The government has warned that a serious cyber-attack on UK critical infrastructure has a 5–25% chance of happening over the coming two years.
The findings come from the new National Risk Register 2023 report, which is based on the government’s internal, classified National Security Risk Assessment, and considers malicious risks like terrorism and cyber-attacks alongside non-malicious risks such as severe weather incidents.
It lists several cyber-related risks, including attacks on:
- Gas infrastructure
- Electricity infrastructure
- Civil nuclear facilities
- Fuel supply infrastructure
- Government
- The health and social care system
- The transport sector
- Telecommunications systems
- UK financial infrastructure (by state actors)
- A UK retail bank (by state actors)
In most cases, the predicted attacks involve “encrypting, stealing or destroying data upon which critical systems depend or disruption to operational systems,” although in the case of government attacks there’s also a risk of loss of public trust and/or interference in elections.
The assessment ranks the likelihood of such attacks happening in the next two years as a “4” on a scale of 1–5, with 5 being the most likely (>25%).
Although technically this means they are “highly unlikely,” and the impact is considered “moderate,” that still means an economic cost measured in the billions of pounds (rather than tens of billions), fatalities of up to 1000 people and casualties of up to 2000.
The report also highlighted artificial intelligence (AI) as a “chronic risk” – that is, one that poses “continuous challenges that erode our economy, community, way of life, and/or national security.”
According to a World Economic Forum report released earlier this year, 86% of business leaders and 93% of cyber leaders believe that global geopolitical instability is “moderately” or “very likely” to lead to a catastrophic cyber event in the next two years.