More than 200 cyber incidents hit Britain’s critical national infrastructure and its support chain in the year to May, and about 75% were believed to be state-backed. That turns UK critical infrastructure cyberattacks from a corporate risk file into a live national security problem, according to The Record.

State Cyberattacks Stalk UK Critical Infrastructure
XOOMAR Intelligence
Analyst Take
Richard Horne, chief executive of the National Cyber Security Centre, told the RUSI Annual Security Lecture in London on June 17, 2026 that Britain is already contesting future conflicts in cyberspace. His central warning was blunt: hostile states are not waiting for a shooting war before mapping the systems Britain would rely on during one.
“Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today,” Horne warned.
XOOMAR analysis: the mismatch is now the story. Britain’s critical infrastructure is a national security target, but much of the risk sits inside private-sector networks, supplier systems, ageing operational technology, and boardroom budgets. That gap is where adversaries are trying to live.
Britain's cyber war warning puts UK critical infrastructure cyberattacks on the front line
Horne’s message was not about routine espionage. It was about preparation for real-world disruption. His phrase “kinetic targeting” matters because it links today’s network intrusions to tomorrow’s physical effects: attacks on facilities, logistics, utilities, communications, or other systems that would shape how Britain responds in a crisis.
The NCSC said its teams handled more than 200 incidents affecting critical infrastructure and its supporting network in the year to May. About 75% were assessed as the work of state actors. Horne also said the agency is “regularly finding and stopping breaches, before their intent becomes clear.”
That last line is important. If defenders do not yet know whether an intrusion is meant for espionage, sabotage, coercion, or battlefield preparation, the old distinction between spying and attack starts to blur. The access itself becomes the threat.
This follows an earlier warning from Horne that the NCSC was handling four nationally significant cyber incidents a week. He has also said criminal activity remains the most common cyber problem, while the most serious threat comes from states. The new detail narrows the concern to critical infrastructure, the systems whose failure would move quickly from technical incident to public consequence.
The primary thesis is simple: UK critical infrastructure cyberattacks are now less about isolated breaches and more about positioning. Hostile states are building options.
The 75% figure turns hostile state attacks into a strategic signal
The headline number, three-quarters, is what changes the reading of the threat. If most serious activity against critical infrastructure is believed to be state-linked, the pattern looks less like opportunistic crime and more like strategic probing.
Critical infrastructure, in practical terms, includes sectors such as energy, water, telecoms, transport, health systems, finance, and the supply chains that keep them operating.
The public rarely sees the full evidence behind attribution. That is not a flaw in the story; it is part of the problem. Cyber attribution depends on intelligence, technical indicators, behavior, infrastructure, timing, and sometimes classified sources. Governments often disclose conclusions without exposing all the proof, because doing so can burn capabilities or teach attackers what defenders can see.
There is another limit: “incident” covers a wide range. Some intrusions may be stopped early. Others may involve deeper access. The source does not detail the breaches, affected sectors, or consequences. That restraint matters, especially because The Record notes that British intelligence has often been more guarded than Washington about naming such intrusions publicly.
Still, the direction is clear. A 75% state-linked share in critical infrastructure incidents means boards should not benchmark only against peer companies. Horne said that directly.
“The only benchmark that matters is how your capability and performance compares to that of your opponent,” he said.
Prepositioning inside British networks changes the cyber threat model
Horne said adversaries were “prepositioning” throughout British critical infrastructure. In plain English, that means attackers quietly get access, learn how systems work, establish ways back in, and wait until disruption serves a political or military goal.
He described the activity as:
“Establishing footholds within technology that underpins critical national infrastructure that could enable rapid exploitation, to cause mass disruption in a time of conflict.”
That is different from data theft. A thief wants files, credentials, or cash. A state actor may want options: sabotage, coercion, operational intelligence, or the ability to slow a country’s response during a wider confrontation.
Horne cited Volt Typhoon, the Chinese state-linked campaign exposed against U.S. infrastructure, as the clearest example of this tactic. The point was not that Britain disclosed a matching case in detail. It was that the method has become the reference model for how states may prepare the battlefield through civil
The Stakes
- More than 200 incidents in a year show critical infrastructure is already a sustained cyber battleground.
- With about 75% believed to be state-backed, the threat is tied directly to national security rather than ordinary cybercrime.
- Private-sector networks and supply chains may be the weak points adversaries exploit before any future physical conflict.
[Chart: Estimated Share of UK Critical Infrastructure Cyber Incidents by Actor Type]
Sources
- [1] The Record
- [2] Most serious cyberattacks against the UK now from Russia, Iran and China, cyber chief says
- [3] Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says
- [4] UK Faces 200+ Cyber Attacks on Critical Infrastructure as State Actors and AI Threats Escalate
Written by
XOOMAR Insights Team