UK Cyber Defences Fail as State Threats Surge
75% of UK cyber attacks traced to hostile states; legislation still pending
Model Diplomat6 min readEurope

The UK's Cyber Defences Are Failing — and the Threat Is No Longer Just Russian
Three-quarters of attacks on Britain's critical infrastructure now trace to hostile states, while home-grown teenagers crippled Transport for London from a bedroom in Walsall. The convergence of state espionage, AI-accelerated exploitation, and criminal impunity has outpaced the UK's 2018-era regulatory framework — and the legislation meant to fix it is still not law.
On June 17, 2026, NCSC chief executive Richard Horne delivered a speech at the Royal United Services Institute that should have recalibrated the national security debate. More than 200 cyber incidents affecting the UK's critical national infrastructure and its supporting ecosystem were managed by his agency in the year to May 2026, he disclosed — and around 75% of those were linked to hostile state actors, principally Russia, China, and Iran. NCSC
The figure is not a spike — it is the new baseline.
The NCSC's 2025 Annual Review, published in October 2025, recorded 204 nationally significant incidents in the 12 months to August 2025 — a 129% jump from 89 the previous year, averaging four per week. Of those, 18 were categorised as "highly significant," meaning they had a serious impact on essential services, the economy, or a large proportion of the UK population. That marked a 50% increase for the third consecutive year. NCSC Annual Review 2025
The number that should most concern policymakers is not in the NCSC data. It is the legislative calendar.
The Bill That Hasn't Arrived
The Cyber Security and Resilience (Network and Information Systems) Bill — the legislative vehicle designed to replace the UK's post-Brexit, 2018-era NIS Regulations — was introduced to the House of Commons on November 12, 2025. It completed Committee stage in February 2026, was carried over into the current session, and as of July 2026 has been introduced in the House of Lords as HL Bill 32. GOV.UK It has not been enacted. The gap between the threat curve and the regulatory response widens by the month.
The bill is not cosmetic. It would expand the scope of regulated entities to include managed service providers and data centres — a direct response to the supply-chain breaches that have characterised every major attack since 2024. It would equip regulators with stronger enforcement powers and, critically, grant the government new executive powers to respond to imminent cyber threats to national security. GOV.UK factsheets
During Committee stage in February 2026, industry representatives were blunt. techUK's Jill Broom testified that the bill "needs to go a bit further," warning that regulated entities face "pretty significant legal jeopardy" because so much detail is being deferred to secondary legislation. Dr Sanjana Mehta from RUSI urged expanding sectoral scope to include public administration. Hansard, February 3, 2026
The DSIT cyber security newsletter confirmed in May 2026 that a full National Cyber Action Plan will be published "this summer." The government is publishing a strategy before it has passed the law required to execute it. DSIT
Horne's language at RUSI sharpened the signal. Cyber security, he argued, should no longer be treated "simply as a risk to be managed, but as an ongoing contest with capable adversaries." The framing is not academic — it signals an agency preparing for a shift from reactive defence to active contestation. The NCSC now assesses that by 2028, AI-enabled cyber capabilities will be used by attackers to exploit known vulnerabilities at scale across critical national infrastructure. NCSC
The Submarines and the Cables
The cyber threat does not end at the digital perimeter. On April 15, 2026, Defence Secretary John Healey disclosed that three Russian submarines — one Akula-class attack submarine and two GUGI spy submarines from Russia's deep-sea research directorate — had conducted a covert month-long operation over undersea cables and pipelines in waters north of the UK. The Royal Navy deployed frigate HMS St Albans, the tanker RFA Tidespring, and anti-submarine Merlin helicopters to track the vessels. BBC News
"We see you. We see your activity over our cables and our pipelines, and you should know that any attempt to damage them will not be tolerated and will have serious consequences," Healey said, addressing Vladimir Putin directly from the Downing Street podium. BBC News
It is the most explicit known instance of Russia mapping UK subsea infrastructure for conflict targeting. More than 90% of the UK's internet traffic travels via roughly 60 undersea cables. The Langeled pipeline, stretching 724 miles between Norway and the UK, carries approximately 77% of Britain's gas imports. BBC News The CSIS noted in March 2026 that Russian hybrid warfare campaigns are designed to "erode European cohesion and capacity without triggering a conventional military response."
CSIS
Healey confirmed that GUGI spy submarines spent time positioned over "critical infrastructure relevant to us and our allies" and that while there is no evidence of damage, the Royal Navy's surveillance operation was designed to collect intelligence on Russian tactics and "potentially recover any surveillance assets left behind." BBC News
The Teenagers in the Bedroom
While state actors map the physical infrastructure, domestic teenagers are collapsing the digital one. On July 16, 2026 — three days ago — Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five years and six months in prison for the cyber-attack that crippled Transport for London between August and November 2024. The hack disabled 148 technology systems, forced all 27,000 TfL employees to reset their passwords in person, stole personal data from approximately 10 million customers, and cost the transport authority £29 million. BBC News
The pair were part of Scattered Spider, a loosely coordinated collective of young, native-English-speaking hackers — mostly based in the UK and US — that the NCA has described as one of the biggest threats to the nation's cyber security. They live-streamed their 16-hour intrusion. "Scattered Spider is creating webs on the London Underground," Flowers joked. He was 17 at the time. Jubair was 18. BBC News
They gained access by calling a TfL help desk and tricking a staff member into resetting credentials. The methodology was not sophisticated. The systemic failure, however, is profound. Flowers had been visited by West Midlands Regional Cyber Crime Unit in 2023 and issued a cease-and-desist order — which he ignored. Jubair had 22 previous convictions, beginning at age 14, including a Youth Rehabilitation Order for hacking with the Lapsus$ group, which targeted Nvidia and BT/EE. BBC News
NCA deputy director Paul Foster has publicly called for Cyber Crime Risk Orders — pre-emptive court restrictions on high-risk individuals — as part of planned reforms to the Computer Misuse Act. Those reforms remain unlegislated. BBC News
Scattered Spider's footprint extends far beyond TfL. The group has been linked to the ransomware attacks on Jaguar Land Rover — which halted production for five weeks — as well as Marks & Spencer and the Co-op, where the data of all 6.5 million members was stolen and held to ransom. JLR's attack is under investigation for possible Russian state links; if confirmed, it would represent a deliberate blurring of the line between criminal and state-sponsored actors. Chatham House
In April 2026, Peter Stokes, a 19-year-old dual US-Estonian national, was arrested in Finland and extradited to the US on Scattered Spider-related charges. The Department of Justice says the group has been involved in hacks resulting in more than $100 million in ransom payments. BBC News
The NHS: A Patient Dies
A patient died. King's College Hospital NHS Foundation Trust confirmed the death occurred during the June 2024 Qilin ransomware attack on Synnovis, a pathology testing provider, and the attack was a contributing factor. More than 10,000 appointments were cancelled. The Health Service Journal reported nearly 600 linked incidents, with patient care suffering in 170 of them — one case of severe harm, 14 of moderate harm. BBC News
Qilin, a Russia-based group, published almost 400GB of patient data on its darknet site — including names, dates of birth, NHS numbers, and blood test descriptions. When contacted by the BBC on an encrypted messaging service, the group said it had deliberately targeted Synnovis "as a way to punish the UK for not helping enough in an unspecified war." BBC News
Two years later, the data breach continues to metastasize. In June 2026, Mid and South Essex NHS Foundation Trust confirmed 2,380 of its patient records had been stolen in the same Synnovis hack. Bedfordshire Hospitals NHS Foundation Trust disclosed nearly 33,000 affected records. Norfolk and Norwich University Hospitals were also breached. Synnovis's chief executive Mark Dollar said the data was stolen "in haste and in a random manner" and that the company had only notified affected organisations in November 2025 — 17 months after the attack. BBC News
Discover more

India
Congress Accuses Modi of Stalling Women's Law
Congress accuses Modi of stalling women's reservation law by linking it to delimitation, revealing a deeper electoral strategy.

India
Women’s Reservation Bill 2026
The Constitution (131st Amendment) Bill, 2026 was defeated in Lok Sabha, revealing deeper political conflicts over women's reservation and delimitation.

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.

Economics
Trump's 10% Tariff Expires July 24
Trump's 10% universal tariff expires July 24, replaced by a two-tier Section 301 forced-labor tariff. Countries with bilateral deals pay 10%; others face 12.5%. $86B in IEEPA refunds paid.