Dr Richard Horne, chief executive of Britain's national cyber agency, the NCSC (National Cyber Security Centre), told the RUSI (Royal United Services Institute) annual security lecture on 17 June that NCSC managed more than 200 cyber incidents against UK critical national infrastructure in the year to May 1. RUSI is a London defence think tank; critical national infrastructure covers the energy, water, health, transport, and finance systems a country cannot function without. Around 75% of those incidents were linked to state actors in Russia, China, and Iran, Horne said 2. He warned that vulnerabilities tolerated today will be exploited in conflict tomorrow.
The number does work beyond the headline. It lands as the UK Cyber Security and Resilience Bill moves through Parliament, having cleared the Commons on 10 June without the ransomware-payment regime that fell out at report stage . A bill asking operators to report incidents and meet baseline standards is easier to defend with a named agency putting a count on the threat to the systems it covers. Horne's 200-plus figure, three-quarters of it traced to hostile states, is the evidence base ministers can cite at the Lords stage.
Horne also looked forward, putting AI-enabled exploitation of known flaws at scale by 2028 3. That horizon would be overtaken within days, when the wider Five Eyes alliance compressed the same timeline far harder in a joint statement of its own.
