Aurora and DHS - a Misleading Response to a Significant Mistake

Monday, December 22, 2014

Joe Weiss


With all of the focus on cyber security one could expect that DHS is doing a credible job in helping to protect our country. Unfortunately, that may not be the case.

In July 2014, DHS made an error by declassifying much of the Idaho National Lab (INL) Aurora documentation from FOUO (For Official Use Only) to Unclassified.  The mistake occurred because DHS named two different events with the same name- Aurora. One was “Google Aurora” which was the Chinese hack of Adobe, Northrup Grumman, etc. The second was the INL generator test also named Aurora. As previously mentioned in my early July blog, in May a Freedom of Information Act (FOIA) request was made to DHS for Google Aurora information but what DHS declassified was INL Aurora information. To be fair to DHS, the vast majority of the declassified documents were not of much interest – but unfortunately not all.  Several of the pages that were declassified provide a specific hit list of US critical infrastructure and even how to attack them. This information can easily be extrapolated to other critical infrastructures and locations.

However, below is DHS’s response to the declassification: “Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking;however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised. The Department will always work directly with requestors if they believe there has been a mistake in processing their request or that information has been withheld improperly. As in all cases, DHS works diligently to process FOIA requests in a timely manner, ensuring the full disclosure of records and information unless it is exempted under clearly delineated statutory language.”

Since DHS did release sensitive information, why doesn’t DHS own up to the mistake and simply apologize for it?

This was cross-posted from the Unfettered Blog

Possibly Related Articles:
Breaches CVE DB Vulns US-CERT
DHS ICS Aurora Aurora Vulnerability
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.