Many have noticed that on top of the Joint Report issued on Thursday by the FBI and U.S. Department of Homeland Security on the Russian hacks, there is a very peculiar thing: A disclaimer stating that “The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within.” Some have speculated that the disclaimer is evidence that the federal government won’t stand by their findings. WikiLeaks drew even more attention to this detail by tweeting out a picture of the disclaimer, which was subsequently retweeted more than 7 thousand times. As a legal website, we always read the fine print too, and wanted to find out what this means.
Obama’s Russia sanctions: Note that the ‘hacking’ report released today:
1) Doesn’t mention WikiLeaks
2) Has the following disclaimer: pic.twitter.com/fu4QbRlcyB— WikiLeaks (@wikileaks) December 29, 2016
The 13-page page report describes how the Russian civilian and military intelligence Services have cyber operations that have included “spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.” The report, which came out at the same time that President Obama announced sanctions against Russia, has drawn criticism for being sparse on details. For example, even though the report is 13 pages long, the last 7 pages are general tips to the public about how to guard against cyber security threats.
“The DHS statement is a restatement of already known public information,” one cyber security expert said. But, drawing even more attention is that mysterious disclaimer at the top. What does it mean? We consulted with Stewart Baker, a cyber security attorney, and former first Assistant Secretary for Policy at the Department of Homeland Security under President George W. Bush. He admitted that during his years at DHS, he doesn’t recall seeing this type of disclaimer on reports that he reviewed.
However, he doesn’t think it is some kind of indication that the information is wholly inaccurate. “Often early reports or information that is pulled from reports have a few errors on it,” Stewart told LawNewz.com, saying for example that the government may identify a wrong IP address. “I can understand why someone would do that (provide a disclaimer) in the private sector. My guess is DHS wanted to get the information out as quickly as possible, and they want to recognize the possibility of corrections in the future.”
Baker said that any possible misattributions can cause harm to innocent people including being placed on blacklists. The disclaimer may be a way to provide the government “cover” if a private party turns around and sues them, he said. Included in the report are 50 “alternate names” purportedly used by Russian Civilian and Military Intelligence Services including CakeDuke, CHOPSTICK, CosmicDuke, and COZY Car. In addition, the report included a Yara Signature (a tool designed to help researchers identify and classify malware) used by the hackers.
As for the actual report itself. “I thought the report was ‘moderately persuasive.’ I assume there is more information that is not being released. The information that they did release look like the kind of commercial reports that we see rather than something that draws on a lot of classified sources,” Baker said.
Interestingly, when we searched through other NCCIC (Department of Homeland Security) reports that were issued in the last few years, we also found instances where a similar disclaimer was used. For example, this 2014 report about the hacking/exploitation of electronic highway signs, also contains the same language regarding warranties as the Russia hacking report. The joint report is characterized as “white” in the government’s traffic light protocols which is the lowest level. That means that the ” information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.”
As for the disclaimer, Stewart believes it is likely the government didn’t want to be held liable for any misinformation that is inadvertently released.