Our Website Is Currently Unavailable: Cyberattacks on Cultural Heritage Institutions

Cyberattacks on museums, libraries and other cultural heritage institutions are a growing concern. While protocols for physical attacks or disasters are often well-established, the same cannot be said for virtual threats. If we want to proactively reduce risks, we need more than just firewalls – it’s the “human factor” that demands our closest attention.

This post is part of a series that provides think pieces and resources for academic librarians.

As 2017 was nearing its end, I arrived at the museum one morning to find our digital systems entirely offline. Shortly afterwards, IT informed me we had received a ransom note via email. The email looked completely unprofessional. At that point, I naively expected more elaborate hacker correspondence. I only believed it for myself upon seeing the corrupted and missing files in the repository. Having been involved with the digitization of museum materials from the very start, I can clearly recall the effort, time and funds invested. But believing that we had a serious backup, I wasn’t so much concerned as surprised. The despair came later when I realized that the backup wasn’t as safe as it should have been. We lost a lot of data and a large part of our digital assets, which in turn affected our museum business.

Fast-forward to the early days of the Russian invasion of Ukraine in 2022. I received several messages from my colleagues in Ukraine asking how best to prepare their digital objects and museum information for evacuation. Most of it was stored in the cloud, which was inaccessible due to constant cyberattacks. There were also questions related to digital heritage and its preservation in the event of a very physical war. No questions were asked about the evacuation of tangible museum objects.

“Losing online business to a cyberattack is not just an economic and legal issue.”

The spate of cyberattacks on cultural heritage institutions shows little sign of abating. Just last November, the website and internet services of the British Library were rendered inaccessible for weeks following an attack. Losing online business to a cyberattack is not just an economic and legal issue. Security breaches also erode confidence in libraries, which according to statistical data from the UK, enjoy high levels of public trust.

Besides the high risk to users’ and employees’ personal data, attacks risk the loss of material that exists only in digital form; those items either born-digital or digitized material for which the original is damaged or lost. The solution for the latter is solid, multiple and up-to-date backup systems. But when it comes to personal data and credit card details – valuable resources on the black market – the solution becomes more complex and requires technical knowledge.

I don’t presume that these examples are generalizable. But they are illustrative and, from my perspective, eye-opening. They demonstrate how the subject of digital heritage preservation and protection against cyberattacks is an issue of concern for all cultural heritage institutions – especially for those who have developed a mature digital identity and provide comprehensive digital content and user services.

Considering the Human Factor

Coming from the cultural heritage sector, I’m well-versed in the regulations and procedures regarding the safekeeping and protection of cultural heritage. Or, to put it in legal terms, cultural property (though the two labels aren’t entirely interchangeable). We all know what to do in case of a physical attack or other disastrous event. Indeed, the rules to be followed are quite clear and internationally recognized – if not always obeyed.

But how many of us have adopted procedures or guidelines around long-term preservation which also account for cyberattacks? How about measures which mitigate risk to digital assets? And when we discuss digital heritage, do we conceptualize it simply as data in cyberspace? Or should the term encompass an understanding that data itself is an asset? An asset in which we invest significant time and money – and one whose future-proofing requires reliable and trustworthy maintenance over the long term.

“IT security is only as good as the people working the systems, and the quality of cybersecurity thus depends on educated stakeholders.”

If cultural heritage institutions are to adequately prepare for and react to cyberattacks, they require both immediate access to IT support (which requires additional funds) as well as employees who are educated in cybersecurity, regardless of their primary work responsibility. IT security is only as good as the people working the systems, and the quality of cybersecurity thus depends on educated stakeholders.

As the human factor is considered one of the primary vulnerabilities to cyberattacks, it is an area where heritage institutions ought to invest effort to mitigate risks. They can do so by providing employees with access to widely available (and often open) educational programs. All cultural heritage professionals should be aware of common threats, such as the leakage of private data (information disclosure), repudiation (acting without confirmation), tampering (modifying data or requests during transmission), spoofing (impersonation), not to mention the new threats which will surface in the years to come.

As a result of my research and close observation of the changes in cybersecurity awareness, I can offer some basic conclusions:

  • Each heritage professional needs to have basic knowledge about cybersecurity issues.
  • Employers should provide access to mandatory cybersecurity courses so stakeholders can be aware of where and who might be the weak link.
  • Digital preservation has a physical dimension as well as a virtual one.
  • Protection never ends; it is a repetitive process with improvement as the final goal.
  • There is no such thing as a perfectly secure system, the best you can do will determine the quality of your future protection.
  • Entrusted with valuable cultural and research data, we bear the same responsibility for its protection as we do for precious physical objects. Thus, we need better regulations, international agreements and practical guidelines on digital materials.
  • Regular risk assessments should be a routine practice for both physical and digital assets.
  • Educate and test your employees and collaborators.

Since the needs and capacities of every institution are different, it’s essential to investigate and research each case to arrive at an optimal solution. But we should also try to detect patterns and similarities in the problems we face and the remedies we find. Only in doing so can we hope to establish common guidelines and principles of protection against cyberattacks in the cultural heritage sector. Awareness is evolving daily, but so are new malicious methods. We should try to keep pace.

[Title image by duoogle/iStock/Getty Images Plus]

Tamara Štefanac

Tamara Štefanac is a senior archivist and curator at the National and University Library in Zagreb, Croatia. Previously, she was the director of the Croatian Railway Museum in Zagreb. She holds a PhD in Archival Science from the University of Zadar, Croatia, and she is the current President of the The Croatian Committee of the Blue Shield.

Pin It on Pinterest