First: “calculating the chances” is not like doing your VAT return
There is no public dataset that lets anyone honestly compute a single probability for “Russia/China will succeed against the UK government or UK businesses”, because:
- most attempts are never detected (or never disclosed),
- “success” can mean anything from stealing one inbox to crippling a national service,
- and governments (mysteriously) don’t publish a nice spreadsheet of classified incidents.
So the only responsible way to answer is a scenario-based risk estimate grounded in UK Government/NCSC published assessments and the UK’s own National Risk Register likelihood bands.
What we can say confidently about the threat actors
China: highly capable, broad targeting, long-term access
The NCSC describes China as a “highly sophisticated and capable threat actor” targeting a wide range of sectors globally including the UK, and highlights China-linked campaigns and large botnets.
Russia: capable, opportunistic, and happy to be disruptive
The NCSC’s Annual Review framework treats state actors as a significant threat to UK cyber security, with the operating environment “escalating” and “nationally significant incidents” at record levels.
The UK’s own security leadership view
MI5’s Director General has publicly described fast-rising state threats in a “more hostile world”. That’s not a mathematical input, but it’s a strong signal about the baseline threat environment.
A practical probability model for “success”
Think of it as three different games, each with different odds:
1) Espionage and data theft (quiet success)
- Goal: access email, steal documents, map networks, remain undetected.
- Most likely “success” mode for state actors, because it can be low-noise.
2) Disruption without destruction (loud success)
- Goal: degrade services, cause outages, create chaos, force costly recovery.
- Harder than espionage, but very feasible against weakly defended targets and complex supply chains.
3) Destructive attacks on critical national infrastructure (CNI)
- Goal: break operational technology / core services, cause extended national-level impact.
- Possible, but rarer, and the UK plans around it as a reasonable worst-case scenario, not a daily outcome.
What the UK Government’s own risk maths says (best available public proxy)
The National Risk Register 2025 provides likelihood bands for “reasonable worst-case” cyber scenarios over a 5-year horizon. For the grouped category “Cyber attacks on infrastructure” it gives an average likelihood score of 4 (5–25%) and an average impact score of 3 (moderate).
That’s not “Russia or China will succeed” as a single number, but it is the UK’s public benchmark for how often a serious infrastructure-class cyber scenario could plausibly occur in the planning horizon.
Estimated chances of a successful Russian or Chinese attack (scenario-based)
UK Government (central departments, major agencies)
- Espionage success (some level of compromise somewhere, within 12 months): High
  - Why: huge attack surface (people, suppliers, legacy), high adversary capability, and the NCSC describes escalating state threat activity.
- Material disruption of a major government service (within 12 months): Low to Medium
  - More controls, monitoring, segmented estates. Still not immune, especially via suppliers.
- “Nationally significant” disruptive incident (within 5 years): Medium
  - Consistent with the UK’s own planning posture (5–25% likelihood band for cyber attacks on infrastructure as a grouped risk).
UK businesses (all sizes, economy-wide)
- Espionage/data theft (within 12 months): Medium to High
  - Especially in defence supply chains, tech, finance, energy, academia.
- Disruption via ransomware or destructive malware (within 12 months): Medium
  - Here’s the brutal truth the NCSC repeats: most attacks use well-known techniques, and many organisations still don’t implement basics. The NCSC says Cyber Essentials controls can stop the “vast majority” of commodity attacks, but uptake remains far below the number of organisations exposed.
- Severe multi-week disruption in a major sector (within 5 years): Medium
  - Again, consistent with the government’s own planning for telecoms, health, finance and other CNI-linked sectors.
A note you can publish without getting heckled by specialists
For state actors, “success” is often access, persistence, and intelligence value, not necessarily flipping the lights off. Disruption is a policy choice and a risk appetite question, not just a technical one.

If successful, what levels of disruption could they cause?
Level 1: Localised business disruption (hours to days)
- Email/Teams/SharePoint outage
- Finance/payroll interruptions
- Customer service and ordering disruption
- Cost: immediate operational loss + incident response + recovery
This is the most common “real world” pain for businesses.
Level 2: Regional/sector disruption (days to weeks)
The National Risk Register’s scenarios explicitly describe:
- Telecoms attack impacting millions of customers, with remediation potentially taking months or even years depending on contamination and equipment confidence.
- Financial market infrastructure (FMI) attack with total disruption for at least a week and partial outage for weeks after, including destructive elements like overwritten data.
- Health and social care attack where secondary impacts (missed appointments, knock-on morbidity) can escalate sharply; the Register explicitly flags the potential for worsening health outcomes.
Level 3: Cross-sector cascading disruption (weeks to months)
The Register also spells out the systemic risk: cyber impact to foundational systems (like electricity transmission) can severely disrupt other critical systems, and recovery could take months, especially if cyber contamination complicates restoration.
That’s the “big one”: not guaranteed, not everyday, but serious enough that the UK plans around it.
Expert-informed “why it succeeds” factors (the boring bits that ruin lives)
The NCSC’s assessment is blunt: hostile activity is rising, and the gap between threat and resilience needs to close urgently. It also notes many attacks rely on well-known techniques and that basic controls would stop a lot of commodity attacks, but adoption is not universal.
Translated: the threat is elite, but the failure mode is often ordinary.
Final Thoughts
- Probability of some successful state-linked compromise somewhere in UK government/business networks: high (especially espionage and access).
- Probability of major, nationally significant disruption: meaningful but not constant, aligned with the UK Government’s own 5–25% (over 5 years) planning likelihood band for infrastructure-class cyber scenarios.
- Potential disruption if successful: ranges from company-level outages to multi-sector national impacts lasting weeks to months, depending on target, preparedness, and whether attackers choose stealth or disruption.