Don’t Rely on Tiered Rankings to Measure Cyber Power
Recently, the International Institute for Strategic Studies (IISS) published a report that assessed nation state cyber capabilities and national power. The qualitative assessment covered and codified seven categories that contributed to building a nation state’s cyber program: strategy and doctrine; governance, command and control; core cyber intelligence capability; cyber empowerment and dependence; cyber security; global leadership in cyber affairs; and offensive cyber capability. The culmination of two years’ worth of research, the broader study was conducted in order to provide a more comprehensive view, ultimately ranking what IISS considered the top 15 countries into three tiers based on its findings. The result is a well-researched document that has relied mostly on publicly accessible information and intuitive analysis to make its determinations. It appears that input from experts, some of whom may have previous government experience, also helped inform the product. Though IISS states that the product was created for policymakers,
Most of the countries cited are unsurprising, though their rankings might be. The United States occupies the sole top spot, while other notables like China, France, Israel, Russia, as well as Five Eyes members Australia, Canada, and the United Kingdom occupy the second category. IISS placed adversaries such as Iran and North Korea in the third spot. Perhaps the most surprising countries included are Indonesia and Malaysia. While Vietnam is alleged to have at least one advanced persistent threat (APT) group suspected of being sponsored or directed by the Vietnamese government, there has been less attention on Indonesia and Malaysia, though the Southeast Asia region has long been a hotspot for hostile cyber activity. Iran’s inclusion in Tier 3 is equally surprising, given the activity attributed to it, and how it harnesses its indigenous resources to support its cyber program.
Nuance appears to have played a significant role in putting countries into their respective ranks, particularly framed within the context of the seven categories. For example, though Russia is highly capable, IISS pointed to its reliance on foreign Information and Communications Technology and a weaker digital economy as keeping it from a higher ranking. Similarly, China’s lingering security issues are what keep Beijing behind the United States by at least a decade. While nuance is an analytic necessity, it is often difficult to show a more defined correlation between issues. Just because a government has developed a national cyber security strategy doesn’t mean its cyber security posture improves or that it is automatically more resilient to cyber attacks. It merely indicates that it has positioned itself to perform better cyber security practices. It can still be targeted and victimized by the same levels of cyber malfeasance. Despite being the sole Tier 1 country listed with cyber security strategies and robust technology providers, the United States has still suffered some of the most noteworthy cyber attacks against its public and private sectors.
One criticism of the study is the lack of transparent assumptions that serve as the analytic foundations of this work. Citing assumptions upfront allows the analyst to recheck them throughout the process and ensure that any final assessment is not rooted in a false premise. Key assumptions are integral to conveying to readers those things that the analyst has accepted to be true and that form the basis of the assessment. When determining nation state cyber capabilities and national power, there is an assumption that the analyst has made a determination based on either publicly available or closed information channels. Attribution is essential in tying a state to a particular activity, and thus by extension, determining things like capability. Governments, media, and cyber security vendors have been quick to blame alleged offending governments for cyber malfeasance via news channels and legal indictments. If the authors underpinned their analysis with these types of information, it would have been helpful to make that known to readers upfront. It would provide some indication of what type of information was used and what pieces were relied on more heavily than others.
However, the rankings themselves raise questions as to their value regardless of the methodology used, as trying to assess cyber power quantitatively and qualitatively is purely a subjective exercise. Quantifying amorphous issue-areas like cyber dependence and empowerment, global influence in governance (no headway has been made by anyone), and the existence of a strategy and, more importantly, military doctrine (often not publicly available), is more art than science. The only real way right now to measure cyber power and, by extension, a nation state’s ability to project its own power as a result of its dominance in cyberspace, is by looking at the effects of state-attributed offensive cyber operations. Calculating the material, informational, and operational costs to systems and processes as a result of disruptive/destructive cyber attacks is the only way to codify the cyber capability a state wields. And even that has a caveat associated with it, as observed actions only provide insight into what is known and do not necessarily reflect the total capability a state has.
And what does cyber power really mean? If the country assessments are accurate, the United States’ obvious dominance would be a formidable weapon that all governments would fear. Nevertheless, the endless volume of state and nonstate cyber malfeasance against the United States’ public and private sectors tells a different story. The United States may be the big dog on the block, but that doesn’t mean that others are not willing to use cyber means to prod, exploit, and disrupt the U.S. when it fits their interests to do so. Cyberspace does not require head-to-head confrontation to achieve results, a stark contrast to more conventional military actions that require easily measurable kinetic superiority as a factor to determine operational success.
Experts and analysts often discuss whether nuclear weapons or their cyber counterparts are the biggest threat in the world today. The two disciplines are often linked together, particularly when discussing strategies like arms control and deterrence. However, aside from being a thought exercise, nuclear and cyber are ill-suited for comparison. After all, cyber weapons are not nuclear weapons. They do not require the same amount of financial, material, and personnel resources to build, sustain, and manage. Perhaps that’s the reason why cyber deterrence is so difficult to obtain: 1) because there hasn’t been a catastrophic event caused by a cyber attack that has resulted in substantial deaths or far-reaching, long-lasting disruptions that have severely impacted civilian operations (the 1945 atomic bombs are often used to measure the potency of nuclear weapons), and 2) because, whether a state is a power or not, cyber weapons are easily acquired through indigenous development or purchase.
And while the U.S. has all the resources available to create and deploy sophisticated cyber weaponry, less capable and resource-challenged nation states can still compete with the big boys. There is an increasing amount of literature capturing small nation state interest in acquiring offensive cyber capabilities for a variety of reasons, including domestic surveillance, deterrence, or the ability to project their own sense of power. Several companies like the now defunct Hacking Team provide states with offensive tools to support a state’s ability to conduct these very activities. One company estimates the global cyber warfare market to make approximately USD 123 billion by 2026, a testament to the appetite of governments to have “cyber power.”
What’s more, for all the sophistication demonstrated in a Stuxnet or Duqu-style attack, ransomware has not only caused substantial damage, but has been called a “national security” threat. Not bad for an attack first used by cyber criminals. Ransomware’s recent successful deployments against oil and food supplies show that sophisticated weaponry is not required to make a significant impact. Nation states have allegedly used this type of attack to purposefully inflict damage on another state as a form of statecraft to coerce and punish. Furthermore, such services do not have to be independently developed (although they can be) but can easily be purchased. And instantaneously, a state has the capability to attack a target of its choosing.
Although the report is ostensibly for policymakers, it provides a useful resource for professionals by essentially providing a reference that can be used to complement government documents and unclassified testimonies by officials on the cyber activities of nation states. Most of the governments cited are those that have dominated news cycles for the better part of the past decade, and are the ones frequently tied to alleged state-driven offensive cyber operations. IISS provides useful context as to a nation state’s planning, and its findings feed into analysis of how the states cited incorporate cyber into their military and civilian statecraft. Such developments should be monitored and tracked like any other state-run weapons development program.
But perhaps greater emphasis should be placed on the fact that cyber capability allows any state, group, or individual to power project, regardless of their size, or financial/material constraints. The tiered powers are not the only ones to which attention needs to be paid, because the capability to power project in the cyber domain already exists and is proliferating thanks to the current state of cyber defense measures and practices that are constantly exploited by attackers. Any nation state can flex its cyber muscles behind clandestine acts and achieve significant results, even against the tiered members in this report. The Biblical story of David versus Goliath is a consistent reminder that having great power to inflict pain without having a suitable shield to deflect it narrows the gap between ill-matched combatants. Cyberspace further contributes to making seemingly unbalanced confrontation more manageable. Because in the end, isn’t that what cyber power really is – a well-placed shot executed at the right time in the right environment? I think even the diminutive David would attest to that.