The Disturbing Impact of the Cyberattack at the British Library

At 9:54 A.M. on October 28th, an apologetic message appeared on the X account of the British Library, in London: “We are currently experiencing technical issues affecting our website. We apologise for the inconvenience and hope to resolve it as soon as possible.” It was a Saturday, which, before I had kids, used to be my favorite day at the library. “The B.L.,” as its people know it, is a magnificent, red-brick, vaguely ship-shaped structure a few hundred yards from King’s Cross station, where you can request anything from a quarto by Shakespeare to “The Art of Faking Exhibition Poultry” (1934). On Saturdays, the building is quieter and the place has a mellow, productive atmosphere. I used to stop by for a few hours to catch up on work or to waste time, snuffling around for ideas. I first came across the Premonitions Bureau—an experiment from the nineteen-sixties to collect forebodings from the British public, and which I wrote a book about—in Humanities 2, one of the B.L.’s eleven reading rooms, on a Saturday. In the same room, a few rows away, at Desk 3186, I wrote the first paragraph of my first piece that was published in The New Yorker.

By midmorning on October 28th, the library’s tech issues were widespread. The public Wi-Fi wasn’t working, and neither was the online catalogue: it was impossible to use a computer to request a book, access a journal, or listen to any of the library’s millions of audio recordings. The next day, a Sunday, when the reading rooms were closed, a statement from the library described “a technology outage.” When the B.L. reopened after the weekend, it was in a pre-digital state. The Web site, phone lines, and all online services—exhibition-ticket sales, reader registrations, card transactions in the gift shop, the electronic nervous system that unified the library’s collections and shared them with the world—were down. Daily deliveries of materials from Boston Spa, in Yorkshire, where almost a quarter of the library’s books are warehoused, were put on hold.

The outage became an incident. The National Cyber Security Centre, a branch of G.C.H.Q., the British equivalent of the National Security Agency, got involved. On November 20th, a hacking group called Rhysida—after a genus of caterpillars—offered 490,191 files stolen from the British Library for sale on the dark Web. United States cybersecurity officials describe Rhysida as a “ransomware-as-a-service” provider—a gun for hire—part of an increasingly professional array of cyber-extortion organizations. Rhysida’s hacks, which have become prolific since the spring, involve a double shakedown: Once inside a system, the ransomware encrypts swaths of the victim’s files, which can be unlocked for a price. Soon afterward, personal or sensitive data stolen from the system are put up for auction on Rhysida’s Web site. The whole process—and how to pay up—is detailed in semi-polite PDFs, which are sprinkled throughout the victim’s screwed-up servers. “Your digital ecosystem has been compromised,” a message reads. “The potential ramifications of this could be dire.”

Since Rhysida surfaced, in May, its victims have included the Chilean Army, a medical-research lab in Australia, and Prospect Medical Holdings, a health-care company with hospitals in Pennsylvania, Rhode Island, Connecticut, and California. There are reports that its code contains fragments of Russian, and it appears not to have struck inside Russia or its close allies. When I checked the Rhysida Web site last week, there were data for sale from Grupo José Alves, a Brazilian conglomerate; Insomniac Games, the maker of the Spider-Man 2 video game; HSE, a Slovenian energy company; and the Qatar Racing and Equestrian Club. The British Library data—an apparently unsorted dump of employees’ passport scans and other personal information—were put up for sale for twenty bitcoins, some eight hundred and fifty thousand dollars. The library refused to pay. After a week, Rhysida made ninety per cent of the data available for anyone on the dark Web to download: “Data hunters, enjoy.”

The effect on the B.L. has been traumatic. Its electronic systems are still largely incapacitated. When I visited the library last Monday, the reading rooms were listless and loosely filled. “It’s like a sort of institutional stroke,” Inigo Thomas, a writer for the London Review of Books, told me. I got my first reader’s pass to the British Library in the fall of 2001, at the start of my final year in college. I remember nervously taking my pencils, laptop, and notebook in a clear plastic bag to a desk in the Rare Books and Music reading room and contemplating the measureless treasures beneath my feet. The B.L. holds around a hundred and seventy million items, including Jane Austen’s writing desk; a handful of Bach’s musical scores; a thirty-six-hundred-year-old hymn to Osiris, the ancient Egyptian god of the dead; and eight million stamps. What would you like to see? An amazing proportion of things can usually be delivered to any reading room within seventy minutes, brought up from the library’s deep and complicated basement on a network of conveyor belts.

Last week, in Rare Books, the five librarians on duty sat on chairs behind the counter. Two were reading books, a third was on her Kindle, and the others were on their phones. It took a moment to catch their attention. “It’s a bit boring, to be honest, and a bit worrying,” one of them whispered, as he passed me a slip of paper with a link to the Joint Information Service Committee—a national, not-for-profit digital organization that maintains its own database of library catalogues and has been unaffected by the attack.

I wanted a copy of “The Cuckoo’s Egg,” a classic account, by Clifford Stoll, of tracking a hacker through American university, military, and intelligence computer networks in the eighties. I noted down the shelf mark from J.I.S.C. and took it to another desk, where a librarian flipped through a slightly battered printout of codes—some in red and others in black—and shook her head. The B.L. has a bespoke cataloguing system, in which books are ordered by size and how often they are requested, rather than by subject, date, author, or the Dewey decimal system, so it is almost impossible to predict which titles are still accessible. With some envy, I noticed that another reader had managed to get hold of a history of Lincolnshire cathedral. At the back of the reading room, another researcher was looking for “The Science of Music in Britain,” a reference work by Jamie C. Kassler, an Australian music scholar, which a friend had told her was on an open shelf. “It’s two green volumes, at eye level,” she said, relaying her friend’s directions to the librarian. “He’s about my height.”

Most people at the B.L. don’t use the books. The building has more than a million visitors a year, and most come on school trips, or for the exhibitions, cafés, and free Wi-Fi. (The corridors and landings between the reading rooms are lined with tables and desks: a luminescent crowd-scape of screens, students, and London freelance energy.) That side of the library is pretty much back to normal. Although the Web site is still down, the B.L. has been using a blog to convey essential information, and there is a rudimentary Wi-Fi sign-up page. At the entrance of the Alan Turing Institute, a data-science and A.I.-research center, which is housed in the library, I noticed a brightly decorated wall, covered in computer-related expressions: F is for Fakes. P is for Phishing. A teen-ager was inspecting an M4 Enigma machine, used to encrypt messages between German U-boats and their naval bases during the Second World War in 4,134 million million million possible ways. It was possible not to know that anything was wrong.

But, for those who rely on the B.L.’s collections, and, more broadly, its distribution of free, digital information to the British educational system, the ramifications of the cyberattack have been dire. Outside the Maps Room, which offers access to four and a half million documents, going back to the fifteenth century, a display read, “Disruption to certain services is now expected to persist for several months.” Inside, the reading room was empty except for two security guards and a librarian standing on a chair. (It was impossible to hand over precious materials without electronic monitoring.) “It’s like this all day now,” one of the guards said. He thought the library might be up and running by Easter. Daniel Starza Smith, a John Donne scholar at King’s College London, found his way to academia after losing himself in the Conway Papers, a seventeenth-century-manuscript archive in the B.L. “You can sit there for weeks on end and order up everything you could ever want,” he told me. “And to have that taken away, it’s such a wrench and so psychologically disorientating as a researcher.” In “The Library of Babel,” the short story by Jorge Luis Borges, the thrill of a library that contains every possible book is succeeded by “a similarly disproportionate depression,” when its readers realize that the place is totally unnavigable. “The word that gets overused in many other contexts but is absolutely applicable here is Borgesian,” Smith said. “It is like the literalization of a Borgesian library problem. . . . You can access everything but you can’t access anything.”
