Cyber vulnerability falls into two general categories: data acquisition, and systems sabotage.
Data security
Private companies are in possession of huge amounts of commercially valuable data which, if stolen, could enable a competitor to hijack years of work by researchers and gain a commercial advantage in the production of a mechanical tool, say, or some kind of medicine.
Governments, individuals and all kinds of organisations have private data which they wish to protect, and various kinds of damage can be done (or advantage gained by a competitor) should that data be stolen
Sabotage of systems
Less well recognised is the second kind of cyber vulnerability, which relates to the sabotage of systems.
In today’s world, all kinds of devices and components are connected to the internet. This includes some new cars and domestic devices, which naturally used to operate autonomously without dependency on any internal computers letalone external digital connections.
It also includes many kinds of components and equipment upon which our infrastructure relies. Much critical national infrastructure (CNI) – such as electricity and gas networks, water systems, trains and ports – is connected to the internet.
Connectivity is increasing as organisations seek to leverage the advantages it offers in terms of automation, remote control and data collection. However, this trend has introduced significant vulnerabilities. All kinds of important systems are vulnerable to remote sabotage, in other words, to being hacked and tampered with.
The consequences of such attacks could, in theory, be very serious. Changes to water treatment systems could poison hundreds of thousands of people. Cyber attacks on gas networks could cause devastating explosions.
Luckily, such disasters are not known to have affected the UK and remain very uncommon elsewhere. Uncommon, but not unheard of: of the hundreds of Russian sabotage attempted cyberattacks probing targets across Europe, some have succeeded.
State actors are not the only ones conducting such attacks, and companies in other sectors are often at just as much risk as CNI operators.
In 2025, Jaguar Land Rover’s UK manufacturing facilities were hacked, cause production to halt entirely for six weeks. Hundreds of people had to stop work, and the estimated cost to the British economy was of £1.9 billion.
The perpetrators are believed to have been English-speaking but as of January 2026 no arrests had been made.
China is understood by the UK government as probably the most sophisticated and capable non-allied actor in cyberspace.
As well as having a huge, relatively well-educated population, the PRC government has invested significant resources in its military and espionage agencies’ cyber capabilities as well as nurturing the development of cybersecurity companies, which have also been involved in external attacks on the UK.
Furthermore and critically, components made in the PRC are increasingly ubiquitous – that is to say that British companies, government departments and critical national infrastructure increasingly contain PRC-manufactured hardware.
Whilst vulnerabilities may in the future be deliberately inserted in the PRC and later exploited once in operation in the UK, potentially to devastating effect, perhaps more important are the risks presented by the exploitation of unplanned faults, shoddy software patches, and bad engineering.
The companies that produce hardware – and the country where a preponderance of the hardware is made – would naturally enjoy certain advantages in exploiting incidental vulnerabilities as they emerge or are discovered.
UK-China Transparency researches what the British government and British companies are doing to secure critical national infrastructure and the economy against the threat posed by these vulnerabilities.
