Time to examine the anatomy of the British Library ransomware nightmare

Opinion Quiz time: name one thing you know about the Library of Alexandria. Points deducted for “it’s a library. In Alexandria.” Looking things up is cheating and you know it.

Hands up if you said it was burned to the ground by barbarians. That’s almost entirely wrong – we’ll get to that in a bit – and that’s not important. What matters is we think such a thing is so tragic, so emblematic of cultural collapse, that we’ve told ourselves that story for nearly two thousand years.

The Rhysida ransomware attack on the British Library last October didn’t have the visceral physical aspect that creates a folk memory, but it should for anyone who makes enterprise IT. Five months on, not only are significant systems not restored, they’ve gone forever. Remedial work and rebuilding is going to drain cash reserves intended to last seven years. It was and is bad. What makes it even more exceptional is that we now know what happened and why.

The gory details are all in a substantial, detailed report released by the British Library itself. It’s a must-read if your life involves any risk of a 2am phone call demanding you drive to the datacenter, even more so if it’s the CEO pulling up the Teams meeting in ten minutes. Truth is, it’s worth much more than a read, once you realize what the report represents. To get there, let’s look at what the institution actually represents.

A Magna Carta of fail

The British Library has many personalities. It has a unique, complex set of roles, which are uniquely regulated by law. Looked at another way, it is typical of national and other large institutions, in that IT infrastructure competes for resources against long-established core services, often unsuccessfully. In yet another light, that’s true to some extent for all organizations, and the British Library’s situation is merely a magnificent example of what can go wrong. All these perspectives are true, but the last has the widest implications.

If you have any years on you in this game, you will have first-hand experience of some of the factors identified in the report as enabling the disaster. Legacy systems too old to be safe, too expensive in time and money to replace, while more pressing needs exist. People who are asked to do too much with too little. The deadly inertia of complexity. New projects that leave older systems to wither in the shade. Security that rigorously defends against the wrong thing. The report is, as befits the institution itself, a comprehensive catalogue of important stories.

We are, as an industry, very lucky to have such a document. The reputational and commercial pressure to keep post-disaster dirty laundry out of sight leaves lessons unlearned, in general and often within the afflicted organization itself. The bigger the org, the harder the laundry.

Not here. You can call it commendable candour, or the proper response for a public service provider, it doesn’t matter. The enterprise IT infrastructure industry worldwide has been given a chance to audit its own practices as they really are, and the consequences that really flow. Internal reports can be written and cases made at all levels to plan, rebuild, manage and prioritize with wisdom and awareness.

Fat chance. The best we can hope for is the recomposting of the report into endless webinars, case studies and white papers by people with something to sell. There may be decent talks at industry conferences, chapters in textbooks and YouTube videos, none of which will be seen by the top-level policymakers who are the ultimate power brokers in how an organization perceives its infrastructure responsibilities.

This should be a near-criminal case of mismanagement. If a report of an air accident investigation revealed anything like the scope and systemic misadventure of the British Library report, it would shake up the aviation world so hard its rivets would pop. Lacking an external regulator with teeth like the FAA or CAA, and with no taste for self-regulation, there is no engine for reform, no roadmap of responsibility.

It’s not as if it doesn’t matter. Nobody dies at the moment of a major failure of systemic integrity such as the British Library experienced. Yet hospitals, safety-critical services and physical infrastructure are also regularly attacked, and they share the same bad practices that are the wrong sort of industry standard. The calculus of harm from delay or diverted resources in such cases is impossible to quantify: they may not be counted, but there are always victims who relied on things not breaking, things that we let break.

In the absence of sustainable organizational sanity in how it sees IT, the British Library report can still be useful through subversion. Write that internal report drawing parallels between the evidence it contains and what’s going on around you. Make it savagely to the point, keep it short, print it out, highlight the good bits with an old school yellow pen, and leave anonymous copies around the place. Slip one under the CEO’s office door. Be as creatively mischievous – or not – as your corporate culture deserves. Just don’t pass up the opportunity to use the power of a damned good story.

As for the Library of Alexandria, it may or may not have been burned down by Julius Caesar, although it might not have been deliberate and it may have been rebuilt. What really did for it was politics and a slow strangulation through lack of resources. True terror for the ages, right there. ®