Cybersecurity has become a widespread concern for businesses and society alike.
Individuals and businesses are increasingly having to face challenges associated with cyber-incidents, placing the security of their data, infrastructure and, on certain occasions, even their financial assets at risk.
In light of the above, the demand for cybersecurity professionals has rapidly surged over the past few years, and this need is only expected to continue.
The European Union Agency for Cybersecurity (ENISA) last month highlighted studies from the Cybersecurity Higher Education Database (CyberHEAD), which show that although the number of cybersecurity graduates is at its highest, there is still a major cybersecurity workforce shortage. ENISA stated that this gap of around 300,000 posts “cannot be closed” with the current number of graduates and has since called for further investment in the re-skilling and upskilling of this workforce.
Karl Sammut, Partner at Sammut Legal, recently stated that this is an issue being faced both globally and locally. He remarked that it is a “complex” issue and has “various implications”, often feeling like a “catch-22 situation”. Notably, he emphasised that the shortage of cybersecurity professionals is “not just another human resources (HR) issue”, but a “matter of national security”.
Dr Sammut is a Commercial Lawyer specialising in business, technology and intellectual property. He operates in all areas of intellectual property and technology, advising on matters relating to software, hardware, cybersecurity, cloud, as well as data protection and privacy matters.
Following his post, MaltaCEOs.mt reached out to Dr Sammut to better understand why this cybersecurity professional shortage is of national concern, and what can be done to encourage more individuals to choose a career in cybersecurity.
“I think to best answer this, we must acknowledge that we are living in an interconnected world, and so as a result, most activities are either conducted totally online or within an online dimension,” Dr Sammut said.
Against this background, it is important to understand why online activities and any data associated with such activities must be “safeguarded and protected”, and “the role that cybersecurity professionals have in ensuring that online systems and digital assets are kept safe and secure”.
Dr Sammut remarked that the demand for cybersecurity professionals “heavily exceeds” supply, and it has become “quite difficult to find the right skillsets and people who have the necessary background and experience”.
He highlighted that if not addressed adequately, the shortage of cybersecurity professionals can escalate into a national security issue.
“First and foremost, the state itself is both the custodian of vast amounts of data, and also manages a number of critical infrastructure which may be directly targeted by cyberattacks. Therefore, if the state is unable to successfully recruit and retain a sufficient number of cybersecurity professionals, it may find itself inadequately equipped to protect its sensitive data and critical infrastructure from potential cyberthreats,” he said.
“This shortage is particularly concerning for Malta’s private sector, which predominantly consists of SMEs. Such businesses may find it particularly challenging to secure the services of skilled cybersecurity professionals due to budget constraints. Malicious actors are fully aware of this and the fact that SMEs can be the ‘soft underbelly’ or the ‘weakest link’. In fact, in what is referred to as a ‘supply chain attack’, these SMEs are specifically targeted and used as an entry point to gain access to larger organisations, a modern ‘Trojan horse’ of sorts,” he continued.
“Imagine if a local major institution, such as a bank or a Government entity, is compromised, and the data within is exploited by malicious actors. Such an incident has the potential to trigger a chain reaction, particularly if it erodes the public’s trust in online safety and digital security. The resulting fallout can actually impact economic stability,” he argued.
Dr Sammut said that the internet and the online environment is “to a certain extent, not being actively monitored”, and cybersecurity professionals can potentially fill certain gaps, particularly when it comes to the prevention of certain cybercrimes.
“The fact that we have a gap and not enough practitioners to fill the available posts can pose a security risk. Holistically, this can also be a national concern,” he continued.
According to Dr Sammut, there is “another pressing concern” which can also impact the cybersecurity landscape in Malta, with this being “the legal framework governing ethical hacking”. Ethical hackers, now more commonly referred to as ‘good faith security researchers’, are a vital component in the cybersecurity landscape. They try to identify bugs before they can be exploited and used by malicious actors. However, “due to the binary nature of the current computer crime framework in Malta, a person is deemed to have committed a computer crime once they gain unauthorised access to a computer system, irrespective of the lack of any malicious intent. Unfortunately, this means that good faith security researchers find themselves on a precarious legal tightrope solely because the current regulatory framework fails to recognise how they typically operate.”
This topic made headlines earlier this year when four Maltese students were arrested after they allegedly exposed a security flaw in student app FreeHour. The students discovered that users’ email addresses, location data and control of Google calendars were all potentially vulnerable to malicious hackers. Instead of exposing the flaw, the students emailed FreeHour to inform them about it in October 2022, giving the company a three-month deadline to fix the vulnerability should it not want the information to become public, while also mentioning the possibility of a bug bounty. However, the students were then arrested, with FreeHour arguing that it was legally obliged to report the incident to the Cyber Crime Unit within the Malta Police Force and the Information and Data Protection Commissioner under GDPR law.
He noted that the recently well-documented events in Malta are “very unfortunate” and have undeniably had a negative impact on the industry. Good faith security researchers who might have previously proactively investigated whether a website or online application is safe or not, just to notify the relevant company to address the identified vulnerability, are “now afraid to do so”, because they are concerned that “the police will come knocking”. However, this hesitation or uncertainty can create an unfortunate scenario where this vulnerability remains unaddressed, until a malicious actor exploits it for malicious purposes.
“There is a drive to address this uncertainty, but it is still a major concern. Cybersecurity practitioners are well aware of these issues and are having second thoughts about entering the industry,” Dr Sammut added.
He also pointed out that the case has been “widely reported” in various international fora, meaning many individuals and businesses know about certain problems in Malta, which can have an “even broader effect” on the sector, possibly leading to foreign cybersecurity professionals choosing not to relocate to Malta.
According to Dr Sammut, awareness and education should be the pillars for building a strong cybersecurity posture in Malta.
“October is cybersecurity month, and while there has been some drive about awareness, I expected much more in the advent of what we’re seeing. Cybersecurity is important throughout the year, but you can use this month to drive awareness. Once you increase awareness, that in itself can be a driver for change and growth,” he continued.
Unfortunately, Dr Sammut noted that the lack of awareness on cybersecurity matters is not limited to a particular demographic, such as the elderly, but extends well beyond that. He raised a thought-provoking question: “How many Boards of Directors discuss or consider aspects related to data protection or cybersecurity? From my experience, not a lot, and this is something which underscores the need for greater awareness even at C-level.”
Malta should also “aim to ensure” it produces a “continuous pipeline of cybersecurity practitioners”. This can be achieved, in the short term, by encouraging current IT practitioners to transition into the field of cybersecurity, or alternatively, initiatives should be launched to attract experienced cybersecurity practitioners to Malta’s shores. In the long term, students “should be incentivised” to pursue cybersecurity as a career path, possibly by increasing stipends for students reading for these courses and offering grants or scholarships.
“Malta has always been agile enough to create new initiatives and seize opportunities, as was seen in iGaming. With the collective effort of all relevant stakeholders, we can replicate the success we have enjoyed in other sectors also in cybersecurity. It is crucial that we view the shortage of cybersecurity practitioners not just as a problem, but as an opportunity. This shift in perspective can provide Malta with a distinct competitive edge,” Dr Sammut said.