Edward Snowden's revelations of the extensive global communications surveillance activities of foreign intelligence services have led countries such as Indonesia to take concrete steps to enhance protective information security for classified data and communications. This paper develops the wideband Delphi method to study the Indonesian Government's requirements for cyber-defence in response to reported secret intelligence collection by the Australian Signals Directorate. It provides a clearer understanding of the issues that influence Indonesian policymakers' views on the mitigation of foreign surveillance. We developed and conducted an adaptive wideband Delphi study with senior Indonesian officials, with group discussions and individual sessions to explore how to mitigate the surveillance activities of the Five Eyes (the U.S.-U.K.-Canada-Australia-New Zealand) intelligence alliance. We used the U.S. National Security Agency framework of the three elements of defence in depth (people, operations, and technology), in combination with governance and legal remedies, as an analytical framework. We identified twenty-five mitigation controls to deal with the priority concerns of policymakers, which were divided into a five-defence in depth elements. We discuss the key requirements for protecting against foreign surveillance to be taken into account in state cyber-defence frameworks and suggest effective mitigation controls for safeguarding and protecting states' national interests.