UK Cyber Chief: State Actors Linked to 75 Percent of Critical Infrastructure Cyber Incidents

NCSC chief Richard Horne warned that intelligence from cyberespionage today will shape military targeting and enable mass disruption in any future conflict.
UK Cyber Chief: State Actors Linked to 75 Percent of Critical Infrastructure Cyber Incidents
NCSC CEO Richard Horne speaks at the RUSI Annual Security Lecture in London on June 17, 2026. National Cyber Security Centre
|Updated:
0:00

State-linked actors were believed to be behind three-quarters of cyber incidents affecting the UK’s critical infrastructure and related organizations over the past year, Britain’s top cyber official warned, saying intelligence gathered through cyberespionage today could shape military targeting in a future conflict.

Richard Horne, CEO of the National Cyber Security Centre (NCSC), delivered the warning in a June 17 speech at the Royal United Services Institute’s annual security lecture in London.

The NCSC managed more than 200 incidents affecting organizations within the UK’s critical national infrastructure and its supporting ecosystem between June 2025 and May 2026.

“Of those incidents, 75 perecent were believed to be linked to state actors,” Horne said.

“Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today. Part of preparing for any potential conflict involves cyber espionage ... gaining a clear understanding of the landscape to inform and refine potential targets.”

Cyberespionage and Future Conflict

Horne cast cybersecurity as a contest with hostile states and other capable adversaries, not a risk that companies can bring under control and then set aside.

That contest is already playing out inside the technology that underpins critical national infrastructure, according to Horne.

Adversaries are pre-positioning today by establishing footholds in systems that could be exploited rapidly to cause mass disruption during a conflict, Horne warned.

A high-profile example cited in the speech was Volt Typhoon, a Chinese state-sponsored campaign largely against U.S. critical national infrastructure that was attributed in 2024.

Horne’s warning also applied to weaknesses tolerated in peacetime.

“Vulnerabilities can’t be fixed overnight,” he said. “If they are too expensive or hard to fix in peacetime, then they certainly will be in war.”

Private Infrastructure, Public Risk

Much of the technology that hostile actors use or target sits in private hands, including cloud, technology, and telecommunications systems.

Horne described that shared environment as a “mid space” where government and industry need to pool intelligence, harden systems, and disrupt adversary activity before it reaches individual organizations.

“There is little value in contesting the mid and far space if, as a nation, our own systems, networks and institutions remain inherently vulnerable,” he said.

The same problem extends inside individual organizations. Boards and executives, Horne said, need to understand where they are exposed—such as through new technology, older systems, or supply chains—and assess what adversary capabilities could be used against them.

Foundational defenses remain uneven. The NCSC still sees too many significant incidents that are possible because basic protections are not in place, he said.

Artificial intelligence could accelerate the problem. Recent frontier AI models have demonstrated an ability to find inherent vulnerabilities in technology that organizations rely on, and the NCSC assesses that by 2028, AI-enabled cyber capabilities are highly likely to be used against known vulnerabilities in legacy technology in critical national infrastructure.

China-Linked Research Targeting

A separate June 15 report from the Google Threat Intelligence Group (GTIG) described a China-nexus actor tracked as UNC6508 targeting North American academic, medical, and military research institutions while remaining undetected for more than a year.

The campaign pursued intelligence related to national security, Indo-Pacific Command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research, according to Google.

The actor targeted Research Electronic Data Capture, a platform used by hospitals, universities, and research centers to build and manage online databases and surveys for medical and scientific research.

Google’s report described custom malware, stolen login credentials, internal network access, and abuse of an enterprise email-compliance feature that silently forwarded matching emails to an account controlled by the attackers.

GTIG attributed the activity to UNC6508 with high confidence and assessed that its priorities aligned with historic Chinese state-sponsored espionage trends and intelligence-collection requirements. The report did not identify a specific Chinese state agency behind the campaign.

Active Threats

Horne told the Royal United Services Institute audience that UK authorities are regularly detecting and stopping intrusions into critical infrastructure before the attackers’ intent becomes clear.

“And we are seeing our critical infrastructure being targeted, regularly finding and stopping breaches, before their intent becomes clear,” he said.

The stakes, he said, are immediate as well as future-oriented.

“In cyberspace, we are not preparing for tomorrow’s conflicts ... to some degree we are fighting them today,” Horne said.

Google LogoMark Us Preferred on Google
Arthur Zhang
Arthur Zhang
Author
Arthur Zhang is a reporter for The Epoch Times. He is a U.S. veteran who holds an M.A. in history and international relations.