Ransomware-hit British Library: Too open for business, or not open enough?
Unique institutions need unique security. Instead, they're fobbed off with the same old, same old
Opinion The British Library’s showpiece site, in a listed red brick building in St Pancras, is presided over by a large bronze sculpture depicting Isaac Newton poring over a document he’s working with, measuring it with dividers.
Based on a print by William Blake, it’s tempting to see it as celebrating the Enlightenment to which the British Library is dedicated. Visitors who know something of Blake know better: the irascible 18th century poet, artist and mystic took a dim view of the movement, so much so that he subtitled the print, "Newton: Personification of Man Limited by Reason." It’s a deeply ironic bit of work.
[Image: Isaac Newton sculpture outside the British Library. Pic: Sampajano Anizza/Shutterstock]
That irony did double duty recently. Newton may have been guarding the Library with logic and reason, but flaws in cybersecurity let the barbarians in through the gate. Ransomware bandits Rhysida plundered the vaults and hauled off a bunch of HR data, currently on offer for 20 bitcoin. On their way out, the ravening hordes crippled the institution’s infrastructure so badly that access to the central stacks was halted, together with the website, wireless access, and so on.
What makes the British Library an intriguing victim is the sort of work it does. As one of the world's largest libraries, with 170 million items, it is emblematic of public knowledge. Its books may contain many secrets, but they're open to researchers to find, interpret, and publish - or they would be, if the IT was working. It's those researchers who are uniquely suffering now, with PhD students unable to finish their work before deadlines, and their professors unable to publish. Bad news, but hardly fatal and with minimal economic impact. Like many state, education and healthcare attacks, the intention seems to be as much disruption and bad publicity as enrichment.
The other victims are the library staff, but they're hardly alone. The attack was one of many corporate breaches in October 2023, with some 890 million records stolen - bringing the total 2023 count to five billion. It is curious to contemplate that such wholesale larceny is rarely, if ever, discussed outside the specialist media: something that happens 40 times a day isn't news, and the corporate secrets don't hurt companies very much when they're lifted.
The thing about the British Library is that it shouldn't have that many secrets to protect. The privacy of its staff and its readers, certainly, but its core activity of archiving and making public millions of items of information is the precise opposite of secret. Putting aside the standard corporate IT functions of the Library, which will remain precisely as vulnerable as the industry norms allow, how much of the Library's functionality could be made entirely open? If the logic and catalogues were out there in Gitland for anyone to rebuild the Library on their desktop, what power would hackers have over it all?
This is a high-falutin' idea that ignores the many realities of legacy systems, interconnected knowledge ecosystems, and the practicalities of managing such a huge collection in such an elderly institution. It is an intriguing exercise in engineering, trying to apply principles of partitioned systems of varying trust, the true nature of data and resiliency through redundancy. Assuming cybersecurity is basically a worm-eaten sponge, how far can you write it out of the system? The British Library would be an excellent test bed for these ideas.
How toxic is security?
The basic notion that the default purpose of security is to protect secrets is nowhere near as clear cut as it seems, even under extreme conditions. In World War II, the British invented the cavity magnetron, a device that hugely increased the capability of airborne radar. Fear of it falling into the hands of the enemy kept it out of use until 1943. Sir Bernard Lovell, integral to the development of wartime radar, subsequently concluded that the secrecy didn't do much good as the enemy engineers already knew how it worked. Using it earlier, especially against submarines, would have been a better decision.
There's another reason Lovell is worth thinking about. He's most famous for building the iconic radio telescope at Jodrell Bank, still a vital scientific device. He was told to cancel it by the government, but diverted funds from other projects to keep it going. He was days away from being charged with misuse of public funds when the Soviets launched Sputnik. His dish was the only one capable of tracking what was immediately seen as the greatest threat to western security ever seen: instant hero.
Talk to any archivist, curator or worker in libraries and museums, and you'll find out how little money there is, and how little of that goes on making good IT, let alone good security. Outdated and badly maintained software is a big part of why hacking groups find it cost-effective to attack badly funded public service targets. That's why the British Library won't be seen as a chance to rethink how public service security can be made better by not seeing it as just another off-the-shelf proven-broken system.
To rethink what secrecy and security mean, and to find ways to beat bureaucracy to make that happen - we could have no better inspiration than Lovell. After the triumph of Sputnik, he became a pillar of the scientific establishment: irony enough that one day he may earn a spot alongside Newton outside the British Library. ®