
Why didn’t the British Library pay a ransom to cyber attackers?

15 January 2024

6:36 PM


‘They’ve turned one of our most important pieces of national infrastructure into an internet café,’ was how my friend Marcus, a scholar of early modern literature, put it to me, talking about the cyberattack that crashed the British Library at the end of last year. He’s not wrong. Since October, when a ransomware attack by the Rhysida criminal gang knocked all the library’s digital services offline, there really hasn’t been much more to the library’s Euston headquarters than a large airy building with a couple of expensive coffee shops.

The Integrated Catalogue, which is the means by which readers search the library’s vast collection and call books up from the stacks or down from its offsite storage in Boston Spa, has been offline for weeks. The same goes for the inter-library loans service and Public Lending Right (which administers the earnings authors get when their work is borrowed from lending libraries); as well as more specialist scholarly tools, such as the digitised versions of much of the library’s manuscripts collection and the English Short Title Catalogue, which is the most comprehensive index of pre-19th century printed materials in the language.

Put simply, that means academics (and popular historians, researching novelists, undergraduates, and anyone else whose work depends on access to our patrimony of written knowledge) have been completely jiggered since autumn last year. Books have ground to a halt. Research has been throttled. The commonwealth of knowledge has been shuttered. The relatively scant press coverage does not begin to give a sense of the scale of this catastrophe. As the library’s Chief Executive Sir Roly Keating put it in a blog last week, ‘for the past two months researchers who rely for their studies and in some cases their livelihoods on access to the Library’s collections have been deprived of it’. There’s no end readily in sight.

It was announced over the weekend that from today a read-only version of the catalogue will be back up online – so readers will be able to find the shelf marks and locations for the books they need. But checking availability and calling them up from the stacks is still going to need to be done manually, most likely with paper slips. So we’ll have a slow, makeshift version of the core function of the library. Sir Roly promises the next round of PLR payments will be sorted out by the statutory deadline one way or another. But getting the library back to working anything like the way it used to be is currently estimated to be something like a year away.

What’s more, the cost of fixing this is grotesque. The initial damage assessment alone cost the Library a quarter of a million pounds. The FT reports that the cost of getting the thing fixed – rebuilding systems, purging malware and so on – is going to be between £6 million and £7 million; getting on for half of the library’s £16.7 million reserve. That is only the direct cost to the library itself. The costs to the thousands and thousands of people who rely on the library for their daily work – some of whom have had to pay to travel to other collections to continue their research; others of whom will have been effectively out of work for months – are hard even to guesstimate.


All credit, at least, to the British Library for not taking the begging bowl to the Chancellor of the Exchequer. It seems to me they would have been within their rights: if our stupendous national collection of knowledge isn’t a valuable public resource – if it isn’t, in Marcus’s words, an important piece of national infrastructure – I don’t know what is. But nobody seems to like academics very much and this government likes them very little indeed. I expect a calculation was made that HMG would have giggled and told them to go sell some old elbow-patches on Vinted.

There are, no doubt, many lessons to be learned. Some are small ones: digital security is really important, and single points of failure are to be avoided. Others are bigger ones – namely, that we should all think twice before assuming that keeping things in digital form and digital form only is a great idea. If some bright spark had decided a decade or two ago, as seems quite possible, that a good space-saver would simply be to digitise all the non-antiquarian collections and pulp those tedious dead-tree books, the hack might have been an extinction event rather than a mere asteroid-strike.

But the question that nags at me is a less high-minded one, and it’s downstream from these other concerns. It’s to do with how, disaster already having struck, the BL dealt with it. The ransom asked was 20 Bitcoin: £600,000. That’s less than a tenth of what this debacle is going to cost the library alone. Might it not have been worth considering just paying the bad guys off in the first place?

This might, I know, seem counterintuitive. It is said to encourage criminals if you give in to their demands. If once you have paid him the dane-geld, as Kipling warned, you never get rid of the Dane. But rather like the principled prohibition on negotiating with terrorists, this notion doesn’t always survive contact with reality. We do tend to end up negotiating with terrorists (the Good Friday Agreement, widely agreed to be a Good Thing, was a result of just that). And we do pay a lot of danegeld one way and another.

Big businesses get clobbered by ransomware attacks all the time. And I was surprised to hear, talking to a couple of people who are familiar with the phenomenon, that most of them pay the ransoms like lambs. Indeed, the endgame of such an attack is as often as not a direct conversation between the chief technical officer of the victim company and the chief technical officer (if that’s what you’d call them) of the bad guys. Bitcoin safely banked, the latter genially explains to the former how to undo the encryption and get the systems back online.

The point here is that the hackers are rational actors too. Hacking the systems in the first place doesn’t cost them all that much to do. They know that it costs multiples of the ransom they ask to fix the systems that they have embuggered. They know that being widely known to have been the victim of such a hack means reputational damage to the company, and maybe even legal vulnerability (since big companies have a duty of care over their users’ data). So they reason that most companies would rather pay, and quickly, to make the problem go quietly away.

They also know that if they bank the bitcoin and don’t decrypt the files, or if they hack the same system again ten minutes later just for the hell of it, word will tend to get round. Their business model depends on having their victims cough up: which means that their business model in the medium to long term depends on keeping their promises. There are plenty more victims to go round, and the embuggerment process is cheap as chips once you have the software, so why hit the same victim twice?

When the BL’s website first fell over, then, did Sir Roly and his colleagues make some calls to companies that had fallen victim to ransomware and compare notes? Or did they don their head-torches and descend to the stacks in search of Kipling?
