Report: British Library Cyber Incident Review

Learning Lessons From the Cyber-Attack: British Library Cyber Incident Review

Note to Readers

This report, issued during the first week of March 2024, should be reviewed by all who partner with research libraries in providing content and platform services. The full report is only 18 pages in length, but it notes areas of vulnerability that are common to institutional libraries and offers sector-wide lessons for follow-up. NISO I/O is providing only clips from the report here; we urge the information community to read the report in full.

Table of Contents

  • Executive Summary
  • Causality - Understanding the Attack
  • Impact
  • Crisis Response and Recovery
  • Technology Infrastructure
  • Future Risk Assessment
  • Learning Lessons From the Attack

Of related interest is a post on the London School of Economics blog that corroborates the concern for libraries raised by the findings in the report.

From the Executive Summary

This paper provides an overview of the cyber-attack on the British Library that took place in October 2023 and examines its implications for the Library’s operations, future infrastructure, risk assessment and lessons learned.

[clip]

Our major software systems cannot be brought back in their pre-attack form, either because they are no longer supported by the vendor or because they will not function on the new secure infrastructure that is currently being rolled out. This includes our main library services platform, which supports services ranging from cataloguing and ingest of non-print legal deposit (NPLD) material to collection access and inter-library loan. Other systems will require modification or migration to more recent software versions before they can be restored in the new infrastructure. Our cloud-based systems, including finance and payroll, have functioned normally throughout the incident.

The paper outlines the impact of the attack on the delivery of the Library’s mission and its public purposes. Most severely hit during the crisis have been our purposes relating to Custodianship and Research, as these have been directly impacted by the loss of core systems relating to collection access. Our public purposes relating to Business, Culture, Learning and International partnership have been relatively less affected, with on-site services and activities continuing largely without significant interruption, as have our partnership networks with public libraries. Exhibitions and on-site cultural events have exceeded their targets during the period.

[clip]

The paper considers the attack in the context of the Library’s historic technology infrastructure. The Library’s unusually diverse and complex technology estate, including many legacy systems, has roots in its origins as the merger of many different collections, organisational cultures and functions. We believe that the nature of this legacy infrastructure contributed to the severity of the impact of the attack. The historically complex shape of the network allowed the attackers wider access than would have been possible in a more modern network design, and the reliance of older applications on manual processes to pass data from one system to another increased the volume of staff and customer data held in multiple copies on the network.

[clip]

Future risk assessments must take into account the increased risk of major attacks on the Library and the significant culture change needed to fully embed cyber security at the heart of technology rebuild and all processes going forward. The challenge of rebuilding our technology infrastructure in full also brings risks of capacity and capability within our Technology department, which will need to be actively addressed. Due to the complexity of restoring, modifying, consolidating, retiring, rebuilding or replacing a large number of systems at the same time there will need to be a careful balance of informed analysis, visionary design, and firm objective setting and management.

We expect the balance between cloud-based and onsite technologies to shift substantially towards the former in the next 18 months, which will come with its own risks that need to be actively managed, even as we substantially reduce security and other risks by making this change.

Finally, the paper aims to ensure a common level of understanding of key factors that may help libraries, peer institutions and other organisations to learn lessons from the British Library’s experiences since the attackers first struck. To this end, we also append a list of lessons we have learned on our own account, including some that may have wider relevance to our peers and partners.