
UK cyber chief warns country is ‘widely underestimating’ risks from cyberattacks

The cyber risks facing the United Kingdom are being “widely underestimated,” the country’s new cyber chief will warn on Tuesday as he launches the National Cyber Security Centre’s (NCSC) annual review.

In his first major speech since joining the NCSC — part of the signals and cyber intelligence agency GCHQ — Richard Horne will drive a shift in tone in how the cybersecurity agency communicates these risks.

Despite some evidence showing cyberattacks growing year-on-year for half a decade, the NCSC has not previously confirmed the trend nor expressed alarm about it.

“What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us,” Horne will say, according to an advance preview of his speech on Tuesday. 

Citing the intelligence that NCSC has access to as an agency within GCHQ, Horne will warn that “hostile activity in UK cyberspace has increased in frequency, sophistication and intensity,” adding that despite growing activity from Russian and Chinese threat actors, the agency believes British society as a whole is failing to appreciate the severity of the risk.

The annual review reveals that the agency’s incident management team handled a record number of cyber incidents over the past 12 months — 430 compared to 371 last year — 89 of which were considered nationally significant incidents.

NCSC did not break down how many of these were caused by state-sponsored cyber attackers versus financially-motivated criminals, but said 13 of the 89 incidents were ransomware attacks.

Six of the nationally significant incidents were attributed to the exploitation of two zero-day vulnerabilities: CVE-2023-20198 in Cisco IOS XE, which was previously connected to cyberattacks in Norway; and CVE-2024-3400 in Palo Alto Networks PAN-OS, a vulnerability that U.S. authorities said was being exploited by the Iranian government in concert with ransomware groups.

Ransomware generally is described in the review as continuing “to pose the most immediate and disruptive threat to our critical national infrastructure, with some state-linked cyber groups now targeting the industrial control systems that infrastructure relies on.”

“There is a widening gap between the increasingly complex threats and our collective defensive capabilities in the UK, particularly around our critical national infrastructure (CNI),” the report states.

“That widening gap will only become more pronounced over time as the scale and capability of cyber actors proliferates, the relationship between state and non-state actors becomes more obfuscated, and states’ abilities to understand cyber activity becomes fraught. It is therefore vital we increase our cyber resilience across the whole of the UK, and that we do so with urgency.”

The review dedicates the most space to China among foreign threats. Although, unlike the United States, the U.K. has not announced any targeting of its infrastructure by the Chinese hacking group tracked as Volt Typhoon, it has publicly accused Beijing of “carrying out malicious cyber activity targeting U.K. institutions and individuals important to our democracy.”

The document repeats the government's praise for NCSC's certification scheme, Cyber Essentials, but acknowledges criticisms about the low levels of adoption. Out of more than five million eligible organizations in Britain, as of the end of this February only just over 31,000, or fewer than 1%, held a certification.

“The reality is, not enough organisations are implementing our guidance, nor applying these frameworks,” the review finds.

“There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cyber criminals,” Horne will warn. “The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.