National Information Security Agency to be set up

‘Policies, procedures ignored’

Usernames and passwords belonging to the 20,000 users of the government IT system were copied by hackers on September 4 and it was probable that the attack was made through the system at Malta’s Embassy in Cairo, Communications Minister Austin Gatt told Parliament yesterday.

Making a statement on the investigations which had taken place at Mitts, Dr Gatt said that the National Information Security Agency would be set up in the coming days.

It would be separate but complementary to the Malta IT Agency and the Malta Communications Authority in the sector of information security.

Referring to the breach, Dr Gatt said there was no proof that any e-mail account had been penetrated.

He said American experts, commissioned to establish whether information had been copied, had concluded that the computer system at the Maltese embassy in Cairo was infected with malware which was permitting connection between the government network and the internet.

The experts said that all traces of the attack indicated it was the work of an amateur and recommended that the embassy should be cut off from the government network. They were given copies of the hard disks to analyse the origin of the attack on the system.

These recommendations were communicated to the Police Commissioner who informed the Mitts chairman that the police wished to carry out the operation at the Cairo embassy on their own.

The police, who had reached the same conclusions as the experts, were at the embassy in the past days, collected material and are currently carrying out investigations.

The embassy was also cut off from the system which was being overhauled, Dr Gatt said.

The minister said the Mitts board members had offered their resignation, which he refused since it emerged that the shortcomings were not the result of a policy they adopted but were due to the application of procedures and systems.

In previous years, the minister said, the board consistently approved all investments requested by the management and which had to do with the security and operations of Mitts.

The board has already taken the correct measures in line with the information given by the management when it was informed of the problem.

It was also the board which insisted on a forced password change.

The minister said that at this stage, no Mitts employee was being investigated by the police because of illegal access to the e-mail accounts of Mitts users.

Although the assumption was that usernames and passwords had been copied successfully, at this point, Mitts had no evidence which showed that the e-mail accounts of particular users or government back-end systems were accessed.

This was strengthened by the fact that the passwords of all users were forcefully changed following a decision taken by the executive management of Mitts during a meeting of the board of directors on September 10.

This exercise was embarked upon on the morrow, September 11, and concluded that same day for MPs and senior government officials.

As a result, a number of users lost access to their e-mail because their previous password expired before they had time to change it.

The minister said there were a number of deficiencies at Mitts which had to be addressed as soon as possible.

Technical shortcomings which had taken place were not due to a lack of investment in security systems. Although all the necessary systems existed, they were not all being used in line with the decisions taken by the persons responsible for their implementation.

They had also taken place because written security policies and procedures were regularly ignored. A classic example was the sharing of passwords.

Dr Gatt said it was not the first time problems relating to information security originated from a Maltese embassy. This was because of the complex nature of the connections between the government network, the internet and that of Malta’s embassies overseas.

Mitts approved a series of measures which were taken by the company with immediate effect to further strengthen the systems’ security.

These measures include giving MPs and other people in sensitive positions a token or smart card without which they would not be able to access their e-mail account. Moreover, Secure Mail was to be launched so that all e-mails would be encrypted.

Other security measures were being taken and, although the minister said he would not be giving a list of them, he was willing to request Mitts to brief the leader of the opposition on them if he wanted.

The Mitts board commissioned an external review team, chaired by Henri Mizzi, to analyse the circumstances which led to this incident and Mitts’ reaction.

It was also asked to list recommendations on an interim basis on measures which should be taken to strengthen the security of these systems.

This review team also has to establish operational responsibilities.

Replying to questions by opposition leader Joseph Muscat and Labour MPs Gavin Gulia, Helena Dalli, Leo Brincat, Charles Mangion, Anġlu Farrugia, Carmelo Abela and Owen Bonnici, Dr Gatt said passwords were changed after September 10, although the usernames and passwords were copied on September 4, because till then Mitts had been giving the assurance that it was highly unlikely that the information had been copied.

He pointed out that he had not accepted the board’s resignation because there was no political or board responsibility. There was operational responsibility and this had to be established by the review team which had been set up.

He knew where to place a finger but did not want to at this point. The government, Dr Gatt said, was paying for licences, some of which were not being used. These decisions rendered the systems much less secure.

The minister said that all the people with a government username on gov.mt were affected. But while logs showed that all the passwords had been taken, no attempt was made to go into personal e-mails.

Employees, he said, were suspended because they were found to have software they should not have had. However, there was no evidence as yet that anyone’s e-mail account was penetrated.

Dr Gatt said that it was of concern that a mistake which could have been avoided had been made.

He agreed with a statement by Mr Brincat that Mitts’ CEO should be ashamed of himself to go abroad at such a sensitive time, when the investigation was being held.

As to whether he agreed that a magisterial inquiry should be held, the minister said he agreed to one only if the police thought this was necessary.
