UK critical infrastructure hit by 200 cyber incidents in a year, agency says

The UK’s critical national infrastructure has been hit by more than 200 cyber incidents over the past year and state-linked assailants were behind three-quarters of the attacks, according to the state cybersecurity body.

Richard Horne, the chief executive of the National Cyber Security Centre, said hostile states such as Russia, China and Iran were increasingly targeting systems behind the UK’s key services. Examples of critical national infrastructure include the UK’s nuclear deterrent, power plants, hospitals and airports.

Horne said the UK was engaged in an “ongoing contest with capable adversaries”. “This contest is not confined to a compact space. It is not like a wrestling match in a closely defined territory as some have suggested,” he said in a speech at the Royal United Services Institute.“It is far more akin to a football or basketball game, played across a large field of play, where success depends on how you operate across the entire pitch.”

Richard Horne, the chief executive of the National Cyber Security Centre. Photograph: CyberUK/Getty Images

Horne said advances in AI were likely to accelerate the threat, exposing cyber flaws in national infrastructure, with 2028 likely to be the year when such a threat crystalises.

He said organisations needed to concentrate on the “fundamentals” of cybersecurity such as ensuring they could recover quickly from attacks.

“The many vulnerabilities that organisations tolerate today will be exploited in conflict tomorrow. If they are too expensive or hard to fix in peacetime, then they certainly will be in war,” he said.

The emergence of Anthropic’s Claude Mythos AI model has raised concerns that organisations face a heightened risk of AI-enabled cyber-attacks. However, experts caution that most breaches still come from well-established risks such as weak authentication and already known vulnerabilities that have not been patched.

Horne described the cyber threat as affecting a range of places, from “boardrooms to IT help desks, to sofas at home.”

“If we collectively embrace the contest, understand the urgency and believe we can be a match for any opponent, then we can and will prevail,” he said.

In 2024, the then chancellor of the duchy of Lancaster, Pat McFadden, warned that AI could be weaponised against the UK and that Russia was targeting key infrastructure. He said: “Russia has targeted our media, our telecoms, our political and democratic institutions and our energy infrastructure,” and it could “shut down the power grids”.

In a speech in April, Horne said the UK could face “hacktivist attacks at scale” if it became embroiled in a conflict, and the impact could be similar to recent high-profile ransomware incidents.

Horne’s comments echoed a warning last year from Blaise Metreweli, the head of the UK spy agency MI6, who said the country was caught in “a space between peace and war” as tensions with Russia mounted.

The NCSC recommended in April that consumers drop passwords and adopt passkeys. It said passkeys – described as a “digital stamp” stored on your devices that allows you to sign in to apps and websites – should be consumers’ first choice of login across all digital services because passwords were not secure enough to stand up to modern cyber threats.