At the annual CyberUK conference hosted in Glasgow, Scotland, the leader of the United Kingdom’s top cyber defense body will deliver a stark wake-up call this Wednesday: the gravest cyber threats facing the nation today are not the work of criminal gangs, but of hostile state actors based in Russia, Iran, and China. Richard Horne, chief executive of the National Cyber Security Centre (NCSC) — a division of the UK’s signals intelligence agency GCHQ — will frame this growing threat against a backdrop of unprecedented geopolitical upheaval, arguing the world is now experiencing the most dramatic geopolitical shift seen in modern history. Previews of Horne’s speech, shared with journalists ahead of the event, emphasize that British private and public sector organizations cannot afford to delay upgrading their cyber defenses, as large-scale state-sponsored attacks could target the UK rapidly if the nation becomes entangled in a major international conflict.
Horne’s warning aligns with a growing chorus of alarm across Europe, where Nordic and Central European nations have repeatedly flagged state-linked hacking campaigns targeting critical national infrastructure in recent months. Per Horne’s prepared remarks, the NCSC currently responds to roughly four nationally significant cyber incidents every week. While criminal activity, most notably ransomware attacks, remains the most common cyber challenge for UK entities, the most destructive and high-stakes threats stem from operations backed directly or indirectly by foreign governments.
This characterization of an increasingly dangerous global security landscape echoes recent remarks from other top UK intelligence leaders. Back in December, Blaise Metreweli, head of the UK Secret Intelligence Service (MI6), noted that the international order is far more contested and dangerous than it has been in decades, with the UK now operating in a gray zone that falls somewhere between formal peace and open war. “Let’s be clear, cyberspace is part of that contest,” Horne will reiterate in his Glasgow address.
Horne will outline distinct threat profiles for each of the three major hostile state actors. China’s intelligence and military apparatuses have demonstrated a staggering, eye-watering level of technical sophistication in their global cyber operations. Iran, he will add, is highly likely to be using cyber tools to repress British dissidents and activists within the UK itself, targeting individuals the Iranian regime views as threats to its rule. For Russia, Horne will note that the Kremlin has refined and tested its cyber tactics through its full-scale invasion of Ukraine, and is now deploying those battle-hardened techniques far beyond the Ukrainian battlefield, carrying out sustained hybrid cyber operations targeting the UK and the wider European continent.
A core message of Horne’s speech is a call to action for British organizations: corporate and institutional leaders must study how cyber operations have been deployed in active conflict to build their own defensive resilience. Unlike ransomware attacks, which often can be resolved (at great cost) through payment of a ransom, large-scale state-sponsored cyberattacks in a conflict scenario leave no such exit. No amount of money will buy back access to hijacked systems or stolen data, Horne will stress, meaning every organization must map the full scope of its vulnerability and harden defenses before a crisis hits.
Recent cyber incidents across Northern Europe back up the urgency of this warning. Last Friday, Swedish authorities confirmed that a pro-Russian hacking group with ties to Russian intelligence services was responsible for a cyberattack on a Swedish heating plant carried out last year. Carl-Oskar Bohlin, Sweden’s civil defense minister, drew a direct line between that incident and a coordinated series of attacks in Poland last December, which hit combined heat and power plants supplying nearly 500,000 customers alongside multiple wind and solar farms. Polish investigators later concluded the hackers behind that assault were directly linked to Russian intelligence services.
Those attacks are not isolated. Norwegian authorities have tied an April 2025 hack that disrupted water flow from a Norwegian dam to Russian actors, while Danish officials confirmed a 2024 cyberattack on a Danish water utility that left hundreds of homes without water was also linked to the Kremlin. The Associated Press has tracked more than 155 disruptive incidents — including arson, sabotage, espionage, and cyberattacks — linked to Russia or its proxies by Western officials since Moscow launched its full-scale invasion of Ukraine in February 2022. Beyond critical infrastructure attacks, European officials have also linked Russian actors to a hack of German air traffic control systems, repeated attempts to compromise Signal and WhatsApp accounts belonging to European officials and journalists, and campaigns to exploit router security vulnerabilities to steal sensitive user data on behalf of Russian military intelligence.
