Cybersecurity: Lack of specific legislation makes digital environment 'less secure'

Malta still lacks the specific cybersecurity legislation that could create a more secure digital environment and significantly boost the economy, despite increasing awareness on cybercrime among the population, according to Gege Gatt, vice-president of the Malta IT Law Association (MITLA) and director of software development firm ICON.

An investigation carried out by online resource site Website Builder Expert last week found that Malta was the European Union member state most vulnerable to cybercrime.

Local experts in the field have questioned the investigation’s methodology. However the findings indicated that Malta was particularly vulnerable because, it is claimed, Malta had “a high percentage of open internet connections, a lack of international cooperation and the lack of cybersecurity legislation”.

MITLA, a registered NGO dedicated to the advancement and development of IT law, recently organised its own summit on cybercrime.

Gatt said that although legislation exists to manage computer crimes – Malta recently adopted the EU Directive of Security of Network IS – it was still lacking in specific legislation, despite a green paper having been launched by the government in 2015. “It hasn’t made its way into our laws and it seems that we don’t have a functioning cybersecurity strategy which permeates through all strata of government and the private sector,” said Gatt, who suggested Malta needed to be more “ambitious” in this regard.

“[It] should create a secure place in which digital business and communication can flourish,” he added.

In addition to better legislation, Gatt also emphasised the need to rope in the private sector into setting up an effective cybersecurity framework. He argued that this was essential given that the private sector owns and runs most of the digital services we use.

Gatt also emphasised the need for adhering to international law and best-practice.

“Cyberterrorism and cybercrime are rarely a national issue, with criminal participants often simultaneously present across multiple jurisdictions,” Gatt pointed out, adding that better operational skills and an effective round-the-clock and well-funded unit, able to cooperate with European partners, were now a must.    

One area of the private sector that was of particular importance, according to the lawyer and web-entrepreneur, were small and medium enterprises (SMEs).

“In terms of cybersecurity, SMEs are often the weakest link in the chain and may be hugely vulnerable to threats,” he said. “The government should consider introducing grants to assist small companies to boost their cybersecurity knowledge and processes.”

He said that progress had been made in recent years, however it has been slow, as most companies continued to “under-budget” on security.

Flawed methodology

Inspector Timothy Zammit from the police’s Cybercrime Unit insisted that the Website Builder investigation did not paint an accurate picture of the situation across Europe, adding that, in addition to Malta placing last, there were a few other rankings that surprised him.

He pointed out that the investigation relied on data from four different reports that was collected over a period of three years. “The Eurobarometer [survey] quoted was published in 2015, meaning it contained data collected in 2014,” he said, while data for the number of malware encounters, for example, was from 2017.

He added that the reports were subject to interpretation, and in addition, the methodology used was simply “adding the scores from each one and calculating an average”.

Zammit insisted that the Maltese population, due to its willingness to experiment and try new technologies, was not as vulnerable to cybercrime as one might think.

He pointed to the WannaCry ransomware – malicious software that is able to infect computers and make all the data on it, inaccessible – which he said had spread across Europe, but which had not made it to Malta.

Zammit explained that in this particular case, the software was only able to infect older computers, and the fact that many people in Malta use up-to-date technologies added “a degree of resilience”.

He said that in a certain sense, a high proportion of cybercrime dealt with by local authorities involved people committing standard forms of crime, such as threatening someone or damaging their reputation, through the internet.

Much like a conman, who might portray a false image of himself for victims to trust them, criminals on the internet similarly try to exploit people’s curiosity, or them making snap decisions, he explained.

Asked whether he felt that the country needed better cybersecurity legislation, Zammit said that the cybercrime unit had made its own recommendations to the Attorney General, adding that they were only minor suggestions since the current repertoire of laws did not contain any worrying lacunae.  

He noted that the cybercrime unit, which is currently a nine-man operation, would be growing significantly over the coming years, with more investment being brought in for an eventual overhaul.

Anti-virus software for your phone

Zammit said that with technology constantly developing, law enforcement would need to adapt.

“We need to re-invent ourselves to do what we have managed to do with computers on other devices,” he said, noting that with the introduction of the Internet of Things – where everyday appliances like fridges, water heaters, and many others are remotely connected through the internet – the targets for cybercrime would be increasing significantly.

“One of the main issues that we’re seeing now for example, is that malware is now going from computers to hand held devices,” said Zammit. 

“If I were to go out in the street and ask people whether they have an anti-virus on their computer most would say yes, but if I ask about their phone, it’s a different story.”

He emphasised that nowadays, people’s phones likely contained more valuable information than their home computer did.

Ultimately, he said, significant improvements had been made and it was now important to remain vigilant and to “keep up the momentum” through more investment and development.