In 2015, Question Time put Jeremy Corbyn in front of a live audience and asked whether he would authorise a nuclear strike if it came to it. The question landed because everyone in that room had a mental picture of what nuclear war looked like — the mushroom cloud, the devastation, the finality of it. War, in the public imagination, has always looked like something.
The next wave of warfare looks like nothing. No flash on the horizon. No air raid warning. No headline that says "we are at war." Just your card declining at the supermarket. Your GP unable to pull up your records. Shelves running empty. And somewhere in a data centre, someone who means this country harm is watching it happen in real time.
This piece is for everyone who isn't in the security industry. It matters to you more than you might think.
This is not science fiction. It is not a distant threat. It has already started — in London hospitals, on British high streets, and quite possibly in your living room right now. The question is not whether this kind of attack can happen. It is whether enough people understand what is at stake before the next one does.
The hidden infrastructure of ordinary life
A Typical Day — and Where It Depends on Digital Systems
Every moment below is a point where a cyberattack could interrupt your day. None of these are hypothetical — each represents a system that has been successfully attacked somewhere in the world in the last three years.
Every highlighted touchpoint represents a system that has been successfully attacked. Red = attacked in the UK. Your day runs on digital infrastructure that most people never think about — until it fails.
It Has Already Started
This isn't a warning about the future. It is a report on what has already happened — and the pattern behind it.
In June 2024, a criminal gang attacked Synnovis, a company that processes blood tests for NHS hospitals across London. Within hours, seven hospitals lost the ability to run basic blood tests. Operations were cancelled. Blood transfusions were disrupted so severely that the NHS put out an emergency nationwide appeal for O-type blood donors — the universal type used when there is no time to match. Over 10,000 outpatient appointments and 1,700 procedures were postponed. The attack took months to recover from and exposed the personal health data of hundreds of millions of patient interactions. Nobody fired a shot. Nobody crossed a border.
In April 2025, hackers targeted Marks & Spencer over Easter weekend. They didn't smash a window or hold anyone at gunpoint. They called the IT helpdesk, pretended to be an employee, and talked their way past the security checks. Within days, M&S couldn't run its website, its stockrooms went dark, its food halls struggled to keep shelves filled, and the company was reverting to pen and paper to manage inventory. Online sales were suspended for 46 days. The total cost: over £300 million. M&S lost more money from that phone call than most towns generate in a year.
These are not edge cases. These are not sophisticated military operations requiring state-level resources. The M&S attack started with a phone call. The NHS breach came through a third-party supplier. And both caused the kind of disruption to ordinary daily life that most people associate only with physical emergencies — empty shelves, cancelled operations, urgent blood donation appeals.
The Blitz Nobody Can See
During the Second World War, the threat was visible. You heard the air raid sirens. You saw the planes. You could queue for Anderson shelters and feel, at least, that you were doing something. Communities formed around the shared reality of the danger. The government could point at the sky and say: that is what we are fighting.
The next wave of warfare does not announce itself. There are no sirens. There is no flash on the horizon. There is no enemy you can point to, no border being crossed, no soldier to photograph. There is just a Wednesday afternoon when your card stops working at the petrol station, or your GP surgery calls to say your appointment is cancelled, or the pharmacy can't dispense your medication because their system is down.
Then and Now
The Blitz vs. The Invisible War
The threat has changed. The potential for devastation to ordinary life has not.
The crucial point is this: you do not need to attack a power station or a military installation to bring a modern country to its knees. You just need to take down enough of the ordinary systems that hold daily life together — payments, food logistics, fuel distribution, health services — long enough, and broadly enough, that the economic and social consequences cascade. We already know what a fuel shortage looks like. We saw petrol station queues stretch for miles in 2021 over a lorry driver shortage. Imagine that, but caused deliberately, and affecting not just fuel but food, and cash, and medicine, at the same time.
There will be no heroic effort of small boats crossing the Channel. No nightly air raid warning to bring communities together. No Atlantic convoys resupplying a battered nation. Just the systems that support our daily lives, ground quietly to a halt.
The scale of disruption — already
Major UK Cyber Incidents — What Actually Happened
These are not statistics from a distant country. These happened here, to people going about their ordinary lives.
Sources: NHS England, M&S financial filings, Cyber Monitoring Centre (CMC) Category 2 event report. All incidents are UK-based. All dates are confirmed.
The TV in Your Living Room
Here is something that might surprise you. You may already be involved in this — without knowing it, without consenting to it, and without having done anything wrong.
In 2025, the FBI issued a public warning about something called the BadBox 2.0 botnet. A botnet is a network of devices that have been secretly infected with malicious software and can be remotely controlled by criminals. BadBox 2.0 is the largest network of infected TV streaming devices ever discovered. At its peak, it had enrolled over ten million devices across 222 countries — including the UK. These aren't obscure pieces of equipment. They are the cheap Android TV boxes, streaming sticks, digital projectors, and smart tablets that millions of households use to watch films, sport, and television.
Many of these devices arrived infected before you even plugged them in. The malware was installed at the factory, hidden inside the operating system, invisible to the user. Once connected to your home Wi-Fi, the device quietly joins the botnet — and your internet connection, your home network, can then be used by criminals to launch attacks on other targets. Your streaming box, bought for £25 from a marketplace, might be helping an organised criminal group attack a hospital, launder advertising fraud, or assist a foreign government's hacking operation. And you would never know.
If your TV box or streaming stick is from a brand you don't recognise, was advertised as "unlocked" or offering "free TV channels and sports," and required you to download apps from outside the Google Play store — it may be compromised. The FBI advises disconnecting suspicious devices from your network. A device bought from a well-known brand on the high street or certified by Google is far less likely to be affected.
The botnet in your home
BadBox 2.0 — Growth of the World's Largest TV Box Botnet
From 30,000 disrupted by German authorities in December 2024 to over 10 million by mid-2025. Law enforcement disruptions had only temporary effect — the infected devices kept shipping.
Sources: HUMAN Security Satori Intelligence, FBI IC3 Advisory, Bitsight. Despite multiple law enforcement operations, the botnet continued to grow because compromised devices kept being manufactured and sold.
The Government Is Not Ready — And It Is Making Things Worse
You might expect that facing a threat of this scale, government would be focused above all else on shoring up the country's defences. You might expect the public bodies responsible for our digital safety to be making careful, expert-led decisions. You would be wrong on both counts.
The government is currently building a mandatory national Digital ID system — a single digital card that will eventually be required to access employment, benefits, pensions, passports, and driving licences. All of it routed through one system. That system is called GOV.UK One Login, and it is already used by 13 million people.
Think about what that means in practice. Right now, if a criminal steals your bank card, the bank cancels it and you get a new one. Inconvenient, but recoverable. If a criminal steals your passport, you apply for another. These are separate systems with separate vulnerabilities. If any one of them is breached, the damage is contained. The Digital ID changes that fundamentally. It creates a single key that unlocks everything — your pension, your right to work, your driving licence, your benefit payments. One breach, and all of it is potentially compromised at once. Security experts call this a "single point of failure." For a lay audience, it is simpler than that: it is putting every egg in one basket, then advertising the basket to criminals.
In December 2025, senior civil servants who work on that system went to ITV News as whistleblowers, with confidential documents to back up their claims. What they described should alarm any ordinary person: One Login is failing to meet the government's own minimum security standards. People without proper security clearance had been able to access the system's most sensitive components — including development staff based overseas. System administrators were using unprotected devices, creating a potential pathway from the open internet straight into the heart of the system. And during a formal security test earlier in 2025, an outside tester was able to place malicious software on an administrator's computer and access sensitive parts of the system — without triggering a single alarm. The system, in other words, was penetrated during a test, and nobody noticed until the testers told them.
One of the whistleblowers spelled out what they fear: "The maximum damage that I can conceive is that they allow digital identity to continue to roll out and onboard all government services and then at a time of a bad state actor's choosing, they deny access to the services. That would shut everybody out of attempts to claim their pensions, welfare benefits, renew their passport, get a driving licence. Everything."
Read that again. One attack on one system. Everyone in the country locked out of everything. And the security concerns were first raised internally in 2022 — four years ago — and ignored. The whistleblower who reported the problems through official channels faced disciplinary action for doing so. The government's response to all of this has been to say that security is a priority, and to press on.
A centralised identity system concentrates all the risk in one place. If it is breached, the consequences are not a stolen credit card — they are the loss of your entire digital identity. Security experts across the industry have described the UK scheme as a "honeypot for criminals." Nearly three million people signed a petition calling for it to be reconsidered. The ITV News whistleblower investigation is available to watch at itv.com. The government has pressed on regardless.
Meanwhile, the regulator Ofcom — whose expertise lies in broadcast licensing and communications regulation, not cybersecurity — has been monitoring how many British people use VPNs. A VPN is a tool that protects your internet traffic, used by journalists, lawyers, remote workers, businesses, and anyone concerned about their privacy online. Following public pushback against the Online Safety Act's age verification requirements, some MPs and campaigners began calling for VPNs to be banned or restricted. Security experts responded by pointing out that this would place the UK alongside China, Russia, and Iran as one of the few countries on earth that restricts its citizens' use of basic privacy tools. The body that should be leading this conversation — the National Cyber Security Centre — has been largely absent from it. A communications regulator should not be shaping national security policy. But right now, effectively, it is.
What This Means for You — and What You Can Do
The purpose of this piece is not to frighten you. It is to give you an honest picture of a threat that is real, that is already here, and that your own behaviour — and your government's decisions — can either make better or worse. The good news is that some of the most effective steps you can take are simple, free, and take ten minutes.
1. Update your devices — all of them
Your phone, laptop, router, and smart TV. Updates are not just new features — they patch security holes that criminals actively exploit. Turning on automatic updates is one of the highest-impact things a non-technical person can do. Do it today.
2. Check your TV box and streaming sticks
If it came from a brand you don't recognise, was advertised as "unlocked" or offering free sports and movies, and is not a certified product from a known manufacturer — consider unplugging it from your network. The FBI advises this explicitly. The risk is real and immediate.
3. Use different passwords for different accounts
When a company is breached, criminals test the stolen passwords on banking sites, email, and government services. If you use the same password everywhere, one breach unlocks everything. A password manager — free options include Bitwarden — generates and stores unique passwords so you don't have to remember them.
4. Turn on two-factor authentication
On your email, your banking app, and anywhere that holds important information. Two-factor means that even if someone has your password, they still can't get in without your phone. It is available on almost every service. It takes five minutes to set up and makes you far harder to attack.
5. Be sceptical of urgent requests
The M&S attack started with a phone call. The attacker pretended to be an employee and asked the IT helpdesk to reset a password. If you receive an unexpected call, email, or text asking you to confirm details, reset a password, or click a link — stop. Call the organisation back on a number you find independently. Urgency is the weapon. Pause is the defence.
6. Demand better from your representatives
The Digital ID scheme is being built on a system that its own engineers say is not secure. The regulator responsible for online safety is considering restrictions on the tools that keep journalists and ordinary people safe. These are political decisions. Write to your MP. Ask what the government is doing to address the security concerns raised by whistleblowers. This is not a niche technical matter — it is a question of national resilience.
The Question Nobody Is Asking
When Jeremy Corbyn was asked about nuclear strikes, the audience was engaging with a question about visible, imaginable war. The harder question — the one nobody has yet asked at a prime-time debate — is what happens when an adversary doesn't need missiles.
In 1984, the BBC broadcast Threads, a drama about the aftermath of nuclear war in Sheffield. It is remembered as one of the most disturbing things ever shown on British television — not because of special effects, but because of specificity. It showed what nuclear war looked like on your street, in your home, to your neighbours. People who watched it changed their view of the threat. They demanded shelters. They demanded policy. The film did what no government briefing could: it made the abstract visceral and the distant immediate.
We need a Threads for cyber warfare. We need a public conversation that is as honest about this threat as that film was about nuclear war. Not hysterical. Not technical. Just clear. Because the next wave of warfare does not care whether you understand it. It does not care whether you live near a military base or a data centre. It is coming regardless — and it will land in your home, on your high street, and in your hospital, whether or not anyone told you to be ready.
Being miles from the battlefield is no longer protection. The battlefield is everywhere there is a device, a network, a system that someone depends on. That is your home. That is your town. That is the country you live in.
The air raid sirens are not coming this time. But that does not mean the bombs are not falling.
You are not a bystander in this. You are already on the frontline — in your living room, at your GP surgery, at the checkout. The only question is whether you know it.