The Cabinet has approved the publication, for public consultation, of a national policy intended to give "well-intentioned security researchers", otherwise known as "ethical hackers", a legal and stable procedure under which to operate, the Ministries for Home Affairs and the Economy said in a statement on Wednesday.
The Ministries said that the policy will be open for public consultation from 11 September until 7 October, and that it will lead to a change in the law. They described ethical hackers as individuals or companies who break into ICT systems in order to find security weaknesses, propose fixes for them and so improve the cybersecurity of the system.
On the substance of the policy, the Ministries said it proposes that owners and managers of ICT systems adopt a Coordinated Vulnerability Disclosure Policy (CVDP): a published statement of how researchers may test the organisation's systems and report what they find. While most companies would adopt one voluntarily, essential and important entities in critical infrastructure (the categories used by the EU's NIS2 Directive) will be required to do so under their obligations in European directives.
The Ministries said that the Critical Infrastructure Protection Directorate (CIPD) will keep a register of organisations' CVDPs, and that only organisations listed in that register may be researched under the policy, with findings and proposed fixes offered to them. They added that the policy will establish a set of parameters that regularise the activity of security researchers; testing outside those parameters, or against an organisation not on the register, is not covered by it.
The Ministries said the document aims to improve public trust and cooperation between responsible organisations, both public and private, and security researchers, so that researchers have a framework within which to operate. The policy is being drawn up jointly by the Malta Digital Innovation Authority (MDIA) and the CIPD.
They referred to the National Strategy for Cybersecurity 2023-2026 and said that the policy delivers one of that strategy's goals.
Economy Minister Silvio Schembri said that the policy will bring a significant improvement to cybersecurity, giving ethical hackers a regulated framework within which they can operate legally and transparently. Beyond strengthening ICT systems, he said, it will also help legitimise the security research industry by giving researchers protection and recognition for their contribution.
"This policy is not only about strengthening the digital infrastructure of the country but also about the protection of well-intentioned security researchers, where there will be clear parameters that distinguish between ethical and illegal practices. We want to ensure that these individuals, who work for cybersecurity solutions and to protect others, have the necessary conditions to operate in a safe and legal environment. This framework will lead to more trust and cooperation between the Government, the private companies, and these experts so that together we can strengthen the level of security and preparation against cyber-attacks," Schembri said.
Home Affairs Minister Byron Camilleri said that the government will continue to be at the forefront of the technological world in order to address the new realities and carry out the necessary reforms. "It's something we've been working on for several months and that is why today we were in a position for the Cabinet to approve this document for consultation."
Camilleri continued that the government recognises the need to keep companies and people who use technology safe, while also regulating an emerging practice so that it can serve as a new tool. "This is a reality we must acknowledge, while at the same time regulating it in a way that gives peace of mind to everyone. I look forward to this period of consultation so that we can implement this reform as well."
The Ministries concluded that, while the document has been released for public consultation, the government has already implemented an internal policy giving clear direction on vulnerability tests carried out by well-meaning researchers against its own systems. They said that the government is committed to continuing to strengthen its digital infrastructure and is always looking to improve its security mechanisms.
The new policy comes in the wake of a case in Malta involving three students and their lecturer. In October 2022, students Giorgio Grigolo, Michael Debono and Luke Bjorn Scerri and their lecturer, Mark Joseph Vella, found "serious security vulnerabilities" in the popular FreeHour student timetable mobile application. The group informed the company of the flaws and requested a "bug bounty", the reward that many organisations offer for responsibly reported vulnerabilities.
The four were then arrested, strip-searched and had all their computer equipment seized by the authorities. They now face charges carrying a sentence of up to four years' imprisonment, with the first court sitting scheduled for 5 March 2025. FreeHour has reportedly said it wants a more "positive ending" for the students. The app's founder told The Times of Malta that FreeHour had reported the incident to the authorities on advice and to ensure it complied with data protection and cybersecurity regulations, and that the company only later learnt that the students' intentions were not malicious.
Prime Minister Robert Abela said last Sunday that the government also wants to address this individual case. "You can ask, how can you be a government that wants good and have a genuine reality like this that leaves three youths and a lecturer be condemned not because they failed, but because there was a legislative framework that was lacking? That is where the functions and obligations of the state come in. It cannot be that three youths and a lecturer carry a cross that is not their job to carry. I am also convinced, both with the goodwill of those who initially submitted the report, and through this process, that eventually this case will find its natural resolution. I am not seeing that we should arrive at a situation that the case, with this policy and new law that will be implemented eventually, that there would be a situation where the youths or lecturers of this country are penalised."