Cyber Capabilities and National Power
Cyber Capabilities and National Power
Cyber Capabilities and National Power
NATIONAL POWER:
A Net Assessment
This report sets out a new methodology for assessing cyber power, and then applies
it to 15 states:
Three cyber-capable allies of the Five Eyes states – France, Israel and Japan
Four countries viewed by the Five Eyes and their allies as cyber threats – China,
Russia, Iran and North Korea
Preface i
The Cyber-Power Project: Context and Methodology 1
Country Studies
1. United States 15
2. United Kingdom 29
3. Canada 39
4. Australia 47
5. France 57
6. Israel 69
7. Japan 79
8. China 89
9. Russia 103
10. Iran 115
11. North Korea 125
12. India 133
13. Indonesia 143
14. Malaysia 153
15. Vietnam 161
Net Assessment 171
In February 2019 the International Institute for Strategic actions in cyberspace.5 In March 2020, Trump declared a
Studies (IISS) announced in a Survival article its intention to national emergency in cyberspace,6 the fourth time in five
develop a methodology for assessing the cyber capabilities years that a US president had done so. In April 2021, China
of states and how they contribute to national power.1 Here, referred to the US as the ‘champion’ of cyber attacks.7 A
we set out that methodology, use it to assess 15 countries, month later, the G7 foreign ministers’ meeting called on
and draw out the overarching themes and conclusions. both Russia and China to bring their cyber activities into
This report is intended to assist national decision- line with international norms.8 Overall, this report pro-
making, for example by indicating the cyber capabilities vides substantial further evidence that, for many countries,
that make the greatest difference to national power. Such cyber policies and capabilities have moved to centre stage
information can help governments and major corpora- in international security.
tions when calculating strategic risk and deciding on The countries covered in this report are the US, the
strategic investment. United Kingdom, Canada and Australia (four of the Five
While other organisations have developed index-based Eyes intelligence allies); France and Israel (the two most
methodologies,2 with most focusing principally on cyber cyber-capable partners of the Five Eyes states); Japan (also
security, our methodology is broader: it is principally qual- an ally of the Five Eyes states, but less capable in the secu-
itative and analyses the wider cyber ecosystem for each rity dimensions of cyberspace, despite its formidable eco-
country, including how it intersects with international nomic power); China, Russia, Iran and North Korea (the
security, economic competition and military affairs. principal states posing a cyber threat to Western interests);
The 15 studies represent a snapshot in time: the national and India, Indonesia, Malaysia and Vietnam (four coun-
circumstances of each state will of course evolve, and cyber tries at earlier stages in their cyber-power development).
strategies and investments will face challenges from many We assess each country’s capabilities in seven
sources, including the COVID-19 pandemic. Nevertheless, categories:
for each state, most policies and trends in capability are
likely to endure. • Strategy and doctrine
The studies have been conducted against the back- • Governance, command and control
ground of intensifying international confrontation in • Core cyber-intelligence capability
cyberspace. Several reference points can be cited by way of • Cyber empowerment and dependence
illustration. In 2015, China’s new military strategy declared • Cyber security and resilience
that ‘outer space and cyber space have become new com- • Global leadership in cyberspace affairs
manding heights of strategic competition’ between states.3 • Offensive cyber capability
In 2016, the Unites States accused the Russian government,
and President Vladimir Putin personally, of ordering a sus- Key assessments are summarised in a single para-
tained information attack on the US presidential election.4 graph at the start of each chapter.
In May 2019, then-president Donald Trump foreshadowed The IISS intends to continue its research into cyber
a technology war with China if it continued its malign power and to lead expert dialogue on the subject, guided
Notes
1 See Marcus Willett, ‘Assessing Cyber Power’, Survival: Global Chain’, 15 May 2019, https://trumpwhitehouse.archives.gov/
Politics and Strategy, vol. 61, no. 1, February–March 2019, pp. 85–90. presidential-actions/executive-order-securing-information-
2 Examples include the International Telecommunication communications-technology-services-supply-chain.
Union’s Global Cybersecurity Index, the Potomac Institute’s 6 White House, ‘Text of a Letter from the President to the
Cyber Readiness Index 2.0 and the Harvard Kennedy School’s Speaker of the House of Representatives and the President of
National Cyber Power Index 2020. the Senate’, 30 March 2020, https://trumpwhitehouse.archives.
2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf. 8 ‘G7 Foreign and Development Ministers’ Meeting, May 2021:
5 White House, ‘Executive Order on Securing the Information Communiqué’, London, 5 May 2021, http://www.g7.utoronto.ca/
Over the last 20 years, cyber capabilities have become a These media reports only tell a small part of the story.
formidable new instrument of national power. As well as State cyber operations to reconnoitre and gain a pres-
using such capabilities to obtain state secrets from each ence on relevant networks are occurring every second
other, as in traditional espionage, states have also used and are now a permanent feature of cyberspace. The
them for a range of other, more threatening purposes. risk of miscalculation is high. Reconnaissance or prepo-
These include bolstering their own economic develop- sitioning could be misinterpreted by the defender as an
ment by stealing intellectual property; threatening to actual attack, and therefore provoke retaliation. Inserted
disrupt the financial institutions, oil industries, nuclear code could malfunction, causing an accident. Escalation
plants, power grids and communications infrastructure of could easily spiral out of control as a result, which is
states they regard as adversaries; attempting to interfere perhaps the gravest risk entailed in state-on-state cyber
in democratic processes; degrading and disrupting mili- operations. Other risks include the acquisition of state
tary capabilities in wartime; and, in one case, constraining capabilities by criminals or terrorists, and the ease with
the ability of another state to develop nuclear weapons. which states can find highly effective offensive tools on
The state-on-state cyber operations revealed in the the open market (the so-called ‘low point of entry’).
media include those by the United States and Iran against In short, cyberspace has become, perhaps inevi-
each other; Israel and Iran against each other; Russia tably, a key and risky new environment for statecraft
against Estonia, Georgia and Ukraine; and Chinese and competition between states in the twenty-first
attempts to steal intellectual property on an industrial century. It has also become a major, and arguably the
scale. Russian operations against the democratic process major, domain for organised crime. There are no reli-
in the US and United Kingdom have received consid- able estimates of the costs of cyber crime at a national
erable attention, as have the US retaliatory operations level.1 It is possible to document lower-end estimates of
against the St Petersburg-based group deemed to be certain types of cyber crime, such as credit-card fraud,2
partly responsible. A Russian cyber operation against but such sub-categories cannot capture the full range
the US in late 2020, the ‘SolarWinds hack’, has also been of economic costs from the many types of cyber crime
prominent. There have been operations by Iran against that extend beyond direct losses, for example by caus-
Saudi Arabia, by North Korea against Sony Pictures ing reputational damage or degradation of share value.
and the global banking system, and by the US, the UK Since 2017 there has been a surge in reported losses from
and Australia against the Islamic State (also known as ransomware (malware that prevents access to critical
ISIS or ISIL). Some operations have been conducted in data until the required ransom amount is paid), which
an unrestrained manner, resulting in many unintended have totalled tens of billions of dollars. The damage
victims. For example, the NotPetya malware that the done by the various types of cyber crime has inevitably
Russians used against Ukraine severely damaged the led to a new world of litigation, regulatory fines and
Maersk shipping line, and the WannaCry malware the insurance claims. In addition, terrorist groups such as
North Koreans used against the global banking system ISIS and al-Qaeda aspire to become more cyber-capable,
affected the UK’s National Health Service. while political-activist groups of all stripes now view
Notes
1 For a discussion of the challenges, see Eileen Decker, ‘Full Count? workshop ‘Economics of Information Security’, Boston,
Crime Rate Swings, Cybercrime Misses and Why We Don’t Really US, 3–4 June 2019, pp. 5–8, http://orca.cf.ac.uk/122684/1/
Know the Score’, Journal of National Security Law & Policy, vol. 10, Levi_Measuring%20the%20Changing%20Cost%20of%20
2 See, for example, Ross Anderson et al., ‘Measuring the at protecting US citizens’ privacy and US companies’ most
changing cost of cybercrime’, paper presented to the 2019 sensitive information ‘from aggressive intrusions by malign
Department of State, ‘Announcing the Expansion of the Clean the same region of the world, choosing South and Southeast Asia.
Network to Safeguard America’s Assets’, 5 August 2020, https:// 6 For the tech companies in the 2020 Fortune Global 500 ranking, see
china.usembassy-china.org.cn/announcing-the-expansion-of- https://fortune.com/global500/2020/search/?sector=Technology.
nationality to it is not easy. There are discrete sub-fields (up to 7 Agreement was reached in 2015 within a Group of Governmental
ten, depending on one’s perspective) and more than 20 sectors Experts appointed by the UN General Assembly on possible
of economic and social activity to which those sub-fields can voluntary norms governing international behaviour of states
be applied. The US leads the world by a wide margin in AI in cyberspace. The relevant UN document is Secretary-General,
applications for the health sector, and China may well rank quite ‘Group of Governmental Experts on Developments in the Field
highly in AI applications for energy efficiency. Moreover, as the of Information and Telecommunications in the Context of
Organisation for Economic Co-operation and Development International Security’, A/70/174, 22 July 2015, https://undocs.
(OECD) has noted, every country has its own distinct priorities org/A/70/174.
and enablers when it comes to exploiting AI for economic 8 See the lists of the leading tech and telecoms companies
gain – see OECD, Artificial Intelligence in Society (Paris: OECD among the 2020 Fortune Global 500: https://fortune.com/
Dominance in cyberspace has been a strategic goal positions in certain aspects of the ICT sector,
of the United States since the mid-1990s. It is the though all but one (China) are close US allies or
only country with a heavy global footprint in both strategic partners. The US has moved more effec-
civil and military uses of cyberspace, although it tively than any other country to defend its critical
now perceives itself as seriously threatened by national infrastructure in cyberspace but recog-
China and Russia in that domain. In response, it is nises that the task is extremely difficult and that
taking a robust and urgent approach to extending major weaknesses remain. This is one reason why
its capabilities for cyber operations, both for sys- the country has for more than two decades taken a
tems security at home and for its ambitions abroad leading role in mobilising the global community to
in the diplomatic, political, economic and military develop common security principles in cyberspace.
spheres. The US retains a clear superiority over all The US capability for offensive cyber operations is
other countries in terms of its ICT empowerment, probably more developed than that of any other
but this is not a monopoly position. At least six country, although its full potential remains largely
European or Asian countries command leadership undemonstrated.
List of acronyms
CDI Cyber Deterrence Initiative ISAC Information Sharing and Analysis Center
CISA Cybersecurity and Infrastructure Security Agency ITU International Telecommunication Union
DHS Department of Homeland Security NSA National Security Agency
DNI Director of National Intelligence NSC National Security Council
DoD Department of Defense ODNI Office of the Director of National Intelligence
ICT information and communications technology
France 22
cyber civil defence.46
Since 2011, policy has been influenced by a deepen-
Israel 16
ing sense of urgency around homeland cyber defence
Australia 13
due to espionage and attempted sabotage (with the
Notes
1 White House, ‘National Security Strategy of the United States 5 The term ‘critical information infrastructure’, in common use
of America’, December 2017, https://trumpwhitehouse.archives. both in the US and internationally, refers to all the information
2 White House, ‘National Cyber Strategy of the United States of 6 United States Cyber Command, ‘Beyond the Build: Delivering
America’, September 2018, https://trumpwhitehouse.archives. Outcomes through Cyberspace – The Commander’s Vision and
Defense Cyber Strategy 2018’, https://media.defense.gov/2018/ 7 There were significant new elements in the 2015 policy
FINAL.PDF. the Build’ that the cyber defences in the Department of Defense
4 White House, ‘Executive Order on Taking Additional Steps to were inadequate to deal with the threats it was facing and
Address the National Emergency with Respect to Significant that military units needed to be able to operate with degraded
Malicious Cyber-Enabled Activities’, 19 January 2021, https:// systems and a lack of cyber situational awareness (including
cyberspace during day-to-day competition to preserve U.S. 17 Director of National Intelligence, ‘Industry Snapshot: Summary
military advantages and to defend U.S. interests. Our focus will of Partner Responses to the FY 2015–2019 IC S&T Investment
be on the States that can pose strategic threats to U.S. prosperity Landscape’, 2015, p. 5, http://www.dni.gov/files/documents/
and security, particularly China and Russia. We will conduct atf/In-STeP%20-%20Industry%20Snapshot.pdf. This document
cyberspace operations to collect intelligence and prepare military provides valuable insight into the ‘industrial’ foundations of
cyber capabilities to be used in the event of crisis or conflict.’ the US intelligence community.
10 White House, ‘National Cyber Strategy of the United States of 18 National Academies of Sciences, Engineering, and Medicine,
America’, September 2018, p. 21. ‘A Decadal Survey of the Social and Behavioral Sciences: A
11 White House, ‘Memorandum on Renewing the National Security Research Agenda for Advancing Intelligence Analysis’, 2019,
briefing-room/statements-releases/2021/02/04/memorandum- social-and-behavioral-sciences-a.
renewing-the-national-security-council-system. The Principals 19 For example, on the high dollar value of foreign inputs
Committee is the ‘senior interagency forum for consideration of into the US digital sector, the Organisation for Economic
policy issues affecting national security. … Its regular members Co-operation and Development (OECD) stated that ‘while
will be the Secretary of State, the Secretary of the Treasury, the United States has the lowest share of foreign value added
the Secretary of Defense, the Attorney General, the Secretary in domestic demand of OECD countries (12%), the sheer size
of Energy, the Secretary of Homeland Security, the Director of its economy means that in [dollar] terms it is by far the
of the Office of Management and Budget, the Representative biggest consumer of foreign value added: 2.2 USD trillion,
of the United States of America to the United Nations, the of which, 1.2 USD trillion (55%) comes from more digital-
Administrator of the United States Agency for International intensive industries’. See OECD, ‘Measuring the Digital
Development, and the Chief of Staff to the President. The Director Transformation’, March 2019, p. 228, https://www.oecd-
and the National Security Advisor to the Vice President shall be 20 Jessica R. Nielsen, ‘New Digital Economy Estimates’, Bureau of
invited to attend every meeting of the PC.’ Economic Analysis, August 2020, https://www.bea.gov/system/
for new White House cybersecurity role’, Politico, 6 21 For a description of how the US measures the ICT sector, see
13 See CISA, ‘National Infrastructure Advisory Council’, https:// We Measure the Digital Economy?’, Harvard Business
14 For further information, see the website of the ISACs National how-should-we-measure-the-digital-economy.
Council: https://www.nationalisacs.org. 23 See US Federal Reserve, ‘Fedwire Funds Service Monthly Statistics’,
Agency, https://www.us-cert.gov/resources/assessments; and 24 See Dan Schiller, Digital Capitalism: Networking the Global Market
United States Department of Homeland Security, ‘Cyber System (Cambridge, MA: MIT Press, 2000).
Resilience Review’, Factsheet, https://www.cisa.gov/sites/default/ 25 See, for example, G20, ‘G20 Digital Economy Development
range of economic activities that includes using digitised 33 United Nations Conference on Trade and Development,
information and knowledge as the key factor of production, ‘Digital Economy Report 2019’, Geneva, p. 2, https://unctad.
space’. The challenges of measuring and comparing different 34 Congressional Research Service, ‘Global Research and
countries’ digital economies have also been addressed in several Development Expenditures: Fact Sheet’, updated 29 April 2020,
OECD studies, such as the 2019 report ‘Measuring the Digital p. 2, fig. 2, https://fas.org/sgp/crs/misc/R44283.pdf.
Transformation: A Roadmap for the Future’, 11 March 2019, 35 Xiaomin Mou, ‘Artificial Intelligence: Investment Trends and
DC8358091A60B496B5A6F525ECD799E6. documents1.worldbank.org/curated/ar/617511573040599056/
Working Paper, no. WP/19/16, 17 January 2019, p. 4, 36 Stefano Baruffaldi et al., ‘Identifying and measuring
27 OECD, ‘Measuring the Digital Transformation’, pp. 15, 30, Papers, no. 2020/05, p. 54, https://doi.org/10.1787/5f65ff7e-en.
The 25 technologies were: Control arrangements, Organic 37 MIT News, ‘MIT reshapes itself to shape the future’, 15 October
access, Traffic control for aircraft, Multiple transmissions, 38 White House, ‘Artificial Intelligence for the American People’,
Film devices, Interactive television, VOD Network and 39 White House, ‘American Artificial Intelligence Initiative: Year
access restrictions, Speech or voice analysis, Connection One Annual Report’, 2020, p. 5, https://www.whitehouse.gov/
communication services, Image analysis, Mathematical 40 Doug Brake, ‘Submarine Cables: Critical Infrastructure
models algorithms, Transmission arrangements, Near-field for Global Communications’, Information Technology &
transmission systems, Payment protocols, and Security and Innovation Foundation, April 2019, http://www2.itif.org/2019-
authentication. submarine-cables.pdf.
28 See OECD, ‘Measuring the Digital Transformation’, p. 30. 41 See International Cable Protection Committee, ‘Member List’,
startupranking.com/countries. It defines a start-up as ‘an 42 According to a US diplomatic cable, the National Infrastructure
organisation with high innovation competence and strong Protection Plan ‘requires compilation and annual update of
technological base, which has the faculty of an accelerated a comprehensive inventory of CI/KR [critical infrastructure/
growth and maintains independence through time’. The IISS key resources] that are located outside U.S. borders and
has not independently verified this ranking. whose loss could critically impact the public health, economic
30 Times Higher Education World University Rankings, 2021, https:// security, and/or national and homeland security of the United
31 Data for the US comes from the OECD, and for China from affect systems within the U.S. directly or indirectly.’ See Geoff
it/en/architecture/2011/06/20/open-source-design-02-wikileaks- technology-services-supply-chain.
43 Union of Concerned Scientists, ‘UCS Satellite Database’, Cybersecurity Principles for Space Systems’, 4 September 2020,
satellite-database. memorandum-space-policy-directive-5-cybersecurity-
Semiconductor Industry’, 2020, p. 8, https://www.semiconductors. 53 Under the US Export Authorization Act, the Entity List is a
Report-FINAL-1.pdf. Note that not all the columns add up to businesses, research institutions, government and private
100%, because other countries not named in the chart are also organizations, individuals, and other types of legal persons – that
involved in the sector. are subject to specific license requirements for the export, reexport
45 For a brief insight into this issue, see Saif M. Khan, ‘US and/or transfer (in-country) of specified items’. See Bureau of
Semiconductor Exports to China: Current Policies and Trends’, Industry and Security, ‘Entity List’, https://www.bis.doc.gov/
46 Greg Austin, ‘US Policy: From Cyber Incidents to National to the Entity List’, 15 May 2019, https://www.commerce.
47 For a summary, see Department of Homeland Security, 55 United States Cyberspace Solarium Commission, ‘Final
‘Support to Critical Infrastructure at Greatest Risk (“Section Report’, March 2020, https://drive.google.com/file/d/1ryMCIL_
publication/support-critical-infrastructure-greatest-risk- 56 Chris Cillizza, ‘The end of the Trump White House is *exactly*
Nation’s Cybersecurity Workforce: Building the Foundation for 57 International Telecommunication Union, ‘Global Cybersecurity
a More Secure American Future’, 10 May 2018, https://csrc.nist. Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/
gov/publications/detail/white-paper/2018/05/30/supporting- D-STR-GCI.01-2018-PDF-E.pdf.
operations” to deter foreign adversaries’, Washington Post, of Governmental Experts (GGE) has convened for two-year
bd0b-11e8-b7d2-0773aa1e33da_story.html. International Security’ until 2018, when it was renamed the GGE
50 Joint Chiefs of Staff, ‘Homeland Defense’, Joint Publication on ‘Advancing Responsible State Behaviour in Cyberspace in the
51 White House, ‘Executive Order on Securing the Information Disarmament Affairs, ‘Developments in the field of information
and Communications Technology and Services Supply Chain’, and telecommunications in the context of international security’,
Experts on Developments in the Field of Information and (ANSI, 104 Secretariats), the United Kingdom (BSI, 77 Secretariats),
Telecommunications in the Context of International Security’, France (AFNOR, 77 Secretariats), and Japan (JISC, 74 Secretariats).
A/70/174, 22 July 2015, https://www.un.org/ga/search/view_ In IEC, Germany holds the most secretariat positions (36),
doc.asp?symbol=A/70/174. followed by the US (26), Japan (24), France (22), United Kingdom
61 ISACA – formerly the Information Systems Audit and Control (20), and Italy (13). China leads as many TCs and SCs in IEC as the
Association, but now known only by its acronym – is dedicated Republic of Korea (both holding 10 secretariats).’
to system security: see http://www.isaca.org. It has 75 chapters 63 See Greg Austin and Pavel Sharikov, ‘Preemption Is Victory:
in the US but only one in China (and that is in Hong Kong). Aggravated Nuclear Instability of the Information Age’, Non-
As for the IEEE, it is the largest professional organisation in proliferation Review, vol. 23, nos. 5–6, pp. 691–704.
the world, and influential in international cyberspace policy. 64 See David E. Sanger and William J. Broad, ‘Trump Inherits a
In 2020, almost half of its 419,000 members were in the US. See Secret Cyberwar against North Korean Missiles’, New York Times,
European perspective’, Heinrich Böll Foundation, Berlin, 2020, p. 65 Ellen Nakashima, ‘Trump approved cyber-strikes against
22, https://eu.boell.org/sites/default/files/2020-03/HBS-Techn%20 Iranian computer database used to plan attacks on oil tankers’,
Stand-A4%20web-030320.pdf. The data on chairs of standards Washington Post, 23 June 2019, https://www.washingtonpost.
The United Kingdom is a highly capable cyber state, UK’s key weaknesses, in common with most other
with clear strategic oversight at the political level. It states, are shortfalls in its skilled cyber workforce
has world-class strengths in its cyber-security ecosys- and that it cannot afford to invest in cyber capabili-
tem, centred on the National Cyber Security Centre, ties on the same scale as the United States or China.
and in its related cyber-intelligence capability centred These are offset in part by the breadth and depth of
on the Government Communications Headquarters. the UK’s proven international alliances, particularly
There is a strengthening partnership between gov- with the US. Another area of potential comparative
ernment and industry, and an attempt to develop weakness is that the UK lacks the indigenous indus-
a whole-of-society approach to improve national trial base required to build and export the equipment
cyber-security capability. There is significant invest- that might ultimately dictate the future of global
ment in cyber research and development and inno- cyberspace, meaning it can only seek to manage the
vation, with the government looking to the strengths attendant risks. The country uses its international
of the private sector and academia. To increase its influence to shape the future of cyberspace and is a
reservoir of cyber skills, the UK appears to be pursu- strong advocate for the application of existing inter-
ing widespread and innovative collaboration across national law to the use of cyber capabilities. The UK
all sectors. Its economy, society and armed forces has developed, and used, offensive cyber capabilities
all greatly benefit from digital connectivity but are since at least the early 2000s, and is investing further
potentially more vulnerable as a result. Perhaps the in their expansion.
List of acronyms
DCMS Department for Digital, Culture, Media & Sport NCF National Cyber Force
GCHQ Government Communications Headquarters NCSC National Cyber Security Centre
ICT information and communications technology NCSP National Cyber Security Programme
JFCyG Joint Forces Cyber Group NCSS National Cyber Security Strategy
MoD Ministry of Defence NOCP National Offensive Cyber Programme
NAO National Audit Office
Notes
1 HM Government, ‘National Cyber Security Strategy 2016–2021’, 5 Dominic Nicholls, ‘Britain is “at war every day” due to
2016, https://assets.publishing.service.gov.uk/government/ constant cyber attacks, Chief of the Defence Staff says’,
cyber_security_strategy_2016.pdf. news/2019/09/29/britain-war-every-day-due-constant-cyber-
2 Ibid., p. 9. attacks-chief-defence.
3 ‘The National Security Secretariat, a division of the Cabinet 6 A public source giving some insight into doctrine is UK Ministry
Office (the Department), manages the Programme on the of Defence, ‘Joint Doctrine Note 1/18, Cyber and electromagnetic
National Security Adviser’s behalf.’ See National Audit Office, activities’, 21 February 2018, https://www.gov.uk/government/
15 March 2019, p. 20, https://www.nao.org.uk/wp-content/ 7 UK Ministry of Defence, ‘Joint Concept Note 2/17, Future
Security-Programme.pdf. publishing.service.gov.uk/government/uploads/system/
Opportunities and risks’, International Monetary Fund networks by 2027’, 14 July 2020, https://www.gov.uk/
www.imf.org/en/Publications/WP/Issues/2019/01/17/ networks-by-2027#:~:text=HUAWEI%20will%20be%20
Chinas-Digital-Economy-Opportunities-and-Risks-46459. completely%20removed,sanctions%20against%20the%20
Skynet satellite constellation. The MoD is considering options for 17 International Telecommunication Union, ‘Global Cybersecurity
maintaining the continuity of Skynet services beyond August 2022, Index 2018’, pp. 30, 62, https://www.itu.int/dms_pub/itu-d/
10 Organisation for Economic Co-operation and Development, 18 Those functions include the production of national assessments,
‘Measuring the Digital Transformation: A roadmap for the protection of critical national infrastructure, information
the future’, 11 March 2019, p. 34, https://www.oecd. assurance, and national-level computer-emergency response
org/publications/measuring-the-digital-transformation- teams.
11 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United infrastructure are chemicals, civil nuclear, communications,
States Stay Ahead of China?’, 21 December 2020, https://chuvpilo. defence, emergency services, energy, finance, food, government,
medium.com/ai-research-rankings-2020-can-the-united-states- health, space, transport and water – see Centre for the Protection
stay-ahead-of-china-61cf14b1216. This ranking has weaknesses, of National Infrastructure, ‘Critical National Infrastructure’,
12 Bach Xuan Tran et al., ‘Global evolution of research in artificial 20 National Audit Office, ‘Progress of the 2016–2021 National
intelligence in health and medicine: A bibliometric study’, Cyber Security Programme’, 2019, p. 11, https://www.nao.org.
https://www.mdpi.com/2077-0383/8/3/360/pdf. National-Cyber-Security-Programme.pdf.
13 Department for Digital, Culture, Media and Sport, ‘Initial 21 More UK companies offer cyber-security services than the 100
National Cyber Security Skills Strategy: Increasing the UK’s or so that are accredited – the UK government estimates the
cyber security capability – a call for views’, 3 May 2019, number is around 800. On one level, such diversity is a strength;
market 2020: Findings report’, 2020, https://assets.publishing. 22 Sam Donaldson et al., ‘UK Cyber Security Sectoral Analysis
the_UK_labour_market_2020.pdf. gov.uk/government/uploads/system/uploads/attachment_data/
15 The UK is nonetheless an active exporter of telecommunications file/861945/UK_Cyber_Sectoral_Analysis__2020__Report.pdf.
equipment. For example, BT and Vodafone install and operate 23 UK Department for Digital, Culture, Media and Sport, ‘Cyber
systems in many other countries. In any case, it could be argued Security Breaches Survey 2020’, 26 March 2020, https://www.
manufactured – hence the impact on US chip manufacturers of 24 Global Cyber Security Capacity Centre, ‘Cybersecurity
the US ban on Huawei products. Supply-chain risks may be an Capacity Maturity Model for Nations’, Oxford University, 2017,
manage those risks, and the UK’s approach may later be 25 Since a UN General Assembly resolution in 2004, a UN Group
regarded as having been in the vanguard. of Governmental Experts (GGE) has convened for two-year
of Information and Telecommunications in the Context of 27 The UK government continues to neither confirm nor deny the
International Security’ until 2018, when it was renamed the GGE information leaked by Snowden.
on ‘Advancing Responsible State Behaviour in Cyberspace in the 28 Apart from its statements with regard to the Islamic State, the
Context of International Security’. In cyberspace-policy circles it UK has made no formal acknowledgement of its offensive
is common to refer to it simply as ‘the GGE’. See UN Office for cyber operations. But for a mention of such operations in
Disarmament Affairs, ‘Developments in the field of information Afghanistan, see Gordon Corera, ‘UK’s National Cyber Force
and telecommunications in the context of international security’, comes out of the shadows’, BBC News, 20 November 2020,
https://www.un.org/disarmament/ict-security. https://www.bbc.com/news/technology-55007946.
26 For a collection of such statements, see GCHQ, ‘National 29 UK Parliament, ‘Electronic Warfare: Question for Ministry of
Cyber Force transforms country’s cyber capabilities to protect Defence’, UIN 201591, tabled on 12 December 2018, https://
national-cyber-force#:~:text=Defence%20Secretary%20Ben%20 detail/2018-12-12/201591.
Canada is a highly digitised middle power with an ICT systems. Its national resilience policy is well
advanced economy. It pursues a whole-of-society organised but less practised than it needs to be.
approach to cyber security that sits comfortably with Elements of its critical infrastructure are shared with
its system of government and foreign policy. Its cyber the US (a common electric grid, for example). Canada
policies, like those of the United States and United is active in a multitude of diplomatic forums and
Kingdom, recognise a rich mix of stakeholders, and in building cyber capacity in other states. Its cyber
it has a relatively mature civil-sector cyber capabil- potential is enhanced by its proven ability to operate
ity buttressed by appropriate laws and regulations. in alliance with other cyber-capable states: this gives
The Canadian government is also proactive in pro- it access to additional assets, especially those based
moting digital transformation. A strong, and in some in outer space. Canada is not a global operator in
regards world-leading, tech economy gives Canada cyberspace in the same way that the US and the UK
an advantage over many states with similarly sized are, and offensive cyber, for which the country estab-
economies. It relies, however, on other countries to lished a legal basis only in 2018, is the area in which
provide most of the hardware that powers modern it can do most to improve its overall cyber power.
List of acronyms
CAF Canadian Armed Forces DCIO Defence Chief Information Officer
CSE Communications Security Establishment DND Department of National Defence
CSIS Canadian Security Intelligence Service ICT information and communications technology
1 Canada Privy Council Office, ‘Securing an Open Society: planning, see https://www.canada.ca/en/department-national-
gc.ca/collections/Collection/CP22-77-2004E.pdf. cow-estimates-a-2019-20/joint-capabilities.html.
2 See, for example, Public Safety Canada, ‘Securing an Open 13 Numerous statements made during a Public Safety Committee
Society: Canada’s National Security Policy’, 2015, https://www. meeting, 22 March 2018, https://openparliament.ca/committees/
publicsafety.gc.ca/cnt/ntnl-scrt/scrng-en.aspx. public-safety/42-1/101/?singlepage=1.
3 Public Works and Government Services Canada, ‘Defensive 14 Len Bastien (Defence Chief Information Officer and Assistant
Cyber Operations’, Letter of Interest, Solicitation No. W6369- Deputy Minister, Information Management, Department
QE.B049.E26594.EBSU000.PDF. committees/national-defence/42-1/77/len-bastien-1/only.
Capstone Concept’, 2009, pp. 28–30, http://publications.gc.ca/ 16 Commodore Richard Feltham (Director General,
5 Canadian House of Commons, ‘Standing Committee on the National Defence Committee, 30 January 2018, https://
www.ourcommons.ca/DocumentViewer/en/42-1/NDDN/ commodore-richard-feltham-1/only.
6 Canadian Armed Forces, ‘Strong, Secure, Engaged: Canada’s Response Team’, Canadian Forces College, 2016, p. 3, https://
7 Public Safety Canada, ‘Cyber Security in the Canadian Federal Activities’, 2019, https://www.canada.ca/en/department-
scrt/cbr-scrt/fdrl-gvrnmnt-en.aspx. disclosure/cow-estimates-a-2019-20/joint-capabilities.html.
8 The Standing Senate Committee on Banking, Trade and 19 International Telecommunication Union, ‘Core Household
Commerce, ‘Cyber Assault: It Should Keep You Up at Night’, Indicators’, June 2019, https://www.itu.int/en/ITU-D/Statistics/
9 Public Safety Canada, ‘National Cyber Security Action Plan 20 Canadian Wireless and Telecommunications Association,
10 Public Safety Canada, ‘Speech on Canada’s evolving national Country Commercial Guide’, 3 August 2020, https://www.
en/public-safety-canada/news/2019/01/speech-on-canadas- ICT%20sector%20is,with%20%249.3%20billion%20in%202019.
evolving-national-security-architecture-in-a-constantly- 22 Ibid.
gc.ca/cnt/trnsprnc/brfng-mtrls/trnstn-bndrs/20191211/002/ bb167041-en&_csp_=509e10cb8ea8559b6f9cc53015e8814d&ite
index-en.aspx. mIGO=oecd&itemContentType=book#section-213.
12 Canadian Armed Forces, ‘Strong, Secure, Engaged: Canada’s 24 The initiative was designed to foster further investment in
Defence Policy’, p. 72. For more information on the CAF’s cyber these areas, based in part on a commitment of US$750 million
Canada, ‘About Canada’s Supercluster Initiative program’, Infrastructure’, updated 19 August 2020, https://www.
26 Innovation, Science and Economic Development President Donald J. Trump and Prime Minister Justin
Canada, ‘Canada’s Digital Charter in Action: A Plan by Trudeau’, 13 February 2017, https://pm.gc.ca/en/news/
site/062.nsf/vwapj/Digitalcharter_Report_EN.pdf/$file/ trump-and-prime-minister-justin.
27 Public Safety Canada, ‘National Cyber Security Strategy – “identify and mitigate” cyberthreats to critical civilian sites’,
Canada’s Vision for Security and Prosperity in the Digital CBC, 9 September 2019, https://www.cbc.ca/news/politics/
28 Cornell University, INSEAD and the World Intellectual Government of Canada and the Government of
Property Organization, ‘Global Innovation Index 2020: Who the United States of America for Cooperation in
Will Finance Innovation?’, pp. 54–6, https://www.wipo.int/ Science and Technology for Critical Infrastructure
for the Future', 2019, p. 37, https://www.oecd.org/publications/ 42 National Defence and the Canadian Armed Forces, ‘The
Edition’, May 2020, https://cifar.ca/wp-content/uploads/2020/10/ 43 Public Safety Canada, ‘Cybersecurity Action Plan between
Get Prepared website, https://www.getprepared.gc.ca/cnt/rsrcs/ 45 Canadian Internet Registration Authority (CIRA), ‘CIRA
security-privacy/security-identity-management/government- D-STR-GCI.01-2018-PDF-E.pdf.
34 Canadian Centre for Cyber Security, ‘About the Cyber Centre’, Discussion with Public Safety Canada’, NATO Association
Cyber Operations’, Letter of Interest, Solicitation No. W6369- 48 Public Safety Canada, ‘National Cyber Security Action Plan
36 Government of Canada, ‘Government of Canada, Cyber 49 Since a UN General Assembly resolution in 2004, a UN Group
Security Event Management Plan (GC CSEMP) 2019’. of Governmental Experts (GGE) has convened for two-year
on ‘Advancing Responsible State Behaviour in Cyberspace in the Identify China as Responsible for Cyber-Compromise’, 20
Disarmament Affairs, ‘Developments in the field of information 57 Commodore Richard Feltham (Director General, Cyberspace,
and telecommunications in the context of international security’, Department of National Defence) statement at the National
50 Reiskind, ‘Canada’s Cyber Security: A Discussion with Public Forces, ‘Strong, Secure, Engaged: Canada’s Defence Policy’,
51 Chart of signatures and ratifications of Treaty 185, Council of 58 Cormac Mac Sweeney, ‘Canada’s Military Will Soon Be Able
Europe, 2019, https://www.coe.int/en/web/conventions/full-list/-/ to Disrupt ISIS: Defence Minister’, News 1130, 8 June 2017,
conventions/treaty/185/signatures?p_auth=zrS8ISMY. https://www.citynews1130.com/2017/06/08/canadas-military-
Threats and Building Trust’, in Governing Cyberspace during a 59 Howard Yu, ‘Decentralized Cyber Forces: Cyber Functions at
Crisis in Trust, Centre for International Governance Innovation, the Operational and Tactical Levels’, Canadian Forces College,
cyberspace-part-i-canada-a-leader-in-cyber-defence. Day on which Part 3 of that Act Comes into Force: SI/2019-70’,
54 ‘Statement by Len Bastien [Defence Chief Information Officer Canada Gazette, Part II, vol. 153, no. 15, http://www.gazette.
Australia’s cyber-security strategies have concen- more mature cyber capabilities than its modest
trated on national security, commercial cyber secu- defence and intelligence budgets might suggest. It
rity, the industrial base for sovereign capability, is active in global diplomacy for cyber norms and
workforce development and good international cyber capacity-building. In 2016 it acknowledged for
citizenship. The Australian Signals Directorate, the the first time that it possessed offensive cyber capa-
country’s principal cyber-related agency, remains bilities – examples of their use against the Islamic
the most influential in national policymaking. The State (also known as ISIS or ISIL) were subsequently
country is still developing its military cyber strat- put into the public domain. Australia has actively
egies and policies after setting up an Information supported the United States-led Cyber Deterrence
Warfare Division in 2017. Australia can boast some Initiative, which aims to use cyber means to coun-
research and industry credentials in the field of ter the malign cyber activity of other states. For
information and communications technology and Australia to become a more effective cyber power, it
cyber security, but these are growing from a low will need to make dramatically greater investments
base. In part because of its 70-year membership of in cyber-related tertiary education and carve out a
the Five Eyes intelligence alliance, Australia has more viable sovereign cyber capability.
List of acronyms
ACSC Australian Cyber Security Centre DSCC Defence Signals Intelligence and Cyber Command
ADF Australian Defence Force ICT information and communications technology
ASD Australian Signals Directorate IWD Information Warfare Division
ASIO Australian Security Intelligence Organisation
Notes
2 See Gary Waters, ‘National Cyber Emergency Policy for 2018, https://news.defence.gov.au/media/media-releases/
Routledge, 2020), pp. 93–105. 16 This is explained by IWD as follows: ‘IWD is developing the
3 Australian Government, Department of the Prime Minister information warfare capabilities for the ADF to employ in all its
and Cabinet, ‘Australia’s Cyber Security Strategy: Enabling activities, such as protecting its networks and missions systems,
Innovation, Growth and Prosperity’, Canberra, 2016, https:// conducting exercises and training events, supporting the
www.homeaffairs.gov.au/cyber-security-subsite/files/PMC- community and our region in disaster relief, stability and security
4 Ibid., p. 6. IWD develops are put into operation by the ADF. Chief of Joint
5 Australian Government, Department of Home Affairs, Operations [sic] is responsible for how the capabilities are used
‘Australia’s Cyber Security Strategy’, Canberra, August 2020, to meet the directions of the Australian Government.’
6 Australian Government, Department of Defence, ‘2016 Defence Organisation for Economic Co-operation and Development
White Paper’, Canberra, 2016, https://www.defence.gov.au/ (OECD), ‘Measuring the Digital Transformation: A roadmap
WhitePaper/Docs/2016-Defence-White-Paper.pdf. for the future’, 11 March 2019, pp. 54, 101, 121, https://www.
9 Australian Government, Department of Defence, ‘2020 Defence 18 OECD, ‘Measuring the Digital Transformation: A roadmap for
10 Australian Government, Department of Defence, ‘2020 Force Index 2020: Who Will Finance Innovation?, 2020, pp. xxxiv, xxxvi,
au/StrategicUpdate-2020/docs/2020_Force_Structure_Plan.pdf. 20 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United
11 Australian Government, Prime Minister of Australia, States Stay Ahead of China?’, 21 December 2020, https://
23 See, for example, the case of quantum computing at the 31 Joint Committee on Public Audit and Accounts, ‘Report
University of Sydney, as reported in ‘Global VC Bets on 485 Cyber Resilience’, December 2020, https://www.
University’, Technology Decisions, 9 May 2016, https://www. 33 The goals of the growth-centres initiative in the designated
24 Australian Government, Department of Defence, ‘Defence to enhance management and workforce skills; and to
Science and Technology Group’, https://www.dst.defence.gov. identify opportunities for regulatory reform. See Australian
25 Union of Concerned Scientists, ‘UCS Satellite Database’, Resources, ‘Industry Growth Centres’, https://www.industry.
26 See Waters, ‘National Cyber Emergency Policy for Australia: Plan – 2019 Update’, December 2019, https://www.austcyber.com/
“pretty ordinary” before ASD’s Top Four’, ZDNet, 2 June 2015, 35 Ibid., p. 33.
28 See, for example, the Australian Government Information Australian Institute of International Affairs, 17 October 2019,
Security Manual (ISM), which ‘assists in the protection of http://www.internationalaffairs.org.au/australianoutlook/
organisations’ systems’. Australian Government, Australian 38 Australian Government, ‘Portfolio budget statements 2016–17:
Signals Directorate, ‘Australian Government Information Budget related paper no. 1.5: Education and Training Portfolio’, pp.
complements the advice in the ISM), February 2017, https:// 39 AustCyber, ‘Cyber Security Competitiveness Plan – 2019
security-incidents; and Australian Government, Australian 40 It took Australia several years to set its immigration policies
Signals Directorate, ‘The Essential Eight Maturity Model’, 26 in a way that would attract higher numbers of cyber-security
June 2020, https://www.cyber.gov.au/acsc/view-all-content/ professionals. The government started in 2017 with the
29 Australian National Audit Office, ‘Cyber Resilience’, Auditor programme, which aimed to find talent for ‘highly-skilled
General Report, no. 53 of 2017–18, 28 June 2018, https://www. niche positions’ (without specifying cyber security) that could
temporary residents. This was followed in 2018 by a scheme terms to address international-security aspects of cyberspace.
that focused on seven ‘future-focused fields’, including cyber It was known as the GGE on ‘Developments in the Field
security, but employer sponsorship was still required – the of Information and Telecommunications in the Context of
aim was to recruit 5,000 immigrants in the scheme’s first year International Security’ until 2018, when it was renamed the GGE
of operation. In November 2019, the government launched on ‘Advancing Responsible State Behaviour in Cyberspace in the
a new programme for skilled migration that would allow Context of International Security’. In cyberspace-policy circles it
applications from individuals, not just from the sponsoring is common to refer to it simply as ‘the GGE’. See UN Office for
employer. See Greg Austin, ‘Twelve Dilemmas of Reform in Disarmament Affairs, ‘Developments in the field of information
Cyber Security Education’, in Greg Austin (ed.), Cyber Security and telecommunications in the context of international security’,
pp. 208–21. 48 See ‘Australia, Huawei and 5G’, IISS Strategic Comments, vol.
41 Australian Government, Department of Home Affairs, 25, no. 28, October 2019, https://www.iiss.org/publications/
42 ‘Australia Needs Civil Defence against the Cyber Storm: Policy 49 Rosie Perper, ‘Australia snubbed Huawei and completed
Report’, Research Group on Cyber War and Peace UNSW, its undersea cable project to bring high-speed internet to
University of New South Wales Canberra, 31 March 2019, p. Pacific Islands’, Business Insider, 28 August 2019, https://
3, https://www.unsw.adfa.edu.au/unsw-canberra-cyber/sites/ www.businessinsider.com.au/australia-snubs-huawei-finishes-
accs/files/uploads/Policy%20Report%20Cyber%20Civil%20 undersea-cables-for-pacific-islands-2019-8?r=US&IR=T.
43 Rajiv Shah, ‘Protecting critical national infrastructure in an era vulnerabilities” in PNG data centre’, Capacity Media, 12
report/protecting-critical-national-infrastructure-era-it-and-ot- data-centre.
44 Australian Government, Department of Defence, ‘2016 Terrorism: Address to the House of Representatives, Parliament
Defence White Paper’, Canberra, 2016, p. 45, https://www. House, Canberra’, 23 November 2016, https://parlinfo.aph.gov.
defence.gov.au/WhitePaper/Docs/2016-Defence-White- au/parlInfo/search/display/display.w3p;query=Id:%22media/
capabilities, Australia does not have the capacity to to the Lowy Institute’, 27 March 2019, https://www.asd.gov.au/
This means we will be working with our alliance partner the 53 Ibid.
United States, ASEAN countries, the North Atlantic Treaty 54 On warfighting, the plan says: ‘ASD supports Australian
Organisation (NATO), the United Nations and other partners Defence Force (ADF) operations around the globe, including
to achieve our common goals in protecting and promoting a by providing intelligence and offensive cyber capabilities to
stable rules-based global order.’ enable the warfighter and protect ADF personnel and assets’.
45 See Australian Government, Department of Foreign Australian Government, Australian Signals Directorate, ‘ASD
Affairs and Trade, ‘Australia’s International Cyber Corporate Plan 2019–20’, Canberra, 2019, p. 7, https://www.
The French government has robust strategies for favours regulation as a means of addressing cyber
security in cyberspace, supported by mature insti- threats, exemplified by new laws on election interfer-
tutions and regular budget infusions. France has a ence and protecting critical national infrastructure.
wide cyber-intelligence reach but keeps its cyber- On the international stage France has promoted mul-
security functions organisationally separate from its tilateralism on cyber issues. Its offensive cyber capa-
intelligence community. In terms of digitisation of its bility is mature but probably lags behind those of the
society and economy, France is not one of the lead- United States and the United Kingdom. Its desire for
ers among the world’s developed countries, though national autonomy on key cyber capabilities denies
its ICT sector has clear strengths. It has shown itself France the potential gain from a more integrated
to be highly capable and innovative on cyber secu- approach with key allies, but as a result it is less
rity, advocating a whole-of-society approach. It also dependent on them.
List of acronyms
ANSSI National Cybersecurity Agency ICT information and communications technology
CDSN Defence and National Security Council MdA Ministry of the Armed Forces
DGA General Directorate for Armaments SGDSN Secretariat-General for Defence and National Security
DGSE General Directorate for External Security SOC Security Operations Centre
Notes
1 Ministère des Armées, ‘Livre blanc: Défense et sécurité nationale’, 9 Ministère des Armées, ‘Éléments publics de doctrine militaire
information/les_dossiers_actualites_19/livre_blanc_sur_ defense.gouv.fr/fre/content/download/551497/9393997/
defense_875/livre_blanc_1337/livre_blanc_1340/index.html. El%C3%A9ments%20publics%20de%20doctrine%20
3 Secrétariat général de la défense et de la sécurité nationale It was revealed in this 2019 document that an offensive cyber
4 Agence nationale de la sécurité des systèmes d’information, doctrine had been in place in 2017.
‘Défense et sécurité des systèmes d’information: Stratégie de la 10 Secrétariat Général de la Défense et de la Sécurité Nationale,
02-15_Defense_et_securite_des_systemes_d_information_ www.sgdsn.gouv.fr/uploads/2018/02/20180206-np-revue-
strategie_de_la_France.pdf. cyber-public-v3.3-publication.pdf.
5 Ministère des Armées, ‘Livre blanc: Défense et sécurité 11 François Delerue and Aude Gery, ‘France’s Cyberdefense
nationale’, 2013, http://www.livreblancdefenseetsecurite.gouv. Strategic Review and International Law’, Lawfare, 23 March 2018,
fr/pdf/le_livre_blanc_de_la_defense_2013.pdf. https://www.lawfareblog.com/frances-cyberdefense-strategic-
operation: A post-mortem’, Atlantic Council, 20 June 2019, 12 Arthur P. Laudrain, ‘French Cyber Security and Defence: Strategy,
des armées, sur la manipulation de l’information’, Vie 34 Direction générale de la sécurité extérieure
18 Ministère des Armées, ‘Politique ministérielle de lutte 38 Isabelle Laumonier, ‘Internet sous l’oeil des services de
20 Ministère des Armées, ‘Communiqué: La France se dote d’une 39 ‘France and economic intelligence’, Tarlogic, 6 November 2019,
lutte-informatique-defensive. eu/eurostat/web/products-datasets/-/tin00074.
21 Agence nationale de la sécurité des systèmes d’information, ‘Le 42 Ministry of the Economy and Finance, ‘Numérique: Chiffres
Volet Cybersécurité de France Relance’, September 2020, https:// clés’, 14 March 2019, https://www.entreprises.gouv.fr/
www.ssi.gouv.fr/agence/cybersecurite/le-volet-cybersecurite-de- etudes-et-statistiques/numerique-chiffres-cles.
france-relance. 43 G. De Prato (ed.), The 2018 PREDICT Key Facts Report: An Analysis
22 ‘Un plan à 1 milliard d’euros pour renforcer la cybersécurité’, of ICT R&D in the EU and Beyond, European Commission, JRC
fr/un-plan-a-1-milliard-d-euros-pour-renforcer-la-cybersecurite. repository/bitstream/JRC112019/jrc112019_2018_predict_key_
la stratégie française’, Gouvernement.fr, 18 February 2021, 44 Ministry of the Economy and Finance, ‘La Fintech, le numérique
piece-jointe/2021/02/210218_dp_cyber_vfinale.pdf. economie.gouv.fr/entreprises/fintech-innovation-finance.
25 Conseil de defense et de sécurité nationale 46 ‘Baromètre EY - FD’, France Digitale blog, accessed 8 July 2019,
‘Revue stratégique de cyberdéfense’. 47 Hiscox, ‘Hiscox Cyber Readiness Report 2019’, https://www.
cyberdéfense’, p. 53, and implemented by 2019. See Institut 49 European Commission, Joint Research Centre, ‘AI Watch:
des hautes études du ministère de l’Intérieur, ‘Organisation TES Analysis of AI Worldwide Ecosystem in 2009–2018’, JRC
de l’État français en gestion de crise cybernétique majeure’, Technical Reports, LU: European Commission, 2020, pp. 30–1,
gestion-de-crise-cybernetique-majeure. 50 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United
30 Laudrain, ‘French Cyber Security and Defence’, p. 19. States Stay Ahead of China?’, 21 December 2020, https://
33 COMCYBER, ‘GDA Tisseyre: “On est 3400 cybercombattants 51 ‘AI for Humanity’, AI for Humanity, 29 March 2018, https://
53 Arcep, ‘Baromètre de l’interconnexion de données en France’, 65 ‘Loi N° 2013-1168 Du 18 Décembre 2013 Relative à La
27 June 2019, https://www.arcep.fr/cartes-et-donnees/nos- Programmation Militaire Pour Les Années 2014 à 2019 et Portant
Computer Communication Review, vol. 46, no. 1, 11 January 2016, 66 ‘Code de La Défense – Article L2321-2’, L2321-2 Code de la
55 Orange, ‘Les Réseaux d’Orange: dossier de presse’, February 67 G20 Research Group, ‘2019 G20 Osaka Summit Interim
orange-2017-fr/dp_reseaux_orange_fr_full.pdf. compliance/2019osaka-interim/08-2019-g20-compliance-
56 France IX, ‘France-IX’s Infrastructure’, https://www.franceix. interim-cyber-resilience.pdf. The companies were Airbus,
57 Wei Shi, ‘French parliament passes “Huawei Law” to Safran and Thales.
Du Réseau Interministériel de l’État’, Thales Group, accessed 12 71 ‘France Wins Cyber Defence Exercise Locked Shields 2019’,
press-release/thales-assure-la-securite-de-lacces-internet-du-reseau. france-wins-cyber-defence-exercise-locked-shields-2019.
59 Arthur Laudrain, ‘France’s “Strategic Autonomy” Takes to 72 International Telecommunication Union, ‘Global Cybersecurity
Space’, International Institute for Strategic Studies, Military Index 2018’, pp. 30, 62, https://www.itu.int/dms_pub/itu-d/
60 Ministère de l’Europe et des Affaires Étrangères, ‘Defence 74 Ministère des Armées, ‘Livre blanc: Défense et sécurité
Toulouse – Communiqué issued by the Ministry for the Armed 75 Assemblée nationale, ‘Rapport d’information de Mme
Forces’, 5 February 2021, https://www.diplomatie.gouv.fr/ Alexandra Valetta Ardisson et M. Bastien Lachaud Déposé En
61 European Union Agency for Cybersecurity, ‘NIS Investments Cyberdéfense’, 4 July 2018, http://www2.assemblee-nationale.
62 Wavestone, ‘Top Companies Cybersecurity Index: 2020 Annual IntelligenceOnline, 11 March 2015, https://www.
Wavestone-Cyberindex-top-companies-2020-EN.pdf. developpe-les-jeux-de-cyberguerre-a-bruz,108065256-bre.
63 ‘Dossier de presse – Cybersécurité, faire face à la menace: la 77 BPI France, ‘Definvest: Fonds d’investissement dédié aux
stratégie française’, Gouvernement.fr, p. 12. entreprises stratégiques de la Défense’, accessed 8 July 2019, https://
Fonds-d-investissement-thematiques/Definvest. cyber-security/article/indo-french-bilateral-cyber-dialogue-20-06-19.
78 Comité de lutte contre la manipulation de l’information (CLMI) 87 Ministère de l’Europe et des Affaires Étrangères, ‘G7 French
79 Sénat, ‘Délégation Parlementaire au Renseignement: Rapport presidency – Cyber Norm Initiative: Synthesis of Lessons
d›activité 2019–2020’, 11 June 2020, http://www.senat.fr/rap/r19- Learned and Best Practices’, 26 November 2019, https://
506/r19-50638.html. www.diplomatie.gouv.fr/en/french-foreign-policy/digital-
post-mortem’. initiative-synthesis-of-lessons-learned-and.
81 Ministère de l’Europe et des Affaires Étrangères, ‘Stratégie 88 Ministère de l’Europe et des Affaires Étrangères, ‘Guaranteeing
la-france/diplomatie-numerique/la-strategie-internationale-de-la- digital-strategy/article/guaranteeing-cybersecurity.
ann%C3%A9es%20%C3%A0%20venir.&text=Elle%20 diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/
s’articule%20autour%20de,%3A%20gouvernance%2C%20 france-and-cyber-security/article/eu-cyberattacks-q-a-from-the-
%C3%A9conomie%2C%20s%C3%A9curit%C3%A9. press-briefing-30-jul-20.
82 Arthur Laudrain, ‘Avoiding A World War Web: The Paris Call 90 Lorie Maglana and Sunny Man, ‘Europe: EU imposes the first
for Trust and Security in Cyberspace’, Lawfare, 4 December ever sanctions against cyber-attacks’, Global Compliance News,
paris-call-trust-and-security-cyberspace. the-first-ever-sanctions-against-cyber-attacks-20200810.
83 Since a UN General Assembly resolution in 2004, a UN Group 91 Ministère des Armées, ‘Droit International Appliqué Aux
of Governmental Experts (GGE) has convened for two-year Opérations Dans Le Cyberespace’, 9 September 2019, https://
International Security’ until 2018, when it was renamed the GGE 92 Ministère des Armées, ‘Le COMCYBER’, 4 February 2021,
Disarmament Affairs, ‘Developments in the field of information Commandement de la cyberdéfense sont tournés vers les actions
and telecommunications in the context of international security’, offensives’, Zone Militaire, 9 May 2020, http://www.opex360.
https://www.un.org/disarmament/ict-security. com/2020/05/09/environ-40-des-effectifs-du-commandement-
84 Ministère de l’Europe et des Affaires Étrangères, ‘Guaranteeing de-la-cyberdefense-sont-tournes-vers-les-actions-offensives.
Cybersecurity’, undated, https://www.diplomatie.gouv.fr/en/ 94 Nathalie Guibert, ‘Général Lecointre: “L’indicateur de réussite
edition of the Franco-German common situational picture’, 2020, 95 Martin Untersinger and Jacques Follorou, ‘La France suspectée
situational_picture_2020.pdf. www.lemonde.fr/international/article/2014/03/21/la-france-
Bilateral Cyber Dialogue’, 20 June 2019, https://www.diplomatie. 96 Simon Pascal, ‘Cyberdéfense. “Nous allons accroître encore
cyberdefense-nous-allons-accroitre-encore-les-capacites-de-la- special-interest/gess/cis/center-for-securities-studies/pdfs/
plaque-rennaise-7091506. Cyber-Reports_National_Cybersecurity_and_Cyberdefense_
Cyberdefense Policy Snapshots: Collection 1’, Center for 98 Laudrain, ‘French Cyber Security and Defence’, p. 9.
Israel was one of the first countries to identify cyber- strategy that includes close cooperation between
space as a potential threat to its national security, government, the private sector and academia, and
and started to address the issue more than 20 years with international partners. This cooperation, led
ago. Initially it perceived that the main threat was by the INCD, has created both a vibrant cyber eco-
of cyber attacks against its critical national infra- system and a relatively high level of preparedness
structure, but that perception has evolved to include and resilience within the private sector. On offensive
attacks against other nationally significant targets. cyber operations, little has been publicly avowed,
Technological and geopolitical changes have driven but notable attacks that have been attributed to
various organisational reforms in the way Israel’s Israel include the use of the Stuxnet worm against
national-security system responds to cyber threats, Iran, between 2008 and 2010, and an attack against
a process culminating in 2018 with the formal estab- an Iranian port in 2020. Based on such evidence, it
lishment of the Israeli National Cyber Directorate appears that Israel has a well-developed capacity for
(INCD) within the office of the prime minister. The offensive cyber operations and is prepared to under-
country has also drafted a formal national cyber take them in a wide range of circumstances.
List of acronyms
IDF Israel Defense Forces NISA National Information Security Authority
INCD Israeli National Cyber Directorate
Notes
1 In 2002 the Ministerial Committee for National Security adopted within the Israeli Security Agency (Shin Bet). See Gil Baram,
Resolution B/84 on ‘Responsibility for Protecting Computer ‘The Effect of Cyberwar Technologies on Force Buildup: The
Systems in Israel’, which provided the basis for the creation of Israeli Case’, Military and Strategic Affairs, vol. 5, no. 1, May 2013,
a steering committee charged with identifying all public and p. 29, https://www.inss.org.il/wp-content/uploads/systemfiles/
and therefore requiring constant protection. Some of these 2 A similar process is currently under way with regard to
systems were not operated by the Israel Defense Forces but by artificial intelligence, aiming to establish Israel among the top
civilian or government companies. The resolution also mandated five countries in the field – see, for example, Éanna Kelly, ‘Israel
the creation of the National Information Security Authority, the sets out to become the next major artificial intelligence player’,
unit responsible for the protection of computerised systems Science Business, 2 July 2019, https://sciencebusiness.net/
3 State of Israel, Prime Minister’s Office, National Cyber 16 NISA is known as ‘Re’em’ in Hebrew.
Directorate, ‘Israel National Cyber Security Strategy in Brief’, 17 Lior Tabansky, ‘Critical infrastructure protection against cyber
September 2017, p. 5, https://cyber.haifa.ac.il/images/pdf/ threats’, Military and Strategic Affairs, vol. 3, no. 2, November
bershetvet mheshebyem’, Haaretz, 1 January 2010, http://www. 18 Israel Defense Forces, ‘Military Intelligence Directorate’, https://
haaretz.co.il/misc/1.1182490. www.idf.il/en/minisites/military-intelligence-directorate.
5 Gili Cohen and Oded Yaron, ‘Barak Acknowledges Israel’s 19 Yaacov Katz, ‘Security and Defense: Israel’s Cyber
Cyber Offensive for First Time’, Haaretz, 6 June 2012, https:// Ambiguity’, Jerusalem Post, 31 May 2012, http://www.jpost.
www.haaretz.com/barack-acknowledges-israel-s-cyber- com/Features/Front-Lines/Security-and-Defense-Israels-
6 Graham Allison, ‘Deterring Terror: How Israel Confronts the Freilich and Gabi Siboni, ‘Israel and cyber space: Unique
Next Generation of Threats – English Translation of the Official threat and response’, International Studies Perspectives, vol.
Strategy of the Israel Defense Forces’, Special Report, Belfer 17, no. 3, August 2016, p. 8, https://www.researchgate.net/
7 Ibid., p. 22. 21 See Israel Defense Forces, ‘C4I and Cyber Defense Directorate’,
10 Government of Israel, ‘Mesper hhelth 3270’, 17 December 2017, Sociology Mind, vol. 8, March 2018, pp. 114–22, https://www.
https://www.gov.il/he/Departments/policies/dec_3270_2017. scirp.org/pdf/SM_2018032915444002.pdf.
11 Baram, ‘The Effect of Cyberwar Technologies on Force Buildup: 23 Richard Silverstein, ‘Israeli Intelligence Budget Nearly Doubles
The Israeli Case’, pp. 29–32. in Past Decade Under Netanyahu’, Tikun Olam, 5 May 2017,
12 Government of Israel, ‘Resolution no. 2444’, 15 February 2015, https://www.richardsilverstein.com/2017/05/05/israeli-
https://www.ictrp.org/wp-content/uploads/2019/02/Government- intelligence-budget-nearly-doubles-past-decade-netanyahu.
for-Cyber-Security.pdf. This presented Israel’s operational Info Security, 26 June 2019, https://www.infosecurity-magazine.
cyber-defence strategy for the civilian economy, calling for greater com/news/netanyahu-boasts-of-israels-cyber-1.
coordination of all national cyber-defence bodies and laying the 25 Israel Defence Forces, ‘Military Intelligence Directorate’.
foundations for the creation of the NCSA for this purpose. 26 Sean Cordey, ‘The Israeli Unit 8200: An OSINT-based study’,
13 Yigal Unna, ‘National Cyber Security in Israel’, Cyber, Center for Security Studies, Cyber Defense Project, December
Intelligence, and Security, vol. 3, no. 1, May 2019, p. 170, https:// 2019, p. 8, https://css.ethz.ch/content/dam/ethz/special-interest/
www.inss.org.il/publication/national-cyber-security-in-israel. gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-
14 Amir Cahane, ‘The New Israeli Cyber Draft Bill – A Preliminary 2019-12-Unit-8200.pdf.
Overview’, The Federmann Cyber Security Research Center – 27 Amir Mizroch, ‘Rise of Computer Vision Brings Obscure Israeli
Cyber Law Program, undated, https://csrcl.huji.ac.il/news/ Intelligence Unit Into Spotlight’, Forbes, 28 May 2018, https://
new-israeli-cyber-law-draft-bill. www.forbes.com/sites/startupnationcentral/2018/05/28/rise-of-
Israel Defense, 19 April 2014, https://www.israeldefense.co.il/ Leading the $82 Billion Industry’, Forbes, 18 July 2017, https://
en/content/revolution-intelligence-agencies. www.forbes.com/sites/gilpress/2017/07/18/6-reasons-israel-
29 Jonah Jeremy Bob, ‘Mossad chief Yossi Cohen: Cyber intel became-a-cybersecurity-powerhouse-leading-the-82-billion-
https://www.jpost.com/israel-news/mossad-chief-yossi-cohen- 39 Cordey, ‘The Israeli Unit 8200: An OSINT-based study’, pp. 3, 12.
cyber-intel-is-main-tool-against-terrorism-593617. 40 Isaac Kfir, ‘Learning from Israel’s cyber playbook’, Asia and
30 ‘Shin Bet head says over 2,000 terror attacks thwarted the Pacific Policy Society, 5 November 2018, https://www.
timesofisrael.com/shin-bet-head-says-over-2000-attacks- 41 Daniel Estrin, ‘In Israel, teaching kids cyber skills is a national
Centre of Excellence, 2017, pp. 14–15, https://ccdcoe.org/ 42 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United
33 In the 2020 listing of the top 150 cyber-security companies, the US 9 May 2019, https://futureoflife.org/2019/05/09/state-of-ai.
had 95 companies, Israel 16, the UK eight, Russia one, and China 44 Kyle Wiggers, ‘Israel Risks Falling Behind in AI Despite
none. See Steve Morgan, ‘Hot 150 Cybersecurity Companies Growth’, VentureBeat, 17 February 2020, https://venturebeat.
to Watch in 2021’, Cybercrime Magazine, 5 January 2021, https:// com/2020/02/17/israel-risks-falling-behind-in-ai-despite-growth.
cybersecurityventures.com/cybersecurity-companies-list- 45 European Commission, Joint Research Centre, ‘AI Watch:
hot-150. Although quite subjective, the list indicates the amount TES Analysis of AI Worldwide Ecosystem in 2009–2018’,
of attention that Israeli companies in this sector attract. JRC Technical Reports, 2020, p. 29, https://data.europa.eu/
34 Israel National Cyber Directorate, ‘The Israeli cyber industry doi/10.2760/85212.
continues to grow: Record fundraising in 2020’, 21 January 46 ‘Israel Launches National AI Plan at Cost of 1.63 Bln USD’,
Central, Israel Innovation Authority, February 2019, http:// 49 Israel National Cyber Directorate, ‘The Israel National Cyber
see Lilach Baumer, ‘Israel’s Tech Sector Grows, but 50 ‘“Cyber winter is coming,” warns Israel cyber chief after attack
Demand Still Outstrips Supply, Says Report’, Calcalist, on water systems’, Times of Israel, 28 May 2020, https://www.
articles/0,7340,L-3796731,00.html. changing-point-in-cyber-warfare.
52 International Telecommunication Union, ‘Global Cybersecurity lheylevpey meyd’ vesheytevpey mev”p bethevm hesyeyber
Index 2018’, p. 64, https://www.itu.int/dms_pub/itu-d/opb/str/D- beyn yesheral veypen’, 28 November 2018, http://www.gov.il/he/
53 See Israel National Cyber Directorate, http://www.gov.il/en/ Directorate, ‘Rash memshelt yesheral, benyemyen netneyhev
54 Uri Berkowitz, ‘Hesvet hemdeynh: hekyerv at hem’erekt shetkeyn bem’even hayervh hershemy shel memshelt hevdev, vhetmev ‘el
at hhebrh shelkem lemteqpet Bhesyeyber hebah’, Globes, 5 May shevret heskemyem beyn hemdeynevt’, 15 January 2018, www.
55 Israel National Cyber Directorate, ‘National Cyber Concept 63 Israel National Cyber Directorate, ‘Heskem hebnevt lesheytevp
for Crisis Preparedness and Management’, 6 November 2018, p’evelh bethevm hegnet hesyeyber beyn yesheral leqrevateyh’, 12
for a Cyber Crisis: Characterization & Requirements from Crisis Israel National Cyber Directorate, ‘Australian–Israeli cooperation
Management Team and IR Team’, 8 November 2019, https:// in the field of cyber’, 29 January 2019, http://www.gov.il/he/
www.gov.il/BlobFolder/news/cybercrisisforir/en/Cyber%20 departments/news/agree_australia.
57 Israel National Cyber Directorate, ‘Guidelines on Protecting Cyber Security’, RepublicWorld.com, 16 July 2020, https://www.
departments/general/icssolutions. sign-agreement-to-expand-cooperation-in-cyber-security.html.
58 Israel National Cyber Directorate, ‘Recommendations on Using This agreement with India expanded on areas of cooperation
Zoom Safely’, 5 May 2020, https://www.gov.il/en/departments/ covered in the two countries’ 2018 agreement.
59 Israel National Cyber Directorate, ‘Cyber Emergency Response signed between Greece and Israel’, 16 June 2020, https://www.gov.
Team’, https://www.gov.il/en/departments/news/119en. il/en/departments/news/greece.
60 Since a UN General Assembly resolution in 2004, a UN Group of 66 Israel National Cyber Directorate, ‘Semyenr beynelavemy
Governmental Experts (GGE) has convened for two-year terms to pevrets derk lentesyegy hebrevt vemmeshelvet memdeynevt
address international-security aspects of cyberspace. It was known yedyedvetyevt’, 18 November 2018, http://www.gov.il/he/
Telecommunications in the Context of International Security’ until 67 Israel National Cyber Directorate, ‘Shet”p bethevm hegnet
2018, when it was renamed the GGE on ‘Advancing Responsible hesyeyber beyn yesheral lemdeynevt ameryeqh helteyneyt
State Behaviour in Cyberspace in the Context of International vheqareybeyyem’, 28 March 2018, http://www.gov.il/he/
it simply as ‘the GGE’. See UN Office for Disarmament Affairs, 68 Jean-Christophe Noël, ‘Israeli Cyberpower: The Unfinished
‘Developments in the field of information and telecommunications Development of the Start-up Nation’, French Institute of
in the context of international security’, https://www.un.org/ International Relations, November 2020, p. 21, https://www.ifri.
disarmament/ict-security. org/sites/default/files/atoms/files/noel_israeli_cyberpower_2020.pdf.
61 See, for example, a speech by Deputy Attorney General Roy 69 ‘Israel, US Conclude Joint Cyber Defense Exercise’, Israel
Schöndorf, ‘Israel’s perspective on Key Legal and Practical Defense, 10 November 2019, http://www.israeldefense.co.il/en/
lerashevnh bep’eyelvet seyyebr hetqepyet shel yesheral’, 73 Tabansky and Israel, Cybersecurity in Israel, pp. 66–7.
Haaretz, 6 June 2012, http://www.haaretz.co.il/news/ 74 ‘IDF’s cyber warrior 8200 intelligence unit gets medal for
71 David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the timesofisrael.com/idfs-cyber-warrior-8200-intelligence-unit-
72 Cohen, Freilich and Siboni, ‘Israel and cyber space: Unique 75 Ibid.
Japan has been among the global leaders in the with many corporations unwilling to meet the costs
commercial application of information and com- of bolstering them. The country’s resilience planning
munications technologies since the early 1980s, but has been rather limited, though this intensified in the
its readiness to deal with the security aspects of run-up to the 2020 Olympic and Paralympic Games
cyberspace is a much more recent phenomenon. Its (postponed due to COVID-19). Japan still does not
first mature cyber-security strategy was issued in have an official military cyber strategy or an official
2013, building on several earlier policies that were military doctrine pertaining to cyberspace, though it
focused on rhetorical principles of classic informa- has made modest organisational changes in its armed
tion security of a narrow technical kind. Japan now forces, including the creation of some dedicated cyber
has a well-developed approach to the governance units. Its offensive cyber capabilities remain under-
of cyberspace, but this constitutes a looser set of developed because of the constitutional and politi-
arrangements than in countries such as the United cal constraints on the country’s use of force. By 2020,
States and the United Kingdom, particularly in terms prompted in part by the US and Australia, Japan had
of information-sharing by the private sector. Japan’s shifted to a more robust cyber posture because of ris-
defences in cyberspace are not especially strong, ing concerns about China and North Korea.
List of acronyms
ASEAN Association of Southeast Asian Nations IPv6 Internet Protocol Version 6
CCDCOE Cooperative Cyber Defence Centre of Excellence JSDF Japan Self-Defense Forces
CSSH Cyber Security Strategic Headquarters MoD Ministry of Defense
DIH Defense Intelligence Headquarters NISC National Center of Incident Readiness and Strategy for
DSI Directorate for Signals Intelligence Cybersecurity
ICT information and communications technology NTT Nippon Telegraph and Telephone
IoT Internet of Things
1 Information Security Council, The First National Strategy on gathering and analysis on domestic and foreign cybersecurity;
Information Security: Toward the Realisation of a Trustworthy the promotion of international cooperation and collaboration;
Society, 2 February 2006, http://www.nisc.go.jp/eng/pdf/ and cybersecurity workforce development for and by the
national_strategy_001_eng.pdf. governmental bodies’. National Center of Incident Readiness
2 Information Security Council, Cybersecurity Strategy: Towards a and Strategy for Cybersecurity, Organisational Structure, http://
World-Leading, Resilient and Vigorous Cyberspace, 10 June 2013, http:// www.nisc.go.jp/about/organize.html.
www.nisc.go.jp/active/kihon/pdf/cybersecuritystrategy-en.pdf. 16 National Center of Incident Readiness and Strategy for
3 Japan Ministry of Foreign Affairs, National Security Strategy, 17 Cybersecurity, Cybersecurity Framework in the Government of
4 Government of Japan, Cybersecurity Strategy, 4 September 2015, presentation delivered by Tomoo Yamauchi, Deputy Director-
DEFENSE_COOPERATION.pdf. The ‘guidelines’ framework Capabilities: How Much Is Enough?’, Military Balance blog,
has been used since 1979 to set the parameters of defence International Institute for Strategic Studies, 28 August 2020,
cooperation between the two countries. https://www.iiss.org/blogs/military-balance/2020/08/
Cybersecurity, Cybersecurity Strategy, 27 July 2018, https:// 20 ‘Japan Embraces AI Tools to Fight Cyberattacks with US$237
2019), pp. 228–9. 21 Daishi Abe, ‘Lagging China and the US, Japan to beef up
9 Ministry of Defense, National Defense Program Guidelines for FY cyberdefense’, Nikkei Asia, 20 June 2020, https://asia.nikkei.com/
10 National Center of Incident Readiness and Strategy for 2,000 personnel in 2020.
Cybersecurity, Cybersecurity Strategy, 27 July 2018. 23 Samuels, Special Duty: A History of the Japanese Intelligence
11 Ministry of Defense, Defense of Japan 2020, 2020, p. 41, https://www. Community, p. 232.
12 Ibid., pp. 218, 267. Overview of FY2020 Budget Request, 2019, https://www.mod.
– FY 2023), 18 December 2018, https://www.mod.go.jp/j/ 25 Longmei Zhang and Sally Chen, ‘China’s Digital Economy:
14 Government of Japan, Cybersecurity Strategy, 4 September 2015. Working Paper, no. WP/19/16, 17 January 2019, p. 4, https://
administrative organs; fact-finding on the cause of incidents 26 For technology companies in 2020, see https://fortune.com/
ch/?sector=Telecommunications. on QZSS at the 7th Session of the IMO’s NCSR’, 5 March 2020,
International Federation of Robotics (IFR), 17 December 2018, 44 Ministry of Defense, Defense of Japan 2020, pp. 266–7.
28 OECD, Japan, OECD Economic Surveys, April 2019, p. 44, https:// Cybersecurity, Cybersecurity Strategy, 27 July 2018.
29 Osamu Tsukimori, ‘Japanese manufacturers use decades of (4th Edition)’, 25 July 2018, https://www.nisc.go.jp/eng/pdf/
chips’, Japan Times, 9 October 2019, https://www.japantimes. 47 Mihoko Matsubara, ‘A Glimpse into Private Sector Security in
decades-experience-dominate-key-chemical-market-cutting- glimpse-private-sector-cybersecurity-japan.
30 Nippon Telegraph Telephone (NTT) Group, https://www.ntt. Cybersecurity, ‘The Guidance on Operations of Information
31 Ipv6 Test, ‘IPv6 in Japan’, October 2019, https://ipv6-test.com/ Agencies’, 31 August 2016, Revised 25 July 2018, https://www.
stats/country/JP. nisc.go.jp/eng/pdf/shishin30-en.pdf.
32 NTT WE Marine, ‘Cable-Laying Vessels’, https://www.nttwem. 49 Information Technology Promotion Agency, ‘Fact-finding
33 OECD, Japan, OECD Economic Surveys, April 2019, p. 44. measures’, 25 March 2020, https://www.ipa.go.jp/security/
computer”’, 15 November 2018, https://www.bbc.co.uk/news/ 50 Ministry of Economy, Trade and Industry, ‘Cybersecurity
Security Framework: To ensure trusthworthiness of a new type of 51 National Center of Incident Readiness and Strategy for
supply chain in ‘Society 5.0’, so-called ‘value creation process’, Cybersecurity, ‘The Guidance on Operations of Information
18 April 2019, https://www.meti.go.jp/english/press/2019/ Security Measures of Government Agencies and Related Agencies’.
36 Ministry of Economy, Trade and Industry, Cyber/Physical Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/
united-states-stay-ahead-of-china-61cf14b1216. go.jp/e/jdf/sp/no44/sp_activities.html#article03.
40 Ministry of Defense, Defense of Japan 2019, 2019, p. 229, https:// undated, https://www.mofa.go.jp/files/000412327.pdf.
41 Cabinet Office, ‘Juntenchōeisei shisutemu ni tsuite’, undated, of Governmental Experts (GGE) has convened for two-year
42 Quasi-Zenith Satellite System (QZSS), ‘Overview of the It was known as the GGE on ‘Developments in the Field
Quasi-Zenith Satellite System (QZSS)’, https://qzss.go.jp/en/ of Information and Telecommunications in the Context of
overview/services/sv01_what.html. International Security’ until 2018, when it was renamed the GGE
Context of International Security’. In cyberspace-policy circles it Ministry of Foreign Affairs of Japan, ‘The 5th Trilateral Cyber
is common to refer to it simply as ‘the GGE’. See UN Office for Policy Consultation’, 10 December 2020, https://www.mofa.
and telecommunications in the context of international security’, 67 Wilhelm M. Vosse, ‘Japan’s Cyber Diplomacy’, Research in
Developments in the Field of Information and Telecommunications 68 European Commission, ‘European Commission adopts
in the Context of International Security, 22 July 2015, https://www. adequacy decision on Japan, creating the largest area of safe
59 Council of Europe, ‘Japan joins Budapest Convention’, 69 Franz-Stefan Gady, ‘Toothless tiger: Japan Self-Defence
press release, 3 July 2012, https://www.coe.int/en/web/ Forces’, BBC News, 14 October 2015, https://www.bbc.com/
cybercrime/news/-/asset_publisher/S73WWxscOuZ5/content/ news/world-asia-34485966.
60 ‘Asean cybersecurity centre opens in Bangkok’, Bangkok Post, 14 Right to Self-Defense’, Institute for Security and
southeast-asian-cyber-security-centre-opens-in-thailand. cybersecurity-japans-right-to-self-defense.
61 NATO Cooperative Cyber Defence Centre of Excellence 71 Also, in 2019, according to a media report, the Ministry of
(CCD COE), ‘Japan to Join the NATO Cooperative Cyber Defense contracted private-sector companies to develop
Defence Centre of Excellence in Tallinn’, press release, 12 offensive cyber capabilities for defensive purposes. See ‘Japan
January 2018, https://ccdcoe.org/news/2018/japan-to-join- to develop 1st defense use computer virus against cyberattacks’,
tallinn. news/2019/04/e9e4df950d3d-japan-to-develop-1st-defense-
63 Ministry of Defense, ‘Participation in NATO Cyber Defence 73 See Franz-Stefan Gady and Yuka Koshino, ‘Japan and Cyber
Exercise “Cyber Coordination 2019”’, press release, 27 November Capabilities: How Much Is Enough?’, Military Balance blog,
China’s leaders have moved decisively to embrace the those of the United States, and cyber-resilience poli-
information revolution. They started from a position cies for its critical national infrastructure are only
of relative backwardness in electronics in the 1990s, in the early stages of development. China has been
but with the advantages of a rapidly growing economy locked in a battle with the United States and its allies
and technology transfer from abroad. The country has over global cyber governance since the early 2000s, a
since established the world’s most extensive cyber- contest aggravated by US determination to sanction
enabled domestic surveillance and censorship system, Chinese tech firms in response to China’s malicious
which is tightly controlled by the leadership. China’s behaviour in cyberspace. Since the early 2000s China
intention of becoming a cyber power was reflected in has conducted large-scale cyber operations abroad,
its military strategy released in 2015 and its first for- aiming to acquire intellectual property, achieve politi-
mal cyber-security strategy in 2016. The country has cal influence, carry out state-on-state espionage and
ambitious goals for the indigenous manufacture of position capabilities for disruptive effect in case of
the core internet technologies it relies on, aiming to future conflict. China is a second-tier cyber power but,
become a world leader in such technologies by 2030. given its growing industrial base in digital technology,
Its core cyber defences remain weak compared with it is the state best placed to join the US in the first tier.
List of acronyms
BRI Belt and Road Initiative MPS Ministry of Public Security
CAC Cyberspace Administration of China MSS Ministry of State Security
CCP Chinese Communist Party PLA People’s Liberation Army
ICT information and communications technology SSF Strategic Support Force
Notes
1 This CCP body was known as the Small Leading Group on P020191112539794960687.pdf. The report covers the first six
Informatisation and Cyber Security until 2018, when it was months of 2019.
upgraded to the status of a CCP commission and renamed the 6 Ibid., p. 74.
Central Commission for Informatisation and Cyber Security 7 See Greg Austin and Wenze Lu, ‘Five Years of Cyber Security
(CCIC). This put it on a similar level to powerful entities such Education Reform in China’, in Greg Austin (ed.), Cyber Security
as the Central Military Commission. Its name in English is Education: Principles and Policies (Abingdon: Routledge, 2020).
often shortened to the Central Cyberspace Affairs Commission 8 For an overview of the early military developments, see Greg
(CCAC). The equivalent government body remains the Austin, ‘China’s Security in the Information Age’, in Lowell
Cyberspace Administration of China, which operates in part as Dittmer and Maochun Yu (eds), Routledge Handbook of Chinese
the secretariat or office for the CCIC. Security (Abingdon: Routledge, 2015), pp. 355–70.
2 Cyberspace Administration of China, ‘National Cyberspace 9 Yan Weifeng, Cong Meijun ‘konghai yiti zhan’ gouxiang kan zhanyi
Security Strategy’, 2016, https://chinacopyrightandmedia. fazhan (Beijing: Haichao Press, 2016), p. 197.
3 Rogier Creemers, Paul Triolo and Graham Webster, ‘network space’ (wangluo kongjian) instead of ‘cyberspace’,
‘Translation: Cybersecurity Law of the People’s Republic of and ‘network warfare’ (wangluo zhan) instead of ‘cyber
China (Effective June 1, 2017)’, New America, 2018, https:// operations’. The PLA’s dictionary of military terms
4 For an overview, see Greg Austin, Cybersecurity in China: The degrade their effectiveness, while protecting one’s own
Next Wave (New York: Springer, 2018), p. 8. network systems and network information’. See Military
5 China Internet Network Information Center, ‘Statistical Terminology Committee, Academy of Military Sciences,
Report on Internet Development in China’, August 2019, pp. Military Terminology of the People’s Liberation Army (Beijing:
Psychological Warfare Challenge’, The Heritage Foundation, 25 Brendon Hong, ‘The American Money Behind Blacklisted
12 July 2013, p. 2, https://www.heritage.org/global-politics/ Chinese AI Companies’, Daily Beast, 2 January 2021, https://
report/winning-without-fighting-the-chinese-psychological- www.thedailybeast.com/the-american-money-behind-
warfare-challenge/#_ftn1. blacklisted-chinese-artificial-intelligence-companies.
12 Jeffrey Engstrom, ‘Systems Confrontation and Systems 26 Josh Rudolph, ‘Sharper Eyes: Surveilling the Surveillers (Part 1)’,
Destruction Warfare: How the People’s Liberation Army China Digital Times, 9 September 2019, https://chinadigitaltimes.
13 China Aerospace Studies Institute, In Their Own Words: Foreign 28 See Greg Austin, Cyber Policy in China (Cambridge: Polity, 2014), p. 1.
Military Thought – Science of Military Strategy 2013, 8 February 29 China Academy of Information and Communications
2021, pp. 58, 160–1, 221, https://www.airuniversity.af.edu/ Technology, ‘Zhōngguó shùzì jīngjì fāzhǎn báipíshū’, May–July
Chinese%20Military%20Thoughts-%20In%20their%20 P020200703318256637020.pdf.
China, ‘China’s Military Strategy’, May 2015, http://eng.mod. 31 China Academy of Information and Communications
gov.cn/Database/WhitePapers/2014.htm. Technology, ‘Zhōngguó shùzì jīngjì fāzhǎn báipíshū’, p. 8.
15 See, for example, ‘Réngōng zhìnéng jūnbèi jìngsài zhèngzài 32 Ibid., p. 27. Alibaba ranked 132nd in the 2020 Fortune Global 500
qiǎorán xīngqǐ’, China Youth Daily, 17 October 2019, https://m. and Tencent 197th.
16 ‘Xi calls for building a strong army’, Xinhua, 26 October 2017, Nightmare’, Diplomat, 18 February 2015, https://thediplomat.
http://www.xinhuanet.com//english/2017-10/26/c_136708142.htm. com/2015/02/new-report-highlights-chinas-cybersecurity-nightmare.
17 See Greg Austin, ‘The Strategic Implications of China’s Weak 34 Davey Winder, ‘China Prepares to Drop Microsoft Windows,
Cyber Defences’, Survival: Global Politics and Strategy, vol. 62, Blames US Hacking Threat’, Forbes, 30 May 2019, https://
Institute for National Strategic Studies, National Defense 35 State Council of the People’s Republic of China, ‘Notice of
University, 2018, p. 5, https://ndupress.ndu.edu/Portals/68/ the State Council Issuing the New Generation of Artificial
Costello and McReynolds, ‘China’s Strategic Support Force: A South China Morning Post, 11 November 2020, https://www.
21 Ibid., pp. 40–1. 37 Jeffrey Ding, ‘China’s Current Capabilities, Policies and
22 ‘Zhànlüè zhīyuán bùduì jīcéng jiànshè gōngzuò shùpíng’, Industrial Ecosystem in AI – Testimony before the U.S.–China
Xinhuanet, 24 September 2017, http://www.xinhuanet.com/ Economic and Security Review Commission Hearing on
23 MSS is the main civilian intelligence and counter-intelligence of Artificial Intelligence, New Materials, and New Energy’,
China’s%20Current%20Capabilities,%20Policies,%20and%20 straitstimes.com/asia/east-asia/chinese-president-xi-jinping-
Industrial%20Ecosystem%20in%20AI.pdf. warns-of-new-long-march-as-trade-war-intensifies.
38 Ibid., p. 40. 50 Elliott Zaagman, ‘Cyber Sovereignty and the PRC’s Vision
39 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United for Global Internet Governance’, China Brief, vol. 18, no. 10, 5
States Stay Ahead of China?’, 21 December 2020, https:// June 2018, https://jamestown.org/program/cyber-sovereignty-
chuvpilo.medium.com/ai-research-rankings-2020-can-the- and-the-prcs-vision-for-global-internet-governance.
communications link opened between Beijing and Shanghai’, 52 China National Computer Network Emergency Response Team,
OpenGovAsia, 28 October 2017, https://opengovasia.com/ ‘2016 Nián wǒguó hùliánwǎng wǎngluò ānquán tàishì zòngshù’,
China Morning Post, 9 January 2021, https://www.scmp. 54 China Internet Network Information Center, ‘Statistical
43 IISS, The Military Balance 2021 (Abingdon: Routledge for the 57 Samm Sacks and Robert O’Brien, ‘What to Make of the Newly
IISS, 2021), pp. 48, 191, 250. Established Cybersecurity Association of China’, Center for
44 Defence Intelligence Agency, ‘Challenges to Security in Strategic and International Studies, 25 May 2016, https://
Space’, January 2019, https://www.dia.mil/Portals/27/ www.csis.org/analysis/what-make-newly-established-
Documents/News/Military%20Power%20Publications/ cybersecurity-association-china.
Space_Threat_V14_020119_sm.pdf. 58 Samm Sacks and Manyi Kathy Li, ‘How Chinese Cybersecurity
45 Andrew Tate, ‘China integrates long-range surveillance Standards Impact Doing Business in China’, CSIS, 2
capabilities’, Jane’s Intelligence Review, vol. 29, no. 12, December August 2018, https://www.csis.org/analysis/how-chinese-
2017. See also Timothy Heath, ‘China’s Pursuit of Overseas cybersecurity-standards-impact-doing-business-china.
Security’, RAND Corporation, 2018, p. 30, https://www. 59 Dora Wang, Charmian Aw and Cindy Shen, ‘MLPS 2.0: China’s
Creation of the PLA Strategic Support Force and its Implications “Supply Chain Security” in “Critical” Industries [Translation]’,
for Chinese Military Space Operations’, RAND Corporation, New America, 27 April 2020, http://newamerica.org/
research_reports/RR2000/RR2058/RAND_RR2058.pdf. reviews-eye-supply-chain-security-critical-industries-translation.
48 Semiconductor Industry Association, ‘2020 – State of the U.S. 61 Emma Rafaelof et al., ‘Translation: China’s Data
Semiconductor Industry’, p. 8, https://www.semiconductors.org/ Security Law (Draft)’, New America, 2 July 2020, http://
wp-content/uploads/2020/07/2020-SIA-State-of-the-Industry- newamerica.org/cybersecurity-initiative/digichina/blog/
Report-FINAL-1.pdf. translation-chinas-data-security-law-draft.
Law: What Businesses Should Know’, Lexology, 2 International Security’ until 2018, when it was renamed the GGE
63 Cybersecurity Association of China (CAICT), ‘2020 Nián is common to refer to it simply as ‘the GGE’. See UN Office for
zhōngguó wǎngluò ānquán chǎnyè tǒngjì bàogà’, p. 8, https:// Disarmament Affairs, ‘Developments in the field of information
products and services in cyber security for companies whose 72 United Nations General Assembly, ‘Resolutions adopted by
revenue arising from that sector is at least 50% of their total the General Assembly on 5 December 2018: Developments in
revenue. This report includes the data from around 500 cyber- the field of information and telecommunications in the context
security companies in China and can be regarded as a reliable of international security’, Resolution 73/27, 11 December
estimate compatible with similar estimates made in previous 2018, https://undocs.org/en/A/RES/73/27. The OEWG’s full
years for the sector as a whole. The CAICT has published a name is the Open-ended Working Group on Developments
much higher estimate but that includes many products and in the Field of Information and Telecommunications in the
services not normally included in the cyber-security sector. Context of International Security. For details on its activities,
64 See Gartner, ‘Gartner Forecasts Worldwide Security and Risk see United Nations Office for Disarmament Affairs, ‘Open-
Management Spending Growth to Slow but Remain Positive ended Working Group’, https://www.un.org/disarmament/
65 Statista, ‘Leading cybersecurity vendors by market share priorities’, Journal of Cyber Policy, vol. 3, no. 3, 2018, p. 313.
worldwide from 2017 to 2020’, 2 July 2020, https://www.statista. 74 Zaagman, ‘Cyber Sovereignty and the PRC’s Vision for Global
68 See Austin and Lu, ‘Five Years of Cyber Security Education chàngyì’, 8 September 2020, https://www.fmprc.gov.cn/web/
69 An overview of China’s participation in debates on global norms 77 See National People’s Congress of the People’s Republic of
for cyberspace can be found in Greg Austin, ‘International legal China, ‘Zhōnghuá rénmín gònghéguó mìmǎ fǎ (2019 nián 10
norms in cyberspace: Evolution of China’s national security yuè 26 rì dì shísān jiè quánguó rénmín dàibiǎo dàhuì chángwù
motivations’, in Anna Maria Osula and Henry Roigas (eds), wěiyuánhuì dì shísì cì huìyì tōngguò’), 26 October 2019, http://
Rodham Clinton, Secretary of State, Washington DC, 21 January in the framework of the World Summit for the Information
2010/01/135519.htm. 2002 and 2003. See ‘The Internet Governance Forum (IGF)’,
71 Since a UN General Assembly resolution in 2004, a UN Group UN Internet Governance Forum, 24 June 2015, https://www.
terms to address international-security aspects of cyberspace. 79 Adam Segal, ‘When China Rules the Web: Technology in Service
It was known as the GGE on ‘Developments in the Field of the State’, Foreign Affairs, vol. 7, no. 5, September–October
80 Nigel Inkster, China’s Cyber Power, Adelphi 456 (Abingdon: 84 Amy Chang, ‘Warring State: China’s Cybersecurity Strategy’,
Routledge for the IISS, 2015). Center for a New American Security, December 2014, p. 25,
82 For the tech companies in the 2020 Fortune Global 500 ranking, Brief, vol. 15, no. 8, April 2015, p. 5, https://jamestown.org/
‘Global 500’, Fortune, https://fortune.com/global500/2020/searc 86 Pollpeter, ‘Chinese Writings on Cyberwarfare and Coercion’, p. 7.
83 Kevin Pollpeter, ‘Chinese Writings on Cyberwarfare and Warfare: Lessons from the Science of Military Strategy’, p. 5.
Coercion’, in Jon R. Lindsay, Tai Ming Cheung and Derek S. 88 Pollpeter, ‘Chinese Writings on Cyberwarfare and Coercion’, p. 8.
Reveron (eds), China and Cybersecurity: Espionage, Strategy, and 89 Ibid., pp. 13–14.
Russia’s cyber strategy is dictated by its confronta- the West, and particularly the United States. It has
tion with the West, in which it sees cyber operations credible offensive cyber capabilities and has used
as an essential component of a wider information them extensively as part of a much broader strat-
war. Its cyber governance is centralised, hierarchi- egy aimed at disrupting the policies and politics of
cal and under the president’s personal control. The perceived adversaries, especially the US. It has run
country is highly dependent on foreign ICT corpo- extensive cyber-intelligence operations, some of
rations and has a less impressive digital economy which reveal increasing levels of technical sophisti-
than, for example, the United Kingdom or France. cation. However, Russia appears not to have given
It is seeking to redress key weaknesses in its cyber priority to developing the top-end surgical cyber
security through government regulation and the capabilities needed for high-intensity warfare.
creation of a sovereign internet, and by encouraging Overall, Russia is a second-tier cyber power. To join
the development of an indigenous digital industry. the US in the first tier it would need to substantially
Given its economic circumstances, these ambitions improve its cyber security, increase its share of the
may prove unrealistic. For two decades Russia has global digital market and probably make further
led, with some successes, diplomatic efforts to cur- progress in developing the most sophisticated offen-
tail what it sees as the dominance of cyberspace by sive military cyber tools.
List of acronyms
FSB Federal Security Service KGB Committee of State Security
FSTEK Federal Service for Technical and Export Control SORM operational investigative-measures system
GRU Main Intelligence Directorate SVR External Intelligence Service
ICT information and communications technology
Notes
1 Valery Gerasimov, ‘Tsennost’ nauki v predvidenii’, Voenno- 6 See the chapter ‘Russia under Threat’ in Keir Giles, Moscow
promyshlennyi kurier, 27 February 2013, https://vpk-news.ru/ Rules: What Drives Russia to Confront the West (Washington DC:
in Mark Galeotti, ‘The “Gerasimov Doctrine” and Russian 7 Office of the President, ‘The Military Doctrine of the Russian
bezopasnosti Rossiiskoi Federatsii’, 6 December 2016, https:// Soldiers! Hands Up! Lay Down Your Weapons!”’, Observer.
Information Security Doctrine: Guarding a besieged cyber 10 Keir Giles, ‘Assessing Russia’s Reorganized and Rearmed
fortress’, Finnish Institute of International Affairs, Comment Military’, Carnegie Endowment for International Peace, May 2017,
4 Ministry of Defence, ‘Kontseptual’nye vzgliady na Ministry: Russia Sending SMS Messages Asking Residents of
deiatel’nost’ Vooruzhionnykh Sil Rossiiskoi Federatsii v Ukrainian Border Regions to Appear at Nearest Military Units’,
informatsionnom prostranstve’, 22 December 2011, http:// Ukrainian News, 27 November 2018, https://ukranews.com/en/
ens.mil.ru/science/publications/more.htm?id=10845074@ news/598565-defense-ministry-russia-sending-sms-messages-
cmsArticle. asking-residents-of-ukrainian-border-regions-to-appear.
5 Office of the President, ‘The Military Doctrine of the Russian 11 Ministry of Defence, ‘Nachal’nik General’nogo shtaba VS RF
Federation’, 25 December 2014, https://rusemb.org.uk/press/2029. general armii Valeriy Gerasimov provel brifing dlya inostrannykh
news_page/country/more.htm?id=12331668@egNews. sea, the exclusive economic zone, the continental shelf and
12 Ministry of Defence, ‘Prevoskhodstvo v kiberprostranstve their natural resources, ensuring the information security
stanovitsya odnim iz usloviy pobedy v voynakh’, 22 April of Russia and exercising the basic functions of the federal
13 This observation is based on a review of the contents in two executive bodies’. See Russian Government, ‘Federal Security
key journals, Voennaia mysl’ and Informatsionnye voiny, from Service’, http://government.ru/en/department/113.
2017 to 2021. A possible explanation of the lack of attention to 24 Sluzhba vneshnei razvedki
the technical aspects is that in Russia there is much less public 25 Glavnoe razvedyvatel’noe upravlenie
14 Federal’naia sluzhba bezopasnosti 27 United States Office of the Director of National Intelligence,
15 See President of Russia, ‘Security Council structure’, http:// ‘Assessing Russian Activities and Intentions in Recent US
center to counter cyberattacks’, Russia Today, 11 September 28 Mark Galeotti, ‘Russian intelligence is at (political) war’, NATO
attacks. also-in-2017/russian-intelligence-political-war-security/en/
18 Responsibility for key missions was assigned to FSTEK in 30 Keir Giles and Kim Hartmann, ‘Socio-Political Effects of Active
Decree no. 569 of 25 November 2017, ‘Ukaz Prezidenta RF ot Cyber Defence Measures’, in P. Brangetto, M. Maybaum and
25 noiabria 2017 g. N 569 “O vnesenii izmenenii v Polozhenie J. Stinissen (eds), 6th International Conference on Cyber Conflict,
o Federal’noi sluzhbe po tekhnicheskomu i eksportnomu Proceedings (Tallinn: NATO CCDCOE Publications, 2014),
19 Roger McDermott, ‘Russia Activates New Defense Understanding of Russian Hacking Grows, So Does Alarm’,
Management Center’, Eurasia Daily Monitor, vol. 11, no. New York Times, 2 January 2021, https://www.nytimes.
196, 2 November 2014, https://jamestown.org/program/ com/2021/01/02/us/politics/russian-hacking-government.html.
20 Keir Giles, ‘Russia’s “New” Tools for Confronting the West – Debate’, Washington Post, 8 December 2011, https://www.
2016, p. 25, https://www.chathamhouse.org/sites/default/files/ 34 Andrew Foxall, ‘Putin’s Cyberwar: Russia’s Statecraft in the
publications/2016-03-russia-new-tools-giles.pdf. Fifth Domain’, Russia Studies Centre Policy Paper no. 9 (2016),
21 Ministry of Defence, ‘Nachal’nik NTsUO general-polkovnik The Henry Jackson Society, May 2016, https://www.
oborony v 2020 godu”’, 20 November 2020, https://function.mil. 35 Cory Bennett, ‘Kremlin’s ties to Russian cyber gangs sow US
national security of the Russian Federation, counterterrorism, 36 For the tech companies in the 2020 Fortune Global 500 ranking,
the protection and defence of the state border of the Russian see ‘Global 500’, Fortune, https://fortune.com/global500/2020/
h/?sector=Telecommunications. 48 Ibid.
37 Office of the President, ‘Ukaz Prezidenta Rossiiskoi Federatsii o 49 CERT-GIB was originally a Russian private-sector initiative,
Strategii po razvitii informatsionnogo obshchestva v Rossiiskoi in 2011, which has since grown into a global business. See
38 Sergey Sukhankin, ‘Russia Adopts New Strategy for 51 Dmitriy Kuznetsov, ‘GosSOPKA: chto takoe, zachem nuzhna i
Development of Information Society’, Eurasia Daily Monitor, kak ustroena’, Anti-Malware.ru, 2 April 2019, https://www.anti-
39 Fond obshchestvennoe mnenie, ‘Internet i onlain servisy’, 31 oblasti GosSOPKA i bezopasnosti KII’, Positive Technologies,
40 Ibid. knowledge-base/terminology-gossopka-kii-full-version.
41 ‘The Inclusive Internet Index 2020’, Economist Intelligence 52 Kuznetsov, ‘GosSOPKA: chto takoe, zachem nuzhna i kak
42 ‘Russia’s Communications Ministry plans to isolate the RuNet 12 July 2019, http://www.comnews.ru/content/120767/2019-07-12/
43 See Juha Kukkola, ‘The Russian Segment of the Internet as a Gosudarstvennoi sistemy obnaruzheniia, preduprezhdeniia
Resilient Battlefield’, in Juha Kukkola, Mari Ristolainen and likvidatsii posledstvii komp’iuternykh atak (GosSOPKA) i
Juha-Pekka Nikkarila (eds), GAME PLAYER: Facing the structural vklyuchenie ego v sistemu avtomatizirovannogo obmena
transformation of cyberspace (Helsinki: Finnish Defence Research informatsiei ob aktual’nykh kiberugrozakh’, Ofitsial’nyi
Agency, 2019), pp. 117–32, https://maanpuolustuskorkeakoulu. internet-portal pravovoi informatsii, 9 October 2019, http://
fi/documents/1948673/10330463/PVTUTKL+julkaisuja+11+Ga publication.pravo.gov.ru/Document/View/0001201910090023.
me+Player.pdf/9ff35e9b-3513-c490-c188-3e3f18e71bdd/PVTUT 55 ‘2020: Zapusk Tsentra monitoringa i reagirovaniia s pravom
45 Union of Concerned Scientists, ‘UCS Satellite Database’, 1 pol’zovatelei’, The Bell, 11 February 2020, https://thebell.io/fsb-
augmented in 2019 with tougher penalties for non- 57 GMA Consult Group, ‘Russia Authorizes 16 Preinstalled
compliance. See Gorodissky and Partners, ‘Russia Sets Applications for All Smartphones and Tablets’, 20 December
47 ‘Russian court fines Twitter and Facebook 62,840 dollars each Human Rights Watch, 18 June 2020, https://www.hrw.org/news/
Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/ 69 Anton Troianovski and David E. Sanger, ‘Putin Wants a Truce
61 ‘DDoS attacks on Russian online retailers double in 2020’, Times, 25 September 2020, https://www.nytimes.com/2020/09/25/
62 ‘Data leaks from Banks of Russia’, TAdviser, 29 January 2021, 70 The OEWG’s full name is the Open-ended Working
financial_sector_in_Russia_grew_by_a_third. For details on its activities, see United Nations Office for
63 Lawrence Abrams, ‘Russian government warns of US Disarmament Affairs, ‘Open-ended Working Group’, https://
64 Presidential Administration, ‘Federal Security Service Board Post, 22 December 2017, https://www.washingtonpost.com/
president/news/65068. vital-undersea-cables-its-making-nato-nervous/2017/12/22/
Interior Ministry Board’, 3 March 2021, http://en.kremlin.ru/ 72 Andy Greenberg, ‘A Brief History of Russian Hackers’ Evolving
povelo itogi pervykh uchenii po zakonu o “suverennom 73 Anton Troianovski and Ellen Nakashima, ‘How Russia’s
RuNete”’, Vedomosti, 23 December 2019, https://www. military intelligence agency became the covert muscle in
of Information and Telecommunications in the Context of Bodies Data: Security Service of Ukraine’, Security Service of
International Security’ until 2018, when it was renamed the GGE Ukraine, 6 May 2020, https://www.sbu.gov.ua/en/news/1/
Context of International Security’. In cyberspace-policy circles it 75 White House, ‘Press Briefing by Press Secretary Jen Psaki and
is common to refer to it simply as ‘the GGE’. See UN Office for Deputy National Security Advisor for Cyber and Emerging
Disarmament Affairs, ‘Developments in the field of information Technology Anne Neuberger, February 17, 2021’, https://
https://www.un.org/disarmament/ict-security. press-briefing-by-press-secretary-jen-psaki-and-deputy-national-
Iran regards itself as being in an intelligence and Iran will not be able to boost its indigenous cyber-
cyber war with its enemies. In 2010, when the Stuxnet defence capability easily or quickly. Its overall cyber
attack on Iran by the United States and Israel was capabilities do not match the scale and sophistica-
revealed, the country had little access to international tion of its ballistic-missile or nuclear programme. For
cyber-security suppliers and only a very small num- example, it lacks the resources, talent and technical
ber of domestic researchers in the field. Since then, infrastructure needed to develop and deploy sophis-
however, it has become a determined cyber actor ticated offensive cyber capabilities, even though it has
against US, Gulf Arab and Israeli interests. At the used lower-level offensive cyber techniques widely,
same time, a perceived need to quell domestic oppo- with some success. Iran is a third-tier cyber power
sition through increased internal cyber surveillance that makes use of less sophisticated cyber technolo-
has dovetailed with the government’s desire to coun- gies and operational capabilities to serve its strategic
ter external threats. However, economic depression, goals, which include espionage, power projection
political turmoil and internal deficiencies suggest that and strategic signalling.
List of acronyms
CERT Computer Emergency Response Team MOIS Ministry of Intelligence and Security
ICT information and communications technology NCC National Cyberspace Center
IRGC Islamic Revolutionary Guard Corps NPDO National Passive Defense Organization
IRGC-IO Islamic Revolutionary Guard Corps Intelligence
Organization
Notes
1 Daniel Baldino and Jarrad Goold, ‘Iran and the emergence of com/service/iran/archive/2013/02/02/387239/story.
of revolution?’, Australian Journal of International Affairs, vol. 7 Zak Doffman, ‘Iran: “We Will Beat U.S. in Intelligence War” and
68, no. 1, 2014, pp. 17–35, p. 28. “Punish Mistakes With Crushing Strikes”’, Forbes, 19 May 2019,
UNIDIR Cyber Policy Portal, ‘Iran (Islamic Republic of)’, https:// we-will-beat-u-s-in-intelligence-war-and-punish-mistakes-
cyberpolicyportal.org/en/state-pdf-export/eyJjb3VudHJ5X2 with-crushing-strikes/?sh=9a225d25e16d.
3 See Small Media, ‘Iranian Internet Infrastructure and Policy to Any Cyber Threat’, Fars News Agency, 17 August 2020,
default/files/u8/IIIP_Feb2014.pdf. f-Iranian-Armed-Frces-Warns-f-Tgh-Reacin-Any-Cyber-Threa.
4 Ibid., p. 7. 9 See also International Institute for Strategic Studies, Iran’s Networks
5 Ibid., p. 4. of Influence in the Middle East (London: IISS, 2019), pp. 27–8.
6 ‘Iran Enjoys 4th Biggest Cyber Army in World’, Ahlul 10 Official Gazette of Iran, ‘Mosavabbe shoraye aali fazaye
Bayt News Agency, 2 February 2013, https://en.abna24. majazi dar khosoos siyasat haye hakem bar rah andazi noghat
aspx?Code=1152. articles/sci-tech/101979/iran-gov-t-outlines-projects-to-expand-
intelligence agencies, but also act as political police to suppress 22 Jamal Sophieh, ‘An Overview of Digital Economy and
12 Congressional Research Service, ‘Iranian Offensive Cyber Communications Technology, workshop presentation, July
mideast/IF11406.pdf. AsiaPacific/SiteAssets/Pages/Events/2019/jul-iran-dtx/
com/news/world-middle-east-53345885. According to the BBC, 23 ‘Qatar, UAE, Iran and Egypt Making Big Strides in Digital
Soleimani was one of the most powerful intelligence officials in Inclusion’, Consultancy-me.com, 3 March 2021, https://www.
14 ‘Mohsen Fakhrizadeh: “Machine-gun with AI” used to kill Iran 24 ‘Iran Unveils Four Mega Projects to Boost Digital Economy’,
scientist’, BBC News, 7 December 2020, https://www.bbc.com/ Iran Front Page, 28 May 2020, https://ifpnews.com/
news/world-middle-east-55214359. iran-unveils-four-mega-projects-to-boost-digital-economy.
15 See ‘Markazeh modiriyat emdaad va hamahangie amaliyate 25 ‘Iran to Open Second Largest Data Center over Weekend:
rokhdad haye rayaneh ei’, https://cert.ir/index. Minister’, Pars Today, 25 June 2020, https://parstoday.com/en/
Intelligencer, Summer 2015, pp. 64–5, https://www.afio.com/ 26 See S.F. Wamba et al., ‘Are we preparing for a good AI society?
in intelligence operations’, Janes, 19 August 2020, sd_all; and Jiqiang Niu et al., ‘Global research on artificial
18 Insikt Group, ‘Despite Infighting and Volatility, Iran Maintains no. 66, pp. 7–9, https://www.mdpi.com/2220-9964/5/5/66/pdf.
Aggressive Cyber Operations Structure’, Recorded Future, 27 Kyle Bergquist and Carsten Fink, ‘The Top 100 Science
2020, pp. 13–21, https://go.recordedfuture.com/hubfs/reports/ and Technology Clusters’, World Intellectual Property
Iran Uses Contractors and Universities to Conduct Cyber Times, 2 January 2021, https://www.tehrantimes.com/
20 ‘Iran Unveils Four Mega Projects to Boost Digital Economy’, Iran’s Startups’, Atlantic Council, 7 February 2020, https://www.
by Iranian economists, see Amir Hossein Mozayani and 30 Najmeh Bozorgmehr, ‘Start-up Republic: Can Iran’s Booming
Niloofar Moradhassel, ‘How Much Has ICT Contributed Tech Sector Thrive?’, Financial Times, 17 April 2018, https://
and Politics, vol. 1, no. 1, 2020, pp. 57–68, http://jep.sbu.ac.ir/ 31 International Monetary Fund, ‘Islamic Republic of Iran’,
States Stay Ahead of China?’, 21 December 2020, https:// can keep operating if the Internet is cut off’. He also reported plans
33 Bach Xuan Tran et al., ‘Global evolution of research in artificial News Agency, 21 October 2019, https://www.farsnews.ir/en/
34 ‘Iran, Russia to Cooperate on Artificial Intelligence Research’, Iran Press, 22 December 2018, https://iranpress.com/en/
ir/news/84025992/Iran-Russia-to-cooperate-on-artificial-intelligence- achievements.
35 ‘Iran uses “artificial Intelligence” in drone drill’, Mehr Rising Cyber Threats’, Financial Tribune, 19 May 2019, https://
news/168208/Iran-uses-artificial-intelligence-in-drone-drill. fortress-to-forestall-rising-cyber-threats.
36 Michael Rubin, ‘Even Iran Wants an AI-Powered Military 46 See Y.M. Ramezan et al., ‘The Role and Influence of the
Drones’, National Interest, 25 December 2020, https:// Digital Economy on the Strategic Model for Development of
military-drones-175202. of Iran’, Journal of National Security, vol. 10, no. 35, Spring
37 Andrew Hanna, ‘Iran’s Ambitious Space Program’, The 2020, pp. 327–58, https://www.sid.ir/en/journal/ViewPaper.
Iran Primer, United States Institute for Peace, updated 1 aspx?ID=749286. The Journal of National Security is published
February 2021, https://iranprimer.usip.org/blog/2020/jun/23/ by the Supreme National Defense University of Iran. In the
iran%E2%80%99s-ambitious-space-program. abstract of their article, the authors state that ‘the main issue
38 ‘Iran Launches Its First Military Satellite’, Al-Jazeera, 22 … is the lack of a well-designed and strategic model for the
39 Michael Elleman and Mahsa Rouhi, ‘The IRGC Gets into the Index 2018’, p. 64, https://www.itu.int/dms_pub/itu-d/opb/str/
Studies blog, 1 May 2020, https://www.iiss.org/blogs/ 48 International Telecommunication Union, ‘Global Cybersecurity
41 Farzin Nadimi, ‘Iran’s Passive Defense Organisation: Another 49 ISACA – formerly the Information Systems Audit and Control
Target for Sanctions’, The Washington Institute, 16 August 2018, Association, but now known only by its acronym – is dedicated
‘Disaster risk governance in Iran: Document analysis’, Journal 51 The Cybersecurity Alliance for Mutual Progress brings together
of Education and Health Promotion, vol. 8, 2019, Table 5, https:// government bodies, public organisations and non-profit
43 BBC Monitoring, ‘Iranian Passive Defence Organization organizes developing economies. See https://www.cybersec-alliance.org/
2011. The head of the NPDO, Brigadier-General Gholamreza 52 For some background, see ‘U.S.–Iran Tensions: Implications
Jalali, reported in October 2019 that it had held five exercises for Homeland Security’, Hearing before the Committee
in the year from 21 March 2018 to 20 March 2019, focusing on on Homeland Security, House of Representatives, 116th
the ‘functioning of cyberspace and the internet’. Among the Congress, 2nd Session, 15 January 2020, https://www.
53 For a list of similar attacks in the years since 2012, see Andrew https://www.haaretz.com/israel-news/tech-news/.premium.
Hanna, ‘The Invisible U.S.–Iran Cyber War’, The Iran Primer, HIGHLIGHT-iranian-cyberattack-claims-new-victim-and-
com/en/consulting/our-thinking/understanding-the- banks-ny-dam.
55 Catalin Cimpanu, ‘Two more cyber-attacks hit Israel’s water Infrastructure: The Implications of U.S.–Iranian Escalation’,
two-more-cyber-attacks-hit-israels-water-system/. com/s3fs-public/publication/Jones_IransThreatSaudi_layout_
Defense Corporation, Leaks Data on Dark Web’, International 60 Insikt Group, ‘Despite Infighting and Volatility, Iran Maintains
Business Times, 21 December 2020, https://www.ibtimes.sg/ Aggressive Cyber Operations Structure’, Recorded Future,
corporation-leaks-data-dark-web-54341. 2020-0409.pdf.
North Korea’s cyber strategy is probably not formal- government and depends on a very small number of
ised and its operations have been characterised by gateways provided by Chinese and Russian service
opportunism. Little is known of its cyber-policy eco- providers – a lack of diversity that makes the con-
system. Since 2015 its publicly revealed cyber activity nections highly vulnerable to disruption. The coun-
has consisted mainly of large-scale cyber fraud and try’s level of cyber security is among the lowest in
extortion as a way of bolstering the country’s access the world. North Korea’s undertakings in cyberspace
to hard currency. It has also carried out acts of cyber are hampered by a low cyber-skills base, largely the
sabotage, including in retaliation for perceived insults result of its self-imposed isolation, weak education
to the leadership of the ruling Korean Workers’ Party. system and underdeveloped ICT sector. It has played
Control of cyber policy is firmly in the hands of the almost no part in global cyber diplomacy and has few
leadership, operating through the structures of the international relationships to support its cyber ambi-
party and the armed forces. North Korea lacks any tions. Despite its penchant for conducting offensive
sophisticated cyber-intelligence capability. It has a cyber operations, the techniques used are relatively
basic digital ecosystem, with between three and five basic, as it lacks the capability for sustained or sophis-
million devices connected to internal mobile net- ticated operations. Overall, though its cyber opera-
works, including via a government intranet. Access tions have achieved some global notoriety, North
to the global internet is strictly controlled by the Korea is a third-tier cyber power.
List of acronyms
ICT information and communications technology RGB Reconnaissance General Bureau
KWP Korean Workers’ Party
Notes
1 See Ji Young Kong, Jong In Lim and Kyoung Gon Kim, 11 Jenny Jun, Scott LaFoy and Ethan Sohn, North Korea’s
‘The All-Purpose Sword: North Korea’s Cyber Operations Cyber Operations (Washington DC: Center for Strategic and
and Strategies’, in T. Minárik et al. (eds), 11th International International Studies, 2016), https://www.csis.org/analysis/
CCDCOE Publications, 2019), pp. 1–20, https://ccdcoe.org/ 12 In-bum Chun, ‘North Korea’s Military Strategy’, Korea Economic
2 Ibid., p. 1. publication/north-korea%E2%80%99s-military-strategy-2018.
Involving the Democratic People’s Republic of Korea: Annual ‘Unit’ is one of the possible translations of the Korean word
Report to Congress, Washington DC’, 2012, https://archive. gug; alternatives include ‘bureau’ and ‘station’.
Security_Developments_Involving_the_DPRK.pdf. go.recordedfuture.com/hubfs/reports/north-korea-activity.pdf.
5 Jenny Jun, ‘Cyber Coercion: Insights from North Korea’s Cyber 15 Kong, Lim and Kim, ‘The All-Purpose Sword’, p. 6, citing
Campaigns’, unpublished paper, 2020, p. 1. Moonbeom Park, ‘Let’s learn about enemy through various
6 Ibid., pp. 6–7. IoCs of real APT cases’, In DragonCon 2018, 8 December 2018,
7 Edgar Alvarez, ‘Sony Pictures Hack: The Whole Story’, Dragon Threat Labs.
Engadget, 10 December 2014, https://www.engadget. 16 Ibid., p. 6, citing Mok Yongjae, ‘6 Cyber Units were built after
8 United Nations Security Council, ‘Report of the Panel of 17 Ibid., p. 6, citing Matthew Ha and David Maxwell, ‘Kim Jong
Experts established pursuant to resolution 1874 (2009), Un’s “All-Purpose Sword” – North Korean Cyber-Enabled
S/2019/691’, 30 August 2019, pp. 2, 26, https://www. Economic Warfare’, Foundation for Defense of Democracies,
8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf. uploads/2018/09/REPORT_NorthKorea_CEEW.pdf.
9 United States US-CERT, ‘North Korea Threat Advisory’, jointly 18 ‘APT 37 (Reaper): The Overlooked North Korean Actor’,
with the Department of State, the Department of Justice and FireEye, 2018, https://www2.fireeye.com/rs/848-DID-242/
Threat_Advisory_04152020_S508C.pdf. fireeye.com/apt/rpt-apt38.
United Nations Security Council, 2 March 2020, https://undocs. 22 US Department of State et al., ‘Guidance on the North
Advisory_04152020_S508C.pdf. internet-sanctions.html.
23 HP Security Research, ‘Profiling an enigma: The mystery 36 Joel Gunter, ‘Analysis of North Korea’s computer system
of North Korea’s cyber threat landscape, 2014’, HP Security reveals spy files’, BBC News, 28 December 2015, https://www.
pdf; and Department of the Army, ‘North Korean Tactics’, p. E-1. business in China despite lower numbers’, Daily NK, 19 April
25 Jason Bartlett, ‘Why Is North Korea So Good at Cybercrime?’, American Technology for Internet Operations’, Insikt Group,
why-is-north-korea-so-good-at-cybercrime. 0606.pdf.
26 Pratik Jakhar, ‘North Korea’s high-tech pursuits: Propaganda 39 See also Martyn Williams, ‘Kim Chaek University ranks 8th in
or progress?’, BBC News, 15 December 2018, https://www.bbc. international programming contest’, North Korea Tech, 4 May
27 Ellen Nakashima, Gerry Shih and John Hudson, ‘Leaked university-icpc-2019; and Kelly Kasulis, ‘North Korean college
documents reveal Huawei’s secret operations to build North coders beat Stanford University in a 2016 competition. Here’s
Korea’s wireless network’, Washington Post, 22 July 2019, why that matters’, Mic, 4 December 2017, https://www.mic.
https://www.washingtonpost.com/world/national-security/ com/articles/186412/north-korean-college-coders-beat-stanford-
leaked-documents-reveal-huaweis-secret-operations-to-build- university-in-a-2016-competition-heres-why-that-matters.
28 Martyn Williams, ‘North Korea’s Koryolink: Built for 5, Keio University Global Research Institute, https://www.kgri.
www.38north.org/2019/07/mwilliams072219. 41 See also Hui, ‘North Korean web developers still in business in
29 ‘ICT in N. Korea 2’, KBS World Radio, 31 January 2019, https:// China despite lower numbers’.
31 Kim Ji-eun and Noh Ji-won, ‘North Korea’s Smartphone Industry Kwangmyongsong-3 and Kwangmyongsong-4 in 2012 and 2016
Rapidly on the Rise’, HanKyoreh, 17 March 2019, http://english. respectively, see ‘KMS 3-2’, NASA Space Science Data and
hani.co.kr/arti/english_edition/e_northkorea/886255.html. Coordinated Archive, 14 May 2020, https://nssdc.gsfc.nasa.
32 ‘How North Korea Revolutionized the Internet as a Tool for gov/nmc/spacecraft/display.action?id=2012-072A; and ‘KMS4’,
Rogue Regimes’, Recorded Future, 9 February 2020, p. 5, https:// NASA Space Science Data and CoordinatedArchive, 14 May 2020,
go.recordedfuture.com/hubfs/reports/cta-2020-0209.pdf. https://nssdc.gsfc.nasa.gov/nmc/spacecraft/display.action?id=
33 Ibid. 2016-009A.
34 Insikt Group, ‘Shifting Patterns in Internet Use Reveal 44 ‘Space Threat 2018: North Korea Assessment’, CSIS
Adaptable and Innovative North Korean Ruling Elite’, Aerospace, 12 April 2018, https://aerospace.csis.org/
35 David E. Sanger, ‘North Korea’s Internet Use Surges, Thwarting New Satellites?’, Asia Times, 19 December 2017, https://asiatimes.
Sanctions and Fueling Theft’, New York Times, 11 June 2020, com/2017/12/real-purposes-pyongyangs-new-satellites.
uploads/2020/03/Harrison_SpaceThreatAssessment20_WEB_ f41773cd5a14_story.html.
FINAL-min.pdf#page=52. 51 ‘Significant Cyber Incidents Since 2006’, Center for Strategic and
47 Bruce Harrison, ‘How North Korea Recruits Its Army of Young International Studies, https://csis-website-prod.s3.amazonaws.
49 International Telecommunication Union, ‘Global Cybersecurity Cyber Strategy 2018’, September 2018, pp. 1–2, https://
D-STR-GCI.01-2018-PDF-E.pdf. STRATEGY_SUMMARY_FINAL.PDF.
50 Karen DeYoung, Ellen Nakashima and Emily Rauhala, 54 ‘Alert (AA20-106A): Guidance on the North Korean Cyber
‘Trump Signed Presidential Directive Ordering Actions to Threat’, Cybersecurity and Infrastructure Security Agency, 15
Pressure North Korea’, Washington Post, 30 September 2017, April 2020 (revised 23 June 2020), https://us-cert.cisa.gov/ncas/
https://www.washingtonpost.com/world/national-security/ alerts/aa20-106a.
Despite the geostrategic instability of its region and a a vibrant start-up culture and a very large talent
keen awareness of the cyber threat it faces, India has pool. The private sector has moved more quickly
made only modest progress in developing its policy than the government in promoting national cyber
and doctrine for cyberspace security. Its approach security. The country is active and visible in cyber
towards institutional reform of cyber governance diplomacy but has not been among the leaders on
has been slow and incremental, with the key global norms, preferring instead to make productive
coordinating authorities for cyber security in the civil practical arrangements with key states. From the
and military domains only established in 2018 and little evidence available on India’s offensive cyber
2019 respectively. They work closely with the main capability, it is safe to assume it is Pakistan-focused
cyber-intelligence agency, the National Technical and regionally effective. Overall, India is a third-
Research Organisation. India has a good regional tier cyber power whose best chance of progressing
cyber-intelligence reach but relies on partners, to the second tier is by harnessing its great digital-
including the United States, for wider insight. The industrial potential and adopting a whole-of-society
strengths of the Indian digital economy include approach to improving its cyber security.
List of acronyms
CERT-In Computer Emergency Response Team India NCCC National Cyber Coordination Centre
DCA Defence Cyber Agency NCIIPC National Critical Information Infrastructure Protection
DIA Defence Intelligence Agency Centre
DSCI Data Security Council of India NTRO National Technical Research Organisation
IB Intelligence Bureau RAW Research and Analysis Wing
ICT information and communications technology
Notes
2 Aditi Agrawal, ‘India’s cybersecurity strategy policy in ‘Joint Doctrine – Indian Armed Forces’, 2017, https://
says-national-cybersecurity-coordinator-rajesh-pant. j.com/MediaReport/DocumentIndianArmyLandWarfareDoctrine
3 Elizabeth Roche, ‘PM Modi says India to have new cyber 2018.pdf.
security policy soon’, Livemint, 15 August 2020, https://www. 8 Tarun Krishnakumar, ‘Cyber Insecurity: Regulating the Indian
could be out of game’, Economic Times, 21 January 2021, 9 B. Raman, ‘Possible Misuse of New TECHINT Capabilities’,
formulating-new-action-plan-chinese-telecom-giants-could- indiandefencereview.com/spotlights/possible-misuse-of-new-
be-out-of-game/80391251. techint-capabilities.
5 Data Security Council of India, ‘National Cyber Security 10 Saikat Datta, ‘Low on the IQ’, Outlook, 4 July 2005, https://
Interception, Monitoring and Decryption of Information) Rules, and Resilience, The Australian Government for the Quad Tech
2009’, The Centre for Internet & Society, https://cis-india.org/ Network, February 2021, p. 8, https://www.orfonline.org/
internet-governance/resources/it-procedure-and-safeguards-for- wp-content/uploads/2021/02/thedigitalindopacific.pdf.
12 Vinod Anand, ‘Defence Reforms and Naresh Chandra Task Force Transform a Connected Nation’, March 2019, https://www.
defence-reforms-and-naresh-chandra-task-force-review. technology%20to%20transform%20a%20connected%20nation/
14 ‘India now has a National Cyber Coordination Centre (NCCC) 23 Romita Majundar, ‘Gender gap in mobile and internet usage
to monitor cyber threats’, India Today, 11 August 2007, https:// in India as per GSMA report’, Business Standard, 9 March 2019,
www.indiatoday.in/education-today/gk-current-affairs/story/ https://www.business-standard.com/article/economy-policy/
nccc-cyber-india-1029203-2017-08-11. gender-gap-in-mobile-and-internet-usage-in-india-as-per-
forces, cyber security, and space’, Jane’s Defence Weekly, 16 May 24 Digital Empowerment Foundation, ‘About’, undated, https://
2019. www.defindia.org/national-digital-literacy-mission.
16 See Mahendra Kumawat and Vinay Kaura, ‘Building the 25 Ray et al., The Digital Indo-Pacific: Regional Connectivity and
17 See Udbhav Tiwari, ‘The Design & Technology Behind India’s theverge.com/2019/11/11/20958932/india-mobile-marketshare-
20 January 2017, https://cis-india.org/internet-governance/ 28 JJiqiang Niu et al., ‘Global research on artificial intelligence
cture_58a3ff6db6d87f499c8b462d.html. chuvpilo.medium.com/ai-research-rankings-2020-can-the-
19 See Musa Tuzuner (ed.), Intelligence Cooperation Practices in the 21st united-states-stay-ahead-of-china-61cf14b1216.
Century: Towards a Culture of Sharing (Amsterdam: IOS Press, 2010). 30 Richa Bhatia, ‘Where Artificial Intelligence Research in India
20 ‘How the IT sector has emerged as a pillar of modern India’, Is Heading’, Analytics India Magazine blog, 27 March 2018,
com/news/national/how-the-it-sector-has-emerged-as-a-pillar- research-in-india-is-heading.
of-modern-india/article32357389.ece. This estimate is based on 31 Anisha Kumari, ‘IIT Hyderabad, NVIDIA Establish First AI
a classic narrow view of the ICT sector, as usually reported in Research Centre in India’, NDTV, 9 July 2020, https://www.ndtv.
have been adopting a definition of the digital economy based 32 Canadian Institute for Advanced Research, ‘Building an
on a broader set of indicators. According to one of these broader AI World: Report on National and Regional AI Strategies
estimates, India’s digital economy was worth US$570bn in Second Edition’, May 2020, p. 22, https://cifar.ca/wp-content/
Implementation: Report – ET CIO’, ETCIO, 26 April 2018, banking and e-commerce across the country, especially by
analytics/india-ranked-third-in-terms-of-artificial-intelligence- business under another name since 2010 and issuing IDs, there
implementation-report/63922875. has been an explosion of the process since 2016, with 1.24bn
34 AIMResearch, ‘Report: Indian AI Startup Funding in 2019’, citizens now registered. See Unique Identification Authority of
report-indian-ai-startup-funding-in-2019. identification-authority-of-india/about.html.
35 Indian Space Research Organisation, ‘About ISRO’, https:// 44 Indian Computer Emergency Response Team, Ministry of
36 The Indian Regional Navigation System Satellite is made up Report (2019)’, p. 3, https://www.cert-in.org.in/Downloader?p
of seven satellites that serve civil purposes but also provide ageid=22&type=2&fileName=ANUAL-2020-0001.pdf.
encrypted data to the Indian armed forces. See G.D. Sharma, 45 Manu Kaushik, ‘200% rise in cyberattacks from China in a
Exploiting Indian Military Capacity in Outer Space (New Delhi: month; India tops hit list post Galwan face-off’, Business Today, 24
Centre for Joint Warfare Studies, 2016), https://cenjows.in/pdf/ June 2020, https://www.businesstoday.in/technology/news/200-
issue/Layout_Exploiting%20Indian%20Military.pdf. percent-rise-in-cyberattacks-from-china-in-a-month-india-tops-
Research Organisation, ‘List of Earth Observation Satellites’, 46 Interview with former official in the Indian government, New
38 Manu Pubby, ‘Navy to Buy Rs 1,589 Crore Satellite From ISRO’, 47 Indian Computer Emergency Response Team, Ministry of
Economic Times, 18 July 2019, https://economictimes.indiatimes. Electronics and Information Technology, ‘CERT-In Annual
isro/articleshow/70283927.cms?from=mdr. ageid=22&type=2&fileName=ANUAL-2019-0123.pdf.
39 Narayan Prasad Nagendra and Prateep Basu, ‘Demystifying 48 National Critical Information Infrastructure Protection Centre,
Space Business in India and Issues for the Development of a ‘NCIIPC Newsletter’, January 2021, p. 2, https://nciipc.gov.in/
vol. 36, 2016, pp. 1–11, https://www.sciencedirect.com/science/ 49 ‘India bans PUBG, 117 other Chinese apps for “stealing,
40 John Sheldon, ‘Indian Military Space: Hughes India and September 2020, https://www.firstpost.com/india/india-bans-
Sterlite Tech Enable Satcom Connectivity for Indian Navy’, pubg-117-other-chinese-apps-for-stealing-transmitting-users-
org/publications/measuring-the-digital-transformation- articleshow/68589549.cms?from=mdr.
43 In 2016 the government set up the Unique Identification Panel of Experts established pursuant to Resolution
Authority of India, which provided a new foundation for 1874 (2009)’, 5 March 2019, S/2019/171, https://www.
53 Reserve Bank of India, ‘Master Direction on Digital Payment the GGE on ‘Developments in the Field of Information and
Security Controls’, 18 February 2021, https://rbidocs.rbi.org.in/ Telecommunications in the Context of International Security’
54 DSCI, ‘National Cyber Security Strategy 2020: DSCI of International Security’. In cyberspace-policy circles it is
55 International Telecommunication Union, ‘Global Cybersecurity Disarmament Affairs, ‘Developments in the field of information
56 Raja Simhan, ‘TN govt working on giving the “cyber 63 Interview with a member of the 2016–17 GGE, August 2017.
resilience” edge to governance’, The Hindu Business Line, 24 64 Nayantara Ranganathan, ‘Cybersecurity and bilateral ties of India
December 2020, https://www.thehindubusinessline.com/info- and the United States: A very brief history’, Internet Democracy
governance/article33409737.ece. cybersecurity-and-india-us-bilateral-ties-a-very-brief-history.
57 Munish Sharma and Cherian Samuel, India’s Strategic Options in a 65 Rahul Roy-Chaudhury, ‘India–UK cybersecurity cooperation:
Changing Cyberspace (Delhi: Pentagon Press, 2018), p. 110, https:// The way forward’, International Institute for Strategic
cyberspace.pdf. analysis/2019/11/sasia-india-uk-cyber-security-cooperation.
58 See, for example, Saikat Datta, ‘Defending India’s Critical 66 Rahul Roy-Chaudury, ‘India–UK cyber security cooperation:
Information Infrastructure’, Internet Democracy Project, 2016, The way forward’, India Global Business, 15 November 2019,
https://internetdemocracy.in/wp-content/uploads/2016/03/ https://www.indiaglobalbusiness.com/igb-archive/india-uk-
Saikat-Datta-Internet-Democracy-Project-Defending- cyber-security-cooperation-the-way-forward-india-global-
Re-conditioning of India’s Cyber Security’, Apeksha News 67 Raj Chengappa and Sandeep Unnithan, ‘How to Punish
Network, 28 September 2020, https://apekshanews.com/ Pakistan’, India Today, 22 September 2016, https://www.
the-need-for-re-conditioning-of-indias-cyber-security. indiatoday.in/magazine/cover-story/story/20161003-uri-
Quint, 1 November 2019, https://www.thequint.com/news/ 68 M.K. Narayanan, ‘The Best among Limited Options’, Hindu,
correct-confirms-npcil. The-best-among-limited-options/article14990381.ece.
60 ‘Chinese cyber attack foiled: Power Ministry’, Hindu, 1 March 2021, 69 Arditi Agrawal, ‘India’s Cybersecurity Strategy Policy in
62 James Crawford, Jacqueline Peel and Simon Olleson, ‘The Conference’, 17 October 2014, https://www.narendramodi.in/
Wrongful Acts: Completion of the Second Reading’, European 71 Vivekananda International Foundation, ‘Credible Cyber
Journal of International Law, vol. 12, no. 5, 2001, pp. 963–91, Deterrence in Armed Forces of India’, March 2019, https://www.
Indonesia’s first formal strategy for civil-sector cyber it participates actively in the G20, the Asia-Pacific
security emerged only in 2018, one year after its prin- Economic Cooperation, the Association of Southeast
cipal cyber agency was created. Cyber-related institu- Asian Nations and the Organisation of Islamic
tional changes within the armed forces began around Cooperation. Indonesia has some cyber-surveillance
2014 but have not yet given rise to a published military and cyber-espionage capabilities, but there is little evi-
cyber strategy or doctrine. Political control of cyber dence of it planning for, or having conducted, offen-
policy is exercised through the president. Indonesia sive cyber operations. Overall, Indonesia is a third-tier
has only limited cyber-intelligence capabilities but cyber power. Given that it is expected to become the
has been investing in cyber surveillance for domes- fourth-largest economy in the world by around 2030,
tic security. It is more engaged than most developing it could be well placed to rise to the second tier if
countries in cyber security and in employing digital the government decides that strategic circumstances
technologies. On international cyberspace policy, demand greater investment in the cyber domain.
List of acronyms
ASEAN Association of Southeast Asian Nations OIC Organisation of Islamic Cooperation
BSSN National Cyber and Crypto Agency TNI Indonesian Armed Forces
MoD Ministry of Defence
Notes
1 Yudhistira Nugraha, ‘The future of cyber security capacity in 12 Usman Hamid and Ary Hermawan, ‘Indonesia’s Shrinking
Indonesia’, Oxford Internet Institute, 2016, https://ora.ox.ac.uk/ Civic Space for Protests and Digital Activism’, Carnegie
2 Its full name is the Indonesia Security Incident Response Team carnegieendowment.org/2020/11/17/indonesia-s-shrinking-
CC). See ‘History Id-SIRTII/CC’, https://idsirtii.or.id/en/page/ 13 Thomas Paterson, ‘Indonesian cyberspace expansion: A
3 Leonardus K. Nugraha and Dinita A. Putri, ‘Mapping the Cyber pp. 216–34, https://www.tandfonline.com/doi/pdf/10.1080/237
4 Badan Siber Dan Sandi Negara. See https://bssn.go.id/tentang. 82 tahun 2014 tentang, Pedoman Pertahanan Siber, https://
5 More precisely, the BSSN took on the responsibilities of the National www.kemhan.go.id/pothan/wp-content/uploads/2016/10/
and Infrastructure, and the Information Security Directorate of the 16 Defence Ministry of the Republic of Indonesia, ‘Defence White
Ministry of Communication and Information Technology. Paper 2015’, November 2015, p. 109, https://www.kemhan.
7 ‘Kemhan Dorong Pertahanan Nirmiliter Jadi Program Nasional’, 19 ‘Kemhan Dorong Pertahanan Nirmiliter Jadi Program
8 Badan Siber Dan Sandi Negara, ‘Indonesian Cyber Security 21 Sri Hidayati and Rudi A.G. Gultom, ‘Analisis Kebutuhan
9 Cabinet Secretariat of the Republic of Indonesia, ‘Cyber Crime Peperangan Siber’, Teknologi Persenjataan, vol. 1, no. 1, 2020, p.
Nasional’, 14 December 2020, https://cloud.bssn.go.id/s/ 23 Badan Siber Dan Sandi Negara, ‘Pimpinan Badan Siber Dan
11 Karis Kuniaran, ‘Ini Strategi BSSN Perkuat Keamanan Siber 24 Mehda Basu and Yun Xuan Poon, ‘Five steps in Indonesia’s cyber
Nasional’, Merdeka, 14 December 2020, https://www.merdeka.com/ battle plan: Interview with Lieutenant General (ret) Hinsa Siburian,
html. See also Sekretariat Kabinet Republik Indonesia, ‘Inilah with-tokopedia. For a Traveloka valuation, see Yoolim Lee,
Perpres No. 62 Tahun 2016 Tentang Susunan Organisasi Tentara ‘Traveloka Nears Fundraising at Lower Valuation’, Bloomberg
Nasional Indonesia (1)’, 19 January 2017, https://setkab.go.id/ Quint, 10 July 2020, https://www.bloombergquint.com/
inilah-perpres-no-62-tahun-2016-tentang-susunan-organisasi- business/traveloka-is-said-near-fundraising-at-sharply-lower-
tentara-nasional-indonesia-1. valuation.
27 The Satsiber unit within the Indonesian Air Force was formally 39 Fauziah Rizki Yuniarti, ‘Indonesia could be Asia’s next Islamic
inaugurated only in September 2020. See Achmad Nasrudin finance hub’, Jakarta Post, 12 January 2021, https://www.
nasional.kompas.com/read/2020/09/17/07393261/bentuk- 40 Eisya A. Eloksari, ‘Indonesian internet users hit 196 million, still
kapushansiber. 41 Ibid.
29 See Kementerian Pertahanan Republik Indonesia, ‘Badan Instalasi 42 ‘Indonesian Internet Users Reach 200 Million Until 2Q
Strategis Pertahanan’, https://www.kemhan.go.id/bainstrahan. of 2020’, The Insider Stories, 10 November 2020, https://
Force (MEF) Dalam Rangka Pembangunan Cyber-Defense’, 43 ‘Global Innovation Index 2020: Who Will Finance Innovation?’,
Jurnal Pertahanan & Bela Negara, vol. 5, no. 3, 2018, pp. 63–85, SC Johnson College of Business – Cornell University,
Cyber Agency’, Jakarta Post, 4 January 2017, https://www. 44 Vience Mutiara Rumata and Ashwin Sasongko
BSSN’, CNN Indonesia, 13 November 2019, https://www. 45 ‘Incar Jawara Dunia, Inilah Strategi RI Dalam Ekonomi
34 Ibid. jawara-dunia-inilah-strategi-ri-dalam-ekonomi-digital/0/
Report 2020’, September 2020, https://digital-competitiveness. 46 Trisha Ray et al., ‘The Digital Indo-Pacific: Regional
32, https://www.thinkwithgoogle.com/_qs/documents/10614/ 47 Eileen Yu, ‘Cloud, Data amongst APAC Digital Skills Most
racing_ahead_bMmKO5b.pdf. article/cloud-data-amongst-apac-digital-skills-most-needed/.
Affairs, ‘Tingkatkan Keamanan Informasi Nasional, Deputi Microsoft Stories Asia, 25 February 2021, https://news.
tingkatkan-keamanan-informasi-nasional-deputi-vii- economy-indonesia-initiative/.
49 ‘UI Gandeng Tokopedia Bangun Pusat Penelitian UU Keamanan dan Ketahanan Siber’ [interview with Colonel
Kecerdasan Buatan, Menristekdikti Harapkan Lulusan Arwin Datumaya Wahyudi Sumari], Cyberthreat.id, 26 April
kebutuhan-sdm-perusahaan-startup. documents/pdf/APCERT_Annual_Report_2018.pdf.
50 Arya Dipa, ‘Bukalapak, ITB Launch AI, Cloud Computing 62 Achmad Rouzni Noor, ‘Strategi Indonesia Menjaga Kedaulatan
Innovation Center’, Jakarta Post, 2 February 2019, https://www. Cyber’, detikinet, 1 February 2016, https://inet.detik.com/
thejakartapost.com/news/2019/02/02/bukalapak-itb-launch-ai- cyberlife/d-3131768/strategi-indonesia-menjaga-kedaulatan-
cloud-computing-innovation-center.html. cyber.
51 Dylan Loh, ‘ASEAN Faces Wide AI Gap as Vietnam and 63 ‘Covid-19 and Cyberattacks: Which Emerging Markets
Philippines Lag Behind’, Nikkei Asia, 9 October 2020, https:// and Sectors Are Most at Risk?’, Oxford Business Group, 17
gap-as-Vietnam-and-Philippines-lag-behind2. 19-and-cyberattacks-which-emerging-markets-and-sectors-are-
the Next AI Start-up Hub’, South China Morning Post, 25 64 Eisya A. Eloksari, ‘Indonesian Businesses Ramp up
August 2020, https://www.scmp.com/tech/article/3098596/ Cybersecurity Budget amid Rampant Attacks’, Jakarta Post, 23
August 2020, https://ai-innovation.id/strategi. 65 ‘Kepala BSSN Resmikan Tim Tanggap Insiden Keamanan Siber
ft.com/content/bcc935fd-ef40-4d6d-9939-ea18498e0283. keamanan-siber-bssn-csirt-demi-tercipta-ruang-siber-yang-
56 ‘Cybersecurity Becomes BSSN’s Challenge in the Digitalization aman-dan-kondusif/.
of Indonesia’, Waktunya Merevolusi Pemberitaan, 28 August 66 In 2020 the BSSN established CSIRTs in institutions including the
2020, https://voi.id/en/technology/12457/cybersecurity-becomes- Ministry of Finance and the Ministry of Education and Culture,
57 The Huawei ASEAN Academy reportedly comprises business, Jakarta, the Riau Islands, West Java and West Sumatra. See
technical and engineering colleges with 100 trainers, more than ‘BSSN Gandeng Pemprov DKI Jakarta Bentuk Tim Tanggap
3,000 courses and more than 100 mirroring environments. Insiden Keamanan Siber’, Badan Siber Dan Sandi Negara, 23
ASEAN Briefing, 4 February 2021, https://www.aseanbriefing. ‘Resmikan Jogjaprov CSIRT, BSSN Harap Bisa Tekan Ancaman
contributing-to-improved-manufacturing-capability. kompas.com/read/2020/10/15/133036728/resmikan-jogjaprov-
Prioritas Strategis BSSN Di Tahun 2020’, Badan Siber Dan Sandi Negara, 4 February 2021, https://bssn.go.id/bssn-menerima-
kemenkeu-csirt-menutup-program-prioritas-strategis-bssn-di- informasi.
69 These drills include the ITU Cyber Drill Exercise 2020, ASEAN tingkatkan-kemampuan-pertahanan-siber.html.
Cert Incident Drill 2020, OIC Cert Cyber Drill 2020, Critical 77 Satsiber, ‘Gubernor Aaal Hadiri Latihan Operasi Pertahanan
Information Infrastructure Cyber Exercise 2020, ASEAN Japan Siber TNI AL 2018’, 12 December 2018, https://satsiber-tni.
Cyber Exercise 2020 and APCERT Drill 2020. See Id-SIRTII/CC, mil.id/gubernur-aal-hadiri-latihan-operasi-pertahanan-siber-
70 ‘APCERT Training: Implementing IoT Security Testing’, 78 International Telecommunication Union, ‘Global Cybersecurity
activity/detail_year/2021/92/apcert-training-implementing- D-STR-GCI.01-2018-PDF-E.pdf.
iot-security-testing.html; and ‘Carnegie Mellon University: 79 Asia Pacific Computer Emergency Response Team, ‘APCERT
Unhide Hidden Cobra’, ID-SIRTII/CC, 15 February 2021, Annual Report 2018’, p. 128.
71 ‘BSSN Beserta 13 Lembaga Pemerintah Formulasikan of Governmental Experts (GGE) has convened for two-year
Rancangan Perpres Perlindungan Infrastruktur Informasi terms to address international-security aspects of cyberspace.
Vital’, Badan Siber Dan Sandi Negara, 10 February 2021, It was known as the GGE on ‘Developments in the Field
72 ‘BSSN Gelar Diseminasi Peraturan dan Kebijakan Sektor in the Context of International Security’. In cyberspace-policy
Infrastruktur Informasi Kritikal Nasional (IIKN)’, Badan circles it is common to refer to it simply as ‘the GGE’. See
Siber Dan Sandi Negara, 10 February 2021, https://bssn. UN Office for Disarmament Affairs, ‘Developments in the
pp. 12, 55. 82 See ‘CodeBali International Cyber Security Conference and
74 Basu and Yun, ‘Five steps in Indonesia’s cyber battle plan: Exhibitions’ website, https://codebali.id.
Interview with Lieutenant General (ret) Hinsa Siburian, 83 Muhammad Nadjib and Hafied Cangara, ‘Cyber Terrorism
Head of the National Cyber and Encryption Agency (BSSN), Handling in Indonesia’, Business and Management Review, vol.
On cyber security, Malaysia was a regional first support of its wider economic-development agenda.
mover and compares well with many other countries. It compensates for some of its shortcomings in cyber
Its ongoing commitment was demonstrated in 2020 capability through international alliances, particu-
with new cyber-security strategies for the civil sector larly with the United States, the United Kingdom,
and for national defence. There is little information Australia and Singapore. Overall, Malaysia is a
available on core cyber-intelligence capabilities or the third-tier cyber power but has clear strengths in
development of offensive cyber, with the policy state- cyber-security policy and strong digital-economic
ments issued in 2020 focusing more on active defence potential. If it realises that potential, it could create
in cyberspace. Malaysia has prioritised the devel- the foundations on which to become a second-tier
opment of an indigenous digital-industrial base in cyber power.
List of acronyms
ASEAN Association of Southeast Asian Nations MAF Malaysian Armed Forces
CDOC Cyber Defence Operations Centre MoD Ministry of Defence
CERT Computer Emergency Response Team NACSA National Cyber Security Agency
ICT information and communications technology NSC National Security Council
IoT Internet of Things
Notes
1 Ministry of Science, Technology and Innovation, Malaysia, Government Administrative Centre, July 2006, https://cnii.
‘National Cyber Security Policy: The Way Forward’, Federal cybersecurity.my/main/ncsp/tncsp.html. The ten pillars of
policy were national defence and security; banking and finance; Communication and Electronic Division.
information and communications; energy; transportation; 14 ‘Dasar Keselamatan Teknologi Maklumat Dan Komunikasi
water; health services; government; emergency services; and (DKICT)’, pp. 23–5.
food and agriculture. 15 National Security Council, ‘Directive No. 20, Policy and
2 See National Cyber Security Agency, ‘RAKKSSA: Rangka Mechanism of National Disaster Management and Relief’,
www.nacsa.gov.my/doc/RAKKSSA-VERSI-1-APRIL- Security_Council.html.
(DKICT)’, January 2017, http://www.stride.gov.my/v2/images/ 17 Philip H. J. Davis, ‘All in Good Faith? Proximity, Politicisation,
4 National Security Council, Prime Minister’s Department, ‘Malaysia Journal of Intelligence and CounterIntelligence, vol. 32, no. 4, May
Cyber Security Strategy 2020–2024’, October 2020, https://asset. 2019, pp. 691–716, https://www.tandfonline.com/doi/abs/10.10
mkn.gov.my/web/wp-content/uploads/sites/3/2019/08/Malaysia 80/08850607.2019.1621105.
5 Stuart Crowley, ‘Malaysia to spend $434m on national 19 Marhalim Abas, ‘Restructuring of the Signals Regiment’,
cybersecurity strategy’, W.media, 16 October 2020, https://w. Malaysian Defence, 19 November 2019, https://www.
media/malaysia-to-spend-434m-on-national-cybersecurity- malaysiandefence.com/restructuring-of-the-signals-regiment.
web.archive.org/web/20181024164353/http://www.mod.gov. 83/129777.pdf.
https://www.malaymail.com/news/malaysia/2020/12/17/national- https://mdec.my/what-we-offer/msc-malaysia.
11 Cyber Security – Towards a Safe and Secure Cyber Environment 82.2% 4G LTE Coverage’, Malaysian Wireless, 18 May 2020,
12 Muhammad Sabu, Hansard, Parliament of Malaysia, 26 B.K. Sidhu, ‘Going beyond fibre for internet throughout
bsep. Note that there are different English translations of the nfcp.my/Nfcp/media/Docs/NFCP-FS002-v5c.pdf.
29 Royce Tan, ‘AI Park Will Help Malaysia Take the Lead in 43 International Telecommunication Union, ‘Global Cybersecurity
Digital Future’, Star, 17 October 2020, https://www.thestar. Index 2018’, p. 38, https://www.itu.int/dms_pub/itu-d/opb/str/
com.my/business/business-news/2020/10/17/ai-park-will-help- D-STR-GCI.01-2018-PDF-E.pdf.
rural homes’, The Malaysian Reserve, 26 November 2018, https:// 47 CyberSecurity Malaysia, ‘Milestones’, https://www.
themalaysianreserve.com/2018/11/26/tnb-expanding-fixed- cybersecurity.my/en/about_us/milestones/main/detail/2325/
broadband-footprint-in-rural-homes. index.html.
33 Telekom Malaysia Berhad, ‘Review of the Year & Key 48 See Chew Kherk Ying, ‘Cyber Security 2020, Malaysia’,
review-of-the-year-key-achivements. practiceguides.chambers.com/practice-guides/
35 Sidhu, ‘Going beyond fibre for internet throughout Malaysia’. ‘Malaysia Cyber Security Strategy 2020–2024’, pp. 30–9.
36 Alexander Wong, ‘Penang is the first state to make fibre optic 50 International Telecommunication Union, ‘Global Cybersecurity
24 December 2020, https://www.soyacincau.com/2020/12/24/ 51 Azian Ibrahim et al., ‘Cyber Warfare Impact to National
37 Caleb Henry, ‘Measat buying single replacement for two Pahang, Kuantan, Pahang, Malaysia, 19–20 August 2019, p.
measat-buying-single-replacement-for-two-satellites. download/5052/10067.
38 Computer Crimes Act 1997, Laws of Malaysia, Act 563, http:// 52 ‘Malaysia’s cybersecurity, forensic labs among most advanced
EN/Act%20563.pdf. my/local/malaysia-s-cybersecurity-forensic-labs-among-most-
39 See International Telecommunication Union, ‘Global advanced-in-the-world-KM916936.
Cybersecurity Agenda’, https://www.itu.int/en/action/ 53 Cyber Security – Towards a Safe and Secure Cyber Environment, p. 53.
cybersecurity/Pages/gca.aspx. The ITU describes the GCA 54 Association of Southeast Asian Nations, ‘Co-Chairs’ Summary
as ‘a framework for international cooperation aimed at Report – 1st ASEAN Regional Forum Inter-Sessional Meeting on
enhancing confidence and security in the information Security of and in the Use of Information and Communication
society’, adding that it was ‘designed for cooperation and Technologies’, Kuala Lumpur, 25–26 April 2018, p. 2, http://
40 ‘Communications and Multimedia Act 1998’, Commonwealth of Governmental Experts (GGE) has convened for two-year
41 Personal Data Protection Act 2010, Laws of Malaysia, Act 709, of Information and Telecommunications in the Context of
it is common to refer to it simply as ‘the GGE’. See UN Office for 57 Along with their counterparts from other ASEAN member
Disarmament Affairs, ‘Developments in the field of information states, Malaysian officials have participated in training
and telecommunications in the context of international security’, workshops led by, among others, the Australian Strategic
https://www.un.org/disarmament/ict-security. Policy Institute (April 2019) and the United Nations Office of
56 United Nations General Assembly, ‘Group of Governmental Disarmament Affairs in cooperation with the Cyber Security
Experts on Developments in the Field of Information and Agency of Singapore (July 2019).
Vietnam has put in place a suite of strategies for cyber of internal subversion probably draw resources away
security and the advancement of its national power from technical cyber-skills training and towards ideo-
in cyberspace, including in the military domain. logical work and the management of public opinion,
The governance structures for cyber policy operate thereby reducing investment in both defensive and
through the ruling Communist Party of Vietnam’s offensive cyber capabilities. While overall offensive
authoritarian political system. The government has cyber capabilities are likely to be nascent or weak, the
implemented several policies that have contributed covert government-linked group APT32 could prob-
to robust growth in the ICT sector and to significant ably launch relatively sophisticated cyber attacks.
progress in the construction of e-government plat- Vietnam is a third-tier cyber power but it has consider-
forms. However, many government agencies still able digital ambition and potential. If it can strengthen
grapple with cyber-security issues because of a lack its key cyber-security skills, support its ICT firms and
of funds and a huge shortage of cyber-security talent. invest in advanced technology to protect its digital
The Communist Party’s concerns regarding the threat infrastructure, it could realise that potential.
List of acronyms
AIS Authority of Information Security MPS Ministry of Public Security
ASEAN Association of Southeast Asian Nations NCSC National Cyber Security Monitoring Centre
CPV Communist Party of Vietnam NSCER National Steering Committee for Emergency Response
ICT information and communications technology VNCERT Vietnam Computer Emergency Response Team
MIC Ministry of Information and Communications VNPT Vietnam Posts and Telecommunications Group
MND Ministry of National Defence VPA Vietnamese People’s Army
Notes
1 Prime Minister’s Decision No. 63/QD-TTg, ‘Approving the 7 The data-localisation obligation for foreign companies applies
National Planning on Development of Digital Information to those that provide telecoms services, data storage and
Security through 2020’, 2010, https://vanbanphapluat.co/ sharing, e-commerce, social media and online electronic games.
2 Prime Minister, ‘Phê Duyệt Phương Hướng, Mục Tiêu, Nhiệm chinh/Luat-quoc-phong-340395.aspx.
Vụ Bảo Dảm An Toàn Thông Tin Mạng Giai Doạn 2016–2020’, 27 9 Politburo Resolution 29NQ/TW dated 25 July 2018. See Vu
May 2016, https://thuvienphapluat.vn/van-ban/Cong-nghe-thong- Van Hien, ‘Enhancing the homeland protection under the
industry include the Vietnam Software and IT Services html; and Ngo Xuan Lich, ‘The whole military resolves to
Association, the Vietnam Association for Information Processing, successfully fulfil the military-defence tasks in 2019’, National
the Vietnam Internet Association, the Vietnam Information Defence Journal, 4 January 2019, http://tapchiqptd.vn/en/theory-
QH13, 19 November 2015. For an official translation, see https:// 10 Ngoc Thuy Tran, ‘Những Vấn Dề về Bảo vệ Tổ Quốc Trên
security-2015. baoquankhu7.vn/nhung-van-de-ve-bao-ve-to-quoc-tren-
12 June 2018, https://luatvietnam.vn/an-ninh-quoc-gia/ 11 Ministry of National Defence, ‘2019 Viet Nam National
cupriv22jun18.pdf. lDefence.pdf.
6 Thomas J. Treutler and Giang Thi Huong Tran, ‘Update on 12 National Assembly, ‘Luật An Ninh Mạng’, 24/2018/QH14.
the Implementation of Vietnam’s New Cybersecurity Law 13 See ‘VNCTERT/CC Trung tâm Ứng cứu khẩn cấp không gian
and Status of Implementing Decrees’, Tilleke & Gibbins, 18 mạng Việt Nam’, http://vncert.gov.vn.
Security.html. Alive and Well: APT32 and the Threat to Global Corporations’,
16 Ministry of Information and Communications, ‘The National FireEye, 14 May 2017, https://www.fireeye.com/blog/threat-
17 ‘Chủ dộng, quyết liệt trong phòng, chống tội phạm trên không Saigon Online, 4 February 2020, https://sggpnews.org.vn/
18 ‘Cục An ninh Văn hóa, thông tin, truyền thông báo công http://lyluanchinhtri.vn/home/en/index.php/practice/item/723-
vn/xa-hoi/cuc-an-ninh-van-hoa-thong-tin-truyen-thong-bao- economy-in-vietnam.html.
19 Ministry of National Defence, ‘2019 Viet Nam National Defence’. Technology, ‘Quánqiú shùzì jīngjì xīn tújǐng (2019 nián)’,
21 ‘Hơn 10.000 người trong ‘Lực lượng 47’ dấu tranh trên bps/201910/P020191011314794846790.pdf.
mạng’, Tuổi Trẻ, 25 December 2017, https://tuoitre.vn/ 31 See Prime Minister, ‘Introducing Program for National Digital
mang-20171225150602912.htm. It is unclear from this source if Decision 749/QD-TTg, 3 June 2020, https://vanbanphapluat.co/
also conduct other cyber operations. digital-transformation. By 2030 this programme aims to
22 Maj. Gen., Associate Prof. Nguyen Hung Oanh, ‘The achieve the following: a digital economy that contributes 30%
Political Officer College grasps and executes the Politburo’s of GDP; digital transformation in the government sector so
Resolution 35’, National Defence Journal, 16 October 2019, that Vietnam becomes one of the top four ASEAN countries
http://tapchiqptd.vn/en/research-and-discussion/the- in the UN e-government ranking; nationwide 5G mobile-
Vietnam’, Critical Studies of the Asia Pacific Series, vol. 31, no. 2, Digital Economy with E-government’, OpenGov Asia, 28
1137347534_7#aboutcontent. committed-to-supporting-its-digital-economy-with-e-government.
24 Hai Thanh Luong et al., ‘Understanding Cybercrimes in 33 Ministry of Information and Communications, ‘VN’s IT
Vietnam: From Leading-Point Provisions to Legislative System industry maintains growth momentum’, 25 December 2019,
25 ‘VN to join Microsoft’s network security protection programme’, for donor collaboration’, Brookings Center for Sustainable
Viêt Nam News, 20 December 2019, https://vietnamnews. Development, December 2020, pp. 31–2, https://www.
vn/society/570139/vn-to-join-microsofts-network-security- brookings.edu/wp-content/uploads/2020/12/Development-
protection-programme.html. Southeast-Asia-Ch2-Digital.pdf.
growth?’, Tech Wire Asia, 3 February 2020, https://techwireasia. 49 Nandini Sarma, ‘Southeast Asian Space Programmes:
38 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United tiền cao nhất khu vực’, Doanh nhân, 24 June 2020, https://
chuvpilo.medium.com/ai-research-rankings-2020-can-the- ma-doc-tong-tien-cao-nhat-khu-vuc-1099286.html.
www.vinai.io/about-us. Summary-2019-Updated.pdf.
41 ‘Vietnam Prioritises Artificial Intelligence Development’, 52 See ‘Giới thiệu về NCSC’, National Cyber Security Monitoring
vn/vietnam-strives-to-enter-worlds-top-50-in-terms-of- 54 Bao Lam and Chau An, ‘Data stealing spyware rears head
43 ‘Việt Nam nhờ Mỹ kiểm dịnh thiết bị 5G do Việt Nam sản xuất net/news/news/data-stealing-spyware-rears-head-in-
dể có dủ khả năng vào thị trường Mỹ’, ICT News, 21 January vietnam-4119828.html.
2020, https://ictnews.vietnamnet.vn/cuoc-song-so/viet-nam- 55 Vu, ‘Enhancing the homeland protection under the Party’s
44 Ministry of Information and Communications, ‘Viettel among 56 Prime Minister, ‘Quyết Dịnh: Ban Hành Quy Dịnh Về Hệ
investors of new high-speed under-sea cable ADC’, 22 June 2020, Thống Phương Án Ứng Cứu Khẩn Cấp Bảo Dảm An Toàn
investors-of-new-high-speed-under-sea-cable-ADC.html. https://vanbanphapluat.co/quyet-dinh-05-2017-qd-ttg-he-
45 Leo Kelion, ‘Giới chuyên gia ngạc nhiên trước tuyên bố của thong-phuong-an-ung-cuu-khan-cap-bao-dam-an-toan-thong-
Viettel về mạng 5G’, BBC News Vietnamese, 21 January 2020, tin-mang-quoc-gia.
https://www.bbc.com/vietnamese/vietnam-51190570. 57 ‘PM sets up national cybersecurity committee’, Vietnam Law
46 ‘Vietnamese telecom giants on race of exporting telecom & Legal Forum, 2 April 2017, https://vietnamlawmagazine.vn/
47 Union of Concerned Scientists, ‘UCS Satellite Database’, Thống Phương Án Ứng Cứu Khẩn Cấp Bảo Dảm An Toàn
satellite-database. 59 ‘Vietnam records more than 6,200 cyber attacks in seven months’,
Acrofan, 20 February 2020, https://us.acrofan.com/detail. exercise’, Viêt Nam News, 26 June 2020, https://vietnamnews.
php?number=239640. vn/society/748743/vietnamese-tech-experts-join-transnational-
for information security tasks’, OpenGov Asia, 9 July 2019, 70 ‘National Cyber Security Center signs deal with Kaspersky
resources-for-information-security-tasks. english.vietnamnet.vn/fms/science-it/216749/national-
62 Ibid. cyber-security-center-signs-deal-with-kaspersky-for-online-
powerhouse: minister’, VnExpress, 17 April 2019, 71 ‘Vietnam–India strategic partnership in the fields of defence
carries-potential-to-be-a-cybersecurity-powerhouse- http://tapchiqptd.vn/en/events-and-comments/vietnam-
minister-3910754.html. india-strategic-partnership-in-the-fields-of-defence-and-
7.8 pct’, VietnamPlus, 4 November 2020, https://en.vietnamplus. 72 ‘Việt Nam, Brunei, boost co-operation in combating crimes’,
down-78-pct/189811.vnp. politics-laws/592275/viet-nam-brunei-boost-co-operation-in-
Index 2018’, p. 63, https://www.itu.int/dms_pub/itu-d/opb/str/ 73 Ministry of Public Security, ‘Vietnam, Malaysia promote
2 October 2019, https://www.channelnewsasia.com/news/ 75 ‘Xây dựng lực lượng Tác chiến không gian mạng, dáp ứng yêu
singapore/asean-cyberspace-working-level-committee- cầu nhiệm vụ bảo vệ Tổ quốc’, Tạp chí Quốc phòng, 17 October
October 2019, https://www.csa.gov.sg/news/press-releases/ 76 ‘Hơn 10.000 người trong ‘Lực lượng 47’ Dấu tranh trên mạng’,
Based on the country studies in the report, we can political culture of each country is immediately visible
draw conclusions about the ways in which states have as the primary determinant of governance arrange-
responded to the opportunities and threats presented ments. Liberal democracies in advanced economies
by cyber capabilities. In addition to considering sepa- such as France, Japan, the United Kingdom and the
rately each of the categories in our methodology, we US tend to have more well-established arrangements
can also draw conclusions about the relative standing for cyber governance compared with democracies in
of the 15 countries and the implications for the broader the wealthier developing countries (India, Indonesia
global balance of power. and Malaysia). In the latter group, governance arrange-
ments have developed more slowly and unevenly, as
Foundations of cyber power have security strategies for cyberspace. In more authori-
On published strategy and doctrine, the country studies tarian countries such as China, Iran, North Korea and
reveal considerable variation in practice, especially on Russia, the governance arrangements are more nar-
the balance between policies for cyber security on the rowly focused and less transparent. Of those four coun-
one hand and policies for intelligence-related, politi- tries, only China might be said to have an established
cal and military uses of cyber assets on the other. All framework for a multi-stakeholder approach to cyber
countries maintain high levels of secrecy around the lat- governance, although its political system favours the
ter three areas. All the countries studied in this report Chinese Communist Party as the dominant stakeholder.
now have some published strategy, doctrine or policy A core cyber-intelligence capability is the primary foun-
in at least one of the diverse aspects of cyber power. dation of cyber power. Any country’s ability to take
The United States led the way by publishing cyber poli- defensive or offensive action in cyberspace is funda-
cies from the mid-1990s onwards. It now has the most mentally dependent on its understanding of the cyber
mature and comprehensive policy settings. While some environment – its cyber situational awareness. This can
other states also produced discrete elements of strate- be constructed by combining all available sources of
gic and doctrinal cyber thinking in the 1990s, it was not information from across the private and public sectors.
until the late 2000s that the first wave of policies compa- The most effective intelligence agencies must also have
rable in breadth and depth to those of the US were pro- the capability to detect and attribute sophisticated state-
duced. This was followed by a second wave from 2015 based cyber attacks and to conduct sophisticated cyber
onwards. Each study reveals a unique blend of civilian operations of their own. While many states around the
and military elements, reflecting the particular strategic world have cyber capabilities focused on their own
circumstances and policy preoccupations of that coun- internal security, and some have developed a regional
try. Given the rapidly evolving nature of cyber threats intelligence footprint, only a few have sufficient reach to
and opportunities, none of the countries studied is com- achieve the level of global cyber understanding essen-
fortable with its level of maturity on strategy. tial for the most sophisticated operations. Those states
National differences also play out in the arrange- are the Five Eyes intelligence allies (Australia, Canada,
ments for governance, command and control. Here, the New Zealand, the UK and the US), which operate
Three cyber-capable allies of the Five Eyes states – France, Israel and Japan
Four countries viewed by the Five Eyes and their allies as cyber threats – China,
Russia, Iran and North Korea