Malta (MT)

National Cyber Security Strategy

The Maltese Government, in collaboration with the Malta Information Technology Agency (MITA), launched the National Cyber Security Strategy in October 2016. The strategy for the years 2014-2020 is a framework to protect systems, networks and information on the internet, together with the people who make use of these services. It calls for a multi-disciplinary approach with actions covering various economic, social, and cultural aspects, given the broad nature of cyber security and its impacts, in line with the EU Directive.

The six main objectives of the strategy represent an initial set of priority areas:

Obj. 1 - Establish a governance framework: a strategy needs to be established, effectively implemented and maintained on a continuous basis. This requires key coordination structures, processes, roles and practices with particular focus on cyber risk management within the public and private sector. 

Obj. 2 - Combat cybercrime: ensure and consolidate capabilities to tackle cybercrime.

Obj. 3 - Strengthen national cyber defence: foster the sharing of cyber security knowledge and intelligence, review current legislation and regulations in line with cyberspace developments and ensure digital resilience on a national and organisation-wide scale, considering also legal developments at EU level, notably legislation pertaining to data protection (GDPR) and Network and Information Security (NIS Directive).

Obj. 4 - Secure cyberspace: foster self-regulation and voluntary self-commitment, bearing in mind that legislation is not a panacea to cyber security commitments. Encourage the use of standards and best practices that guarantee security whilst allowing interoperability. Attention should also be paid to promoting the security and trust of online public services and consolidating support to the business community.

Obj. 5 - Cyber security awareness and education: target educational institutions, public and private sectors, as well as citizens as a means to raise awareness, build knowledge as well as capabilities and expertise in cyber security. A key recommendation is to launch an on-going educational and awareness campaign at the national level.

Obj. 6 - National and International Cooperation: ensure effective consultation, co-operation and collaboration at national, European and international levels enabled by EU and international institutions and activities, based on the understanding that cyber security has no boundaries.

Collectively, the objectives cover two strategic outcomes: 1) defending and protecting the national information infrastructure from cyber threats and 2) ensuring the security, safety and protection of users of cyberspace.

The Strategy is the starting point for achieving these outcomes based on implementation, evaluation and maintenance, including the evolution of the threat landscape, EU directives and technological advances.

Cyber security is seen as a national investment to make Malta a secure online jurisdiction and a centre of excellence in various business sectors interacting in cyberspace.

 

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

 

Year of adoption

October 2016 - Malta Cyber Security Strategy following the publication of the Malta NCS Green Paper in 2015.

Updates and revisions

In January 2017, the Minister for Competitiveness and Digital, Maritime and Services Economy launched Malta’s first National Cyber Security Strategy and, with MITA, launched a two-year National Cyber Awareness Campaign as one of the Strategy’s initial priority areas. The campaign targets society, businesses and the public sector.

The Campaign aims to cover the online security interests of the public sector, the citizen, as well as the private sector, giving also particular attention to the SMEs which, as within the EU, constitute the majority of the Maltese economy.

Implementation and monitoring

A Steering Committee is responsible for the National Cyber Security Strategy implementation. The Malta Information Technology Agency (MITA) is the central driver of Government’s Information and Communications Technology (ICT) policy, programmes and initiatives in Malta. It is tasked with implementing the programmes set out in the Digital Malta National ICT Strategy 2014-2020. MITA manages the implementation of IT programmes in Government to enhance public service delivery and provides the infrastructure needed to execute ICT services to Government. MITA is also responsible for propagating further use of ICT in society and the economy and for promoting and delivering programmes to enhance ICT education and the use of ICT as a learning tool.

MITA also supports the cyber security awareness campaign.

Operational capacity building

CSIRTMalta is Malta’s national Computer Security Incident Response Team (CSIRT). The mission of CSIRTMalta is to support CIs, CIIs and other sensitive infrastructures in Malta on how to protect their information infrastructure assets and systems from cyber threats and incidents.

At the operational level, the Malta Cyber Security Strategy defines the function(s) for the steps needed to increase capacities in line with the overall strategic outcomes with regard to national coordination of cyber detection and response.

Computer Security Incident Response Teams (CSIRTs) tend to be of a technical and operational nature. Thus it is important to ensure consolidation of a top level National CSIRT. Close communication and coordination of the CSIRT is also required on:

  • Real-time information sharing and response to calls.
  • Longer term planning.
  • Communication and coordination with other CSIRTs in Malta as required.
  • Possible further alignment with EU legal requirements and consolidation.

Steps taken at the business and societal levels: Malta has established:

e-Commerce Malta highlights 3 pillars: 1) generating trust in e-commerce; 2) transforming micro-businesses; 3) taking SMEs and industry to new levels of cyber security, such as through the audit-kit and a Specialist advisory service (Measure 2) and the European Trust Mark (Measure 9).

Digital Malta is the Forum for transforming industries through ICT that aims to raise awareness about the benefits of adopting technology and enabling self-regulation.

Legal conditions

Specific legislation and regulation related to cybersecurity has been enacted through the following instruments:

  • Electronic Communications Networks and Services regulation: Subsidiary legislation 399.28. In the event of a significant breach of security or integrity of the services or network, the provider must notify the MCA (Malta Communications Authority) and any users concerned appropriately and without undue delay. If the incident is serious, the MCA will notify other member states and the EU agency for network and information security - ENISA.
  • Malta Financial Services Authority: Imposes a duty on financial institutions to report any breach to MFSA, the Maltese Central Bank. If the breach involves personal data, the IDPC must be informed as well.
  • Malta Gaming Authority: The MGA requires operators to report any breaches or attacks in their systems. These reports must be prepared in the form of a prescribed incident report form and submitted to the MGA within 24 hours of the relevant incident.

In May 2017, the Malta Forum for Internal Auditors organised an event with presentations on General Data Protection Legislation: a challenge for the Internal Auditor. The ISACA Malta Chapter has also organised an educational event on the GDPR.

The National Audit Office (NAO) has issued an IT Audit report on Cyber Security across Government entities.

Public private partnerships

The MITA has established an Innovation Hub for startups that are selected to follow the YouStartIT acceleration programme and receive a pre-seed investment.

Date of last analysis July 2017 (complete revision)

 

 

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Computer security incident response teams (CSIRTs)

CSIRTMalta

National updates 

The Strategy highlights the importance of cyber risk management under measure iv - ensure the conduct of a national cyber risk assessment exercise. The purpose is to identify major national cyber threats and risks, assess respective impacts and suggest risk mitigation and management strategies accordingly. This exercise should be undertaken on a regular basis as the threat landscape evolves and new technologies become available. Such an exercise should include regular testing and validation exercises.

Measure v stresses the importance of cyber risk assessments on an individual basis as well: "Ensure necessary measures in line with individual cyber risk assessments by key public and private sector organisations falling within the scope of related EU legal requirements" (i.e. processing of personal data in relation to products and services dealing with EU citizens or in relation to the Directive on Network and Information Security). The strategy explicitly encourages cyber risk assessments as relevant within the public and private sector in that the legislation demands a risk-based approach to the development of appropriate controls.

Moreover, the Strategy underscores the importance of cyber risk assessment in general to all organisations operating in cyberspace. It includes references on the need to assess financial risks with regard to cyber-related incidents and the potential need for cyber insurance. However, it points out that cyber insurance coverage must not replace risk management and the use of necessary security controls.

Guidance and Updates

Evaluations and periodical reviews are an integrated part of the National Cyber Security Strategy. Cyber risk management practices also include monitoring and evaluations.

Languages

English

Date inserted July 2017 (complete revision)

 
