NCSC UK: Hostile-State Activity Behind 75% of Attacks on UK Critical Infrastructure
NCSC UK's CEO puts a number on hostile-state activity — three-quarters of attacks on UK critical systems. The figure, drawn from a year of incident response, reframes the threat as a sustained contest.
LONDON — The United Kingdom's National Cyber Security Centre on June 17, 2026 put a number on a threat its officials have long described in general terms: hostile-state activity is now linked to around three-quarters of the cyber incidents affecting the country's critical national infrastructure and the wider ecosystem that supports it. The figure came in a keynote by NCSC chief executive Dr Richard Horne, delivered at the Royal United Services Institute's (RUSI) Annual Security Lecture, and it was drawn from the agency's own incident-response caseload rather than a survey or forecast.
Horne said the NCSC managed more than 200 incidents affecting the UK's critical national infrastructure and its supporting ecosystem in the year to May 2026, and that roughly 75% of those were believed to be linked to state actors. He named Russia, China and Iran as the principal hostile states pressuring the systems behind the UK's essential services — a framing consistent with the agency's prior public assessments of the primary drivers of UK cyber threats.
What NCSC's CEO Said
In his keynote, Horne said the NCSC had managed more than 200 cyber incidents affecting the UK's critical national infrastructure and its supporting ecosystem over the year to May 2026, and that around three-quarters of them were believed to be linked to state actors. He named Russia, China and Iran as the hostile states most active against the systems that underpin essential services. The NCSC published the headline of the speech under the framing that hostile states are linked to three-quarters of cyber attacks affecting the UK's critical systems.
The number matters because of where it comes from. It is not an industry survey, a vendor estimate, or a projection: it is the agency's own characterisation of the incidents it handled during a defined twelve-month window. That distinction is worth keeping in mind. The figure describes the share of NCSC-managed CNI incidents assessed as state-linked, in the UK, over the year to May 2026 — not a universal proportion that can be lifted and applied to other countries, other sectors, or the entire universe of cyber activity. NCSC framed it as a measure of how much of the serious activity against UK essential services it attributes to states, not as a claim that three-quarters of all cyber attacks everywhere are nation-state operations.
Horne paired the statistic with a broader argument about how the country should think about cyber security. He said it should be treated not simply as a risk to be managed but as an ongoing contest with capable, well-resourced adversaries — a deliberate shift in language away from the vocabulary of risk registers and towards the vocabulary of sustained competition. He also looked ahead, warning that advances in artificial intelligence are likely to accelerate the threat, with the NCSC assessing that by 2028 AI-enabled capabilities will likely be used to exploit known vulnerabilities in legacy technology at scale across critical national infrastructure.
Sector-Advisory Posture for UK Critical-Infrastructure Organizations
The speech functioned as much as a call to action as a status report. Horne directed his appeal at boards and executives specifically, calling on, in his words, every board member and every executive in every organisation to take responsibility for cyber resilience. The emphasis on senior leadership is itself the message: the NCSC's posture is that resilience against state-grade threats is an organisational and governance problem, not one that can be delegated wholly to a security team or treated as a line item.
He set out three core capabilities organisations should focus on. The first is understanding their exposure — knowing what they run, what is reachable, and where they are vulnerable. The second is building stronger defences grounded in proven security fundamentals rather than novel or exotic controls. The third is ensuring they can keep operating and recover quickly after an incident, which places incident response and recovery on equal footing with prevention. The framing is notable for what it does not promise: it does not suggest any single product or programme makes a CNI operator safe, but rather treats exposure management, fundamentals and recoverability as a continuous discipline.
For UK critical-infrastructure organisations, the practical reading is that the NCSC is signalling where it expects attention to go. The agency's guidance has consistently pointed operators toward the basics done well — asset inventory, prompt patching of internet-reachable systems, network segmentation, tested backups and rehearsed recovery plans. Horne's keynote re-anchors those fundamentals to a specific, quantified threat picture, which can help security leaders make the case for investment to executives who respond to numbers and to direct statements from the national authority.
Coordination With Industry-Association Partners
The venue itself signals the audience the NCSC is trying to reach. Delivering the figure at the RUSI Annual Security Lecture — a forum that draws defence, security and policy professionals rather than a purely technical crowd — places the statistic in front of the leaders and institutions that set strategy and allocate resources across sectors. The NCSC has long worked through sector bodies, regulators and industry associations to translate national threat assessments into operator-level action, and a keynote of this kind is part of that translation.
That model matters because critical national infrastructure in the UK is largely operated by private companies and is spread across distinct sectors — energy, water, transport, telecommunications, health and finance among them — each with its own regulators, trade bodies and information-sharing arrangements. The NCSC's role is partly to provide a common threat picture that those varied bodies can act on, and the three-quarters figure gives sector partners a shared reference point. As trade-press coverage of the lecture underlined, it is a single, citable number that an energy regulator, a water-industry association or a telecoms forum can use to frame their own member guidance.
The coordination angle also connects to attribution. Publicly naming Russia, China and Iran as the hostile states behind the activity is consistent with a broader pattern in which UK and allied governments increasingly attribute state-linked operations on the record, both to deter and to galvanise defenders. The CyberSignal has reported on related government attributions in Europe, including Germany's attribution of Signal phishing against lawmakers to Russia, which sit alongside the NCSC statement as examples of governments moving from private assessment to public naming.
How Non-UK Defenders Should Read the Statement
For security leaders outside the United Kingdom, the temptation is to read the three-quarters figure as a global benchmark. It is not one, and it should not be treated as such. The number is specific to NCSC-managed incidents affecting UK critical national infrastructure and its supporting ecosystem in the year to May 2026. The proportion of state-linked activity in another country, or in a different sector mix, or measured over a different window, could be materially higher or lower, and nothing in Horne's remarks claims otherwise.
What does travel across borders is the qualitative picture and the prescription. The observation that capable states are persistently targeting the systems behind essential services is not unique to the UK, and allied agencies have described comparable pressure. The capabilities Horne emphasised — understanding exposure, building defences on fundamentals, and being able to recover — are jurisdiction-neutral and map onto the guidance most national cyber authorities already publish. A defender in another country can reasonably take the UK statement as corroboration of a threat direction without importing the specific percentage.
The forward-looking warning about AI is similarly portable. The NCSC's assessment that AI-enabled capabilities will likely be used by 2028 to exploit known vulnerabilities in legacy technology at scale is a statement about the trajectory of the threat, and it reinforces a priority that crosses borders: reducing the population of unpatched, internet-reachable legacy systems before automated tooling makes exploiting them cheaper and faster. That is a defensible takeaway for any operator, whether or not they fall under NCSC's remit.
Open Questions
Several details around the figure remain at the level of the agency's own characterisation rather than published underlying data. The NCSC stated the count of incidents and the approximate share linked to state actors, but the speech and accompanying release did not publish a case-by-case dataset, a precise breakdown by sector, or a per-actor split among the named states. The three-quarters figure should therefore be read as the agency's assessment of its caseload, not as a figure derived from a public, independently auditable dataset.
The naming of Russia, China and Iran is consistent with the NCSC's prior public statements, but the keynote did not tie specific named operations, campaigns or victims to the headline percentage, and it did not attribute individual incidents within the 200-plus caseload to particular actors. Defenders should be careful not to infer that any specific recent incident is among those counted, or that a named state is responsible for a given sector's exposure, absent separate attribution.
What is firmly established is enough to act on: the UK's national cyber authority, on the record and at a prominent venue, has quantified hostile-state involvement in attacks on its critical infrastructure at roughly three-quarters of its CNI incident caseload over a defined year, named the states it holds responsible, and asked boards to treat the threat as a contest rather than a managed risk. For UK operators that is a direct prompt to revisit exposure, fundamentals and recovery; for defenders elsewhere it is corroboration of a threat direction, to be read with the figure's UK-specific scope kept clearly in view.
The CyberSignal Analysis
The reported facts above are the NCSC's; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts, and the three-quarters figure remains specific to NCSC's UK CNI incident caseload for the year to May 2026.
Signal 01 — A Headline Percentage Tells Defenders Direction, Not Dosage
The three-quarters figure is a useful signal precisely because of what it does not claim. It is the NCSC's characterisation of the state-linked share of the CNI incidents it handled itself in the UK over the year to May 2026 — a measure of composition within one agency's caseload, not a base rate that applies to any given operator's inbox. Our reading is that its value to a security team is directional: it tells you that when serious things happen to UK essential-service systems, the odds strongly favour a capable, resourced adversary rather than opportunistic crime. It does not tell you what proportion of the traffic hitting your own perimeter is state-grade.
The failure mode to avoid is treating the number as a dosage you can plan capacity against. A percentage drawn from managed incidents says nothing about volume, frequency, or the far larger population of low-grade activity that never reaches national-authority incident response. The defensive interpretation we would draw is that the figure justifies raising the assumed sophistication of who might be behind a serious CNI intrusion — not recalibrating day-to-day alert triage around a headline three-quarters.
Signal 02 — The Caseload Is the Denominator, and It Is Narrow by Design
What makes this statistic credible — that it comes from real incident response rather than a survey — is also what bounds it. The denominator is the set of incidents the NCSC managed and assessed as touching UK critical national infrastructure and its supporting ecosystem. That is a deliberately selective population: incidents serious enough, and central enough to essential services, to draw national-authority engagement. Our assessment is that the state-linked share looks high in part because the filter that produced the caseload already screens toward the kind of high-consequence targets that capable states prioritise.
For defenders, the actionable reading is to resist inferring your own threat model from a denominator you are not inside. An organisation outside the CNI perimeter, or inside it but below the threshold that triggers NCSC-level response, is measuring a different population entirely. The figure is best used as evidence about the top of the severity curve for UK essential services — not as a proxy for the attacker mix an average enterprise faces.
Signal 03 — Non-UK Defenders Should Import the Prescription, Not the Percentage
For security leaders outside the United Kingdom, the durable content of the statement is qualitative, and it travels. The observation that capable states are applying sustained pressure to the systems behind essential services is corroborated by allied agencies, and the three capabilities Horne stressed — understanding exposure, building defences on proven fundamentals, and being able to recover — are jurisdiction-neutral. Our view is that a defender abroad can and should treat the UK statement as confirmation of a threat direction while leaving the specific three-quarters figure at the border.
The forward-looking piece is the part most worth importing intact. The NCSC's assessment that AI-enabled tooling will, by 2028, likely be used to exploit known vulnerabilities in legacy technology at scale is a statement about trajectory rather than about the UK, and it sharpens a priority that crosses every jurisdiction: shrink the population of unpatched, internet-reachable legacy systems before automation makes exploiting them cheaper. That is the takeaway we would carry out of this speech regardless of which national authority's remit an operator falls under.