The British Library Hack is a Warning for All Academic Libraries

• April 8, 2024

In a recent cyber incident report released by the British Library, the organization sheds light on the vulnerabilities that led to a devastating ransomware attack by the notorious group Rhysida. Simon Bowie, an expert in the field, argues that this breach underscores the consequences of under-resourced technical teams and the widespread outsourcing of critical infrastructure.

The attack, orchestrated by Rhysida, resulted in significant downtime for many of the British Library’s essential systems, with some remaining inaccessible for months. Additionally, personal data belonging to employees was auctioned off on Rhysida’s dark web platform, exacerbating the fallout from the breach. Despite ongoing efforts to recover, the incident has prompted reflections on the management failures and the undervaluation of technical expertise within the library’s operations—a narrative that resonates across higher education institutions in the UK.

The British Library’s cyber incident review paper identifies several underlying issues that contributed to the breach. Outdated legacy systems, lacking adequate security measures, and an overly complex technological landscape left the institution vulnerable to attack. Furthermore, the absence of multi-factor authentication compounded these vulnerabilities, revealing systemic management deficiencies.

Notably, the report hints at a broader management problem—a shortage of investment in internal technical capabilities. The strain on the IT department, exacerbated by staff shortages and the loss of expertise due to employee turnover, suggests a reliance on outsourcing as a stopgap measure. While the paper does not explicitly state this, it implies that the library’s decision to outsource critical technology functions left it susceptible to exploitation.

The trend of outsourcing is not unique to the British Library but reflects a broader pattern within UK higher education institutions. As budgets dwindle and managerial priorities shift, libraries have increasingly turned to third-party vendors to manage their systems and infrastructure. This divestment in internal expertise, coupled with a pursuit of transient technological trends, has left libraries vulnerable to cyber threats.

Marshall Breeding’s Library Technology Guides corroborates this trend, illustrating how the majority of UK higher education providers outsource their library systems to corporate vendors. The dominance of companies like Ex Libris highlights the financial and strategic implications of this approach, often at the expense of fostering internal technical capabilities.

Bowie argues that this institutional devaluation of technical skills not only consolidates the power of corporate suppliers but also reflects a broader trend of generic management prioritized over specialized domain knowledge. The consequences of this approach were evident in the British Library’s reliance on cloud-based administrative systems, neglecting critical library management functions vulnerable to attack.

The aftermath of the 2023 British Library cyber-attack serves as a cautionary tale for cultural and heritage organizations nationwide. Instead of perpetuating the cycle of outsourcing and dependency on external vendors, Bowie advocates for a renewed focus on investing in internal expertise. By prioritizing the development of resilient IT infrastructures and bolstering library systems with dedicated technical teams, higher education institutions can mitigate the risks posed by cyber threats and safeguard their invaluable resources for generations to come.

Source: LSE Blog