Tag: security

Cyber Security – The British Library’s cyber-attack: disruption and resilience

Published on by Seema RampersadLeave a comment

This article is kindly reproduced here with the permission from SLA’s Information Outlook Magazine, Issue: April 2024 on Information Security. Thank you to Leslie Steele for suggesting this article, and for the Editorial Board for the continuous hard work and time.

Link to full issue: https://www.flipsnack.com/6AF9F9FF8D6/spring-2024-unqt6r4f0g/full-view.html

SLA Website: https://sla.org/

On Saturday, 28th October 2023, I was the Duty Officer managing the services in the Reading Rooms, and therefore made my way to work at the British Library for the start of the day. The night before, I had sent an email from home very late and it would prove to be my last interaction with our technology for several weeks. As I arrived at work there was panic and confusion over a major technology outage, and we were not entirely sure what the full implications were at the time. The previous summer we had experienced some technology issues, and I presumed this incident was related to that problem. I couldn’t even send an email or call colleagues on the telephone using the British Library’s computers.

Thankfully with the help of my colleagues and staff, who knew how to operate without the library’s technology, communicated with me via their smartphones on how we could resume service and open our Reading Rooms despite this challenge. With our website down, we were able to only communicate with our customers and readers verbally or via X (Formerly Twitter). The Wi-Fi was also down so it really was back to basics. The rest of the day passed without a lot of complaints, but I was on edge until we closed as I would have had to deal with any issues without having the answers for the technology problems. At least our readers were physically safe whilst I was on duty. However, I knew this would be an ongoing crisis for my colleagues returning to work on Monday and that we would have to be prepared for the days ahead.

It wasn’t until the third day without technology that we heard from our Gold Leadership Team that this was in fact a ransomware cyber-attack and we were unlikely to get back to normal for not weeks, but months. The initial disruption in hardware and software continued for weeks with no access to the British Library website or intranet. Our personal and customer computers were taken away to be fixed and new software and security updates were installed on our British Library assigned laptops. We had to go into crisis communication mode for those early weeks with staff and teams while still providing service. Some of the most used forms of communication were in-person staff briefings, email communications, and updates in the corporate Knowledge Matters blog.

The website eventually resumed in December with access to our catalogue and essential service points and information. The one most significant aspect I miss is the electronic resources for our end-users, and collection items retrieval from our site in Boston Spa. We are still a long way from pre-cyberattack content, data, and technology ability as we were so integrated; we are still unable to print from our staff profiles and while Wi-Fi access has resumed, it is in a temporary capacity compared to prior to the cyberattack. There seems to be a lot of work-arounds in our workflows and we are still apologising to customers who are unaware of the current situation. In the Business & IP Centre, we have continued to run most user services such as workshops, reference enquiries, one-to-one meetings, training, and projects, but we still miss our end-user access to electronic resources and databases.

As the cyberattack is so large-scale and the impact enormous, there has been a lot of media coverage and articles written on the attack. The media coverage made the general public aware that one of the most regarded national institutions was under threat with a ransomware attack by the group for payment within a deadline to the value of £600000 to be paid in Bitcoin. We were also aware that we had to inform staff, ex-staff, and customers of the threat of a ransomware attack especially with regards to their personal data. There were remedial measures put in place and we increased our awareness of some of the risks for data to be leaked on the dark web. Throughout this time, the British Library has been advised by the National Cyber Security Centre (NSCS) and other cybersecurity staff. In addition to being a national institution, I am sure there has been a thorough investigation and assessment on the steps that are required for recovery from the cyberattack. At the beginning of this year, staff were informed of the plan and programme for recovery as well as given an outline of what to expect in the next 18 months. It was at this briefing that the issues of the legacy systems and technology infrastructure were disclosed and the new opportunities for the library to ‘build back better’ or accelerate some of the new technological developments that were on the cards for our strategy to ‘Modernise the Library’. The Rebuild and Renew Programme was launched with more clarity on some of the work that the library implemented in time to build back better prior to the cyberattack.

The Chief Executive Officer, Roly Keating, has always been very vocal on the impact on our services, access to the collection, discovery, research, and the whole mission for sharing the world’s knowledge held in the British Library. There is a great blog post on the impact entitled Knowledge Under Attack. I also felt annoyed that this attack had impacted one of the most open libraries in the world, and in the sharing of knowledge and information for our many customers, partners and friends! However, it did highlight a couple of our vulnerabilities: lack of infrastructure development, and lack of investing in dedicated professional staff. There are some uncomfortable readings in the review report, several learning points, and other insights on how one can protect their own investments and risk management in these areas. The review highlights “Although the security measures we had in place on 28 October 2023 were extensive and had been accredited and stress-tested, with the benefit of hindsight there is much we wish we had understood better or had prioritised differently. With that in mind, this section identifies a number of early lessons from this attack which may be helpful for others as they consider their own investments and risk management in these areas.”

As an active library and information professional, I have always been aware of information security. I also helped host some information security related events in the past for SLA Europe, and as part of the Workplace Preparedness Council when we created a template for business continuity where our research mentioned cyber security as one of the threats libraries and research organisations may encounter. One of the other review recommendations is: “practice comprehensive continuity plans: Business Continuity Plans for the total outage of all systems need to be practised regularly, in addition to those relating to individual systems and services“.

With this heightened professional upskilling with SLA and my previous employers, I had looked at the time to see if a Business Continuity Plan was public for the British Library. Due to the sensitive nature of the content, the plan is not public. However, this does not prevent local departments and services from having plans for business continuity in place.

Hopefully, more people will see the importance of these plans and workplace preparedness for crisis management. In some aspects, the cyberattack has had its own challenges for our digital access as we continue to have limited access. Compare this to the recent pandemic in 2020-2021 where we could not get to the physical building, but we still had digital access. These recent crises should warn us that we can never predict but we can certainly prepare and plan for emergencies and future online and physical challenges.

At the MLA|SLA Conference 2023, I also attended a session wherein the panellist presented on ‘Cyber-crime and Information Content’ of an attack at their university. The cyber-criminals were after personal databases, unique research, and intellectual property. It did make me sit up and listen as I realised that criminals will try to attack anyone regardless if you are a research organisation or a bank! Much more so a national institution like the British Library as I was soon to find out a few months later. Ideally, I think as information professionals and good citizens, we should try to protect ourselves and our organisations from these inevitable threats as we live digitally. I have since told my friends that this threat can happen to anyone with data breaches or security risks from our local council, national passports, banking systems, retail, etc. It is obviously terrible when these events happen in our normal lives but it should also be an opportunity for us to promote digital literacy, compliance, good information governance, and security. It makes great financial and economic sense to invest in personal and organisational information security and professionals!

Six months on from the cyberattack, we are still not back to ‘normal’ in many aspects as we await the return of hardware, a fully functioning online presence, and the rebuild of legacy infrastructure. The hardest part is having to spend extra time catching up on the things I can’t easily do whilst in the office or going the extra mile to meet with customers to discuss their research needs and how we can give content and information with these challenges. It has been exhausting at times as we are constantly in a state of change or flux and though I am used to change – we are having to implore all our change management strategies and resilience. It seems we were only just beginning to get back from the ripple effect of the pandemic and now we are getting used to new challenges in the office and library. It is not a normal day in the office.

This has brought about high levels of anxiety and new well-being challenges for staff, customers, and stakeholders as with Public Lending Rights payments. We are certainly a research organisation and the cyberattack has prevented us from doing important work and business for academics and entrepreneurs. I have recently hosted tours from three university groups and partner organisations for projects. We are showing users around virtually and in person but we are still restricted on what we can access.

There is an element of regret that this has happened to us at the British Library. I also am personally annoyed that I am slower in fulfilling my tasks, and our users might not have access to the information they require in person near or far. The 18-page review of the Cyber Attacks aims to share our lessons learnt and encourages you to also be aware of the impact that this has on us; hopefully, you too can mitigate against cyber-attack or criminality. I implore you to be conscious and proactive as an information professional in your role as custodians and curators for specialised libraries, collection management, information, research, data, knowledge, insights, and other high-value assets in your organisations. Together we can empower and enlighten each other to face these threats now and in the future. And despite the disruption and challenges with the cyberattack at the British Library there are several new opportunities to learn and grow from this experience. The insights and learning certainly can make us more aware of dangers but we can develop strength and resilience and good old-fashion knowledge from the experience. The old wise adage resonates now…every cloud has a silver lining.

Further References: