State-linked actors were believed to be behind three-quarters of cyber incidents affecting the UK’s critical infrastructure and related organizations over the past year, Britain’s top cyber official warned, saying intelligence gathered through cyberespionage today could shape military targeting in a future conflict.
Richard Horne, CEO of the National Cyber Security Centre (NCSC), delivered the warning in a June 17 speech at the Royal United Services Institute’s annual security lecture in London.
The NCSC managed more than 200 incidents affecting organizations within the UK’s critical national infrastructure and its supporting ecosystem between June 2025 and May 2026.
“Of those incidents, 75 perecent were believed to be linked to state actors,” Horne said.
Cyberespionage and Future Conflict
Horne cast cybersecurity as a contest with hostile states and other capable adversaries, not a risk that companies can bring under control and then set aside.That contest is already playing out inside the technology that underpins critical national infrastructure, according to Horne.
Adversaries are pre-positioning today by establishing footholds in systems that could be exploited rapidly to cause mass disruption during a conflict, Horne warned.
A high-profile example cited in the speech was Volt Typhoon, a Chinese state-sponsored campaign largely against U.S. critical national infrastructure that was attributed in 2024.
Horne’s warning also applied to weaknesses tolerated in peacetime.
Private Infrastructure, Public Risk
Much of the technology that hostile actors use or target sits in private hands, including cloud, technology, and telecommunications systems.Horne described that shared environment as a “mid space” where government and industry need to pool intelligence, harden systems, and disrupt adversary activity before it reaches individual organizations.
“There is little value in contesting the mid and far space if, as a nation, our own systems, networks and institutions remain inherently vulnerable,” he said.
The same problem extends inside individual organizations. Boards and executives, Horne said, need to understand where they are exposed—such as through new technology, older systems, or supply chains—and assess what adversary capabilities could be used against them.
Foundational defenses remain uneven. The NCSC still sees too many significant incidents that are possible because basic protections are not in place, he said.
China-Linked Research Targeting
A separate June 15 report from the Google Threat Intelligence Group (GTIG) described a China-nexus actor tracked as UNC6508 targeting North American academic, medical, and military research institutions while remaining undetected for more than a year.The campaign pursued intelligence related to national security, Indo-Pacific Command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research, according to Google.
The actor targeted Research Electronic Data Capture, a platform used by hospitals, universities, and research centers to build and manage online databases and surveys for medical and scientific research.
Google’s report described custom malware, stolen login credentials, internal network access, and abuse of an enterprise email-compliance feature that silently forwarded matching emails to an account controlled by the attackers.
Active Threats
Horne told the Royal United Services Institute audience that UK authorities are regularly detecting and stopping intrusions into critical infrastructure before the attackers’ intent becomes clear.“And we are seeing our critical infrastructure being targeted, regularly finding and stopping breaches, before their intent becomes clear,” he said.
The stakes, he said, are immediate as well as future-oriented.
“In cyberspace, we are not preparing for tomorrow’s conflicts ... to some degree we are fighting them today,” Horne said.







