Following the release of the British Library’s cyber incident report, Simon Bowie argues that the hack was symptomatic of an under-resourced technical team and the outsourcing of key infrastructure.
The British Library’s computer systems were recently attacked by the notorious ransomware group Rhysida. The attack led to many of the Library’s core systems remaining unavailable for months and the auction of 573GB of employees’ personal data on Rhysida’s .onion site. Though the Library is slowly recovering and has admirably published their cyber-incident review paper openly, the incident highlights failures of senior management and devaluing of library technical skills that are widely applicable to libraries across UK higher education.
The review paper highlights several issues that indirectly led to Rhysida’s attack: out-of-date or end-of-life legacy systems with security vulnerabilities, an overly complex technology estate sprawling unmanaged, a lack of multi-factor authentication across the estate. These are all symptomatic of a more wide-ranging management issue that is hinted at throughout the paper: a lack of investment on in-house technical staff leading to a focus on outsourcing systems and infrastructure to third-party providers.
These statements point towards an IT department struggling with the amount of work due to outgoing staff not being replaced and knowledge of systems being lost when experts leave.
The review paper does not state this outright, but it is apparent, when it says that “[t]he Technology department was overstretched before the incident and had some staff shortages which were beginning to be successfully addressed.” And when it points to a risk of “lack of detailed understanding of these [IT] systems” either “inhibit[ing] the pace of recovery” or leading to “sub-optimal decision-making”. These statements point towards an IT department struggling with the amount of work due to outgoing staff not being replaced and knowledge of systems being lost when experts leave.
The paper also alludes to outsourcing of technology functions through “[t]he increasing use of third-party providers within our network […] due to capacity and capability constraints within Technology and elsewhere in the Library”. In other words, the Library did not employ enough in-house technical staff to maintain their systems and ended up relying on third-party providers. Though the paper is light on specific technical details (in contrast to the Republic of Ireland’s Health Service Executive whose report on their 2021 network breach pointed to a specific Microsoft Excel file as the root cause), there is an implication that entry to the Library’s network was gained through one of their “numerous trusted partners for software development, IT maintenance, and other forms of consultancy”.
The paper paints a picture of an overstretched IT department with staff who were not being replaced and whose functions were increasingly being outsourced to various third-party corporate providers. This is an all too familiar picture for UK higher education libraries. Over the past few decades as university budgets have been squeezed by government cuts and the impact of Brexit on student intakes, university libraries have cut back on in-house technology in terms of both staff and infrastructure. Library systems teams have been drastically reduced, in some cases to a single systems librarian and in other cases outsourcing library systems management to equally overstretched IT departments or to third-party corporate vendors. In lieu of investing in staff with expertise in library systems and core infrastructure, senior managers have instead chased short-term Silicon Valley fads like blockchain, the metaverse, and most recently large-language model ‘AI’.
The trend to corporate outsourcing in library systems is clear from Marshall Breeding’s Library Technology Guides, which shows that the vast majority of UK higher education providers outsource their library systems to corporate vendors. Ex Libris dominates the market for both library management systems (Ex Libris Alma has 54% market share) and discovery indexes (Ex Libris Central Discovery Index has 65% market share) with OCLC, Ebsco, and Innovative Interfaces, Inc (which is in fact owned by Ex Libris) following close behind. The software licenses for these products can be up to hundreds of thousands of pounds per year and represent money that could be spent on investing in systems teams able to face the differing technical challenges of different libraries. As well as money, libraries also give away valuable data to these corporations in the form of bibliographic records produced through the labour of library staff and the personal data of library users, many of whom don’t know that their data and lending records are given away to large corporations.
Instead of investing in expanding the profits of third-party corporations, UK higher education libraries could be investing in people and in building their own technical expertise for resilient IT infrastructures and library systems.
As I argued in a book chapter co-written with Andrew Preater, the institutional devaluing of library technical skills consolidates the power of corporate software suppliers. However, I would further argue that it’s a symptom of genericisation in university management, whereby senior managers value generic management skills more highly than specialised library knowledge.
It is therefore interesting to note that the British Library’s review paper says that “email, finance, HR and payroll systems are cloud-based and are functioning normally”, but that the library management system is one of a “large number of legacy systems” that were not only vulnerable to attack, but were extremely difficult to restore to bring core library services back online. This appears to suggest that technology investment went on generic administrative functions rather than specialist library management functions. Either because of their own lack of specialist librarianship knowledge, or because they were focused on generic managerial achievements, senior management neglected the British Library’s core library systems.
The reverberations of the 2023 British Library cyber-attack will be felt for a long time, not only by the UK’s national library, but by every culture and heritage organisation that can learn from its mistakes. Instead of investing in expanding the profits of third-party corporations, UK higher education libraries could be investing in people and in building their own technical expertise for resilient IT infrastructures and library systems.
The content generated on this blog is for information purposes only. This Article gives the views and opinions of the authors and does not reflect the views and opinions of the Impact of Social Science blog (the blog), nor of the London School of Economics and Political Science. Please review our comments policy if you have any concerns on posting a comment below.
Image credit: Neil Turner, British Library via Flickr (CC BY-SA 2.0)
