I write this article in the wake of revelations about how university students were treated after reporting a security vulnerability to a popular local app.
In my current role as head of Department of Computer Science at the University of Malta, I have been aware of this case for a few months. There is plenty about the details of the case which angers and saddens me, but I am unable to comment on specifics due to ongoing investigations.
Nevertheless, the fact that teenagers reporting a vulnerability are facing criminal investigation, having equipment seized, studies affected, being strip-searched, and held in a cell with other potentially violent criminals indicates to me that, at the very least, we have a severe lack of knowledge across camps in the country; knowledge which is essential to help Malta navigate the perils of the online world going forward.
Firstly, the people reporting the problem need to be aware that the company may not have the same knowledge about cybersecurity practices that they do. The mere mention of a security breach is enough to set alarm bells ringing, let alone bug bounties and the establishment of a deadline.
Similar to the way a doctor needs to have a good bedside manner, a gentle approach is required that goes beyond clinically quoting standard industry practices. While in this particular incident the vulnerability scanning was not part of a university activity, we, as trainers of future professionals, need to keep this in mind going forward. Of course, this does not justify the way the case was handled.
The app which had a security vulnerability should employ appropriately-trained engineers and exhibit humility when the need arises. It is expected that vulnerabilities will occasionally arise, and if in-house developers do not detect them, is it not better for an ethical hacker to inform us about them than for a malicious actor to exploit them at the expense of our users? In fact, bug bounty programmes are instituted by organisations to encourage such ethical hacking because it is beneficial to everyone.
It seems that in this case, a ‘bug bounty’ was interpreted as a ‘ransom demand’ and the ‘three-month deadline’ was interpreted as a threat. It is not a threat; it is a grace period to get your ducks in a row before responsible disclosure occurs. Users have a right to know that their data was at risk. One must pose the question, would a group of criminals with malicious intent provide their victim with names and contact details?
These misunderstandings may have triggered a knee-jerk criminal complaint. Yet, did the complaint need to trigger such heavy-handed treatment of those involved? One must therefore pose questions regarding the level of knowledge within the police force, the attorney general’s office and even court experts involved in such cases.
I would have expected at least one of the people in these roles to raise a hand, explain how things are done in an international context, and calm the situation down. If we are to provide an environment that is conducive to safe online activity, then we also need to provide a safe harbour for ethical vulnerability analysis. This cannot happen without specialist knowledge being present within Malta’s law enforcement community. Of course, this community requires the support of adequate legislation and this brings me to my next point.
Malta’s legal framework with regards to cybersecurity matters relies mostly on a decades-old ‘misuse of electronic equipment’ law. While I am not a lawyer, I am given to understand that this law is vague and wildly open to interpretation. Other countries have pushed forward and implemented safe harbours for ethical hackers by, among other initiatives, enacting coordinated vulnerability disclosure (CVD) legislation. A 2022 report by the European Union Agency for Cybersecurity notes that “Malta hasn’t yet implemented a CVD policy and there is no plan to implement one at this stage”.
For years, the University of Malta has been building a healthy profile of cybersecurity research and teaching. Our cybersecurity team has participated in international research projects funded by the EU and NATO. Only this week, I sat on an examination where the student demonstrated his detection of a vulnerability in a major international cryptocurrency exchange.
He explained how he reported the issue, discussed it with the exchange’s security team and had the satisfaction of seeing the issue fixed. Over the past two years, we have also been designing a modern cybersecurity master’s programme in collaboration with prominent local partners. Yet, an incident like this calls all this activity into question. The university must ask itself how safe it is for cybersecurity researchers and practitioners to train and operate in Malta.
In the current legal context, is it even safe for the university to train new cybersecurity professionals?
More importantly, the question the country must ask itself is how safe are we online if the professionals who report potential risks to our safety end up facing criminal prosecution?
This is not just about consumer apps. The country is increasingly moving critical systems and services (e.g. health and taxes) online; and I for one would feel much safer knowing that besides the highly capable teams at MITA, there were other lines of defence which are openly welcomed by the country.
There are plenty of lessons to be learned by all involved in this case. I am certain that no malicious intent was involved when reporting the issue. I implore the authorities to bring competent parties together, not in a spirit of prosecution, but in a spirit of learning and enacting legislation and processes that enables us to move forward in a way that is safe for all involved.
The opinions expressed in this article are those of the author and not necessarily those of their employer.
Mark Micallef is head of the Department of Computer Science at the University of Malta.