Hostile States Behind Most Attacks on UK Critical Infrastructure

What happened

Britain’s cyber chief warned that hostile states are responsible for roughly three-quarters of cyberattacks affecting the country’s critical national infrastructure.

Richard Horne, chief executive of the National Cyber Security Centre, said the agency handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May. About 75% of those incidents were believed to be the work of state actors.

Horne said the NCSC is regularly finding and stopping breaches before the attackers’ intent becomes clear. He warned that adversaries are prepositioning inside British critical infrastructure by establishing footholds in the technology that supports essential services.

Those footholds could allow attackers to rapidly exploit systems and cause mass disruption during a future conflict. Horne cited Volt Typhoon, the Chinese state-linked campaign exposed against U.S. infrastructure, as the clearest example of this type of activity.

Horne argued that cyberspace should no longer be treated only as a risk to be managed, but as a contest that must be actively fought. He said organizations should not benchmark their defenses only against peers, but against the capability and performance of their opponents.

The warning comes as the UK government moves forward with the Cyber Security and Resilience Bill, which is intended to compel improvements at operators of essential services. The government is also preparing a new National Cyber Action Plan, expected in early July.

Horne also warned that artificial intelligence will sharpen the threat. A new NCSC assessment judged it highly likely that by 2028, AI tools will be used to exploit known weaknesses in aging technology across critical infrastructure.

Who is affected

UK critical national infrastructure operators are directly affected, along with the technology providers, suppliers, and supporting organizations that help run essential services.

The warning is especially relevant to operators of essential services because hostile states are allegedly prepositioning inside the technology that underpins critical infrastructure. The affected ecosystem is not limited to the primary operator. It includes suppliers, managed service providers, vendors, and other organizations connected to critical infrastructure environments.

Executives and boards are also affected because Horne framed cybersecurity as an ongoing contest rather than a temporary investment cycle. Organizations responsible for essential services should expect continued pressure to improve resilience, regulatory compliance, and operational readiness.

Why CISOs should care

This warning changes the framing of critical infrastructure cybersecurity. The issue is not only criminal intrusion, data theft, or compliance risk. The NCSC is warning that hostile states may be positioning themselves for disruption in a future conflict.

For CISOs, that means resilience planning must account for adversaries who may already have access, may be waiting for the right moment to act, and may target operational disruption rather than immediate financial gain.

The shift from “risk” to “contest” also matters. Risk management often focuses on tolerance, appetite, and comparison with industry peers. Horne’s message is that the more important benchmark is whether an organization’s defenses can hold against the adversaries actually targeting it.

The AI warning adds urgency. If AI tools are likely to help attackers exploit known weaknesses in aging infrastructure by 2028, organizations cannot leave legacy systems, unpatched technology, and weak monitoring as long-term accepted risks.

3 practical actions

  1. Hunt for prepositioning inside critical systems: The NCSC warned that hostile states are establishing footholds inside technology underpinning critical infrastructure. CISOs should prioritize threat hunting, identity review, persistence detection, and network visibility across systems that support essential services.
  2. Benchmark defenses against adversary capability, not industry peers: Horne warned that comparing defenses only against rivals is inadequate. Security leaders should evaluate controls against known state-linked tactics, realistic attack paths, and the capabilities of adversaries targeting their sector.
  3. Reduce exposure in aging critical infrastructure before AI accelerates exploitation: The NCSC assessed it is highly likely that AI tools will be used by 2028 to exploit known weaknesses in aging technology. CISOs should identify legacy assets, prioritize remediation or isolation, and strengthen monitoring around systems that cannot be quickly replaced.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.