The UK must prioritize cybersecurity or be left dangerously exposed

25th October 2025

Recent high-profile cyberattacks on British businesses underscore the need to elevate cybersecurity on the political agenda and prepare for rapidly escalating threats from both hostile states and criminal actors.

As countries gather in Hanoi to sign the first-ever UN binding treaty on cybercrime, the UK's National Cyber Security Centre (NCSC) has issued a sobering assessment of the cyberthreats facing the country.

The NCSC's annual review, which comes after recent high-profile cyberattacks on British businesses, warned that the number of cyber incidents that pose a risk on a national level has risen dramatically. The agency classified nearly half of all the cyber incidents it handled in the past year as nationally significant - a record high.

For a nation that prides itself on digital innovation, this should be a wake-up call. The UK needs to take decisive action to strengthen resilience, support businesses and secure critical infrastructure.

Without these steps, the UK is at risk of a cascading cyber crisis scenario - where coordinated or interconnected attacks could spread rapidly across sectors, disrupting essential services, supply chains and the economy. The consequences would extend far beyond the digital realm, touching every part of society.

Rapidly escalating threats
The NCSC's latest review leaves little room for complacency. The UK faces an intensifying mix of threats from state and criminal actors, with China, Russia, Iran and North Korea identified as persistent and highly capable adversaries. Hostile state actors increasingly target critical national infrastructure, supply chains and key economic sectors.

At the same time, threats are being reshaped by the rapid evolution of ransomware and the growing use of AI-enabled tools for reconnaissance and exploitation. In addition, the proliferation of commercial cyber intrusion tools has lowered the barrier to entry for sophisticated attacks. These tools include spyware and remote access software that was developed for government or corporate use but is increasingly sold on the open market. Together, these trends are expanding the pool of capable actors and accelerating the speed and scale at which attacks can occur.

The recent attacks on Jaguar Land Rover (JLR), Marks & Spencer, and the Co-op Group illustrate that the threat is not confined to foreign states or external perpetrators. Criminal actors, including from within the UK, were allegedly behind these attacks. The attacks disrupted production lines, emptied supermarket shelves and exposed how deeply the economy depends on digital systems that remain acutely vulnerable.

The gap between policy and practice
The UK's national cyber strategy, released in late 2021 and set for a refresh this year, adopted a 'whole-of-society' approach, where government, business and citizens all play a role in building resilience.

It's a good principle, but implementation has not kept pace with the threat. The Cyber Security and Resilience Bill announced in the King's speech in July 2024 is meant to strengthen baseline security standards across industries. However, it has been repeatedly delayed and has not yet been introduced to parliament.

Senior ministers, including Chancellor Rachel Reeves, wrote last week to FTSE 350 executives urging them to take concrete measures to improve their cyber resilience. While such guidance is important, translating awareness into concrete action will require stronger and timely regulation, incentives and enforcement mechanisms. Otherwise, the risk is that many companies will continue to treat cybersecurity as a cost burden, rather than a matter of survival.

The consequences are plain to see. The attacks on Co-op and M&S forced temporary store closures and distribution chaos. JLR halted production for five weeks. These are not isolated events - they reveal how one cyber incident can ripple across supply chains and disrupt logistics, manufacturing and consumer confidence.

And whilst large corporations may have resources to recover, they are not immune. JLR, for example, required a government-backed loan package to stabilize operations after its recent cyber incident.

Small and medium-sized enterprises (SMEs), by contrast, generally have fewer financial or technical buffers to protect themselves adequately. They are hit frequently by cyberattacks, often with devastating impact. This creates a systemic weak point: if SMEs collapse, so may the larger networks they feed into.

Blurring lines, growing risks
Part of what makes today's threats so dangerous is the blurring of lines between state and criminal actors. Ongoing investigations are examining possible Russian links to the JLR attack; if confirmed, it would underscore how tightly intertwined domestic and foreign cyberthreats have become.

This hybrid ecosystem means the UK could easily face simultaneous attacks of different kinds - some strategic, some criminal, but all compounding in effect.

Consider what a cascading cyber crisis might look like in practice. State-linked groups and criminal operations could strike multiple sectors simultaneously: energy, finance, healthcare, and transport. Essential services would be crippled, economic activity would grind to a halt, and national security would be directly threatened.

This is no longer a theoretical exercise. The infrastructure exists, the capabilities are available, and the incentives are clear - whether financial, political, or strategic. The UK’s cyber ecosystem contains numerous weak links that could be exploited to trigger such a cascade.

Global action is vital, but not enough
The UN Convention against Cybercrime, which will be signed in Vietnam this weekend, is a milestone in international cooperation against cybercrime.

It aims to strengthen law-enforcement collaboration, streamline digital evidence sharing and combat transnational crimes such as ransomware and online child sexual exploitation. These are worthy goals. The UK should champion them.

Source
https://www.chathamhouse.org/2025/10/uk-must-prioritize-cybersecurity-or-be-left-dangerously-exposed

 
