British Library's candid ransomware comms driven by 'emotional intelligence'

It quickly realized ‘dry’ progress updates weren’t cutting it


CyberUK Emotional intelligence was at the heart of the British Library's widely hailed response to its October ransomware attack, according to CEO Roly Keating.

The British Library's (BL) ransomware attack last year was one of the most damaging in recent memory, at least in the UK. The transparency of the organization's response over the following months was hailed as what should be the industry standard.

Keating said from the outset the Library was acutely aware of how many partners, scholars, and researchers rely on its services worldwide, so the plan was to communicate often, even if that was just a short update saying very little.

"But I think it's probably fair to say early on it was all quite dry; rapidly we began to realize we had to be a little bit more emotionally intelligent than that," he told delegates at British cyberintelligence talkshop CyberUK 2024 last week. 

"We were having very strong feelings of frustration, anger, anxiety. Those feelings were shared by our staff, whose data had been lost. Our users' data had been taken away and published. So, gradually we increased our focus on wellbeing, paying attention to how people were feeling."

Keating said the BL started to adopt a more human voice, apologizing where necessary, and acknowledging the difficulty of the bouts of uncertainty that come with a ransomware recovery.

It all culminated in March when the BL published a candid deep-dive into the incident which laid bare the state of its aging architecture that ultimately allowed the Rhysida gang to carry out its attack.

"Our real focus, I have to say, was on those in our peer organizations, in our sector, the cultural sector, the collection sector, the library sector, for whom, although cyber is obviously part of the risk register, it's not always front of mind," Keating said.

"We felt that by sharing information where we did err on the side of openness and candor – and I'll be the first to say that not everything we put in there makes comfortable reading for ourselves – but I think that's probably a common feeling for anyone going through an experience like this.

"What we do hope is that if doing this strengthens the ability of others to strengthen themselves against these attacks, which will come, then some good will have come from this dreadful incident. The lessons are there. If you've read the paper, there are many of them. They are for us to learn, but perhaps some may have relevance for others."

BL received a wealth of support and expert advice from partners, stakeholders, and national authorities such as the NCSC from the get-go, including around public comms. It's a point Keating established clearly, perhaps to tie his account of the incident in nicely with the key messaging of the event: to build national resilience to cyber attacks by increasing cross-sector collaboration and openness.

Delegates of the UK's National Cyber Security Centre's (NCSC) conference last week were told that cross-sector collaboration is as important as ever during this limited window of opportunity to stifle China's bid for tech dominance. Keating's tale of working with numerous experts to overcome an incident and emerge stronger on the other side fits neatly with one of the event's core themes.

Full recovery 'just a matter of time'

Given the high-profile nature of the attack at the BL, there is understandable intrigue among many about when the national institution will be back to full operation.

Keating said: "Full restoration is only a matter of time, but it will take time. And although there is an atmosphere of relative normality, if you come to the BL – we're thriving in all sorts of ways – but behind the scenes, there is a much longer journey of full technical rebuild."

That rebuild will likely involve the management and retirement of legacy systems, and deploying MFA widely across the organization. These were the two main issues the CEO highlighted, referencing the full report published in March. 

Library service availability is still spotty. Its on-site exhibitions and reading rooms are still open to the public, but many of its research services that are relied upon by so many remain either entirely unavailable or partially available. 

New capability is being restored regularly though, and prospective users can keep tabs on available services via the BL's website.

Of course, the number of services available to library-goers now is much expanded from the first days of the attack, which floored everything from materials access to credit card terminals and building Wi-Fi.

Keating said the early days were a strange time given the building was open as normal, all while behind the scenes a calamity ensued.

"One peculiarity of our position was that none of the systems that were attacked affected our ability to open the building, so, at no point did the British Library North or South ever have to close its doors to the public. What was affected was the quality of service we could give," noted Keating. 

"So, it was an atmosphere of almost studied normality at some times in terms of some of our public visitors coming on site. But of course, behind the scenes, we were absolutely lacking some of the fundamentals. And I should add… at no point, being wholly conscious of public policy and as a public organization, did we engage with the perpetrators. 

"What we did have to think about constantly was storytelling and narrative and communication with our stakeholders, with our staff, with our board – everyone we work with in the British Library, [which] by the way works with partners right across the UK and across the world." ®
