We Have Lost the Resilience Lessons of Covid. Britain Could Not Last a Week in a Crisis, Let Alone a War.
The defence budget matters. It is worthless without the resilience the Nordics built two generations ago, the kind Westminster keeps naming in its own strategies and refusing to fund.
BOTTOM LINE UP FRONT
Britain could not feed, fuel and power itself through a fortnight of serious disruption, and that is the government’s own diagnosis, written across the National Risk Register, the Strategic Defence Review and the Covid Inquiry, then left unfunded. Westminster is fighting over the Defence Investment Plan and a forecast £28bn equipment shortfall, which is half the argument.
The realistic test is not invasion but a shock: a cyber attack on the grid or the NHS, a severed undersea cable, the next pandemic. On that test we have forgotten what Covid taught us. The Nordic states face the same Russia on a fraction of our GDP and built the answer two generations ago.
For an investor this is a repricing event, a risk to existing portfolios and an opportunity in the firms that fix it. For a board it is one decision above all, the just-in-time-versus-buffer trade-off quietly delegated to procurement for twenty years and never taken back, and there are three questions below you can table at your next meeting to find out where you stand. And for you personally it is simpler still.
The first 72 hours are yours, not Whitehall’s.
1. Britain is having half an argument
For two years British defence policy has been a fight about money and kit, frigates, jets, the £28bn shortfall, who carries the can, and now who succeeds Starmer. That fight matters. Conventional forces and the deterrent are themselves a form of resilience: a country that can be deterred from attack does not have to absorb one, and run down the submarine-tracking and the conventional mass and you raise, not lower, the odds of the grey-zone pressure this paper is worried about, the coercion that sits below open warfare and above ordinary crime. Resilience and procurement are not rivals for the same pound. The point is narrower and sharper. The contested money and the political oxygen are going almost entirely to platforms, while the other half of national security, the ability to take a hit at home and keep functioning, is named in every strategy document and funded in almost none of them.
This is what the government’s own papers say. Resilience is, in NATO’s own words, “the first line of defence” (Roepke and Thankey, NATO Review, 2019), and Britain’s own Strategic Defence Review of June 2025 was built on that principle. It is tempting now to remember the SDR as a procurement document, a story about frigates, jets and the £28bn, but it was as much a resilience review as a military one: it called for a whole-of-society “new deal” to protect critical national infrastructure, the physical and digital systems a country cannot function without, in partnership with industry and allies, and it was accepted in full, all 62 recommendations. That resilience half is the part Britain has quietly dropped. The procurement fight took the attention and the money, the readiness mechanisms the review created leaned military rather than civil, and the whole-of-society ambition has thinned to language. The National Security Strategy of 24 June 2025 makes “Security at Home” its first pillar and names undersea cables, energy and logistics as priorities. So the doctrine is settled at the highest level. The question this paper asks is why the doctrine is not followed by the budget, and what it would take to fix that before the shock arrives rather than after.
2. What actually breaks
The government’s own National Risk Register 2025 lists 89 risks across nine themes, and the acute ones that dominate it are exactly these: cyber attack, infrastructure failure, pandemic, energy disruption. Resilience, in one established sense, is the capacity to absorb such a shock and keep functioning (Bourbeau, 2018, sets out this and other logics of the term), and across Britain’s critical systems the same pattern repeats: thinning domestic capacity, rising import dependence, just-in-time supply with almost no buffer, and a few nodes whose loss cascades fast.
Fuel is the sharpest single point of failure. Britain had 18 oil refineries in the 1970s and has four today, after Grangemouth and Lindsey closed in 2025. It was diesel self-sufficient as recently as 2011; by 2024 it imported two and a half times as much diesel as it produced and over three times as much kerosene (Fuels Industry UK; House of Commons Library). The bulk of that diesel arrives refined on the Continent from Middle Eastern crude, and the bulk of our jet fuel comes from the Gulf. That standing dependency, not any single day’s headline, is the point. The Strait of Hormuz is simply the proof of it: through 2026 it has swung between closure, a brief reopening and renewed closure as strikes and counter-strikes continue, and whatever its status on the morning you read this, the exposure that makes its closure dangerous for Britain is unchanged. Diesel moves food, runs backup generators and underpins every other system, so for a person in Leicester on a Tuesday this is not abstract: a sustained squeeze on imported diesel reaches the forecourt and the supermarket shelf within days, not months.
Food has thinned the same way. The statutory UK Food Security Report 2024 puts domestic production at about 60 percent of food by value, down from 78 percent in the mid-1980s, with most of the rest imported and fresh fruit barely 16 percent home-grown. The system runs on just-in-time logistics that Covid showed are brittle, and because food, fuel and power are interdependent, a sustained hit to fuel or electricity bites the food supply within days.
The grid is robust against routine faults and exposed to a coordinated attack. Great Britain’s transmission system has never suffered a complete shutdown in 75 years, a record that should not be inflated into alarmism. But the ten-hour blackout that hit more than 50 million people across Spain and Portugal in April 2025 showed how fast a failure cascades, and against a coordinated physical or cyber attack on a handful of high-voltage substations, recovery is measured in days, not hours. The economic cost of the Iberian blackout ran to around €1.6bn on the Spanish employers’ (CEOE) figure, lower on the government’s. The proximate domestic warning was the North Hyde substation fire of March 2025, which shut Heathrow, and it is the trigger behind the government’s forthcoming Energy Resilience Strategy (announced November 2025), the first of its kind.
It is worth conceding why all this thinned. Britain did not run down its refineries or its food production out of negligence. It did so because global markets, the North Sea and just-in-time logistics delivered real welfare gains, lower prices paid every year against a low-probability event. These were trade-offs, mostly rational ones. The argument is not that past decision-makers were foolish. It is that the risk balance has now shifted, because grey-zone threats are real and the harm is no longer hypothetical.
3. The digital and cognitive front
If the last section was about what Britain has let wither, this one is about who is already exploiting it. The attacks that are already landing do not hit military targets. They hit the soft tissue of daily life, and that is the point.
The clearest proof that a cyber attack can cause physical harm in Britain is the Synnovis case. In June 2024 Qilin ransomware encrypted the pathology provider for several London hospitals, forcing more than 10,000 cancelled appointments, postponing over 1,700 operations, triggering blood shortages, and, in the trust’s own confirmation, contributing to a patient’s death. The same period brought the attack on Transport for London, whose perpetrators, members of the group Scattered Spider, pleaded guilty in late June 2026, with the cost to TfL put at around £29m in losses and recovery. And the most economically damaging cyber attack in British history, the 2025 strike on Jaguar Land Rover, halted production for about five weeks, hit more than 5,000 supply-chain firms and drew a £1.5bn government loan guarantee, with the cost to the economy modelled at around £1.9bn (a single-modeller estimate, so treat it as modelled, not settled). Water is now a live target too: the Drinking Water Inspectorate recorded five serious cyber attacks on UK suppliers across 2024 and 2025, a record, and in one case hackers went undetected for nearly two years.
Underneath sits a structural weakness. Much of the UK’s energy, water and health estate runs on operational technology, the industrial control systems that run pumps, substations and hospital equipment, which were never designed to be connected to the internet and are very hard to secure. The cyber skills base is thin. And the timing has flipped against the defender: leading incident data now shows attackers routinely exploiting a software weakness before the company that makes the software even knows it exists. This is the pivot of the whole argument. When the exploit beats the patch, prevention alone is a losing game, and the only winning posture is to assume breach and recover fast. That is a resilience posture, not a procurement one, and the NCSC’s May 2026 warning, that AI is letting attackers exploit long-standing software flaws at a scale and speed not seen before and that organisations should brace for a “patch wave”, a surge of urgent software fixes hitting at once, is the official statement of it. Two state-level threats frame this. Chinese actors have pre-positioned inside US critical infrastructure to disrupt in a crisis, not merely to spy, and while an equivalent confirmed foothold in named UK infrastructure is an assessment rather than a proven fact, the same actors target allies and Britain should plan as a target. And around ten Baltic subsea cables have been damaged since 2022, prompting NATO’s Baltic Sentry, its patrol mission to protect undersea infrastructure, though it is important to be precise: several were assessed by Western officials as maritime accidents rather than confirmed sabotage, so the attribution is genuinely contested.
The last front is cognitive, and it is where Britain is thinnest. A population that trusts its institutions is hard to panic and quick to recover; a low-trust society is pre-vulnerable, because a hostile information operation need not invent a fracture, only widen one. Controlled studies show populations can be “inoculated” against disinformation in advance, the cognitive equivalent of a vaccine: show people the manipulation technique before they meet it and they spot it in the wild (Roozenbeek and van der Linden, Science Advances, 2022). Treating information defence as a standing state function is a developed doctrine, not an improvisation (Pamment, in Bjola and Pamment, 2019), and Sweden built an institution around exactly this idea, its Psychological Defence Agency, established in 2022. It reframes disinformation from a content-moderation problem into a national-resilience one, which is the through-line of this whole argument. For a company this is not only a policy point. The same vector runs straight through your own organisation: Scattered Spider broke into firms through people, not code, so employee resistance to social engineering and a rehearsed crisis-communications plan are the corporate edge of the same problem, and unlike national psychological defence they have a clear owner, your security awareness and communications functions.
4. What Britain admits, and what it has not funded
Britain ran down its civil resilience deliberately. The Civil Defence Corps was disbanded in 1968 (Grant, 2010) and the brief Protect and Survive revival of 1980 had no successor, and whether the cause was public ridicule or, as Preston’s archival study argues, the quieter institutional path dependency inside Whitehall (Preston, 2015), the lesson holds: preparedness messaging is politically fragile and must be framed as calm civic duty, not apocalypse.
The recent fix is real, and partial, and it can be proved from the government’s own documents of the last year:
Government Resilience Action Plan (July 2025): £4.2bn for flood defences, over £1bn for biosecurity, a Resilience Academy and a national alert test to 87 million phones. The Centre for Long Term Resilience, a serious and non-partisan body, called it “ambitious progress with room to go further.”
The SDR: a Defence Readiness Bill and a new strategic reserve by 2030, but read closely these mobilise the military and industry for conflict, not a Finnish-style civil reserve of fuel, food and medicines for a non-conflict shock.
Cyber Security and Resilience Bill (now through the Commons and in the Lords, not merely proposed): extends regulation to data centres and managed-service providers and creates “critical supplier” powers with fines up to £17m or 4 percent of global turnover, exactly the lever the Synnovis and JLR cases argue for.
Pandemic Preparedness Strategy (March 2026): around £1bn into health protection plus £250m for a national biosecurity centre at Harlow, and a prolonged-crisis rehearsal in Exercise Pegasus.
This is the right diagnosis. But the Covid Inquiry’s first report (July 2024) found the structures had “failed the citizens of all four nations,” and the through-line is the same: the words are published, the money is thin, and no single minister owns societal resilience the way the Treasury owns the spending review. The military cannot fill the gap, with standing domestic-resilience readiness at around 1,600 troops. The gap is one of funding, ownership and maturity, not of language, and that is a fair charge because the government itself supplied the evidence.
5. The model that works, and its limits
The Nordic and Baltic states face the same Russia and chose a different path. “Total defence” is a defined doctrine, not a loose label, and the Nordic states, Finland and Sweden above all, built a genuine whole-of-society version of it, combining the armed forces and civil society in a single comprehensive approach (Wither, 2020). Two elements transfer directly to Britain. First, supply security: Finland’s National Emergency Supply Agency holds strategic stockpiles and legally requires firms to keep reserves of staples, some underground. Second, psychological defence: Sweden’s 2024 reissue of the booklet “If Crisis or War Comes” went to all 5.2 million households, addressed disinformation for the first time, and told citizens to cope for at least a week unaided, backed by a dedicated agency.
Be honest about what does not transfer. The Nordic shelter stock, Finland’s capacity for over 80 percent of the population, is an invasion and air-raid measure, and it does little against the ransomware, cable cuts and fuel shocks this paper says are the realistic cases. Britain is also not Finland: an island with no land border with Russia, a nuclear deterrent and NATO’s Article 5 mutual-defence guarantee, whose planning case is disruption, not occupation. So the more apt comparators are the trade-dependent, island-like states that built resilience for disruption rather than war, the Netherlands and Singapore, as much as Finland. Both are wealthy trading hubs whose security problem is keeping flows of energy, goods and data moving through chokepoints they do not control, which is Britain’s real problem far more than a land invasion is. What Britain should copy is the supply-security architecture, the psychological-defence function and the calm national readiness standard, not the bunkers.
WHAT BALANCES THIS POSITION
The honest counter-case is strong and deserves stating. Britain’s geography, deterrent and alliance already provide depth, so mass civil-defence measures may be poor value, and as a top-six economy it can surge resources in a crisis as it did in 2020. There are three further objections the paper must meet rather than dodge. First, opportunity cost: every pound and minister-hour spent on stockpiles is one not spent on the deterrent and conventional forces that stop the crisis arising. Second, Britain is already moving: the Action Plan, the Bills, the strategies above are a real and accelerating body of work, so the gap is delivery and maturity, not absence. Third, the responsibilisation critique from the resilience literature itself: a state that tells citizens to prepare may be quietly offloading its own liability (Joseph, 2018), and a paper whose headline advice is “prepare your own household” risks doing the government’s deflection for it.
These have force, and the answer is ordering, not dismissal. The deterrent and conventional forces remain essential, which is why this paper says the DIP is necessary, not pointless. The government’s own work is welcome, but its own inquiry and its own watchdog say it is under-resourced and unowned, so conceding the trade-offs and the progress does not rescue the balance. And the responsibilisation point is met by sequence: the first and largest recommendations here are squarely state obligations, strategic reserves, hardened nodes, a single accountable owner with a ring-fenced budget, with household readiness as the necessary-but-not-sufficient last mile, not a substitute for any of them. What does not survive contact is the surge-in-a-crisis argument. Britain tried to surge in 2020, and its own inquiry found the structures failed. Resilience is the under-funded, under-owned half of a layered defence, and that is the binding gap.
WHAT SHOULD BE DONE
The fixes are known, and most are a matter of ownership and will rather than money, though money is needed too: a serious programme of strategic reserves and node-hardening would run to low tens of billions over a decade, which is far cheaper than the shock it insures against but is not free, and the paper will not pretend otherwise.
For government. Give one Cabinet-level minister clear ownership of societal resilience with a ring-fenced budget, separate from the platform-driven DIP. Build a strategic-reserves function on the Finnish model, with statutory power to mandate reserves of fuel, food, medicines and critical inputs, and fix the fuel exposure first. Publish a calm, Nordic-style “prepared for seven days” citizen standard and report against it annually. Stand up a properly mandated, defensive psychological-defence function, insulated from policing domestic speech, and fund prebunking, the pre-emptive exposing of manipulation techniques before a population meets them, at the scale the evidence shows works. Pass and resource the Cyber Security and Resilience Bill, use its critical-supplier power on the Synnovis-class dependencies, modernise the 140-year-old subsea-cable law, and harden the handful of substations, cable landing stations and fuel terminals whose loss cascades.
For the City and the boardroom (if you do not run a company or allocate capital, skip to the household section below). This is a repricing event that cuts two ways, a risk to existing portfolios and operations and an opportunity in the firms that fix the problem. The moves split by who you are.
Three questions to table at your next board meeting. Start here, even if you read nothing else in this section. What is the longest our top five critical services can be down before the business is in real trouble, and do we actually know that number? Where is our single-vendor concentration, in cloud, software and key suppliers, and who owns that risk by name? If imported fuel were squeezed for two weeks, does our logistics network keep running? A board that cannot answer all three has just found its resilience gap. The rest of this section is how you close it.
If you run a company, start with the one decision that is genuinely the board’s and has been quietly delegated for twenty years: just-in-time versus buffer. The lean supply chain that procurement has optimised for two decades was chosen as an efficiency, never consciously as a resilience trade-off, and it belongs back in the boardroom. Your Chief Risk Officer or board risk committee should hold a concentration map of the critical services the group depends on, with a board-set tolerance for how long each can be down, a dual-sourcing policy for critical inputs, and the held-inventory-versus-just-in-time call taken by the board, not optimised away by procurement. Most large firms are not starting from zero, you already have business continuity teams; the honest problem is they are pointed at the wrong risks and outranked by efficiency targets. Two practical cautions. You usually cannot map your fourth parties, your suppliers’ suppliers, because the data does not exist, so the realistic first step is to demand concentration disclosure from your most critical direct suppliers, not a perfect four-layer map. And if you operate across borders, run this across the whole footprint: a resilience map that stops at Dover is not a map. The fuel and chokepoint exposure in Section 2 is yours too if you move goods or run plant: contract for priority supply where you can, hold on-site generation and a fuel buffer for critical sites, and stress-test the logistics network against a two-week squeeze rather than assuming the forecourt stays open. And treat the cost of all this as a margin and cost-of-goods question, not only a continuity one, because a chokepoint closure shows up in input prices long before it shows up as an outage.
The regulation is already landing on the balance sheet. Since the FCA’s operational-resilience rules took full effect in March 2025, regulated firms must map their important services and stay within a maximum tolerable disruption for each, even where a third party delivers it. The Critical Third Parties regime, the rules letting regulators directly oversee the handful of outside suppliers, a single cloud provider, say, that much of the system leans on, began in January 2025, but the Treasury has designated none yet, so that concentration risk in your supply chain is, right now, owned by your board and no regulator. CrowdStrike, the cybersecurity vendor whose botched software update in July 2024 took out around a quarter of the US Fortune 500 at an estimated $5.4bn, is the lesson, because almost none of those boards had ever named the dependency. And if you operate in the EU you are already inside the NIS2 Directive and, for financial entities, DORA (the Digital Operational Resilience Act), both live now and in some respects ahead of the UK, so a compliance map drawn only to the UK perimeter is already out of date. For most service businesses this single-vendor cloud and software concentration is now the highest-probability, highest-cascade operational risk you carry, ahead of fuel, and it deserves naming as a first-order exposure in its own right, not one line on a list. Add fourth-party concentration, your reliance on a supplier several contracts removed that you may never have heard of, to every diligence checklist, and price it properly: model the cost of remediation and lost output, and treat an unfixable single point of failure, one supplier with no substitute and no recovery plan, as a walk-away rather than a price-chip. Under directors’ duties, foreseeable operational collapse is already a governance failure, regulated or not.
If you allocate capital, the investable theme is real but needs honest sizing. The hardening sub-sectors, standby power and generation, grid-scale storage, water-treatment and leakage technology, fuel storage and terminals, and supply-chain and inventory-resilience software, are where policy money lands as stockpile, storage, medical and fuel-reserve procurement scales. Two caveats your investment committee will raise before you do: most of these are defensive infrastructure-yield assets, not a growth story, and infrastructure funds have already crowded the space, so entry multiples are not cheap. Separate the names with a dated policy catalyst, fuel and medical reserves, the Energy Resilience Strategy, the Harlow biosecurity build, from those structurally attractive whether or not Whitehall ever spends. Three worked examples of that cut: fuel storage and terminals have the clearest dated catalyst, since a statutory strategic-reserve mandate would force the buying, but the assets are lumpy and largely held by infrastructure funds already, so the entry point is the real constraint. Standby power and grid-scale storage ride a structural tailwind, data-centre demand and grid fragility, that holds whether or not the reserve mandate ever arrives, which makes them the more durable hold. Supply-chain and inventory-resilience software is the asset-light, higher-multiple play with almost no policy dependency, priced as growth rather than yield, so the risk there is valuation, not catalyst. Treat it as a watch-list to size as the budgets land, not yet a buy-list. And for the deal table: if conventional kit is stretched while resilience and cyber get new money, that is a clear steer between defence sub-sectors.
For you, the individual, and the small business. This needs no one’s permission, and it is the most useful thing here. In the realistic shock the first 72 hours are yours, not Whitehall’s, so adopt the Nordic standard. Keep seven days of water, roughly three litres a person a day, and non-perishable food with a manual tin opener. Hold a power bank, a battery or wind-up torch and radio, a buffer of any prescription medicine, and a written list of key numbers, because you cannot read a dead phone. Keep a few hundred pounds in physical cash, because cards stop working in a blackout, as Iberia showed. Separately, and as ordinary financial prudence rather than crisis planning, hold three to six months of essential outgoings accessible. Use a password manager and a hardware security key rather than text-message codes, and keep an offline backup of anything you cannot lose. None of this is survivalism. It is the household and small-business version of the continuity plan a serious company already runs, and the responsibilisation critique is answered by remembering that this is the last mile, not the state’s job done by you. If you run a small or medium business, the supply-chain fragility above is not abstract, it is your delivery schedule, your payment terminal and the generator that is not in the yard. Three things take an afternoon: name your single points of failure (the one supplier, the one payment provider, the one delivery route) and find a second option for each, keep enough cash and a backup way to take payment to trade through a card outage, and write a one-page plan for how your people keep working if the office, the network or the deliveries stop. That is the small-business version of the continuity plan a large firm already runs.
The country that wins the next crisis will not be the one with the biggest procurement budget. It will be the one that can take a hit and keep functioning. Britain is arguing about half the problem.
REFERENCES
Academic and doctrinal
Bourbeau, P. (2018). On Resilience: Genealogy, Logics, and World Politics. Cambridge University Press.
Grant, M. (2010). After the Bomb: Civil Defence and Nuclear War in Britain, 1945-68. Palgrave Macmillan.
Joseph, J. (2018). Varieties of Resilience: Studies in Governmentality. Cambridge University Press.
Preston, J. (2015). The strange death of UK civil defence education in the 1980s. History of Education, 44(2), 225-242.
Roepke, W. D., and Thankey, H. (2019). Resilience: the first line of defence. NATO Review, 27 February 2019.
Roozenbeek, J., and van der Linden, S., et al. (2022). Psychological inoculation improves resilience against misinformation on social media. Science Advances, 8(34).
Pamment, J., in Bjola, C. and Pamment, J. (eds.) (2019). Countering Online Propaganda and Extremism: The Dark Side of Digital Diplomacy. Routledge.
Wither, J. K. (2020). Back to the future? Nordic total defence concepts. Defence Studies, 20(1), 61-81.
Monaghan, S. (2022). Deterring hybrid threats: towards a fifth wave of deterrence theory and practice. Hybrid CoE Paper 12.
UK government, last 12 months
Strategic Defence Review 2025 (2 June 2025), gov.uk. CNI “new deal”, Defence Readiness Bill and strategic reserve; all 62 recommendations accepted in full.
National Security Strategy 2025: Security for the British People in a Dangerous World (24 June 2025).
UK Government Resilience Action Plan (8 July 2025); Centre for Long Term Resilience commentary.
National Risk Register 2025.
Cyber Security and Resilience Bill (introduced Nov 2025; report stage/third reading 2026).
Pandemic Preparedness Strategy (25 March 2026); Covid-19 Inquiry Module 1 report (18 July 2024).
UK Food Security Report 2024 (statutory, Agriculture Act 2020).
Energy Resilience Strategy, announced November 2025 (forthcoming 2026).
Key data sources
House of Commons Library (refineries, DIP shortfall, MACA readiness); Fuels Industry UK (fuel imports); Drinking Water Inspectorate (water cyber); UK government, May 2026 (subsea cables); Artemis (cat bond $63.9bn, end-Q1 2026); FCA PS21/3 and PS24/16 (operational resilience, Critical Third Parties); Parametrix (CrowdStrike $5.4bn); Cyber Monitoring Centre (JLR ~£1.9bn modelled); Finnish National Emergency Supply Agency; Swedish MSB (“If Crisis or War Comes”, 2024).



