NCSC CEO: AI advances plus geopolitics create a 'perfect storm' at CYBERUK26
- NCSC chief Richard Horne used his CYBERUK 2026 keynote in Glasgow to warn that AI progress and geopolitical tension are creating a cyber “perfect storm.”
- Horne said most nationally significant incidents now come directly or indirectly from nation states, while NCSC also shifted guidance toward passkeys over passwords.
- The bigger change is strategic: UK cyber policy is moving from patching basics to preparing for AI-scaled attacks and post-quantum migration.

Cyber security is getting squeezed from two sides at once. One side is technical — AI is making it easier to find and exploit weaknesses faster. The other is political — more serious incidents are now tied, directly or indirectly, to hostile states. That was the core message from NCSC chief Richard Horne at CYBERUK 2026 in Glasgow, where he described the next decade as a “perfect storm” of rapid technological change and rising geopolitical tension. (ncsc.gov.uk)

### What did Horne actually warn about?

Horne’s point was not that AI has already unleashed some brand-new wave of magic cyberattacks. It was narrower, and more worrying. Frontier AI is already helping with the discovery and exploitation of existing vulnerabilities at scale, which means old weaknesses — unpatched systems, insecure code, legacy tech — get more dangerous when attackers can work through them faster and cheaper. (ncsc.gov.uk)

### Why bring geopolitics into it?

Because the NCSC says the source of the worst incidents is shifting. Horne said the overall number of serious incidents has stayed fairly steady, but the mix has changed — the majority of nationally significant incidents the agency now handles originate directly or indirectly from nation states. The same briefing tied that to a broader “contested space” between pe(ncsc.gov.uk)ield in Ukraine beyond the battlefield. (ncsc.gov.uk)

### So is this really about basics?

Basically, yes. That’s the uncomfortable part. Horne’s speech keeps coming back to fundamentals — patching properly, replacing legacy systems, and not shipping software with glaring vulnerabilities. AI changes the speed and scale, but it often cashes out through very ordinary failures. Think of it like giving attackers a faster metal detector — the buried weaknesses were already there. (ncsc.gov.uk)

### Why were passkeys part of the same event?

Because the NCSC used CYBERUK to make a concrete policy move, not just give a warning. It said it will now recommend passkeys wherever a service supports them, and two-step verification only where passkeys are unavailable. That is a meaningful shift. The agency had held back from fully endorsing passkeys earlier because of implementation concerns, but now says industry progress has made them ready for mass adoption. (ncsc.gov.uk)

### What changed in the MFA argument?

The catch is that “more factors” is no longer the whole story. The NCSC’s new technical position is that traditional MFA methods — SMS codes, email codes, app-based one-time passwords, push approvals — are inherently phishable. FIDO2 credentials, including passkeys, are judged as secure or more secure than traditional MFA against the common a(ncsc.gov.uk) itself counts as multi-factor. (ncsc.gov.uk)

### Where does quantum fit in?

It’s the slower-burn piece of the same puzzle. The NCSC also used this period to push post-quantum planning, including a three-phase migration timeline aimed at moving organisations to quantum-resistant cryptography by 2035. That matters because sensitive data stolen today can still be valuable years later if future quantum systems can break the encryption protecting it. (ncsc.gov.uk)

### Why does this matter beyond the UK?

Because none of these pressures are uniquely British. Passkeys, AI-assisted exploitation, state-linked intrusion, and post-quantum migration are all cross-border problems. The UK’s cyber agency is basically saying the playbook has changed: stop treating authentication, patching, and crypto modernization as separate chores. They’re now part of the same resilience problem. (ncsc.gov.uk)

### Bottom line?

The news at CYBERUK 2026 was not just a scary phrase. It was a policy signal. Horne’s “perfect storm” line came with a practical message: assume attackers will get faster, assume states stay active, and fix the boring weaknesses now — while moving users off passwords and starting the long march to post-quantum security. (ncsc.gov.uk)