Richard Horne, chief executive of the U.K.'s National Cyber Security Centre, told the FBI's "Ahead of the Threat" podcast that rapid AI advances are accelerating the weaponization of known software flaws and that organizations must prioritize cybersecurity fundamentals to withstand a coming "patch wave." "AI is just going to shine a light on that and expose whether the fundamentals haven't been happening," Horne said.
Brett Leatherman opened the segment by citing the Verizon Data Breach Investigations Report, noting that exploiting a known software vulnerability is now the most common initial access vector (31% of breaches, up from 20%), that only 26% of items on CISA's Known Exploited Vulnerabilities list were fully remediated last year (down from 38%), and that the median time to fully patch rose from 32 days to 43 days. "Attackers are weaponizing known flaws faster than defenders can close them," Leatherman said, summarizing the report.
Horne framed the issue as a capacity and prioritization problem. He endorsed the NCSC's "technical debt" language to get board attention, and urged CISOs to articulate their attack surface, budget for remediation costs and test operational plans so critical applications can be taken offline for urgent patches. "If they're doing this right, when those patches come, they're going to identify end-of-life devices; they're going to be taken offline and replaced," he said.
On AI, Horne said defenders should "walk before you run": use AI to automate first-line tasks such as anomaly detection and to improve code quality so that new software ships with fewer vulnerabilities. He warned of a short-term "bump" because existing codebases will still require massive updates, but called the longer-term potential "really exciting" if procurement and lifecycle practices change.
Horne also urged industry cooperation in mid-space interventions. He described NCSC's "share and defend" service that aggregates malicious links and provides them to ISPs for real-time blocking, producing billions of blocked attempts. He said trust groups of sector CISOs and rapid sharing of intelligence enable faster defensive action and produce feedback that improves government advisories.
On ransomware, Horne argued organizations should aim not to pay extortion demands. Drawing on Operation Cronos and past takedowns of LockBit, he said paying does not guarantee deletion of exfiltrated data and that recovery often still requires rebuilding systems over weeks or months. He recommended immutable backups, practiced recovery plans and organizational resilience.
Horne described workforce initiatives (CyberFirst school outreach, accredited university courses, bursaries and the I100 secondment program that rotates industry talent into government) and urged multi-year post-quantum roadmaps and "crypto agility" to prepare for future cryptographic transitions.
He closed by describing the value of offensive disruption to inform defense: coauthored advisories with U.S. partners produce industry actions that, in turn, generate intelligence for further interventions. "Offense is a critical part of defense," he said, and listeners were directed to NCSC.Gov.UK for advisories and trust-group participation.