A new report from the International Institute for Strategic Studies (IISS) shows that cybersecurity and cyber policies have moved to the forefront of the international landscape. And, despite a somewhat shaky 12 months, the United States remains the most “cyber-capable” nation, according to the think tank.
The U.S. was ranked as having the greatest cyber capabilities in over seven categories and is expected to remain atop the leaderboard for at least the next ten years because of the “likely durability of US digital-industrial superiority,” said the IISS report.
Meanwhile, China is the only country that the report deemed to be on the path to joining the first tier. The think tank believes that the future balance of cyber power will likely result from the U.S. restricting China’s access to Western technologies and China’s response. This power dynamic started in the early 2000s when the U.S. and several of its allies started to restrict China. IISS noted that this “partial decoupling” of the West and China points to potential obstacles in China’s path towards cyber power. Sanctions on China were made in response to China’s “malicious behavior” in cyberspace, which could explain why the country is only in the beginning development stages for cyber defenses and cyber-resilience policies for infrastructure.
Artificial intelligence (AI) is another area that China is lacking in when compared to the U.S., the report said. The U.S. developed 66% of global AI open-source software, whereas China comes in at only 13%.
So far, China has remained intent on becoming a cyber powerhouse internationally. The country highlights this by producing cybersecurity strategy goals each year since 2016, and by setting itself up to be a world leader in its indigenous manufacture of core internet technology by 2030.
It is not that the U.S. holds a monopoly over the leaderboard, in fact at least six other countries are leaders in certain aspects of the ICT sector. The major difference between those countries and China, is that the other countries are close U.S. allies.
Among the 15 countries assessed in the report, there are four members of the Five Eyes intelligence alliance (U.S., U.K., Canada and Australia), three cyber-capable allies (France, Israel and Japan), four countries thought to be cyber threats (China, Russia, Iran and North Korea) and four states that are in cyber-power development stages (India, Indonesia, Malaysia and Vietnam).
Within the report, the 15 countries are assessed in the following capability categories: strategy and doctrine, core cyber-intelligence capability, cyber empowerment and dependence, cybersecurity and resilience, global leadership in cyberspace affairs, offensive cyber capability and governance, command and control.
The report noted that national circumstances of each state will of course evolve, and cyber strategies and investments will face challenges from many sources, including the COVID-19 pandemic. “Nevertheless, for each state, most policies and trends in capability are likely to endure.”
The countries were split into three tiers of cyber power, and only the U.S. was in the first tier. The second tier included Australia, Canada, China, France, Israel, Russia and U.K. The third or last tier included India, Indonesia, Iran, Japan, Malaysia, North Korea and Vietnam.
One issue that every country faced in its assessment was its ability to shape policy frameworks for cyberspace. Many countries created policies in order to exploit new opportunities or defend against new threats, according to the report. The traditional structures of government can often provide obstacles for creating durable policies that can adapt to the ever-changing landscape.
These challenges of finding national strategy for cyberspace affect national security. When it comes to the U.S. and China, there is competition for control over technologies like microchip production, computer assembly, cloud architectures, etc. These technologies will likely control the future of cybersecurity, and therefore this battle holds significant power in the cyberspace power dynamics.
Another finding of note is the importance of cyber resiliency. The report noted that in the 2020 Fortune ‘Global 500’ rankings, 43 of the 51 telecommunications or technology companies that were on the list were “dominated” by the U.S. and its allies.
Amid the 16 American companies on the list, Apple, Cisco, Google, IBM, Intel, Microsoft, Oracle and Qualcomm are described by China as the “eight guardian warriors.” Many countries rely on an international approach to collect intelligence and build offensive and defensive capabilities. China has started to involve U.S. companies, such as IBM, in its internal cyber-security governance and national technical standards, however, as the cyber power battle develops, the fate of such oversight is unknown.
The future of cyberspace is unlimited, especially regarding warfare. The U.S. and China predict that future battles will include artificial intelligence and space platforms.
“No state has yet made a transition in its current armed forces to well-integrated and broadly dispersed cyber capabilities, either for defensive or offensive purposes,” according to the report, which adds, “the U.S. has probably gone furthest.”
Even for leading countries, there is more to be done. The report highlights a few recommendations for countries to take in order to build their cyber capabilities. While the U.S. and its allies have the “most technically sophisticated tools, capable of delivering controlled, surgical effect against critical networks, including as part of high-intensity warfare,” they don’t use them effectively, and Russia and China have had greater success in these areas, according to IISS. The underlying issue among states is when is it appropriate to use these tools. The report states that for an understanding of responsible or irresponsible use of cyber tools, there must be open, effective conversations across the board.
In order for China to pass or join the U.S. in the top tier, China would have to create a cyber-industrial complex comparable to the U.S., and it would have to improve educational outcomes in cyber-related fields. This would involve China fostering a better relationship with universities and their research teams. Another point of contention is whether China would show its cyber power internationally in alliance with other cyber-capable states.
The report will no doubt bolster the U.S. cybersecurity community in the wake of recent attacks, but heed must also be paid to the think tank’s words about effective use of capabilities if the United States is to increase its defense of critical infrastructure against ever more powerful adversaries. In cyberspace as in physical warfare, possessing the best arsenal is only half of the mission.