UK Faces Rising Nation-State Cyber Threats Amid Tech Advances

Warning of "tumultuous uncertainty", Richard Horne, CEO of the National Cyber Security Centre, set out a grim forecast for the coming decade at the tenth annual CYBERUK conference in Glasgow. He said rapid technological change driven by AI, paired with geopolitical tensions, is creating a "perfect storm" for the UK's cyber defenses. The NCSC had recorded 204 "nationally significant" cyber incidents at the time of its last annual review, published in October 2026, and Horne said the number of incidents has remained "fairly steady."

Nation-state threats from China, Russia and Iran

Horne told delegates that the majority of the NCSC’s "nationally significant" threats originate from nation states, and he named Russia, China and Iran as persistent actors targeting UK firms and individuals with differing tactics and objectives. He described China’s intelligence and military agencies as displaying an "eye-watering level of sophistication" and noted an August 2025 joint advisory — published alongside twelve allied agencies — that publicly linked three China-based companies to a global campaign overlapping what industry tracks as Salt Typhoon. Google Threat Intelligence Group’s Jamie Collier said China-nexus activity is often quieter and persistent and has shifted toward edge infrastructure such as routers and VPNs.

On Russia, Horne said tactics honed in the theatre of war with Ukraine are now being directed at states considered hostile. The NCSC and partners, including the National Protective Security Authority, are observing sustained Russian hybrid activity across the UK and Europe. Collier characterized Russia as "the most visible and disruptive threat," noting a mix of sophisticated espionage and increased pro-Russia hacktivist activity, while Bridewell’s data shows the Russian effort remains heavily concentrated on Ukraine and espionage against government and policy targets — with direct targeting of UK operational technology and critical national infrastructure by Russian state actors not evident "in volume right now," according to Bridewell’s Martin Riley.

Horne also singled out Iran, saying it is "almost certainly" using cyber activity to support repression of British individuals on UK streets. The NCSC has warned of increased targeted attacks against individuals via social media messaging apps. Riley called Iran "the shifting piece," pointing to Handala wiper activity in March that compromised Stryker's Microsoft Intune environment and remotely wiped devices at a key UK NHS supplier as evidence of the direction of travel, and warned organizations should expect more direct Iranian or Iran-aligned targeting "in the months ahead."

AI and frontier models changing the vulnerability landscape

The arrival of frontier AI models is a central concern. The release of Anthropic’s Claude Mythos model — described in the source as promising to identify and fix software vulnerabilities at speed — prompted the UK government to send an open letter to business leaders urging planning for rapid growth in such AI models over the next year and calling for cyber hygiene measures. Horne said "Frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale," and Rob Demain, CEO of e2e-assure, warned zero-day attacks are becoming more common across all business sizes as a result. Despite the AI-driven change, Demain stressed that "basics such as full visibility across all environments, 24/7 monitoring, and correct technological configuration" remain among the easiest ways to stay a hard target.

UK preparedness: culture, skills and basic controls

Industry leaders at CYBERUK warned preparedness is uneven. Anthony Young, CEO of Bridewell, said most businesses are "not well prepared," struggling to implement basic controls and to achieve full visibility across their estates while security budgets are being squeezed. Horne urged a "cultural shift" so everyone — whether on the board or the IT help desk — is part of the cybersecurity mission. Young told Infosecurity that executives must "stand up" and invest for the long term, and that if a nation state launched a sustained attack on the UK today he would be "very worried." Demain cautioned that if organizations do not evolve how they detect and respond over the next 12 months they risk becoming "significantly under prepared."

GTIG’s Collier argued the most critical change for cybersecurity leaders is a move from a prevention-only mindset to a resilience mindset: "Organizations have to assume adversaries can gain initial access and focus on making their environment as difficult as possible for intruders to navigate."

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams should assume AI will accelerate discovery of vulnerabilities and therefore prioritize detection, response and resilience measures, including continuous visibility and 24/7 monitoring, as recommended by industry speakers.
  • Policymakers and regulators will need to sustain cross-agency collaboration: the NCSC’s August 2025 advisory was coordinated with twelve allied agencies, illustrating the international dimension of attribution and response.
  • Affected enterprises and procurement leaders must harden edge infrastructure and supply chains — the March Handala incident that affected Stryker’s Microsoft Intune environment and a UK NHS supplier shows how vendor and configuration weaknesses can cascade into operational impact.

The NCSC’s warning at CYBERUK frames a simple but stark reality: nation-state actors with different aims are operating at scale and frontier AI is lowering the cost and speed of exploitation, while many UK organisations remain short on basics and cultural readiness. The immediate challenge is not a single new technology or a lone adversary but the combination — policy, people and platform — that will determine whether the coming period of "tumultuous uncertainty" becomes manageable or calamitous.

https://www.infosecurity-magazine.com/news/uk-faces-a-cyber-perfect-storm-ncsc/