Government issues public consultation on ethical hacking

The Cabinet has approved the publication of a public consultation on a national policy aimed at establishing a formal and legal procedure regarding security researchers with good intentions, also known as ethical hackers.

This policy will be open for public consultation from Wednesday until 7 October 2024 and is expected to lead to changes in the law.

Ethical hackers are individuals or companies who access ICT systems to provide solutions and strengthen the system’s cybersecurity.

The issue was thrust under the spotlight after four computer science students were being investigated by the police after they found and highlighted a security weakness in Malta’s largest student application, FreeHour.

Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were scanning through the software of the app when they found a vulnerability they say could be exploited by malicious hackers.

They emailed their findings to FreeHour’s owner and asked for a reward – or ‘bug bounty’ – for spotting the mistake.

But, instead of a payoff, the University of Malta students were arrested, strip-searched and had their computer equipment seized.

The policy published on Wednesday proposes that ICT system owners and managers should have a policy in place for coordinated vulnerability disclosure (CVDP). While most companies will have the framework to do this voluntarily, essential entities and those critical to infrastructure will be required to comply with their obligations under European directives.

The Directorate for Critical Infrastructure Protection (CIPD) will maintain a register of organisations' Coordinated Vulnerability Disclosure Policies. Only through this framework will ethical security researchers be able to conduct their research on an organisation and offer their solutions.

This policy will also establish a number of parameters to regulate security researchers.

“The document aims to improve public trust and cooperation between responsible organisations, both public and private, so that ethical security researchers can operate within a clear framework,” the government said.

This policy has been developed through the joint efforts of the Malta Digital Innovation Authority (MDIA) and the Directorate for Critical Infrastructure Protection (CIPD).

Economy Minister Silvio Schembri said the policy will lead to significant improvements in cybersecurity systems, providing ethical hackers with a clear and regulated framework through which they can operate legally and transparently.

“This policy is not only about strengthening the country’s digital infrastructure but also about protecting security researchers with good intentions, by establishing clear parameters that distinguish between ethical and illegal practices. We must ensure that these individuals, who work to find cybersecurity solutions and protect others, have the necessary conditions to operate in a safe and legal environment. This framework will foster greater trust and cooperation between the government, private companies, and these experts, enabling us to enhance security and preparedness against cyberattacks,” he said.

Home Affairs Minister Byron Camilleri said government needs to be at the forefront in addressing new realities related to the sector.

“As a government, we are recognising two realities: the need to continue ensuring the security of companies and individuals using technology to operate, while also regulating emerging practices, giving new tools even to those who use research to enhance security.

This is a reality we must acknowledge and regulate in a way that reassures everyone. I look forward to this consultation period so that we can implement this reform,” he said.

The government has also implemented an internal policy providing clear guidance on vulnerability testing carried out by security researchers with good intentions.

The public consultation can be accessed here.