September 11, 2020
As conventional wisdom goes, experts tend to rank the U.S. ahead of China, the U.K., Iran, North Korea, and Russia in terms of how strong it is in cyberspace. But a new study from Harvard University’s Belfer Center shows that China has closed the gap on the U.S. in three key categories: surveillance, cyber defense, and its efforts to build up its commercial cyber sector.
“A lot of people, Americans in particular, will think that the U.S., the U.K., France, Israel are more advanced than China when it comes to cyber power,” Eric Rosenbach, the Co-Director of Harvard’s Belfer Center, told CyberScoop. “Our study shows it’s just not the case and that China is very sophisticated and almost at a peer level with the U.S.”
Overall, China’s cyber power is second only to the U.S., according to the research, which was shared exclusively with CyberScoop. But the study also found that several countries that are not currently considered conventional cyber powers are rising on the world stage.
Measuring cyber power can often be a complex endeavor, as many details are tucked away in top secret government documents around the world or veiled diplomatic messages. The researchers involved in creating the framework, who hail from Google’s Threat Analysis Group and the U.K. government’s cyber policy team, set out to provide a metric that reveals a more realistic picture of the cybersecurity ecosystem.
“Too often both in academia and the policy world people would go with the conventional wisdom … in the U.S. government, everyone talks about the ‘big four,’ they say well, first you’ve got Russia and China, then you’ve got North Korea and Iran,” Rosenbach, the former Assistant Secretary of Defense responsible for cyber at the Department of Defense, told CyberScoop. “But that thinking is really simplistic and they don’t think about cyber power more holistically which can then result in bad policy decisions and poor strategic outcomes. We wanted to have a much more rigorous way to assess cyber power at a national level.”
The framework tracks 27 indicators meant to measure countries’ cyber capabilities and 32 indicators meant to measure countries’ intention to use their cyber powers as a result. To get a diverse picture of cyber power, the researchers divided their measurements into seven categories, including nations’ defenses, offensive cyber-operations, foreign intelligence collection, surveillance, and control of the information environment. The research team also measured countries’ capabilities and intentions related to defining international cyber norms and their efforts to grow their domestic cyber sectors.
“There’s more than the military that have an interest in cyber and cyber power,” Irfan Hemani, a co-author of the report who serves on the U.K. government’s cybersecurity policy team, told CyberScoop. “Actually to be a cyber power — it’s not just for destroying energy grids, if that’s even possible. It’s much more than that. It’s all these comprehensive qualities.”
According to the report, the U.S. is the most powerful cyber actor on the world stage. It topped out in five of the seven categories, including control of the information environment, shaping of international cyber norms, intelligence, and offensive and destructive cyber-operations. But the research suggests there are a number of countries that are becoming more capable cyber powers, including the United Arab Emirates, Vietnam, and Singapore, Rosenbach told CyberScoop.
“They’re all developing talent, expertise, capabilities,” Rosenbach said. “When you think about cyber strategy, you may want to engage them now.”
Malaysia, Sweden, and Switzerland also ranked in the top 10 in multiple categories, including intelligence, surveillance, information control, and commercial growth. Overall, the U.S., China, U.K., Russia, and the Netherlands are the most formidable cyber powers, the NCPI found. The top 10 is rounded out by France, Germany, Canada, Japan, and Australia. Rosenbach said he was “a little surprised” at the top 10 list.
“Most people in the military world would never point to the Japanese, the Germans or the Dutch as a top 10 cyber power,” Rosenbach told CyberScoop.
Previous cyber power indices from other research teams, the co-authors of the research say, don’t provide a full understanding of who’s up and who’s down on the world stage. The Economist Intelligence Unit and Booz Allen Hamilton’s “cyber power index,” for instance, doesn’t measure offensive capabilities, instead focusing on economic indicators. The Potomac Institute’s Cyber Readiness Index examines a country’s commitment to securing its infrastructure, the researchers say.
“I always found myself asking myself why we didn’t have a more sophisticated way to assess nation-state cyber capabilities and intents,” Rosenbach told CyberScoop, referring to his time at the Department of Defense. “Because we didn’t have a study like this, some of the policy formulations at the DOD, or White House were just overly simplistic. We couldn’t look at a variable … and decide [how] we could advance our overall interests.”
Chinese cyber prowess
In recent months, Chinese government hackers have been ramping up their cyber-operations against perceived government opposition, including protests in Hong Kong, Uighur Muslims, and Taiwan. And while those operations might capture headlines, there is a broader ecosystem of cyber power at work in China, the NCPI shows. China also ranked high on the list for its monitoring of domestic groups, information control, foreign intelligence collection, and defense, according to the research. According to a U.S. Department of Defense assessment on Chinese military power published last week, China’s People’s Liberation Army, which has historically had a disparate cyber-operation, has been working to enhance its capabilities. It has done so specifically through its Strategic Support Forces, a theater command-level organization created in recent years, which is working to centralize its cyber reconnaissance, cyberattack, and defense capabilities into one unit.
“Among the impetuses for the SSF’s establishment was the PLA’s apparent concern about the disparity between its cyber capabilities and those of the United States,” the DOD report states, adding that China’s focus on cyber power is driven by a goal to catch up to U.S. cyber-operations. “China believes its cyber capabilities and cyber personnel lag behind the United States, and it is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations.”