Indonesian government didn't have backups of ransomwared data, because DR was only an option

Indonesia’s president Joko Widodo has ordered an audit of government datacenters after it was revealed that most of the data they store is not backed up. The audit and revelation that Indonesia lacks a backup plan came in the aftermath of a ransomware attack on the nation’s Temporary National Data Center (PDNS) that took place on …

  1. sarusa Silver badge
    Devil

    Of course you know what happens next...

    I think most Reg readers know what happens next when you mandate everything be backed up.

    Three years down the road, next big failure: They go to restore backups, and, oops! They don't work because nobody ever tested recovering them. 'You only told us to make backups, and we did!'

    I will bet one million rupiah (IDR) on this.

    1. trindflo Silver badge

      Re: Of course you know what happens next...

      Or, go to the backups and find they are also encrypted.

    2. Anonymous Coward

      Re: Of course you know what happens next...

      In countries with significant levels of corruption, backups get lost or politicians get arrested...

  2. Paul Crawford Silver badge

    Don't these data centres support snapshots? Not a replacement for backups if the data centre itself is destroyed or has catastrophic hardware failure, of course, but for ZFS (and I guess other file systems like the NetApp one, etc) they have very little cost/performance penalty and make winding back in time really easy.

    1. sitta_europea Silver badge

      Yeah, but you do still actually have to do something about it.

  3. Pascal Monett Silver badge
    Facepalm

    "Authorities are instead attempting to decrypt the data"

    Yeah well, given their competence in managing a government datacenter, I very much doubt that they'll get anywhere fast on that job.

    1. fg_swe Silver badge

      Re: "Authorities are instead attempting to decrypt the data"

      Of course not. They will call Canberra and London for help. Then they will find out that there is something called "strong cipher".

  4. Potemkine! Silver badge

    Most agencies did not use it because of budget constraints

    Well done beancounters!

    1. Paul Crawford Silver badge
      Facepalm

      Money well saved! Oh wait...

    2. sitta_europea Silver badge

      Ninja'd.

    3. abend0c4 Silver badge

      Actually, there's a very recent article in which the Indonesian president was castigating officials for the proliferation of uncoordinated online projects.

      From which you might conclude that there is more than sufficient money if only it were spent more effectively. But, then, you could say that about pretty much any government.

    4. Anonymous Coward

      I've experienced this in the UK several times: Tell bean counters we need money for backups/resilience who refuse it, then they complain when services go AWOL and ask "Why wasn't there any backups?"

      1. Alan Brown Silver badge

        When money for backups is refused, always ask for the reasons in writing, on paper and signed by a senior manager

        Then, when the inevitable happens you can stand to one side of the bus that manager will attempt to throw you under

    5. fg_swe Silver badge

      Could be Worse

      Now they know their network is completely insecure. Encryption is not the worst thing to happen. Imagine what more cunning attackers could have done. You know, folks like "equation group"...

  5. that one in the corner Silver badge

    Double edged sword of Damocles

    > credited the severity of the attack to the unification of institutions and ministry data

    You bring everything together, which can[1] reduce duplicates, reducing maintenance costs and ensuring consistency across departments; allow more cross-referencing and make novel searches possible; break open data silos and expose data hoarding (of all types). So, a Good Thing.

    Exposes you to attacks where a single entry point can disrupt everything; where one poisoned entry appears in all departments' reports; where one bad DR plan (and "no plan" is a bad plan!) ruins it for everyone. So, a Bad Thing.

    What, then, is the better arrangement for practical purposes?

    Yes, yes, having a proper DR plan (and keeping it active and tested) and perfect security (active & tested) *is* the best arrangement, but just imagine you can have flaws, even in something *you* set up.

    [1] note "can", not saying they did in this case - not enough info

    1. fg_swe Silver badge

      Re: Double edged sword of Damocles

      I am sure the big boys on this planet will want you to collect all your eggs into one basket. Then it is superconvenient for these foxes to clean out your nest thoroughly. Or rather, they have to bring the X Ray machine into only one place.

  6. This post has been deleted by its author

  7. Andy Non Silver badge
    Facepalm

    The level of incompetence

    shown by the Indonesian government is utterly bewildering. Massive critically important data centre + no backups! If this is their level of competence they should seriously consider going back to pen and paper and forgetting about IT completely.

    1. sitta_europea Silver badge

      Re: The level of incompetence

      But then there'd be less graft.

  8. Doctor Syntax Silver badge

    "Most agencies did not use it because of budget constraints"

    Now they're discovering what a real budget constraint is.

  9. cschneid

    I was approached by a budget person...

    ...who told me he had a user area pushing back against paying for database image copies. I explained these were to be used in case of a disaster. He replied, "I'll tell them it's like an insurance policy, something you pay for but hope never to need." No more pushback. Sometimes, people are sensible.

  10. Anonymous Coward

    bad karma

    This looks like bad karma. Indonesia is notoriously fond of hacking activists or news sites that don't agree with government's stance. Apparently there's justice in this world.

  11. Anonymous Coward

    Cloud?

    No mention of whether the Indonesian Government uses IT services hosted in "the cloud"?

    ....or whether the cloud provider provides backup services for extra dosh.......(ah....extra dosh would be a problem!)

    ....or whether the Indonesian Government would even know if "their cloud" had been hacked......

    So many opportunities....so many bean counters......so little money........

  12. Henry Wertz 1 Gold badge

    not so devastating in the past

    They weren't so devastating in the past, because it wasn't all stuck in a single datacenter (with apparently nothing separating things there, if the whole thing got encrypted.)

    I know what'll probably happen -- they'll have fancy cloud-style live backups, so when it happens again they'll go to those backups and they'll be encrypted too!
