British Library pushes the cloud button, says legacy IT estate cause of hefty rebuild

The British Library says legacy IT is the overwhelming factor delaying efforts to recover from the Rhysida ransomware attack in late 2023.

Rhysida broke into the British Library in October last year, making off with 600GB worth of data and, crucially, destroying many of its servers which are now in the process of being replaced.

The institution says in a new report looking into the incident that many of its systems can't be restored due to their age. They will either no longer work on the fresh infrastructure or they simply can't get any vendor support after going end of life (EOL).

It also highlights the "historically complex network topology" that ultimately afforded the Rhysida affiliate wider access to, and opportunities to compromise, its network and systems than they would normally expect with more typical corporate targets.

Those legacy systems were also reliant on less secure, manual extract, transform, and load (ETL) data processes, rather than an encapsulated, end-to-end workflow as is typical in modern environments. As a result, a greater volume of staff and customer data was in transit on the network.

"There is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current, with increased levels of lifecycle investment in technology infrastructure and security," the report [PDF] states. 

"The Library responded as quickly as it could in the circumstances, and followed the necessary steps to limit the attack, but still suffered very significant damage."

As for why the British Library was running systems so old they can no longer be restored, it says The Legal Deposit Libraries (Non-Print Works) Regulations, introduced in 2013, had a big part to play.

These regs meant the library was required to make a number of key investments, using money taken from core Library funds, into mandatory services such as web archiving, digital preservation systems, and viewing applications. This depleted Library funds that otherwise may have been used to modernize its IT estate.

The management of yesteryear also has responsbility for the British Library's "unusually diverse and complex technology estate" – one that was formed around "very different collections and organizational cultures brought together by the 1972 British Library Act." 

What's the damage?

The disruption caused Rhysida's attack, which resulted in nearly all Library services being pulled offline until the incident was contained, including on-site Wi-Fi access and payment terminals, is still being felt today.

The British Library is proud that it was able to remain open throughout the entirety of the incident, but many of its core services remain disrupted.

Its research services, for example, remain incomplete even after the January return of the Library's online catalog search functionality. It was substantially restricted in the two months immediately after the attack too.

The Library is home to unique pieces and texts and is relied upon by researchers of all kinds for various projects, and also usually offers online access to various resources such as research journals. Electronic access to these is still offline five months after the attack.

Library Reading Rooms, which can be booked out by members to examine works on-site (British Library doesn't allow books to leave the premises) are also available fully but access to its physical collection is reduced by around 50 percent. Content held in its sprawling 44-acre Boston Spa archive vaults is also unavailable still.

Loans of works to other institutions are continuing, but with restrictions, the report adds. And access to collections for staff is limited, and that's having knock-on effects on other Library functions, although it didn't specify what these are.

When in doubt, head to the cloud

The British Library now has a renewed focus on cloud-based technologies and is expected to rely on them more so than ever before, starting in the next 18 months.

The current email, finance, HR, payroll, and physical security systems are currently cloud-based and were largely unaffected by the attack. The Library acknowledges the fact that cloud doesn't solve all its security risks, and introduces new ones in the process, but it believes they will ultimately be easier to manage in the long run.

Speaking of managing all of that, it seems as though the Library may have its work cut out for it. By its own admission, the tech team was "overstretched" prior to the attack and there was no mention of this being rectified between then and now. 

Staff shortages were a big concern at the time. Now, there is currently a belief that the team may not be sufficient in size to meet the demands of the rebuild program, and the report alludes to a potential issue with the way the Library pays for its talent.

"The need to grow cybersecurity capacity and cloud engineering capabilities will be particularly acute and will be difficult to remediate without reconsideration of how the Library remunerates high-demand IT skills," it says.

This IT overhaul is being bankrolled with funding that was originally slated for dissemination over the course of seven years between 2023 and 2030, but a significant chunk is set to be brought forward as part of a revised three-year budget.

The six-month period following the attack, which will conclude next month, was designated as a time to implement interim solutions to recover systems as fully as possible. The following 18 months is where all the IT upgrades are expected to take place.

The Library's seven-year funding period was originally devised in 2022 when it lost its Cyber Essentials Plus certification. It originally passed in 2019 but a criteria change saw the Library fall short of the government-backed program's standards.

For those wanting to read the Library's full account of how the attack played out, its report goes into extensive detail about how it all unfolded. Investigators aren't, however, certain about all aspects of the attack since the cybercrims' server destruction was comprehensive enough to wipe away many of its digital tracks.

The British Library posts, via the report, a list of things it learned from the incident that will inform its future approach to IT and cybersecurity, which will be broadly applicable across the cultural and technical aspects of the organization.

"Investment, boldness, and relentless focus are all needed to ensure that we are as secure as we can be against this threat, as the cost of investing in prevention is outweighed by the risk of failing to prevent," it says. 

"Although the security measures we had in place on 28 October 2023 were extensive and had been accredited and stress-tested, with the benefit of hindsight there is much we wish we had understood better or had prioritized differently." ®