After a long period of quiet, the British Library has just issued a very thoughtful  and helpful report on the extremely disruptive and damaging cyberattack that took place in October 2023 and that they are still recovering from. This deserves wide review by leadership of organizations concerned with both information delivery and stewardship of cultural and intellectual heritage.

There's a blog post that provides context at

https://blogs.bl.uk/living-knowledge/2024/03/learning-lessons-from-the-cyber-attack.html

and a longer report (about 18 pages) at

https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

There are much broader systemic  issues that aren't directly addressed in the BL report (which very much takes an institutional view). To what extent are information delivery and cultural memory and stewardship activities genuinely critical infrastructure that demand to be treated as such? Where does the responsibility lie, when it must be clearly above the level of individual institutions if these are genuinely critical functions? How do we deliberately introduce and manage redundancy in the interests of gaining resilience? As a society, what do we hope to accomplish for information delivery and stewardship of the cultural record in an environment of intensive cyber-attacks, whether motivated by criminal elements, geopolitics, or (increasingly) some hybrid of the two? What are the risks and the vulnerabilities?

I'm very eager to engage these questions, which I've worried about for two decades now, and perhaps this report (and other events, including other attacks on libraries and cultural memory institutions, and the recent spate of attacks on biomedical facilities) will lend some new urgency to these discussions. Perhaps, in the US, the growing focus on risks to critical infrastructure of various kinds and the federal government efforts to begin to address these risks will begin to consider these vulnerabilities.

Clifford Lynch
Director, CNI