Why Qld's GCIO asked agencies to phish their own staff

When he started out as Queensland’s government chief information officer, Andrew Mills decided that seeing was believing and bought a simulated phishing tool for agencies so they could find out how staff would fare in an attempted attack.

Queensland GCIO Andrew Mills

Mills bought the Threatsim product with a central pool of licences, and distributed it to government execs as part of the state’s preparation for Brisbane's 2014 G20 summit.

The GCIO’s office told iTnews the purpose of the exercise was for "agencies to better understand their risk position” but officials weren’t required to disclose the results of their internal tests, so we will never know how the state’s office staff actually performed.

Much more recently, however, the state government did learn just how porous its networks could be to a determined attacker.

In November last year assailants breached the websites of Queensland’s Department of Education and TAFE, with officials only discovering the intrusion when the purported hackers made contact.

The attack saw years worth of complaints and feedback data from students and teachers accessed by the intruders.

In response to the very public wake-up call, the government has since announced it will invest $12.5 million over four years into setting up a dedicated information protection unit within the government chief information office.

Mills told parliament this week that the unit forms part of Queensland’s revised approach to galvanising its perimeter and stepping up monitoring to keep up with increasingly effective would-be hackers.

He said phishing and online fraud was becoming far more sophisticated - like emails purportedly from a director-general’s account directing finance staff to pay a particular invoice to a particular bank account - and have already swept up some smaller agencies in their criminal pursuit.

“In the industry they say that for every person working in the enterprise on cyber security there are five people trying to break into their systems,” he briefed MPs.

He warned the government “will never be able to prevent” the kind of attack that befell the Education department from happening again, but the GCIO cyber security team would step up efforts in detection and monitoring over the next 12 months to respond quickly to the 20 percent of attacks that are impossible to stop at the front door.

Mills said infosec was developing much more of a black market emphasis over time.

“It used to be about hacktivists trying to embarrass you by putting porn on your website. Now it is becoming more criminal. They’re after your money and they want to sell your data,” he said.