What the NCSC’s 75% State Threat Figure Means for Your Business

by Rebecca Sutton

On 17 June 2026, the National Cyber Security Centre released figures showing that state-sponsored cyber attacks were behind three-quarters of the incidents it handled across UK critical national infrastructure in the past year. That is more than 200 incidents in 12 months. If your instinct is “that’s not my problem, I don’t run a hospital or a power station,” read on. The exposure is wider than most businesses recognise.

State-Sponsored Cyber Attacks: Who Is Actually at Risk

Critical national infrastructure is a defined category, but the threat does not respect those boundaries. State actors consistently use supply chains, managed service providers and technology vendors as the route into CNI targets. So if your organisation provides IT, payroll, logistics or software to anyone in the CNI sectors, you sit within the attack surface the NCSC is describing.

That is not theoretical. Past campaigns attributed to Russian and Chinese state actors have deliberately targeted smaller suppliers because they held trusted access to larger targets. The pattern has not changed. The NCSC’s new data confirms it is still the dominant threat mode.

Why “State-Sponsored” Changes the Risk Calculation

Criminal ransomware groups want money. They typically move fast, make noise and look for the path of least resistance. State actors are often more patient. They want persistent access, gathered intelligence and the ability to act at a time of their choosing. That changes the threat model in two ways.

First, state-linked intrusions are more likely to be quiet. A compromised account reading email and mapping systems for months does not trigger the same alerts as a ransomware deployment. Standard detection tools calibrated for noisy criminal activity may miss the earlier stages of a state-linked intrusion entirely.
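As an added illustration that is not part of the original article, the following Python script contrasts the two detection styles over a constructed sign-in log (the user, the ASNs and the timestamps are invented for the example): a per-hour volume threshold of the kind tuned for mass-download or mass-encryption activity, and a per-user baseline rule that flags a source network never seen in the user's first two weeks but then present on several separate days. The quiet intruder generates two events a night and never trips the threshold; the baseline rule reports it with the hours and actions involved.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sign-in and mailbox events for one user (not real data).

    'alice' signs in every morning from her usual network (AS64500) and reads
    mail. From day 20 an unfamiliar network (AS64501) also signs in as alice,
    once a night, and reads mail. Volume barely changes; only the source
    network and the hour of day do.
    """
    base = datetime(2026, 5, 1, 9, 0)
    events = []
    for day in range(30):
        t = base + timedelta(days=day)
        events.append({"user": "alice", "ts": t, "asn": "AS64500", "action": "signin"})
        events.append({"user": "alice", "ts": t + timedelta(hours=1), "asn": "AS64500", "action": "mail.read"})
        if day >= 20:
            night = t + timedelta(hours=18)  # 03:00 the following morning
            events.append({"user": "alice", "ts": night, "asn": "AS64501", "action": "signin"})
            events.append({"user": "alice", "ts": night + timedelta(minutes=5), "asn": "AS64501", "action": "mail.read"})
    return events


def volume_alerts(events, per_hour=50):
    """Threshold rule: alert when one user generates more than `per_hour`
    events in a single clock hour. Catches mass file access or encryption;
    a handful of reads per night never reaches the threshold."""
    buckets = defaultdict(int)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["user"], hour)] += 1
    return [{"user": u, "hour": h, "count": c} for (u, h), c in buckets.items() if c > per_hour]


def quiet_alerts(events, baseline_days=14, min_days=3):
    """Baseline rule: learn each user's source networks over the first
    `baseline_days`, then alert on any new network seen on at least `min_days`
    distinct calendar days afterwards, however few events it generates.
    Persistence from an unfamiliar source is the signal, not volume."""
    if not events:
        return []
    events = sorted(events, key=lambda e: e["ts"])
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)
    baseline = defaultdict(set)   # user -> ASNs seen during the baseline window
    seen = defaultdict(lambda: defaultdict(lambda: {"days": set(), "hours": set(), "actions": set()}))
    for e in events:
        if e["ts"] < baseline_end:
            baseline[e["user"]].add(e["asn"])
            continue
        if e["asn"] in baseline[e["user"]]:
            continue                      # familiar source, nothing to report
        rec = seen[e["user"]][e["asn"]]
        rec["days"].add(e["ts"].date())
        rec["hours"].add(e["ts"].hour)
        rec["actions"].add(e["action"])
    alerts = []
    for user, asns in seen.items():
        for asn, rec in asns.items():
            if len(rec["days"]) >= min_days:
                alerts.append({
                    "user": user, "asn": asn, "days": len(rec["days"]),
                    "first_seen": min(rec["days"]).isoformat(),
                    "hours": sorted(rec["hours"]), "actions": sorted(rec["actions"]),
                })
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    print("volume rule:", volume_alerts(sample))
    for alert in quiet_alerts(sample):
        print("baseline rule:", alert)
```

The baseline window and the day count are the two knobs worth tuning in practice: too short a baseline and travelling staff generate noise, too high a day count and the alert arrives after the intruder has finished mapping the estate. The point of the comparison is that a rule keyed on volume has no way to express "same user, new network, every night for ten days", which is exactly the shape of a long-dwell intrusion.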

Second, state-sponsored cyber attacks are better resourced. NCSC CEO Dr Richard Horne cited Volt Typhoon at the RUSI Annual Security Lecture. Volt Typhoon is a Chinese state campaign, publicly attributed in 2024, that placed footholds inside critical infrastructure networks for future use rather than for immediate disruption. These are not rushed attacks. They are strategic operations. Comparing your defences to those of peer organisations is therefore not enough. Horne was direct: “being ‘roughly as good as your peers’ is not a complete strategy for security.”

The Three Security Priorities the NCSC Recommends

Horne set out three priorities at the RUSI Annual Security Lecture. They are not novel. But their source matters: these are the areas the NCSC believes would have prevented many of the 200-plus incidents it handled this year.

Understand your threat exposure. Know what an adversary would target in your organisation and how they would reach it. This requires mapping your assets, your third-party dependencies and your authentication architecture. A penetration test scoped to your actual attack surface is one of the fastest ways to understand this clearly. Generic scopes miss too much.

Address the fundamentals. Patch management, multi-factor authentication, privileged access controls, logging and monitoring. The NCSC’s own incident data shows that most significant breaches succeed because the basics are not in place. “We still see far too many significant incidents today that are possible because the fundamentals are not in place,” Horne said.

Ensure continuity and recovery. If a compromise happens, how quickly can you identify it, contain it and resume operations? Detection and recovery planning are as important as prevention. Organisations that measure security only by the absence of incidents will be underprepared when one occurs.

The AI Threat Has a Specific Deadline

The NCSC has assessed that AI-enabled cyber capabilities will very likely target legacy systems at scale by 2028. Most commentary on AI and security points to abstract future risks. This is different. It is a two-year planning horizon. The vulnerability class being flagged, legacy systems with known unpatched weaknesses, exists in most organisations right now. State-sponsored cyber attacks are already exploiting exactly these gaps, without AI assistance.

There is no AI solution to an unpatched system. There is patching, network segmentation and decommissioning old infrastructure, or compensating controls where replacement is not yet possible. Identifying these exposures now, before they become routes in, requires a structured assessment and the organisational will to act on the findings.

Legislation Is Moving Quickly

The Cyber Security and Resilience Bill is the government’s direct response to the scale of state-sponsored cyber attacks on UK essential services. It will extend mandatory security and incident reporting requirements to more organisations and sectors. A National Cyber Action Plan is expected in early July 2026, setting out government and industry responsibilities in detail.

Organisations that treat compliance as the end goal will spend the next year playing catch-up. Those that treat the underlying security as the goal will find compliance straightforward.

A Practical Starting Point

The NCSC’s own guidance covers the fundamentals and is available without charge at ncsc.gov.uk. But reading guidance and actually improving your security posture are different things. The organisations that manage best after an incident are those that tested their defences against real attack patterns, found the gaps, and fixed them first. That principle applies whether you are a CNI operator or a business that has never thought of itself as a security-relevant target.
