The UK is underestimating the severity of the online threat it faces from hostile states and criminal gangs, the country’s cybersecurity chief will warn.
Richard Horne, the head of GCHQ’s National Cyber Security Centre, will cite a trebling of “severe” incidents amid Russian “aggression and recklessness” and China’s “highly sophisticated” digital operations.
In his first major speech as the agency’s chief, Horne will say on Tuesday that hostile activity in UK cyberspace has increased in “frequency, sophistication and intensity” from enemies who want to cause maximum disruption and destruction.
In a speech at the NCSC’s London HQ, Horne, who took on the role in October, will point to “the aggression and recklessness of cyber-activity we see coming from Russia” and how “China remains a highly sophisticated cyber-actor, with increasing ambition to project its influence beyond its borders”.
“And yet, despite all this, we believe the severity of the risk facing the UK is being widely underestimated,” he will say.
One expert described the comments as a “klaxon” call to companies and public sector organisations to wake up to the scale of the cyber-threat facing the UK.
Horne will make the warning as the NCSC reveals a significant increase in serious cyberincidents over the past 12 months. Its annual review shows that the agency had responded to 430 incidents requiring its support between 1 September 2023 and 31 August 2024, compared with 371 in the previous 12 months.
It says that 12 of those attacks were at the “top end of the scale” and were “more severe in nature” – a trebling from the previous year.
“There is no room for complacency about the severity of state-led threats or the volume of the threat posed by cybercriminals,” Horne will say. “The defence and resilience of critical infrastructure, supply chains, the public sector and our wider economy must improve.”
Last week the Cabinet Office minister, Pat McFadden, warned that Russia “can turn the lights off for millions of people” with a cyber-attack.
The NCSC review does not reveal the split between state-executed attacks and incidents perpetrated by criminal gangs. However, it is understood that a significant amount of its time is spent supporting organisations responding to ransomware attacks, where criminal gangs paralyse their targets’ IT systems and extract confidential data. The gangs then demand a ransom payment in bitcoin to return the stolen data.
Recent ransomware attacks against high-profile UK targets include the British Library and Synnovis, which manages blood tests for NHS trusts and GP services. The NCSC says it received 317 reports of ransomware activity last year, of which 13 were “nationally significant”.
“The attack against Synnovis showed us how dependent we are on technology for accessing our health services. And the attack against the British Library reminded us that we’re reliant on technology for our access to knowledge,” Horne will say. “What these and other incidents show is how entwined technology is with our lives and that cyber-attacks have human costs.”
Ransomware gangs typically originate from Russia or former Soviet Union countries and their presence appears to be tolerated within Russia, provided they do not attack Russian targets. However, one Russian cybercrime gang, Evil Corp, has carried out attacks against Nato countries at the behest of state intelligence services, according to the UK’s National Crime Agency.
Horne adds: “What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us.”
“And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries.” It is understood the “underestimated” warning is directed at public and private sector organisations in the UK.
The NCSC says the top sectors reporting ransomware activity this year were academia, manufacturing, IT, legal, charities and construction.
The agency’s review says that the Russian regime, through its invasion of Ukraine, is inspiring non-state actors to carry out cyber-attacks against critical national infrastructure in the west.
The review points to Chinese hackers such as the Volt Typhoon group, which has targeted US infrastructure and “could be laying the groundwork for future disruptive and destructive cyber-attacks”, while in the UK Beijing-linked groups have targeted MPs’ emails and the Electoral Commission’s database.
The report also warns that Iran “is developing its cyber-capabilities and is willing to target the UK to fulfil its disruptive and destructive objectives”, while North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang’s internal security and military capabilities.
The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea “disguised as freelance third-country IT staff to generate revenue for the DPRK regime”.
Alan Woodward, a professor of cybersecurity at Surrey University, said NCSC was warning the private and public sectors not to “take their eye off the ball”.
“The government is trying to sound the klaxon,” he said. “The feeling is that not everybody is listening yet.”