or Institute for Community Studies and Advocacy. They say that cyber security and resilience bill is too state-centric because the bill has given the broad authority, wide authority and, what do you call it, yeah, like a wide authority to the national cyber agency.

Then why they put their critique on that kind of substance of state-centric, because BSSN will have wider authority to define what is management of cyber security. Also with SAFEnet, South Asia Freedom of Expression Network, they say that Cyber Security and Resilience Bill potential threatening privacy and the freedom of expressions. So they critique on the norms, the critique, the articles, and for the Setara Institute, Cybersecurity and Resilience Bill has failed to define the aspect of respect for human rights and threatening to civilian freedom. Maybe Center for Immigration Policy Studies sees in a different way because it sees that cyber security is not just for the security itself but the is related to many aspects, like the previous discussions say that cyber security has impact on the economic affairs, impact to this social affairs and etc. So it needs to build a partnership actually with private sector in discussion on the cyber security and resilience bill, because the critique from Imparsial, actually they see that the discussion of cybersecurity resilience bill is too hasty, the unlikely public participation.

If I looking back to the year 2019, yeah, when the bill has come to the parliament, and the parliament says that they feel that they do not feel too hurry to make the cyber security because the parliament says that they need some greater public participations, they need some greater, what we call it, input from the expert, from the private sector, from the corporations and etc. So they feel that we cannot too hurry, we cannot too hasty, yeah, to make the bill entering into force. Then I identified some of the political challenges actually from the problem of the Cyber Security and Resilience Bill in Indonesia. The first political challenge is diverging interests of stakeholders.

Because you know, government, private sector, civil society, they have diverging interests. And also in the parliament internally, we have 10 fraction of the parties. Parties have their own agenda and then is this beneficial or not for the what we call it for the vote and etc. And this is simply make the law is quite challenging.

The second is human rights concerns, because this is related to privacy and freedom of expression. And some of the civil society organizations in Indonesia says that the bill has to balance between the freedom, privacy, and security itself. Bureaucratic challenge, this is regard to ego sectoral due to new adaption and responsibility because once the national cyber agency appointed as the higher authority to manage the cyber security and the other institutions should adapt, should have an adaptation and maybe to share burden and modern responsibility. So the others institution should adjust on the new responsibility or the new adaptation of the Cyber Security and Resilience Bill.

And the lack of public participation will complicate the acceptance of the bill because transparency is a key. I agree with Dawn about transparency, particularly in the discussion in the parliament and the political process. That's an important thing to make the bill more accountable and more transparent. And the last is the potency of the clash between domestic political interest and international partner and technology. I think this is another problem from the political process and etc.

Because you know if we talk about the technology from China this is related to the domestic perception. If it's technology from Israel and also like technology or cyber technology from Israel, so domestic political interest will be particularly will be loud to criticize the government and the government will adjust to the, uh, and we'll look up how the aspirations of the public. So there are, there is clash between actually domestic political interests and the choosing of international partner and promote and technology. So I will end my presentations. I will look up for, uh, further discussion. Thank you. I will go back with, uh... Thank you. Okay, thank you, Mas Yuda, for the insight coming in from behind the scene at the Indonesian Parliament. And I think we'll have some questions for Pak Yuda after the last session.

And I think we're moving on to the next speaker, Miss Sarah Widemar from the Zurich Federal Institute of Technology. The forum is yours. I hope you can hear me well. I'm just putting up.

Yes, all good here. Can you see my screen? Does it work? Yes, yes.

Perfect. Okay. So welcome everyone to my presentation on AI governance in Europe. Thank you to our partners in Indonesia for having me. Very briefly on me, I usually focus on the kind of AI use that is excluded from the regulation.

But today I will look with you into various regulation efforts in Europe. This spans from a loose set of principles up to binding frameworks such as the European Union's AI Act. So the focus will be mainly on EU but also on the UK, the United Kingdom's efforts, which is no longer in the EU, and following a different regulation approach compared to the EU, more like the one in the US, which is more decentralized.

I will, I think for the sake of time, I will start with the EU AI Act. You will see it's much, let's say, a kind of practical deep dive into the topic. I think I will touch upon various points that Don, Louis Don, mentioned in the first presentation.

So, what is the EU Artificial Intelligence Act? The EU AI Act is the very first or one of the first comprehensive legislation on AI in the world and the act aims to ensure that AI systems are safe and transparent and that consumers in the EU are not exposed to risks. Here the EU AI Act tries obviously to balance kind of the different objectives between security and regulation, but on the other side, the interests for innovation and the interests of private sector.

Very recently, for example, Apple released news that it does not release its latest AI-supported features in the EU market because of the EU AI Act. On the other hand, just I think one week ago, I think around 100 companies endorsed the EU AI Pact, kind of referring to their commitments to the EU AI Act and their, let's say, approving this. So what is special about the EU AI Act? It applies to the EU, but not only. It also applies to the third country providers and deployers that would like to deploy AI systems on the EU market.

So it has an extraterritorial effect, which is also why Apple, for example, is not amused about it. Further, it is special because it centers around a risk-based approach. I will go into detail with this what that means.

Maybe very briefly, the EU AI Act is not out of the blue, but is kind of the result and still in process of years of consultations and discussions that are also based in other relevant international frameworks or efforts for frameworks such as the Council of Europe, but also the OECD principles on AI or G20 as well as G7 efforts. What is important for the EU AI Act is that in many ways the regulation of AI in the European Union is a continuation of efforts in the cyber security landscape, meaning that the regulatory context of AI is closely linked to the General Data Protection Regulation, the GDPR, which is in place since 2018. So the GDPR, the General Data Protection Regulation, aims at protecting the privacy and personal data of individuals within the European Union, giving them control over their personal data and imposing strict rules on data processing and transfer. So given that AI systems are frequently result of processing of personal data, the GDPR obviously is very relevant for the EU AI Act.

Regarding data protection and privacy, both focus on limitation and the focus is on the user consent when processing personal data. I think I have here a... This is a screenshot of how this can look like for the end user in the European Union, as well as here in Switzerland. You see, if you enter a new website, you will need to consent, you need to either accept the cookies or reject them, otherwise you cannot further scroll on the website. So just as an input how the regulation in the end looks like for the end user. So the GDPR again is closely linked to the EU AI Act regarding transparency, data protection. Both have like this extraterritorial effect, as I already mentioned, meaning that whoever, even non-European companies that want to sell AI products or AI supported systems on the European market, do have to adhere to the EU AI Act.

So now, again, just the cookies, just a very rough timeline, I won't go into detail with this. So this year, the EU AI Act officially became a law, and you will process or pursue now a stepwise approach. Obviously, that will take up until 2027 to sort everything out. So it's quite a lengthy process as you can see.

A quick note on definition. Here we see the definition that they use in the EU AI Act. Well, in general it's one of the key challenges for governments that they face when they design AI regulatory compliance strategies. It's kind of to figure out what constitutes AI. And we could talk in length about the different definitions. Here we see a definition that is very closely linked to the OECD definition. The definition for the EU AI Act is deliberately kept broad to cover the whole spectrum, from simple technologies up to systems focusing on deep learning and generative AI. This contrasts, for example, the UK approach. The UK does intentionally not refer to a concrete definition.

Who is affected? Again, kind of everyone who wants to serve the European Union's markets.

And it covers all parties that are involved in the development, introduction, sale, distribution and utilization of AI systems. And again, as mentioned, the extraterritorial effects. What is not covered is, briefly mentioned in the beginning, is AI systems that are developed exclusively for military purposes and as well as for scientific research etc.

So the AI Act defines a framework to understand the risks associated with artificial intelligence. So it classifies AI systems based on their potential risks and divides them into different categories depending on the data they capture and the decisions or actions taken with that data.

So the EU obligations will vary depending on the category the AI system falls into. We have here the first category, which is the one on the top, the one with unacceptable risks. This concerns systems, AI systems that enable manipulation, exploitation and social control practices that are seen as unacceptable risks.

This, for example, includes social scoring by public authorities, exploitation of vulnerable characterization, characteristics of people, as well as real-time remote biometric identification for law enforcement. And because they are considered as high risks, they will be prohibited. Then the next... I'm sorry, not a high risk, but unacceptable risks.

That's why they will be prohibited. Then the next category, the one with high risks, means or is targeting AI systems that negatively affect safety or fundamental rights. And within that category, there will be kind of two subcategories.

AI systems that are used in products falling under the EU product safety legislation. That means also kind of tools like for critical infrastructure, like elevators or cars, etc.

And then the second subcategory are AI systems, systems falling into specific areas that will have to be registered in an EU database. That includes, for example, critical infrastructure, etc. But then it also concerns, for example, systems that would be used for evaluation of eligibility to credit or health insurance or life insurance or even public benefits, AI systems that would be used for job applications or evaluation of candidates, as well as products of safety components. Because these AI systems in this category are considered as high risk, they are subject to the most stringent regulatory requirements. This means, first, already mentioned, is this EU database that I have to register into.

Then there's the transparency obligations to enable correct AI interpretation and use. So this AI, these transparency obligations could maybe look like the one example of the PR I showed you in the very beginning, and that you have to kind of give your consent that you register, okay, here is AI somewhere in the loop. And then another part is the implementation of appropriate human oversight and obviously also high levels of cyber security, etc.

Then the third category, the one with the limited risks, that includes AI systems that interact with consumers. It's like the generative AI would fall into that subject. That's systems that can create or manipulate content like images, audio or videos, chatbots such as ChatGPT-based systems, emotion recognition systems, and, for example, systems that can generate deepfake content.

And because these AI systems in this category, well, they will be kind of unlike the high-risk systems that impact development and risk management in a broad sense, obligations for limited-risk systems focus on the outputs and users. So people must be informed when they interact with an AI system. People exposed to a non-prohibited emotion recognition or biometric system must be informed about the system's presence. And then deepfake content, like generated video or pictures, they must be used as being artificially generated or manipulated.

Then the last category, very briefly, would include, for example, spam filters or AI-enabled video games. Non-compliance will be, or let's say non-compliance with the prohibition of the AI practices will be subject to fines, quite high fines. Yes.

So just let me check the time. So maybe very quickly on the governance now, how the EU envisions to kind of also implement this. The EU as a supranational, at the supranational level, has the European AI Office in place since this year.

But then it will be the countries' implementation efforts that will count. And here there are relevant authorities like the AI authorities of the member states or the DPA, like the data protection authorities that are already in place since the GDPR. So in a sense, the AI governance will also be based upon the already existing structures that exist for the GDPR. Here very briefly, it is also up to every country or member state of the European Union to what extent they want to also kind of be more stringent with the regulation. Italy is an example that went even further than the European AI Act envisioned. For example, Italy's data protection authorities, they banned ChatGPT for a short time, and ChatGPT, they only were able to resume work after OpenAI announced a set of privacy controls for its generative AI chatbots.

I think I won't go now, because of time, further into detail with this, but hop over to the UK framework for AI regulation. Here the... let me just check... yes. So the UK AI regulatory framework is built upon a principles-based approach rather than the one with prescriptive rules as the EU AI Act. They're based on principles such as safety and security, transparency, explainability, fairness, accountability and human oversight. As mentioned, there is no formal definition for artificial intelligence in this framework.

And in contrast to the EU's risk classification system and legal framework, the UK aims for a light-touch approach to AI regulation, which supports the capacity of already existing regulators without establishing a super regulator. Let's put it that way. Here, I would like to mention also the AI Safety Summit of last year, that was I think in November last year. The UK invested heavily also to become kind of a leading player for artificial intelligence discussions at the international level.

The UK government held this AI Safety Summit in November and they also put forward the Bletchley Declaration, which was signed by many states, also like for example China, and they agreed on the following principles that the UK is also basing its framework on: the one, the human-centric principle, trustworthy, responsible, as well as safe. So maybe here, very quickly again, the current state. So there was a consultation process also interlinked with this AI summit that you see here in the last stage. Here, again, the five core principles that the UK put forward for its framework.

And then maybe something else that is relevant in the UK context is that instead of a formal definition, the UK decided to categorize kind of three types of advanced AI systems: the ones that are highly capable general purpose AI, highly capable narrow AI, and AI agents. Here again, I mentioned that the already existing bodies and authorities are responsible for introducing this framework in their area of responsibility. So it's not that new structures would be created, but it would be based on already existing government structures. Here very quickly, this was the AI Safety Summit that the UK hosted.

And well, yeah, even though this Bletchley Declaration shows some degree of international consensus, I think the road ahead will be a tough one. As you see, already in Europe, which is kind of geographic-wise rather small as a region, the AI regulatory environment is very fragmented and inconsistent. Maybe to sum up here, what makes AI governance and the regulation efforts particularly challenging is kind of already starting with the definitions.

There are different definitions of what constitutes AI in different jurisdictions, and there are different forms of emerging AI regulations, from principles to kind of a rules-based approach. There are different conceptual approaches of AI regulations as well as different areas of law which overlap with AI regulation. I think I will end with this, my presentation, which was I think kind of an insight into the on-paper, what states or the EU try to do based on principles and how this transforms then into actual law.

And I'm happy to have questions if you have any further questions. Thank you.

Okay. Thank you, Ms. Sarah. Okay. I think, to keep things moving, let's go to the, I think we already have some questions posted here on the chat box. So I will read them in the order of receiver.

Okay, hang on. Okay. We have a question from La Chica Salsabila to Pak Arief Kusuma. Thank you for the presentation. What are the specific mission and project that the government currently works on to tackle the cybersecurity in Indonesia? And I think we can combine that with the question just below that from Astinimunstiaz Hanum.

What is the most effective way to maintain our identity in today's cyber world as a civilian, as we know that the longer we live, our digital footprints are everywhere, especially in response to financial fraud? I think I would probably give the floor to Pak Arief first. Please, Pak Arief.

What was the first question again? Just, you know, highlight again, sorry. I think just summarize it.

Summarize it, yeah, sorry. La Chica Salsabila was asking the question regarding the breach on the national data center. So what steps are being taken by the government at the moment to address, prevent it from happening again? Okay, that's the first question. And the second question is from Miss Astin Tias Hanum: as a civilian or a commoner, what's the most effective way to, probably not to maintain our identity, but to safeguard our identity?

Thank you so much for those who asked the very strategic questions. Like I said in the beginning that Indonesia, I think in most cases on cyber attacks, I think I would say more than 85%, we are reactive rather than proactive, you know, how to handle this. Meaning to say that once we get attacked, then we are panicking. We don't know what to do, you know, things like that. That's what happened, you know, on the 20th until 24th of June.

I think those three days, you know, even the real root cause, these seven institutions, they're confused. So if we have a proactive approach rather than reactive, I think we should have an alert warning system. Even we can predict, we can even solve temporarily. I think in this case, we are well unprepared. We are not ready. I think it happens to, I would say, government agencies, offices, similar to what has happened on June 20th.

So I think I know the real root cause, but I'm not a person who has authority to disclose that. But at least now we know the ransomware, the name of the ransomware is Brain Cipher. Brain Cipher is, like I mentioned, that they are the new variant of LockBit 3.0. I think they are based in Eastern Europe, you know, those three countries, right? One of them is Russia. So I cannot name the other two nations, but they are well known for the, I would say, ethical hackers. So I think the intention, the motive, basically is money. So because of this, the weakest area is our infrastructure. So it's easy for them to penetrate. They just started off with email phishing, basically.

Last year, I think they attacked one of the offices in Kalimantan through email phishing, but I think this time around also, in one of the offices, they attacked through email, you know, phishing. And that's why they sign in, the data is there, but they encrypted the data, they locked the data, they put it on the dark web. That's why the ransomware. I think the amount is, like I mentioned, eight million US dollars, but we don't know. I know, but I cannot disclose.

But somehow, somewhat, the government is settling down. That is why the motive is money. Once they get 70-80% out of their ransom, I think it should be sufficient enough.

So I think I urge the government to pay attention to this. I think it has to be proactive. They have the vendors, they have the policies, it's just the execution and the operation is very weak from my point of view. Thank you.

Okay, Arief, thank you.

And I think if anybody wants to ask the question directly, please raise your hand and I will give you the opportunity to ask the panelists directly. But before that, I'd like to address these two questions first, from Pak Hornady Setiawan and Pak Unggul. I think we can combine these two questions to, I think, to Pak Yuda.

I think the first part of the question is, the official pointed as the Minister of Communication Informatics did not come from IT background. So is that a problem? And the second part of the question is from Pak Unggul. I think one of the reasons that the cybersecurity bill was delayed is because there are so many problems contained in the bill, which Pak Yuda already explained, I think, with regards to how the civil society has been responding to the bill. So I think I'll give to Pak Yuda to probably answer these two questions.

Yeah, thank you, Pak Wira. I hope you can hear my voice because I'm using the earphone. Well, first of all, the Cyber Security and Resilience Bill is a problem because when the parliament discussed about the bill, there is some desire to push the national encryption agency into national cyber agency through the bill, through the Cybersecurity and Resilience Bill. That's the first problem. So the parliament is confused because this maneuver is likely seems to be forced by government to transform the national encryptions body or national encryptions agency into national cyber agency.

And then the second is because we have focusing on personal data protections and the other laws and regulations, and the cyber security itself is being ignored in the parliament, because parliament sees that there's some risks if the discussion is too hasty. Because first, the opinion of the public about the, it's too state-centric, it seems parliament believe on the public opinion, the state-centric issues. So government wants to create greater institutions that have big authority, broad authority to manage the cybersecurity, including the standard of the technology, including to standard certifications for security provider or cybersecurity provider. And the other institutions see difference on that issues. So they believe, the other institutions believe that they also have their own standards.

This is, I think, the other institutions in the governments have the different perceptions on how they manage the cybersecurity. And the public participation is very light. So, and also the private sector, because if we see how government formulate the personal data protections, governments can, what do you call it, can invite the public widely. They talk with the retailing industry, they talk with the financial technology industry, and also etc. But this is not going to happen with the Cyber Security and Resilience Bill.

So if this is a problem, is there a problem or not? Yes, this is a problem actually. And then, yeah, I see that COVID-19 is not a single factor that delays the Cyber Security and Resilience Bill in Indonesia, but some aspects like brokerage are challenging the sectoral egos in the cyberspace management in Indonesia, and then the public opinion and the pressure from the civil society organizations to hold this bill is most likely another several factors that delay this bill. Maybe that's my opinion, Pak Wira. Thank you.

Thank you, Mas Yuda. And before we move to raise hands, direct questions, just one more question from the chat box that I would like to post here. I think this is addressed to Miss Sarah from Pak Victor Tobing. And I think Pak Victor Tobing wants to know more specifically about AI systems being developed or used exclusively for military purposes, like for example NATO system related to EU system, and I think the question is how that works out, I mean in terms of like supervision, oversight and things like that. Thank you. Please, Miss Sarah.

Yes, thank you for the question, and it's actually the one I'm kind of covering now in my current research. So as said, if a system is exclusively used by military for military purposes, the EU AI Act does not apply, because military is excluded from the EU AI Act.

NATO has their own internal guidelines, so from 2021 they have an artificial intelligence strategy. And in that, they also refer to kind of the responsible use of AI, and the principles they include are kind of close to what we already heard. It's about responsibility, accountability, explainability, etc.

So that is kind of within NATO. However, here the big challenge that is already existing and will be in the future is when it comes to dual-use systems.

And there, I think it will be very difficult to kind of steer around, because often private sector or like private companies put forward new systems, often also in collaboration with the governments, and they are then used by military as well for civilian purposes, and there I think will be the big challenge in the future, and already now we see that.

Okay, thank you. I think I would like to move to Pak Arief. Please, Pak Arief, do you have a question? Okay, you are still muted.

Sorry. I am Arief from certification body from Europe. Yes, sir, names, okay. I don't remember who explained regarding the risk-based approach, maybe Miss Sarah or... But the point is I would like to ask about the risk-based approach. Is there any relation between assessment risks regarding the AI with the standard guidance risk assessment from ISO 31000 and regarding the new standard which ISO organization has been issued in 2023, that is the ISO 42001 artificial intelligence system, is that can apply with the system, or is there any sample certificate that who is the organization has been already certified with ISO 400001?

Thank you. Perhaps Sarah can answer that. Maybe I would like to add maybe after that from practitioner point of view. Over to you, Sarah.

Yes, thank you for the question. So I'm not very familiar with this ISO, the International Standardization Organization. And I didn't quite hear what the question exactly is. But when it comes to, I think, how you call it? I think it will be at the supranational level within the EU, the responsibility to make sure that the legislation of the EU adheres to ISO. But I'm not sure whether that's answering your question.

Okay, over to you, Pak Arief.

I am the system from the in Europe that they have already offered to the key asset animation. Is there any organization which would like to certify it with AI management system? It seems similar with the information security system. Yeah, most of the organization suppose that might be applied AI system, but this is a critical point that all the organization which has been already applied system should be certified with ISO 4001. That's all. Thank you very much.

Okay, let me answer from my point of view. I understand the questions, but I think the point that ISO 400001, I'm not quite familiar, but I know in general. So in terms of AI, I think I don't know which organizations, but we can take it offline. I can give you my numbers in this chat box.

I do have, I would say, the key people in Indonesia, I think about five, seven people regarding to this, but organization, I'll try to find out. But if you want this risk-based approach combining with this AI system, I do have the people, the right fit people that can discuss deep dive to your questions.

So I think I'll leave my numbers to you. And yeah, thank you, Pak Arief. The same name, yeah.

About Mr. Arief, the same name, but yeah, most important that I would like to know which the accredited from where that certification body has been operated Indonesia can issue ISO 40000. If there is no accredited, it is not useful, because this is not a credible certificate, I mean that.

Okay, I will park these questions. I can leave my number to, you know, Pak Beni and Pak Wira. Let's take it offline, Pak, on this, yeah? I'll find out the organization. At least I give you the answer, yeah?

Thank you.

Yeah, you're welcome.

Okay, thank you. I think that's a really good question. Who's going to make the certification, Jan, and standards?

Okay, I'm moving to one of the questions in the box. Back to from Patriz. And I think this should, I think this is best addressed by Dr. Don Louie.

Thank you for the insightful presentation. You've probably seen and learned a lot about the current cyber security trends in Indonesia. Which lessons from Europe's security sector governance do you believe would be most relevant and beneficial for strengthening Indonesia's AI and cybersecurity framework?

Thanks for this question and thanks for the introduction as well. I think I didn't really cover it in my presentation due to time reasons, but I think that one key issue and one key area that we can work on, and particularly within the context of Indonesia from what I've understood so far, is actually having a national cybersecurity strategy that's sort of all-encompassing, that's also very much integrated within the wider national security policy. So for example, you know, as to give examples from Europe then, in Sweden, they say that the objectives of Sweden's security includes both, you know, online and offline, as well as, for example, the Finnish one also says that all these principles needed to be integrated within the broader cybersecurity strategy in national security strategy. Now here, when we're also talking about the development of national cybersecurity strategy, it's also important to therefore then identify one authority or one institution that's tasked with overseeing this process, that also has consulted with all the different institutions and all the different stakeholders.

The UK, for example, has already done this, and the stakeholders could include, for example, not just government, but also private sector, civil society, academia, the technical community, as well as these international organizations that we've just been talking about. And in a national cybersecurity policy, then we should have several key strategic priorities.

And this includes, you know, an enhanced governmental coordination at the policy and practice level, as well as stronger PPPs, like public private partnerships, international cooperation, as well as, you know, running through as a red line, respect for fundamental human rights. Now, as I've mentioned before, and I do want to emphasize again, I think it's important in a national cybersecurity policy to have and to recognize the importance of critical national infrastructures and to include them and their protections within a national cybersecurity policy. For Switzerland, for example, we define that as, you know, public administration, energy, waste disposal, but also finance, health, water, food, transport. And of course, with any strategy and with any plan, it needs to have an implementation plan that involves both research and planning so that, you know, it's not just a strategy for right now, but a strategy that can bring the country or bring the context within the next five, 10 years. And Poland, for example, uses a user awareness of safety measures and practices in cyberspace as a key component to its national cybersecurity strategy.

And of course, as we're all doing here today as well, I think awareness raising, educating ourselves, and this is all part and parcel of a national cybersecurity. So here, I think it's just a quick overview of what I see as essential in terms of preparing and key lessons learned. And this is also all available online. I'll drop the link in the chat box.

But thanks again for the question, Riz.

Thank you, Dr. Don. I think I would like to ask Pak Yuda, Pak Yuda Kurniawan, to chip in on this question.

I think what Dr. Don Lui just expressed is now. Pak Yuda, do you think it's possible to do that in Indonesia? I mean, because as everybody knows, we just have a new parliament this week just sworn in, new parliament, and then in the next few weeks, I think end of this month, we're going to have a new executive government in place. So do you think, Pak Yuda, do you think this is an opportunity? There's a transition here, there's a window of opportunity to push some of these things, and it's what Dr. Don just described to us.

Is it possible, is it feasible to do it from your experience?

Yeah, Pak Wira. We still have to wait about the, is the RG bill will be carried over or not into the new period.

Because as we know that Indonesia has a high vulnerability on the cyber attacks and cyber security problems. So normatively, this bill will be carried over in the new period of the parliament. And it also depends on how the public gives pressure to the parliament to discuss more openly and to invite the participation of the public wider. I still have believed that this is still possible to be discussed in the next period of the parliament, because there is some existing problems about the cyber security concern, and how to make it on the track is to raise the concern on the parties in the parliament.

So the key is the internal bargain of the party in the parliament itself, because the first one of the cyber security bills is initiated by parliament and it also can be initiated by government. So still have a chance, we still have hope. Thank you.

I think we should invite Dr. Don and Miss Sarah to Jakarta or send Pak Yuda and his colleagues to have further discussion on this. I think what Dr. Don just presented is a very good insight, and Miss Sarah also contributed with a lot of good examples from Europe. That should inspire you, Mas Yuda.

We have one more question, I think, because we have five minutes left. We have one question. One more raise hands from Mas Benny.

Okay, Pak Benny, please.

Thank you very much, Wira, for having us and also asking me for joining a discussion here. I think, thank you very much, Ms. Don and Ms. Sarah, for giving us a very insightful presentation.

I think I have two issues that I would like to raise. First is about AI, officially about AI, the artificial intelligence. As we know that our education system has been challenged by ChatGPT, right?

At least in Indonesia side. I'm also a lecturer for the last 10 years in a few universities. So I think it's challenging for us, for a lecturer, for example, we are giving assignment for a paper, right? So I think the challenge is, even though we know that's where the students say, read original paper or they copy-pasted from the ChatGPT. From your point, what point of view is better that in EU or in specific country in Europe, do they have a kind of regulation on, what do you call it, not limiting using of GPT, but how to regulate and how to put a norm in the education system, whether in EU in principle, in norm, but also specific country. Thank you very much.

Sorry, a second issue. Sorry, I would like to raise up about the current situation in Gaza, in Israel. I think we learned that, we know that Israel is using AI for using targeting Gaza population. What do you think about this, Sarah?

Thank you very much. Thank you, Wira.

Thank you very much for the very interesting questions. I will start with the first one, with the easier one. So AI and education. So I do not know that this would be, that this at this point is regulated at the European Union's level. I don't even think that it is currently at the national level regulated. At least I don't know of it.

I just know of this kind of discussion from, let's say, our university. As far as I know, it's discussed because it is an issue as to how to balance how to use AI for education, having kind of the positive aspects of it versus kind of the negative aspects of, let's say, students submitting texts that is not written by themselves, right? Again, I think this is now more and more increasingly coming, and I think what we will see is kind of a very individual approach. I just know that our university at ETH is discussing this topic. I do not know currently of any kind of, let's say, on-paper regulation that they have put forward on that topic. But again, I haven't also followed this that closely.

Then regarding the second question, yes, AI for targeting. I'm currently writing a report on how AI is used on the battlefields, and with that Israel-Gaza is also a focus of mine. There are specifically three different kinds of systems have been in the media. It's Lavender, VeriStudy is another system that was used or still is used.

The problem is that there's very little information public. We do not know in the end how these systems work. The problem for researchers with this lack of information, of public data, is then also how to put this into context. But I think what is clear is that it will be more and more a problem. I've been looking at this in the conflict of Ukraine, specifically because Ukraine is very public with information. You would find many different private actors that put forward systems that are used somehow in this loop of targeting. Griselda is like a system, for example.

What the Griselda does is that it imports vast amount of civilian as well as military data and with AI is kind of creating target groups. So what you see here is that in the end you don't have this omnipresent system that will be conducting all the targeting process, right? But nevertheless, in this process of targeting, from data information collection, analyzing, and then actually submission for actual targeting, is that in all of these steps, you will find AI-supported systems. And I think at this stage, because there is no regulation for militaries, and militaries most probably would not kind of want to have people looking into their cards, right? What do you have? What do you have in place? I think it's a very difficult topic and will be more and more relevant as to how to go about this. I don't know actually, I think we will see that in the future.

Right, thank you. I think we should, Lesperssi and DCAF should continue with these discussions, I think, with Mas Yuda as well, I think, because there's a window of opportunity to discuss more about this issue, which I think Indonesia can learn a lot from EU. And before that, I would like to thank all the speakers today, but before that I would like to hear something from Kevin. So do you have something to add, Kevin?

I would first add that I certainly learned a lot today, because the presentations were already really interesting, but the Q&A, the discussions and the questions that came in, how precise, specific and in-depth they were, made it even more interesting. So definitely for us as DCAF, a lot to take back home and a lot to think about, because I agree with you, Wira, Lesperssi and us should keep discussing.

There looks like there could be a lot to do around this topic of governance of cybersecurity and artificial intelligence policies. That's really what we wanted to get from this webinar series, which we're running with different partners in different countries. It's to provide our analyses and research and understanding and example from Europe, but really much more to understand what's the situation in the different countries where we have partners, receive the questions to build our understanding, and try to analyze later on how we could provide a support here as relevant and where relevant. So I really enjoyed this session today because, thanks to all the participants and your very good moderation from Lesperssi, I learned myself a lot.

I took lots of notes, and I think we, beyond sharing this information and discussion for two hours, we also go out with a lot of materials for further thinking and discussions. So thank you again to Lesperssi, specifically to you, Wira, for a very good moderation, and to our experts, and more widely to all our participants, because such a webinar is only as interesting as the involvement of all the participants, which was really great today. So thank you very much, everyone.

Thank you very much, everyone, for attending. Before that, I think we can take a picture. Oh yeah, take the picture. Please open your video camera.

Everybody, yeah. Okay, Ciara, can you do it? Ciara? Yes, I can.

Stand by. Ciara, okay, please everybody, please open your camera and we can take a picture and take a turn. Okay, everybody is there? Yes, one... One, two, three.

One more. Okay, one more. One more.

Second layer, please open your camera. Anyone else want to open your camera? Okay, one, two, and three. Okay. One more.

One more? Okay. One, two, and three.

Okay. Thank you very much, Sarah. Thank you very much, Don, Louis, Sarah, Kevin, for organizing this webinar. I think we can have some more.

Thank you very much, everyone. Thank you, Vinny. Thank you, everyone. See you in a few days.

Thank you. Yeah. Thank you.

See you guys again soon. Thank you, Don. Thank you, Sarah.

Thank you, Kevin. Thank you, Pak Arief. Thank you, Kevin.

Thank you, Kevin. already left. Thank you, Benny.

Thank you all the participants. Stay tuned and let's hope to see you all again soon. Okay, bye-bye, sir. Thank you, Victor. The materials will be shared later.

Thank you, Benny. Thank you, sir. Thank you, sir.

Sorry, I just came back from the camp. See you tomorrow. See you tomorrow, Mr. Issa. Okay, let's go. time i can see bye everyone thank you very much bye thank you very much kevin