Cyberwire Daily
Hostile States Behind 75% of Cyber-Attacks on UK CNI, NCSC Warns

By Team-CWD, June 18, 2026


Three-quarters of cyber incidents affecting UK critical infrastructure organizations over the past year originated from nation-state actors or were linked to hostile states such as Russia, China and Iran, according to Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC).

Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture 2026 on June 17, Horne said the agency dealt with 200 cyber incidents affecting critical national infrastructure (CNI) between June 2025 and May 2026.

This builds on Horne’s disclosure in April that the NCSC had dealt with 204 “national significant” cyber incidents at the time of its last annual review.

Cyber Threat Actors Operate in Near, Mid and Far Digital Space

Horne described the threat across three contested spaces he labelled far, mid and near.

In the far space, “the adversaries’ home turf,” he said the UK and partners press adversaries with intelligence collection, sanctions, law enforcement action and offensive cyber operations to disrupt and degrade their capability at source.

In the mid space, where digital infrastructure is shared by both legitimate and malicious actors, Horne warned attackers are exploiting cloud and open-source supply chains to spread malicious code and achieve scaled impact. He also cautioned that cloud-based AI services will play an increasing role in enabling attackers in the future.

“This is where we can deliver collective scaled impact through hardening cloud, technology and telecommunications infrastructure and by disrupting adversary positions within those environments,” he urged.

In the near space, the systems of the targeted organizations, Horne urged boards to prioritise practical capabilities: understand exposure, defend and respond.

Cybersecurity is A Continuous Contest, Not A Risk

Cybersecurity must be treated as an ongoing contest rather than a static risk, Horne argued.

“Many of you will recognize the sight of cybersecurity high on your board risk register, ultimately treated as another ‘risk’ to be mitigated. But that is often the wrong framing. At times the language of risk can be helpful, but it can do us a disservice,” he stated.

“The language of risk encourages us to think about what’s needed to get it under control, to get to a point where it’s ‘in appetite’; where we can tolerate it. But the language of a contest is about capability and performance, not control,” he added.

Horne warned executives and security leaders to stop treating cyber as an item on a risk register and to embrace continuous improvement.

“When executives ask, when will we be done investing in cybersecurity, the answer is never,” he said.

Security Leaders Must Address the Legacy Vulnerability Problem

During his speech at the RUSI event, Horne singled out AI as an accelerant. He said frontier AI models are already effective at discovering long-standing vulnerabilities in code and predicted attackers will increasingly automate and scale attacks.

“Many vulnerabilities that organizations tolerate today will be exploited in conflict tomorrow,” he said.

This was in reference to an assessment made by the NCSC which said it was “highly likely” that AI cyber capabilities will be used by attackers against known vulnerabilities in legacy technology in the UK’s critical infrastructure by 2028.

This assessment “is not a distant horizon but the next product cycle,” warned Check Point’s Stewart.

“We know that adversaries are pre-positioning today, establishing footholds within technology that underpins critical national infrastructure that could enable rapid exploitation to cause mass disruption in a time of conflict,” Horne also said.

The most significant example of such a prepositioning tactic was Volt Typhoon, the Chinese state-linked campaign that infiltrated US digital infrastructure, Horne said.

He also emphasized that such intelligence gathering will inevitably be used for warfare purposes too.

“Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today,” he warned.

One thing security leaders and executives can do now to mitigate this threat is to address unsupported legacy systems.

“In cyberspace, we are not preparing for tomorrow’s conflicts, to some degree we are fighting them today,” Horne concluded.

Experts Warn of IT-OT Knowledge Gaps in Critical Infrastructure

Speaking to Infosecurity, Martin Riley, CTO at Bridewell, praised Horne’s framing.

“This is a contest, not a checklist. Winning it does not start with better statistics. It starts with knowing your exposure, fixing the fundamentals and being able to see and stop an adversary once they are inside. The organizations that do this consistently will not be the ones in next year’s count,” he said.

Graeme Stewart, head of public sector at Check Point Software, agreed with Riley and added that Horne’s speech should be “pinned to the wall of every boardroom in the country.”

“Organizations that approach cyber security purely as a box-ticking exercise will find themselves dangerously exposed,” Stewart warned.

James Neilson, SVP of global at OPSWAT, pointed out the knowledge gap between traditional IT systems and operational technology (OT) networks and devices in critical infrastructure organizations.

“The challenge for many UK critical infrastructure organizations is that their environments include a mixture of IT and OT assets, but very few individuals possess deep expertise in both, creating knowledge gaps in threat assessment and defence development,” he said.

Andrew Lintell, general manager for EMEA at Claroty, concurred, highlighting that attackers particularly target OT-rich sectors, such as manufacturing, water and wastewater and power generation “because they’re seen as able to cause the most chaos and fear if successful.”

“These sectors account for more than 40% of attacks observed across 20 CNI sectors,” Lintell noted.


