Britain's top cyber defender is asking the country to stop fighting the wrong war. The threat facing UK critical infrastructure, the nuclear deterrent, power plants, hospitals, airports and the digital systems behind them, is no longer a single breach to repel at the gate. It is a continuous, distributed contest, according to remarks by Richard Horne, chief executive of the National Cyber Security Centre, the cybersecurity arm of GCHQ, as reported by The Guardian.
The shift in mental model matters more than any headline number. For two decades, defenders have organized around the perimeter: build a wall, watch the gate, contain the breach. Horne's argument is that the adversary has already moved past the wall. The contest is now in midfield, on the wings, and in the back line, every hour of every day, which is why he rejects the image of a wrestling match with a defined clinch in favor of a football or basketball game played across a wide field.
The numbers are a symptom, not the story. The NCSC's own tally, more than 200 incidents against UK critical national infrastructure in the past year, gives a sense of scale, but the agency has not anchored the count to a specific 12-month window or normalized it against the size of the sector, so it should be read as an order-of-magnitude signal rather than a precise rate. Roughly three-quarters of those incidents are believed to be linked to state actors, the agency said, naming Russia, China and Iran. That attribution is the NCSC's own assessment, not an independent forensic finding, and the "believed to be" hedging is doing real work: state-linked operations are often deniable, and the line between espionage, disruption and preparation is deliberately blurred.
Horne's second move is the one that lands hardest: a forecast that the contest will intensify, not steady. By 2028, he argues, artificial intelligence will let capable adversaries probe, profile and personalize attacks at a scale defenders cannot match by throwing bodies at the problem. That is a projection from a single official, not a measured trend, and it should be read as a planning assumption rather than a deadline. The direction, though, is the point. Cheap, automated reconnaissance and tailored phishing are already compressing the time defenders have to spot a real intrusion among the noise.
The cheapest, most decision-useful change is the one Horne keeps returning to, and the one boards, hospital trusts and power operators can act on this year: basics. Tested backups. Recovery playbooks that have been exercised, not written. Patching discipline. Identity controls that do not depend on a single password or a single person. These are unglamorous, and they have been the cybersecurity community's prescription for a generation, which is precisely why they are still the right answer when the threat has gone upmarket.
The reader's exit ramp from helplessness is the same as Horne's. The contest is not winnable in the sense of a perimeter fight that ends with a clean repulsion. It is winnable in the sense of staying on the pitch, contesting every zone, and accepting that fundamentals, recovery, backups and basic cyber hygiene, are the part of the game that does not depend on out-arming the adversary. Horne's pitch metaphor is, in the end, a prescription for a different kind of preparation: not a fortress, but a team that knows how to play the whole field.