Just as computational technologies are a dominant feature of 21st Century life, so too are the various ways in which computers may be
exploited for malicious purposes. The ubiquity of computer-based threats is such that, for the UK and other nation states, cyber security
is a matter of growing national defence significance. Evidencing this, the UK’s most recent integrated review of security, defence and
foreign policy mentioned the term ‘cyber’ 149 times, with the UK prime minister stating therein that by 2030 the UK aspires to be
‘one of the worlds leading democratic cyber powers’. To fulfill this vision, the UK must first have a sense of the nature of its threat
landscape. In order to contribute to this understanding, our research addresses the question: What are the conditions of the UK’s cyber
threat landscape? In asking this question, we are also seeking to answer a second, more pragmatic question: how can the UK’s cyber
defences be improved? There is a tendency when addressing questions of national significance to focus on large complex challenges,
such as the threats posed to the UK by Advanced Persistent Threats (APTs). In this paper we take a different approach, choosing
instead to focus on detectable, known and therefore potentially preventable cyber threats, specifically those that are identifiable by the
types of malicious scanning activities they exhibit. We have chosen this approach for two reasons. First, as is evidenced herein, the
vast majority of cyber threats affecting the lives and business endeavours of UK citizens are identifiable, preventable threats. Thus the
potential exists to better improve UK cyber defence by improving how citizens are supported in preventing, detecting and responding
to cyber threats; achieving this requires an evidence base. Second, it is potentially useful to build a quantifiable evidence base of the
known threat space —that is to say detectable, identifiable and therefore potentially preventable cyber threats —to ascertain if this
information may also be useful when attempting to detect the emergence of more novel, dangerous cyber threats; for example the
kind more readily associated with APTs. Therefore, this research presents an analysis of malicious internet scanning activity collected
within the UK between 1st December 2020 and the 30th November 2021. The data was gathered via a custom automated system which
collected and processed data from Greynoise and Shodan APIs, cross referencing it with data from the Office of National Statistics
and proprietorial data on UK place names and geolocation. The research was carried out after ethical approval by the University of
Oxford’s Computer Science Departmental Research Ethics Committee
