On June 17, 2026, Richard Horne, who serves as the chief executive of the U.K. National Cyber Security Center (NCSC), made significant remarks at the Royal United Services Institute in London. He emphasized the urgent need to rethink the conversation surrounding digital defense, arguing that it should be viewed as an evolving contest against dynamic adversaries rather than simply a risk management issue. Horne characterized the recent surge in hacking incidents and cyber breaches as merely the initial phases of a larger, impending conflict.

In his address, Horne criticized the reliance on private sector risk benchmarks that often gauge exposure against the performance of peers. He articulated a fundamental flaw in this approach, insisting that measuring security by being “roughly as good as your peers” falls drastically short of what is needed for effective cybersecurity. The reliance on peer comparisons could lead the U.K. to falter in its mission to secure cyberspace. He pointed out that under such frameworks, the nation could potentially lose its grip over its cyber environment.

According to Horne, the only crucial benchmark in any competitive scenario is how one’s capabilities and performance stack up against those of adversaries. He asserted that the primary threats emanate from the intelligence and military units of competing nations. In a striking revelation, Horne stated that approximately three-quarters of the incidents managed by NCSC in the previous year were likely initiated by nation-state hackers.

Since taking over the NCSC in October 2024, Horne has allowed for greater insight into the organization’s operations, revealing that they investigate significant cyberattacks at a frequency of about four per week. Earlier this year, he referred to the need for a “full court press” against cybersecurity threats during an interview with Information Security Media Group (ISMG). He emphasized that unresolved vulnerabilities present in organizations today are poised to be exploited during future conflicts. “If these vulnerabilities are too difficult or costly to address during peaceful times, they will certainly pose more significant challenges during wartime,” he warned.

Horne further elaborated on the notion that conventional warfare tactics, known as kinetic targeting, will increasingly rely on intelligence gathered in peacetime. This illustrates the intertwined nature of cyber and conventional threats in contemporary national security frameworks.

Despite the growing awareness and commitment to cybersecurity, many organizations continue to overlook basic measures that the NCSC has identified as essential. For instance, the Cyber Essentials framework outlines fundamental technical controls, including establishing a secure baseline for computer configurations, implementing stringent user access controls, and ensuring firewalls are effective at blocking malicious traffic.

Additionally, Horne highlighted a significant legislative initiative known as the Cyber Security and Resilience Bill. This proposal seeks to empower the British government to impose rigorous security requirements on critical infrastructure sectors. Notably, the bill will extend to managed security service providers and data centers. “Our role as a government is to catalyze a response at scale,” Horne stated, underscoring the necessity for robust, systemic changes in national cybersecurity protocols.

When addressing corporate executives’ frequent inquiries about the timeline for concluding cybersecurity investments, Horne delivered a clear reply: the investment is never truly finished. “When executives ask, ‘When will we be done investing in cybersecurity?’ the only legitimate answer is: never,” he concluded, reinforcing the perpetual nature of cybersecurity vigilance.