-
I've read all of the British Library's paper on their recent cyber-attack and have some thoughts from the perspective of someone who spent many years working in systems librarian roles in UK Higher Education libraries. @britishlibrary/1766056651331608671
-
First off, it's notable to me how cagey they are about mentioning any specific software or infrastructure providers. I presume they don't want to impact on their customer relationship with their software providers but I think it's very pertinent to know what software they use.
-
Having worked at the British Library and seeing the report's allusions to Microsoft Teams and Microsoft Word, I assume that they've gone all in on Microsoft network infrastructure, possibly with Windows Server servers and NAS, and it's these network drives that were compromised.
-
What does this mean for UK libraries? I would argue it means that most UK university libraries are currently at risk. As most have stripped their in-house systems team to the bone or got rid of tech staff entirely, library systems are largely outsourced, creating vulnerability.
-
Either they're outsourced to third-party corporate vendors like Ex Libris or to overstretched university IT departments. Both create security vulnerabilities as this British Library paper clearly shows.
-
I'd also argue that the British Library attack was due in part to a false belief that third-party corporate software is more secure than in-house software and infrastructure. Hire good people in-house and then trust them to do a good job.
-
UK university libraries have neglected technology and infrastructure for years instead spending resources chasing Silicon Valley fads like blockchain and AI. UK library systems teams are far smaller and far behind their US and other international counterparts.
-
They've freely given not only their bibliographic data but their users' personal data to third-party corporate behemoths who charge over the odds for software licenses and who provide the illusion of computer security.
-
Now UK libraries have these huge homogenised systems and infrastructures with massive gaps in security to let their third-party vendors in and they don't hire or retain staff who understand the technology behind it. They've never been more vulnerable.
-
Let's not forget that a huge proportion of UK university libraries use software from Ex Libris Group, a company headquartered in a country that at worst is committing a genocide and at best is currently at war.
-
For a fuller articulation of how this management approach to technology impacts library systems and library workers, you can read the 'critical systems librarianship' chapter I wrote with Andrew Preater back in 2018, so long ago I had a different name. eprints.rclis.org/32467/
-
(Re. technology resilience, lol that the Handle URI for that chapter, the thing intended to prevent linkrot and enable long-term preservation, no longer works. It's only been six years.)
-
I was pleased to be asked by @LSEImpactBlog to expand on my thoughts in this thread about what the British Library attack means for large-scale library systems, and this blog post is now available here: blogs.lse.ac.uk/impactofsocialsciences/2024/03/19/the-british-library-hack-is-a-warning-for-all-academic-libraries/