UK National Resilience
- maitlandhyslop
- May 16
- 11 min read
To: House of Lords Select Committee on National Resilience
From: Dr Maitland Hyslop
Date: 30th March 2026
UK NATIONAL RESILIENCE
Risk Interconnection, Preparedness & the Leadership Imperative
Executive Summary
The United Kingdom faces a risk environment of unprecedented complexity. Unlike prior decades when threats were largely discrete and sequential, today's risks cascade — a pandemic accelerates supply chain failure; a cyber-attack cripples the energy grid; disinformation corrodes the public consent needed to respond to either. Resilience is no longer a technical problem. It is a leadership, governance, and social contract problem.
This submission examines seven interconnected themes: the architecture of national and international risk; the risks with greatest severity; what defence must change; private sector exposure; public understanding and preparedness; the perception-reality gap; and the corrosive role of disinformation. Throughout, two threads from previous analysis recur: the failure of leadership at institutional level, and the transformative — and double-edged — role of AI.
1. How National & International Risks Interconnect
The National Risk Register 2023 catalogues risks in silos — natural hazards, malicious threats, societal. This architecture underestimates the systemic nature of modern risk. Four interconnection mechanisms are decisive:
Mechanism | How It Operates in Practice |
Infrastructure Interdependency | Power, water, telecoms, and financial systems share physical and digital infrastructure. An attack on one cascades into others within hours. The 2021 Texas grid failure demonstrated how a weather event became a water, health and economic crisis simultaneously. |
Supply Chain Fragility | The UK imports ~46% of its food and is heavily dependent on global semiconductor supply. Conflict in Ukraine, Taiwan, or the Gulf — or a major pandemic — creates domestic shortfalls that governments cannot quickly remedy. |
Digital Entanglement | Nation-state cyber actors (Russia, China, Iran, North Korea) conduct persistent operations against UK critical national infrastructure. Ransomware affecting the NHS in 2017 and 2024 illustrates health-digital-social interdependency. |
Geopolitical Contagion | Ukraine, Middle East and Indo-Pacific instability simultaneously affect energy prices, refugee flows, military commitments, and UK domestic political cohesion. No single government department owns this nexus. |
The critical insight — drawn from earlier leadership publications — is that these connections are known but not acted upon because institutional leadership is structured for single-domain accountability. A Cabinet structure built for peacetime administration is ill-suited to polycrisis management.
AI Dimension: AI-driven early warning systems (such as Advanced Research and Invention Agency (ARIA) funded tools) can model cascading risk with far greater fidelity than human analysts — but only if decision-makers are willing to act on probabilistic, non-linear threat pictures. That requires leadership culture change, not just technology investment. |
2. National Risks with the Most Severe Impact
Severity is a product of probability, consequence and recoverability. The following five risks stand above others on all three dimensions:
Risk | Why It Is Most Severe |
Catastrophic Cyber Attack on CNI | An attack disabling power generation, water treatment or financial clearing would cause mass casualties within days, not weeks. The UK has no full national rehearsal of such a scenario. NCSC acknowledges the threat is growing faster than defences. |
Pandemic / Engineered Pathogen | Covid-19 caused the deepest UK peacetime economic contraction since 1709. A pathogen with higher lethality and transmissibility — including one engineered using AI-assisted biology — represents an existential-tier event. The Biological Weapons Convention has no enforcement mechanism. |
Extreme Weather & Climate Tipping Points | Not a gradual transition but a series of acute shocks: flooding affecting 1 in 6 UK properties, prolonged drought disrupting agriculture, and heatwaves breaching NHS capacity. The 2022 UK heatwave killed ~3,000 people. Infrastructure was designed for a climate that no longer exists. |
Armed Conflict & NATO Article 5 Trigger | Russia's war doctrine explicitly includes the threat of nuclear use. A conflict escalating to Article 5 invocation would require UK mobilisation it is structurally unprepared for — with an Army at its smallest since Napoleonic times and reserve forces that are chronically under-equipped. |
Societal Fragmentation / Democratic Erosion | Least visible but most corrosive. If institutions lose public trust — through perceived failures, disinformation, or elite capture — the social licence for collective response to any emergency evaporates. This is the meta-risk that amplifies every other. |
3. What Needs to Change in Defence
UK defence is caught between legacy structures designed for Cold War deterrence and an era demanding hybrid, multi-domain, rapid-response capability across the full spectrum from grey-zone operations to high-intensity conflict. The 2021 Integrated Review and its 2023 Refresh identified the direction but not the pace or resourcing required.
Structural Reforms Required
• Whole-of-Government War Readiness: Defence must be reframed not as a departmental function but as a national enterprise. The Cabinet Office Briefing Rooms (COBR) architecture must be permanently staffed for complex emergencies, not convened reactively. (The overall approach must be more akin to the Chinese 42 vector approach).
• Reserve Forces Transformation: The Army Reserve and other reserve components must be genuinely dual-use — trained for warfighting but also deployable domestically for civil emergencies. This requires employer compacts, legal frameworks and sustained investment.
• AI and Autonomous Systems at Scale: The UK's defence AI investment remains fragmented across DSTL, ARIA and industry. A coordinated national AI-defence programme — analogous to the US JAIC — is needed. Adversaries are not waiting.
• Counter-Hybrid Warfare Doctrine: Influence operations, sabotage, cyber intrusion and lawfare below the Article 5 threshold are Russia and China's preferred operational mode. The UK needs a doctrine and command structure — with legal authority to act — that addresses this continuum.
• Industrial Base Resilience: UK defence procurement is heavily dependent on global supply chains for munitions, electronics and platforms. Stockpiles of key munitions were revealed as critically low in the early months of Ukraine support. Sovereign manufacturing capacity must be restored.
Leadership Dimension: Previous conversations identified a pattern of institutional leaders optimising for peacetime metrics — budget efficiency, headcount reduction — while deferring the harder task of genuine war-readiness. This is not unique to defence: it reflects a broader failure to lead for discontinuous, non-linear futures. The DSR 2025 must deliver structural accountability, not aspiration. |
4. Risks Facing the Private Sector
Critical National Infrastructure is overwhelmingly privately owned and operated in the UK: 80% of energy, 100% of telecoms, all major financial institutions, most water utilities. The private sector is therefore simultaneously a primary target and a first line of defence — a duality that its governance structures and commercial incentives are poorly designed to manage.
Key Risk Dimensions
• Cyber and Ransomware: Supply chain attacks (SolarWinds-type) and ransomware now routinely target UK firms. The average cost of a major cyber incident to a FTSE100 company exceeds £50m. Yet board-level cyber literacy remains weak; many treat it as an IT problem rather than a strategic risk.
• Regulatory Fragmentation: NIS2 (transposed into UK law), DORA (financial sector), and the proposed Critical Infrastructure Resilience Bill each impose different frameworks on overlapping sectors. Compliance becomes the goal rather than actual resilience.
• Concentration and Single Points of Failure: UK financial clearing, internet backbone, and cloud infrastructure are concentrated among very few providers. A failure of a major hyperscaler (AWS, Azure, Google) would simultaneously affect NHS, HMRC, MoD, banks and logistics.
• AI-Driven Business Risk: AI deployment in supply chain, customer management and financial modelling introduces new categories of systemic risk — model failure, adversarial manipulation, and speed-of-automation-driven crises that outpace human intervention.
• Workforce and Social Licence: A private sector that is visibly unprepared for emergencies — or that profits from them — faces workforce disengagement and reputational collapse. Business resilience and social legitimacy are increasingly the same thing.
What is needed is a genuine public-private resilience compact: clear government standards with teeth, co-investment in national resilience infrastructure, and shared exercises that go beyond tabletop to genuine stress-testing. The current model of voluntary codes and light-touch regulation is not adequate for a threat environment of current severity.
5. Society: Understanding, Preparing & Delivering Resilience
The UK has a distinguished tradition of civil resilience — from wartime community organisation to modern emergency volunteering — but this social capital is being depleted rather than built. Three transformations are required:
Understanding — Making Risk Real Without Causing Paralysis
Risk communication in the UK defaults to technical language, statistical framing, and governmental reassurance. None of these work. Research consistently shows that communities engage with risk when it is concrete, locally framed, and linked to action. The Community Resilience Framework, launched 2022, is under-resourced and patchy in delivery.
AI-powered public communication tools — personalised risk summaries, community-level vulnerability mapping — could transform public understanding, but only if trusted institutions deploy them. Trust is the precondition, not the output.
Preparing — From Awareness to Capability
• A national curriculum in emergency preparedness — from secondary school age — would build lifelong competence and normalise resilience behaviours without stigmatising them.
• A UK equivalent of Finland's whole-of-society resilience model: universal basic training, clear roles for citizens in national emergencies, and a legal framework that supports volunteer activation.
• Community-level resilience hubs, co-located with existing civic infrastructure (libraries, schools, faith institutions), pre-stocked and practised — not improvised in the aftermath of a disaster.
Delivering — Institutions That Can Execute Under Pressure
Local Resilience Fora are the statutory mechanism for local planning. They are chronically under-funded, led by part-time officials, and rarely exercise at scale. The gap between plan and capability was starkly visible in the 2007 floods, 2020 PPE failures, and 2023 RAAC crisis. Execution requires investment, accountability and — critically — leaders who have practiced failure, not just planned for success.
The leadership thread: earlier work on institutional leadership identified a common failure pattern — leaders selected for compliance and communication skill rather than adaptive capacity and moral courage. Resilience delivery requires leaders who can make fast, high-stakes decisions under uncertainty, communicate transparently when things go wrong, and sustain effort through long-duration crises. This is a talent pipeline problem as much as a funding problem. |
6. Public Perception vs. Real Risk: The Dangerous Gap
Public risk perception is shaped by availability bias, media salience, and political framing — not actuarial probability. The gap between perceived and real risk creates both over-preparation for some threats and dangerous under-preparation for others:
Risk Category | Public Perception |
Terrorism | Systematically over-feared. Post-7/7 and Manchester, terrorism dominates public anxiety despite extremely low individual probability. Huge resource allocation relative to risk. |
Pandemic / Engineered Pathogen | Under-feared post-Covid. The trauma of 2020-22 has not translated into sustained preparedness behaviour or political will. 'It happened once' paradoxically reduces perceived probability. |
Cyber Attack on Infrastructure | Almost entirely invisible. Few citizens connect their digital daily life to critical infrastructure vulnerability. No salient near-miss has crystallised the risk. |
Climate & Extreme Weather | Polarised and politicised. Half the population perceives existential risk; half dismisses urgency. Neither drives the practical adaptive behaviour needed. |
Societal Fragmentation | Unrecognised as a 'risk'. Most citizens do not frame declining institutional trust, increasing polarisation, or democratic erosion as resilience threats — yet these are the conditions that make all other risks unmanageable. |
The practical consequence: political capital follows perceived risk, not real risk. This means chronic under-investment in cyber, biological, and long-duration climate adaptation — and over-investment in visible, photogenic, politically legible threats.
Closing this gap requires an independent, well-resourced and trusted body for public risk communication — one with the institutional credibility of the ONS but the communication reach of the BBC. No such body currently exists with the mandate and resources to do this work.
7. Disinformation: The Risk Multiplier
Disinformation does not create risks — it amplifies them. It degrades the shared factual basis needed for collective response, undermines trust in institutions, and fragments society at precisely the moments when cohesion is most needed. This makes it one of the most strategically dangerous elements in the current threat environment.
How Disinformation Operates in Crisis
• Speed asymmetry: False narratives spread six times faster than corrections on social platforms (MIT Media Lab). By the time institutions respond, the false narrative is established.
• Emotional exploitation: Disinformation is engineered for emotional response — fear, anger, disgust. These emotions suppress analytical reasoning and accelerate sharing.
• Source confusion: State actors (especially Russia's GRU and SVR) operate through networks of apparently independent accounts, creating the appearance of organic consensus around false narratives.
• AI amplification: Generative AI has collapsed the cost and skill required to produce convincing synthetic media, fabricated documents, and personalised disinformation at scale. The 2024 UK election saw the first significant deployment of AI-generated disinformation in a domestic context.
What the UK Has and What It Lacks
The UK has the Counter Disinformation Unit (CDU), the NCSC's online resilience work, and Ofcom's Online Safety Act powers. These are necessary but insufficient. The CDU operates at departmental scale against a threat of national scale. The Online Safety Act focuses on harm to individuals, not systemic democratic harm. There is no standing capability to rapidly rebut state-sponsored disinformation at the speed at which it travels.
Finland and Estonia — which have faced this threat directly from Russia for longer — have developed whole-society media literacy programmes embedded from primary school through civic institutions. The UK equivalent remains marginal and under-funded.
AI's double edge: AI can detect, analyse and counter disinformation at scale — and adversaries know this. The race is now between AI-powered disinformation generation and AI-powered detection/rebuttal. The UK must invest in the latter while recognising that no technological solution substitutes for a population with the critical thinking skills to resist manipulation. Both are essential. |
8. Barriers to Resilience — and How to Remove Them
Structural Barriers
• Short-termism: Political cycles of 4-5 years are misaligned with resilience investment cycles of 10-30 years. No government will invest heavily in threats that may not materialise on their watch.
• Siloed accountability: Cabinet departments, Local Resilience Fora, and sector regulators each own a slice of resilience with no integrating authority or budget that spans the system.
• Classification culture: Much of the most useful threat intelligence is classified at levels that prevent it reaching the businesses, councils and community organisations that need it most.
Behavioural and Cultural Barriers
• Normalcy bias: Organisations — and governments — systematically underestimate the probability of unprecedented events and resist costly preparations for scenarios they have never experienced.
• Heroic recovery culture: The UK's emergency response culture celebrates post-disaster improvisation (Dunkirk spirit) rather than demanding pre-disaster preparation. This perversely reduces the political incentive to invest in resilience.
• Leadership selection failure: Across public sector, defence and regulated industry, promotion and appointment processes select for risk-aversion, communication skill and hierarchy-navigation — not the adaptive, decisive, morally courageous leadership that crisis demands. This thread runs through every section of this submission.
What Must Change — Integrated Recommendations
Domain | Priority Actions Required |
Governance | Create a National Resilience Council with cross-departmental authority, independent funding, and a mandate spanning 20-year horizons. Model on Climate Change Committee but with executive reach. |
Defence | Implement a genuine readiness baseline, restore munitions stockpiles, reform reserve forces, accelerate AI/autonomous systems integration, and adopt counter-hybrid warfare doctrine with legal authority to act. |
Private Sector | Move from voluntary resilience codes to mandatory standards with board-level accountability. Establish shared public-private exercises at national scale. Reform CNI concentration. |
Public Communication | Fund an independent national risk communication function. Embed emergency preparedness in education. Build trusted, AI-enabled community resilience tools. |
Disinformation | Establish a standing national rebuttal capability. Fund whole-society media literacy programmes. Use AI for detection at scale while building population-level critical thinking. |
Leadership Pipeline | Reform civil service, military and emergency services selection and development to reward adaptive capacity, moral courage, and crisis leadership — not just management competence. |
AI Governance | Develop a UK AI-resilience strategy that harnesses AI for early warning, response coordination, and disinformation detection while building defences against adversarial AI use. |
Conclusion: Resilience as a Leadership Choice
The UK is not uniquely vulnerable — but it is uniquely unprepared relative to the realism of its threat environment and the sophistication of its adversaries. The knowledge, the frameworks and in most cases the financial capacity to address these risks exist. What is consistently absent is the leadership will to act on a timescale that matters — before the crisis, not in response to it.
Every section of this analysis returns to the same point: resilience is not a technical problem awaiting a technical solution. It is a social and political problem requiring leaders — in government, defence, business and civil society — who will prioritise long-term national security over short-term institutional comfort.
AI will be decisive in how this plays out. Used well, it will accelerate early warning, improve response coordination, and make resilience infrastructure smarter and more adaptive. Used poorly — or left to adversaries — it will make the UK more fragile, more manipulable, and less able to act cohesively when cohesion is most needed.
The central thesis, consistent across previous publications: The UK does not lack resilience frameworks, risk registers or policy papers. It lacks the institutional leadership culture and political will to act on what it already knows. That is the most important vulnerability — and the one most within our power to change. |
About The Author:
Dr Maitland Hyslop is a Visiting Lecturer at Buckingham University in Security and Intelligence, and part of Northumbria University’s Disaster and Development Network. He has been active as a businessman and academic in Resilience since 2004. His 2013 PhD is in Organisational Security. He has written relevant books (Critical Information Infrastructure Protection; Obstructive Marketing, How Companies Get Stopped from Marketing Their Products; On War 2020, The Threat to Britain; The Invisible Apocalypse, Cyber Threats to Britain; Mixed Reality Leadership; AI Governance; Resilience in the AI Century) and numerous articles.
07730 456652
This is a personal submission.
Comments