NCSC: 75% of UK CNI cyber-attacks linked to hostile states

Summary
– Richard Horne, CEO of the UK’s National Cyber Security Centre, reported that 200 cyber incidents affected critical national infrastructure between June 2025 and May 2026, with three-quarters linked to nation-state actors like Russia, China, and Iran.
– Horne described three contested digital spaces: far (adversary territory countered by intelligence and operations), mid (shared infrastructure exploited via cloud and supply chains), and near (targeted systems requiring practical defense).
– He argued cybersecurity is a continuous contest, not a static risk, urging boards to embrace ongoing improvement rather than treating it as a risk to be controlled.
– Horne warned that AI is accelerating the discovery and exploitation of legacy vulnerabilities, predicting attackers will automate attacks against known flaws in UK critical infrastructure by 2028.
– Experts highlighted knowledge gaps between IT and operational technology (OT) systems in critical infrastructure, with OT-rich sectors like manufacturing and power generation facing over 40% of observed attacks.
Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture 2026 on June 17, Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), revealed that the agency handled 200 cyber incidents affecting critical national infrastructure (CNI) between June 2025 and May 2026. A striking three-quarters of these incidents were either directly carried out by nation-state actors or linked to hostile states, including Russia, China, and Iran. This announcement builds on Horne’s earlier disclosure in April, when the NCSC reported dealing with 204 “national significant” cyber incidents during its last annual review.
Horne outlined the cyber threat landscape across three contested spaces: far, mid, and near. In the far space, described as “the adversaries’ home turf,” the UK and its allies apply pressure through intelligence collection, sanctions, law enforcement actions, and offensive cyber operations to disrupt and degrade adversary capabilities at their source. The mid space, where digital infrastructure is shared by both legitimate users and malicious actors, poses a different challenge. Horne warned that attackers are exploiting cloud and open-source supply chains to spread malicious code and achieve scaled impact. He also cautioned that cloud-based AI services will increasingly enable attackers in the future. “This is where we can deliver collective scaled impact through hardening cloud, technology and telecommunications infrastructure and by disrupting adversary positions within those environments,” he urged. In the near space, which encompasses the systems of targeted organizations, Horne advised boards to prioritize practical capabilities: understand exposure, defend, and respond.
Horne argued that cybersecurity must be treated as an ongoing contest, not a static risk. “Many of you will recognize the sight of cybersecurity high on your board risk register, ultimately treated as another ‘risk’ to be mitigated. But that is often the wrong framing,” he stated. “The language of risk encourages us to think about what’s needed to get it under control, to get to a point where it’s ‘in appetite’; where we can tolerate it. But the language of a contest is about capability and performance, not control.” He warned executives and security leaders to stop treating cyber as an item on a risk register and to embrace continuous improvement. “When executives ask, when will we be done investing in cybersecurity, the answer is never,” he said.
During his speech, Horne singled out AI as an accelerant. He noted that frontier AI models are already effective at discovering long-standing vulnerabilities in code and predicted that attackers will increasingly automate and scale their attacks. “Many vulnerabilities that organizations tolerate today will be exploited in conflict tomorrow,” he said. This warning was based on an NCSC assessment that it is “highly likely” AI cyber capabilities will be used by attackers against known vulnerabilities in legacy technology within the UK’s critical infrastructure by 2028. Graeme Stewart, head of public sector at Check Point Software, called this assessment “not a distant horizon but the next product cycle.” Horne also emphasized the threat of pre-positioning. “We know that adversaries are pre-positioning today, establishing footholds within technology that underpins critical national infrastructure that could enable rapid exploitation to cause mass disruption in a time of conflict,” he said.
The most significant example of this pre-positioning tactic was Volt Typhoon, the Chinese state-linked campaign that infiltrated US digital infrastructure. Horne warned that such intelligence gathering will inevitably be used for warfare purposes. “Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today,” he cautioned. To mitigate this threat, he urged security leaders to address unsupported legacy systems. “In cyberspace, we are not preparing for tomorrow’s conflicts, to some degree we are fighting them today,” Horne concluded.
Industry experts echoed Horne’s framing. Martin Riley, CTO at Bridewell, praised the perspective, stating, “This is a contest, not a checklist. Winning it does not start with better statistics. It starts with knowing your exposure, fixing the fundamentals and being able to see and stop an adversary once they are inside. The organizations that do this consistently will not be the ones in next year’s count.” Graeme Stewart agreed and said Horne’s speech should be “pinned to the wall of every boardroom in the country.” He warned that “organizations that approach cyber security purely as a box-ticking exercise will find themselves dangerously exposed.” James Neilson, SVP of global at OPSWAT, highlighted a critical knowledge gap between traditional IT systems and operational technology (OT) networks and devices in critical infrastructure organizations. “The challenge for many UK critical infrastructure organizations is that their environments include a mixture of IT and OT assets, but very few individuals possess deep expertise in both, creating knowledge gaps in threat assessment and defence development,” he said.
Andrew Lintell, general manager for EMEA at Claroty, concurred, noting that attackers particularly target OT-rich sectors, such as manufacturing, water and wastewater, and power generation, “because they’re seen as able to cause the most chaos and fear if successful.” He added that “these sectors account for more than 40% of attacks observed across 20 CNI sectors.”
(Source: Infosecurity Magazine)




