by aiiotnoodle 830 days ago
A lot of this sounds like they were under-resourced and the business increasingly adopted new technology with no ongoing support for their IT infrastructure.

> These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.

> There is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current, with increased levels of lifecycle investment in technology infrastructure and security.

> Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack.

A lot of lines like the following also indicate to me that IT was increasingly involved in fighting fires and maintaining operational systems ("keeping the lights on") rather than deploying new infrastructure and automation, updating software, etc.

> Some of our older applications rely substantially on manual extract (...) which in a modern data management and reporting infrastructure would be encapsulated in secure, automated end-to-end workflows.

Modern business is IT, I know that I am preaching to the choir, but this sounds a lot like their IT was seen as a cost.


> However, the first detected unauthorised access to our network was identified at the Terminal Services server. This terminal server had been installed in February 2020 to facilitate efficient access for trusted external partners and internal IT administrators, as a replacement for the previous remote access system, which had been assessed as being insufficiently secure. Remote usage expanded during the subsequent Covid-19 pandemic because of the greatly increased requirement for remote working and the range of IT projects being undertaken with third party support.

While I'm certain they are underfunded and overworked, this sounds like they had an internet accessible terminal server. I'd like to imagine IT screaming this is a bad idea but a suit somewhere saying they needed easy access for partners. I can only imagine how insecure the solution they replaced with this one was.

The British Library is closer to academia than business. Their IT provider is a state-adjacent entity: https://en.wikipedia.org/wiki/Jisc .
I think it's part of a general trend where UK govt institutions have notoriously poor IT, usually consisting of semi-obsolete infrastructure, multiple legacy systems, sticking-plaster upgrades, one or two new state-of-the-art bits where budget is available, etc. Consider the NHS, the MOD, DVLA, etc.
I would be fully supportive of the GDS (https://www.gov.uk/government/organisations/government-digit...) taking on additional responsibilities and providing support and assistance to other government agencies. gov.uk is almost universally praised by the general public and tech people.
Agree, but they can't really do very much about the massive number of legacy systems in departments that can't or won't spend money to modernise. My favourite example to hate is the Driver and Vehicle Licensing Agency which tracks different things in multiple systems, and still requires snail mail interactions (!!!) for some services, such as reclaiming a license after a medical suspension (personal experience). To DVLA, people like me are a pure cost, as are the systems that record my data.
Having experienced both the DVLA and (California) DMV, the DVLA feels miles ahead, like it's living in the future.

Things like finding out the status of a renewal involved finding a fax machine, everything but the most trivial renewal (say, renewing if you're on a work visa) seems to be done in person with handwritten paperwork, and the amount of busywork that seems to be done by hand by the DMV agent is quite easy to blame for the impressive wait times, multiple hours even if you have an appointment.

My DVLA renewal was trivial comparatively, they could even use my passport for an updated ID photo. But maybe if you're not a UK citizen they also make you jump through weird hoops?

I'm not saying that the DVLA is good, just that it could be even worse.

> I'm not saying that the DVLA is good, just that it could be even worse

Some things they do reasonably well, yes. But edge cases like mine are the pits. To get a licence back after a medical suspension involves DVLA and the NHS posting physical letters to each other! It took 5 months for this purely admin process to complete, after I was medically fit. Grrrr. That is a long time to be denied the right to drive.

I've known people who have worked in IT in national museum settings, and from what I heard it sounded like a mix of traditional IT support—ensuring the lights stayed on, printers could print, emails and phones worked, and a very simple website stayed online.

Some aspects sounded quite interesting, but these weren't places pushing the envelope in any aspect of technology. I'm sure they were running outdated software and configurations on everything, but IT was closing their tickets and meeting their SLAs. And with no disrespect, these people weren't necessarily disruptors looking to shake up and modernize the museums' infrastructure and take it into the future either, they just did their job to the best of their ability and went home at the end of the day.

To generalize, I find that this usually holds true in a lot of non-tech industries, and IT is generally seen as a burdensome cost as opposed to an enabler of business.

The British Library has pretty complex systems because of the vast size of the collection. Some pretty interesting stuff:

https://www.youtube.com/watch?v=ZNVuIU6UUiM