What happened
Richard Horne, head of the UK’s National Cyber Security Centre, warned at the CyberUK conference in Glasgow on Wednesday that the most serious cyberattacks against the UK are now carried out by Russia, Iran, and China. British businesses must prepare for state-sponsored cyberattacks at scale if the country becomes involved in an international conflict.
Horne said the NCSC currently handles around four nationally significant cyber incidents per week. UK Security Minister Dan Jarvis added that the agency handled more than 200 nationally significant incidents last year, more than double the previous year. While ransomware remains the most common problem by volume, Horne was explicit that state-sponsored activity now represents the most serious threat tier.
Each of the three named states poses a distinct threat profile. Russia is applying tactics developed during its war in Ukraine to targets beyond the battlefield, with Horne pointing to sustained Russian hybrid activity across the UK and Europe. China’s intelligence and military agencies display what Horne described as an eye-watering level of sophistication in their cyber operations. Iran is assessed to be using cyber activity to target British individuals seen as a threat to the regime.
Horne and Jarvis both cited the AI-accelerated threat environment, with Jarvis warning that adversaries can now find vulnerabilities faster than human teams can patch them. Jarvis also referenced a cyberattack on Jaguar Land Rover that affected UK economic growth late last year as an example of how infrastructure compromise creates measurable economic damage. In a conflict scenario, Horne said organizations would face attacks at scale with no option to pay their way to recovery, unlike ransomware, making proactive resilience the only viable strategy.
The warnings coincide with a documented pattern of Russian-linked attacks on European critical infrastructure, including heating plants in Sweden and Poland, a dam in Norway, and a water utility in Denmark, as part of more than 155 incidents of disruption attributed to Russia or its proxies since February 2022.
Who is affected
UK businesses across all sectors are the stated audience, with particular concern for organizations operating logistics systems, critical infrastructure, and economic supply chains. The geographic scope extends to European allies, with Sweden, Poland, Norway, and Denmark all having reported Russian-linked infrastructure attacks in recent months.
Why CISOs should care
The NCSC chief's framing of state-sponsored attacks, rather than ransomware, as the most serious threat is a meaningful signal about where the risk ceiling now sits. The specific warning that a conflict scenario would bring attacks at scale with no recovery payment option changes the calculus for resilience planning. Organizations that have built their incident response around ransomware recovery models, where paying or negotiating is at least theoretically on the table, need to consider whether those models hold up against a destructive state-sponsored attack designed to deny rather than extort.
The AI acceleration point is also worth registering. Vulnerability discovery at machine speed versus human patching speed is a structural gap that is widening, not closing.
3 practical actions
- Stress-test resilience against destructive attack scenarios, not just ransomware: Review whether your recovery plans assume the option of paying for decryption keys or negotiating access restoration. A state-sponsored destructive attack removes that option entirely, and your plans should account for full rebuilds from clean backups.
- Map your organization’s exposure to the three named threat actors: Russia, Iran, and China each pursue different target sectors and objectives. Assess whether your industry, geographic footprint, or government relationships place you within any of their documented targeting patterns and adjust your threat model accordingly.
- Accelerate patching velocity with automation: The warning that AI is enabling adversaries to find vulnerabilities faster than human teams can patch them points directly at the need for automated patching pipelines and vulnerability prioritization tools that can compress the window between disclosure and remediation.
Also in the news today:
- New npm Supply-Chain Attack Self-Spreads to Steal Auth Tokens
- Microsoft Releases Emergency Patches for Critical ASP.NET Flaw
- New GoGra Malware for Linux Uses Microsoft Graph API for Command and Control
- Dutch Intelligence Warns China’s Cyber Capabilities Now Equal to the US
- Critical Atlassian Bamboo Flaw Enables Command Injection Attacks
- Unauthorized Group Gains Access to Anthropic’s Restricted Mythos AI Cybersecurity Tool
- Organized Fraud Networks Exploit French Fintech Platforms to Launder Stolen Funds
- Mustang Panda Deploys Updated LOTUSLITE Malware Against Indian Banks and South Korean Policy Targets
- Cosmetics Giant Rituals Confirms Data Breach of Customer Membership Records
