WASHINGTON: The US stands alone as the only tier-one cyber power in the world, but China will rise as a highly capable peer competitor over the next decade, a new International Institute for Strategic Studies (IISS) report concludes.
“Dominance in cyberspace has been a strategic goal of the United States since the mid-1990s,” the report notes. “It is the only country with a heavy global footprint in both civil and military uses of cyberspace, although it now perceives itself as seriously threatened by China and Russia in that domain. …The US retains a clear superiority over all other countries in terms of its [information and communications technology] empowerment, but this is not a monopoly position.”
“The US capability for offensive cyber operations is probably more developed than that of any other country, although its full potential remains largely undemonstrated,” the report adds.
The report, Cyber Capabilities and National Power: A Net Assessment, places seven countries in the second tier, two of which are US competitors: China and Russia. The other five are US allies, giving US forces an even greater boost. Three are Five Eyes members (Australia, Canada, and UK). Another, France, is a close NATO ally. The other is a close ally, Israel. (How good are these allies? CYBERCOM announced late Friday that a Canadian team won the command’s premier annual defensive exercise, called Cyber Flag 21-2.)
The report notes that China has evolved its cyber capabilities from “a position of relative electronics backwardness” three decades ago to “conduct[ing] large-scale cyber operations abroad, aiming to acquire intellectual property, achieve political influence, carry out state-on-state espionage and position capabilities for disruptive effect in case of future conflict.”
China has since “established the world’s most extensive cyber-enabled domestic surveillance and censorship system.” But its ambitions are broader. The country’s 2015 military strategy and 2016 cyber strategy announced its intentions to compete with the US and others in cyberspace. Its efforts to date are bolstered by a growing economy and burgeoning domestic tech market.
However, China’s “core cyber defenses remain weak compared with those of the United States, and cyber-resilience policies for its critical national infrastructure are only in the early stages of development.” Yet, the report adds, “China is a second-tier cyber power but, given its growing industrial base in digital technology, it is the state best placed to join the US in the first tier.”
As for Russia, it seeks “to redress key weaknesses in its cyber security through government regulation and the creation of a sovereign internet, and by encouraging the development of an indigenous digital industry. Given its economic circumstances, these ambitions may prove unrealistic.” (Russia’s economy was slightly larger in 2020 than Australia’s and smaller than South Korea’s.)
The report notes Russia’s past cyber campaigns reflect “increasing levels of technical sophistication,” but “Russia appears not to have given priority to developing the top-end surgical cyber capabilities needed for high-intensity warfare.”
“To join the US in the first tier,” the report concludes, “[Russia] would need to substantially improve its cyber security, increase its share of the global digital market and probably make further progress in developing the most sophisticated offensive military cyber tools.”
The IISS study, which began in February 2019, analyzes 15 countries and places them into three tiers, based on a review of cyber capabilities and national power, to include international competition, economic strength, and military affairs. The report’s methodology, which is qualitative, factors in capabilities across seven categories as follows:
- Strategy and doctrine;
- Governance, command, and control;
- Core cyber-intelligence capability;
- Cyber empowerment and dependence;
- Cyber security and resilience;
- Global leadership in cyberspace affairs; and
- Offensive cyber capability.
Other notable findings on the second-tier countries include:
- Australia — Characterized as still developing its cyber capabilities from a “low base,” which it could accelerate by investing in cyber education and a “viable sovereign cyber capability.”
- Canada — Characterized as having “relatively mature civil-sector cyber capability,” bolstered by a strong tech economy and whole-of-society approach, but there’s work to be done on offensive cyber.
- France — Characterized as having “robust strategies,” as well as “highly capable and innovative” cyber practices. Its desire for autonomy is viewed as both a strength and weakness.
- Israel — Characterized as having a “vibrant cyber ecosystem and a relatively high level of preparedness and resilience within the private sector,” with significant offensive capability.
- UK — Characterized as being a “highly capable cyber state,” but it is hampered by a shortage of cyber experts in the workforce and its smaller economy provides less to invest in cyber than, say, the US and Canada. Possesses demonstrated offensive capabilities, which the country continues to invest in and develop.
Notable in the third tier are India, a close US partner, as well as US adversaries Iran and North Korea. (India is not technically a US ally, but has a unique status as Major Defense Partner.)
“India has made only modest progress in developing its policy and doctrine for cyberspace security,” the report notes. “Its approach towards institutional reform of cyber governance has been slow and incremental…” India’s best opportunity to advance to the second tier is to “harness its great digital-industrial potential and adopting a whole-of-society approach to improving its cyber security.”
Since Stuxnet, Iran has viewed itself as being in a cyberwar with the US and its regional foes, but “economic depression, political turmoil and internal deficiencies” hinder its advancement. “It lacks the resources, talent and technical infrastructure needed to develop and deploy sophisticated offensive cyber capabilities, even though it has used lower-level offensive cyber techniques widely, with some success.” The repressive regime that rules the country often turns its capabilities against its own population to “quell domestic opposition.”
Of all the countries examined, North Korea is the most difficult to accurately analyze. “Little is known of its cyber-policy ecosystem,” the report notes, but the country is characterized as probably not having a formalized cyber strategy. As such, its operations are largely opportunistic. “Despite its penchant for conducting offensive cyber operations, the techniques used are relatively basic, as it lacks the capability for sustained or sophisticated operations.” Its domestic defenses are “among the lowest in the world,” but the country has largely closed off its domestic internet from the rest of the world. Economic fragility and geopolitical isolation will continue to hinder the country.
However, as Breaking D readers know, a former senior South Korean commander has characterized North Korea as a “cyber superpower.” Indeed, to make sure every one of the 1,400 people listening to him got his point, retired Lt. Gen. In-Bum Chun, said: “I repeat – North Korea is a cyber power.”
Other countries covered in the study include Indonesia, Japan, Malaysia, and Vietnam — all of which are categorized as third tier.
GA-ASI’s MQ-9B: The right UAV for persistence, power, and performance
When assessing the state of the art of unmanned aerial systems, it’s critical to be very clear about what various aircraft can and can’t do – and could never do.
Norway’s air defense priorities: Volume first, then long-range capabilities
“We need to increase spending in simple systems that we need a huge volume of that can, basically, counter very low-tech drones that could pose a threat,” Norway’s top officer told Breaking Defense, “so we don’t end up using the most sophisticated missile systems against something that is very cheap to buy.”
