Time to examine the anatomy of the British Library ransomware nightmare

Quiz time: name one thing you know about the Library of Alexandria. Points deducted for "it’s a library. In Alexandria." Looking things up is cheating and you know it. Hands up if you said it was burned to the ground by barbarians. That's almost entirely wrong – we'll get to that in a bit – and that's not important. What …

  1. iron

    "If a report of an air accident investigation revealed anything like the scope and systemic misadventure of the British Library report, it would shake up the aviation world so hard its rivets would pop."

    Nice sentence but Boeing's refusal to identify who replaced some door bolts or even if they were replaced at all would disagree.

    1. ChoHag Silver badge

      > Boeing's refusal to identify

      Regulators don't move as fast as the image of popping rivets would suggest. That particular part of the saga has not finished playing out.

    2. KarMann Silver badge

      If I somehow find myself boarding a Boeing product anytime soon, I'll definitely be visually inspecting the rivets along the way.

      1. Tron Silver badge

        You have a few minutes between boarding and take-off.

        Enough time to apply some Araldite to anything that looks a bit iffy.

        1. Anonymous Coward

          Re: You have a few minutes between boarding and take-off.

          What if it's the door seals? You may not be able to get out later :).

          1. ThatOne Silver badge

            Re: You have a few minutes between boarding and take-off.

            You will, when the plane bursts open (they eventually do, apparently).

            I won't fly British Library, ah sorry, Boeing, unless my life depends on it (in which case it's a fair bet).


            A shame about the Library though, that's humanity's heritage getting lost there. I'm against death penalty, but I would make an exception for ransomware lowlife attacking hospitals and educational institutions (that includes libraries and museums).

  2. Primus Secundus Tertius

    Force of Islam

    As I understand it, the Lib. of A. was finally destroyed by the forces of Islam. Who needs any other source of information when you have their particular Holy Book? Mind you, it may have suffered cuts in government expenditure long before that.

    1. Michael Hoffmann Silver badge

      Re: Force of Islam

      Or a Christian mob who also took time away from their busy job of destruction to maim and lynch Hypatia.

    2. Anonymous Coward

      Re: Force of Islam

      That's very debatable due to the amount of time between the alleged incident happening and it coming to light (1200s AD). This was alleged to have happened in 642AD. Islam was only formed in 610AD and they didn't start burning libraries till 976AD (https://en.wikipedia.org/wiki/List_of_destroyed_libraries). Another point to consider is the Rashidun Caliphate under Umar which conquered Egypt in 642AD, so you then have to question whether this was an act in relation to the Quran or just an invading force destroying things in battle. You would have thought it would have been documented at the time in Egypt.

      1. Phil O'Sophical Silver badge

        Re: Force of Islam

        You would have thought it would have been documented at the time in Egypt.

        And maybe stored in a big library?

        1. Anonymous Coward

          Re: Force of Islam

          Hats off to you on that one. I really did walk into that.

    3. Androgynous Cupboard Silver badge

      Re: Force of Islam

      I think that's exactly the point the author is making. The story of it being burned by Islamic invaders (because it "either agreed with the prophet and was therefore unnecessary, or disagreed with him and was therefore sacrilegious" if I remember the quote) was an anecdote that spread because people wanted to believe it, but is nonsense. Most of the damage had been done when Caesar's troops (probably) lit fires that spread back in 48BC, 700 years earlier. By the 640s whatever remained of the library was no longer significant.

      Most of what we know about many ancient texts from Sophocles, Plato, Euclid etc. comes from translations made from the Greek into Arabic by Muslim scholars - they're doing the exact opposite of burning books, they're preserving them. But Christianity was threatened by Islam, so propaganda triumphed over facts. And it still does today.

      1. Mage Silver badge

        Re: Force of Islam or Romans?

        Or "staff" selling off scrolls as firelighters for a few hundred years.

        Alexandria was under-resourced for centuries. More stuff, relatively speaking, has survived from Sumer and Akkad because when a town or city was burnt down, that preserved the tablets. Thousands sit unread in Paris, London and Chicago.

        A Chinese Emperor had a nationwide book/scroll burning campaign.

        Carnegie funded libraries world wide but now funding is cut in many countries. The British Library situation is symptom of a wider and deeper malaise.

      2. MachDiamond Silver badge

        Re: Force of Islam

        "Most of what we know about many ancient texts from Sophocles, Plato, Euclid etc. come from translations made from the Greek into Arabic by muslim scholars - they're doing the exact opposite of burning books, they're preserving them."

        There was a very strong tradition of scholarship within the Muslim community until one fevered Imam decided that all books other than the "One Book" were heretical and must be destroyed. It's unknowable how drastically that handicapped mankind when that happened.

        I have a house full of books, primarily STEM and reference materials, but also plenty of history, philosophy and psychology. For as big a sci-fi nut as I am, I really don't have many feet of shelf space dedicated to fiction. What I do have is generally high quality hardcover and many signed copies. It helps that Larry Niven didn't live that far away for some time and I'd see him a few times a year. My bedroom is best described as a library with a bed in the middle. Other than the wardrobe and window, every wall is floor to ceiling bookcases. My dad once taught me that it's not a requirement that you know everything (and can't), but knowing how to find the information you need is a skill to be developed. I think that's one of the reasons I've had a life-long love affair with books. Local libraries have often let me down and it's been getting harder and harder to sneak into a library on a Uni campus to learn a few things and run away with that knowledge. They want paying and the price keeps rising.

    4. RegGuy1

      Re: Force of Islam

      Islam has been very good to us. The Renaissance learned a lot from them. I find the history of maths particularly interesting, and how that technology that we all take for granted came about -- the number system we assume has been around forever. Euclid? Although Euclid was so important his Elements[1] have come down to us via a wide range of paths.

      [1] A book that I would argue has been probably the most influential book in the world. Thinking of the science that has come from it, that has touched everyone on the planet.

      1. Androgynous Cupboard Silver badge

        Re: Force of Islam

        Yes you’re right about Elements. There were some significant Arabic translations with comment, but they were not the only ones, it continued to exist in Greek and Latin too. I believe this is fairly unusual for a text of that age and it speaks volumes (ahem) as to how important it was considered.

    5. ThatOne Silver badge

      Re: Force of Islam

      > the Lib. of A. was finally destroyed by the forces of Islam

      Well, everybody will accuse his favorite enemy. If you ask Russia it was the Ukrainians, for Israel it was the Hamas, and so on...

      What I've heard (might be an urban legend, but it's so stupid it sounds credible) is that it was some guy who wanted his name to live forever in History (which is why his name must never be pronounced or written)...

      1. ThatOne Silver badge

        Re: Force of Islam

        (After checking, that was rather the Temple of Ephesus, one of the 7 Wonders of the Ancient World, in 356 BC.)

        I stand corrected.

        This being said, apparently the library of Alexandria was destroyed by Julius Caesar in 48 BC, and what was left was finished off by other Roman battles around 250-300 AD. I don't know how much was left for the Muslims to destroy another 3 centuries later.

  3. A Non e-mouse Silver badge

    I think you've missed a key aspect of the rail/air investigation authorities in the UK: If there is an incident you have to report it. The authority then undertake a no-blame investigation on what can be learned from the incident and make the report public.

    We need more organisations being open about A) Being attacked, and B), how they were hacked.

    Until we stop seeing being attacked as something to be swept under the carpet, we can't learn from them.

    Over the past couple of years I've come across two attacks: One was handled by the organisation's cyber insurers who said "Don't speak to a soul about this or we wash our hands of you" and the other the NCC were involved with who also said "Keep quiet".

    1. CorwinX

      Absolutely - a critical key aspect of air crash investigations is not to assign blame unless some egregious action has been taken by the airline.

      The blame game incentivises companies to hide things.

      No system is bulletproof - a culture of openness, where companies can put their hands up to being hacked without being pilloried for it can only improve security.

      1. A Non e-mouse Silver badge

        a critical key aspect of air crash investigations is not to assign blame unless some egregious action has been taken by the airline

        I can't speak for the USA based investigations, but in the UK, the air/rail investigation people only perform a no-blame just the facts investigation. If there was loss of life, then the investigators will be shadowed by the police (and others) who will be looking at the possibility of any criminal charges. The air/rail investigation people never perform any prosecution: That is key to why they work so well. They want transport to be safer by learning lessons and making improvements - not by finding someone to blame.

    2. MachDiamond Silver badge

      "Until we stop seeing being attacked as something to be swept under the carpet, we can't learn from them."

      It's a noble concept that is constantly being set against by liability laws and blood sucking lawyers. Step one: Admit nothing. It won't matter how diligent you've been in protecting your systems since you'll be second guessed after something has happened.

      I believe that in many cases of hacked PII, a company should be punished but that's to set a cost of keeping that information in the first place. If there is no/little downside to holding large files on everybody that the company can get its hands on, they will do that since that data can be in demand. If there is the possibility that a company can be put out of business and the top level executives wiped out as well, some might take thought about security and if the risk is worth the reward at that point. There's so little risk now that selling widgets AND data rather than just the widgets is a case of "why not?".

      1. Grinning Bandicoot

        RE: First paragraph

        HOSANNA! Today it appears that the lawyers are the barbarians at the gates. The liability laws have been bent far from the original form such that today when a fault is found and announced as part of a safety program the announcement is used as an admission of negligence.

  4. Michael Hoffmann Silver badge

    Reason #854637

    ... why I got out of security.

    Figleaf and scapegoat. Circumvented over and over by besuited Big 4 consultants who couldn't configure the firewall on their home network modem.

    1. Lurko

      Re: Reason #854637

      Who'd want to work in IT security?

      Average salaries for IT security roles in the UK are pretty poor (eg Reed reckon an average of £70k in London, Indeed quote £55k). There are some better paid roles, but they tend to be few in number, although if you want to go contracting then there's some decent - and some very poor - rates on offer. My favourite was an SC cleared cyber security role for a government SOC "in Buckinghamshire", so only a few likely candidates there, and that was paying £500 a day. WTF do they think they'll get for that?

      Public or private sector, you'll be ignored before there's a problem, the big wigs will be too busy with their "urgent" but not important activity, with executive awaydays, and meetings with vendors and consultancies paid far more than you will be. Good practice will be sidelined if it is inconvenient for the execs or the sales teams; in the interest of low cost, vital business functions will have been outsourced and there's neither visibility nor control over them.

      And when the brown stuff splatters, it'll all be your fault.

      1. abend0c4 Silver badge

        Re: Reason #854637

        Who'd want to work in IT security?

        A rapidly diminishing number, I would imagine. The likelihood of becoming the victim of events of this kind seems to be growing all the time and the IT environments we have make it hard to construct sufficiently robust defences.

        I think organisations need to spend a great deal more time planning how they will deal with major IT failures rather than simply imagining the risk can be prevented. That may well have an impact on how they conduct their IT operations and the extent to which the integration of systems for convenience outweighs the risk.

        1. ThatOne Silver badge

          Re: Reason #854637

          > planning how they will deal with major IT failures

          They do: They have prepared ready-made press statements about how much their clients assets are important to them, and that they are doing whatever possible to understand what happened.

          Why, what did you expect?

      2. Zibob Silver badge

        Re: Reason #854637

        "and that was paying £500 a day. WTF do they think they'll get for that?"

        £3,500 a week

        £14,000 a month

        £168,000 a year

        That doesn't sound terrible.

        Even being generous and assuming a 5 day week

        £2,500

        £10,000 a month

        £120,000 a year

        A lot closer to the needed standard for buying a house but still 20k clear a year.

        For reference, I get £500 a week, for structural steel. Stuff that carries traffic and hangs above traffic, actual life on the line stuff. If I could get paid 5x for an office job, with much lower hazard risks and mental stress that would be a done deal.

        Yes I know there's education in there but that's true for any job.

        1. collinsl Silver badge

          Re: Reason #854637

          Yes but you're looking at contracting rates there so out of that £120k you have to find:

          * Tax at the appropriate rates for however you're paying yourself (so say goodbye to about 40-50% of that)

          * Holiday pay

          * Sick pay

          * Pension payments

          * Paying an accountant or accountancy firm or contracting firm if you work as a "consultant" to them and they take a cut of your wage.

          * Business expenses if you have to equip yourself to do the job

          * Training (since your employer won't spend money on training contractors most likely) plus time spent not working in order to train

          * Business rates (if you self-incorporate)

          etc etc.

          So you'll probably only personally end up with about £45-50K per year of that as "take-home" pay.

          1. Anonymous Coward

            Re: Reason #854637

            "For reference, I get £500 a week, for structural steel. Stuff that carries traffic and hangs above traffic, actual life on the line stuff. If I could get paid 5x for an office job, with much lower hazard risks and mental stress that would be a done deal."

            Many essential jobs get crap or crappish pay in the UK and there's not much you or I can do about that other than retrain. Or you could take your skills to somewhere they're more highly valued or there's offsets like better standards of living, such as Australia. If you're a qualified structural steelworker, then a brief search says there's visa-linked opportunities in Oz, but there's other destinations.

            This is Britain, and the only "valued and rewarded" jobs are crap like sales or financial services.

            1. Doctor Syntax Silver badge

              Re: Reason #854637

              This is Britain, and the only "valued and rewarded" jobs are crap like sales or financial services.

              And the only valued and rewarded qualifications are in the Humanities.

          2. Anonymous Coward

            Re: Reason #854637

            As far as extra costs for being a contractor go, holiday pay, sick pay, accountant etc. are all fair, as they're the sort of expenses that just don't factor into being an employee. But why put normal income tax first on your list? Employees have to pay tax too, just different amounts, depending on the circumstances. They also pay pension contributions too.

            No-one compares pay rates by "take home" pay, because there are too many factors related to personal circumstances that vary how much of your pay ends up going home with you. In any case, the projected £45-50k take home seems relatively healthy to me, especially when compared to average (gross) salaries.

          3. munnoch Silver badge

            Re: Reason #854637

            Not to mention being the first for the chop when costs need cut (ask me how I know that...). No job security beyond the next 30 days.

            My headline rate is (for one more week) slightly higher than 500 a day, but that doesn't all come to me. It's paid to an umbrella company who have me as their employee and who take employer deductions (NI, pension) off first before it can be used as my gross. And I pay the oh so progressive Scottish rates.

            IT contracting is most definitely *not* the pot of gold it used to be.

            1. Doctor Syntax Silver badge

              Re: Reason #854637

              IT contracting is most definitely *not* the pot of gold it used to be.

              It was only considered such by those permies who, for one reason or another, didn't want to partake of the fabled pot.

              1. Anonymous Coward

                Re: Reason #854637

                No. no. Contractors were an easy target, so IR35 was created.[1] It was much easier politically to tax contractors than go after the untaxed wealth of the rich and old. It remains the same today -- look at all that untaxed capital gains in property, oh and how many MPs are landlords? The richer half and the old are untouchable, because they are the only ones left voting Tory.[2]

                [1] A Gordon Brown idea, BTW.

                [2] Although I can't see Labour doing much, because of first past the post.

          4. Anonymous Coward

            Re: Reason #854637

            Um..... tax is taken from waged employees too.

      3. Martin an gof Silver badge

        Re: Reason #854637

        £500 a day. WTF do they think they'll get for that?

        Teachers start on c£30,000 / yr, works out to £154 a day for 195 days a year. Even at the top of the standard scale (c£47,000), that's only £240 a day and doesn't take account of the fact that most teachers end up putting in a lot of hours "after hours" for no additional pay.

        A band 5 nurse (all newly-qualified nurses) starts on c£28,000 a year for (if I've calculated it correctly), 225 days a year (based on 8 hour shifts) after 35 days leave. That works out to £124 a day. A band 7 nurse (further qualifications and responsibilities) with 10 years service might be on c£50,000 and have 7 extra days leave, so that works out to c£230 per day.

        M.

        1. Yet Another Anonymous coward Silver badge

          Re: Reason #854637

          But those are salary jobs with a pension and presumably employment rights

          For a contractor job where you have to pay your own tax, benefits and training and spend time unemployed (but not able to claim) you need to double the salary

        2. 0laf Silver badge

          Re: Reason #854637

          If you have to budget for an employee you need to include what was described to me as "on-costs". So taking on an employee at £20k actually had to be costed at £30k to cover pension, NI, holidays etc.

          As a contractor you pay those yourself. So a comparison would be an employee with "on-costs" against a contractor rate. But a contractor also has no economy of scale for pensions and insurance for sick leave and does not have the reassurance of a notice period.

          And if you think £500 a day is expensive what do you think the government is paying the big firms like Fujitsu to supply specialist contractors? It's likely to be in the region of £1200 to £2000 a day.

          This is the lunacy of government, they won't employ someone to do the job at £300 a day but they will pay £2000 to outsource it to Fujitsu et al.

          1. MachDiamond Silver badge

            Re: Reason #854637

            "This is the lunacy of government, they won't employ someone to do the job at £300 a day but they will pay £2000 to outsource it to Fujitsu et al."

            It depends on the job needing doing. For that £2k, there's no tax liability for the employer, no redundancy, pension contributions, etc. They can hire a specialist for the job and when the job is done, they don't have to keep on paying that specialist at a premium rate. I do get your frustration at government outsourcing all sorts of things that are done on a regular basis and paying legions of middleman companies to "manage" those things. Every company that sells online has some sort of way to accept payments, yet, many government portals send you off to some 3rd party payment processing firm, many you've never heard of, to take your payment details and then shove you back to the government website when done. The city where I live books all sorts of consultants to do things that anybody in the city office could do and would do so and report back with far less verbosity. There was just a report done on the municipal water utility that was horribly written with things that should have been put in an appendix left in the body of the report so it took (virtual) scissors to make it flow and find the conclusions. I didn't need to see all of the math in-line. If I didn't trust that the consultant did the maths properly, there'd be no point in slogging through the report in the first place. I expect that it was as wordy as possible to justify the amount of money they paid this person/company.

        3. MachDiamond Silver badge

          Re: Reason #854637

          "A band 5 nurse (all newly-qualified nurses) starts on c£28,000 a year for (if I've calculated it correctly), 225 days a year (based on 8 hour shifts) after 35 days leave. That works out to £124 a day. A band 7 nurse (further qualifications and responsibilities) with 10 years service might be on c£50,000 and have 7 extra days leave, so that works out to c£230 per day."

          In the US, there has been a perpetual shortage of nurses for decades. While it may be a shite paying job in Blighty, it can be considered in the same way as an internship. There's a ton of reciprocity in nursing education and certifications so to bring a nursing degree and a few years of experience to the US has very good translation. There might be some additional training involved and standing some tests, but not too bad. Even better, good wages can be had in places with less population and a lower cost of living so it's possible to do well enough on a starting wage. I use the US as an example as my mom is a retired nurse from the US, but other countries value the profession as well. After retiring, my mom worked as a nanny for a couple of wealthy couples looking after their kids. She got to travel a bit for that, it paid very well and there wasn't the 10 hour days on her feet. For somebody with the money, why wouldn't they want a qualified nurse looking after their kids that was a bit older and far more responsible? I say "paid well" modified with "for the hours served". It wasn't 40 hours per week, but it did have some overnights. Overnight in a very nicely appointed guest room and a well stocked kitchen.

      4. MachDiamond Silver badge

        Re: Reason #854637

        "My favourite was an SC cleared cyber security role for a government SOC "in Buckinghamshire", so only a few likely candidates there, and that was paying £500 a day. "

        Was that a zero-hour contract, for a specific job or ongoing regular employment? It is rather low unless it comes with a load of bennies. The hassle of getting and maintaining a clearance should double that rate.

      5. Anonymous Coward

        Re: Reason #854637

        Some of us do serious security stuff. The bank I've recently consulted for paid my team between $4000 and $9000 p/h per man according to seniority. The contract has just been renewed for a further two years.

        They seem to take their digital security very seriously, and are prepared to pay sensible rates for high quality, reliable solutions. Everything Microsoft is banned from their estate, and Apple products are only allowed to connect to their public wi-fi and only for personal use. There have been numerous attacks of various kinds, and their frequency appears to be increasing. Most of this activity seems to be coming from Eastern Europe, some from North Africa and even a little from Central America!

        The hours are reasonable, and their management seem to have at least a rudimentary understanding of the problems - it's not too bad a job for us at the moment!

    2. 0laf Silver badge

      Re: Reason #854637

      Self employed consultancy wages are a poor comparison for all the reasons given, you need to halve the headline figure to get a realistic comparison with a salaried employee. God knows how to compare it when IR35 is in the mix.

      As for shit salaries there are some decent numbers out there but I used to work in security in the public sector and held responsibilities up to the boardroom level, was on call 24/7, was incident lead, was volunteering on several national projects and held multiple industry professional certifications. I struggled to get more than £35k as did my peers in similar organisations because I didn't manage staff and that's how the wages were calculated. Professional value or difficulty of replacement wasn't considered. In fairness even the lawyers weren't paid much more. Eventually the private sector made an offer I couldn't refuse. Double money and, in the end, less work and less stress.

      If you look back at El Reg a year ago there was an article then lambasting the Government for advertising for a head of cyber security for HMG Treasury for £50k. At the same time Renfrewshire Council was offering £55k for an infosec manager.

      I'm not alone, most of the security people left in the public sector are only waiting on pensions.

      1. Doctor Syntax Silver badge

        Re: Reason #854637

        "because I didn't manage staff and that's how the wages were calculated."

        And that goes right through the thinking and also a long way back. Investigating crime and giving evidence that could clear or convict someone on charges that could result in life imprisonment but don't manage staff? you don't have the responsibilities needed for promotion. (At least not until you hand in your notice at which time it's magically offered without any of the usual procedures.)

        1. MachDiamond Silver badge

          Re: Reason #854637

          "(At least not until you hand in your notice at which time it's magically offered without any of the usual procedures.)"

          In some careers, that's the only way to get a rise. You have to legitimately threaten to leave or actually leave and work for somebody else for more money. Companies aren't keen to give more money to their employees, but HR isn't staffed with long term thinkers. HR will believe that they can find somebody new for any post without realizing that everybody that leaves takes with them incredible amounts of institutional knowledge and training. Much of that knowledge will be for things that didn't work. Things that didn't work often don't get documented so somebody new may make the same mistakes again, and the person that comes after them, etc, ad nauseam. The new-hire whose degree will still smudge is a financial money pit the company has to throw money into for months with the hope they will work out at some point; if they don't work out, the company's bottom line keeps suffering. At least they will take the job at far less than they were paying the other person with the experience, right?

      2. MachDiamond Silver badge

        Re: Reason #854637

        "If you look back at El Reg a year ago there was an article then lambasting the Government for advertising for a head of cyber security for HMG Treasury for £50k. At the same time Renfrewshire Council was offering £55k for an infosec manager."

        They will then have posts that pay far over what is reasonable for half the work and responsibility, spawned from the belief that the job is much more important even though the secretaries do all of the real work. In the US, some school district superintendents make serious 6 figure salaries when the teachers are barely able to survive on their wages. With overtime, bonuses and other payments, some fire chiefs/commanders can retire at 45 as millionaires.

        Government has to pay competitive salaries even if they offer solid Platinum benefits. A standardized benefits package doesn't really suit anybody very well. Some of those benefits only mean anything if you need them or stay in government service your entire career. If that's not your goal, it's the salary that will be the focus. I have to put on my conspiracy hat and wonder if some high paying government jobs started out as a way to hire family at a fat wage and it's the history of that position paying what it does that perpetuates the high salary going forward. Nothing to do with scarcity of candidates or difficulty of the job.

  5. Anonymous Coward

    The 21/22 annual report is instructive

    Had a scan of the last annual report before the incident, and although digital risks are one of the eight top risks, and there's half a page of prattle about risk governance, it's also instructive that there's nothing on how much BL spend on IT, or what actions they planned or were taking to better understand or mitigate those risks. A couple of paragraphs about migrating to a secure O365 environment, but nothing that gives an outsider any hint of the tangled clutter of obsolete systems we now know they were running. Also notable that the budget increased by 12.1% between 2020/21 and 2021/22, so they had more money but chose to do other things with it.

    From the report, there's all the required-by-regulators corporate bilge about diversity, carbon reporting, sustainability, how much the board get paid and their pensions, but nothing about IT, or about IT security. The word "technology" appears eleven times; by comparison the word "paddington" appears seven times. Within the intended substance of the report, it's quite clear that the British Library functions as a temple for librarians, and I couldn't readily find a single source for the names and expertise of external board members. Put simply, it looks like nobody in senior positions properly understood IT, they didn't listen to the likely tiny handful of IT professionals they had, and acknowledged but then assumed the threat of cyber attacks was real, but not an urgent priority.

    1. Doctor Syntax Silver badge

      Re: The 21/22 annual report is instructive

      They were getting round to it.

      From the incident review document: in late 2022 the increasing use of 3rd party providers in the network was flagged as a risk. A review of security provision relating to it was planned for 2024.

  6. ChoHag Silver badge

    > Nobody dies at the moment of a major failure of systemic integrity such as the British Library experienced.

    Uhh... How many postmasters did we lose?

    1. A Non e-mouse Silver badge

      Not wishing to belittle the pain & suffering endured by postmasters, their friends and family, the Horizon debacle was very different to the BL attack.

      1. ChoHag Silver badge

        It was not a major failure of systemic integrity? Because I didn't see any integrity.

        1. collinsl Silver badge

          I think the point of that line in the article was that the British Library doesn't work with nuclear materials or massive vats of boiling metals or highly toxic chemicals etc.

          It also didn't start blaming its staff and prosecuting them for tens of years as a result of the breach, so I fail to see how it's comparable to the Horizon Scandal.

          1. samzeman

            The only way in which they could both be said to be a failure of systemic integrity is including the other sense of the word "integrity" as in moral, on PO's part.

        2. doublelayer Silver badge

          No, it really wasn't. It was a major failure of systemic accuracy. Integrity and accuracy are completely different aspects of a system and have different effects when lost.

  7. Anonymous Coward
    Anonymous Coward

    Silver lining

    My late-return fines were wiped too…

  8. Anonymous Coward
    Anonymous Coward

    Root cause .. too much MICROS~1 INNOVA~1 ...

    “Rhysida, a newcomer to the ransomware scene, was detected through Kaspersky's telemetry data in May, and operates as a Ransomware-as-a-Service (RaaS). It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft.”

    1. veghead

      Missing Words

      Not once in the entire report does the word "Windows" appear. Considering Rhysida, like most other ransomware, runs on Windows, I'd suggest that the report isn't as open and complete as it could be. [If anyone genuinely believes the widespread use of this aged, lame duck, operating system, is not a key part of the ransomware problem, they will continue to shoot themselves in the groin forever more.]

  9. tiggity Silver badge

    What's the odds

    What's the odds that IT staff warning of issues were told one or all of - to be less negative / don't worry we have a plan for this that will be rolled out in year 20nn / it will cost too much / it will temporarily break too many systems / you are overstating the risks.

    From reading the (very lacking in any real detail) PDF it looked like some security holes were previously identified but the issues kicked into the long grass.

    It also looked like they had very poor backup behaviour, but again there was insufficient detail in the PDF.

    1. Doctor Syntax Silver badge

      Re: What's the odds

      One bullet point from the PDF dealing with improvements for the future:

      "a holistic, integrated security suite that covers the whole organisation, backed by managed security partners for improved incident response, detection, and remediation"

      I read that as "Single point of failure exposed to supply chain attack."

      1. MachDiamond Silver badge

        Re: What's the odds

        "I read that as "Single point of failure exposed to supply chain attack.""

        You have a Cray to do AI translation of gobbledygook? After they used the word "holistic" I started to get bilious.

  10. 0laf Silver badge
    FAIL

    No change

    Lots of platitudes and good intentions, but this is near identical in method and cause to multiple attacks going back 5 or 6 years now. Very specifically it's almost identical to the attack on SEPA in 2020, which pretty much wiped out that organisation and probably led to criminal investigations collapsing.

    Before that Redcar and Cleveland also went through a catastrophic attack. There have also been dozens of other smaller scale or contained attacks that have happened. And these are in the public sector, where they are generally open about the attacks.

    It's very clear that, still, systemically cyber security is not actually taken seriously (outside of soundbites when the shit hits the fan) and no lessons are being learned.

    I've worked in cyber security for over 20yr now and really very little has matured outside of the technology. IT is still the odd unit in the basement to be avoided at all costs and the first target for cuts. IMHO health and safety is a good model: cyber security has about another 20yr to go before anyone will really get a grip on it, and then maybe there will be criminal sanctions for failures that can and have led to deaths, maybe indirectly, but some of these attacks will have contributed to people's ends.

    1. Anonymous Coward
      Anonymous Coward

      Re: No change

      You've been in the business for 20 years, yet you still say "cyber"?!

      1. Casca Silver badge

        Re: No change

        AC complaining is worth nothing

      2. 0laf Silver badge
        Trollface

        Re: No change

        I still believe in "Information Security" because my remit still includes paper and would include slate or vellum if the data was written on it. If you don't use the currently fashionable term you'll be ignored or maligned. I've been through many cycles of buzzword bingo driven by sales droids. I don't like the game but you have to play it.

        If you knew your shit, you'd know that too.

        1. Anonymous Coward
          Anonymous Coward

          Re: No change

          As the original AC, I agree entirely with your reply, but as I do know my shit too, I keep the buzzwords for the managers and sales droids.

          It wasn't meant to be a rude comment. It was just tongue-in-cheek. I was just surprised to hear such a word to use amongst techie peers. Apologies for any offence caused.

      3. doublelayer Silver badge

        Re: No change

        You learn who to say things to. I also work in security, and that's what I say to people who work in IT or programming. They assume that I'm also doing some kind of technology security, and if they know that I'm a programmer, they can draw the lines. Say that to someone who doesn't work in tech and they either don't get it or assume you're a security guard and try to figure out why a programmer is doing that. The term they use for the entire information or technology security area is "cybersecurity". We're lucky that shortening that to "cyber" hasn't entirely caught on. Now I could try to adopt something that's really no better and get everyone to call it "computer security", educate them on why we sometimes call it infosec and try to make them do that, or use the term they know. I often choose the low-effort method that still gets communication going.

        1. Anonymous Coward
          Anonymous Coward

          Re: No change

          Original AC here. I do agree completely, and whilst I also have to often begrudgingly use their buzzwords to the non-techie managers, PR people, and customers, I didn't expect to see it used here.

          But it was just meant as a mild quip; I guess it came across ruder than I expected. Just as well I posted AC (which I did for other reasons).

          Just as long as no-one says "webinar" or "collaborative ecosystems", with a sprinkling of "something 3.0", washed down with "metaverse" and "sustainable technology" this grumpy old ass is happy!

          Apologies again to 0laf. I wasn't questioning his/her skills.

          1. 0laf Silver badge

            Re: No change

            Apology accepted with due grace.

            I am resoundingly bitter, jaded and very likely washed up by those decades as a blamehound and cleaner of shit stained fans and the walls behind them.

            Still fighting the good fight that people who say "hacker" really mean "cracker".

            1. Anonymous Coward
              Anonymous Coward

              Re: No change

              Thanks. And I both sympathise and relate to that.

              We are probably more similar than it first appeared.

              Now onwards we go. Let's make a webinar about how to stop those cyber 2.0 hackers from destroying our metaverse! :-)

  11. Tron Silver badge

    There are cheaper options.

    Silo your tech. Internal intranet with no access to the public internet. Public facing internet services that, if taken down, can simply be replaced without loss of internal functionality or core data.

    Anything connected to the net is vulnerable and may not be defendable against everything, so leave the stuff that you can lose and replace cheaply, physically detached from your internal systems. Even if it means two colour-coded PCs for every desk.

    Post-Brexit we are a quarter to a third poorer due to the decline of Sterling, and short of staff. So we need cheaper options. Accept it.

    1. Anonymous Coward
      Anonymous Coward

      Re: There are cheaper options.

      The option to have absolute silos and perimeter security is not realistic these days. For most organisations they are exposing something their business does or has to their customers, clients or B2B over the internet. Also a significant chunk of your workforce is now based at home. Hence moves to zero trust, MFA, RBAC and segmentation. Bigger picture it's not a matter of cost - what price the breach? Although short sighted organisations will continue to see IT just as a cost rather than an enabler. But mostly it's a case of taking IT security seriously, before the breach, rather than after...

  12. Anonymous Coward
    Anonymous Coward

    What makes it even more exceptional is that we now know what happened and why.

    My take on the why is the regular - 'money'. Optimisation, cost control, expenditure cuts, overhead reduction, human resources downsizing, in full glory. Seemingly irrelevant, but the same root cause: you pay peanuts, you get monkeys.

    There are two guilty parties: consecutive governments who cut their funding, and the library management, unable to secure funding for core (?) services.

    p.s. never worked there, don't have any family, friends (or enemies) who work(ed) there, but I've been to that place a good few times over the last 20 years, enough to find them consistently unpleasant to deal with, consistently demotivated, consistently inflexible and consistently useless.

  13. munnoch Silver badge

    "Too old to be safe, too expensive in time and money to replace"

    There's something structurally wrong with the state of IT as a practice that forces this constant arms race of upgrades and replacements. Bits of my car wear out, but that's due to mechanical action; they literally get lumps knocked off of them. There is no analogy to that in software, it doesn't degrade.

    Once a piece of software is built it should essentially work, as in keep doing the same thing (functional defects may mean this isn't the "right" thing), for all eternity. We need to rethink how we deliver applications.

    My organisation has just gone through a Red Hat migration. We've spent literally hundreds of man days on it for just the one application I'm involved with (the organisation does make a rod for its own back with its change management procedures so that accounts for a lot of the overhead). Does the application run any better as a result? Nope, not in the slightest. Do our clients get a better service level? I doubt it. Can we ask them to pay us more as a result? Unlikely. Have we cocked up bits of it and had downtime of part of the estate? Sadly, yes. Has it diverted us away from real revenue opportunities? Almost certainly.

    Retiring in under a week. Let the script kiddies and chat bots figure it out from here.

    1. Doctor Syntax Silver badge

      Re: "Too old to be safe, too expensive in time and money to replace"

      Once a piece of software is built it should essentially work, as in keep doing the same thing (functional defects may mean this isn't the "right" thing), for all eternity. We need to rethink how we deliver applications.

      Two things there. 1. It may have as yet undiscovered vulnerabilities built in. 2. What it does when delivered isn't necessarily what it will need to do in the future.

      Development is the process of launching a software product into the maintenance cycle. Eventually most of the work that has been done on it may well have been done by maintainers. They need to be at least as good as the original developers.

      1. usbac

        Re: "Too old to be safe, too expensive in time and money to replace"

        I agree with the OP above.

        We also need to stop software companies from waiving liability for the security of their software. If someone sells a defective coffee machine that burns down a bunch of people's homes, they will get sued, possibly out of existence. It should be the same with software. If your software has a vulnerability that causes a data breach, you've done the equivalent of burning down someone's home. You should be just as liable as the appliance manufacturer.

        Software vulnerability analysis should be an area of increased investment. Maybe this is the one place where AI might actually be useful?

        We need something like an Underwriters Laboratories for software. Once software companies can't waive liability in their EULA anymore, they will need to insure against it. UL came about due to insurance company requirements for issuing product liability policies.

        1. doublelayer Silver badge

          Re: "Too old to be safe, too expensive in time and money to replace"

          If you do that, you will certainly sometimes get the writers of the software to pay for damage caused while running their software, but you will also get a lot of something else: IT people raked over the coals and punished severely. Because if you're going to pin the blame on the writers, those writers are going to have a need to pin the blame on someone else, and there is usually something the administrators could have, and in many cases should have, done which makes it their fault. For example, maybe we blame a software writer if their code has a zero-day in it, but who gets the blame if the software had a vulnerability in it patched two months ago but the administrator didn't install the update? If you're willing to charge the programmers for any financial cost, are you willing to charge the administrator that could have but didn't install the update with the same thing? After all, if the coffee machine was not defective but the plumber installed the water line in such a way that it flooded the machine, heating the water, and collapsed in a wonderful fountain of steam, you would be blaming that plumber.

          There are many situations where it's less clear, for example the programmers say the configuration was insecure, the administrators say the defaults were insecure, and they fight because neither wants to get stuck with the blame when it comes with that large a bill. So also budget for some lawyers to be involved, especially if the company who wrote the thing is large enough. They'll have a good incentive to make sure the court thinks it's your fault. Before you get too eager about finding someone who isn't you and blaming it all on them, think for a bit about whether it would be fair for someone to do the same to you. If it wouldn't, let's factor that in to the solution we propose.

          1. samzeman

            Re: "Too old to be safe, too expensive in time and money to replace"

            I wrote a long comment in response to this about how it would just be another extension of liability insurance for both companies/parties involved and then I realised having insurance decide blame is pretty harrowing in almost any big-money situation, especially thinking of healthcare, so I am inclined to agree (even though it would be unlikely either party pays out of pocket, I don't have confidence in unqualified insurers determining fault in IT failure situations)

            1. usbac

              Re: "Too old to be safe, too expensive in time and money to replace"

              Many, many years ago, before getting back into IT, I worked in the insurance industry (claims side). You would be surprised how many subject matter experts are employed by insurance companies. Especially in industries where they write policies. I once met a fire investigator that worked for an insurance company. He was very competent. He had been a fire marshal and investigator for the fire department for nearly 30 years.

          2. usbac

            Re: "Too old to be safe, too expensive in time and money to replace"

            I think the OP was making a point about getting off of this hamster wheel of constant patching/upgrading to chase security vulnerabilities. Software should not have zero-day vulnerabilities. If software was properly developed and tested, the admin you mentioned would not have had to watch for constant patches. The fact that the admin missed patch number 532 on software that was released six months ago, should never be a consideration.

            This mentality of "Does it compile? Great, release it. We can always patch it later..." is why we are where we are. The software industry is the only industry where you can knowingly release a dangerous and defective product, and have zero liability for it. All I'm asking for is that software companies take some responsibility for their product. They won't until they are forced to.

            1. doublelayer Silver badge

              Re: "Too old to be safe, too expensive in time and money to replace"

              You will never prevent vulnerabilities from existing. You can reduce their number by spending more time (remember that it will increase the time and slow the pace of updates, including those you want to have), but it will never be zero. But let's try this thought experiment. What was the last zero-day or vulnerability that caused a zero-click attack, i.e. one that would have happened without any user interaction and was all due to the software? How many attacks like that do you know? Many attacks aren't that simple. They often rely on a user to activate the initial vector or to leave it insecure (basic SSH or RDP access to the internet is popular), the configuration to allow them to brute force passwords or access methods, the configuration to allow their compromised tokens to access things for a long time, profiling systems to not exist. None of that is down to programmers shipping too fast, and all of it can be blamed on the administrators who could have configured it and didn't.

              There are times when programmers are really at fault, but from your comment, I think you and the OP have overestimated how often this is. I am asking you again to consider how you would feel if it turns out that no vulnerability was found to be very important in this attack, but the administrator could have detected this and didn't with a different configuration, so they're the one bankrupted with penalties. If your response is "Fine with me. Let them suffer", then fair enough, we just disagree. If you think the administrators shouldn't face those consequences, then you should consider whether it's fair to have programmers face them in an analogous situation.

            2. Cav Bronze badge

              Re: "Too old to be safe, too expensive in time and money to replace"

              "you can knowingly release a dangerous and defective product,"

              Nonsense. We don't knowingly release dangerous code. Code is difficult. We are human.

              I've mentioned it before but NICTA, (Australia's National Information and Communications Technology (ICT) Research Centre of Excellence) took 5 years to mathematically prove that just 8,000 lines of code would work correctly. The team that did this had 12 researchers, NICTA/UNSW PhD students and UNSW other contributed staff. (UNSW - University of New South Wales).

              No amount of testing will find all cases of failure. If you want to apply the above level of mathematical checking then your next Windows licence will cost you half a million dollars and you can have Windows XP sometime in the next century...

            3. Cav Bronze badge

              Re: "Too old to be safe, too expensive in time and money to replace"

              "Does it compile? Great, release it. We can always patch it later..."

              Doesn't happen

        2. LybsterRoy Silver badge

          Re: "Too old to be safe, too expensive in time and money to replace"

          -- If someone sells a defective coffee machine that burns down a bunch of people's homes, they will get sued, possibly out of existence. --

          Let me guess ... you live in the USA.

        3. MachDiamond Silver badge

          Re: "Too old to be safe, too expensive in time and money to replace"

          "We need something like an Underwriters Laboratories for software. Once software companies can't waive liability in their EULA anymore, they will need to insure against it. UL came about due to insurance company requirements for issuing product liability policies."

          I don't see a UL organization as being possible. They'd find the obvious WTF's, but no software is ever going to be 100% secure (well mine is since I never seem to finish anything and start using it). It can also be a change in an OS that makes an application vulnerable so it might not be the publisher of the app that's at fault (or entirely at fault). If there were laws that stated that once a vuln is known to them, the author/publisher has to take immediate action and notify registered users, that would be a good thing. Any company that doesn't address issues that leads to data breaches, intrusions, etc, can be held liable and that liability could be terminal. The PR staff will see notifications as negative publicity, but if every company had to do it as a matter of law, people would quickly find out that everybody's poo stinks.

      2. LybsterRoy Silver badge

        Re: "Too old to be safe, too expensive in time and money to replace"

        and 3. Marketing keep on wanting to add more features even if the users don't want or need them.

        Basically we build too much complexity in rather than trying to keep things simple.

      3. MachDiamond Silver badge

        Re: "Too old to be safe, too expensive in time and money to replace"

        "Eventually most of the work that has been done on it may well have been done by maintainers. They need to be at least as good as the original developers."

        Management also needs to lose its fetish for changing UI's on a whim. Putting on a new shade of lip gloss will diminish the productivity of people using the software for a period until they find where all of the functions they use constantly have been buried. If there is a legitimate new feature, it's so much easier to find if all of the menus haven't changed at the same time.

        I get frustrated at eBay as they constantly change things around, take away features and make finding where things have gone even harder for no sane reason. The "new look" will come with some buzzword statement about "creating a better experience for users", which always means to me that I won't be allowed to list a whole new batch of things since I'm not a giant seller based in China where a knock-off is perfectly fine to sell for them.

  14. sitta_europea Silver badge

    The BL report reads to me like a blame deflecting exercise, with the main intent being to push the blame from the people who orchestrated this disaster onto the tools with which they did it.

    It talks at length about all the changes that are going to be made in the technology, and how well they're doing despite the challenges.

    It's staggeringly light on technical detail. "We think it was a compromised password on Terminal Services. It might have been phished."

    AFAICT the report mentions no changes in personnel, yet it's the personnel who orchestrated this disaster.

    If they aren't replaced, they'll just cause another one.

    1. Doctor Syntax Silver badge

      AFAICT the report mentions no changes in personnel management, yet it's the personnel management who orchestrated this disaster.

    2. doublelayer Silver badge

      What personnel? Because if you try to answer that question, you will instead start up the blame game. Is it the IT person's fault because they didn't put in some security method? Is it a finance person's fault because they didn't budget for it? Is it a manager's fault because they said not to bother because that's not a priority? Or do we track down the person whose password allowed the initial access and put it all on them? In reality, most situations can be blamed partially on all of those people: the manager said it wasn't a priority, but because the IT person explained it badly to them and because the finance person wouldn't pay for the staff or systems required, the finance person couldn't pay for that because the budget was set by senior management who didn't allocate anything because they didn't get told about the issue from the first manager, the IT person didn't build something out of the pieces available to them but because they weren't given the time, and the user entered their password on a phishing site, but wouldn't have done so if the IT people had put in a better email filter or more phishing training, and anyway that initial password wouldn't have allowed the attacker full access if the IT people had more inter-system security methods, which they didn't have because the finance person wouldn't pay for hardware, and they didn't build in software because the manager didn't give them enough time, because ...

      1. LybsterRoy Silver badge

        To me that reads like a lot of today's thinking - let's blame someone else.

        How about "track down the person whose password allowed the initial access" and fire them, making it very public just to set an example saying "there can be bad consequences" rather than "there there, it's not your fault".

        1. doublelayer Silver badge

          "To me that reads like a lot of today's thinking - let's blame someone else."

          Yes, that's what I meant by "blame game". People do it all the time. One of the people doing it, right now, is you. You're going to find one person who did one thing wrong and put the blame on them: "track down the person whose password allowed the initial access and fire them". I'm guessing that you work in IT, so you're nicely exempting your profession from it by finding someone else and deciding that they're responsible. In my example, I gave you lots of single people we could put the blame on.

          IT person: You could have had monitoring and more security, you didn't, so it's all your fault.

          Management: You could have told the IT person to have monitoring and more security measures, you didn't, it's all your fault.

          Finance: You could have increased budgets for security, you didn't, it's all your fault.

          Senior management: You could have approved more leeway for IT security measures, you didn't, it's all your fault.

          In reality, it is at least partially the fault of all five of those people, and possibly even more. Each person probably could have done something differently. Accurately estimating the correct amount of blame would involve trying to evaluate exactly where each person failed, but it doesn't really help much. If you're going to have blame-related consequences, doing that is the fairest way. If you're willing to fire the person who initially clicked on something they shouldn't have, imagine for a moment someone barging into your office, deciding that you should have done something differently, and announcing that you're the one to be fired. You probably could have done something, after all.

    3. yetanotheraoc Silver badge

      wrong lessons learned?

      "It's staggeringly light on technical detail."

      As far as I can see they identify three problems: (1) legacy systems (2) outdated network (3) lack of MFA. The issue I have with the list is that phishing a 3rd party provider is not going to be remediated by moving to a cloud architecture.

      RE (1) legacy systems, on page 6: "However, the first detected unauthorised access to our network was identified at the Terminal Services server. This terminal server had been installed in February 2020 to facilitate efficient access for trusted external partners and internal IT administrators, as a replacement for the previous remote access system, which had been assessed as being insufficiently secure." -- In other words, this was not a legacy system at all but a fairly new replacement system. Their even newer cloud solution is going to have remote access galore, so if that was the way in then, it will be the way in again. From what I can glean, their problem with legacy tech is not security related (despite page 14), but in trying to rebuild from the ashes.

      RE (2) outdated network, three bullet points on page 14: Maybe the first bullet point is somewhat correct, but I doubt any network would be resistant to compromised credentials. The second bullet point about ETL is not correct, the data most likely wasn't stolen in transit. The bit about modern and secure is therefore hand-waving. The third bullet point is not about intrusion at all but about recovery.

      RE (3) lack of MFA, on page 17: "The Library had MFA in place for all end-user technologies, but not on certain supplier endpoints." There you go. "Out of scope" on page 6. Hate to say it but their modernisation program is going to lead to even more third party access and even less control over their own network.

      According to page 5 they had a soft response to the initial intrusion on Wednesday-Thursday 2023.10.25-26 and basically allowed the attack to reach fully unrecoverable state by the Saturday. That was a human and management problem and not an underlying technology problem. They need to tighten up their response and escalation I guess, but nary a word about this in the lessons learned.
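      The two gaps picked out above, supplier endpoints reaching the Terminal Services server without MFA and a slow escalation of the first alert, are both things a defender can check mechanically. The following is an added example written for this thread, not code from the commenter or from the Library's report. It runs over a handful of constructed Windows-style logon events (event 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP / Terminal Services), a constructed MFA enrolment list in which end-user accounts are enrolled and supplier service accounts are not, and a constructed escalation SLA. The host name, account names, IP addresses and timestamps are all invented for the illustration.

```python
"""Added example: flag successful RDP logons to a terminal server by
accounts with no MFA enrolment, and measure how long a finding sat
before escalation.  All data below is constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed JSON-lines export of Windows logon events.  4624 is a
# successful logon, 4625 a failure; logon_type 10 is RemoteInteractive.
SAMPLE_EVENTS = """\
{"ts": "2023-10-25T21:10:03Z", "event_id": 4624, "logon_type": 10, "user": "svc-supplier01", "src_ip": "203.0.113.7", "host": "TS-01"}
{"ts": "2023-10-25T21:12:44Z", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "10.0.4.21", "host": "WS-118"}
{"ts": "2023-10-25T21:15:09Z", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.9.3", "host": "TS-01"}
{"ts": "2023-10-25T22:01:30Z", "event_id": 4625, "logon_type": 10, "user": "svc-supplier02", "src_ip": "203.0.113.7", "host": "TS-01"}
{"ts": "2023-10-26T02:40:11Z", "event_id": 4624, "logon_type": 10, "user": "svc-supplier01", "src_ip": "198.51.100.9", "host": "TS-01"}
"""

# Constructed enrolment data: end users have MFA, supplier accounts do not.
MFA_ENROLLED = {"jsmith", "akhan", "itadmin1"}
# Constructed list of hosts that provide remote access for third parties.
TERMINAL_SERVERS = {"TS-01"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Turn a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unprotected_remote_logons(events, mfa_enrolled, terminal_servers):
    """Successful RemoteInteractive logons to a terminal server by an
    account that is not enrolled in MFA.  Failed logons (4625) and
    enrolled users are ignored; each matching event is returned."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        if ev["host"] not in terminal_servers:
            continue
        if ev["user"] in mfa_enrolled:
            continue
        findings.append(ev)
    return findings


def coverage_gap(events, mfa_enrolled, terminal_servers):
    """Distinct accounts that actually reached a terminal server without
    MFA: the list to take to whoever owns the supplier endpoints."""
    hits = unprotected_remote_logons(events, mfa_enrolled, terminal_servers)
    return sorted({f["user"] for f in hits})


def hours_open(first_seen, escalated_at):
    """Hours between the first detection and the escalation decision."""
    start = datetime.strptime(first_seen, TS_FORMAT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(escalated_at, TS_FORMAT).replace(tzinfo=timezone.utc)
    return (end - start).total_seconds() / 3600


def escalation_overdue(first_seen, escalated_at, sla_hours=4.0):
    """True when a finding waited longer than the (constructed) SLA."""
    return hours_open(first_seen, escalated_at) > sla_hours


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for f in unprotected_remote_logons(events, MFA_ENROLLED, TERMINAL_SERVERS):
        print(f"{f['ts']} {f['user']} -> {f['host']} from {f['src_ip']} (no MFA)")
    print("accounts without MFA that reached a terminal server:",
          coverage_gap(events, MFA_ENROLLED, TERMINAL_SERVERS))
    # Constructed timeline: first hit Wednesday night, escalated Saturday morning.
    first, esc = "2023-10-25T21:10:03Z", "2023-10-28T09:10:03Z"
    print(f"finding open {hours_open(first, esc):.1f} h,"
          f" overdue={escalation_overdue(first, esc)}")
```

The two functions deliberately answer different questions: `unprotected_remote_logons` is the per-event detection you would run continuously, while `coverage_gap` is the summary that tells management which accounts are outside the MFA scope in practice rather than on paper. `hours_open` makes the escalation delay a number that can be put in a post-incident timeline instead of a narrative.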

  15. Doctor Syntax Silver badge

    From the incident report:

    "A few key software systems, including the library management system, cannot be brought back in the form that they existed in before the attack, either because they are no longer supported by the vendor and the software is no longer available, or because they will not function on the Library’s new secure infrastructure which is in the process of being rolled out."

    There's no substitute for having source: whether it's your own, open, available or in escrow matters rather less than making sure it will be available and can be rebuilt if needed.

    1. Bill 21

      Agreed. I used to work on systems that were in maintenance for a couple of decades after delivery. Royalties, number of developer seats, per-named-developer seats, eol libraries, deceased suppliers, annual subscriptions,... the stuff of fing nightmares. OS could be awkward to get through company policies, but once you had ... it was so not a headache.

  16. bobd64

    Your vitriol is why cases don’t get published

    “This should be a near-criminal case of mismanagement.”

    It is vitriolic comments like this that scare institutions from publishing any information at all about what happened to them. Then nobody can learn from mistakes. If you want a secure environment then you need to let people talk about mistakes.

  17. Anonymous Coward

    Hi

    Do you have a copy of “Hacking for dummies?”

  18. Vader

    Let's not get too carried away, let's get the post office issues behind us and then we can address the library. Can't have too many inquiries; the poor MPs will be overloaded and their chums can't go to jail either.

  19. Dr Paul Taylor

    So what happened?

    I have gained even less idea from El Reg's reporting of what happened at the British Library than I did for the Post Office. The link supposedly to the report is actually to another story, that still doesn't summarise or link to the report.

    I walked past the BL last week. It still has a banner outside saying that it's "open 24 hours a day online".

  20. david 12 Silver badge

    Monopoly provider

    The aim of the Library of Alexandria was to have every book in the world.

    Not "a copy of every book ever written".

    The only copies of every book existing.

    They did this with an acquisition policy that included borrowing books, then just not returning them.

    So when it burned, it wasn't just one of the largest book collections existing, it was a collection of many books that existed nowhere else.

    If the burning of the BL was comparable, more shame to them.

  21. samzeman

    > Fat chance. The best we can hope for is the recomposting of the report into endless webinars, case studies and white papers by people with something to sell. There may be decent talks at industry conferences, chapters in textbooks and YouTube videos, none of which will be seen by the top-level policymakers who are the ultimate power brokers in how an organization perceives its infrastructure responsibilities.

    This did resonate.

    I recommend "How Complex Systems Fail" - a good short bit of writing about how this tends to happen. Specifically bits about this being a feature of any complex system, root cause analysis being largely futile, and systems being able to run in a degraded state.

  22. Anonymous Coward

    Western Isles Council

    The Western Isles council in Scotland was also recently attacked, reportedly with similarly catastrophic consequences. One can’t help wondering if there were also similar reasons for their vulnerability.

    Weirdly nobody in the press seems to be talking about it, or holding anybody to account for a major failure of public services.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Western Isles Council

      I have a horrible feeling that this just keeps happening so much it's hard to keep up with. We'll make a note of it.

      C.
