Malta’s laws need to adapt to allow ethical hackers to report cybersecurity vulnerabilities without fear of prosecution, according to experts in the area.
“With the existing legal framework, I would not disclose anything,” said cybersecurity lawyer Ian Gauci.
And ethical hacker and cybersecurity expert Neville Grech said some of his former university colleagues are now too scared to get involved in cybersecurity courses in case they “get arrested”.
Their comments follow the case of four computer science students who were arrested after disclosing a security weakness in FreeHour, a popular local student app, that could have been exploited by malicious hackers.
Gauci explained that despite their best intentions, the students still face the risk of prosecution.
“Under our law, if there is unauthorised access (hacking) irrespective of whether it’s done ethically or unethically, it’s still prosecutable,” Gauci said.
The students are being investigated under Article 337 of the Criminal Code, which makes it illegal to access an application without being “duly authorised by an entitled person”.
Gauci explained that Malta currently does not have ‘safe harbour’ provisions for those using their computer skills for ethical purposes such as disclosing potential security risks with no malicious intent.
Ethical hackers are people who find exploitable vulnerabilities in a company’s software or web code and alert the company to them.
Other countries in Europe, such as France and Belgium, have begun to enact laws that allow for ethical hacking under certain circumstances.
When an individual wishes to report a vulnerability affecting a Belgian organisation, they must also report it to the Centre for Cybersecurity Belgium, the country’s national cybersecurity authority.
The Belgian legislation, enacted in February, also specifies that the person filing the report must act without fraudulent or malicious intent.
“There are multiple ways in which the legislator can cater for this and protect ethical hackers,” Gauci said.
“Alternatively, the law could also be amended to introduce certain exemptions from prosecution in certain pre-qualified instances,” he said.
France already follows this model: its provisions exempt from prosecution researchers who report vulnerabilities.
The right intentions
Internationally, many companies, websites and software developers offer disclosure programmes that can give ethical hackers the opportunity to receive recognition for reporting vulnerabilities and bugs, Gauci said.
These programmes give ethical hackers the permissions and authorisations they need to go about their practices without worrying about legal ramifications.
Disclosure programmes can form part of larger processes in which vulnerability finders and affected vendors work together and share information to ensure that vulnerabilities, once found, are disclosed to the public only after they have been fixed or patched, EU guidelines read.
These are known within the industry as Coordinated Vulnerability Disclosures (CVD).
According to a 2022 report by the European Union Agency for Cybersecurity (ENISA), Malta has not yet implemented a CVD policy and there is no plan to implement one at this stage.
However, in 2016, the Malta Cyber Security Strategy report said “the possibility of a national responsible disclosure policy framework... may also be explored”.
The framework could be enabled through “self-regulation, promotion and encouragement by the government, as well as through a proper framework to ensure responsible vulnerability disclosure”, the 2016 report read.
Questions were sent to the Malta Information Technology Agency on Monday asking whether there are any plans to adopt such a framework.
Yet, as Malta currently lacks both CVD guidelines and a safe harbour regime, ethical hacking is not something that Maltese law takes into consideration, Gauci said.
“A legal shield could be engineered for high-profile white hats (another term for ethical hackers) so that these provisions may carry some protections in overseas legal systems too,” Grech said.
Grech described cybersecurity as an “essential activity that needs to be conducted to keep our democratic system, citizens, residents and internationally-operating companies safe”.
“Some of my former colleagues at university are now scared to be involved in cybersecurity courses in order to not get arrested,” Grech said.
Even bug bounties suffer from a lack of legal clarity. Bug bounties, in which companies offer financial rewards to those who find bugs in their systems, are a common practice among white-hat hackers.
“Bug bounties are not defined by the law but rather a term used within the industry,” Gauci said, emphasising the country’s need to introduce legal provisions for ethical hacking.