Governments should accept occasional website security breaches as a cost of being open for transactions, according to Queensland’s chief information officer, Peter Grant.
Queensland last month was targeted by hackers who defaced the state’s tourism, science and economic development websites in protest against Australia’s proposed data retention laws.
The hackers, operating under the banner of the Anonymous collective, exploited an unpatched vulnerability on servers operated by hosting provider Melbourne IT.
Access to the sites was suspended and each politically charged, text-based defacement was removed shortly after the attacks came to light.
Grant said he was “comfortable” with how the government responded to the incident, noting that “it’s always a balancing act to get the ‘protect’ level right”.
“If our controls are to buy a bigger padlock then the [criminals] will go out and buy a bigger hacksaw,” he said.
“If you overdid the protect bit, then people could not do business with us.
“You’ll always find the ones that get hacked are the areas where you are trying to be as open as possible for transactions,” he said. “That’s how [hackers] get in.”
Grant said there were four dimensions of the State Government’s IT security strategy: protecting systems; detecting breaches; containing any damage done; and recovering from any attacks.
He would not disclose details of how the government protected its systems, noting that “we have to keep the [criminals] guessing”.
The Newman Government last week stated that it was “committed to ensuring the security of information and … concerned” about the breach of its websites.
“While the government is taking this attack seriously, it’s important to note that this was a single compromise that affected one server that hosted multiple websites,” it stated.
“The affected systems are legacy systems, and do not contain sensitive information.”