Chris Inglis Joins the BBC Talking Business Program to Discuss Global Cyberattacks

Hello and welcome to Talking Business. Here’s what’s on the program this week. It’s been a year of hacks, attacks, and ransom demands. Cybercriminals have compromised government systems, critical infrastructure, and businesses around the world in 2025. So will 2026 see more chaos or more control? We’ll get an insight into how the attacks work from the BBC’s Joe Tidey, who’s been reporting from the cyber frontline all year. PAC has even offered Joe a massive bribe to help them infiltrate BBC’s systems. And later, I’ll speak to Chris Ingles, who was America’s first National Cyber Director, and ask what business leaders can do to keep our data safe and their operations up and running. Finally, we’ll take a break on the ocean with our boss this week, Anna Nash, who’s the president of the luxury cruise company, Explorer Journeys. Wherever you’re watching, welcome to the program. Now towards the end of 2024, the US Treasury Secretary Janet Yellen and the UK’s chancellor Rachel Reeves met at the International Monetary Fund—two of the world’s most important financial leaders. But little did they know they were about to have their cyber defenses breached. In January, reports emerged that criminals had accessed files belonging to Yellen. And in November, Rachel Reeves stood up to deliver her long-awaited budget only to admit that journalists had already accessed and published the details after documents from a government agency were obtained online before she’d even announced them. Well, in 2025, around the world, hundreds of systems and businesses and governments have been accessed by criminals. We know the damage runs to billions of dollars. Here in the UK, the vehicle maker Jaguar Land Rover had its manufacturing halted for weeks, impacting more than 30,000 staff and more than a 100,000 more in its supply chain. It was so big that the government backed a two-billion-dollar loan to get production back up and running. The cost was so great, it was one of the main reasons given for the UK economy shrinking in October. But JLR was not alone. High profile retailers like Marks and Spencer, the Co-op, and the luxury department store Harrods, all had their systems breached and customer data exposed. Hackers even broke into a children’s nursery chain and threatened to release details of their children and their parents if the business didn’t pay a ransom. And in similar scenes around the world, Asahi breweries in Japan stopped production. Millions of customers of Australia’s Qantas Airlines were contacted following a data breach, and hackers even got into the systems of the business software giant Oracle. In Europe, travel at major airports, including London, Berlin, and Brussels, was thrown into chaos after an attack on software used at check-in and baggage handling. And in just the last few weeks, Germany’s foreign ministry has warned Russia about the consequences after the cyberattacks on its air traffic infrastructure. Martin Giese, German Foreign Ministry spokesman, says, “For some time now, we have been observing a massive increase in threatening hybrid activities by Russia. These range from disinformation campaigns to espionage and cyberattacks to attempts at sabotage. Based on a comprehensive analysis by the German intelligence services, we’ve been able to clearly identify Moscow’s signature and prove its responsibility. Russia is thus posing a very real threat to our security, not only through its war of aggression against Ukraine, but also here in Germany.” So a combination of hostile states and bands of hackers connected by the Dark Web continue to threaten the digital security of our critical systems. Most often for businesses, a hack is followed by a demand for money when a hack has threatened to expose customer data or sensitive information if their demands aren’t met. Well, one reporter here at the BBC has been in close contact with the hackers all year, and he joins me now from San Francisco. Joe Tidy, BBC Cyber Correspondent, welcome to the program. Good to have you here. And look, you found yourself at the center of a story in a very different way this year. Didn’t you just explain what happened? Yeah. It was this absolutely bizarre situation where a hacking group that called itself, Medusa, which is a gang that I have heard of and I knew of them. They contacted me on Signal out of the blue, completely random. And I do have interactions with cyber criminals quite regularly as part of my job. But this one was very different because they said to me, how would you like to give us your login credentials for the BBC? And we’ll give you a cut of the ransom that we take if we hack the BBC. And it led to what was a fascinating insight into something that we don’t really hear about very much, which is called the insider threat—the idea that hackers can sometimes and do sometimes make deals with employees of organizations in order to get inside a company or a corporation or whatever it is, and then hack them. And I obviously followed all the BBC rules and I spoke to my boss about it in the early stages saying, look, there’s a potential here for a very interesting story. I’m gonna play along. They offered me 25% of any ransom that they would extract from the BBC, which if you think about it, you know, it’s a lot of money. They said to me that we can retire you. They were very persuasive all the way through trying to get me to hand over the keys to the kingdom. Because I think what they thought was they would get inside the BBC using my login and then find their ways into the bowels of the corporation and then encrypt it and steal lots of data and carry out a ransomware attack. And then potentially, you know, try and extort the BBC for tens of millions of pounds in, probably, Bitcoin. So we normally do. Obviously at no point did I ever consider going through with this. And I was sort of stalling towards the end of the experiment and they got very impatient and they carried out what we call a multifactor authentication bomb—an MFA bomb—where they tried to force my hand, which was a very interesting experience to be on the end of. And just explain what happened there, Joe. They got very angry with me because I wasn’t carrying out their requests in the timescale they wanted me to. And they carried out this thing where they repeatedly try and reset my password, and it comes up with lots of password requests on your phone. And it effectively made my phone unusable because I knew what was happening—I knew what an MFA bomb is from previous attacks—and I didn’t want to press anything in case that would give them the foothold they needed to get inside the system. So instead I called the IT team, the cybersecurity team at the BBC, who were absolutely excellent. We agreed that we would just kick me off the system, just as a precaution to make sure everything’s safe, and everything was safe. They didn’t have my password or anything like that. All they had was my email. As I said, I’ve reported on these kinds of attacks before. I sort of know how they work, but to actually have it happen on your phone is very, very, unnerving, actually. We often think that these things are so sophisticated, but sometimes the weak link are just people clicking on malicious links. Yeah. And that honestly is the number one way, really. You know, it’s phishing attacks against individuals and the very occasional deal that I do think is rare. But it is humans. It’s people, accidentally letting other people into an organization. How would you assess the changing nature of the risk as well, Joe? Because obviously on one hand you’ve got bad actors within organizations or countries in some respect. Then on the other hand you’ve got maybe what we’d like to think are teenagers in back bedrooms just trying to cause disruption and maybe extort a bit of cash. Where is the greater threat, do you think? I still think the greater threat to an organization is from the professional cartel—like organized crime gangs who are mostly Russian speaking. That is where most of the attacks are coming from still. And it has been like this now for the last five, six, seven years. They are the ones who are ransomwaring lots and lots of companies, breaking in, stealing data, installing ransomware across the network, and then extorting them for Bitcoin. That is the number one way that corporations are being hit. But I do think we have seen this year, and it continues to happen, where there’s been a resurgence of teenage hacking cybercrime. There is an element of chaos and anarchy with these teenage gangs because they are kids and they are mucking around. And as well as having eyes on your data for money, for monetary gain, they’re also in it for infamy and for chaos. And that’s how we’ve seen some of these attacks this year sort of go off the rails really and become very, very, impactful across society. And also we’ve seen some strange scenarios where hackers are bragging about it online. And of course, you’re aware of that huge debate about whether it should be made illegal to pay a ransom because clearly, if you take out that financial benefit or that that reward, you know, it reduces the incentive to do this sort of stuff. But you can also understand why firms would want to pay just to get access to their systems back as well. Where do you sit on the validity of that argument? I’ve been reporting on cyber for over 10 years, it’s been, you know, the dominant debate of the last probably five. What can we do to stop this cybercrime ecosystem from flourishing? Paying, as we know, encourages them. And also, you know, the idea that if you pay them at all, everything will be fine again. That’s not really what we see. Even if you pay, a lot of your data will be unrecoverable—not a huge amount, let’s say, you might get 70% of your data back. And we know now from takedowns of some of the biggest gangs like Lockbit, for example, that the hackers say they delete your data, but they don’t. I think we are no closer to answering that question of, should we make payments illegal. I know in Australia there’s some moves now to make it so you have to declare. And in the UK there’s an idea as well that we are making it so that you have to say—you have to tell the authorities if you do pay. I’ve been speaking to ransomware victims and I spoke to one CEO from a Swiss company and he said, I wasn’t gonna pay because my morals are such and I know that it doesn’t help things. But then I looked out across my staff, all worried during this heightened time of chaos and disruption, whether or not they lose their jobs. I thought if it means saving their jobs and saving my company, I will pay. And that’s the situation that so many corporations and organizations are in when they have that horrible situation of being brought to their knees by cybercrime. And of course, as we look into the new year, given what’s happened in 2025—be that attacks on big manufacturers like JLR, retailers like Marks and Spencer, airports, air traffic control—I wonder whether those huge examples are a wake-up call to firms that they really need to take this seriously. And, of course, you talk to any big business and they say it’s their first priority—but this is the reality check for them, isn’t it? That if you don’t get your house in order, you could be next. Yeah. I think there’s a big difference, isn’t there, between corporations having cyberattacks on their risk register and having headlines where, you know, you really do see the impact of cyberattacks. The M& S and Co-op and Harrods wave of attacks in the spring were an absolute wake-up call for so many people, so many businesses. And quite frankly, you know, the general public as well, in the UK and around the world, when you’re seeing these household names have major problems with distribution, you can’t even get some food and things to stores, empty shelves in shops, can’t use services. That has been really shocking, I think, for a lot of people. And then, of course, you got JLR, which for the first time had a genuine impact on the GDP of a country because it’s had such a terrible impact on the company and they can’t build cars, which affects the UK economy. So I think there is a moment now where I think people will be waking up to the potential, you know, absolute, dangers of cybercrime, not just affecting business and not just affecting sort of your bottom line, but also affecting society as well. Really good to talk to on the program this week. Thank you. Joe Tidy there. In 2021, then-president Joe Biden appointed America’s first National Cyber Director, whose job it is to coordinate national cyber policy, strategy, and defense. That person was Chris Inglis, who now works, among other things, as a strategic adviser at the cybersecurity firm Semperis. Chris Inglis, welcome to Talking Business. Good to have you here. Give me a sense right now of the scale of the threat from cybercriminals and how the nature of that threat has changed. I’d say the scale of the cyber threat, particularly ransomware, is ever present. That sounds like a bit of a dodge, but it’s up. And I think it’s much more sophisticated than it’s been in recent years, largely because there are so many more that are attempting to practice that and because generative AI has made a difference. It hasn’t introduced new and novel attacks, but it’s made it easier to determine how to replicate something that sounds like it’s coming from inside your company and easier to scan the perimeter of your company so that you can make that attack. Would you argue that organizations and governments are suitably prepared and suitably protected, or are they still on the back foot when it comes to dealing with the nature of that threat as it changes? If you think your way through what your dependence on digital infrastructure is, you can be—if you take the measures in advance, to meld not just your skills, your assignment of roles, responsibility, and the use of technology. And you can be if you prepare for the event such that you can detect, engage, and evict this at the earliest possible moment. But most companies are not prepared. Most companies don’t take those steps in advance to understand what their dependence on this is, what they would do to defend that dependence, and what they would do in the moment, if it happened to them. What is the hardest bit to get right to really secure an organization? The hardest bit to get right is to think of this not as a cyber issue or, for that matter, a cybersecurity issue, but to think of this as a dependence on some critical asset within your company. The fix here is not simply for IT experts or cyber experts to undertake. Everyone in the company is on the front line of this. So many people think that their role doesn’t make a difference in the defense of the digital infrastructure, and it turns out that 90% of what goes wrong goes wrong outside the purview or the insight of the IT and the cyber experts in your company. Somebody clicks on a link inside your company. They’re essentially about to execute somebody else’s program with their permissions. That’s a very dangerous combination if it’s the wrong code and a high degree of privilege. Some would suggest that those bad actors—be they nation states or hackers—are already in some major systems, just lying dormant, waiting for their moment to pounce. Do you think there’s truth in that? In the United States, we believe there’s truth in that. We have found the evidence that the Chinese, in an activity that we refer to as Volt Typhoon, have inserted malware into critical infrastructure. What does that mean? That means that those critical systems—water flows, electrical flows, telecommunications—are at risk because the software and the hardware they rely on is something that can be disrupted by the Chinese nation state. Nations do spy on one another, hopefully so that they can understand where the world’s going and act collectively, collaboratively to take it to a better place. But the stuff that we found in what’s called Volt Typhoon doesn’t have any legitimate purpose for sensing what the United States might be doing so that you might better engage it. It has one purpose, one purpose alone: to disrupt it at a time and place of the Chinese nation state’s choosing. We believe that that is not simply inappropriate, but escalatory. It is damaging to the confidence that both sides have about how we behave in times of contingency and crisis. And so what is a solution short of going in, finding it, and removing it? But I make it sound very simple—that is anything but. Well, finding and removing it’s not a bad solution, but that takes time. First, you have to understand what your dependence is. Are you dependent upon critical infrastructure in the United States and the United Kingdom? Of course we are. Do we know precisely what the nature of that dependence is? What are the most critical functions and what are they dependent on? Have we then isolated the mechanisms, the software, the hardware underneath of that, so that we can focus on those and understand something about the providence of those? Where do they come from? Who builds them? Who sustains them? Who defends them? In some cases, no one’s defending them. And if we begin to get that right, then we walk—it’s a slow journey to be sure—but we but we walk a trail where we can get to a better place. And, Chris, should we be worried right now about that growth in vehicle production in places China? Autonomous vehicles, electric vehicles that are on our roads in the US, in the UK, and in Europe, and the technology that’s required to run those. We don’t really have oversight of exactly what’s inside them, do we? Sadly, my answer is yes. We have to be concerned about that. Now I’d like to trust that a world that is full of optimal production in many places can generate through globalization, inexpensive, but highly resilient, highly robust kind of systems of interest, a car being one of those. But China has shown itself willing and able to insert malware into the critical infrastructure of the United States, and I suspect other nations. And why would they, if they’re prepared to do that, avoid the temptation of inserting that into automobiles to use at a time and place of their choosing to hold you at risk so that they might get you to do their bidding? Another aspect of that is that these systems acquire a lot of information, necessarily, so that those systems can work well. And if that information is at the beck and call of a nation state whose government decides when and where they access that information, not using what the UK or the United States would say is an appropriate rule of law, then I’d also be concerned about that. Have I seen China or other nation states who produce these systems actually avail themselves of this in and through cars? Not yet, not at the moment. But we’ve seen them cross that line in other ways, holding water systems at risk, energy systems at risk, telecommunications at risk. And there’s a very small distance, almost a minuscule distance between that and automobiles or other systems that you’ve asked me about. And a final thought, if you will, on the timing of a lot of these attacks. Here we are. It’s Christmas in many parts of the world. People might be winding down towards the end of the year. They may take their foot off the pedal, their eye off the ball. It’s a really dangerous time, isn’t it? Because also you might wonder whether the response, or that immediate response, is necessary if someone suffers a cyberattack that might also be on holiday for the next few weeks. Well, the Semperis study that I think brought us together, that stimulated this conversation, bears that out. Turns out that criminals are people too. They understand the nature of human beings and what they do around the holidays. And most of us would like to have a little bit of time off, take a break. It turns out that most companies who have digital infrastructure that they defend year-round take time off in the defense of that across the holidays or weekends. That’s when criminal activity actually steps up—because they know that your guard is down. I wouldn’t say that it’s impossible to take a break over the holidays, but if you’re going to take your guard down, then take down the systems that you’re attempting to defend. If you want to turn your system off over the weekend and give your IT staff a holiday, terrific. If you wanna run that IT system at full strength with half of the people who normally defend it, then be aware that the criminals know that too and that they’re gonna come on strong. Friday night, probably five o’clock, when you’re stepping into the pub for that first pint. Common sense is a good remedy here, and use it in the same way that the criminals are. Make sure that you’re meeting them stride for stride, where they’re gonna hit you. Chris Ingles, so good to have you on the program with us this week. Thanks for taking some time. Thank you. Thank you very much for your time and your interest. Now it’s that time of year. Maybe you’re planning a getaway for 2026. Our Big Boss this week would want you to swap hotels for the high seas by trying to reinvent luxury cruises for a whole new generation. She’s the president of Explora Journeys and joins me now. Anna Nash, welcome to Talking Business. Good to have you here. Just explain what it is that you do. Thank you so much, Ben. It’s a delight to be with you. I’m global president of a relatively new ocean travel brand called Explora Journeys, and we’re on a mission to redefine ocean travel. We can see that there’s a younger generation that are really adopting ocean travel as a mode of travel or a mode of holiday. One of the key issues for the cruise industry, of course, is its environmental impact as well. Trying to offset, you know, pretty big emissions, when it comes to the number of ships that are operating and the emissions that they generate. How do you make sure that for that new generation that is environmentally conscious, that this is an option that would fit in with those ambitions that their travel is net zero? We know that all of our guests, young and old, they’re conscious travelers, they’re knowledgeable, experienced travelers, they want to know that they are investing, their time, but of course their money, in brands that respect the ocean. So give me a sense of what that looks like in practice. So how do you reduce our environmental impact? We have modern technology. Our ships are all new. Our fleet, in fact, is one of the newest, operating on the oceans. And with that, we have advances of technology. So Explora 3, which is the third ship in our fleet next year, launches with LNG capabilities. All of our ships have shore to ship capability in terms of power. We are RHNA Dolphin Certified for our fleet, so the underwater emissions that we make are as reduced as possible to protect the marine life that we’re operating around. The other thing that I think is really important in terms of communication is we have two ambassadors for our ships, one for each ship, that are marine biologists themselves, and so they work with us. When it comes to sustainability, Anna, though, you know, there are concerns about emissions from ships, be it from diesel engines or maybe some of the water that’s able to be released at sea. You know, what regulations do you have to abide by to make sure that you can protect the seas as much as possible? We’re fully compliant with all marine regulations. All of our fleet are almost brand-new ships. I mean, we’ve only been sailing for under two years, so we have got advances in technology, which, of course, is a benefit. But I would say for those that are wondering, we have advanced wastewater treatment systems and we are fully compliant with IMO regulations and the Baltic regulations as well. So we make sure that we are absolutely compliant when it comes to that side of things. Yeah, and your newer ships are LNG powered, and I know that’s a lot of investment to power ships with that relatively new technology. Is there a hope that you’ll be able to then retire the two diesel ships, and going forward, all ships will be LNG powered? All of our ships are adaptable. That is the plan moving forward. So, when Explora 3 launches, she will have LNG capabilities, but we have as a brand, a firm path to be net zero by 2050. And you’ll know, Anna, in this program, we’ve been looking, the main theme of this program is cybersecurity, and we’re looking back at the year that’s been defined by so many big attacks on businesses. Talk to me about what plans you have in place to make sure not only you are protected, but your customer data. And, crucially, as we’ve seen with a lot of firms, the suppliers, so your partners in this, things like baggage handlers at airports that were affected by software hacks. How do you protect the entire business? For us, cybersecurity is something that we take incredibly seriously. We have all of the tools and systems in place to make sure that we are protecting our guest data. So we have a large cybersecurity team that we work very, very closely with. And of course, we are fully compliant with all of the data and the way that we handle our guest data. Are you confident though that systems can be secure? Because that’s what’s so astonishing about what we’ve seen over the course of the year. You know, something as big as Jaguar Land Rover can be brought down by a hack. Things like M&S, we’ve seen Harrods too. I mean, can you ever be absolutely sure that that data’s safe? It’s a matter of making sure that we comply. As I said, our systems comply with international data protection standards. And as I said, we have a specialist team that advise us and work with us, so we’re as secure as we feel that we can be, and it’s something that we closely monitor. Anna Nash, so good to have you on the program this week. Thanks for being with us. Thank you for having me. That’s all for now. There’s more on the global economy on the BBC News website and app. Until next time, thanks for watching, and we’ll see you soon. Bye-bye.