"We do know from conflicts around the world this last year that cyber operations are now integral to conflict, as much a reality of modern warfare as drones and missiles, and the scope of targeting is getting wider," Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said at this year's 10th annual CyberUK conference in Glasgow.
NCSC workload: roughly four major attacks a week and 200+ nationally significant incidents
Horne told the CyberUK audience that the NCSC investigates major attacks at a rate of about four per week. That operational tempo sits alongside a broader surge: Anne Keast-Butler, director of the Government Communications Headquarters (GCHQ), said the NCSC "handled over 200 nationally significant incidents last year, more than double the year before." The figures underline a rapid escalation in the volume and severity of cyber incidents that the British government treats as national concerns.
Majority of serious investigations now trace to nation-state actors — China and Russia singled out
While British businesses continue to face financially motivated ransomware as their chief cybercrime threat, Horne said "the majority" of attacks the NCSC investigates trace to nation-state threat actors. He warned that China wields an "eye-watering level of sophistication in their cyber offerings," a capability he said is on par with Britain's own. Horne also singled out Russia, saying it has been "taking cyber lessons used in the theater of war and moving them beyond the battlefield."
The conference referenced concrete precedents: Horne cited the "attacks on the Polish energy sector in December" as a stark reminder that cyber operations can target critical infrastructure beyond classical military targets.
MI6, hybrid tactics, and the "space between peace and war"
Blaise Metreweli, chief of the Secret Intelligence Service (MI6), described a broad toolkit Moscow is testing in the gray zone. Metreweli listed items including "cyberattacks on critical infrastructure," "drones buzzing airports and bases," "aggressive maritime and undersea activity," "state-sponsored arson and sabotage" and a range of "propaganda and influence operations" aimed at exploiting societal divisions. "We are now operating in a space between peace and war," she said.
Dan Jarvis, Britain's minister of state for security, echoed the broader theme, saying Russia "has worked out that the most effective way is not to confront us directly but to quietly hollow us out." Collectively, these statements frame the current threat posture as a blended campaign that mixes kinetic, cyber and informational instruments below the formal threshold of war.
Frontier AI, Claude Mythos, and an accelerating cyber arms race
Speakers at CyberUK highlighted how emerging frontier artificial intelligence models can alter offensive and defensive dynamics. Officials warned that models such as Claude Mythos can find vulnerabilities and chain them together into exploits, and they said open-source models offering similar capabilities could arrive within six months. Jarvis said the government is committed to forging "much closer ties with frontier AI model developers" and argued for building "national scale, AI-powered cyber defense capabilities — capabilities that can protect our nation's most critical networks by autonomously identifying and addressing vulnerabilities at a speed and scale no human can match."
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: expect an expanded remit beyond traditional IT — Horne noted cybersecurity now includes "securing the operational technology that controls energy systems, to production lines, robotics, space-based communications autonomous systems and agents." Protecting these environments will require different tooling and threat models.
- Policymakers and regulators: must contend with hybrid activity and AI-driven escalation. The government's stated priorities include studying Russian hybrid tactics, deepening engagement with frontier AI developers, and investing in AI-powered, national-scale defensive capabilities.
- Affected enterprises and procurement leaders: face a two-track threat environment. Ransomware remains the chief cybercrime danger for businesses, even as nation-state attacks make up the majority of incidents judged nationally significant. Resilience planning now needs to account for both financially motivated crime and sophisticated state-aligned operations against critical infrastructure.
British intelligence and military leaders, as represented at CyberUK, are racing to study how cyber operations have been used in current conflicts and to "shore up our resilience at home," Horne said. The combination of an increased rate of nationally significant incidents, explicit attribution to nation-states for the majority of probes, and the rapid arrival of frontier AI tools presents a concentrated set of challenges: operational scale, widening target sets, and accelerating attack automation. How government, industry and AI developers translate the conference rhetoric into durable defenses — and whether open-source AI capabilities arrive on the six‑month horizon mentioned by officials — will shape the next chapter of this contest.




