Aurora and DHS - a misleading response to a significant mistake

Dec. 19, 2014

With all of the focus on cyber security one could expect that DHS is doing a credible job in helping to protect our country. In July 2014, DHS made an error by declassifying much of the Idaho National Lab (INL) Aurora documentation from FOUO to Unclassified.  DHS stated the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised. However, several of the pages that were declassified provide a specific hit list of US critical infrastructure and even how to attack them.

 

With all of the focus on cyber security one could expect that DHS is doing a credible job in helping to protect our country. Unfortunately, that may not be the case.

In July 2014, DHS made an error by declassifying much of the Idaho National Lab (INL) Aurora documentation from FOUO (For Official Use Only) to Unclassified.  The mistake occurred because DHS named two different events with the same name- Aurora. One was “Google Aurora” which was the Chinese hack of Adobe, Northrup Grumman, etc. The second was the INL generator test also named Aurora. As previously mentioned in my early July blog, in May a Freedom of Information Act (FOIA) request was made to DHS for Google Aurora information but what DHS declassified was INL Aurora information. To be fair to DHS, the vast majority of the declassified documents were not of much interest – but unfortunately not all.  Several of the pages that were declassified provide a specific hit list of US critical infrastructure and even how to attack them. This information can easily be extrapolated to other critical infrastructures and locations.

However, below is DHS’s response to the declassification: “Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised. The Department will always work directly with requestors if they believe there has been a mistake in processing their request or that information has been withheld improperly. As in all cases, DHS works diligently to process FOIA requests in a timely manner, ensuring the full disclosure of records and information unless it is exempted under clearly delineated statutory language.”

Since DHS did release sensitive information, why doesn’t DHS own up to the mistake and simply apologize for it? 

Joe Weiss