
Hostile States Responsible for 75% of Cyber-Attacks on UK Critical National Infrastructure, NCSC Cautions


Growing Cyber Threats: A Call to Action for UK Critical Infrastructure

According to Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), a staggering three-quarters of cyber incidents affecting critical infrastructure organizations in the UK over the past year originated from nation-state actors or were connected to hostile states like Russia, China, and Iran. Horne made these remarks during the Annual Security Lecture hosted by the Royal United Services Institute (RUSI) on June 17, 2026, highlighting the urgent need for enhanced cybersecurity measures.

Between June 2025 and May 2026, the NCSC handled 200 cyber incidents that impacted critical national infrastructure (CNI). This figure builds upon Horne’s earlier revelations in April regarding 204 “national significant” cyber incidents recorded during the agency’s previous annual review. The frequency and complexity of these incidents underscore the dynamic and evolving nature of cyber threats.

Multi-Dimensional Cyber Threat Landscape

During his speech, Horne elaborated on the threat landscape, categorizing it into three contested realms: far, mid, and near.

  1. Far Space: This describes the adversaries’ home turf, where the UK and its allies actively engage in intelligence collection, law enforcement, sanctions, and even offensive cyber operations. The objective is to disrupt and degrade adversaries’ capabilities at their source.

  2. Mid Space: This area, where legitimate and malicious actors share digital infrastructure, presents significant risks. Horne identified cloud services and open-source supply chains as fertile grounds for malicious actors to disseminate harmful code effectively. As AI services increasingly migrate to cloud platforms, the threat landscape may grow even more complex. “This is where we can deliver collective scaled impact through hardening cloud, technology, and telecommunications infrastructure,” Horne asserted, emphasizing the importance of enhancing defences in this space.

  3. Near Space: In this space, the focus shifts to the systems of individual organizations. Horne urged boards to prioritize practical capabilities, which include understanding their exposure, defending against threats, and structuring an effective response.

Cybersecurity as a Continuous Contest

Horne argued for a paradigm shift in how organizations view cybersecurity, insisting it’s not simply a risk to be managed but an ongoing contest. Traditional notions of risk, he claimed, often create a false sense of security, leading organizations to consider cybersecurity as just another box to tick off on a risk register. Instead, he noted the importance of viewing cybersecurity as a contest of capability and performance. “When executives ask, when will we be done investing in cybersecurity, the answer is never,” he cautioned.

This continuous investment model is crucial as organizations face evolving threats that can disrupt national and economic stability. Horne’s message was clear: organizations must stop regarding cyber threats as finite problems and instead focus on constant improvement and adaptability.

Addressing Legacy Vulnerabilities

Horne specifically highlighted the potential risks associated with legacy systems, particularly in light of advancements in AI that can discover longstanding vulnerabilities in code. He predicted that as attackers increasingly automate their strategies, the vulnerabilities that organizations tolerate today might soon be leveraged to cause significant disruptions in future conflicts. “Many vulnerabilities that organizations tolerate today will be exploited in conflict tomorrow,” he warned, urging executives to take proactive measures against unsupported legacy systems.

The assessment by the NCSC posited that by 2028, it is “highly likely” that AI cyber capabilities will be utilized by attackers against known vulnerabilities within the UK’s critical infrastructure. Horne cited instances of adversaries pre-positioning themselves within crucial technologies, establishing footholds that could facilitate rapid exploitation during periods of conflict. The Volt Typhoon campaign, linked to the Chinese state, serves as a cautionary tale regarding these tactics.

Bridging the Knowledge Gaps in Cybersecurity

Experts in the cybersecurity field are echoing Horne’s sentiments. Martin Riley, CTO at Bridewell, praised Horne’s framework, asserting, “This is a contest, not a checklist.” He emphasized that the key to mastering this contest lies in understanding exposure, rectifying fundamental vulnerabilities, and developing the capacity to detect and neutralize intrusions.

Graeme Stewart, public sector head at Check Point Software, stressed the importance of Horne’s insights, suggesting that his speech should serve as a valuable reference in boardrooms across the country. Organizations that approach cybersecurity merely as a compliance exercise could be leaving themselves dangerously vulnerable.

Moreover, James Neilson, Senior Vice President at OPSWAT, pointed to a critical knowledge gap between IT systems and operational technology (OT) within CNI organizations. The complexity of these environments often results in a lack of expertise, creating deficiencies in threat assessment and defense strategies. Andrew Lintell, general manager at Claroty, underscored that sectors rich in OT, such as manufacturing and power generation, are particularly appealing to attackers due to the chaos they could cause.

In conclusion, Horne’s address marks a pivotal moment for the UK’s national cybersecurity strategy, calling for heightened awareness, continuous adaptation, and collective efforts to confront the growing threats posed by cyber adversaries. As the landscape evolves, so too must the approaches taken to safeguard critical infrastructure.
