Key Takeaways
Rising geopolitical instability is leading to a surge in state-backed attacks worldwide, as bad actors with increasingly sophisticated techniques target public infrastructure and private enterprises.
While the U.S. vows to ramp up its public infrastructure resilience, some experts are concerned that the U.K.’s cybersecurity is not ready to defend against rapidly growing threats.
In 2024, the U.K.’s National Cyber Security Centre (NCSC) recorded a 16% increase in severe attacks impacting national security.
The NCSC’s annual report, published on Dec. 3, found that the U.K.’s cyber risk is “widely underestimated.”
The report claimed the agency’s Incident Management team intervened 430 times out of the 1,957 cyber-incident reports it received in 2024.
Of these incidents, 89 were nationally significant, including 12 critical incidents, marking a threefold increase from the previous year.
“What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face and the defenses that are in place to protect us,” NCSC CEO Richard Horne said.
“What is equally clear to me is that we all need to increase the pace at which we are working to stay ahead of our adversaries,” he added.
In February, research by cybersecurity firm Trend Micro exposed worrying gaps and confusion in the public sector’s defenses.
In a survey of 250 public sector IT leaders, Trend Micro reported that a large percentage of U.K. IT bosses warned of critical cybersecurity gaps.
Around 64% of IT leaders claimed they did not know what best practices were, and 24% said the lack of best practices could directly lead to a cyber incident.
Professor Dan Hyde, partner at Keystone Law, told CCN that the U.K. remains “ill-prepared” for an increase in state-sponsored cyberattacks and would be “exposed in the event of a catastrophic attack.”
“There are serious cyber resilience gaps in at least 58 critical government IT systems, as well as numerous ‘legacy’ IT systems that are vulnerable,” he said. “These legacy systems represent a tangled web across departments and bodies, whose precise number and risk level are unknown.”
On March 25, a new report from the U.K. cross-party Public Accounts Committee (PAC) revealed that almost a third of all central government IT systems were labeled as “legacy.”
As the U.S. prioritizes infrastructure resilience, Greg Keller, co-founder of U.S. software company JumpCloud, told CCN that the U.K. must take “decisive action” to address the gaps in its cyber defense, especially within the public sector.
The rising sophistication of cyberattacks and state-backed incidents has exposed the vulnerabilities within public sector organizations.
In June 2024, a cyberattack on a supplier of pathology services to the NHS in south-east London led to the postponement of over 10,000 outpatient appointments and 1,700 elective procedures.
Meanwhile, the British Library spent over £600,000 rebuilding its services after suffering a cyberattack in 2023, and it expects to spend much more on restoration.
The NCSC reported that around 40% of incidents it managed between September 2020 and August 2021 were aimed at the U.K.’s public sector.
A January National Audit Office (NAO) report found that skills gaps were the biggest hurdle to building cyber resilience in the U.K.
“Skills gaps are the biggest risk to building cyber resilience, with one in three cybersecurity roles in government vacant or filled by temporary staff in 2023-24,” the public spending watchdog said.
According to the agency, successive governments’ strategy to become “significantly hardened to cyberattacks by 2025” failed due to a lack of speed in implementation.
“The cyber threat to U.K. government is severe and advancing quickly; government must act now to protect its own operations and key public services,” the public spending watchdog added.
The NAO urged the U.K. government to “make and enact plans to fill cyber skills gaps in workforces” by the end of the year.
In the U.S., President Donald Trump recently issued an Executive Order to increase the resilience of public infrastructure.
The order aims to boost the ability of states and local governments to prepare for cyberattacks and severe weather events.
“Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyberattacks, wildfires, hurricanes, and space weather,” Trump said.
Trump said the order would “inject common sense into infrastructure prioritization.”
However, earlier this month, the Trump administration cut millions of dollars in federal funding from two cybersecurity initiatives.
The proposed cuts signal a “troubling disconnect between strategic intent and actual investment,” Anna Collard, SVP of Content Strategy at KnowBe4, told CCN.
“For the U.K. to remain resilient, it must prioritize cyber resilience with strategic investment, public-private collaboration, and skills development forming the backbone of its national cyber defense,” she added.