The Hack
How to write about attacking the United States: The Cosmopolitan Globalists' Guide to Style
By the Cosmopolitan Globalists
The Cosmopolitan Globalists, we have grandly announced, will not chase breaking news. It breaks, we shrug.
But the Cosmopolitan Globalists have done nothing useful today because we can’t take our eyes off the breaking news. It’s best we be honest about this. And we don’t know what it means any more than you do.
Is Russia about to invade a NATO country?
We don’t know.
What does “a grave risk to government and private networks” entail?
We don’t know.
How secure is the American nuclear deterrent?
We don’t know.
Who now controls American nuclear weapons?
We don’t know.
But one thing we do know: The Cybersecurity and Infrastructure Security Agency can’t go in there without an editor.
We have learned that the Energy Department and National Nuclear Security Administration, which maintains the US nuclear weapons stockpile, has been hacked. Politico reports that officials have found evidence of “highly malicious activity.”
We’re perplexed by this phrase: When someone hacks the US nuclear weapons stockpile, it’s clearly not a benign pastime, so what exactly does “highly malicious” mean? Is this as opposed to “a mildly malicious attack?” Is the maliciousness tied to the intent of the hacking, or to its effect? About a matter of such obvious importance—just once—might a US official—just once—issue one single comprehensible and grammatical English sentence? Just once?
Are we in immediate danger? Is this akin to Russian bombers buzzing our airspace to see how quickly our fighters can intercept them? Or is it like artillery striking West Berlin?
We don’t know. Is this gladdening news? We’re sure it’s not. But how bad is it? We can’t tell, because our government can’t write. Neither can our software titans.
If you can’t write, you can’t think. So let’s clear a few things up.
We know that according to the Cybersecurity and Infrastructure Security Agency, there has been an “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.” That covers all the bases, but what does that mean? Not one single sentence of their memorandum makes sense.
The Agency reports that “state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations” are at risk, although the urgent communiqué does not say what the risk is. The advisory indicates that the matter is too sensitive to explain:
Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.
“An operational security plan needs to be developed and socialized.” What does that mean? How do you socialize a plan? A plan—countable noun—is a method for achieving an end or an orderly arrangement of parts of an overall design or objective. Don’t argue with us; argue with Merriam Webster. You socialize children. Or in the worst case, your economy. That sentence just makes no sense, and the use of the passive voice obscures the key question: Just who is meant to develop the plan? No amount of circumlocution can obscure the problem: The plan needs to be developed.
That is to say, as of today, there is no plan.
“The adversary’s initial objectives,” the document continues, “as understood today, appear to be to collect information from victim environments.”
The Cosmopolitan Globalists implore the Cybersecurity and Infrastructure Security Agency to use the active voice. Who, precisely, understands this? What is a “victim environment?” Who are the victims?
And who is the adversary?
We’ll save you time with an educated guess. Russia did it.
Microsoft President Brad Smith wrote an urgent salvo addressing the crisis. Titled “A moment of reckoning: the need for a strong and global cybersecurity response,” it is a master-class in bad writing and has already been placed in the Cosmopolitan Globalists’ Style Guide under the heading, “No.”
“This latest cyber-assault,” he writes, “is effectively an attack on the United States.”
Let Brad Smith’s haunting words serve as a warning. Even if the future of the human race hinges upon what you have to say, unless you say it in clear English—or a clear version of some human language—the Cosmopolitan Globalists will roll their eyes. What does “effectively” mean? Does he mean, “Someone has attacked the United States?” Someone has attacked the United States in an effective way? Someone has done something that has the effect of an attack?
Mr. Smith, if there is an attack worth writing about, there is an attacker. The attacker is the subject of your sentence:
Correct: “Jones attacked the United States.”
Incorrect: “The United States was attacked by Jones.”
Highly incorrect: “This was effectively an attack.”
Smith introduces his essay with this paragraph:
The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack [sic]. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.
The Cosmopolitan Globalists recommend striking the whole paragraph. It tells us nothing and only frustrates as we wait for him to get to the point. We already know it has been a difficult year. Who doesn’t? “A moment of reckoning” is a cliché; if you absolutely must, use it properly: There is a day, not a moment, of reckoning. Don’t argue with us; argue with the New Testament.
And really, the whole paragraph should go. We get it: Something bad happened. Also: There either is or isn’t a hyphen after “cyber.” But not both.
The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.
The first is the continuing rise in the determination and sophistication of nation-state attacks. In the past week this has again burst into the headlines with the story of an attack on the firm FireEye using malware inserted into network management software provided to customers by the tech company SolarWinds. This has already led to subsequent news reports of penetration into multiple parts of the U.S. Government. We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations. As FireEye CEO Kevin Mandia stated after disclosing the recent attack, “We are witnessing an attack by a nation with top-tier offensive capabilities.”
If it is continuing it should not be eye-opening. We suggest shortening your paragraph thus:
A sophisticated nation-state attacked the firm FireEye using malware inserted into SolarWinds’ network management software. The US government is under attack and so are we. We’re dumbfounded by the attackers’ skill.
Now, isn’t that better?
His next paragraph has to go, and so does the next one. He finally finds the beef here:
There are broader ramifications as well, which are even more disconcerting. First, while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy. As SolarWinds has reported, the attackers installed their malware into an upgrade of the company’s Orion product that may have been installed by more than 17,000 customers.
The nature of the initial phase of the attack and the breadth of supply chain vulnerability is illustrated clearly in the map below, which is based on telemetry from Microsoft’s Defender Anti-Virus software. This identifies customers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’ malware. As this makes clear, this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.
Editors’ note: It should not take 474 words to get to the subject of the essay, which should be the first word of the first sentence. Subjects vs. Objects explained, a refresher: “As a basic rule: The subject is the person or thing doing something. The object has something done to it.”
Confused? Keep asking yourself: Who’s doing the attacking? The attacker is the subject of the sentence. Start your essays vigorously. Start with the subject. “Russia attacked the United States” is vigorous—and if that’s not what you mean, Mr. Smith, what do you mean?
Customers who used Microsoft’s Defender and installed malware-infested versions of SolarWinds’ Orion. Based on Microsoft’s telemetry data.
Next: “A supply chain vulnerability of nearly global importance?” That’s gibberish. By “nearly global importance,” Mr. Smith, do you mean, “extremely important, but not entirely global?” Or do you mean “nearly of global importance,” and by implication, not important? There’s all the difference in the world between The Buckeyes were nearly defeated and The Buckeyes were defeated.
What’s a supply chain vulnerability, by the way? We know, but we sort of have to think about it. Wouldn’t it be clearer to say, “Russia can now choke and starve every capital in the West?” That would get people’s attention. And if that’s not what you mean—well, what do you mean?
Midway through the race, Mr. Smith switches horses. Why is he suddenly going on about “private sector offensive actors?” Are they related to the SolarWinds attack, or is he bringing this up under the penumbra of “bad things we ought to know?”
It certainly sounds grim by the time he wraps it up. But most people, Mr. Smith, won’t have the patience, which is a shame, because underneath all this bad prose, you are saying something important:
There is a third and final sobering development worth noting from what has obviously been a challenging year. This comes from the intersection between cyberattacks and COVID-19 itself.
(Intersection. Just strike that word. It never helps anywhere, except maybe at a traffic juncture.)
One might have hoped that a pandemic that cut short millions of lives might at least have received a pass from the world’s cyberattacks. But that was not the case. After a brief lull in March, cyberattackers [sic] took aim at hospitals and public health authorities, from local governments to the World Health Organization (WHO). As humanity raced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19. A crisis always seems to bring out the best and worst in people, so perhaps we should not be surprised that this global crisis was no exception.
Edited version: Russia attacked hospitals, healthcare workers, and seven companies researching vaccines and treatments for Covid-19. That’s not what friends do.
As for the news itself, herewith the minutes of the Editorial Board of the Cosmopolitan Globalists:
Vivek: The breaking news here is incidental. The story for CG is what the Trump Administration has really done to keep US government safe from cyber intrusions. Sometimes, when a leader is not inclined to pursue something, the team takes action—but not wholeheartedly, and that gives poor results. Did Trump’s blindness to Russia and his complete avoidance of the issue, out of personal pique, hurt?
Claire: Bit of a leading question, Vivek—
Vivek: Did people down the line draw cues from the leader, assume it wasn’t a top priority, and do a half-assed job?
Claire: We must investigate this question. We can’t presume we know the answer.
Claire: Some good points can be found—I think—beneath all of Paul Smith’s awful writing, even if it practically takes a secret-decoder ring to get to it.
Vivek: This bit is the key text:
The nature of the initial phase of the attack and the breadth of supply chain vulnerability is illustrated clearly in the map below, which is based on telemetry from Microsoft’s Defender Anti-Virus software. This identifies customers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’ malware.
Vivek: There may just be a Microsoft vulnerability as well. And in tried-and-tested PR, obscure wording is a tactic to hide uncomfortable facts. I’m wondering if he is trying to hide a Microsoft vulnerability while also using the opportunity to push the Microsoft brand.
Claire: Could be. Or it could be that no one has ever edited his prose. Hey, has anyone seen an article that clearly spells out why this matters? The obvious implication—though I see no one saying so, plainly—is that Russia may be able to launch or disable our nuclear weapons—
John Number 1: —is that true from a technical perspective?
Claire: I don’t know.
Vivek: You don’t understand the difference between “effectively an attack” and a conventional attack. If cyberattacks are the norm, everyone’s defense capabilities are compromised. Today, even cars run on software. So while a cyberattack may not kill the way a conventional attack would, it’s still an attempt to cripple a rival, and in that sense, an attack on a rival. Cyberattacks are more than metaphorical. They take longer to unravel and may have deeper effects.
Claire: I’m not suggesting it’s trivial—just that I don’t know how bad it is.
Vivek: Irrespective of whether someone can disable weaponry to the point we’re discussing, the point is: This is a scenario that all war planners must discuss, and a contingency they must plan for. From that perspective, any attempt to get into another nation’s cyber assets is a problem. Even if it’s just a hunt for information. One vulnerability shows that there might be more. It’s not like turning a spy in Berlin to find secrets in the old days.
Claire: Makes sense. You know, speaking of the old days—remember Toomas Hendrik Ilves, the former President of Estonia? He’s working on an article for the Cosmopolitan Globalist about the future of war. Let’s see what he thinks about this.
CG editorial team in unison: [excitement] Yes, good idea! Ask him!
We turned to our expert.
Claire: Mr. President? How bad is this?
President Ilves: It’s real bad.
Claire: Oh.
President Ilves: Think of it as finding out someone has been in your computer and accessed your most intimate and private stuff and all your medical records, all your bank accounts, your passwords, friends’ and kids’ addresses … you don’t know what they have or might do but you do know they have accessed the stuff you never want known—except we’re talking about a country with 330 million people.
Claire: That’s bad.
President Ilves: When you realize that Solar Wind managed data transfer for DoE and Treasury, you basically crap your pants.
The Cosmopolitan Globalists: Can we print that?
President Ilves: Strictly speaking, according to the legal definition, this is not an attack. We haven’t yet seen any damage. Definitionally, it’s a “penetration.” But we know they’ve got into the system. Now any minute we could have an attack. The data may have been copied. They might have my medical records; they could change my blood type. ANY F*CKING MINUTE the attack could begin—anything from turning the traffic lights in New York, Chicago, Washington, and Los Angeles green at 5:00 p.m. on the last evening of Friday shopping before Christmas to making the nuclear reactors melt down and turning the missiles into scrap metal.
Claire: Well, this does seem bad. Shall we ask Twitter how bad it is?
The Cosmopolitan Globalists: May as well.
Claire: Hey Twitter, how bad is this?
Twitter: Targeting infrastructure security, monitoring, industrial control systems—it doesn’t take much to cause a radiological incident. A loss of temperature control, erroneous pressure, quantity readings could have devastating consequences.
Claire: Twitter, are you speculating? When you say, “It doesn’t take much,” my first thought is, “Surely there are multiple safeguards against this?”
Twitter: There are safeguards, but we still rely on the integrity of our records. To give a simple example: consider a nuclear facility processing uranium hexafluoride. If a cyber attack altered the electronic records of quantities of material in a given container, it may lead to a situation in which a critical mass of material results from too much being inadvertently mixed together in a vessel, causing a radiological incident, exposing workers to potentially fatal doses. Hackers have little understanding of the processes they’re tampering with.
The Cosmopolitan Globalists, in unison: That’s bad.
Claire, dismayed: They’d best not go in there without an editor.
Well, now that you have penetrated the terrible, passive-voice Latinate prose and told me what they’re really saying, I’m terrified.
Also enjoyed the cameo from President Toomas Ilves. We can trust him when says “crap your pants”. Nice
Claire, can we go w "CosGlo" or something? This leads to calling sensible things "cosglogian" -> "the cosglogian view" (not sure yet if the "g" should be hard or soft). But I can see it in Webster's in a few years. The full team name is supercalafragalistic and all...so many syllables.