Richard Horne Seeks to Reframe Discussion of Cyber Exposure (@daveperera) • June 17, 2026
Britain's top cybersecurity official sought Wednesday to reframe digital defense as a contest against a constantly shifting opponent rather than a risk to be managed, calling today's spate of breaches and hacking incidents the opening salvos of a future war.
Richard Horne, chief executive of the U.K. National Cyber Security Center, criticized private sector risk benchmarks that rely on peer performance to rank exposure.
"Being 'roughly as good as your peers' is not a complete strategy for security," he said. Under that rubric, Horne suggested during a speech at London think tank Royal United Services Institute, the United Kingdom will lose the fight to control cyberspace.
"In any contest, the only benchmark that matters is how your capability and performance compares to that of your opponent," Horne said. The opponent is overwhelmingly the intelligence and military agencies of rival capitals, he added. Three quarters of the incidents managed by the NCSC over the last 12 months were likely instigated by nation-state hackers, he said.
Horne, who assumed leadership over the NCSC in October 2024, earlier this year disclosed that the center investigates major attacks at a rate of about four per week. He called for a "full court press" against cybersecurity foes in a March interview with ISMG (see: National Cyber Resilience Demands Unified Defense).
"The many vulnerabilities that organizations tolerate today will be exploited in conflict tomorrow. If they are too expensive or hard to fix in peacetime, then they certainly will be in war," Horne said Wednesday.
"Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today," he warned.
Many organizations fail to implement what the NCSC terms "Cyber Essentials" - basic technical controls such as establishing a secure baseline configuration for computers, instituting user access control and ensuring a firewall is blocking malicious traffic.
A legislative proposal touted by Horne, dubbed the Cyber Security and Resilience Bill, would expand the British government's ability to impose new security requirements on critical infrastructure operators, a category that would newly include managed security providers and data centers. "Our role as government is to catalyze a response at scale," he said.
"When executives ask 'When will we be done investing in cybersecurity?' the answer is: never," he said.






















