The British Library falls victim to cyber attack

The British Library has said that a cyber attack is behind a major outage that is still affecting services across several locations. The website - which is used by millions of people each year - was taken out by criminals at the end October. Ciaran Martin is the former head of the UK’s National Cyber Security Centre…

Ciaran - The British Library has suffered a type of cyber attack known as a ransomware attack. It's when a bunch of criminals hack into a network and they do one of two things to the network. One is they lock you out of it, and the other is they steal some data. And if they lock you out of it, it's really hard to function. Your network, you just can't get in. They demand a ransom, that's why it's called ransomware. They say, 'pay us some money and we'll let you back into the network. We've got a key.' And if you don't pay that, then you won't get back in. Now it's clear the British library hasn't paid. So now they said, we've taken some of your data, not clear what they've got and we're gonna sell it to other criminals. So you better pay us now. And again, the library appears not to be paying. That little bit about the data is not really visible. What is visible is the fact that if you go into the British Library and obviously thousands of academics, they're important work depends on access to the British Library's network. It's not been working for several weeks.

Chris - Goodness. And is this part of a general trend or is this just one of those very unfortunate one-off things?

Ciaran - This is part of the biggest problem in cybersecurity. We talk a lot about some of the big catastrophic potential threats of advanced AI and so forth, but this stuff's been around for years and in the 2020s it's got really bad. There've been some extremely serious cases that have put people in danger. Not so much in the UK, thankfully, but next door in Ireland in 2021 there's a body, it's a bit like NHS Commissioning, it sort of organises healthcare provision in the Irish state. And it got done over by a ransomware attack. And it meant that instead of reserving books, reserving hospital appointments, cancer consultations, diagnostics, things like that. That went offline for weeks in Ireland, you can imagine the consequences of that were horrendous. A pipeline in the United States was switched off two years ago, which resulted in fuel shortages and just companies all the time are getting hit by this ransomware. It's a real scourge and it's the biggest problem we've got in cyber defence these days.

Chris - Do we know who these actors are?

Ciaran - Yes, we do. Broadly speaking, it's all about money and it's mostly about Russia, but not necessarily about Putin. Russia is a country with lots of skilled hackers, it's a struggling economy and it doesn't really have the rule of law in the same way that we would have. They're businesses, they really, really are businesses. They research some of their targets. They work out what they can charge in these ransoms. They sell things to each other, they hire each other's services, they're well run businesses. But if you set up a criminal business of this type in the UK or in the US or somewhere in the EU, the police would just come and kick the door down. Now in Russia, whilst there's no real evidence that Putin directs these thugs, for example it would've been pretty serious if Putin had been seen to have ordered a hit on the Irish healthcare system or an American pipeline. The Russian state tolerates them. It appears that the Russian state says, 'look, don't attack Russian business, don't attack Russian citizens. Leave us alone and you won't have any trouble from the police.' And so there's this real problem where there's a safe haven. The Russian constitution prohibits the extradition, they arrest and transfer to other countries of any Russian citizen. So we've got these people, they don't have to set foot in the UK or the EU or North America or wherever to harm us, but we can't send the police after them, which is what we normally do with criminals.

Chris - So what is the remedy? How can we defend ourselves better?

Ciaran - There are two partial remedies. There's no complete remedy, sadly. So one is for governments to put pressure on the criminals and on the Russian state. So before the war in Ukraine, Joe Biden went to meet Vladimir Putin in Geneva and one of his top three agenda items for that summit was taking action against Russian cyber criminals. Now with the war, attention slightly moved on to other things understandably, but western intelligence agencies who have their own cyber operators do their best to take down the digital infrastructure that these criminals are using. And every so often some of these people make stupid mistakes. They either contract with people in the west or they go on holiday in the west and then we try to arrest them. That's a bit whack-a-mole, but we do our best. The solution I'm afraid for organisations is just to try and strengthen two things. One is our own cybersecurity. A lot of these attacks are not the most sophisticated, they're not the sort of Hollywood things that you would imagine the top cyber hackers in the world doing. They're quite simple attacks, exploiting outdated software, some mistakes in the way systems are brought together, all that sort of stuff. So improving that sort of basic cybersecurity is important, and so is what we would call resilience. And resilience essentially means if you do get hit, can you mostly keep going? Can you operate at 50% for a week and then recover within a week? And we need to get better at that too. You know, there is in this first part of so-called ransomware, which is the most serious part, it's the part that's really hitting the British library. The data thing's really a bit of a bluff in my opinion. But the bit where the system isn't working, if you can get a backup system up and running really quickly, then the ransom doesn't really work.

Chris - The fact that the British Library has had problems for a period of time argues that they aren't able to deploy a backup or that they're worried that they're immediately going to get penetrated again because they can't find how these people got in. So what do you think they should do? Should they pay up?

Ciaran - So first of all, they shouldn't pay up and the government tends not to allow public bodies to pay up. There's no law against paying ransoms but the British library is a public authority. And if you do pay up, it's obvious what will happen. They'll come back for more. Britain will be seen as a soft touch and all the British institutions will get whacked by this scourge of criminality.