A string of costly ransomware attacks on high-profile targets — including the SolarWinds, Microsoft Exchange Server and Colonial Pipeline hacks — has left some Americans wondering if perhaps our foreign adversaries have surpassed us in terms of cybercapacity.
The International Institute for Strategic Studies just completed a two-year assessment of the cybercapabilities of 15 nations, which it published on Monday.
The bottom line is that, according to IISS, China has been exaggerating its true power and is at least a decade behind the United States.
IISS concluded that China’s cybercapabilities are on par with those of France and Russia — which, if true, would come as a tremendous relief.
The IISS has undertaken a major two-year study of the cyber power for 15 global nations, using a new qualitative methodology to understand how best to rank state cyber capacity.
— IISS News (@IISS_org) June 28, 2021
IISS placed the 15 countries into three tiers.
The U.S. was the only nation to rank in the top tier. This means that in every category measured by the researchers, the U.S. had “world-leading strength.”
The second tier included Australia, Canada, China, France, Israel, Russia and the United Kingdom. These countries were determined by IISS to have “world-leading strengths in some of the categories.”
The third tier consisted of India, Indonesia, Iran, Japan, Malaysia, North Korea and Vietnam. These countries have “strengths or potential strengths in some of the categories but significant weaknesses in others,” according to the study.
IISS assessed each nation’s strength in the following areas:
- Strategy and doctrine.
- Governance, command and control.
- Core cyberintelligence capability.
- Cyberempowerment and dependence.
- Cybersecurity and resilience.
- Global leadership in cyberspace affairs.
- Offensive cybercapability.
Within the second tier, IISS concluded that “if a combination of world-class cyber security, world-class cyber intelligence, sophisticated offensive cyber capability and powerful cyber alliances were deemed key, Israel and the UK would probably be top.”
However, it said, “if the decisive factors were the amount of resources — both human and financial — devoted to cyber, unrestrained operational boldness and day-to-day experience of running cyber-enabled information operations, China and Russia would probably be the leading second-tier states.”
Although both countries vehemently deny their involvement in these operations, U.S. cyberexperts are confident about their complicity.
The report said that since the early 2000s, China has conducted “industrial-scale espionage operations designed to acquire both commercial intellectual property and personal data” and has “actively used disruptive cyber operations, while being careful to pitch them below the threshold that might trigger an escalatory response.”
It pointed out that China was a bit late to the cyberparty. It has been focused on closing the gap ever since, and by 2030, it likely will do so. China has benefitted from a growing economy and “technology transfer from abroad,” the report said.
CIA subcontractor Edward Snowden’s leaks of highly classified information from the National Security Agency in 2013 served as a major catalyst for the Chinese.
“The leaders of the Chinese Communist Party (CCP) were shocked by the revelations … The leaks made clear the continuing gulf between the US and China on cyber capability, and particularly the weakness of China’s cyber defenses (in terms of protecting networks rather than controlling content),” the IISS report said.
Compared with the United States and its allies, China has weak cyberdefenses, according to the report.
Nikkei Asia spoke to Robert Hannigan, a former director of the U.K. intelligence agency GCHQ, who said this was less of a problem for China or Russia than it would be for the United States.
“While it is true that cybersecurity is less well developed in Russia and China, they need it less urgently than open western economies,” he said. “The threat is not symmetrical: western economies are under siege from cybercriminal groups based in and tolerated or licensed by Russia — the same is not true in reverse.”
Russia and China know that the U.S. and U.K. would not “target civilian critical infrastructure,” whereas the Russians wouldn’t think twice, Hannigan told the outlet.
“That, in turn, demands higher levels of cybersecurity in the west,” he said.
The IISS report highlights the “manufacture of the core internet technologies it [China] relies on” as another area where China continues to lag.
When then-President Donald Trump led an effort last year to prevent global chip manufacturers from supplying critical parts to Chinese tech giant Huawei, the Chinese paid attention.
The report concluded that China, and “only China, is currently on a trajectory to join the US in the first tier.” And that China will close the gap in the next 10 years.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.