From: Cliff Lynch
To: CNI-ANNOUNCE
Date: Sat, 09 Mar 2024 13:00:30 -0500
Subject: British Library Report on Cyberattack

After a long period of quiet, the British Library has just issued a very thoughtful and helpful report on the extremely disruptive and damaging cyberattack that took place in October 2023 and that they are still recovering from. This deserves wide review by leadership of organizations concerned with both information delivery and stewardship of cultural and intellectual heritage.

There's a blog post that provides context at

https://blogs.bl.uk/living-knowledge/2024/03/learning-lessons-from-the-cyber-attack.html

and a longer report (about 18 pages) at

https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

There are much broader systemic issues that aren't directly addressed in the BL report (which very much takes an institutional view).

To what extent are information delivery and cultural memory and stewardship activities genuinely critical infrastructure that demand to be treated as such? Where does the responsibility lie, when it must be clearly above the level of individual institutions if these are genuinely critical functions? How do we deliberately introduce and manage redundancy in the interests of gaining resilience? As a society, what do we hope to accomplish for information delivery and stewardship of the cultural record in an environment of intensive cyber-attacks, whether motivated by criminal elements, geopolitics, or (increasingly) some hybrid of the two? What are the risks and the vulnerabilities?

I'm very eager to engage these questions, which I've worried about for two decades now, and perhaps this report (and other events, including other attacks on libraries and cultural memory institutions, and the recent spate of attacks on biomedical facilities) will lend some new urgency to these discussions. Perhaps, in the US, the growing focus on risks to critical infrastructure of various kinds and the federal government efforts to begin to address these risks will begin to consider these vulnerabilities.

Clifford Lynch
Director, CNI