The UK’s critical national infrastructure (CNI) is being targeted, and the UK’s official National Cyber Security Centre (NCSC) is regularly finding and stopping breaches, said the NCSC’s chief Dr Richard Horne in a lecture to the defence and security think-tank RUSI. Between June 2025 and May 2026, the NCSC managed more than 200 incidents impacting organisations within the UK’s CNI and supporting ecosystem, he said. “And of those incidents, 75 per cent were believed to be linked to state actors,” he added. He called on the UK to ‘act with urgency as a nation’, ‘given the pace at which technology is developing’, and with international partners, he said, ‘as we are not a digital island.’ The stakes in cyber security could not be higher, he added.
While breaches are inevitable, catastrophic impacts need not be, he argued. He pointed to payment cards as an example of successful, sustained security. He concluded: “The truth is that in this great contest there are no spectators, we are all on the pitch. From boardrooms to IT help desks, to sofas at home, to operations and partners abroad, the contest is everywhere. If we collectively embrace the contest, understand the urgency and believe we can be a match for any opponent, then we can and will prevail.”
For the full speech visit the NCSC website. RUSI members can watch the recorded speech.
Comments
Dr Ric Derbyshire, a Principal Security Researcher at Orange Cyberdefense, said: “Undermining societal trust is often a primary objective for state adversaries, and cyber-attacks against critical national infrastructure and public services are an effective way to achieve that. When critical services are disrupted, people who rely on them every day begin to lose confidence in the institutions around them. In many cases, the technical impact of a cyber incident is less important than the uncertainty and doubt it creates, making the intrusion itself simply the delivery mechanism for a wider cognitive effect.
“The rapid advancement of AI will add another dimension to this challenge. The concern is not only how frontier models may be used by sophisticated state actors, but how the threat landscape may change as increasingly capable open-weight models become widely available. As these models mature, they will democratise access to capabilities that were previously limited to well-resourced actors, allowing a much broader range of adversaries to increase the scale, speed and sophistication of their operations.”
“Our role is making sure our customers do not appear in that incident count in the first place. The organisations that understand and manage their exposure well are not the ones generating the reports the NCSC ends up handling. The harder truth sits underneath the headline. Cyber defence capability across critical national infrastructure is still too immature, and too often budget constrained. Boards have accepted the threat narrative. Investment in the operational capability to act on it has not kept pace.
“Detection, response and recovery are still treated as a project to finish rather than a discipline to sustain. That gap is exactly where a capable adversary chooses to operate. Dr Horne is right that the vulnerabilities organisations tolerate today will be exploited tomorrow. This is the core argument for Continuous Threat Exposure Management. Most organisations still cannot answer a simple question with confidence: what is actually exposed, and what would an attacker reach first? A vulnerability count is not an answer to that. Exposure has to be understood in terms of reachability, exploitability and the business function sitting behind it.
“This is where the AI warning belongs. The NCSC expects AI-enabled capabilities to exploit known vulnerabilities in legacy technology at scale by 2028. Read that carefully. The near-term threat the NCSC is pointing at is not exotic. It is the industrialisation of weaknesses we already know about and already tolerate. AI compresses the time between a vulnerability being disclosed and it being used against you, and it widens the set of targets an attacker can reach in a single campaign. Novel exploit discovery is coming too, and AI will accelerate that, but it is not where most organisations will be hurt first. The organisations carrying unmanaged exposure are the ones who will pay soonest, because they have handed the attacker a backlog to work through at machine speed.
“The instinct will be to answer AI with AI. In exposure management, that is partly right. Automated, continuous validation of what is reachable and exploitable is how you keep pace. But in the SOC, the reflex is where a lot of organisations are about to go wrong.
“The answer to generative AI weaponisation is not simply generative AI in the SOC, whatever the wave of new vendors are telling you. The answer is SOC maturity. That means the right capability in the right place. Deterministic automation for the work that should never have needed a human. Machine learning for detecting anomaly and pattern at a scale people cannot match. Generative AI and reasoning applied where judgement and language genuinely help, not bolted across everything as a headline. None of those layers is the differentiator on its own. What ties them together is threat intelligence and threat hunting, integrated tightly into operations rather than running alongside them. And here is the part most organisations miss.
“The intelligence that protects you is not the feed everyone else is consuming. It is the intelligence you generate from real activity in your own environment. What is actually touching your edge. What is moving inside your network. What your hunters surface that no external report would ever have told you. Consuming everyone else’s intelligence makes you aware. Generating your own makes you defensible. This is the shift in posture the moment demands. Be prepared for the attacker at the door right now, not the potential attacker in a future scenario. Dr Horne made the same point. To some degree we are fighting these conflicts today.
“Exposure management reduces the opportunity. It does not remove it. The first foothold is increasingly a network edge device or an unmanaged device that sits outside the endpoint estate. A firewall, a VPN appliance, a router, an IoT sensor, a contractor’s laptop. None of these run an endpoint agent. None of them raise an endpoint alert. The attacker knows this, which is why they pick them.
“This is where network detection earns its place. If you cannot see lateral movement across the network, you are blind in the exact spot where the modern intrusion begins and spreads. People associate this problem with OT, and it is acute there. But it is just as real in enterprise IT. The unmanaged and the unmonitored are everywhere. Network visibility, paired with a SOC that can investigate and act on what it sees, is how you catch the movement that endpoint telemetry never will. Dr Horne’s framing is sound. This is a contest, not a checklist. Winning it does not start with better statistics. It starts with knowing your exposure, fixing the fundamentals, and being able to see and stop an adversary once they are inside. The organisations that do this consistently will not be the ones in next year’s count.”