Offense is the new defense for fighting cybercrime

A new report from consulting firm NCC Group signals a decisive turn in global cyber strategy: governments are increasingly taking the offensive against digital adversaries, reshaping what resilience means for businesses worldwide.

The report, UK Cyber Radar: Edition 4, draws on NCC Group's policy work with governments and private-sector clients to map emerging cyber trends and regulatory shifts. Its message is clear: defense alone is no longer enough.

"2025 has been a year of unprecedented turbulence in the cyber landscape," said Verona Johnstone-Hulse, government affairs lead at NCC Group. "We're seeing governments and organizations across all sectors facing increasingly sophisticated attacks, prompting a fundamental rethink of what protection really entails."

Offense goes mainstream

Once focused on sanctions and deterrence, nations are now building offensive cyber arsenals and coordinating international takedown operations. The report calls this evolution "offense as the new defense," a doctrine where active disruption of threat actors becomes central to national security.

Examples include cross-border ransomware takedowns and a recently announced $1 billion U.S. investment in offensive cyber operations, underscoring how major powers view digital aggression as a legitimate defense mechanism.

Such moves raise difficult questions, according to NCC Group: Could the world be heading toward a state of "mutually assured cyber destruction"? And as Russia and China already enlist private firms to develop or deploy offensive tools, will Western democracies follow suit?

3h2Governance and shared responsibility

The report also warns that reactive, rule-by-rule compliance will no longer suffice. Cyber governance, the report stated, must evolve into a long-term, globally coordinated effort that can flex with rapidly shifting geopolitical priorities.

Despite growing public investment (governments have pledged more than $6 billion in cyber-resilience measures) NCC Group stresses that private organizations remain accountable for their own digital defenses. "Governments may fund national capabilities, but they won't pay for your company's cybersecurity program," Johnstone-Hulse noted. "Organizations of every size will be expected to do more."

Supply-chain sovereignty and economic security

A related theme running through UK Cyber Radar: Edition 4 is the tightening of supply-chain security. Nations are doubling down on domestic technology production and "reshoring" critical components, particularly in areas such as artificial intelligence and semiconductors. Heightened concern over foreign influence, the report observes, is driving both stricter procurement rules and new sovereignty-based due-diligence requirements.

"Cybersecurity has become inseparable from economic and national security," said Johnstone-Hulse. "We're seeing the end of unfettered globalization in tech supply chains, replaced by a more cautious, sovereignty-driven approach."

Preparing for what's next

Beyond these strategic shifts, NCC Group's latest radar tracks upcoming cyber regulations, the transition to post-quantum cryptography, and the emergence of a "cyber-regulation maturity curve." It urges organizations to anticipate tighter rules, the possible UK-style ban on ransomware payments, and new reporting mandates that could affect insurance and recovery costs.

The broader takeaway from the report: resilience now demands proactivity. Businesses can no longer rely solely on compliance checklists or after-the-fact incident response. Instead, they must engage in continuous threat modeling, supply-chain risk audits and strategic alignment with evolving national policies.

"In this new era," Johnstone-Hulse said, "cybersecurity isn't just about defense—it's about readiness, agility, and, when necessary, taking the fight to those who threaten you."

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.