
BSidesSF 2026 - Kidnapping a Library: How Ransomware Taught the British Library to... (Brian Myers)

BSidesSF | 40:44 | 13 views | Published 2026-05 | Watch on YouTube
About this talk
Kidnapping a Library: How Ransomware Taught the British Library to Follow Well-Known Best Practices
Brian Myers
Britain's national library was held hostage by ransomware, and then it did the unthinkable: it published the details. This talk tells the story that the Library's candor revealed—catastrophe, recovery, and lessons learned—with a modest dose of professional schadenfreude.
https://bsidessf2026.sched.com/event/823f07b8aae3e7fa03419e7f71543628
Transcript [en]

Well, welcome to our next session. This is really cool. I'm dead excited. As ever, if you have questions for our next speaker, please go to bsidessf.org/qna. That is Quebec November Alpha, not anything you thought I said in the weird accent. All righty. Coming up now, we have Brian Myers, who's going to kidnap a library.

>> Oh, no. Someone else did that, didn't they? I'm so excited for this. It's got British in it. So please, a big BSides San Francisco round of applause for Brian Myers.

>> Hello. While I'm just pushing the last couple of buttons here, I have a favor to ask. If someone out there would be kind enough to take a photo of me down here with that screen, it would greatly amuse my spouse. My email will be on the last slide, or you can find me on LinkedIn; there's contact information there. Thank you, someone.

A little bit here, just a basic introduction. I started out in software development. I did that for a long time and was eventually ejected into management. From management I escaped about 10 years ago into information security, where I've been happy ever since. Currently I work as an independent contractor helping companies set up and run effective, comprehensive information security programs. Just to help you out, you don't have to take notes. All the slides are already online. You can go to my website, go to the talks tab, and find the link to the slides. They're in GitHub. You can download them there. Links and everything, it's all there.

The event I'm going to narrate, to some degree, took place in October of 2023. It was an attack on the British Library. I first heard about it from this post from Bruce Schneier. He posted about it five months later, because that was when the library posted their public report on what had happened. The report is my primary source, not my only source, but my primary source for what follows. When I read Bruce Schneier's post, I was interested for a couple of reasons. One, of course, for whatever lessons as a security professional I might learn. Two, because I was an English major and this is a library. Three, because, like all English majors, I'm at least part Anglophile, and this is the British Library. So of course I was in, and I read it.

Why might this interest you? Well, first of all, there are some juicy details, things that they should have done better that it's fun to hear about. Two, there are, of course, lessons learned from those juicy details, and you might find the lessons interesting. Third, I'll offer this as a story to add to your repertoire, because very often when we're trying to convince other people of the importance of what we're recommending they do, it helps to have a story to go with it so they can see and imagine more vividly what the impact might have been. And this is a good story in those terms.

So, this is the report. It's 18 pages long. It is remarkably forthcoming. It doesn't share every single detail, but way more than we usually hear from companies after a catastrophic disaster. They have been much praised since by the press and the public, as you'll see, for their response generally, and this report was a key part of it. It's still out on the web, freely available for anyone to read. From now on, when I say "the report," this is the document I mean. As a reminder, it came out five months after the attack. The attack was in October. The report was in March.

Here's what we're going to do. I have four topics I want to cover. First is to remind you in a general way of the scope of the British Library: what their operations are like, what they do, what it represents, and a little bit about their history and their systems. That will set the scene for what follows. Then we'll walk through the attack itself. Who did it? How did it appear? What happened? How did that play out? Then we'll spend a little more time on the consequences, which were devastating to the library and the public. And finally, we'll consider the lessons learned from their experience.

So, the British Library. It is the National Library of the United Kingdom and one of the premier cultural institutions in the world. They have everything from the Magna Carta to handwritten lyrics by the Beatles. In fact, I was just reminded by a crossword puzzle this week that they also have the only, earliest manuscript of Beowulf. Among many other things. They have lots of things, so many that they have to have huge storage facilities, environmentally controlled, up in Yorkshire, where I guess the real estate is cheaper than London, and they have so much to store they have to put it up there. This is all temperature-controlled archival warehouse settings. You can see this is not the kind of stack where you send a librarian in to pull a book off the shelf. In order to get a book from this, a librarian punches what you want into a computer, and some automated forklift goes up this pile of shelves, finds the right pallet and pulls it down, and somebody pulls your book out of that, puts it in a van and sends it down to London, where you get it in the reading room the next day. That's how this works.

They have a cafe. They have an online bookstore. They put on exhibits that are sometimes very popular, like this one from 2017 about Harry Potter, which had not just Harry Potter memorabilia but also magic-related artifacts from the library's collection. Nearly a million people visited this exhibit, either the main exhibit in London or the various regional manifestations of it that went around the country. They work with international partners to preserve endangered archives and materials around the world. That gives you an idea of the scope. They have over 200 miles of books. Their collection grows at six miles a year. And they don't just have books. They archive websites. They have digitized manuscripts. They have manuscripts. They have postage stamps. They have patents. They have sound archives. It's huge. It's vast. You saw also that they have a staff and a budget that are pretty significant.

It helps in understanding what comes next to see this little partial excerpt of how the library has grown over the years. It was created by the government in the 70s, starting with a collection of books from the British Museum that they handed off to the British Library, and it has acquired collections since then like a business acquiring other companies. Clearly these were collections made by different people, different organizations, with different goals, using different information systems, that have all been brought under one aegis over the years. That's important for what's going to follow.

What information systems does the library have? They don't say this directly, but as part of my prep for this I thought it would be good to understand what was available for attack. So I went through the report, and every time they mentioned an information system, I wrote it down, and I've put it in these four groups. Basically, they have the public-facing website, which is rich. It's where readers create accounts and get access to archival materials that are digitized. For example, they have educational programs that they deliver through the website to schools that want them throughout the country. This is where you get access to digital archives. They have the point-of-sale systems on site where you can swipe a credit card to buy things in the cafe or the gift shop. They have the normal business systems that anybody would have: their own firewalls, their own office systems, HR, payroll, that kind of thing. And then of course they have their own network with the hardware they manage, which is the digital archives and the online catalogues for finding information about all their holdings. So that's their information systems.

I also wanted to know in advance what their information security program was like. So I gathered details from across the report and a few articles. Any time anyone mentioned something that sounded like part of a standard information security program, I added it to this list. From this I infer a couple of things. First of all, they know what security is. They've heard of it. They're doing it. They're not ignorant about it. They're not rank beginners. They have, for example, MFA. They have mobile device management; not all the small companies I've worked with have that yet. That's a sign of a degree of maturity. And they have a risk assessment activity, so they have some kind of governance in place that is creating a roadmap for their security program. On the other hand, the penultimate item on this list, Cyber Essentials, is an annual assessment that they started passing in 2019, and I looked this up. It's good that they passed it, good that they undertook it. It's a baseline of five technical controls defined by the UK government, targeting businesses, helping them prevent the most common internet-borne attacks. So it is not a comprehensive framework like ISO 27001 or NIST 800-53. It is a fairly low bar, and that maybe is a counter-indication to the complexity of the full program that we see evidenced elsewhere. A final indication of the degree of maturity of their program before the attack is that the Cyber Essentials standard was updated by the government in 2022, and at that point the library discovered that their legacy systems could no longer meet even this minimal bar, and they stopped recertifying. So there's a little more scene-setting for what's going to happen.

Right. So now you've seen the scope of the British Library, a little bit about their information systems and their information security program, and how they've grown over the years by acquiring collections. Let's look at the attack itself. Who did it, first? This is a well-known ransomware group called Rhysida. It wasn't mentioned in Diego's talk yesterday, but it's like the ones that he mentioned. It's been around for years. There have been CISA advisories about it, first in 2023 and then updated again in 2025. They're still active this year. In fact, I think they most recently hit the Phoenix Public Library. No, they don't specialize in cultural institutions. That's just a coincidence. Rhysida is the name of a centipede genus, and this artwork comes from their website on the dark web.

We don't have the full forensic details about exactly how they succeeded in their attack. We have some, and the details we do have are completely consistent with what CISA has described as their standard way of operating. So I'll start by giving you the standard way of operating, and that'll help us fit in the pieces we're going to see. They don't undertake the hard work of hacking in through cleverly exploited vulnerabilities in your periphery. They go the easy route. They generally always compromise somebody's legitimate credentials and log in as that person, typically someone who's not part of your organization, a vendor or a contractor. Often we assume they do it by phishing. That'd be the easiest way, but they might be buying credentials on the dark web and figuring out who owns them. We don't know exactly. But that's their standard way of working. Once they get in, they don't upload a bunch of malware right away. They don't upload tools. They use the living-off-the-land strategy, using available tools already in the operating system, to explore what's available, to move laterally, to escalate privileges, to see what access they can get and how far they can reach. Once they have done that, they copy all the data down to their servers. First of all they steal it, before they encrypt it. This is the double extortion that Diego talked about yesterday. And then, of course, they let loose the ransomware that encrypts all the files. So that's how they generally work.

Let's walk through a timeline of what we know happened at the library. After the attack, the British Library hired forensic experts to come in and look at the logs, and this is reconstructed from that effort. We know that somewhere in October, we don't know exactly when, Rhysida had access to their systems. The first verified log entry where they are certain an attacker was coming in occurs on October 25th. That may or may not have been the actual first entry, that October 25th session. Oh, there is a little note I wanted to make here. This is one of the juicy details. The attacker is logging in through terminal services. In 2022, the library implemented MFA across their system, but they made an exception for the British Library domain itself because it was a matter of practicality, cost, and impact on ongoing programs. So this server did not have MFA, which would probably have stopped the attacker, at least with these particular credentials. And in perhaps a masterpiece of British understatement, they say they were aware of the risk, it's in the risk register, but the consequences were perhaps underappreciated.

Back to the timeline. The attacker logs in on October 25th. Early in the morning of the next day, something the attacker did tripped an alarm, and someone on the library IT staff was awakened at 1:00 a.m. as a result. This person looked into the logs and could discover nothing devious, nothing obviously wrong. I mean, it was legit credentials logging in, and nothing bad had happened. At 1:00 a.m., this person, whoever it was, disabled the account and left a note for the morning crew to investigate further. The morning crew came in, looked around more thoroughly and confirmed, "Yeah, nothing bad's happened. We don't know what that alarm was for, really," and they re-enabled the account with a new password. None of this seems to have stopped the attackers, who, according to the logs, were still active for the next few days, searching, looking around, finding everywhere they could find files, persisting. When they did find files, they would grep across them. I don't know if it was grep exactly, but search for files that had certain keywords in them, like "confidential" and "passport," things like that. Just recon, still not changing anything, just looking. They do that for a couple of days, and then at 1:30 on a Saturday morning, clearly a time of choice when they hoped there would be fewer eyes on the system, the logs show that 440 gigabytes of data left the network that night. Sometime shortly after that they turned on the ransomware, which ran that night, and when they came in in the morning they declared an incident. Within an hour or two the incident response team was online with WhatsApp. Why, you ask? Because, fortunately, their incident response plan was good enough to identify an out-of-band communication mechanism for the event that all systems might be down. All systems were down at this point. No readers could register online. The online catalogue was inaccessible. Book requests could not be made. No one could get access to any digital assets. Deliveries from Yorkshire were interrupted. The environmental monitoring in the warehouses in Yorkshire was off. The phone lines were down. Everything was down. The library was blind and paralyzed. They didn't know what hit them. I mean, they could see it was ransomware, but they didn't know how far the damage had gone or exactly how it had occurred. We'll come back to some of this when we get to lessons learned. In particular, the huge blast radius needs some explanation. We'll leave that as a mystery for a few slides here.

We don't know exactly what the attack looked like in the British Library. They didn't publish screenshots, but this is a screenshot of a Rhysida attack from a different victim. What you see when you log into your systems is typically this.

Your files are still there. There are your JPEGs. There's your executable. There's your spreadsheet. But they all have new extensions. They've been encrypted. You can't open them. There is one file you can open. It's a PDF. You open it, and you get the ransom note. This is an actual Rhysida ransom note, with the particular victim redacted. I'm particularly fond of the closing paragraph, which says... I need to make this a little bigger so I can read it down here. Oh, now I've done it. That's me. My mistake. Yeah, there we go. I'm back. "Rest assured, our team is committed to guiding you through this process. Together we can restore the security of your digital environment." I just like this. Well, I would hate to find it on my machine, but, you know, the chutzpah.

Right. So the library didn't immediately know what all had happened, of course. It took them time to figure it out. The results of that investigation are here, not immediately apparent in my timeline, but for your information. What they discovered had happened was that those 440 gigabytes, actually there was a little more than we saw in that one log entry, the data extracted and stolen included files from finance, technology, and HR. That included contact info for staff, partners, and customers, which is to say PII, not in a health context, but personally identifiable information that you do not want to be responsible for leaking. That was bad. Included in this were some personal staff files, not business files, but documents that belonged entirely to some of the staff. We will come back to that again towards the end as well. The library says that they destroyed data, obviously, by encrypting it. They encrypted files and backups. Some backups were encrypted. Ultimately, the library got all their data back, or at least enough. That turns out not to have been a cause of long-term damage to the library, but they did destroy data. More devastating, it turns out, is that the report says the attackers destroyed servers. Now, obviously, they didn't go in with a sledgehammer and destroy them physically, but they did the moral equivalent by doing things like aggressively deleting logs and partitions. They don't go into details, but given the history you saw of how this organization grew, it's pretty obvious that part of the problem was very old systems that were out of date, with, like, old versions of databases, maybe, that are no longer supported. Maybe there were some custom device drivers that were hard to restore. Whatever it was, some combination of factors like that made it impossible for them to restore significant amounts of their infrastructure. They had the data and nowhere to put it. Right?

You're probably curious about the ransom. I was. First of all, let's say Rhysida didn't know it, but they had no chance of getting ransom from the British Library, because there's a general UK government policy that no publicly funded organization shall pay ransom. We don't know exactly what the ransom demand was. I have a little clue in a minute, but we don't know what it was. We do know that Rhysida hoped that they would get it, and apparently unpublicized negotiations must have gone on, or demands must have been sent, because at a certain point, several weeks later, Rhysida took 10% of the data that they had stolen and put it up for sale by auction on the dark web. This was clearly a negotiating tactic, saying, "We're serious, and we're going to start putting the pressure on you. You'd better pay us." A little more than a week later, they appear to have given up and realized they weren't going to wring milk from this stone. And in revenge, they dumped all the data. They just gave it away. All the data they had stolen, put up on the dark web. That's the end of the ransom story. The ransom turns out to be only a minor incident in how this story plays out, but I was sure you'd want the details.

So that's how the attack played out. Who did it? What happened? What it looked like on the receiving end. Now, let's think about the business recovering from that state where, on October 23rd, whatever it was, they were blind and paralyzed. What happened? How did they recover? Well, they were down for the weekend. On Monday morning, they opened in what the report calls a pre-digital state. No computers, no devices, everything on paper. You could get books out if it happened to be a book that was already in the reading library in London, right there with you. Nothing else. A couple of days later, they say all corporate desktop and laptop use ceases.

I assume that means they repossessed all company-issued devices and reimaged them, which would be a smart move, but it's more interference with the daily work of the library. You know, how are employees getting their work done at all? And none of their customers are getting the service they expect. And this is very visible to the public. We'll get there. It took them a couple of weeks to be sure they had a good enough idea of what had happened to be able to make a public statement. So it was November 15th before they went out to the public and said, "Yeah, I know you know, but here's what happened. There was ransomware. We know that data was stolen. We know a little bit about that data that was stolen. And even now we are still figuring out what exactly happened and how extensive the damage is." That's two weeks later. By January, some online catalogue access was restored. By March, five months later, about half of the catalogue was restored. And remember, the catalogue is only a part of their business. That doesn't mean the business is half up. It means even the catalogue is only half up. This was all over the press even before they made their public announcement. Just think what it would be like to work at the library if you were on the security team, if you were on the IT team, if you were in any role that had direct contact with customers. This went on, as you've already seen, for months. This was a difficult situation. It came out in an interview published in The Register a little later that one of the things they had to spend a lot of time on, the security team I guess, or the execs, was figuring out how to communicate this story as it was in progress to all the various internal and external constituents: to their own staff, who were upset, naturally; to their IT staff, who were putting in long hours in crisis mode; to the government; to the press; to their board of directors. There was a lot of communication work, which, by the way, they seem to have succeeded at brilliantly, and we'll get evidence of that a little later, but I point this up because... well, we'll come back to that.

Here's a very rudimentary diagram, my diagram, of their systems, just to remind you. The way this works is people log into their network from their own machines through VPN onto their own network, which I've called a data center. I know they have hardware; I assume it's in a data center. They don't talk about that exactly. That's where their library management systems are. And their office systems, email and finance, were presumably SaaS applications. They were in the cloud. Those email and finance systems, those business systems, were what came back first. They came back rather quickly. So this is a good story for the security of SaaS operations. If you suffer a ransomware attack, there's a good chance your SaaS products, those parts of your system, may not be affected. What was affected were all the machines the library themselves managed, which is to say the machines that did cataloguing, circulation, interlibrary loan, acquisitions. All the basic core functions of a library are what were most affected and slowest to restore. I've already talked about this a little bit. This was just the point that their legacy systems were unrecoverable, and I don't think I need to say more about that on this slide. Here's their words about it: "The destruction of servers had the most damaging impact on the library." You know, this is not what the attackers were aiming for when they went in. I'm sure they weren't thinking, "Oh, if we attack them, we can destroy their servers." No, they don't get money by doing that. That was an accident, a byproduct of the attack. And that was the most devastating thing that occurred to them. Obviously, we'll be picking up more information about this as we go through the story.

So when the report came out in March, five months after the attack, this was the state of things. Half of the physical collections were inaccessible, even to staff. The website was still down. They were not digitizing any artifacts anymore; that effort had stopped. They were still slowly bringing back the digital collections. No researchers had access to even the most fundamental resources. The print legal deposit is an interesting little Anglicism here. Like the Library of Congress, the British Library automatically receives copies of any published books in large parts of the UK. That means they have this influx of materials they're constantly needing to digitize, add to their catalogue, and process. And the effort of keeping up with that work completely stopped, meaning the backlog was continuing to grow hugely day by day. This is devastating in all kinds of little, wrinkled, unpredictable ways.

The March report said, "This is our recovery plan." They said, "We're done with phase one of recovery." Phase one was short-term restoration of minimal necessary functions, and we got through that. Phase two, they said in March, we're still in the middle of. Phase two is a phase of adapting as best we can to the new state of things: not making everything work, but seeing what's recoverable and at least pushing that back up into some kind of workable order. They were still trying to get even that goal done in March. The big green bar at the bottom, an effort scheduled to end in the middle of 2025, was the effort to completely rebuild their infrastructure from the ground up, in the cloud, in a consistently secure manner. And they said that will take us 18 months. Imagine taking this result to the CEO at your business after a disaster. Time to recovery: a year and a half. Estimated total cost: 40% of our cash reserves. And I'm pretty sure they slid across both those numbers. We'll see why, I guess, as we go ahead. That was huge. And of course those were only the direct costs. There were huge indirect costs as many things were disrupted. Just to take one unpredictable little thing I wouldn't have thought of: the British Library, unlike any American library, actually pays authors every time their books get checked out, to kind of make up for the fact that nobody bought the book; they checked it out from the library instead. They're not large payments. Unless you're a very popular author, it doesn't come out to anything like a living. But, you know, authors are often not well-paid people, and those payments are very important to some people. Those payments had stopped. Just one of many little things that have ripple-on effects on people outside the library.

And with that, we're to the end of things from the report itself. I'm skipping ahead to things that came out after the report. So, this is from August of 2024, a couple of months after the report. It came out in an IT magazine that at that point the library had money and was ready to hire a bunch of contractors, clearly to help them with the security rebuild. Great. I'm sure they needed people. I'm sure they needed expertise. This is an excellent sign. However, remember that at this point they're roughly halfway through that 18-month projection. If that's the point where they're starting to hire people, my guess is they're already a bit behind that 18-month projection. The same month, the library itself publishes this, saying, "Oh, hey, yeah, the school year is coming up, and great, here's what we'll have ready for you. Our most-used educational resources and digitized manuscripts are back online." Yeah, the Yorkshire stuff isn't fully available there, but our most-used stuff you'll have. That's almost a year after the attack, and that's the stage they're still at.

The Information Commissioner's Office is the British regulator that's basically their GDPR regulator, and it can do things like investigate breaches and impose fines. In April of last year, this is more than a year after the attack, they announced, "Okay, we are done investigating the British Library." And it's notable that they say, first, "We commend the British Library for being open and transparent about its system vulnerabilities." They are complimenting the report that we've been considering, which indeed had been well received by the public and the press. If you want an example of how to do good corporate communications after a catastrophe, this is not a bad place to look. Conspicuously absent from this ICO announcement is any mention of a fine. They got off without a fine. And this is generally perceived to be in recognition of how well they did in trying to address everyone's concerns, explain what had really happened, and be transparent about it.

There were some updates starting in November on the British Library website, so this is November 2025. Now we are two years after the attack, and they are still explaining to users what is and isn't available. In March, that is, last week, I went and looked at the website, and I took this little screenshot at the bottom of their homepage, where it says "About us," the last item. They still find it necessary to have a link to where you can get information about the cyber attack that happened over two years ago, because they are still explaining to you now what you can and can't get to. So, you might have thought this was an incident two years in the past and I was giving you a bit of history. This isn't done. This story is ongoing.

So there are the consequences. Let's finally consider what they said were the lessons learned. The root cause, first of all. They put this in three bullet points; I'm going to paraphrase. I think the first two bullet points are basically saying: because so many of our legacy data operations are still manual, properly isolating network segments was impractical; therefore, once the attackers were in, they had a relatively easy time finding everything. So that's the root cause that accounts for the size of the blast radius. That's why all systems were down. Once they got in, they had access to way too much. The third bullet says that the attackers destroyed servers we can't rebuild. We've already talked about that. That, of course, is why it took so long to recover.

Then they say, here are 16 things we learned. I won't read them all. You don't have to read them all on this slide. I just wanted to give a short overview first. We're going to look at them in groups on the following slides. Almost all the items in this list map clearly to well-known best practices from common security frameworks. For example, here's a handful of them, maybe two handfuls of them, and just for fun I have mapped them to NIST 800-53 controls, because that's the first framework I worked with. You could easily do this with any comprehensive security framework, such as ISO 27001. Maybe it's worth calling out one in particular here, 15, near the end: "Collaborate with sector peers" is something they said they should do that they had not done, or not done enough, which means they felt that if they had talked more to their sector peers about what they were doing with security and what they were worried about, it might have helped them manage their own security posture. Yes, I see you. Yeah. Okay. And clearly writing that report and publishing it was a strong move in trying to further inter-agency communication about what we should be thinking about. So the report is a big move on that line.

These three I won't dwell on too long, but they're important because they're the three that directly address the legacy system problem. So it's interesting to see what they think needs to change in order to avoid a recurrence, because this might be one of the main lessons for other agencies too. And, you know, it's predictable: they need to manage system life cycles, know when a system you have is going out of date, put that into your plans, and make replacements, upgrade it on a planned schedule. Prioritize remediation of issues arising from that life cycle awareness. And prioritize recovery. They need to test resilience as well as, you know, confidentiality. These two are the only two that don't map really well to existing framework best practices. There are general areas they fall into, and I've marked them, but they're particular little interesting wrinkles, and they both have to do with the library staff. I've already commented that this was a long-lived crisis that clearly took a toll on the staff for a long time, and one of their lessons learned is they need to adapt their incident response plan to include in it ways to address the

well-being of the stress overstressed staff and the longer the crisis goes on the more something like that is necessary. Um and the second one has to do with the fact I think I mentioned it earlier that the some of the stolen files were personal uh files belonging to the staff. It turns out that the British Library by policy explicitly allowed staff to have their own files in some areas of the library's um IT systems. There were some designated areas where you were allowed to put your own files and some of those files were stolen. Imagine if you put, I don't know, your passport application, I'm making this up, on your company's box folder and a

ransomware attack led to your passport application being stolen. You might have a word or two to say to your security department and your execs. Um, and uh they decided that one of the lessons learned is that they would review their rules of behavior. Um, review the acceptable personal use of it. Um this last one of that this particular part is my favorite of the findings. Um it relates to a conversation that obviously occurs at any organization that has a catastrophe like this. And the report doesn't say exactly how this played out in the British Library, but in my head the way it goes inevitably is the execs come down to the security team and they say, "WTF?

This is what we were paying you to stop. What happened?" And the security team of course says, "What do you mean? It's in the risk register. We told you we need MFA." And a business decision was made that that was too expensive to do. And of course the execs would inevitably say, "Don't you think if you'd told us the library would fall over, we'd have stepped up?" So these two findings are the resolution of that that little discussion, however it it occurred. On the one hand, they're saying, "Okay, yes, we will do a better job of trying to explain to you what exactly the risks are all throughout, you know, reflect the whole risk profile

of this company to you. You on your part, I'm obviously situating myself with the security team. You on your part will do a better job understanding what we're telling you, right? That's how I read these two. These are the remediation actions they said they would undertake. And I think at this point there are no surprises. I don't need to call those out to you. I don't think there's anything there that would surprise you. I mean, obviously one of my favorites is the last one, stronger and more embedded governance structures. What does that mean? Um it means that uh the governance structures are the ones that um are responsible for executing security for keeping the risk

profile in a a known state and those highle concerns need to be embedded driven down further and and strengthened at lower levels in the organization. This is what every security team always wants and you know a disaster like this gives you a chance to make that point. Um I praise the library for this bit too for the the the risk analysis at the end of the report includes these points. They say given the experience we've just had and the initiatives we've just put in place we have some new risks to account for and I'll just talk about the first two here. The first one is that you know we were just very publicly the victims of a catastrophic attack. Now

anyone who paid attention to that attack knows very well that the ransomware was not the ransom was not paid. though ransom people may not be targeting us as much anymore. On the other hand, there are other attackers whose goals are different to create chaos, to harm reput rep uh reputation, to affect the annoy the British public, the British government. Those kinds of attackers may be more motivated to consider us and so our risk profile has perhaps just changed a little. They also say, you know, we've just, this is in the report, they still think that it'll take them only 18 months to rebuild everything. They say that is a long time. During that time, all of our

many of our functions will not be fully normal. There will be a great deal of very reasonable pressure from all sides equally shared to wishing we could get back to normal as quickly as possible. And there is a risk if we allow that wishful thinking to force us into shortcuts to bring the the uh schedule in, we risk compromising the degree of security we hope to achieve. And that in itself is a risk. I think that was a good call. Finally, and we are getting to the near the very end here, there's this statement from the report. Uh it basically says, you know, this was a substantial disruption and it gave us the opportunity to address structural

issues, deep structural issues that otherwise would have been too disruptive to address. And I can put that in much simpler words. And this after all is the moral of the talk. It's the reason I thought it would be useful uh some good use perhaps of your time to sit here. This is a a crisis that they have shared the results of and let's not let it go to waste. Take whatever lessons from this might be relevant to your organizations. Take the story itself and spread it around to anyone who needs to hear it. I deeply admire the British Library for making enough information available to us that we could see their post-mortem this way. Uh if you want more information, here

are links if you download the slides. Those are working links to the the report itself and a subsequent um government report uh report from the library to the government with some more details. There's guide for stopping ransomware on CISA if that's a place to start if you're looking for that. And if what you really want is more technical detail about how the ransomware worked, um, Sentinel 1 and Fortnet have that for you. And that's it. This is how you can reach me. I would love to hear from any of you. If you have any observations or other stories or questions you might want to uh ask, this is where you can find me. And if you have pictures of me

from the talk that I can amuse my spouse with, this is where to send them. Thank you very much.

Thank you, Brian. That is a topic dear to my heart. It's such a great story, isn't it? It really is. Not everybody responds that well. So I haven't got any questions in the slides, but do we have any questions in the room? Do you want to wave your hands around? It's gone very quiet. I can't... Oh, I can't see. So there's that. So if you are waving, wave. >> That's okay. If you think of any more later, I'll be upstairs having a beer pretty soon and you can find me there. >> That sounds amazing. Here's a little thank you from BSides San Francisco to you. >> Great. Thank you very much.

>> Thank you. And again, a big round of applause, please, for a great talk. Thank you, Brian.

>> Amazing. Thank you. Love it. I've probably got some announcements for you. Head shot, that's one of them. There's the clip lord.
