Public consultation launched for national policy regulating ethical hackers
The publication of a consultation on a national policy intended to result in a legal and stable procedure in relation to “well-intentioned security researchers,” otherwise known as “ethical hackers,” has been approved by the Cabinet, the Ministries for Home Affairs and the Economy said in a statement on Wednesday.
The Ministries said that this policy will be open for public consultation from 11 September until 7 October. They added that the policy will lead to a change in the law. The Ministries described ethical hackers as individuals or companies who break into ICT systems in order to provide solutions to certain issues and improve the cybersecurity of the system.
Speaking further about the policy, they said that it is being proposed that the owners and managers of ICT systems are to have a Coordinated Vulnerability Disclosure Policy (CVDP). They continued that while the majority of companies will have the framework to do this in a voluntary way, essential and important entities for critical infrastructure will do so according to their obligations in European directives.
The Ministries said that the Critical Infrastructure Protection Directorate (CIPD) will be keeping a register of organisations’ CVDPs and that it is only here that security researchers will be able to carry out their research on an organisation and offer their solutions. They added that this policy will ensure that there are a number of established parameters which regularise the position of cybersecurity researchers.
This document, the Ministries said, aims to improve public trust and cooperation between responsible organisations, both public and private, so that security researchers have a framework through which they will be able to operate. They went on to say that this policy is being managed and worked on jointly by the Maltese Digital Innovation Authority (MDIA) and the CIPD.
They referred to the National Strategy for Cybersecurity 2023-2026 and said that a goal of that strategy will be reached through this policy.
Economy Minister Silvio Schembri said that this policy will lead to significant improvement in cybersecurity systems, where ethical hackers will have a regulated framework from which they can operate in a legal and transparent manner. He continued that besides strengthening ICT systems, this will also contribute to the legitimisation of the security researchers’ industry, as they will be given protection and recognition for their contribution.
“This policy is not only about strengthening the digital infrastructure of the country but also about the protection of well-intentioned security researchers, where there will be clear parameters that distinguish between ethical and illegal practices. We want to ensure that these individuals, who work for cybersecurity solutions and to protect others, have the necessary conditions to operate in a safe and legal environment. This framework will lead to more trust and cooperation between the Government, the private companies, and these experts so that together we can strengthen the level of security and preparation against cyber-attacks,” Schembri said.
Home Affairs Minister Byron Camilleri said that the government will continue to be at the forefront of the technological world in order to address the new realities and carry out the necessary reforms. “It’s something we’ve been working on for several months and that is why today we were in a position for the Cabinet to approve this document for consultation.”
Camilleri continued that the government is recognising the realities of needing to keep ensuring the safety of companies and people who use technology and regulating practices which are developing to provide a new tool through them. “This is a reality we must acknowledge, while at the same time regulating it in a way that gives peace of mind to everyone. I look forward to this period of consultation so that we can implement this reform as well.”
The Ministries concluded that while this document is released for public consultation, the government has internally implemented a policy which gives clear direction on vulnerability tests carried out by well-meaning researchers. They said that in these scenarios, the government is committed to continuing to strengthen its digital infrastructure and is always looking to improve security mechanisms.
The new policy comes in the wake of a situation in Malta involving three students and their lecturer. In October 2022, three students, Giorgio Grigolo, Michael Debono, and Luke Bjorn Scerri, and their lecturer, Mark Joseph Vella, had found “serious security vulnerabilities” in the popular FreeHour student timetable mobile application. Upon these findings, the group informed the company about these security flaws and requested a “bug bounty” - a common reward practice in ethical hacking.
The group of four were then arrested, strip-searched, and had all their computer equipment seized by the authorities. The four accused are now facing charges which can carry a sentence of up to four years’ imprisonment. The first sitting will be held on 5 March 2025. FreeHour has reportedly said it wants a more “positive ending” for the students. The app’s founder told The Times of Malta that FreeHour had reported the incident to the authorities following advice and to ensure that it complied with data protection and cybersecurity regulations, and that it was only later that the company learnt that the students’ intentions were not malicious.
Last Sunday, Prime Minister Robert Abela said that government also wants to address this individual case. “You can ask, how can you be a government that wants good and have a genuine reality like this that leaves three youths and a lecturer condemned not because they failed, but because there was a legislative framework that was lacking? That is where the functions and obligations of the state come in. It cannot be that three youths and a lecturer carry a cross that it is not their job to carry. I am also convinced, both with the goodwill of those who initially submitted the report, and through this process, that eventually this case will find its natural resolution. I don't see that we should arrive at a situation - with this policy and new law that will be implemented eventually - where the youths or lecturers of this country are penalised.”