The head of the U.K.’s National Cyber Security Centre (NCSC) warned that hostile states are driving the majority of cyber activity targeting the country’s critical infrastructure, saying around 75% of attacks can be linked to state actors. Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture, Richard Horne, NCSC CEO, said the agency had managed more than 200 cyber incidents affecting critical national infrastructure and its wider ecosystem over the past year. He said adversaries, including those from Russia, China and Iran, are increasingly focusing on systems that underpin essential services, underscoring the scale and persistence of the threat facing the U.K.’s most sensitive networks.
Horne framed the threat landscape as an ongoing contest rather than a conventional security problem, warning that adversaries are actively probing for weaknesses across critical systems.
The speech emphasized that many serious incidents continue to succeed because basic cybersecurity fundamentals are not consistently in place, and urged organizations to strengthen resilience by understanding exposure, improving core defences and ensuring rapid recovery capabilities. He also warned that artificial intelligence is expected to accelerate attacks, with AI-enabled capabilities likely to be used at scale by 2028 to exploit known vulnerabilities in legacy systems across critical infrastructure.
Another key point from Horne’s speech was his warning that advances in AI (artificial intelligence) are likely to intensify and speed up the cyber threat landscape, with the NCSC assessing that by 2028, AI-enabled cyber capabilities will likely be used by attackers to exploit known vulnerabilities in legacy technology at scale across critical national infrastructure.
“Many of you will recognise the sight of cyber security high on your board risk register, ultimately treated as another ‘risk’ to be mitigated,” according to Horne. “But that is often the wrong framing. At times, the language of risk can be helpful, but it can do us a disservice. Sadly, while we might like to think that individuals, companies and nations should have the right to operate in the digital territory of the world unbothered by those who would do us harm, it is not a given. But it is something we have to contest. And understanding cyber security as a contest is crucial for us all.”
Recognizing that the language of risk encourages thinking about what is needed to bring it under control and reach a point where it is ‘in appetite,’ where it can be tolerated, Horne noted, “But the language of a contest is about capability and performance, not control. It focuses on constantly striving to be better, because we know our adversaries are doing exactly the same. So, when executives ask ‘When will we be done investing in cyber security?,’ the answer is: never!”
“We often see a desire to benchmark cyber security against peers. Which is a common approach in risk management. But, whilst benchmarks have their place and can illuminate blind spots, being ‘roughly as good as your peers’ is not a complete strategy for security,” Horne said. “In any contest, the only benchmark that matters is how your capability and performance compares to that of your opponent. Understanding where your defences are weaker than you would like, how an adversary might exploit those weaknesses and where your strengths can give you an advantage.”
He added that this contest is not confined to a compact space. It’s not like a wrestling match in a closely-defined territory as some have suggested. “It is more akin to a football or basketball game (or even quidditch, if you want more dimensions!), played across a large field of play, where success depends on how you operate across the entire pitch. In this analogy, we can describe the spaces we need to contest in cyber security as ‘near’, ‘mid’ and ‘far’ spaces.”
Starting with the far space, Horne recognized that this is the adversary’s home turf, their systems, their tooling, their networks.
“It is the ground they believe they control. But where we, and our allies, bring pressure to bear, through intelligence collection, sanctions, law enforcement action and offensive cyber operations to disrupt and degrade their capability at source. It’s also where we understand the attackers’ intent and capability and is why the National Cyber Security Centre’s position within GCHQ and alongside our partners in the National Cyber Force is so important.”
“As you will appreciate, many examples of the action we take in this space must remain secret, but our strength in this area is critical to maintaining strategic advantage over those who wish to harm our nation,” he added. “And it’s from our operations in the far space that we are able to generate actionable intelligence for defence.”
Moving to the mid space, Horne added, “This is where we can deliver collective scaled impact through hardening cloud, technology and telecommunications infrastructure, and by disrupting adversary positions within those environments. The reality is much of this space is in private hands. Which means success here demands genuine collaboration between government and private sector, which is at the heart of our approach in the NCSC.”
He noted, “It means sharing what we learn in the far space, pooling what government and industry together see in the near space and turning that collective insight into action that raises the security of the whole ecosystem, not just individual organisations.”
“We’ve already seen commercially available cloud-hosted cyber security tools, such as Cobalt Strike, be abused by nation states and cyber criminals,” Horne detailed. “And when new AI-powered security tools are released, it’s not long before discussions appear on cyber crime forums exploring how those same capabilities can be repurposed for cyber attacks. So we should expect to see cyber criminals increasingly exploit the mid space.”
In the near space, where the defence and resilience of targeted organizations and systems are in focus, Horne said this is where the greatest scale of action is required and where the widest range of stakeholders must be involved to remain competitive in the contest.
“There is little value in contesting the mid and far space if, as a nation, our own systems, networks and institutions remain inherently vulnerable. And that challenge is only going to be exacerbated as AI continues its march of progress,” he added. “Recent developments of frontier AI models have demonstrated their effectiveness at finding inherent vulnerabilities in the technology we rely on. Our latest Assessment shows that by 2028, it is highly likely that AI-Cyber capabilities will be used by attackers against known vulnerabilities in legacy technology in our critical national infrastructure.”
Horne outlined three core capabilities as essential for organizations to build deliberately. The first is understanding exposure, including identifying where organizations are vulnerable through new technologies, legacy systems, supply chains, and other dependencies, as well as assessing the range of adversary capabilities that could be used against them. This includes recognising where critical operations may be heavily dependent on technologies that could be disrupted.
The second is defence, centred on consistently applying foundational cybersecurity measures across the organization, often described as basic ‘blocking and tackling’ or Cyber Essentials. While these fundamentals remain essential, they are frequently absent in significant incidents, and many organisations also require more advanced capabilities such as system architecture designed to contain breaches, limit blast radius, and support threat hunting, alongside broader frameworks such as the Cyber Assessment Framework.
The third is response, focused on maintaining continuity of critical operations and enabling large-scale recovery following a successful cyberattack. This includes the ability to rebuild systems and absorb disruption, even where it requires reassessing long-standing cost-driven business decisions. In this context, resilience, containment and rapid recovery are framed as essential capabilities for any digitally dependent organization.
Horne flagged that there is no time to delay in addressing cyber threats, as today’s actions directly shape future conflict scenarios. Adversaries are already using cyber espionage to gather intelligence, exploiting long-standing vulnerabilities that are difficult to fix quickly, and prepositioning within critical infrastructure for potential large-scale disruption. This activity is already visible in ongoing incidents affecting UK critical national infrastructure, many linked to state actors. As a result, cybersecurity is not preparation for future conflict alone but an active part of today’s security environment, requiring urgent action to strengthen resilience and reduce opportunities for adversaries to operate.
Horne drew attention to U.K. initiatives such as CHERI, which he said can be a game changer by revisiting fundamental design choices in hardware and software to enforce memory safety and protect against whole classes of vulnerabilities. “Work we are driving in the NCSC to move us towards a National Cyber Defence Capability to support the security of the nation in an agentic AI world. To join up intelligence and actions in the far, mid and near space in real time. To reimagine cyber security in an AI world.”
He added, “Work we do every day to empower organisations to be capable of defending themselves in this rapidly changing world and partnering with infrastructure providers to harden the mid-space and disrupt attacker activity. And, of course, the work that your organisations do day in and day out to contest the digital space on which you rely. With an often-unseen army of cyber defenders across our nation, united in a shared mission.”
Commenting on Horne’s speech, Ric Derbyshire, principal security researcher at Orange Cyberdefense, observed that undermining societal trust is often a primary objective for state adversaries, and cyber-attacks against critical national infrastructure and public services are an effective way to achieve that. “When critical services are disrupted, people who rely on them every day begin to lose confidence in the institutions around them. In many cases, the technical impact of a cyber incident is less important than the uncertainty and doubt it creates, making the intrusion itself simply the delivery mechanism for a wider cognitive effect.”
“The rapid advancement of AI will add another dimension to this challenge. The concern is not only how frontier models may be used by sophisticated state actors, but how the threat landscape may change as increasingly capable open-weight models become widely available,” Derbyshire detailed. “As these models mature, they will democratise access to capabilities that were previously limited to well-resourced actors, allowing a much broader range of adversaries to increase the scale, speed and sophistication of their operations.”
In his conclusion, Horne detailed that “The truth is that in this great contest there are no spectators, we are all on the pitch. From boardrooms to IT help desks, to sofas at home, to operations and partners abroad the contest is everywhere. If we collectively embrace the contest, understand the urgency and believe we can be a match for any opponent, then we can and will prevail.”
Earlier this year, the U.K. rebooted its Cyber Action Plan, backed by UK£210 million in funding to strengthen cyber resilience across government. Led by a new Government Cyber Unit, the plan aims to counter rising cyber threats by speeding up improvements to public sector cyber security. It focuses on strengthening digital resilience across government systems so citizens can securely access essential services such as benefits, tax and healthcare, while reinforcing trust that data and critical services are protected.


