The chilling description given by Infrastructure Minister Austin Gatt in Parliament of what happened after it emerged that hackers had attacked the government IT system shows this is arguably the most serious breach of security in recent years. People are understandably worried about the threats to their privacy, given that usernames and passwords belonging to 20,000 users were copied by hackers.

Yet the incident was not so much an IT technical failure as a failure of internal control systems. Such a failure of security controls is always shocking, but it is even more so in an IT environment, which is one of the most strictly controlled parts of any organisation.

The sharing of passwords between colleagues working in an IT department was a classic example of familiarity breeding contempt - in this case, contempt for the strict internal operational procedures aimed at protecting the interests of many Maltese people.

The way the minister tackled this issue is broadly understandable and justifiable, although there are some elements that one could disagree with. For instance, why was the CEO, who is ultimately responsible for the operations of Mitts, the government IT agency, allowed to travel abroad when an investigation was in progress?

The board of directors of the company was right in demanding an external investigation to establish the consequences of this tampering with the IT systems of Mitts. The directors were also right in submitting their resignation to the minister as they correctly argued that, ultimately, they were responsible for operational failures, even if no negligence can be imputed to them personally. The minister had a right to accept, or reject, this resignation. He decided on the second option. So who shall carry the can now? Does the buck stop at the minister's desk and, if so, what is he going to do about it?

The opposition was right to demand that a management audit should be held to ensure that there are no more serious failures of management relating to the way that operational risk is managed in Mitts. Indeed, such management audits should be as regular and frequent as the financial audits held in government departments.

The insistence on a magisterial inquiry is, perhaps, less convincing, certainly not at this stage. While an independent inquiry will no doubt serve to confirm that all the relevant facts that are of interest to the public have, in fact, been disclosed, a magistrate is probably not the best person to conduct such an inquiry.

Information security systems management is a complex function in most large organisations. The best people to carry out an independent review of an organisation's systems failure would be experienced IT security experts who could sift the evidence presented to them in a way that really identifies where failures of responsibilities occurred.

The setting up of a National Information Security Agency is a step in the right direction. If Malta is to justify its commitment to become a best-of-breed information and communications technology centre, it must foster and enforce best practices in information security.

Such an agency will, no doubt, insist that every organisation where IT is a strategic competence has the right checks and balances to ensure that incidents like the one that happened at Mitts are not repeated.
