Britain is already fighting the opening exchanges of future conflicts in cyberspace, the country’s cyber chief warned Wednesday, as he disclosed that hostile states are responsible for three-quarters of the attacks striking the country's critical national infrastructure.

Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said his teams had handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May, of which about 75% were believed to be the work of state actors.

The detail builds on Horne’s disclosure earlier this year that his agency was handling four nationally significant cyber incidents a week, with the majority traced back to what are believed to be hostile governments rather than criminal hackers.

Delivering the annual security lecture at the Royal United Services Institute on Wednesday, Horne said his agency was “regularly finding and stopping breaches, before their intent becomes clear.”

He warned that “kinetic targeting in any conflict tomorrow will be based on intelligence gathered today” and that adversaries were “prepositioning” throughout British critical infrastructure.

Horne described these threats as “establishing footholds within technology that underpins critical national infrastructure that could enable rapid exploitation, to cause mass disruption in a time of conflict,” and cited Volt Typhoon, the Chinese state-linked campaign exposed against U.S. infrastructure, as the clearest example of the tactic.

The announcement did not detail these breaches, but the reference is significant: British intelligence has tended to be much more guarded than Washington about naming such intrusions, partially on the basis that acknowledging them publicly may inadvertently assist the perpetrators.

“In cyberspace, we are not preparing for tomorrow’s conflicts. To some degree we are fighting them today,” said Horne.

Changing tone

Horne’s speech notably departed from the vocabulary his own agency has long used when discussing cybersecurity. The issue, he argued, should no longer be treated as a “risk” to be managed and tolerated but as a “contest” to be fought.

For a decade, the vocabulary of risk management has effectively been the house style of British cyber advice. The NCSC’s flagship guidance document, the Cyber Assessment Framework, opens with an objective titled “managing security risk” and existing guidance on the agency’s website walks practitioners through risk assessment, risk quantification and the setting of risk appetites.

Horne’s speech places the NCSC’s vocabulary in step with a wider shift in how Western governments have come to describe cyberspace. NATO declared in its 2022 strategic concept that the domain is “contested at all times,” and in the years since, allied officials echoed the sentiment that cyberspace is best understood as a permanently contested environment.

Senior figures at U.S. Cyber Command have made much the same case, warning that the steady pattern of attacks falling short of war is nonetheless having “strategically consequential effects” on Western states.

“When executives ask ‘when will we be done investing in cyber security?’ the answer is: never,” said Horne. He warned that benchmarking defences against industry rivals, a staple of corporate risk management, was an inadequate approach.

“The only benchmark that matters is how your capability and performance compares to that of your opponent,” he said.

Horne’s earlier speeches dwelt on a “widening gap” between threats and defenses, warning that the country was dangerously underestimating the danger. On Wednesday, he repeated his recent call for a “full court press” across what he called the near, mid and far spaces of cyberspace.

Artificial intelligence, he added, would sharpen the threat. A new NCSC assessment judged it “highly likely” that by 2028 AI tools would be used to exploit known weaknesses in ageing technology across critical infrastructure — a concern the agency has stressed in recent months.

The reframing arrives as the British government moves to complete the passing of the Cyber Security and Resilience Bill through Parliament, which will use regulation to compel improvements at operators of essential services.

It also comes as the government plans to introduce a new National Cyber Action Plan. Recorded Future News understands the plan is currently set to be published in early July.

Horne stressed: “In this great contest there are no spectators, we are all on the pitch. If we collectively embrace the contest, understand the urgency and believe we can be a match for any opponent, then we can and will prevail.”