The former head of GCHQ has warned businesses face increasingly sophisticated cyber attacks on critical national infrastructure (CNI), urging firms to pay closer attention to geopolitics and collaborate on fighting the next generation of threats.
Jeremy Fleming, who served as director of the agency from 2017 to 2023, says the ‘big four’ – generally understood as China, Russia, North Korea, and Iran – are launching attacks on CNI to an unprecedented degree.
He also noted attackers are using pre-positioning, in which they embed themselves into systems for future attacks.
“Some of the things we’re seeing and the way in which particularly pre-positioning is happening on critical national infrastructure, we haven’t seen that before,” Fleming told attendees at the Palo Alto Networks Ignite event in London this week.
“Now you know that’s really hard to do, I know as an intelligence professional, that’s really hard to do but we are seeing it. We’ve seen it in the water industry particularly in America, we’re seeing it across healthcare, we’re seeing it in other areas.”
Fleming pointed to the recent Salt Typhoon attack on US telecoms infrastructure as an example of the sophisticated threat posed by state-sponsored threat actors, noting that more attacks of its kind using living-off-the-land techniques can be expected in the near future.
Fleming said that regardless of company size, from small businesses to the largest enterprises, can repel these threats on their own. To achieve this, however, he called for far more information sharing between firms.
“We have to do better, you all have to do better, at sharing your understanding of the threats,” he said.
“It’s the pace at which we’re able to share this information because some of you, one of you will solve something which is important from a state actor perspective for anyone else. That’s just the way it works. So how are we going to accelerate that data sharing amongst that?”
Haider Pasha, chief security officer, EMEA & LATAM at Palo Alto Networks, led the discussion with Fleming onstage during the Ignite keynote. He pointed to the Palo Alto Networks’ Cyber Threat Alliance, which grew from an information sharing agreement with a few close competitors to an organization of 26-27 industry leaders in cybersecurity, as an example of
“But I think, as you said, we need to do a better job of this,” Pasha noted.
This will be especially key as AI threats ramp up, Fleming noted, adding that sentiment on whether AI benefits attackers or defenders more is shifting due to growing caution in the cyber field.
While Fleming maintained that he’s still optimistic about how AI can benefit cybersecurity, he qualified that the pace of delivery would make all the difference here.
Competing pressures on cyber teams
One of the major barriers organizations and nation states face in the coming years will be to meet their own data sovereignty requirements without withdrawing from vital information sharing agreements.
“So we are going to find that whilst I am airily talking about partnerships and whilst I’m airily talking about information sharing, quite a lot of the political pressure is going to get us to look inwards as nations,” Fleming said.
Against the backdrop of state-backed groups, Fleming also issued a stark warning:
“If you are faced with a determined state adversary, you will not stop them. That’s just the reality. Because a determined state adversary is not only trying to attack you from a cyber perspective, it’ll be looking for insider weakness, it’ll be looking for other aspects of leverage.”
But Fleming clarified that most businesses don’t need to be concerned about state adversaries, suggesting instead that raising cybersecurity to the level required to block most attacks is sufficient and not beyond any capable organization.
He also acknowledged what Palo Alto Networks calls ‘mega breaches’, large attacks on organizations that severely disrupt services and cause hundreds of millions of dollars in losses. Fleming stated that these attacks are lucrative and often carried out by groups based in North Korea.
A recent example is the Bybit crypto heist, in which $1.5 billion of digital tokens were stolen from an international cryptocurrency exchange. Fleming cited this as an example of a for-profit attack typical of North Korean threat actors.
Profit-driven groups also lean on ransomware attacks to an increasing degree, with February 2025 having been the worst month for ransomware on record.
Despite efforts by international law enforcement to seize leak sites on the dark web and take down groups like LockBit, ransomware groups persist – and Fleming was frank about the low chance these efforts will succeed.
“Globally, we haven’t been able to take the steps necessary to disrupt ransomware at its source,” he said.
“And by that I mean, because many of the spaces where the ransomware actors are operating are denied spaces, law enforcement is unable to go after those in a way which is broad enough to make material difference.”
As with the threat posed by state-backed groups, Fleming urged firms to focus on the fundamentals and greater collaboration to shield themselves from ransomware.