Recently, the British Library’s computer systems were the victims of an assault orchestrated by the infamous ransomware group Rhysida.
This attack resulted in numerous essential systems of the Library being inaccessible for several months, coupled with the auctioning off of 600GB of personal data belonging to employees on Rhysida’s onion website. Despite the Library’s gradual recovery and commendable transparency in publishing its cyber-incident review paper, the incident underscores significant shortcomings in senior management and a lack of recognition for technical expertise within library operations, issues that resonate broadly across higher education institutions in the UK.
The review paper sheds light on various factors indirectly facilitating Rhysida’s attack. These include outdated legacy systems with inherent security vulnerabilities, a sprawling and inadequately managed technology infrastructure, and a deficiency in implementing multi-factor authentication across the infrastructure. These issues collectively hint at a broader management problem outlined in the paper: a failure to invest in in-house technical expertise, resulting in a reliance on outsourcing systems and infrastructure to third-party providers.
The British Library hack
“As a ransomware gang, the attackers’ goal appears to have been the copying and removal of personal or sensitive data which has the potential to be monetized either by payment of a ransom by the affected organization or by sale on the dark web. The data they copied amounts to some 600GB of files, which in real terms equates to just under half a million individual documents. Detailed analysis of this data is ongoing and is estimated to be complete by the end of March 2024. Based on analysis from our cyber security advisers, we believe the attackers used three methods of attack to identify and copy these documents,” the British Library points out.
“Work is now underway by our Corporate Management Information Unit to conduct a detailed review of the exfiltrated data to confirm our assumptions about the nature of its contents and identify any specific sensitive material. Where sensitive material is detected in the course of this review the individuals affected (whether staff or external) are being contacted and provided with appropriate advice or support, and the ICO is being kept informed.”
The review paper vividly portrays a scenario where the IT department, grappling with a dearth of adequate staff replacements, increasingly resorts to outsourcing to third-party corporate providers. This situation strikes a chord with higher education libraries across the UK. In the past few decades, university budgets have been under strain due to government cuts and the repercussions of Brexit on student enrollment.
As a result, university libraries have had to curtail in-house technology resources, including both staff and infrastructure. The downsizing of library systems teams, at times to just a single systems librarian, has had a significant impact. In some instances, library systems management has been outsourced to overburdened IT departments or third-party corporate vendors. Instead of investing in staff with expertise in library systems and core infrastructure, senior managers have given precedence to short-term trends from Silicon Valley, such as blockchain, the metaverse, and, more recently, large-language model ‘AI’.
Cyberattacks on knowledge institutions are increasing
In mid-October, Berlin’s natural history museum also fell victim to an attack. While in-person visits are still permitted, research activities are only feasible to a restricted degree. These incidents are not isolated occurrences. In a study examining 58 cyberattacks targeting universities, schools, and other institutions globally between 1988 and 2022, researchers noted a rise in the frequency of such attacks since 2015.
The researchers obtained information about the attacks from publicly accessible online sources, including media coverage and the affected institutions’ official websites. They determined that data related to research and education is highly sought after by cybercriminals. The study indicates that ransomware attacks, which entail blocking access to data or systems until a ransom is paid, were the predominant form of cyberattack originating from external sources. Internally, students attempting to manipulate their grades by hacking into the system were identified as the most frequent cause of breaches within institutions.
It’s not hard to foresee the vulnerability of educational and research institutions. Every day, millions of staff, students, and alumni worldwide access institutional computer systems, creating a vast potential surface for exploitation.
This issue extends beyond the jurisdiction of the UK government; it concerns national and regional governments globally. Relevant authorities must enhance support for vital institutions during times of crisis. Additionally, funders and researchers should contemplate their role in addressing this challenge. For instance, they can contribute by exploring strategies to mitigate the risk of future cyberattacks and formulating response plans for when such incidents occur.