The Indonesian military has a new role in cybersecurity but, worryingly, no clear doctrine on what to do with it nor safeguards against human rights abuses.
Assignment of cyber responsibility to the military is part of controversial amendments to the Armed Forces Law which the parliament passed in March and which significantly broadened the armed forces’ role in civilian governance.
The government says these amendments are crucial for strengthening Indonesia’s capabilities in information operations, with the military playing a pivotal role in safeguarding national interests in cyberspace. Military officials have also said the military’s cyber capabilities will not be used to police digital spaces or restrict freedom of expression. They point to the establishment of the Singaporean armed forces’ cyber force in 2022 as a precedent and to cyber operations in the Russia-Ukraine war as developments the amendments aim to address.
However, cyber defence without a guiding doctrine is akin to navigating a battlefield without a compass. The Indonesian military lacks a published cyber strategy, so its mandate in cyberspace is unclear. The most recent strategic document, the Guidelines on Non-Military Defence, issued by the Defence Ministry in 2016, does not specifically address cyber operations and is now outdated. More recent policies, such as the 2020–2024 National Defence Implementation Policy and the 2023 State Defence Doctrine, mention cyberattacks and hybrid warfare but fail to clearly define the military’s role or response.
Important questions remain unanswered: What constitutes a cyber threat? Who are the adversaries? What measures are deemed appropriate responses?
Without clear answers, the military’s involvement in cybersecurity risks allowing actions that may infringe on civil liberties.
Historically, Indonesia’s security apparatus has prioritised conventional threats: separatism, terrorism and political instability. This traditional focus has shaped a strategic culture that is poorly equipped for the complexities of the digital realm. Since the establishment of its Cyber Unit in 2017, the Indonesian military has struggled to meet personnel requirements, filling only around 40 percent of planned positions.
Although recruitment criteria have been adjusted to attract more civilian talent, the shortened military education for these recruits has raised concerns among officials about their integration into military units, particularly regarding their understanding of the chain of command and commitment to military service. Rather than fostering a comprehensive cyber strategy, the recent amendments appear reactive, potentially leading to overreach and the suppression of dissent under the guise of national security.
Expanding the military’s role into cybersecurity also raises concerns about the militarisation of civilian spaces. Cybersecurity inherently intersects with civilian life, covering such issues as privacy, freedom of expression and access to information. Entrusting the military with significant authority in this domain, without stringent oversight and accountability, risks undermining democratic principles and human rights.
The military’s history of information operations complicates things. Traditionally, the Indonesian military has conducted psychological operations aimed at shaping public perception and behaviour. It has often portrayed online criticism as information warfare, sometimes framing it as part of a proxy war involving foreign entities attempting to erode public trust in the military.
This narrative is particularly evident in operations in Papua, where critics frequently highlight the military’s harsh treatment of civilians, its role in protecting government-approved businesses, and incidents involving the killing of non-combatants. Integrating such operations into the cyber realm without clear boundaries and oversight presents risks of enabling the manipulation of information, the dissemination of propaganda, and the suppression of dissenting voices under the pretext of maintaining national security.
Moreover, the process behind the amendments has drawn criticism for its lack of transparency and public consultation. Deliberations were reportedly fast-tracked and conducted behind closed doors and civil society was sidelined. This potentially risks unchecked military influence in civilian governance.
The digital age undoubtedly requires robust cybersecurity measures, but these must be underpinned by clear strategies and respect for values such as privacy and freedom of expression. Without a well-defined doctrine and appropriate safeguards, the military’s expanded role in cyberspace risks becoming a tool for repression rather than protection.
The new stipulation offers no substantial change from the military’s existing responsibilities to counter espionage and sabotage that target military networks and critical government infrastructure. It is therefore unclear which specific threats the new law seeks to address, especially given that an academic paper published by the parliament does not mention cyber threats even once.
To navigate this complex terrain responsibly, Indonesia must develop a comprehensive cyber strategy that clearly delineates military and civilian roles, establishes robust oversight mechanisms and upholds the democratic values that the nation has worked hard to build since the fall of authoritarian rule. Without such a framework, Indonesia’s cyber soldiers remain armed without a compass—operating on a complex digital battlefield without clear direction, to the potential detriment of the very freedoms they are meant to protect.
