Decoding the world of cybersecurity

NCSC warns state actors dominate critical attacks

The NCSC says hostile states are linked to around three-quarters of incidents affecting UK critical systems, placing resilience and accountability at the centre of national cyber policy.

NCSC warns state actors dominate critical attacks
Summary
  • NCSC chief executive Richard Horne said hostile states were linked to around 75% of cyber incidents affecting UK critical systems.
  • The agency managed more than 200 incidents affecting critical national infrastructure and its supporting ecosystem in the year to May 2026.
  • The warning strengthens pressure on resilience planning, supplier assurance, incident readiness, and executive accountability across essential services.

The National Cyber Security Centre has said hostile states are linked to around three-quarters of cyber incidents affecting the UK’s critical systems, giving a public measure of the pressure facing infrastructure operators and the suppliers around them.

In a speech at RUSI’s Annual Security Lecture, NCSC chief executive Dr Richard Horne said the agency managed more than 200 cyber incidents affecting the UK’s critical national infrastructure and its supporting ecosystem in the year to May 2026. Around 75% were believed to be linked to state actors.

The NCSC named hostile states including Russia, China, and Iran in the wider threat context, although it did not publicly attribute individual incidents, identify specific victims, or describe technical methods used in those cases. The agency’s public account of the speech presented the figures as evidence of the scale of cyber threats facing critical infrastructure.

The figures move the discussion beyond generic warnings about hostile activity. Critical national infrastructure depends on energy, transport, telecoms, water, healthcare, public services, financial systems, and a large set of private suppliers. State-linked activity does not need to cause visible disruption to create risk. Espionage, pre-positioning, credential theft, supplier compromise, and mapping of operational environments can all sit below the threshold of public crisis while increasing future exposure.

The reference to the supporting ecosystem is important. Critical services do not run only on the systems owned by the principal operator. They depend on managed service providers, software vendors, engineering contractors, cloud platforms, identity providers, telecoms carriers, maintenance companies, and specialist equipment suppliers. The practical boundary of critical infrastructure is often wider than the legal or organisational boundary of the regulated entity.

That creates a governance challenge for operators and public authorities. Accountability may sit with the operator, but resilience depends on visibility and control across a broader dependency chain. When a supplier handles privileged access, remote maintenance, data processing, monitoring, or backup operations, its failure can become the operator’s incident.

The UK is already moving towards stronger cyber resilience expectations through policy work and sector-specific regulation. The NCSC warning adds pressure for disciplined incident reporting, stronger third-party assurance, tested recovery plans, and clearer ownership of cyber risk at executive level. State-linked threats are now part of the normal operating environment for organisations that run or support essential services.

That does not mean every infrastructure operator is facing bespoke state activity every day. State-linked attackers can still exploit ordinary weaknesses: exposed management interfaces, weak identity controls, poor logging, vulnerable edge devices, unsupported systems, insecure remote access, and insufficient segmentation. Strategic intent often depends on mundane technical failure.

Resilience therefore cannot be reduced to prevention. Critical-system operators need to know which services must continue, how quickly affected systems can be isolated, what manual fallback exists, how supplier access is governed, how incident decisions are escalated, and how public consequences would be managed. Technical controls remain essential, but continuity under pressure is the operational test.

The NCSC’s figures describe external hostile activity, but they also expose domestic preparedness. As the UK becomes more dependent on connected infrastructure, shared suppliers, and digital public services, unclear ownership of risk leaves less room for recovery when attacks move from access to disruption.

×