NCSC CEO Richard Horne’s June 17, 2026 disclosure that nation-state actors (primarily Russia, China, and Iran) were responsible for approximately 75% of more than 200 UK critical national infrastructure cyber incidents in the past twelve months represents the most explicit public attribution at this scale to date. The 2028 AI-accelerated exploitation warning establishes a hard planning horizon for CNI operators across Five Eyes nations. This is a strategic intelligence item, not a product vulnerability; action required is threat model update and CNI posture review.