Skip to main content
Geopolitics & DefenseNational Security

UK Bolsters National Risk Register with New Cyber Threat Scenarios

Government officials gather in a formal conference room with subtle tech elements in the background.

"Throughout our history, the UK has overcome challenges from plagues and pandemics to war and our fair share of wet weather." The phrase, offered by the chief secretary to the Prime Minister, Darren Jones, frames a sweeping reassessment of national risk: on July 14 the government updated the National Risk Register to add several cyber-related scenarios — some described as capable, in the register's own terms, of producing fatalities and mass casualties.

New scenarios anchored to the classified National Security Risk Assessment

The updated National Risk Register, published on July 14, draws its judgments from the government's internal, classified National Security Risk Assessment and now treats a set of cyber scenarios alongside long-standing non-malicious threats such as severe weather. The register explicitly couples malicious risks — including terrorism and cyber-attacks — with non-malicious risks, reflecting the government's view that dependency on information technology (IT) and operational technology (OT) changes the shape and severity of national emergencies.

Colocation datacenters: "disruptive and sophisticated" attacks

One newly listed scenario is a cyber-attack on data infrastructure: a "disruptive and sophisticated" assault against one or more UK colocation datacenters that permits exfiltration of data, customer information, intellectual property, or operational details. The register gives this scenario a likelihood score of 5–25% — labelled "highly unlikely" — and an impact rating of "moderate." The published impact band is specific: fatalities of up to 200, casualties of up to 400, and economic costs reaching hundreds of millions of pounds. The register notes disaster recovery for such an attack could take several days to weeks, while data restoration might take years.

Water systems, policing infrastructure, and a mass IT outage

Three other cyber scenarios received detailed treatment. A cyber-attack on water infrastructure describes an intruder moving into a water company's OT systems and deploying destructive malware, producing loss of visibility and control; the register warns a major disruption to water supply and wastewater services for a large population could take several months to recover from and lead to physical and mental health casualties and fatalities. A cyber-attack on policing infrastructure could compromise investigations and prosecutions, risk staff safety, damage reputation, and reduce police access to intelligence and operationally critical information — curtailing frontline effectiveness and creating risks to life and property; the most severe impacts are expected to last days with ongoing disruption stretching into months. Finally, the register adds a "mass CrowdStrike-style outage impacting IT systems" — described as a digital outage with key impacts including shutdown of communications, emergency services, transport, border control, financial systems, and broadcasting, alongside widespread failure of smart devices and smartphones. The water and policing scenarios share the same 5–25% likelihood and "moderate" impact band; the digital outage has an assessed likelihood anywhere between 1% and 25%+, and an impact range from moderate to catastrophic.

Interference in democratic processes — a new, dedicated section

The register also introduces a new section devoted to interference in democratic processes. That section sets out a range of vectors including "attacks on election infrastructure, deterioration of the online information space, harassment and intimidation towards candidates or voters, the hack and leak of sensitive information relating to a party or a prominent individual, and any element of foreign interference in any of these." By listing these elements together, the register treats attacks on technical systems and degradation of the information environment as parts of a single, aggregated risk to democratic functioning.

What this means for technologists, policymakers, and the public

  • Technologists and security teams: expect the register's scenarios — particularly datacenter, water, and policing outages — to shape resilience planning and incident response playbooks, since the document quantifies both likelihood bands and concrete impact measures such as fatalities and multi-month recovery timelines.
  • Policymakers and regulators: the inclusion of democratic interference and broad digital outage scenarios will feed into cross-government planning and the classified National Security Risk Assessment; the register's linkage of AI and expanding IT/OT dependence (as cited by Darren Jones) signals a policy focus on emerging tools and systemic dependencies.
  • End users and households: the government says it will launch a "landmark national resilience campaign" later this year aimed at encouraging households to take simple steps to improve resilience to risks like cyber-attacks, placing public preparedness alongside technical and institutional measures.

In parliament on June 14, Darren Jones linked the updates to both climate signals and technological change: "This year we saw temperatures across the UK breaking records in May, only to be exceeded again in June, and AI offers new ways for criminals to carry out cyber-attacks against us, as well as offering huge opportunities for our economy and security." The register's additions make concrete the government's assessment that digital dependencies and the evolving threat environment can produce physical harms and prolonged disruption — and they set a calendar marker for an upcoming public resilience campaign.

The publication leaves an immediate policy choice visible: whether the new register prompts accelerated investments in OT protections, datacenter redundancy, policing system backups, and household-level guidance. The register supplies probabilities and impact bands; the next step is execution — and the nation will soon watch how that execution is communicated to, and received by, the public.

Original story: https://www.infosecurity-magazine.com/news/uk-national-risk-register-cyber/