Cyber Capabilities and National Power

Download as pdf or txt
Download as pdf or txt
You are on page 1of 182
At a glance
Powered by AI
The document assesses the cyber capabilities of 15 states using a qualitative methodology across 7 categories and divides states into 3 tiers based on their strengths and weaknesses.

It uses a broad, qualitative methodology assessing each state's capabilities across 7 categories and analyzes each state's cyber ecosystem and how it intersects with security, economic and military issues.

15 states are assessed total: 4 Five Eyes members, 3 allies, 4 viewed as threats, and 4 at earlier stages. They are the US, UK, Canada, Australia, France, Israel, Japan, China, Russia, Iran, North Korea, India, Indonesia, Malaysia, and Vietnam.

CYBER CAPABILITIES AND

NATIONAL POWER:
A Net Assessment
This report sets out a new methodology for assessing cyber power, and then applies
it to 15 states:

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment


Four members of the Five Eyes intelligence alliance – the United States, the
„
United Kingdom, Canada and Australia

Three cyber-capable allies of the Five Eyes states – France, Israel and Japan
„

Four countries viewed by the Five Eyes and their allies as cyber threats – China,
„
Russia, Iran and North Korea

Four states at earlier stages in their cyber-power development – India,


„
Indonesia, Malaysia and Vietnam

The methodology is broad and principally qualitative, assessing each state’s


capabilities in seven different categories. The cyber ecosystem of each state
is analysed, including how it intersects with international security, economic
competition and military affairs.
On that basis the 15 states are divided into three tiers: Tier One is for states with
world-leading strengths across all the categories in the methodology, Tier Two is for
those with world-leading strengths in some of the categories, and Tier Three is for
those with strengths or potential strengths in some of the categories but significant
weaknesses in others.
The conclusion is that only one state currently merits inclusion in Tier One.
Seven are placed in Tier Two, and seven in Tier Three.
This report is the first product of a cyber-power project undertaken by the
International Institute for Strategic Studies. Assessments of the cyber capabilities of
CYBER CAPABILITIES
AND NATIONAL POWER:
many other states will be published in the coming years.

The International Institute for Strategic Studies (IISS)


A Net Assessment
The IISS, founded in 1958, is an independent centre for research, information and
debate on the problems of conflict, however caused, that have, or potentially have,
an important military content.

The International Institute for Strategic Studies – UK


Arundel House | 6 Temple Place | London | wc2r 2pg | UK
t. +44 (0) 20 7379 7676 f. +44 (0) 20 7836 3108 e. iiss@iiss.org www.iiss.org

The International Institute for Strategic Studies – Americas


2121 K Street, NW | Suite 600 | Washington, DC 20037 | USA
t. +1 202 659 1490 f. +1 202 659 1499 e. iiss-americas@iiss.org

The International Institute for Strategic Studies – Asia


9 Raffles Place | #49-01 Republic Plaza | Singapore 048619
t. +65 6499 0055 f. +65 6499 0059 e. iiss-asia@iiss.org

The International Institute for Strategic Studies – Europe


Pariser Platz 6A | 10117 Berlin | Germany
t. +49 30 311 99 300 e. iiss-europe@iiss.org

The International Institute for Strategic Studies – Middle East


14th floor, GBCORP Tower | Bahrain Financial Harbour | Manama | Kingdom of Bahrain
t. +973 1718 1155 f. +973 1710 0155 e. iiss-middleeast@iiss.org
THE INTERNATIONAL INSTITUTE FOR STRATEGIC STUDIES
CYBER CAPABILITIES AND
NATIONAL POWER:
A Net Assessment
The International Institute for Strategic Studies
Contents

Preface i
The Cyber-Power Project: Context and Methodology 1
Country Studies
1. United States 15
2. United Kingdom 29
3. Canada 39
4. Australia 47
5. France 57
6. Israel 69
7. Japan 79
8. China 89
9. Russia 103
10. Iran 115
11. North Korea 125
12. India 133
13. Indonesia 143
14. Malaysia 153
15. Vietnam 161
Net Assessment 171

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment


The International Institute for Strategic Studies
Preface

In February 2019 the International Institute for Strategic actions in cyberspace.5 In March 2020, Trump declared a
Studies (IISS) announced in a Survival article its intention to national emergency in cyberspace,6 the fourth time in five
develop a methodology for assessing the cyber capabilities years that a US president had done so. In April 2021, China
of states and how they contribute to national power.1 Here, referred to the US as the ‘champion’ of cyber attacks.7 A
we set out that methodology, use it to assess 15 countries, month later, the G7 foreign ministers’ meeting called on
and draw out the overarching themes and conclusions. both Russia and China to bring their cyber activities into
This report is intended to assist national decision- line with international norms.8 Overall, this report pro-
making, for example by indicating the cyber capabilities vides substantial further evidence that, for many countries,
that make the greatest difference to national power. Such cyber policies and capabilities have moved to centre stage
information can help governments and major corpora- in international security.
tions when calculating strategic risk and deciding on The countries covered in this report are the US, the
strategic investment. United Kingdom, Canada and Australia (four of the Five
While other organisations have developed index-based Eyes intelligence allies); France and Israel (the two most
methodologies,2 with most focusing principally on cyber cyber-capable partners of the Five Eyes states); Japan (also
security, our methodology is broader: it is principally qual- an ally of the Five Eyes states, but less capable in the secu-
itative and analyses the wider cyber ecosystem for each rity dimensions of cyberspace, despite its formidable eco-
country, including how it intersects with international nomic power); China, Russia, Iran and North Korea (the
security, economic competition and military affairs. principal states posing a cyber threat to Western interests);
The 15 studies represent a snapshot in time: the national and India, Indonesia, Malaysia and Vietnam (four coun-
circumstances of each state will of course evolve, and cyber tries at earlier stages in their cyber-power development).
strategies and investments will face challenges from many We assess each country’s capabilities in seven
sources, including the COVID-19 pandemic. Nevertheless, categories:
for each state, most policies and trends in capability are
likely to endure. • Strategy and doctrine
The studies have been conducted against the back- • Governance, command and control
ground of intensifying international confrontation in • Core cyber-intelligence capability
cyberspace. Several reference points can be cited by way of • Cyber empowerment and dependence
illustration. In 2015, China’s new military strategy declared • Cyber security and resilience
that ‘outer space and cyber space have become new com- • Global leadership in cyberspace affairs
manding heights of strategic competition’ between states.3 • Offensive cyber capability
In 2016, the Unites States accused the Russian government,
and President Vladimir Putin personally, of ordering a sus- Key assessments are summarised in a single para-
tained information attack on the US presidential election.4 graph at the start of each chapter.
In May 2019, then-president Donald Trump foreshadowed The IISS intends to continue its research into cyber
a technology war with China if it continued its malign power and to lead expert dialogue on the subject, guided

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment i


by its teams in Berlin, London, Manama, Singapore and We have relied on the input of many experts and wish
Washington DC. In future publications we intend to to thank all of them. The IISS is the sole author of this
conduct a deeper analysis of offensive cyber campaigns. publication and takes full responsibility for its contents.

Notes

1 See Marcus Willett, ‘Assessing Cyber Power’, Survival: Global Chain’, 15 May 2019, https://trumpwhitehouse.archives.gov/
Politics and Strategy, vol. 61, no. 1, February–March 2019, pp. 85–90. presidential-actions/executive-order-securing-information-
2 Examples include the International Telecommunication communications-technology-services-supply-chain.
Union’s Global Cybersecurity Index, the Potomac Institute’s 6 White House, ‘Text of a Letter from the President to the

Cyber Readiness Index 2.0 and the Harvard Kennedy School’s Speaker of the House of Representatives and the President of

National Cyber Power Index 2020. the Senate’, 30 March 2020, https://trumpwhitehouse.archives.

3 State Council Information Office of the People’s Republic gov/briefings-statements/text-letter-president-speaker-house-

of China, ‘China’s Military Strategy’, 27 May 2015, http:// representatives-president-senate-67.

english.www.gov.cn/archive/white_paper/2015/05/27/ 7 Nick Wadhams, ‘U.S.–China Talks in Alaska Quickly Descend

content_281475115610833.htm. Into Bickering’, Bloomberg, 19 March 2021, https://www.

4 United States Office of the Director of National Intelligence, Assessing bloomberg.com/news/articles/2021-03-18/u-s-china-meeting-

Russian Activities and Intentions in Recent US Elections, 6 January will-underscore-biden-s-continuity-with-trump.

2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf. 8 ‘G7 Foreign and Development Ministers’ Meeting, May 2021:

5 White House, ‘Executive Order on Securing the Information Communiqué’, London, 5 May 2021, http://www.g7.utoronto.ca/

and Communications Technology and Services Supply foreign/210505-foreign-and-development-communique.html.

ii The International Institute for Strategic Studies


The Cyber-Power Project:
Context and Methodology

Over the last 20 years, cyber capabilities have become a These media reports only tell a small part of the story.
formidable new instrument of national power. As well as State cyber operations to reconnoitre and gain a pres-
using such capabilities to obtain state secrets from each ence on relevant networks are occurring every second
other, as in traditional espionage, states have also used and are now a permanent feature of cyberspace. The
them for a range of other, more threatening purposes. risk of miscalculation is high. Reconnaissance or prepo-
These include bolstering their own economic develop- sitioning could be misinterpreted by the defender as an
ment by stealing intellectual property; threatening to actual attack, and therefore provoke retaliation. Inserted
disrupt the financial institutions, oil industries, nuclear code could malfunction, causing an accident. Escalation
plants, power grids and communications infrastructure of could easily spiral out of control as a result, which is
states they regard as adversaries; attempting to interfere perhaps the gravest risk entailed in state-on-state cyber
in democratic processes; degrading and disrupting mili- operations. Other risks include the acquisition of state
tary capabilities in wartime; and, in one case, constraining capabilities by criminals or terrorists, and the ease with
the ability of another state to develop nuclear weapons. which states can find highly effective offensive tools on
The state-on-state cyber operations revealed in the the open market (the so-called ‘low point of entry’).
media include those by the United States and Iran against In short, cyberspace has become, perhaps inevi-
each other; Israel and Iran against each other; Russia tably, a key and risky new environment for statecraft
against Estonia, Georgia and Ukraine; and Chinese and competition between states in the twenty-first
attempts to steal intellectual property on an industrial century. It has also become a major, and arguably the
scale. Russian operations against the democratic process major, domain for organised crime. There are no reli-
in the US and United Kingdom have received consid- able estimates of the costs of cyber crime at a national
erable attention, as have the US retaliatory operations level.1 It is possible to document lower-end estimates of
against the St Petersburg-based group deemed to be certain types of cyber crime, such as credit-card fraud,2
partly responsible. A Russian cyber operation against but such sub-categories cannot capture the full range
the US in late 2020, the ‘SolarWinds hack’, has also been of economic costs from the many types of cyber crime
prominent. There have been operations by Iran against that extend beyond direct losses, for example by caus-
Saudi Arabia, by North Korea against Sony Pictures ing reputational damage or degradation of share value.
and the global banking system, and by the US, the UK Since 2017 there has been a surge in reported losses from
and Australia against the Islamic State (also known as ransomware (malware that prevents access to critical
ISIS or ISIL). Some operations have been conducted in data until the required ransom amount is paid), which
an unrestrained manner, resulting in many unintended have totalled tens of billions of dollars. The damage
victims. For example, the NotPetya malware that the done by the various types of cyber crime has inevitably
Russians used against Ukraine severely damaged the led to a new world of litigation, regulatory fines and
Maersk shipping line, and the WannaCry malware the insurance claims. In addition, terrorist groups such as
North Koreans used against the global banking system ISIS and al-Qaeda aspire to become more cyber-capable,
affected the UK’s National Health Service. while political-activist groups of all stripes now view

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 1


cyberspace as an indispensable medium through which digitally from home as a result of COVID-19 has had
to advance their causes. The threats to any state and its obvious implications for cyber security, with a spike
citizens in cyberspace are many and varied. in malign cyber activity. This should not be a surprise,
States are therefore trying to mitigate the risks that as the restrictions on human mobility have massively
cyber threats pose to their digital economies, critical decreased the opportunities for criminality and state
national infrastructure and citizens by making consid- espionage in the physical world while increasing them
erable investment in protective cyber-security capa- commensurately in the digital one. Opportunities are
bilities. These are fuelling the growth of a globalised now proliferating for individuals who can steal, defraud
cyber-industrial sector. States are incorporating cyber and spy digitally from home. However, there are perhaps
capabilities into their national investment strategies and other, more positive lessons to draw. Before COVID-19,
their military doctrines and plans, and increasing the the world was already dealing with another kind of virus
tempo of their cyber-related activities. pandemic – in cyberspace. Every day, national security
More fundamentally, states have realised the degree and global prosperity are being significantly damaged
to which their economic prosperity, as well as their by cyber infections. While of course the threat to human
national security and geostrategic influence, is depend- health and life is less serious than that from biological
ent on their management of cyber risks. This becomes viruses, it nevertheless remains conceivable that cyber
even more critical as the everyday lives of their busi- operations, if unchecked, will cause even greater destruc-
nesses and citizens become more internet-dependent, tion, and potentially also deaths, either by accident or
given the roll-out of the Internet of Things (‘smart’ design. Lessons from the way states have collaborated
homes in smart cities, with driverless vehicles on smart to fight COVID-19 – for example on movement restric-
roads). States are therefore trying to shape, influence tions and the supply of personal-protection equipment,
and, in some cases, control the future design and gov- and in seeking to develop therapeutic remedies and via-
ernance of the internet. Some states, led by Russia and ble vaccines – might therefore be applicable to dealing
China, have for many years been advocating in the with this cyber pandemic. For example, the international
United Nations for a new internet-governance model approach to establishing meaningful norms of behaviour
that would see greater state control rather than the for cyberspace could be intensified. States could increase
predominant ‘multi-stakeholder’ balance between gov- their efforts to work together to combat cyber crime glob-
ernments, the private sector, interest groups and indi- ally, perhaps with some form of sharing between states
viduals, commonly referred to as ‘internet freedom’. At of the technical ‘DNA’ of cyber-criminal threats in the
the heart of the national strategies of the US and China, same way that the DNA of COVID-19 has been shared.
and the trade war between them, is competition for con- Moreover, some of the post-COVID-19 lessons about the
trol over the technologies that physically underpin the importance of increasing national and global resilience
future of cyberspace – such as microchip production, to strategic shocks will be equally applicable to plans for
computer assembly, mobile internet (such as 5G), cloud dealing with a cyber catastrophe.
architectures, cables and routers. In 2020, moves by the As national prosperity, security and statecraft have
US to ban the Chinese software applications TikTok and become increasingly reliant on cyberspace, understand-
WeChat under the Clean Network programme3 added ing the development and use of cyber power by states
a further dimension, in some ways paralleling China’s has become paramount. That is why the IISS has devel-
long-standing ban on US software applications as part oped a methodology for assessing national cyber power.
of its ‘Great Firewall’. Given the geostrategic, economic
and security advantages that a leadership position in Methodology
advanced information technologies would bring, states A number of organisations have developed method-
in the twenty-first century recognise they can only be ologies for measuring cyber power. The majority have
superpowers if they are digital superpowers. focused principally on cyber security and have been
The huge surge in the number of people working index-based. By contrast, the IISS methodology is

2 The International Institute for Strategic Studies


holistic, covering all the facets outlined above, and is can a state best protect itself against a cyber-capable
principally qualitative. adversary by isolating from the global internet? Our
This report does not consider non-state actors unless assumption is that any dependence on internet con-
we assess that the development and/or use of their cyber nectivity brings with it an inherent vulnerability; but it
capabilities is directed by a state. We include the Iranian also brings the data, global reach and networking that
Cyber Army, for example, as part of Iran’s state capa- empower twenty-first-century economies, statecraft
bility, and the St Petersburg-based Internet Research and warfare. We therefore consider both sides of the
Agency as part of Russia’s. As for cyber criminality, it coin. To understand the contours of the dependence,
is beyond our scope apart from in cases where there is a we look at the vibrancy and scale of the country’s digi-
proven nexus with a state. tal economy, including its international relationships in
We assess each country in seven categories: this area. We are guided by the G20’s definition of the
digital economy, adopted in 2016, which sees it as the
• Strategy and doctrine entirety of the economic impacts of modern informa-
• Governance, command and control tion and communications technology (ICT) throughout
• Core cyber-intelligence capability all sectors, rather than just the estimated value of ICT
• Cyber empowerment and dependence companies’ output of goods and services. We also look
• Cyber security and resilience at what may be termed sovereign economic power in
• Global leadership in cyberspace affairs the cyber domain. It is beyond the scope of this report to
• Offensive cyber capability analyse the whole scientific and technological founda-
tion of each country’s digital economy; instead we use
Under strategy and doctrine, we analyse the most assessments of research into and use of artificial intel-
important government documents, regardless of the ligence (AI) as a proxy indicator.4
formal titles assigned to them. We review, for example, The category of cyber security and resilience cov-
documents that set out priorities and budgets, describe ers a state’s core cyber-security capability, including its
management policy or organisational change, or aim to ability to respond to, and recover from, significant cyber
raise public awareness of national strategy. Unlike most incidents and emergencies. It also includes the setting of
index-based models, we examine the evolution and security standards, technical innovation, sector-specific
judge the quality of the strategies and doctrines, rather risk management, the effectiveness of the indigenous
than just noting their existence. cyber-security industry, and the degree to which the
Under governance, command and control, we cover country has been able to develop and expand a cyber-
the top-level governmental and military structures, as specialist workforce. To provide something of a stand-
well as those at the more operational level. We show ardised measure of national cyber security, we include
how these structures have evolved over time, as well as in each study a reference to the country’s ranking in
examining their effectiveness today. the 2018 Global Cybersecurity Index compiled by the
At the heart of any nation’s cyber capability, both defen- International Telecommunication Union (ITU).
sive and offensive, is the ability to identify and understand Under global leadership in cyberspace affairs, we
threats and opportunities in cyberspace. Many sources of consider the extent to which a country engages in, influ-
information contribute to such situational awareness, but ences and attempts to lead international collaboration
the most vital is a core cyber-intelligence capability (also on cyber matters. The category therefore includes rele-
commonly referred to as a ‘cyber-espionage’ capability). vant international diplomacy, formal alliances, engage-
While we have included this as a category, it has proven ment in international forums, and participation in
hard to measure objectively given the understandable international technical cooperation and arrangements
lack of publicly available information. for mutual assistance.
In considering cyber empowerment and depend- Our use of the term offensive cyber covers cyber oper-
ence, we are addressing a frequently asked question: ations that are principally intended to deliver an effect

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 3


rather than those principally intended to gather intel- worldview of each country, as well as large diver-
ligence. Such operations range from those designed for gences in the quality and quantity of available source
cognitive effects to those designed for physical destruc- material. The content of the studies has been harmo-
tion – whether in peace or war, and regardless of whether nised only to the extent needed to address the main
the operations are run by civilians or the military, or research questions.
whether the targets are civilian or military. Various other The data underpinning our analysis was gathered
terms are commonly used for such operations, includ- through research of published material and, in some
ing ‘computer-network attack’, ‘computer-network cases, interviews with experts. The amount of pub-
operations’, ‘cyber-enabled information operations and licly available data on cyber capabilities is greater than
warfare’, ‘cyber-influence operations’ and ‘cyber effects’. might be expected, making feasible some objective
Terms such as ‘cyber espionage’ and ‘computer-network measurement. This is particularly true of the essen-
exploitation’ apply to intelligence-gathering and are tial protective domain and any national economic and
covered in this report under core cyber-intelligence industrial components. The key facts in the studies
capability. We also consider the factors that dictate each include those that have emerged from published strat-
country’s use of its offensive cyber capability, including egies and plans, known investment of financial and
political will, legal regimes and ethical frameworks. human resources, known operational use, and testing
The countries assessed in this report are: and exercising activities. We have also taken account
of various non-governmental and academic indi-
• Four of the five states that make up the Five ces, including the ITU’s Global Cybersecurity Index.
Eyes intelligence alliance: the US, the UK, Offensive cyber and intelligence capabilities are,
Canada and Australia unsurprisingly, the most difficult to measure objec-
• Three close cyber allies of the Five Eyes part- tively. For example, an absence of evidence for their
ners: France, Israel and Japan existence does not equate to evidence of their absence.
• The four states commonly viewed as the prin- Qualitative judgement therefore also forms a key part
cipal cyber threats to the Five Eyes and allied of the 15 country studies.
states: China, Russia, Iran and North Korea
• Four developing cyber states: India, Indonesia, Analysis
Malaysia and Vietnam.5 This section sets out some of the key themes to emerge
from our analysis of the 15 countries, along with observa-
There are of course many cyber-capable states absent tions about their relative standing in terms of cyber power.
from this list – notably Germany and some of the Nordic
and Baltic states in Europe; New Zealand; Singapore The challenges of national strategy for
and South Korea in the Far East; and Saudi Arabia and cyberspace
some other Gulf states in the Middle East. Taiwan is also All the countries assessed in this report, even the most
worthy of close analysis. This report includes no North powerful, have struggled to shape durable policy
or sub-Saharan African states, and none in Central or frameworks for cyberspace, either for the purpose of
South America. With this first compilation, our inten- exploiting new opportunities or defending against new
tion was to apply the methodology to most of the sig- threats. The dynamism of the cyber environment (in
nificant current cyber powers and to a small selection of technologies, economics, politics and security affairs)
developing powers, before applying it to a wider range has forced leading countries to undertake reappraisals
of states in due course. and revisions to key strategy documents on an almost
Each study was undertaken by a specialist, answer- continuous basis. In ways that vary from country to
ing a set of detailed questions for each of the seven country, the traditional structures of government, cor-
categories in the methodology. The resulting narra- porate management and social organisation consist-
tives inevitably reflect the specific circumstances and ently struggle to adapt in a timely fashion. Though

4 The International Institute for Strategic Studies


‘disruptive’ is perhaps an overused term, it is the pre- most of what is needed for an offensive cyber operation.
dominant characteristic of the forces at play. As a result, organisations such as the National Security
Our research confirms that all countries are still in Agency in the US and Government Communications
the early stages of coming to terms with the strategic Headquarters in the UK have been the driving forces
implications of cyberspace. Ambitions and imagina- behind the national approach to cyber in their respec-
tive visions are plentiful and have already been mani- tive countries.
fested in pioneering projects that include smart cities, The US and the UK are among the countries where
driverless cars, remote surgery and military robotics. the need for greater transparency on cyber security has
In most countries, however, matching those ambitions been recognised. There have been various initiatives to
to national decision-making processes has proved dif- improve openness, including a greater sharing of data
ficult. The consumer-driven private sector remains well on threats and vulnerabilities with industry and the pub-
ahead of government regulation and policy. In several lic. On offensive cyber, it has so far proved difficult even
countries, the cyber-industrial complex is racing ahead to find the language for a more informed national and
with surveillance and intelligence capabilities, prompt- international public debate, but such an effort remains
ing dire warnings about the direction in which human essential if the risks are to be properly managed.
society may be headed. Some governments now see
cyberspace as an arena of existential competition, even High-tech industrial competition
as they try to put in place international collaborative The future cyber resilience of every state depends on the
systems to dampen competitive impulses. A sense of physical infrastructure underpinning the global internet,
crisis and inadequacy is pervasive in political circles, how it is built and by whom. Given the heated debate in
with private actors seemingly saying ‘catch me if you 2020 about Huawei, and the presumed risks entailed in
can’ to governments as they race to maximise immense using foreign equipment in critical national infrastruc-
profits. The impacts on the formulation of national ture, it is instructive to examine the current state of play
strategy have been both positive and negative, but few when it comes to national representation in global digi-
governments believe their current strategies are likely tal assets. The nationalities of the 51 telecommunications
to achieve their stated goals. or technology companies that appear in the 2020 Fortune
The inter-state competition in cyberspace has become ‘Global 500’ rankings reveal the extent to which those
a contest over the ability to develop effective strategies two sectors remain dominated by the US and its allies or
for national development and then implement them. close partners,6 which together provide no fewer than 43
Few countries have scored highly in this regard, but of the companies: 16 are American; ten are Japanese; six
the smaller countries, such as Israel, seem to have per- Taiwanese; two South Korean; eight Western European;
formed better than the larger ones. and one Mexican. The remaining eight companies are
Chinese, with their market share expanding in East and
The role of intelligence agencies Southeast Asia, sub-Saharan Africa and Latin America
Secrecy is one of the issues that impedes a more as part of China’s Digital Silk Road programme.
informed international approach to managing the For all countries, the use of digital technology relies
risks entailed in cyber operations, as sensitive intelli- to some extent on foreign-produced components, with
gence capabilities and the agencies that run them are the Chinese situation particularly instructive. China
at the heart of both the defensive and offensive opera- describes the eight American companies whose prod-
tions of all the leading states. For example, capabilities ucts are prevalent in its digital infrastructure as the
designed by Five Eyes countries to detect online ter- ‘eight guardian warriors’: Apple, Cisco, Google, IBM,
rorist activity after 9/11 have also proved essential in Intel, Microsoft, Oracle and Qualcomm. One way China
detecting and attributing cyber attacks. Likewise, sen- has sought to mitigate this perceived vulnerability is
sitive hacking techniques that states have developed to involve US companies in its internal cyber-security
in order to collect intelligence on adversaries provide governance, including for national technical standards,

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 5


allowing it some oversight of the use of US technology a vibrant, multibillion-dollar cyber-security industry,
in its networks. But achieving such oversight is difficult, as well as large investments in state-of-the art security
given the extent to which some US and Chinese entities by the internet service providers themselves. These
are entangled in cyberspace. For example, in September states also strive to retain a global, multi-stakeholder
2019, IBM and the Bank of China announced that they internet, with governance balanced across national
would expand their existing relationship to co-create governments, the private sector, non-governmental
new digital innovations for the financial industry, sup- organisations and academia.
porting tens of trillions of dollars of daily global finan- It is notable that in the ITU’s Global Cybersecurity
cial exchanges across shared infrastructure with agreed Index, the leading liberal democracies tend to score con-
common or compatible standards. Whether the tech- siderably higher on cyber security than the authoritar-
nical competition between the US and China, which ian states. This in part reflects the greater vibrancy of
intensified in 2020, will inevitably lead to an untangling their cyber-security industrial sectors. In the US, this
of such technical solutions, or even whether such an sector contributes a much larger portion of national
untangling is possible in today’s interconnected global GDP than, for example, in China, although the gap has
economy, remains to be seen. begun to narrow slightly.
In short, both methods for creating a whole-of-society
Whole-of-society approach to cyber security approach to cyber security seem to have strengths and
The most cyber-capable states are all pushing for what weaknesses, but the one employed by liberal democra-
could be described as a ‘whole of society’ response to cies may be the more effective overall.
cyber security. This entails close partnership and shar-
ing of information between the public and private sec- Offensive cyber
tors and academia, and similarly close civilian–military The leading cyber powers employ a variety of
partnerships. It also includes innovative upskilling and approaches to the development and use of offensive
education schemes, and campaigns aimed at heightening cyber capability. Those that can afford the largest
public awareness. investments in terms of personnel and money, such as
There are differences of approach, the US and China, tend to maintain
however. Predictably, the more a clear separation between military-
authoritarian regimes are employing What sets the and civilian-owned capabilities, even
a top-down method, with strict gov- US apart on where military–civilian cooperation is
ernmental control and direction, and strong. Some other countries, such as
are arguably more focused on control-
offensive cyber Australia, France, Israel and the UK,
ling the spread of content (ideas) over is its ability tend towards a more fused military–
the internet than on technical protec- to employ a civilian approach, compensating for
tion of critical networks. Accordingly,
China, Iran and Russia are each
sophisticated, a lack of resources through arguably
greater operational agility.
attempting to develop their own ‘sov- surgical Most states keep the development
ereign’ state-controlled internets to capability at and use of offensive cyber capability
enable them to isolate, if necessary,
from a global internet that they per-
scale under strict government control and
within the bounds of a strict legal
ceive as dominated by the US. regime. However, some governments
Liberal democracies, on the other hand, tend – Russia and Iran in particular – are more tolerant of
towards a more distributed approach, with national ‘patriotic hackers’ (private hackers who further the
innovation largely driven by the private sector and aca- interests of the state) and cyber-criminal groups operat-
demia, and with a key concern being how the privacy ing from their territories, sometimes even coordinating
of individual citizens’ data is protected. The result is with them.

6 The International Institute for Strategic Studies


There are also some key doctrinal differences. For US is more likely to have been the victim of an offen-
both China and Russia, what the West calls ‘offen- sive cyber attack than the perpetrator. The US may be
sive cyber’ is just the technical component of a wider the most powerful cyber state, but arguably other coun-
information-operations capability. It is just one means tries are making greater use of their cyber capabilities
of controlling their own information space, and sub- in order to exert power. This probably explains the US
verting those of their adversaries, in what they see as doctrinal shift in 2018 to the Cyber Deterrence Initiative
an ongoing conflict of ideas with the West. It is there- – a component of which is an attempt to transfer the
fore just as much an arm of those states’ propaganda day-to-day contest from its own networks to those of its
machines, and a means of creating and delivering ‘fake perceived adversaries.
news’, as it is a means of penetrating an adversary’s crit- International dialogue and agreement on the use of
ical infrastructure. In one sense this gives both China offensive cyber capabilities is sparse, given the sensi-
and Russia the advantage of having a more integrated tivity of the capabilities involved. Overarching cyber
approach to how cyber capability is employed as part norms of behaviour (non-binding and voluntary) have
of a wider geopolitical strategy. But this doctrinal dif- been developed under UN auspices, with the norm
ference may have resulted in China and Russia devot- attempting to limit the targeting of critical national
ing fewer resources than the US to developing the types infrastructure of particular relevance.7 In 2020, work
of military offensive cyber capability that are designed led by the International Committee of the Red Cross
surgically to bring down sophisticated critical civil- started to focus on further defining a responsible state
ian and military networks during an armed conflict. use of offensive cyber. This work differentiates between
Russia’s attempts in the United Nations to outlaw such the surgical and controlled use of sophisticated tools
‘military’ capabilities, and its use of relatively blunt designed to minimise collateral damage (as with
tools such as NotPetya against Ukraine, may be indica- Stuxnet) and, for example, the uncontrolled exploitation
tors of this asymmetry in capability. of global IT vulnerabilities with little thought given to
What sets the US apart on offensive cyber is its ability the likelihood of widespread collateral damage (as with
to employ a sophisticated, surgical capability at scale. It NotPetya and WannaCry). These, though, are excep-
has the advantage of being the global first mover, hav- tions that prove the rule. Generally, in order to manage
ing invested earlier and more heavily than China and the risks of uncontrolled proliferation and escalation,
Russia in the underpinnings of cyber power. US offen- more common ground needs to be found for inter-state
sive cyber potential also benefits from close alliances dialogue on offensive cyber. This will involve states
with other cyber-capable states. Notably, the sophisti- thinking creatively about how they balance greater
cated cyber operation to disrupt Iranian nuclear enrich- transparency with the understandable need to protect
ment, revealed in 2010, was only midway through sensitive national capability.
approximately 25 years of experience that the US has
accumulated. That said, offensive cyber operations do Resources
not need to be sophisticated to achieve strategic effect. In trying to measure cyber power, it is necessary to assess
Iran and North Korea, operating alone, have been able the inputs, such as human capital (numbers of people),
to develop and use relatively unsophisticated tech- money invested and the quality of technologies used.
niques against neighbouring countries. They have also However, in the case of every country, the number
reached beyond their regions, including into the main- of people allocated to cyber roles is difficult to gauge.
land US, in ways that their conventional capabilities Published figures often cover only dedicated cyber-
cannot achieve. Russia’s interference in US democratic security professionals in specialist government agencies
processes is another prime example of successful use of and do not take account of wider public- and private-
unsophisticated cyber operations. This means that dur- sector capacity. Measuring the size of the effort dedicated
ing the last decade, given its different doctrinal approach to military effect is particularly difficult. The US military
and greater regard for legal and ethical constraints, the has indicated the size of its dedicated cyber units, but

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 7


such raw numbers (6,000 in the case of Cyber Command, While attempting some estimate of the human and
for example) do not include the large workforce involved physical resources is important, we also acknowledge
in support roles, especially intelligence collection, in that the principal determinants of a state’s ability to
agencies with broader functions. All countries rely on exploit cyber power are political will and the quality of
close partnerships between the armed forces, civilian the cyber operations that are tailored to those particular
agencies and the private sector, and these are delivered political objectives. These are human factors and they
in different ways and proportions by each country. are not easily quantified; indeed, in most cases they are
In the cases of China and Russia, we may know their not even observable.
approximate numbers of dedicated information-warfare
personnel but we should not count all of these as cyber, International alliances
as an unknown proportion of them undertake more What individual countries lack in terms of resources
intelligence-related or traditional information-warfare and expertise, they may be able to make up for through
roles that do not require cyber means. We also cannot international alliances. The dominant cyber alliance
easily distinguish between the numbers of people is without doubt the one built on the 65-year-old Five
allocated exclusively to cyber espionage and those Eyes intelligence partnership. All five countries are
allocated to non-espionage military cyber operations. individually cyber-capable – with the US the most
Nevertheless, the published strategies, doctrines and capable of all – but they each gain significantly from the
plans of the US, China and Russia indicate that they are alliance. France, Israel and Japan are among the other
likely to have the largest numbers of personnel dedicated states that also have mutually beneficial cyber alliances
to military cyber operations (mostly espionage), with with individual Five Eyes members. China, Iran, North
personnel strength amplified particularly in the US by Korea and Russia, meanwhile, do not have a meaning-
the large number of people with cyber-relevant skills ful cyber alliance either with each other or with any
who are employed in the private sector. other state.
However, in cyber operations, while numbers can
make a difference, the crucial factor is skills (indeed, one Military transformation
highly skilled individual could defeat an inadequately Several states have moved decisively to transform their
trained cyber division of 10,000). Every cyber-capable military strategies, doctrines and structures to recognise
country, whether authoritarian or liberal-democratic, both the opportunities and the threats created by cyber-
has therefore identified skills shortages as a major risk. space technologies. Leading states, particularly the US
Each has embarked on upskilling and training initiatives, and China, envisage future warfare being won and lost
although, as our country studies indicate, cyber-related in a cyberspace enabled by artificial intelligence and
research and education appear to be stronger in the space platforms.
liberal-democratic states. From a cyber perspective, the Several factors have shaped those transformations,
education systems of China and Russia remain relatively including the scale of cyber vulnerability in legacy
underdeveloped, as do those of Iran and North Korea. systems, national cyber-industrial and skills potential,
The size of financial investment in cyber capabili- the extent of reliance on civilian intelligence capability,
ties is also hard to measure, for the same reasons. But leadership commitment, and resistance from military
again, the studies suggest that the investments by the traditionalists. No state has yet made a transition in its
US, China and Russia are the largest. As a proportion current armed forces to well-integrated and broadly
of GDP, and taking into account their growing cyber- dispersed cyber capabilities, either for defensive or
related private sectors and academia, investment by the offensive purposes. The US has probably gone furthest.
UK and Israel also looks significant. It is notable that One implication of this gradual and only partial tran-
Chinese specialists regularly bemoan the low propor- sition is that the full potential of military cyber power
tion of GDP that their country spends on cyber security in the medium term – in the 2030s, say – has yet to be
in comparison with the US. demonstrated in practice.

8 The International Institute for Strategic Studies


Strategic shock Movement of 2009, for example). Its development and
The expanding development and use of cyber capabilities use of offensive capabilities, for example against Saudi
by states has to some extent been escalated by strategic Aramco, was direct retaliation for the shock of the
shocks. The first of these came in 1991, during the First Stuxnet hack into its nuclear-enrichment programme.
Gulf War, when the US proved capable of integrating
intelligence and precision-guided weapons to a degree Tiering
that China and Russia had not yet imagined. US opera- Using the methodology to rank the 15 countries by
tions in 1999 against the Federal Republic of Yugoslavia’s cyber capability, we identify three broad tiers. Tier
forces in Kosovo had a similar shock effect, as described One: world-leading strengths in all the categories in
in subsequent speeches by then Chinese president Jiang the methodology. Tier Two: world-leading strengths in
Zemin. Several senior US military figures have alluded some of the categories. Tier Three: strengths or poten-
to the offensive cyber operations that formed part of that tial strengths in some of the categories but significant
campaign. Later, the presumed use of cyber tools in US weaknesses in others. There are also cyber weaknesses
military operations in Iraq in 2003 attracted widespread among the states in Tier Two, and even in Tier One, but
attention, as did the perceived role of the internet in the they are minor when compared with the significant
various so-called ‘colour revolutions’ of the 2000s in weaknesses that consign states to Tier Three. We have
Georgia, Kyrgyzstan and Ukraine. As a result of their drawn the following broad conclusions.
perceived relative vulnerabilities, China and Russia The US remains the most cyber-capable state. Since
began pushing via the UN, as early as 2003, for greater the mid-1990s its leaders have provided clear political
state control over their ‘sovereign’ cyberspace. direction for the pursuit of national cyber power: in that
Arguably the biggest shock was still to come, how- time it has invested heavily in developing relevant civil-
ever: the 2013 Edward Snowden leaks, with their rev- ian and military capabilities, gained extensive opera-
elations about the extent and sophistication of US and tional experience and developed the world’s strongest
allied cyber capabilities, including the role played by digital-industrial base. This is highlighted by the range
leading US digital companies in enabling intelligence of US companies capable of detecting and attributing
collection. China and Russia were at the same time cre- state cyber attacks and the proven sophistication of the
ating their own shocks in cyberspace – most famously US offensive cyber capability, military or otherwise. US
the Chinese theft of Western intellectual property on cyber strength is also founded on a world-class cyber-
an industrial scale, which had been tracked since at intelligence capability with global reach and state-of-
least 2011, and the attempted Russian interference in the-art cryptographic techniques, and is amplified by
US democratic processes, which began in 2014 and highly integrated partnerships with other states that
escalated in 2016. These in turn led the US to shift to are also among the most cyber-capable in the world.
the strategy of ‘persistent engagement’ and ‘defend Nevertheless, the ways in which the US wields its cyber
forward’ under its Cyber Deterrence Initiative, exem- power appear politically and legally constrained when
plified by the reported ‘strike back’ in 2018 against a compared with its main cyber adversaries – Russia,
Russian hacking group, the Internet Research Agency, China, Iran and North Korea. The US has sought to be
in the run-up to the US midterm elections. Russia’s a responsible offensive cyber actor, governed by inter-
intelligence-gathering hack into the US ICT supply national law and at pains to limit potential collateral
chain, discovered in late 2020 – the SolarWinds hack damage. It has also sought to manage its degree of
– seems to have been on a scale sufficient to constitute dependence on cyberspace, not only for the purpose
another strategic shock. of national security but also for economic and political
The story for Iran is similar, with its development of reasons. This challenge is exacerbated by the complex-
defensive cyber capabilities accelerated by its percep- ity of its cyber governance and command-and-control
tion of the role played by the internet in the Arab Spring structures, where the large number of agencies involved
of 2010–11 and in its own internal unrest (the Green is a potential impediment to the agility of operational

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 9


decision-making. These factors have combined to give separate from its cyber intelligence and offensive cyber.
the adversaries of the US an edge in the use of unso- While the French desire for national autonomy on intel-
phisticated cyber techniques that are aimed at subver- ligence may also have limited its progress in some areas,
sion but pitched below the legal threshold for an act this can be considered a strength when compared with
of aggression that might justify an armed response. countries that are overly dependent on international
Doctrinal shifts such as persistent engagement and alliances for cyber mass. France has only one represent-
defend forward are designed to redress this imbalance. ative among the 51 tech or telecoms companies in the
Nevertheless, the US performs strongly across all cat- 2020 Fortune Global 500.
egories of the methodology and is alone in Tier One. Canada has a particularly strong digital economy,
Below the US there is a second tier of seven coun- with a vibrant technical start-up ecosystem. It is one of
tries: in alphabetical order they are Australia, Canada, the world leaders on cyber security, founded on crea-
China, France, Israel, Russia and the UK. Each has tive partnering between its public and private sectors
world-leading strengths in some of the categories in and an innovative approach to developing skills. For
the methodology. Canada, and also for Australia, membership of the Five
Compared with the other countries in the second Eyes alliance is seen as a key means of compensating for
tier, the UK and Israel are particularly strong on any shortfall in indigenous capability. Canada’s devel-
cyber security, core cyber-intelligence (including opment and use of offensive cyber capabilities remains
cryptographic) capability, and the development and use nascent, however, whereas Australia has a developed
of sophisticated offensive cyber capability. With clear capability that it has used, for example, in joint oper-
political direction, both benefit from a whole-of-society ations with the US and the UK. Australia is trying to
approach to cyber security with a strong and growing boost its cyber-security and tech sectors, in which
cyber-security industrial base and innovative approaches it is starting from a lower base than Canada. Neither
to increasing their skilled capacity. They also possess a Canada nor Australia has a representative among the 51
vibrant technical-innovation and start-up ecosystem. tech/telecoms companies in the 2020 Fortune Global 500.
Israel’s cyber-intelligence strength appears to be heavily China and Russia both lag behind the Five Eyes
focused on its region, where it has no equal. The evidence nations, and Israel and France, in terms of cyber security.
indicates that the UK, on the other hand, has a cyber- Evidence for this comes from their own internal reports,
intelligence capability with a broader, worldwide reach. their low rankings in the ITU Global Cybersecurity
The UK also has two of the 51 tech or telecoms companies Index, their push at the UN since 2003 for greater state
that appear in the 2020 Fortune Global 500, while Israel control of sovereign cyberspace and their pursuit of some
has none.8 Both countries lag behind the US, Japan, technical isolation from the global internet (with China
China and others in their capacity to build future internet seemingly further ahead than Russia in this regard). A
infrastructure; both compensate for a comparative lack of contributory factor may be the comparative immaturity
cyber mass through close partnerships with the US, with of their cyber-security industries and their low skills
each other and with other cyber-capable nations; and bases. That said, both may have secretly improved their
both have conducted offensive cyber operations jointly defensive capabilities in response to the 2013 Snowden
with the US. revelations, although it is worth noting that particularly
France is also particularly strong on cyber security damning internal reports on the state of China’s cyber
and has a wide intelligence reach. But these capabili- security were produced in 2017 and 2018.
ties, together with French offensive cyber, probably lag In their development of offensive cyber mass, the
behind those of the US and the UK in terms of strength scale of their respective operational experience, their
and depth, given France’s surprise at the Five Eyes proven reach on cyber espionage and the clarity of their
capability revealed by Snowden. One contributory fac- political direction and doctrinal thinking, China and
tor may be that, unlike all the other countries in this sec- Russia probably surpass all other states except the US.
ond tier, France keeps its cyber security organisationally Furthermore, their adoption of cyber techniques for mass

10 The International Institute for Strategic Studies


influence and subversion as part of wider information building new capability with the help of key interna-
campaigns against adversaries is arguably without tional partners – including the US, the UK and France
parallel. But the degree to which both Russian and Chinese – and by looking to concerted international action to
cyber operations are detected and attributed, particularly develop norms of restraint.
by specialist Western companies, raises important Indonesia has ambitious plans to develop its digital
questions. It is difficult to ascertain whether the detection economy (only 73% of Indonesians currently use the
of those operations is mainly the result of their lacking the internet) but is a late starter on cyber security, with pro-
highest levels of technical sophistication and employing gress slow in the face of the major threats it faces from
poor tradecraft, whether China and Russia care less than cyber crime and cyber-based terrorist propaganda. Its
Five Eyes countries about getting caught, or even whether cyber-intelligence capabilities are well developed for
other, more sophisticated capabilities may be concealed internal surveillance but are embryonic elsewhere, as
in the sheer volume of activity. Finally, while none of the too is its offensive cyber capability.
51 tech/telecoms companies in the 2020 Fortune Global Iran has used relatively unsophisticated offensive
500 are Russian, eight are Chinese, and that number will cyber capabilities for diverse goals: to counter domestic
probably rise in coming years. This means that overall, subversion, for its own subversive operations abroad
despite questions about its cyber security, China is the and for power projection. In doing so, it has shown a
only state currently on a trajectory to join the US in the relatively high level of operational maturity and a clear
first tier of cyber powers. This trajectory might be slowed leadership embrace of cyber operations as useful instru-
by the moves the US has made since 2019 to close its ments of power, allowing it to reach outside its immedi-
markets, and those of its allies, to certain Chinese digital ate region in ways that are beyond its more conventional
companies. However, China has two distinct advantages: capabilities. Iran’s cyber capabilities are amplified by its
it is home to one billion of the world’s estimated four- use of internal proxies such as the Mabna Institute and
and-a-half billion internet users (more than the US and the Iranian Cyber Army. Iran has also provided some
Europe combined); and the comparative cheapness of cyber tools and training to its favoured external part-
Chinese technology makes it attractive to developing ner, Hizbullah. However, Iran almost certainly lacks
countries, especially those inclined to use it for internal any high-intensity-warfare-grade offensive cyber capa-
surveillance. China is attempting to exploit the latter bility. The ITU has listed a range of Iranian deficiencies
advantage under the Digital Silk Road component of its on cyber security, giving the country a low position in
Belt and Road Initiative. its cyber-security index. Iran’s population is increas-
Of the 15 countries assessed in this report, seven are ingly internet-dependent, with the government aiming
in a third tier. These countries are at much earlier stages to provide certain services entirely online, but generally
in their cyber journeys, each having strengths or poten- the country lacks digital resilience and contingency pre-
tial strengths in some of the categories in the meth- paredness owing to technological, organisational and
odology but significant weaknesses in others. A more economic deficiencies. It is aiming for a strategic solu-
granular ranking within this third tier could cut sev- tion by investing heavily in creating its own national
eral ways, depending on which of the categories in the internet platform – but, despite its claims to the con-
methodology are deemed the most important. Below, trary, that is not a near-term prospect. Iranian cyber-
the countries are simply listed in alphabetical order. intelligence capabilities are strong regionally, and may
India has a large digital economy but, as in other have benefited from some intelligence cooperation with
areas, its complex bureaucracy slows its advance in Russia during the war in Syria.
cyber security, leaving it in a low position in the ITU’s Japan has the advantage of a world-leading internet-
Global Cybersecurity Index. The country has some related high-tech industry. It has ten of the 51 tech/
cyber-intelligence and offensive cyber capabilities but telecoms companies in the 2020 Fortune Global 500 –
they are regionally focused, principally on Pakistan. It ahead of China and Western Europe, and second only
is currently aiming to compensate for its weaknesses by to the US. But its cyber-security capability is not strong,

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 11


and it is now seeking to compensate for that by closer and are highly vulnerable to disruption. This means the
partnerships with the US and others. For constitutional country is often obliged to deploy its operators abroad in
reasons, Japan has so far developed no offensive cyber order to deliver any type of cyber effect.
capability. There are indications, however, that it may Vietnam has prioritised the development of its ICT
be willing to reconsider how its constitutional bounda- sector and the construction of e-government platforms.
ries apply to the cyber domain. Although policies surrounding information security
Malaysia was the first member of the Association have been published and basic cyber-security structures
of Southeast Asian Nations to move strongly on cyber- established, the fact that a comprehensive national cyber-
security policy and to focus on expanding its ICT sector. security strategy remains unpublished both undermines
It remains highly regarded for its policies and its inter- the potential mobilisation of key stakeholders and lim-
national leadership in cyberspace affairs, but it does its public awareness. Government agencies still grapple
not make a strong contribution to the global ICT sector. with cyber-security issues owing to limited budgets and
There is little evidence of either core cyber-intelligence a severe shortage of cyber-security talent. The ruling
capabilities or the development of offensive cyber. Communist Party of Vietnam’s fear of internal subver-
North Korea has shown itself capable of significant sive threats may also tend to draw resources away from
harassment in cyberspace. It has used a proto-criminal technical cyber-skills training towards ideological work
modus operandi to conduct large-scale cyber fraud and and the management of public opinion, reducing the
extortion; to steal intellectual property and intimidate focus on the development of either defensive or offen-
other states in its region, especially South Korea; and sive cyber capabilities. To realise its digital ambitions
occasionally also for sabotage – either deliberate, as with Vietnam needs to strengthen training in cyber security,
Sony Pictures in 2014, or accidental, as with WannaCry prioritise support for domestic ICT firms and invest in
in 2017, when it lost control of a capability. But it lacks more advanced technologies for cyber security.
any sophisticated offensive cyber or cyber-intelligence
capability, and its cyber security is assessed by the ITU to Moving up
be among the weakest in the world. Generally, given its Of all the factors potentially contributing to a country
isolation, North Korea is hampered by a low cyber-skill moving up from one tier to the next, the most decisive
base, even though (contrary to popular belief) it has at appears to be strength in the core ICT industries. That
least four million devices connected to internal 3G mobile is why China, on its current trajectory and providing it
networks, its government operates an intranet, and parts addresses its weakness in cyber security, is best placed
of its critical national infrastructure rely on internet con- to join the US in Tier One. It is also why Japan, despite
nectivity. Its connections to the global internet are lim- the many weaknesses it needs to address, is the Tier
ited, rely on Chinese and Russian service providers, Three country best placed to rise into Tier Two.

Notes

1 For a discussion of the challenges, see Eileen Decker, ‘Full Count? workshop ‘Economics of Information Security’, Boston,

Crime Rate Swings, Cybercrime Misses and Why We Don’t Really US, 3–4 June 2019, pp. 5–8, http://orca.cf.ac.uk/122684/1/

Know the Score’, Journal of National Security Law & Policy, vol. 10, Levi_Measuring%20the%20Changing%20Cost%20of%20

no. 3, 13 February 2020, pp. 583–604, https://jnslp.com/wp-content/ Cybercrime.pdf.

uploads/2020/05/Crime-Rate-Swings-Cybercrime-Misses.pdf. 3 The US government’s Clean Network programme is aimed

2 See, for example, Ross Anderson et al., ‘Measuring the at protecting US citizens’ privacy and US companies’ most

changing cost of cybercrime’, paper presented to the 2019 sensitive information ‘from aggressive intrusions by malign

12 The International Institute for Strategic Studies


actors, such as the Chinese Communist Party’. See US 5 We decided to examine four developing cyber states from roughly

Department of State, ‘Announcing the Expansion of the Clean the same region of the world, choosing South and Southeast Asia.

Network to Safeguard America’s Assets’, 5 August 2020, https:// 6 For the tech companies in the 2020 Fortune Global 500 ranking, see

china.usembassy-china.org.cn/announcing-the-expansion-of- https://fortune.com/global500/2020/search/?sector=Technology.

the-clean-network-to-safeguard-americas-assets. For the telecoms companies, see https://fortune.com/

4 Because AI research is largely a globalised enterprise, attributing global500/2020/search/?sector=Telecommunications.

nationality to it is not easy. There are discrete sub-fields (up to 7 Agreement was reached in 2015 within a Group of Governmental

ten, depending on one’s perspective) and more than 20 sectors Experts appointed by the UN General Assembly on possible

of economic and social activity to which those sub-fields can voluntary norms governing international behaviour of states

be applied. The US leads the world by a wide margin in AI in cyberspace. The relevant UN document is Secretary-General,

applications for the health sector, and China may well rank quite ‘Group of Governmental Experts on Developments in the Field

highly in AI applications for energy efficiency. Moreover, as the of Information and Telecommunications in the Context of

Organisation for Economic Co-operation and Development International Security’, A/70/174, 22 July 2015, https://undocs.

(OECD) has noted, every country has its own distinct priorities org/A/70/174.

and enablers when it comes to exploiting AI for economic 8 See the lists of the leading tech and telecoms companies

gain – see OECD, Artificial Intelligence in Society (Paris: OECD among the 2020 Fortune Global 500: https://fortune.com/

Publishing, 2019), https://doi.org/10.1787/eedfee77-en. The same global500/2020/search/?sector=Technology and https://fortune.

caution about over-generalisation applies to the use of AI for com/global500/2020/search/?sector=Telecommunications

national-security or military purposes. respectively.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 13


14 The International Institute for Strategic Studies
1. United States

Dominance in cyberspace has been a strategic goal positions in certain aspects of the ICT sector,
of the United States since the mid-1990s. It is the though all but one (China) are close US allies or
only country with a heavy global footprint in both strategic partners. The US has moved more effec-
civil and military uses of cyberspace, although it tively than any other country to defend its critical
now perceives itself as seriously threatened by national infrastructure in cyberspace but recog-
China and Russia in that domain. In response, it is nises that the task is extremely difficult and that
taking a robust and urgent approach to extending major weaknesses remain. This is one reason why
its capabilities for cyber operations, both for sys- the country has for more than two decades taken a
tems security at home and for its ambitions abroad leading role in mobilising the global community to
in the diplomatic, political, economic and military develop common security principles in cyberspace.
spheres. The US retains a clear superiority over all The US capability for offensive cyber operations is
other countries in terms of its ICT empowerment, probably more developed than that of any other
but this is not a monopoly position. At least six country, although its full potential remains largely
European or Asian countries command leadership undemonstrated.

Strategy and doctrine


The United States has a series of well-developed national To complement and buttress the national-security
strategies for defence and security in cyberspace that has strategies, the US has also been developing its civil-sector
been maturing for more than 30 years. There are three cyber-security policy since the mid-1990s, initially with a
broad directions: homeland defence, low-intensity con- focus on countering cyber crime and preventing losses to
flict and high-intensity war. These are captured in rel- the corporate sector. Its formal strategy of 2018 has been
evant sections of the 2017 ‘National Security Strategy of followed by a very large number of executive orders
the United States’,1 the 2018 ‘Cyber Strategy of the United (including one on former president Donald Trump’s
States’2 and the 2018 ‘Department of Defense Cyber penultimate day in office),4 policy statements, action
Strategy’.3 These are supported by policy statements and plans and other decisions. Throughout the last three
doctrine manuals that run to several thousand pages. decades there has been a sharp and intensifying concern

List of acronyms
CDI Cyber Deterrence Initiative ISAC Information Sharing and Analysis Center
CISA Cybersecurity and Infrastructure Security Agency ITU International Telecommunication Union
DHS Department of Homeland Security NSA National Security Agency
DNI Director of National Intelligence NSC National Security Council
DoD Department of Defense ODNI Office of the Director of National Intelligence
ICT information and communications technology

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 15


about protecting the country’s critical information infra- in a highly advanced position in this regard. The strate-
structure (the cyber aspects of what most other countries gies and policies are comprehensive, as well as widely
simply refer to as ‘critical infrastructure’ or, as in the and effectively disseminated. Significant sections of
United Kingdom, ‘critical national infrastructure’).5 Key government, the armed forces, the business commu-
stakeholders (business, academics, government, state nity, civil society and academia are engaged in develop-
authorities, defence interests, the National Guard and ing those strategies and executing them. The strategies
privacy-protection groups) have become highly mobi- also recognise how rapidly the circumstances of cyber-
lised around ensuring an integrated national response, space are changing and the huge complexities that must
covering the human as well as the technical challenges be overcome in exploiting adversary weaknesses. The
involved in improving cyber security. speed at which the cyber threat has continued to evolve
The concern has been to plug the gaps that had resulted has proven highly disruptive even to a policy process as
in spectacular leaks of state secrets, theft of intellectual advanced as that of the US.
property, foreign interference through cyberspace in A key component of the 2018 cyber strategy is its
US politics, and the poor cyber-security performance of Cyber Deterrence Initiative (CDI).10 This states that the
many sectors of the economy and society. US will work closely with allies in responding to cyber
In military affairs, the US aims to provide cyber- attacks (including through intelligence-sharing), attrib-
attack options in all phases of operations and at every uting attacks, formulating public statements of support
level of command.6 On the defensive for actions taken and jointly impos-
side, the aim is to ensure that cyber ing consequences against those
defences are wide-ranging, robust and
Cyber responsible. While the national
highly resilient. In both regards the US governance in cyber strategy makes it clear that
has made more progress than any other the US is highly there are many non-cyber ways to
country. However, in the event of a retaliate, the 2018 DoD strategy sets
major conflict, it remains the case that
pluralistic out the role US cyber operations
the US – including its military – could are intended to play in assertively
be severely damaged by cyber attacks, given the coun- defending national interests. These include ‘defending
try’s high degree of digital dependence. Comprehensive forward’ on adversary networks in order to pre-empt
defence in cyberspace would be difficult or perhaps attacks, and competing constantly with adversary cyber
impossible to ensure in wartime.7 operators (‘persistent engagement’).
The US international strategy for cyberspace in peace
and war – as framed by the head of US Cyber Command, Governance, command and control
General Paul Nakasone – is to ‘achieve and maintain The US has been a world leader in promoting and
cyberspace superiority’.8 This formulation also precisely practising multi-stakeholder governance of security
captures the intention of the country’s political leaders. in cyberspace, doing so in a way that owes much to
The 2018 Department of Defense (DoD) strategy for its liberal political culture and institutions and to
cyberspace offers additional detail.9 In it, the US Joint robust opposition by the corporate sector to regula-
Chiefs of Staff set near-term objectives that recognise tion of private businesses. The latter factor is particu-
the limitations of current cyberspace capabilities, both larly relevant to the protection of critical infrastructure
offensive and defensive, with a clear view that offensive since most of it is in the hands of private businesses.
cyber operations will be directed towards maximising The federal character of the national political system
existing advantages, whether kinetic or informational. assigns to the 50 states, alongside other small politi-
Since the main positive impact of extensive and cal entities and administrations, significant roles in
detailed planning for cyberspace operations is the national cyber security, especially in countering cyber
potential for nationwide mobilisation of resources, both crime and in education. Cyber governance in the US is
for daily operations and emergencies, the US is clearly highly pluralistic.

16 The International Institute for Strategic Studies


In US cyber policy there are many channels of execu- authority for offensive operations. The unifying pur-
tive authority that flow from the president: the intel- pose has been to improve the capability and effective-
ligence community, the armed forces, departments of ness of defence and offence in cyberspace. The US has
state (Homeland Security, Defense, Justice, Commerce, invested heavily in these changes. For the 2021 fiscal
Energy and Transport) and other agencies (such as year the government requested US$18.7 billion for spe-
National Laboratories). These are all coordinated cific security initiatives.16
through the National Security Council (NSC), chaired For national-security policy in cyberspace, there are
by the president, and its Principals Committee, chaired many departments and agencies involved in authoris-
by the national security advisor.11 ing, commanding and controlling cyber operations.
For civil-sector cyber security, the federal govern- In addition to the White House and DHS, the most
ment has had two main channels for its policymaking. important are the DoD, as it contains the National
The first is in the White House, through the cyber direc- Security Agency (NSA) and Cyber Command; the State
tor on the staff of the NSC. The president is directly Department; the Office of the Director of National
supported by the homeland security advisor (serv- Intelligence (ODNI), which coordinates all the intel-
ing under the national security advisor) and a deputy ligence agencies; and the Central Intelligence Agency
national security advisor for cyber security and emerg- (CIA), which reports directly to the president while
ing technology.12 The second channel is outside the coordinating with the DNI.
White House, through the secretary of the Department For military planning and operations, the command-
of Homeland Security (DHS), a full member of the and-control arrangements match those of all military
NSC, and a new organisation set up in 2018 under activities. The president is the commander-in-chief, to
DHS, the Cybersecurity and Infrastructure Security whom the unified (theatre/domain) commands and the
Agency (CISA). single-service chiefs (army, navy, air force and marines)
These agencies rely on a long-standing policy of mobi- report. The function of commander-in-chief is exercised
lising (or sometimes effectively co-opting) private-sector through the secretary of defense, under a mechanism
and public participation in their initiatives. One vehicle called the National Command Authority. In 2012, then-
for this has been the president’s National Infrastructure president Barack Obama ordered that offensive cyber
Advisory Council, which brings together senior execu- operations conducted by the military required multi-
tives from the private sector and state and local govern- agency agreement and presidential authorisation. In
ments to advise on how to reduce ‘physical and cyber 2018, in response to sustained cyber attacks on the US
risks and improve the security and resilience of the below the threshold of armed conflict, then-president
nation’s critical infrastructure sectors’.13 The agencies Trump approved the CDI and in a classified directive
have introduced a range of strategic initiatives, including provided for the devolution of authority for offensive
the Information Sharing and Analysis Centers (ISACs),14 cyber operations to various agencies in certain cases.
the first of which was created during the presidency Within the DoD, the list of cyber agencies with oper-
of Bill Clinton; the Cyber Risk and Resilience Review ational and capability-development roles is a long one,
framework,15 jointly devised in 2009 by the DHS and including single-service cyber commands and the DoD
Carnegie Mellon University; and the National Initiative chief information officer, responsible for securing all
for Cybersecurity Education, an organisation within the DoD computerised systems (not including deployed
National Institute of Standards and Technology in the weapons platforms, which are managed by the single-
Department of Commerce. service cyber commands or combatant commands).
In the development of command and control for Governance of cyber policy in the US is enriched by
cyber operations, two main trends have been discern- the diversity of talents and interests represented in the
ible: a filling of policy gaps through the creation of new various powerful institutions that are involved. Policy
organisations and/or posts for a wide range of missions is inevitably consensus-based and therefore perhaps
and responsibilities, and a gradual decentralisation of less focused than in other, less pluralistic systems, but

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 17


there is larger buy-in by stakeholders throughout the agencies, the size and complexity of the US intelligence-
US system. Since it is based on strict observance of the and-security community make it notoriously difficult to
law, the US system is highly predictable, though there- coordinate, even following the post-9/11 creation of the
fore more constrained than in countries where the law is ODNI, which was designed to address the problem.
less respected or more arbitrary. Command-and-control
arrangements are worked out in exquisite detail, with Cyber empowerment and dependence
high levels of redundancy built in, and with command The US remains the most powerful country in terms of
nodes enjoying a high degree of intelligence support. ICT capability, whether gauged by the size of its digi-
tal economy, its leading role in global innovation or the
Core cyber-intelligence capability unrivalled partnership between industry, government
There is copious public evidence indicating the world- and academia. Global consumer demand for US ICT has
leading sophistication, breadth and depth of US core led to the unprecedented commercial success of com-
cyber-intelligence capabilities. These are centred on the panies such as Apple, Google and Microsoft, which has
extensive military-led cyber capabilities of the NSA, the in turn stimulated their shaping of the future of cyber-
complementary civilian-led cyber capabilities of the CIA, space through their extensive investment in research
with its covert overseas remit, and those of the Federal and development (R&D). The result is a high degree
Bureau of Investigation (FBI), with its domestic-security of global dependence on US commercial products and
remit. The director of the NSA also heads the US mili- intellectual property, with the technology involved in
tary’s Cyber Command, and both organisations have computer microchips, undersea communication cables,
cyber-intelligence, cyber-security and offensive cyber communication satellites and cloud computing being
functions so as to maximise the synergies across such prime examples. The other side of the coin is that the US
closely related activities. Core US cyber-intelligence economy and civil infrastructure are more dependent
capabilities are enhanced further through many inter- on cyberspace than those of most other countries, and
national intelligence partnerships, with the long-estab- therefore more vulnerable in many respects.19
lished Five Eyes alliance as the centrepiece. The Five Eyes The US is a world leader in both personal and busi-
is arguably the most powerful international intelligence ness use of the internet and mobile technology. The
partnership in history. level of demand has contributed to domestic innova-
The US intelligence agencies collaborate exten- tion, which has in turn fuelled even higher demand. The
sively with private-sector firms and universities for the US digital economy is the biggest in the world.
development and evaluation of key technologies.17 The According to the standard methods used by the US
extent of civil–military and private–public integration government’s Bureau of Economic Analysis, the digital
can be seen in the March 2019 report by the National economy contributed 9% of the country’s GDP in 2018.20
Academies of Sciences, Engineering, and Medicine on But this estimate excludes the output of sectors where
the future directions the intelligence community could large amounts of wealth are generated by ICT products
take in order to adapt to, or exploit, rapidly changing and services, such as financial services. It is not possible
technologies.18 The very tight integration of govern- to gauge the full strength of the US digital and cyber
ment, industry and academia in shaping the US intel- economy just by using the traditional ICT output data
ligence capability is unmatched in scale, focus and from the national accounts for the ICT sector.21 Other
investment by any other country, including China. The sectors of the US economy – such as agriculture, bank-
country’s cyber-intelligence capability also benefits ing and healthcare – leverage ICT goods and services to
from the maturity and scope of the centralised process create their own innovations and wealth in ways that
for all-source intelligence fusion and assessment. are not included in national statistics for the ICT sector.22
With an annual budget request of US$85bn for the 2021 For example, every day in the US, trillions of dollars’
fiscal year, and the involvement of multiple government worth of financial transactions are conducted in ways
departments in addition to the three core intelligence that are only possible because of ICT systems.23 One of

18 The International Institute for Strategic Studies


the favoured techniques is algorithmic trading of stocks, Private investment in the US high-tech sector has
derivatives and currency, where ICT systems are pre- been a central part of this dominance in a way not
set to buy and sell according to certain pre-determined matched by any other country. In 2019, the available
parameters. This has resulted in a new form of auto- data suggested that total venture-capital investment
mated, high-speed wealth creation, making the US the in the US was more than three times greater than in
global centre for ‘digital capitalism’.24 Using the broader China (US$135bn versus US$40bn).31 In the 2020 IMD
measure of the digital economy adopted by the G20,25 World Competitiveness Ranking, which assesses a
the digital economy’s share of US GDP is about 60%.26 country’s ability to ‘adopt and explore digital tech-
Overall, it is clear that the US enjoys a significant nologies’ across government, business and wider
level of cyber empowerment compared with all other society, the US was in tenth place and China was in
countries. Some countries, including China, aspire 20th.32 According to the United Nations Conference on
to emulate US achievements in this regard. In fact, Trade and Development, the US accounts for 68% of
between 2013 and 2016, according to an estimate by the market-capitalisation value of the world’s 70 larg-
the Organisation for Economic Co-operation and est digital platforms, compared with China’s 22%.33
Development (OECD), China was already one of the In terms of its share of total global spending on R&D,
five countries – together with the US, Taiwan, Japan and using a purchasing-power-parity estimate, the US was
South Korea – that together produced at least 70%, and in first place in 2019, just ahead of China.34 Taking the
in some cases almost 100%, of the patents for each of the last two decades as a whole, the gap between the two
25 new technologies considered by the OECD to repre- countries is much wider, with US R&D investment
sent the ‘digital technology frontier’.27 However, the US almost double that of China, and the impact of that ear-
share of global production was greater than China’s for lier spending remains significant today.
all but two of those technologies (control arrangements Taking investment in and outputs from research in the
and organic-materials devices).28 field of artificial intelligence (AI) as an important proxy
The strength of US digital services lies largely in indicator of cyber empowerment, we can see several
their culture of technical expertise and innovation-led trends. Between 2008 and 2017, US venture-capital invest-
investment. The US is home to 59 of the universities in ments in AI outpaced those in China (US$694bn versus
the Times Higher Education list of the global top 200 (see US$185bn).35 China overtook the US in 2018, but later
Table 1.1, which includes only the countries that fea- that year its entire venture-capital sector suffered a col-
ture in this report), and its tech and entrepreneurship lapse. In terms of research, in 2016 the 28 European Union
ecosystem has no equal. According to one industry sur- member states and the US were responsible for the two
vey, there were 65,321 start-ups listed in the US in 2019, greatest shares of highly cited AI-related publications,
which was approximately nine times the number in the 23% and 15% respectively, but those shares declined to
second-placed country, India.29 17% and 12% in 2018.36 China overtook both, with a share
of 28% in 2018, while India’s share skyrocketed to 11%.
Table 1.1. Universities in the Times Higher Education global (Note, however, that this ranking demonstrates scientific
top 200, 202130
achievement rather than economic power, since open-
US 59
source publications are available to be used in any coun-
UK 29
try, not just the one in which they were produced. And in
China (incl. Hong Kong) 12
most cases the researchers producing such publications
Australia 12
are likely to include some foreigners, so in that sense the
Canada 8
scientific achievement does not belong entirely to the
France 5
source country.) Overall, the statistics do not capture the
Japan 2 quality and dynamism of the US AI sector, which was
Israel 1 demonstrated in 2018, for example, by the Massachusetts
Institute of Technology’s creation of a special school of

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 19


computer science for the purpose of developing the Indonesia 9
AI-related research of non-IT departments.37 Malaysia 5
In February 2019, Trump announced a national AI Vietnam 4
initiative (two years after China had done so), saying Iran 2
that ‘continued American leadership in AI is of para-
mount importance to maintaining the economic and The US also remains dominant in the manufacturing
national security of the United States and to shaping of computer chips (see Table 1.3), an essential compo-
the global evolution of AI in a manner consistent with nent in all modern computing. Not only does it have by
our nation’s values, policies, and priorities’.38 In 2020, far the largest share of the global market, but US compa-
the government reported that it was on track to dou- nies that design, manufacture and sell semiconductors
ble its investment in non-defence AI by 2022, including – so-called integrated device manufacturers – account
through the allocation of US$850 million for AI activi- for 51% of global sales.
ties at the National Science Foundation.39
The global footprint of US-based telecoms and high- Table 1.3. National semiconductor industries’ share of global
market (%), 202044
tech companies is also very large, one example being the
Country Type of semiconductor
ownership and repair arrangements for global under- Logic Analogue Memory Discrete
sea communications cables.40 Google is the biggest US 61 63 23 23

single owner of undersea cables, and US corporations South Korea 6 65 5


have 36 representatives among the 169 members of the Europe 9 22 42
International Cable Protection Committee, compared Japan 6 9 9 25
with China’s one.41 The US has identified foreign-based China 9 5
cable-landing stations, including several in China, as
Taiwan 9 3
part of its own critical national infrastructure.42 How it
would respond to any Chinese government interference However, for all its digital economic power, the US
with those installations is uncertain. relies on a globalised market and supply chain. This
In terms of space connectivity, the US operates at played out in private-sector complaints against the
least three times as many satellites as China (see Table Trump administration regarding its efforts to ban com-
1.2, which includes only the countries that feature in this panies around the world from relying on computer
report). US military cyber activity is heavily dependent chips manufactured wholly or even partly in China, as
on its space assets, since the vast majority of military part of a multinational supply chain.45 Many tech and
cyber activity is executed via outer space – especially telecoms companies, including giants such as Intel and
intelligence collection, damage assessment and targeting. Motorola, have long relied on manufacturing in China
to sustain their business model.
43
Table 1.2. Numbers of satellites (January 2021)

US 1,897 Cyber security and resilience


China 410 Since the late 1990s the US has moved more decisively
Russia 176 than any other country to defend its critical informa-
UK 167 tion infrastructure in cyberspace, but it also recognises
Japan 84 that the task is extremely difficult and that major weak-

India 63 nesses remain. The country relies on a unique mix of

Canada 43 assets, institutions and political foundations for its

France 22
cyber civil defence.46
Since 2011, policy has been influenced by a deepen-
Israel 16
ing sense of urgency around homeland cyber defence
Australia 13
due to espionage and attempted sabotage (with the

20 The International Institute for Strategic Studies


latter posing a threat to both infrastructure and politi- that statement, the achievement of a secure election was
cal processes). As a result, the Trump administration testimony to the administration’s sustained efforts in
encouraged a sense of national crisis in an attempt this area of policy.
to quickly improve US national cyber preparedness. In summary, the US remains intensely aware of its
The main milestones included, in 2018, the reports high dependence on cyberspace and the many threats
‘Support to Critical Infrastructure at Greatest Risk’47 it faces, and is therefore very dissatisfied with the cur-
and ‘Supporting the Growth and Sustainment of the rent state of its cyber defences. Overall, however, the
Nation’s Cybersecurity Workforce’;48 National Security US approach to national resilience and cyber security
Presidential Memorandum 13, authorising retaliatory is highly sophisticated, as reflected, for example, by the
cyber attacks against countries engaging in systematic International Telecommunication Union’s 2018 Global
cyber attacks on the US;49 and the recognition of the role Cybersecurity Index, in which it was placed second
of Cyber Command in homeland defence, especially in (behind the United Kingdom) out of 175 countries.57
coordinating cyber missions against terrorists in US ter- This assessment is unchanged by the discovery at the
ritory.50 In May 2019 Trump issued an executive order end of 2020 of the Russian cyber-espionage operation
that included a declaration by the White House of a that had hacked into software provided by the US com-
national emergency in cyberspace.51 And a year later, pany SolarWinds and infected the company’s many cli-
in May 2020, the US became the first country to issue a ents, including nine US government departments and
public memorandum on cyber security in space.52 about 100 private companies (investigations are ongo-
The seriousness of the US moves was exemplified by ing). Although this will have heightened dissatisfac-
the May 2019 executive order, which foreshadowed the tion with the country’s cyber defences, it should also
termination, in certain circumstances, of all ICT trade be noted that the operation was detected, and is being
and technology transfer between the US and China on disrupted, by the US private sector.
national-security grounds. On the same day as the exec-
utive order, the Department of Commerce announced Global leadership in cyberspace affairs
that it was adding Huawei and 68 of its non-US affiliates The US has played a leading role in improving inter-
to the Entity List,53 meaning that US firms and individu- national collaboration on cyberspace issues. One of
als would require an export licence for the sale or trans- its most focused and successful efforts led to the G8’s
fer of US technology to them.54 adoption in 2003 of 11 principles for protecting criti-
In March 2020 the Cyberspace Solarium Commission cal information infrastructure.58 One of those princi-
issued a report, mandated by Congress, proposing a ples concerned the development and coordination of
‘strategy of layered cyber deterrence’.55 Warning of a emergency warning systems; the sharing and analys-
series of potentially devastating cyber attacks against ing of information regarding vulnerabilities, threats
the US, the report divided its numerous recommen- and incidents; and the coordination of investigations
dations into three categories: ‘Shape Behavior’ (build into attacks on countries’ infrastructure in accordance
partnerships and influence other cyberspace actors), with their domestic laws. At the time, the G8 included
‘Deny Benefits’ (build stronger cyber defences) and Russia. The US was also one of the driving forces
‘Impose Costs’ (threaten retaliation). Among the more behind the adoption by a United Nations Group of
interesting recommendations are a return to paper bal- Governmental Experts,59 in 2015, of possible volun-
loting, a public–private partnership to counteract the tary norms for protecting infrastructure in cyberspace
impact of cyber attacks, and the creation of a Bureau of – the culmination of a process that had taken more
Cyberspace Security and Emerging Technologies. than ten years.60
In November 2020 the head of CISA, Chris Krebs, Nevertheless, by that time, US views about the reli-
was able to attest that the previous week’s presidential ability of China and Russia as partners in multilateral
election had been the most secure in the country’s his- cyberspace endeavours had hardened considerably.
tory.56 Even though Krebs was dismissed by Trump for Quite apart from the espionage and sabotage threats that

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 21


China and Russia presented, the US was leading, or at combat and in situations below the level of armed conflict.
least working with, many like-minded liberal democ- It may be tempting to judge the US offensive cyber
racies to promote their view of a free and open global capability simply by the number of people in US Cyber
internet in the face of the more authoritarian countries’ Command, although it is difficult to identify those who
desire for increased sovereign control of cyberspace. This are dedicated to offence rather than defence among its
campaign played out in many forums, but a major focus 6,000 military and civilian personnel. But that would be
of the US effort was the perceived need to oppose the to ignore significant capabilities residing elsewhere, for
use of advanced ICT for censorship or excessive domes- example in the NSA, CIA and parts of the private sector.
tic surveillance. The US has concluded that the scale of A focus on numbers might also cloud the point that qual-
the attacks being carried out against it (and key allies) ity is probably more important than quantity for the most
by Russia and China is sufficient to render meaningful sophisticated cyber operations.
dialogue almost impossible. In fact, in 2018, in National Nevertheless, we judge that the US has a wide range
Security Presidential Memorandum 13 (see previous sec- of offensive cyber capabilities at all levels of sophistica-
tion), the US shifted to a position of retaliatory attacks tion. Significantly, as long ago as 2008, it was already
in cyberspace and retaliatory diplomatic measures. This capable of conducting the highly complex Stuxnet
has included leading more than 20 countries in publicly operation that involved intrusions by several discrete
attributing many of the attacks. malware packages over several years, sustained sys-
The US occupies a position of tem surveillance, and eventually the
unmatched pre-eminence in global execution of an attack that caused
cyberspace affairs, as demonstrated by US offensive physical damage to around 1,000
its highly successful cyber diplomacy, cyber centrifuges used by Iran for uranium
the high number of leadership roles
that its citizens occupy in international
capabilities enrichment. The US envisages the
use of such offensive capabilities in a
professional organisations such as the are more wide range of scenarios, which may
Institute of Electrical and Electronics developed than include disabling adversary strategic
Engineers (IEEE) and ISACA,61 and its
those of any command-and-control systems and
presence alongside allied countries in the navigational systems of missiles.
technical-standards groups.62
other country Russia certainly assumes that the US
has the capability and plans in place
Offensive cyber capability to do so,63 since several senior US military sources have
The US has been prepared to disclose some of its offen- made public statements to that effect. We can be more
sive cyber potential by publicly avowing a small num- certain that the US envisages the use of cyber capabilities
ber of its operations and by publicly announcing its in both high- and low-intensity conventional combat,
CDI, encompassing the principles of defend forward with targeting options likely to include command-and-
and persistent engagement. Overall, however, the cyber control assets, intelligence assets, weapons systems and
arsenal and its planned uses are among the most care- platforms, and critical national infrastructure such as
fully guarded state secrets. power grids and transport systems.
US offensive cyber capabilities are more developed It is harder to judge how US capabilities stack up for
than those of any other country. All the principal founda- offensive cyber operations below the threshold of war,
tions are in place: a high-grade cyber-intelligence capa- particularly for influence-and-information operations.
bility complemented by high-grade human intelligence As Cyber Command’s capabilities are overtly military,
collection; leadership of the technologically advanced Five their use is carefully restricted under stringent US gov-
Eyes intelligence alliance; a powerful cyber-industrial and ernmental authorities, hence their careful signalling
academic base; and mature doctrine and legal authori- under the strategy of defend forward and its retaliatory
ties, allowing for the responsible use of US capabilities in premise. CIA cyber operations may be more prevalent

22 The International Institute for Strategic Studies


in this space, but the fact that they are covert makes it in the last decade, some avowed publicly by the govern-
impossible to judge their extent or effectiveness. Overall, ment – including attacks against the Islamic State (also
it is likely that US cyber-enabled influence operations known as ISIS or ISIL) and a Russian online group, the
are far less prolific than those conducted by the Russians Internet Research Agency – and some revealed in the
and Chinese, given the number of the latter that have media (against China, Iran and North Korea). One of
been detected and publicly revealed. But that should not the more interesting pieces of media reporting was the
lead us to judge that the US has substantially less capa- alleged use, in 2014 and 2015, of cyber means to disable
bility or weaker intent. We might instead conclude that North Korean ballistic missiles prior to their launch.64
the US use of its capability is more sophisticated, with An interesting avowal was Trump’s admission that he
less chance of detection, and that it is more controlled authorised a cyber attack on Iran in 2019 in retaliation
and responsible (or, from a different perspective, more for its shooting down of a US drone.65 The US ampli-
constrained). It remains an open question whether the fies its own offensive cyber capabilities by partnering
Russians and Chinese have gained an advantage owing with cyber-capable international allies, for example in
to their growing peacetime operational experience in the Stuxnet attack against Iran (with Israel) and in the
the aggressive use of offensive cyber for influence-and- campaign against the Islamic State in 2016 (with the UK
information operations. It is likely that the CDI is an and Australia). Through these attacks and other actions,
attempt to redress any perceived imbalance by moving the US has demonstrated a maturing determination and
the peacetime contested space from the United States’ high levels of organisational coherence for sustained
own networks to those of its adversaries. offensive cyber operations when it chooses to under-
The US has used cyber means to disrupt or destroy take them. These capabilities have not yet been demon-
enemy IT systems or other capabilities in several settings strated at their full potential.

Notes

1 White House, ‘National Security Strategy of the United States 5 The term ‘critical information infrastructure’, in common use

of America’, December 2017, https://trumpwhitehouse.archives. both in the US and internationally, refers to all the information

gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf. systems underpinning critical national infrastructure.

2 White House, ‘National Cyber Strategy of the United States of 6 United States Cyber Command, ‘Beyond the Build: Delivering

America’, September 2018, https://trumpwhitehouse.archives. Outcomes through Cyberspace – The Commander’s Vision and

gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf. Guidance for US Cyber Command’ 2015, https://nsarchive2.

3 See US Department of Defense, ‘Summary: Department of gwu.edu/dc.html?doc=2692135-Document-27.

Defense Cyber Strategy 2018’, https://media.defense.gov/2018/ 7 There were significant new elements in the 2015 policy

Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_ statements from the Pentagon, including recognition in ‘Beyond

FINAL.PDF. the Build’ that the cyber defences in the Department of Defense

4 White House, ‘Executive Order on Taking Additional Steps to were inadequate to deal with the threats it was facing and

Address the National Emergency with Respect to Significant that military units needed to be able to operate with degraded

Malicious Cyber-Enabled Activities’, 19 January 2021, https:// systems and a lack of cyber situational awareness (including

trumpwhitehouse.archives.gov/presidential-actions/executive- command and control, intelligence and targeting data).

order-taking-additional-steps-address-national-emergency- 8 United States Cyber Command, ‘Achieve and Maintain Cyberspace

respect-significant-malicious-cyber-enabled-activities. Superiority: Command Vision for US Cyber Command’, 2018, https://

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 23


www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20 16 Office of Management and Budget, ‘A Budget for America’s

Vision%20April%202018.pdf?ver=2018-06-14-152556-010. Future: Analytical Perspectives’, Washington DC, 2020, p. 265,

9 See US Department of Defense, ‘Summary: Department of Defense https://www.govinfo.g.ov/content/pkg/BUDGET-2021-PER/

Cyber Strategy 2018’, p. 1: ‘The Department must take action in pdf/BUDGET-2021-PER.pdf.

cyberspace during day-to-day competition to preserve U.S. 17 Director of National Intelligence, ‘Industry Snapshot: Summary

military advantages and to defend U.S. interests. Our focus will of Partner Responses to the FY 2015–2019 IC S&T Investment

be on the States that can pose strategic threats to U.S. prosperity Landscape’, 2015, p. 5, http://www.dni.gov/files/documents/

and security, particularly China and Russia. We will conduct atf/In-STeP%20-%20Industry%20Snapshot.pdf. This document

cyberspace operations to collect intelligence and prepare military provides valuable insight into the ‘industrial’ foundations of

cyber capabilities to be used in the event of crisis or conflict.’ the US intelligence community.

10 White House, ‘National Cyber Strategy of the United States of 18 National Academies of Sciences, Engineering, and Medicine,

America’, September 2018, p. 21. ‘A Decadal Survey of the Social and Behavioral Sciences: A

11 White House, ‘Memorandum on Renewing the National Security Research Agenda for Advancing Intelligence Analysis’, 2019,

Council System’, 4 February 2021, https://www.whitehouse.gov/ https://www.nap.edu/catalog/25335/a-decadal-survey-of-the-

briefing-room/statements-releases/2021/02/04/memorandum- social-and-behavioral-sciences-a.

renewing-the-national-security-council-system. The Principals 19 For example, on the high dollar value of foreign inputs

Committee is the ‘senior interagency forum for consideration of into the US digital sector, the Organisation for Economic

policy issues affecting national security. … Its regular members Co-operation and Development (OECD) stated that ‘while

will be the Secretary of State, the Secretary of the Treasury, the United States has the lowest share of foreign value added

the Secretary of Defense, the Attorney General, the Secretary in domestic demand of OECD countries (12%), the sheer size

of Energy, the Secretary of Homeland Security, the Director of its economy means that in [dollar] terms it is by far the

of the Office of Management and Budget, the Representative biggest consumer of foreign value added: 2.2 USD trillion,

of the United States of America to  the United Nations, the of which, 1.2 USD trillion (55%) comes from more digital-

Administrator of the United States Agency for International intensive industries’. See OECD, ‘Measuring the Digital

Development, and the Chief of Staff to the President. The Director Transformation’, March 2019, p. 228, https://www.oecd-

of National Intelligence, the Chairman of the Joint Chiefs of Staff, ilibrary.org/sites/a87fd918-en/index.html?itemId=/content/

and the Director of the Central Intelligence Agency shall attend component/a87fd918-en#:~:text=However%2C%20while%20

in an advisory capacity. The Principal Deputy National Security the%20United%20States,comes%20from%20more%20

Advisor, the Counsel to the President, the NSC Legal Advisor, digital%2Dintensive.

and the National Security Advisor to the Vice President shall be 20 Jessica R. Nielsen, ‘New Digital Economy Estimates’, Bureau of

invited to attend every meeting of the PC.’ Economic Analysis, August 2020, https://www.bea.gov/system/

12 Ibid. and Natasha Bertrand, ‘Biden taps intelligence veteran files/2020-08/New-Digital-Economy-Estimates-August-2020.pdf.

for new White House cybersecurity role’, Politico, 6 21 For a description of how the US measures the ICT sector, see

January 2021, https://www.politico.com/news/2021/01/06/ Nielsen, ‘New Digital Economy Estimates’.

biden-white-house-cybersecurity-neuberger-455508. 22 See Erik Brynjolfsson and Avinash Collis, ‘How Should

13 See CISA, ‘National Infrastructure Advisory Council’, https:// We Measure the Digital Economy?’, Harvard Business

www.cisa.gov/niac. Review, November–December 2019, https://hbr.org/2019/11/

14 For further information, see the website of the ISACs National how-should-we-measure-the-digital-economy.

Council: https://www.nationalisacs.org. 23 See US Federal Reserve, ‘Fedwire Funds Service Monthly Statistics’,

15 For further information, see ‘Assessments: Cyber Resilience https://www.frbservices.org/resources/financial-services/wires/

Review (CRR)’, Cybersecurity and Infrastructure Security volume-value-stats/monthly-stats.html.

Agency, https://www.us-cert.gov/resources/assessments; and 24 See Dan Schiller, Digital Capitalism: Networking the Global Market

United States Department of Homeland Security, ‘Cyber System (Cambridge, MA: MIT Press, 2000).

Resilience Review’, Factsheet, https://www.cisa.gov/sites/default/ 25 See, for example, G20, ‘G20 Digital Economy Development

files/publications/Cyber-Resilience-Review-Fact-Sheet-508.pdf. and Cooperation Initiative’, 8 September 2016, http://

24 The International Institute for Strategic Studies


www.g20chn.org/English/Documents/Current/201609/ 32 Institute for Management Development, ‘World Competitiveness

P020160908736971932404.pdf. The G20 definition of the digital Ranking 2020’, https://www.imd.org/news/updates/IMD-2020-

economy, decided at its meeting in China in 2016, is ‘a broad World-Competitiveness-Ranking-revealed.

range of economic activities that includes using digitised 33 United Nations Conference on Trade and Development,

information and knowledge as the key factor of production, ‘Digital Economy Report 2019’, Geneva, p. 2, https://unctad.

and modern information networks as the important activity org/system/files/official-document/der2019_en.pdf.

space’. The challenges of measuring and comparing different 34 Congressional Research Service, ‘Global Research and

countries’ digital economies have also been addressed in several Development Expenditures: Fact Sheet’, updated 29 April 2020,

OECD studies, such as the 2019 report ‘Measuring the Digital p. 2, fig. 2, https://fas.org/sgp/crs/misc/R44283.pdf.

Transformation: A Roadmap for the Future’, 11 March 2019, 35 Xiaomin Mou, ‘Artificial Intelligence: Investment Trends and

https://www.oecd-ilibrary.org/docserver/9789264311992-en. Selected Industry Uses’, EMCompass, International Finance

pdf?expires=1595284992&id=id&accname=guest&checksum= Corporation, World Bank Group, September 2019, http://

DC8358091A60B496B5A6F525ECD799E6. documents1.worldbank.org/curated/ar/617511573040599056/

26 Longmei Zhang and Sally Chen, ‘China’s Digital Economy: pdf/Artificial-Intelligence-Investment-Trends-and-Selected-

Opportunities and risks’, International Monetary Fund Industry-Uses.pdf.

Working Paper, no. WP/19/16, 17 January 2019, p. 4, 36 Stefano Baruffaldi et al., ‘Identifying and measuring

https://www.imf.org/en/Publications/WP/Issues/2019/01/17/ developments in artificial intelligence: Making the impossible

Chinas-Digital-Economy-Opportunities-and-Risks-46459. possible’, OECD Science, Technology and Industry Working

27 OECD, ‘Measuring the Digital Transformation’, pp. 15, 30, Papers, no. 2020/05, p. 54, https://doi.org/10.1787/5f65ff7e-en.

The 25 technologies were: Control arrangements, Organic 37 MIT News, ‘MIT reshapes itself to shape the future’, 15 October

materials devices, Digital data transfer, Miscellaneous digital 2018, http://news.mit.edu/2018/mit-reshapes-itself-stephen-

storage, Biological models algorithms, Wireless channel schwarzman-college-of-computing-1015.

access, Traffic control for aircraft, Multiple transmissions, 38 White House, ‘Artificial Intelligence for the American People’,

Synchronisation arrangements, Traffic control for vehicles, https://trumpwhitehouse.archives.gov/ai.

Film devices, Interactive television, VOD Network and 39 White House, ‘American Artificial Intelligence Initiative: Year

access restrictions, Speech or voice analysis, Connection One Annual Report’, 2020, p. 5, https://www.whitehouse.gov/

management, Other computational models, 3D objects wp-content/uploads/2020/02/American-AI-Initiative-One-

manipulation, Electromagnetic waves reflection, Wireless Year-Annual-Report.pdf.

communication services, Image analysis, Mathematical 40 Doug Brake, ‘Submarine Cables: Critical Infrastructure
models algorithms, Transmission arrangements, Near-field for Global Communications’, Information Technology &

transmission systems, Payment protocols, and Security and Innovation Foundation, April 2019, http://www2.itif.org/2019-

authentication. submarine-cables.pdf.
28 See OECD, ‘Measuring the Digital Transformation’, p. 30. 41 See International Cable Protection Committee, ‘Member List’,

29 See the assessment by StartupRanking.com: https://www. https://www.iscpc.org/about-the-icpc/member-list.

startupranking.com/countries. It defines a start-up as ‘an 42 According to a US diplomatic cable, the National Infrastructure

organisation with high innovation competence and strong Protection Plan ‘requires compilation and annual update of

technological base, which has the faculty of an accelerated a comprehensive inventory of CI/KR [critical infrastructure/

growth and maintains independence through time’. The IISS key resources] that are located outside U.S. borders and

has not independently verified this ranking. whose loss could critically impact the public health, economic

30 Times Higher Education World University Rankings, 2021, https:// security, and/or national and homeland security of the United

www.timeshighereducation.com/world-university-rankings/2021/ States. DHS in collaboration with State developed the Critical

world-ranking#!/page/0/length/25/sort_by/rank/sort_order/asc/ Foreign Dependencies Initiative (CFDI) to identify these

cols/stats. critical U.S. foreign dependencies – foreign CI/KR that may

31 Data for the US comes from the OECD, and for China from affect systems within the U.S. directly or indirectly.’ See Geoff

Chinese sources. Manaugh, ‘Open Source Design 02: WikiLeaks Guide/Critical

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 25


Infrastructure’, Domus, 29 June 2011, http://www.domusweb. executive-order-securing-information-communications-

it/en/architecture/2011/06/20/open-source-design-02-wikileaks- technology-services-supply-chain.

guide-critical-infrastructure.html. 52 White House, ‘Memorandum on Space Policy Directive-5 –

43 Union of Concerned Scientists, ‘UCS Satellite Database’, Cybersecurity Principles for Space Systems’, 4 September 2020,

updated 1 January 2021, https://www.ucsusa.org/resources/ https://trumpwhitehouse.archives.gov/presidential-actions/

satellite-database. memorandum-space-policy-directive-5-cybersecurity-

44 Semiconductor Industry Association, ‘2020 – State of the U.S. principles-space-systems.

Semiconductor Industry’, 2020, p. 8, https://www.semiconductors. 53 Under the US Export Authorization Act, the Entity List is a

org/wp-content/uploads/2020/07/2020-SIA-State-of-the-Industry- compilation of ‘names of certain foreign persons – including

Report-FINAL-1.pdf. Note that not all the columns add up to businesses, research institutions, government and private

100%, because other countries not named in the chart are also organizations, individuals, and other types of legal persons – that

involved in the sector. are subject to specific license requirements for the export, reexport

45 For a brief insight into this issue, see Saif M. Khan, ‘US and/or transfer (in-country) of specified items’. See Bureau of

Semiconductor Exports to China: Current Policies and Trends’, Industry and Security, ‘Entity List’, https://www.bis.doc.gov/

CSET Issues Brief, Georgetown University, October 2020, https:// index.php/policy-guidance/lists-of-parties-of-concern/entity-list.

cset.georgetown.edu/wp-content/uploads/U.S.-Semiconductor- 54 Department of Commerce, ‘Department of Commerce

Exports-to-China-Current-Policies-and-Trends.pdf. Announces the Addition of Huawei Technologies Co. Ltd.

46 Greg Austin, ‘US Policy: From Cyber Incidents to National to the Entity List’, 15 May 2019, https://www.commerce.

Emergencies’, in Greg Austin (ed.), National Cyber Emergencies: The gov/news/press-releases/2019/05/department-commerce-

Return to Civil Defence (Abingdon: Routledge, 2020), pp. 31–59. announces-addition-huawei-technologies-co-ltd.

47 For a summary, see Department of Homeland Security, 55 United States Cyberspace Solarium Commission, ‘Final

‘Support to Critical Infrastructure at Greatest Risk (“Section Report’, March 2020, https://drive.google.com/file/d/1ryMCIL_

9 Report”) Summary’, 8 May 2018, https://www.cisa.gov/ dZ30QyjFqFkkf10MxIXJGT4yv/view.

publication/support-critical-infrastructure-greatest-risk- 56 Chris Cillizza, ‘The end of the Trump White House is *exactly*

section-9-report-summary. as bad as we thought it would be’, CNN, 18 November 2020,

48 National Institute of Standards and Technology, ‘A Report to https://edition.cnn.com/2020/11/18/politics/donald-trump-chris-

the President on Supporting the Growth and Sustainment of the krebs-fired/index.html.

Nation’s Cybersecurity Workforce: Building the Foundation for 57 International Telecommunication Union, ‘Global Cybersecurity

a More Secure American Future’, 10 May 2018, https://csrc.nist. Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/
gov/publications/detail/white-paper/2018/05/30/supporting- D-STR-GCI.01-2018-PDF-E.pdf.

growth-and-sustainment-of-the-cybersecurity-workforce/ 58 Group of Eight, ‘G8 Principles for Protecting Critical Information

final. Infrastructures’, May 2003, http://www.cybersecuritycooperation.


49 This document is classified. For a media report, see Ellen org/documents/G8_CIIP_Principles.pdf.
Nakashima, ‘White House authorizes “offensive cyber 59 Since a UN General Assembly resolution in 2004, a UN Group

operations” to deter foreign adversaries’, Washington Post, of Governmental Experts (GGE) has convened for two-year

21 September 2018, https://www.washingtonpost.com/world/ terms to address international-security aspects of cyberspace.

national-security/trump-authorizes-offensive-cyber-operations- It was known as the GGE on ‘Developments in the Field

to-deter-foreign-adversaries-bolton-says/2018/09/20/b5880578- of Information and Telecommunications in the Context of

bd0b-11e8-b7d2-0773aa1e33da_story.html. International Security’ until 2018, when it was renamed the GGE

50 Joint Chiefs of Staff, ‘Homeland Defense’, Joint Publication on ‘Advancing Responsible State Behaviour in Cyberspace in the

3-27, April 2018, https://www.jcs.mil/Portals/36/Documents/ Context of International Security’. In cyberspace-policy circles it

Doctrine/pubs/jp3_27.pdf. is common to refer to it simply as ‘the GGE’. See UN Office for

51 White House, ‘Executive Order on Securing the Information Disarmament Affairs, ‘Developments in the field of information

and Communications Technology and Services Supply Chain’, and telecommunications in the context of international security’,

15 May 2019, https://www.whitehouse.gov/presidential-actions/ undated, https://www.un.org/disarmament/ict-security.

26 The International Institute for Strategic Studies


60 United Nations General Assembly, ‘Group of Governmental is still behind Germany (DIN, holding 132 Secretariats), the US

Experts on Developments in the Field of Information and (ANSI, 104 Secretariats), the United Kingdom (BSI, 77 Secretariats),

Telecommunications in the Context of International Security’, France (AFNOR, 77 Secretariats), and Japan (JISC, 74 Secretariats).

A/70/174, 22 July 2015, https://www.un.org/ga/search/view_ In IEC, Germany holds the most secretariat positions (36),

doc.asp?symbol=A/70/174. followed by the US (26), Japan (24), France (22), United Kingdom

61 ISACA – formerly the Information Systems Audit and Control (20), and Italy (13). China leads as many TCs and SCs in IEC as the

Association, but now known only by its acronym – is dedicated Republic of Korea (both holding 10 secretariats).’

to system security: see http://www.isaca.org. It has 75 chapters 63 See Greg Austin and Pavel Sharikov, ‘Preemption Is Victory:

in the US but only one in China (and that is in Hong Kong). Aggravated Nuclear Instability of the Information Age’, Non-

As for the IEEE, it is the largest professional organisation in proliferation Review, vol. 23, nos. 5–6, pp. 691–704.

the world, and influential in international cyberspace policy. 64 See David E. Sanger  and William J. Broad, ‘Trump Inherits a

In 2020, almost half of its 419,000 members were in the US. See Secret Cyberwar against North Korean Missiles’, New York Times,

https://www.ieee.org/about/at-a-glance.html. 4 March 2017, https://www.nytimes.com/2017/03/04/world/asia/

62 For an overview, see Tim Nicholas Rühlig, ‘Technical north-korea-missile-program-sabotage.html?action=click&mod

standardisation, China and the future international order: A ule=RelatedCoverage&pgtype=Article&region=Footer.

European perspective’, Heinrich Böll Foundation, Berlin, 2020, p. 65 Ellen Nakashima, ‘Trump approved cyber-strikes against

22, https://eu.boell.org/sites/default/files/2020-03/HBS-Techn%20 Iranian computer database used to plan attacks on oil tankers’,

Stand-A4%20web-030320.pdf. The data on chairs of standards Washington Post, 23 June 2019, https://www.washingtonpost.

committees/secretariats held by citizens of different countries com/world/national-security/with-trumps-approval-pentagon-

shows the US in a very strong position, second only to Germany: launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-

‘In absolute terms, however, China (SAC, holding 63 Secretariats) 11e9-b570-6416efdc0803_story.html.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 27


28 The International Institute for Strategic Studies
2. United Kingdom

The United Kingdom is a highly capable cyber state, UK’s key weaknesses, in common with most other
with clear strategic oversight at the political level. It states, are shortfalls in its skilled cyber workforce
has world-class strengths in its cyber-security ecosys- and that it cannot afford to invest in cyber capabili-
tem, centred on the National Cyber Security Centre, ties on the same scale as the United States or China.
and in its related cyber-intelligence capability centred These are offset in part by the breadth and depth of
on the Government Communications Headquarters. the UK’s proven international alliances, particularly
There is a strengthening partnership between gov- with the US. Another area of potential comparative
ernment and industry, and an attempt to develop weakness is that the UK lacks the indigenous indus-
a whole-of-society approach to improve national trial base required to build and export the equipment
cyber-security capability. There is significant invest- that might ultimately dictate the future of global
ment in cyber research and development and inno- cyberspace, meaning it can only seek to manage the
vation, with the government looking to the strengths attendant risks. The country uses its international
of the private sector and academia. To increase its influence to shape the future of cyberspace and is a
reservoir of cyber skills, the UK appears to be pursu- strong advocate for the application of existing inter-
ing widespread and innovative collaboration across national law to the use of cyber capabilities. The UK
all sectors. Its economy, society and armed forces has developed, and used, offensive cyber capabilities
all greatly benefit from digital connectivity but are since at least the early 2000s, and is investing further
potentially more vulnerable as a result. Perhaps the in their expansion.

Strategy and doctrine


Cyber defence has been highlighted as a high-priority defence, those strategies also included clear allusions to
national-security issue in the United Kingdom’s strat- the development of offensive capabilities.
egy papers since the late 1990s, and featured promi- The 2016 NCSS lays out a strategy of ‘defend, deter
nently in the UK’s first National Security Strategy in and develop’, with the last of those three rubrics cov-
2008. The first National Cyber Security Strategy (NCSS) ering the national cyber-industrial capability, the skills
was produced in 2009 and updated in 2011 and 2016. base and the country’s associated analytical capability.1
Although they concentrated on cyber security and One indication of the importance the UK places on cyber

List of acronyms
DCMS Department for Digital, Culture, Media & Sport NCF National Cyber Force
GCHQ Government Communications Headquarters NCSC National Cyber Security Centre
ICT information and communications technology NCSP National Cyber Security Programme
JFCyG Joint Forces Cyber Group NCSS National Cyber Security Strategy
MoD Ministry of Defence NOCP National Offensive Cyber Programme
NAO National Audit Office

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 29


issues is the sizeable and increasing investment the gov- points to the perceived need to integrate the military’s
ernment made in cyber capabilities during a period of approach to cyber, electromagnetic, information and
financial austerity: the 2016–21 plan saw a doubling of kinetic operations,7 and gives a view of military cyber
investment to £1.9 billion (US$2.5bn). The increase was operations not dissimilar to the US concept of informa-
justified by asserting that previous commitments had tion dominance, but without using the term.
‘not achieved the scale and pace of change required to
stay ahead of the fast-moving threat’.2 Governance, command and control
The NCSS is supported by a National Cyber Security Strategic direction on cyber capability is set by the prime
Programme (NCSP) and, for offensive cyber, a National minister and other key cabinet members, supported by
Cyber Force (NCF). The NCF was publicly avowed in officials in the Cabinet Office, and enacted through the
December 2020 and subsumed the previously existing NCSS, NCSC and NCF. Ministerial roles are well estab-
National Offensive Cyber Programme (NOCP), which lished, with the home secretary, defence secretary, for-
had been running since 2014. Together, the NCSP and eign secretary and secretary of state for Digital, Culture,
the new NCF execute the national cyber strategy under Media and Sport (DCMS) all having defined strategic
the oversight of government ministers and parliamen- roles. The supporting civilian cyber-security ecosystem
tary committees.3 is described later in this chapter.
The NCSP is strongly geared to improving public- Unlike the US and some other states, the UK has not
and private-sector cooperation on cyber security under created a military cyber command with unified com-
the leadership of the UK’s innovative National Cyber mand and control of all military (but in the US case, only
Security Centre (NCSC). Delivery of the NCSP is evalu- military) cyber operations and assets, both defensive
ated annually by the UK’s National Audit Office (NAO) and offensive. That said, the UK military is fully respon-
and the results made public. sible for protecting its own networks. Command and
Now continued under the NCF, the NOCP’s role was control for doing so rests with UK Strategic Command,
described as providing a ‘dedicated capability to act enacted through its subordinate Joint Forces Cyber
in cyberspace’ with ‘appropriate offensive cyber capa- Group (JFCyG). Created in 2013 and originally known
bilities that can be deployed at a time and place of our as the Defence Cyber Operations Group, the JFCyG
choosing, for both deterrence and operational purposes, commands the centre for UK military cyber security
in accordance with national and international law’.4 The (MoD Corsham), various joint-forces cyber units, tri-
UK first avowed its offensive cyber capability in 2015, service information-assurance units and a cyber-reserve
stating a preparedness to use cyber capabilities to deter component based on assets in the British Army, Royal
and counter threats, including for warfighting. A 2019 Air Force and Royal Navy. But it is in command and
speech by the UK’s Chief of the Defence Staff high- control of offensive cyber that the UK is most unlike the
lighted the UK’s perception of the daily ‘war’ in cyber- US, having developed a globally unique solution with
space resulting from great-power competition and the the creation of the NCF.
battle of ideas with non-state actors, while noting that The NCF combines the relevant cyber elements of
this was not war as it had been understood in the past.5 Government Communications Headquarters (GCHQ) –
Guided by national strategies and investment, the the UK’s cyber-intelligence and security agency – with
armed forces set their strategy and capability objec- those of the MoD, the Secret Intelligence Service (SIS)
tives through directives from the secretary of state for and the Defence Science and Technology Laboratory in
defence and the Chief of the Defence Staff. The need for a single organisation under unified command. It covers
and use of cyber capabilities is copiously covered in UK the full range of the UK’s national-security priorities,
military doctrine, with the Ministry of Defence (MoD) from tackling serious criminality, international terror-
Joint Doctrine Publication 0-50 on ‘UK Cyber Doctrine’ ism and the malign activity of states to preparing for
presumably the most important (its contents remain war. As such, there is nothing comparable anywhere
classified).6 In general, publicly available UK doctrine else in the world. In US terms, it is the equivalent of

30 The International Institute for Strategic Studies


bringing together the offensive cyber capabilities Five Eyes nations, the UK has, with GCHQ, centred its
of Cyber Command, the National Security Agency, core cyber-security and cyber-intelligence capabilities in
Central Intelligence Agency and Federal Bureau of a single organisation, drawing on the traditional intelli-
Investigation into a single organisation. The NCF com- gence and security principle that poachers make the best
mander reports to both the head of GCHQ and the com- gamekeepers and vice versa. The NCSC is an integral
mander of Strategic Command, with NCF operations part of GCHQ.
politically authorised by either the foreign secretary The evidence also points to a mature system for
or the defence secretary, depending on the nature of assessing, sharing and making use of cyber intelligence,
the mission. While predominantly including an ability to fuse it with
focused in peacetime on tackling other sources of information. This
non-military targets, the NCF also The UK has is founded on the UK’s long-estab-
prepares the UK for the use of cyber retained a lished Joint Intelligence Committee
capabilities in armed conflict.
world-leading and the maturity of its wider intel-
Greater efficiency is one reason ligence system. Reports by parlia-
why the UK has chosen to create the
cryptographic mentary committees indicate close
NCF, having fewer personnel and capability collaboration between GCHQ and
less money to devote to cyber than, the other two main intelligence agen-
for example, the US or China. It gives the UK greater cies – SIS, specialising in overseas human intelligence
operational agility, allowing it to prioritise across all collection and covert operations, and MI5, specialising
national requirements, concentrating skills and tech- in the UK’s domestic security. For specifically cyber-
nical capabilities where they are needed most. It is a security-related intelligence, the NCSC acts as a hub for
move that also recognises the need to ensure that mili- combining high-grade secret intelligence with informa-
tary operations in cyberspace take full account of the tion acquired by the private sector.
domain’s centrality to civilian society and the global The UK’s armed forces both benefit directly from the
economy, allowing for full civilian–military opera- above capabilities and have their own cyber-intelligence
tional coordination. assets that add to the UK’s overall situational awareness.
These include ‘field’ interception undertaken by each
Core cyber-intelligence capability armed service and by special forces, intelligence assess-
In the last 30 years, GCHQ has successfully adapted the ment undertaken by the MoD’s Defence Intelligence
UK’s century-old signals-intelligence and information- organisation, and the ability to fuse cyber information
security capability so that it can obtain the breadth of quickly with intelligence from other military assets.
intelligence needed from cyberspace. The evidence
for this is the UK’s history of detecting, attributing Cyber empowerment and dependence
and disrupting malign cyber activity, its intelligence- The UK is one of the most digitally connected European
led disruption of terrorist activity, its efforts against countries, with a very high internet penetration rate
online criminality, and the many hints in the Edward (above 90%). According to the approach adopted by
Snowden leaks about the sophistication and global the G20, the UK’s digital economy ranked second in the
reach of GCHQ’s capabilities. It is safe to assume, draw- world in its share of GDP (just over 55%) in 2018, with
ing on material from the Snowden leaks, that the UK the US in first place (59%) and Japan (46%) in third.8
has retained a world-leading cryptographic capability, While this reliance on digital capacity and digital enter-
continuing a tradition of mathematical ingenuity that prise brings significant economic and social benefits
dates back to Alan Turing and beyond. GCHQ’s capa- to the UK, the government has nevertheless noted the
bilities are amplified by its long-standing and close part- vulnerability inherent in such dependence. It is there-
nership with the US and by its membership of the Five fore working with the private sector to gauge more
Eyes intelligence alliance. In common with the other accurately the extent of UK network resilience now and

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 31


in the future, including the degree to which the digi- were working on recognition technologies and another
tal economy is dependent on the commercial energy 250 on data-mining for business solutions. UK universi-
network. One stated aim, stemming from the 2019–20 ties are ranked among the most influential business and
debate about the use of Huawei equipment, is to cre- academic organisations in the world in AI research: for
ate a greater diversity of ICT suppliers and solutions to example, in 2020, in a top-40 list based on contributions
serve UK needs. to the two leading academic conferences in the field,
The UK armed forces are a microcosm of the wider Oxford was in seventh position, Cambridge in 22nd and
situation. Their activities are greatly enabled by a University College London in 30th.11 China’s Tsinghua
sophisticated networked capability, with the ability to University was in ninth position, Peking University in
communicate, move and fuse data globally for tasks 24th and Shanghai Jiaotong University in 43rd. By this
such as targeting, navigation, surveillance, and com- measure the UK is approximately at level pegging with
mand and control. They are heavily reliant on space- China, at least for now. However, in a separate rank-
based technology for most of this capability.9 The MoD ing of countries according to their contributions to AI
is consequently moving towards the idea of ‘defence research in the health sector, based simply on the num-
as a platform’, which includes smaller contracts and ber of titles published in the previous 40 years, the UK
shorter development time frames, potentially as a way did not figure in the top 20.12 This illustrates that in a
of reducing its reliance on a small number of large IT field as wide and diverse as AI, a state can lead in one
systems with long development time frames. area of research and be weak in another.
The UK’s approach to research and development The UK government states that ‘having a sustainable
(R&D) and innovation in cyber capabilities and related supply of home-grown cyber security professionals is
technology, such as artificial intelligence (AI), is highly part of our wider ambition to be a world leader in cyber
distributed across the public and pri- security. Put simply, we cannot be a
vate sectors and academia, in part
The AI sector in global leader in cyber security with-
mirroring the cyber-security eco- out access to the best cyber security
system described below. The stated
the UK has great talent.’13 A 2020 government inquiry,
aim is to recognise where industry strengths however, found that the UK lacked
can innovate more quickly than gov- cyber expertise across the board, from
ernment, and therefore to foster strong public–private basic skills to specialists.14 In response to those findings,
partnership wherever possible. The result is a plethora a wide range of measures have been introduced, largely
of cyber-specific incubators, accelerators, start-ups, driven by the NCSC and DCMS, with the aim of stimu-
research institutes and academic centres of excellence. lating growth in the requisite skills through the educa-
The amount of investment across such a distributed sys- tion sector and wider society. The CyberFirst initiative
tem is difficult to ascertain, but some UK cyber-security launched in May 2016, for example, has been expanded
companies are now valued in the hundreds of millions and is now part of an £84 million (US$114m) govern-
of pounds, with a presumed commensurate investment ment cyber-education programme. It has courses for
in R&D. Large companies from the US defence sector, school-age children, undergraduate bursaries, degree
such as Lockheed Martin and Northrop Grumman, are apprenticeships, and sponsored doctorates in cyber
also investing heavily in UK cyber R&D. security and related fields. There is significant emphasis
It is evident that the AI sector in the UK has great on encouraging girls to develop cyber-security skills. It
strengths. By 2018, AI-related companies numbered is too soon to assess the success of these initiatives, but
about 6,000, of which about 2,800 advertised them- the diagnosis of the problem appears to be accurate and
selves as working in that field.10 Of those, about 400 the proposed treatment potentially effective.
specialised in deep learning (using automated data The UK’s armed forces are again a microcosm of the
analytics), with another 300 focusing on robotics, vir- broader UK picture. The MoD works on cyber R&D with
tual reality and the Internet of Things. About 250 firms a range of companies including BAE Systems, Lockheed

32 The International Institute for Strategic Studies


Martin, Northrop Grumman, QinetiQ, Raytheon, Roke operators. Huawei’s contribution ranges from 5% of the
and Thales UK. There are cyber-recruitment initiatives equipment used by O2 to more than 30% of that used
across each armed service, and for a Joint Cyber Reserve by Vodafone. Huawei’s involvement (right down to the
Force. However, specialists with deep experience of the coding) is closely monitored by the UK government at
UK’s cyber capabilities assert that its armed forces will a facility in the town of Banbury. Other foreign suppli-
find it hard to develop the required depth of expertise if ers used across the network include Cisco, Ericsson,
they do not emulate the US by creating opportunities for Fujitsu, Nokia and Siena, with no equivalent oversight.
entire military careers in cyber. It is believed that the UK In short, the UK relies to a considerable extent on for-
military is addressing this under the new NCF construct. eign manufacture of much of the equipment under-
Perhaps the greatest area of complexity for the UK, pinning its telecommunications, from microchips to
however, is the limited degree to which it controls its communications switches. This infrastructure com-
own national telecommunications infrastructure, and plexity is typical of the Western model of a free, multi-
whether this really matters. Design of the network is stakeholder internet.
currently undertaken by the company BT, which used Data crossing the UK network takes the most suitable
to have a monopoly as the UK’s sole network provider. route across various platforms and systems, based on
Due to its size, BT runs what might be considered the factors such as cost, time and available bandwidth. Much
core public network, though providers such as Virgin of the data is encrypted by ‘over the top’ applications
Media compete with it, especially since the migration such as Facebook, Google, Microsoft, Signal, Telegram
of the network to new-generation and WhatsApp, making the content
IP-based services. BT is the dominant largely invisible to the infrastructure
provider of telephone exchanges and The UK’s providers (of whatever nationality),
owns much of the access-network networks rely on and to the UK government, unless
infrastructure (the element ‘down- they receive assistance from the pro-
stream’ of the exchanges). But all the
foreign supply viders of those applications.
telecoms companies present in the chains to a The complexity of its networks is
UK (including those with foreign greater extent in many ways an advantage for the
ownership) have their own networks,
while the UK is looking to open up as
than those of the UK since it provides a certain level
of redundancy and resilience. For
much of BT’s network and infrastruc- US or China example, the country is so well con-
ture to other firms as possible. In real- nected to the internet through auton-
ity, it is impractical for competing operators to replicate omous nodes (second only to Germany in that respect)
completely the scale of BT’s network, so instead they that multiple nodes would have to be put out of action
rely on acquiring capacity or facilities from it. The result for there to be a significant impact on the function-
is that those companies can install their own hardware, ing of the system. Also, the UK has 88 undersea-cable
voice lines and broadband services and can take over landing points in its territory, providing a high degree
the existing physical lines. Overall, the growth and of redundancy if several of the cables were disabled,
development of the UK’s telecommunications network although the risk that even one of the cables might be
has been driven principally by market forces. interfered with or cut by an adversary remains a con-
UK mobile networks include foreign-owned equip- cern. It is still the case that the UK’s networks rely on
ment that uses either networks provided by the for- foreign supply chains to a greater extent than those of
eign companies or BT’s ‘backbone’ networks. For the the US or China and are therefore more exposed to the
UK’s 4G mobile networks, for example, the Chinese attendant risk. Furthermore, the UK’s weaker position in
company Huawei provides radio equipment, such as the global market for network infrastructure compared
masts, that broadcast mobile-network signals and relay with the US or China means it has less influence than
communications back to the core network for several they do in shaping the physical infrastructure of global

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 33


cyberspace.15 The government seems to have recognised National Cyber Crime Unit and by the Regional
the risk to its national networks, having announced initi- Organised Crime Units. Through GCHQ, the NCSC is
atives to improve security standards for equipment and also organisationally connected to the NCF.
to encourage greater diversification of suppliers. There has been a strengthening partnership between
In July 2020 the government ended a long-running government and the private sector on cyber security.
controversy when it announced a ban on purchases of Through its Cyber Security Information Sharing
Huawei equipment for its new 5G networks, to come Partnership the NCSC has designed a way for government
into force in 2021, and the stripping out of all Huawei and industry to exchange information in real time, and
equipment from all its networks by 2027.16 This over- it has accredited about 100 companies as suppliers of
turned an earlier government decision to manage the cyber security to government through its Cyber Growth
security risk by limiting the presence of Huawei equip- Partnership. The UK’s critical national infrastructure
ment to non-sensitive parts of the networks. However, officially consists of 13 sectors,19 each of which is required
an intervening US ban on the export of US microchip by government to produce an annual Sector Security
technology to Huawei undermined the quality and reli- and Resilience Plan, incorporating cyber-security issues,
ability of the Chinese company’s product, forcing the while individual companies are responsible for their own
UK’s hand. The pressure applied by the US to both business-continuity and resilience plans. There is a proven
Huawei and the UK therefore seemed to be more about system for incident-alerting and response, cyber-defence
curtailing the global expansion of Chinese digital tech- exercises involving government and industry, and a
nology than dealing with an immediate security risk. dedicated national risk register. Awareness programmes
for the wider public include Cyber Aware, Cybersecurity
Cyber security and resilience Challenge, Cyber Essentials and Get Safe Online.
The UK has developed a national cyber-security ecosys- Importantly, there was evidence of a shift in approach
tem that aspires to a whole-of-society approach, seeking in the 2016 version of the UK’s cyber-security strategy.
to ensure that government, the private sector, academia The pre-2016 versions of the strategy had relied on mar-
and individual citizens work together to improve over- ket forces to bring about more secure practices among
all national cyber security. The efficacy of that ecosys- companies but had not achieved the scale and pace of
tem was reflected in the UK being ranked first out of 175 change required to keep ahead of threats. In the 2016
countries in the 2018 Global Cybersecurity Index com- strategy the government adopted a more intervention-
piled by the International Telecommunication Union.17 ist role to deliver the required improvements. This was
At the heart of the ecosystem sits the NCSC, which partly embodied in the NCSC’s Active Cyber Defence
became operational in October 2016. This rationalised initiative, also launched in 2016, which has involved
the government’s cyber-security effort, bringing together working with internet service providers to find ways of
functions previously distributed across several depart- blocking and disrupting malicious activity at the network
ments and aiming to provide a central point of refer- level, with the aim of protecting most UK citizens from
ence on cyber security for ministers and the private and most high-volume/low-sophistication attacks most of the
public sectors.18 The NCSC includes the UK’s national time. The first tranche of activity has focused on citizens’
Computer Emergency Response Team (CERT-UK). interactions with government and has had an impact
As part of GCHQ, the NCSC is able to draw upon on, for example, the phishing threat – the UK’s share of
the government’s principal source of cyber expertise global phishing attacks fell from 5.3% to 2.2% between
and threat data. The NCSC’s headquarters was deliber- 2016 and 2018, according to the NAO.20 The plan is now
ately kept separate from GCHQ, however, so it would to incorporate UK industry sectors within this approach.
be more accessible to private companies, the media While the various processes that make up the UK’s
and the public. The NCSC has good connections with cyber-security ecosystem appear to be well estab-
UK law enforcement, where cyber-security capabilities lished, it is harder to evaluate the human and techni-
have been developed by the National Crime Agency’s cal capacity that supports it. The investment of £1.9bn

34 The International Institute for Strategic Studies


(US$2.5bn) under the current five-year programme is Netherlands, the UK drove through the adoption
substantial in the context of overall UK government of an EU sanctions regime to directly penalise com-
funding, although the NAO has reported some delivery puter hackers. The UK’s withdrawal from the EU may
issues. The 740 staff allocated to the NCSC also repre- weaken important channels for influence over pan-
sent a substantial commitment but are only a small part European cyber-security policy and cyber-crime con-
of the personnel dedicated to cyber security across gov- trol. The UK has actively participated in the UN Group
ernment and the private sector. The approximately 100 of Governmental Experts on cyberspace security since
companies accredited to deliver cyber-security services its creation in 2004.25
to government indicate considerable private-sector The UK has long-standing international alliances on
capacity,21 with a 2020 report noting a 44% increase in cyber intelligence and cyber security, for example with
the number of cyber-security firms in the UK, and a 37% its Five Eyes partners, a broad range of European states
increase in cyber-related jobs, between 2017 and 2019.22 and as a member of NATO. There is evidence of grow-
The challenge for the UK may lie in ensuring it has suf- ing cooperation on cyber security with a wider range of
ficient personnel with crucial deep cyber-security skills countries across the Middle East, the Asia-Pacific and
and expertise, hence the various upskilling initiatives Latin America. There is also evidence of the UK operat-
being driven by the NCSC. ing with close allies on offensive cyber operations, for
The current state of cyber security in the UK is example with the US and Australia against the Islamic
reflected in a 2020 report23 showing that cyber attacks State (also known as ISIS or ISIL). The UK and the US
are being detected more frequently, with almost half signed an agreement in 2016 to advance their collabora-
of businesses reporting cyber-security breaches dur- tive development of both offensive and defensive cyber
ing the previous 12 months. However, businesses also capabilities. The UK’s cyber capability is almost cer-
reported a higher level of resilience, and the average tainly amplified by this proven ability to work in con-
cost of individual breaches was quite low (£3,230, or less cert with other cyber-capable nations.
than US$5,000). The qualitative research nevertheless
revealed some confusion about incident reporting and Offensive cyber capability
highlighted the important role for key players such as Government ministers have stated unambiguously that
banks and insurance companies in guiding the private the UK is prepared to use cyber capabilities to deter and
sector on cyber security. counter threats, including from terrorists, serious crimi-
nals and malign cyber actors; that they consider offensive
Global leadership in cyberspace affairs cyber operations integral to modern warfare; and that
The UK aspires to shape the global cyber future by pur- the UK military is committed to using its offensive cyber
suing international action and exerting its influence in capability as a warfighting tool.26 Offensive cyber is cov-
international forums. It advocates the application of ered in detail in published UK military doctrine, includ-
existing international law (including the laws of armed ing its use to create freedom of manoeuvre, to project
conflict) in cyberspace and promotes the establishment power, for destructive military effect and for deterrence.
of voluntary, non-binding norms of state behaviour and The UK’s development of an offensive cyber capa-
the development and implementation of confidence- bility has been a joint venture between GCHQ and the
building measures. MoD. From 2014, this was under the auspices of the
The UK has sponsored or led cyber-security initia- NOCP, which was subsumed in 2020 by the NCF. It
tives in the United Nations, the European Union and seems the investment of people and money was already
the Commonwealth. For example, it has implemented substantial under the NOCP and will increase under the
international programmes helping more than 80 coun- NCF. Evidence from parliamentary committees in 2016–
tries to improve their cyber security, supported by 17 shows that the NOCP had instigated a step change in
the UK-developed ‘Cybersecurity Capacity Maturity the UK’s effort on offensive cyber, with the development
Model for Nations’;24 and in May 2019, alongside the of the full spectrum of capabilities from those required

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 35


for peacetime influence-and-information operations to if they are for military effect, they must also proceed
those relevant to high- and low-intensity combat. The through the MoD’s well-established and ministerially
committees also highlighted an increase in GCHQ efforts led targeting process (adding the principles of discrimi-
on computer-network exploitation (hacking), which is a nation and humanity). This means considerations of
vital part of an effective offensive cyber capability. unintended consequences and collateral damage are an
The evidence available on actual capability is under- integral part of the UK system. Like the US, though, the
standably scant, given the need for secrecy, although in UK reserves the right to use its offensive cyber capa-
2018 the UK became one of only three countries to have bilities for more than deterrent effect, its strategy stat-
publicly acknowledged the use of offensive cyber capa- ing that it will deploy them at a time and place of its
bilities (the others being the US and Australia). Judging choosing, including for national operational purposes.29
from indications in the Snowden leaks, GCHQ had been Like other cyber-capable states that operate within strict
pioneering the development and use of offensive cyber international and domestic legal limits, the UK proba-
techniques since the turn of the millennium, particu- bly needs to find a way of generating a better-informed
larly for disruptive cognitive effect against international public debate on the use of offensive cyber to ensure
terrorists.27 Furthermore, as well as exercising its capa- it retains the necessary political licence to operate. This
bilities on cyber ranges and incorporating cyber dimen- will probably entail a greater level of openness on its
sions into war games, it is clear that the UK has used plans for developing and using such capabilities.
its military operations in Afghanistan and elsewhere as Perhaps the principal challenge facing the UK’s
operational proving grounds for its integration of cyber offensive cyber capability is the need for continued
action into modern warfare.28 investment both in terms of money and personnel,
Whether for intelligence-gathering or offensive pur- especially in order to increase capacity in core techni-
poses, the UK states that it will use its cyber capabilities cal skills. This is something the creation of the NCF is
responsibly and according to strict thresholds dictated intended to address. Overall, however, the available
by domestic and international law. The overarching evidence seems to back the UK claim in its 2016 NCSS
principle in UK law is that all such operations have that, together with the US, it is a world leader on offen-
to be proved necessary and proportionate, and that sive cyber.

Notes

1 HM Government, ‘National Cyber Security Strategy 2016–2021’, 5 Dominic Nicholls, ‘Britain is “at war every day” due to

2016, https://assets.publishing.service.gov.uk/government/ constant cyber attacks, Chief of the Defence Staff says’,

uploads/system/uploads/attachment_data/file/567242/national_ Telegraph, 29 September 2019, https://www.telegraph.co.uk/

cyber_security_strategy_2016.pdf. news/2019/09/29/britain-war-every-day-due-constant-cyber-

2 Ibid., p. 9. attacks-chief-defence.

3 ‘The National Security Secretariat, a division of the Cabinet 6 A public source giving some insight into doctrine is UK Ministry

Office (the Department), manages the Programme on the of Defence, ‘Joint Doctrine Note 1/18, Cyber and electromagnetic

National Security Adviser’s behalf.’ See National Audit Office, activities’, 21 February 2018, https://www.gov.uk/government/

‘Progress of the 2016–2021 National Cyber Security Programme’, publications/cyber-and-electromagnetic-activities-jdn-118.

15 March 2019, p. 20, https://www.nao.org.uk/wp-content/ 7 UK Ministry of Defence, ‘Joint Concept Note 2/17, Future

uploads/2019/03/Progress-of-the-2016-2021-National-Cyber- of Command and Control’, September 2017, https://assets.

Security-Programme.pdf. publishing.service.gov.uk/government/uploads/system/

4 HM Government, ‘National Cyber Security Strategy 2016– uploads/attachment_data/file/643245/concepts_uk_future_c2_

2021’, p. 51. jcn_2_17.pdf.

36 The International Institute for Strategic Studies


8 Longmei Zhang and Sally Chen, ‘China’s Digital Economy: 16 UK Government, ‘Huawei to be removed from UK 5G

Opportunities and risks’, International Monetary Fund networks by 2027’, 14 July 2020, https://www.gov.uk/

Working Paper, no. WP/19/16, 17 January 2019, p. 4, https:// government/news/huawei-to-be-removed-from-uk-5g-

www.imf.org/en/Publications/WP/Issues/2019/01/17/ networks-by-2027#:~:text=HUAWEI%20will%20be%20

Chinas-Digital-Economy-Opportunities-and-Risks-46459. completely%20removed,sanctions%20against%20the%20

9 As well as access to US systems, the UK military has its own telecommunications%20vendor.

Skynet satellite constellation. The MoD is considering options for 17 International Telecommunication Union, ‘Global Cybersecurity

maintaining the continuity of Skynet services beyond August 2022, Index 2018’, pp. 30, 62, https://www.itu.int/dms_pub/itu-d/

when the current Skynet 5 financing arrangement comes to an end. opb/str/D-STR-GCI.01-2018-PDF-E.pdf.

10 Organisation for Economic Co-operation and Development, 18 Those functions include the production of national assessments,

‘Measuring the Digital Transformation: A roadmap for the protection of critical national infrastructure, information

the future’, 11 March 2019, p. 34, https://www.oecd. assurance, and national-level computer-emergency response

org/publications/measuring-the-digital-transformation- teams.

9789264311992-en.htm. 19 The 13 sectors making up the UK’s critical national

11 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United infrastructure are chemicals, civil nuclear, communications,

States Stay Ahead of China?’, 21 December 2020, https://chuvpilo. defence, emergency services, energy, finance, food, government,

medium.com/ai-research-rankings-2020-can-the-united-states- health, space, transport and water – see Centre for the Protection

stay-ahead-of-china-61cf14b1216. This ranking has weaknesses, of National Infrastructure, ‘Critical National Infrastructure’,

however, as do all rudimentary scoring systems. https://www.cpni.gov.uk/critical-national-infrastructure-0.

12 Bach Xuan Tran et al., ‘Global evolution of research in artificial 20 National Audit Office, ‘Progress of the 2016–2021 National

intelligence in health and medicine: A bibliometric study’, Cyber Security Programme’, 2019, p. 11, https://www.nao.org.

Journal of Clinical Medicine, vol. 8, no. 3, 14 March 2019, p. 9, uk/wp-content/uploads/2019/03/Progress-of-the-2016-2021-

https://www.mdpi.com/2077-0383/8/3/360/pdf. National-Cyber-Security-Programme.pdf.

13 Department for Digital, Culture, Media and Sport, ‘Initial 21 More UK companies offer cyber-security services than the 100

National Cyber Security Skills Strategy: Increasing the UK’s or so that are accredited – the UK government estimates the

cyber security capability – a call for views’, 3 May 2019, number is around 800. On one level, such diversity is a strength;

https://www.gov.uk/government/publications/cyber-security- on another, it dilutes their market presence compared with

skills-strategy/initial-national-cyber-security-skills-strategy- large, well-known foreign companies such as FireEye. The UK’s

increasing-the-uks-cyber-security-capability-a-call-for-views. cyber-security industry has many start-ups and small companies


14 Daniel Pedley et al., ‘Cyber security skills in the UK labour struggling to grow; some market consolidation is needed.

market 2020: Findings report’, 2020, https://assets.publishing. 22 Sam Donaldson et al., ‘UK Cyber Security Sectoral Analysis

service.gov.uk/government/uploads/system/uploads/ 2020’, Department for Digital, Culture, Media and Sport,

attachment_data/file/869506/Cyber_security_skills_report_in_ January 2020, pp. 2, 44, 63, 73, https://assets.publishing.service.

the_UK_labour_market_2020.pdf. gov.uk/government/uploads/system/uploads/attachment_data/
15 The UK is nonetheless an active exporter of telecommunications file/861945/UK_Cyber_Sectoral_Analysis__2020__Report.pdf.
equipment. For example, BT and Vodafone install and operate 23 UK Department for Digital, Culture, Media and Sport, ‘Cyber

systems in many other countries. In any case, it could be argued Security Breaches Survey 2020’, 26 March 2020, https://www.

that the nationality of the design of a completed product is gov.uk/government/statistics/cyber-security-breaches-survey-

not a reliable guide to where that product’s components were 2020.

manufactured – hence the impact on US chip manufacturers of 24 Global Cyber Security Capacity Centre, ‘Cybersecurity

the US ban on Huawei products. Supply-chain risks may be an Capacity Maturity Model for Nations’, Oxford University, 2017,

inevitable consequence of the globalisation of the development https://cybilportal.org/tools/cybersecurity-capacity-maturity-

and production of technology. If so, all states will need to model-for-nations-cmm-revised-edition.

manage those risks, and the UK’s approach may later be 25 Since a UN General Assembly resolution in 2004, a UN Group

regarded as having been in the vanguard. of Governmental Experts (GGE) has convened for two-year

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 37


terms to address international-security aspects of cyberspace. Wallace%20said,ability%20to%20conduct%20cyber%20

It was known as the GGE on ‘Developments in the Field operations.

of Information and Telecommunications in the Context of 27 The UK government continues to neither confirm nor deny the

International Security’ until 2018, when it was renamed the GGE information leaked by Snowden.

on ‘Advancing Responsible State Behaviour in Cyberspace in the 28 Apart from its statements with regard to the Islamic State, the

Context of International Security’. In cyberspace-policy circles it UK has made no formal acknowledgement of its offensive

is common to refer to it simply as ‘the GGE’. See UN Office for cyber operations. But for a mention of such operations in

Disarmament Affairs, ‘Developments in the field of information Afghanistan, see Gordon Corera, ‘UK’s National Cyber Force

and telecommunications in the context of international security’, comes out of the shadows’, BBC News, 20 November 2020,

https://www.un.org/disarmament/ict-security. https://www.bbc.com/news/technology-55007946.

26 For a collection of such statements, see GCHQ, ‘National 29 UK Parliament, ‘Electronic Warfare: Question for Ministry of

Cyber Force transforms country’s cyber capabilities to protect Defence’, UIN 201591, tabled on 12 December 2018, https://

the UK’, November 2020, https://www.gchq.gov.uk/news/ questions-statements.parliament.uk/written-questions/

national-cyber-force#:~:text=Defence%20Secretary%20Ben%20 detail/2018-12-12/201591.

38 The International Institute for Strategic Studies


3. Canada

Canada is a highly digitised middle power with an ICT systems. Its national resilience policy is well
advanced economy. It pursues a whole-of-society organised but less practised than it needs to be.
approach to cyber security that sits comfortably with Elements of its critical infrastructure are shared with
its system of government and foreign policy. Its cyber the US (a common electric grid, for example). Canada
policies, like those of the United States and United is active in a multitude of diplomatic forums and
Kingdom, recognise a rich mix of stakeholders, and in building cyber capacity in other states. Its cyber
it has a relatively mature civil-sector cyber capabil- potential is enhanced by its proven ability to operate
ity buttressed by appropriate laws and regulations. in alliance with other cyber-capable states: this gives
The Canadian government is also proactive in pro- it access to additional assets, especially those based
moting digital transformation. A strong, and in some in outer space. Canada is not a global operator in
regards world-leading, tech economy gives Canada cyberspace in the same way that the US and the UK
an advantage over many states with similarly sized are, and offensive cyber, for which the country estab-
economies. It relies, however, on other countries to lished a legal basis only in 2018, is the area in which
provide most of the hardware that powers modern it can do most to improve its overall cyber power.

Strategy and doctrine


Canada’s public documents reveal that the country has infrastructure. The two pivotal cyber-focused docu-
prioritised a whole-of-society response to cyber security ments were Canada’s cyber-security strategies of 2010
above all other cyber considerations, with the develop- and 2018. The 2010 strategy clearly prioritised the secur-
ment of military and offensive capabilities therefore ing of government systems, leading to the development
given less prominence in its published strategy than is of technical solutions subsequently emulated by some
the case in other cyber-capable states. of the country’s close allies. At the time, the strategy’s
The National Security Policy of 2004 provided a emphasis on fostering a closer partnership between the
comprehensive policy overview1 and is still regarded public and private sectors, and on initiatives aimed at
as the guiding policy document.2 Subsequent policy the online security of Canadian citizens, was ground-
documents have focused more on individual security breaking. Nevertheless, the strategy itself was very top-
challenges, especially counter-terrorism, while also level, with little detail on the underpinning initiatives or
paying increasing attention to the security of critical the allocation of resources.

List of acronyms
CAF Canadian Armed Forces DCIO Defence Chief Information Officer
CSE Communications Security Establishment DND Department of National Defence
CSIS Canadian Security Intelligence Service ICT information and communications technology

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 39


The 2018 strategy sought to address this, with about officers such as the director of the Communications
CA$500 million (US$400m) allocated to eight depart- Security Establishment (CSE), the director of the
ments over five years (on top of existing cyber-security- Canadian Security Intelligence Service (CSIS) and the
related departmental budgets), covering substantive commander-in-chief of the CAF. Like its close allies,
new cross-government initiatives ranging from the Canada pursues a multi-stakeholder approach to gov-
creation of a Canadian Centre for Cyber Security and a ernance of cyber-security policy and related industrial
National Cyber Crime Coordination Unit to incentives and educational policy. Other government bodies with a
for innovation, economic growth and the development close involvement include the Royal Canadian Mounted
of cyber talent. Uniquely, the 2018 strategy was itself Police, Industry Canada, the Treasury Board Secretariat
created using a whole-of-society approach, with a wide and the Privacy Commissioner.7
consultation process that included the general pub- This multi-stakeholder approach has been criticised
lic. Led by Public Safety Canada, implementation has within Canada on the grounds that it lacks a clearly
appeared to be broadly on track, with further initiatives, defined leading authority.8 However, Public Safety
announced in 2020, focusing on combating online child Canada claims the leadership role in coordinating civil-
sexual exploitation and on improving the resilience of sector cyber policy,9 while CSE’s Cyber Centre focuses
physical and digital critical national infrastructure. The on the operational aspects of cyber security.10 Although
strategy’s implementation has been publicly reported by the lines of responsibility are intricate, CSE, CSIS and
the government in a notably transparent way. the CAF are accountable to the highest levels of govern-
The Canadian Armed Forces (CAF) and the ment and report to, or are run by, cabinet-level govern-
Department of National Defence (DND) rely on no ment ministers. Inside Public Safety Canada there is a
fewer than 12 governmental and departmental policies Director General for National Cyber Security reporting
to enable effective cyber security and defensive cyber to the Senior Assistant Deputy Minister (the country’s
operations,3 although when it comes to the details of second-most senior civil servant).11
implementation, a paucity of documentation within Historically, Canada’s military cyber capabilities
the public domain limits the depth of any assessment. have tended to be defensive, and although other uses
A 2009 Capstone Concept did establish, however, that for cyber had already been envisaged in CAF/DND
Canada sees cyberspace as a realm of warfare, with an doctrine (the 2009 Capstone Concept, for example), it
emphasis on using cyber operations in conjunction with was only in 2019 that a cyber force was established in
other military capabilities to create integrated effects.4 preparation for offensive cyber warfare. Employment of
Considerations of the operational aspects of cyber Canada’s offensive cyber capabilities must be approved
were also taking place well before the publication of ‘by the Government on a mission-by-mission basis con-
the 2009 document.5 Military cyber operations moved sistent with the employment of other military assets
firmly into the public discussion in a 2017 defence pol- and will be subject to the same rigour as other military
icy, which set out a broad role for the military around uses of force’,12 and offensive cyber operations require
cyber and stated that the CAF would ‘ensure that new the approval of both the minister of national defence
challenges in the space and cyber domains do not and the minister of foreign affairs.13
threaten Canadian defence and security objectives and For control of military operations, Canada has a Joint
strategic interests, including the economy’.6 Force Cyber Component Commander. Responsibility for
developing cyber capability and readiness sits with the
Governance, command and control Defence Chief Information Officer (DCIO), a civilian ac-
As Canada is a parliamentary democracy in the British countable to both the Chief of the Defence Staff and the
mould, command and control of cyber organisations Deputy Minister for Defence (the senior civil servant in the
rests ultimately with the prime minister, who oversees DND).14 Reporting to the DCIO is a military officer at one-
the minister of public safety and emergency prepared- star level, the Director General Cyber,15 who is charged
ness, the minister of national defence and other statutory with development of military cyber capabilities, as well as

40 The International Institute for Strategic Studies


responsibility for strategic and operational command and Although Canada has restrictive policies that limit
control, communications, computing and information.16 the operations of US telecommunications and internet
The Canadian Forces Network Operations Centre defends providers within its borders, there is a very high level
and monitors DND networks,17 although it is unclear of cyberspace integration between the two countries.
which precise activities this entails as back-office networks Canada is the primary beneficiary of that relationship,
and government data are also the responsibility of CSE especially when it comes to managing its dependencies
and Shared Services Canada. Cyber situational awareness and vulnerabilities. The US is by far the leading destina-
is provided through CSIS, CSE, Canadian Forces Intelli- tion for Canada’s ICT exports and ranks second among
gence Command and the Armed Forces Information Op- the suppliers of Canada’s ICT imports.22 Just as the two
erations Group’s Cyber Support Detachments. In 2019, the countries have a common interest and joint operations
government launched a high-priority effort to improve in- in air defence, they also work closely on the protection
tegration of these diverse centres of information.18 of critical infrastructure.
The country’s digital potential, but also the challenge
Core cyber-intelligence capabilities it faces in maintaining a market edge in innovation, is
Canada’s core cyber-intelligence capability is centred illustrated by the Canadian company BlackBerry having
on CSE, which is civilian-led and subordinate to the produced an early smartphone that was popular world-
minister of national defence. Internationally recognised wide until eventually it was superseded by Apple’s
for its technical expertise, CSE’s capabilities are sig- iPhone. The government has taken an active role in
nificantly enhanced through membership of the Five expanding the digital economy, for example launching a
Eyes alliance. Like its equivalents in the other Five Eyes national strategy for artificial intelligence (AI) in 2017.23
countries, CSE is responsible for both cyber intelligence Also in 2017, the government launched an innovation
and cyber security, allowing each discipline to benefit initiative in which certain areas with high concentrations
from the organisation’s expertise in the other. of tech companies and universities were designated as
CSE is part of a well-developed Canadian intelli- ‘superclusters’ in five areas of research, including AI and
gence and security community in which responsibil- digital technology.24 Toronto is the main hub, account-
ity both for overseas human intelligence collection and ing for 26% of Canada’s ICT output and claiming to be
for domestic security lies with the Canadian Secret the third-largest tech sector by region and the second-
Intelligence Service. In common with its Five Eyes part- largest financial centre in North America.25
ners, Canada’s defence organisation has its own dedi- The 2019 Canadian Digital Charter recognises the
cated intelligence capabilities, under Canadian Forces need for government to work with the private sec-
Intelligence Command. In terms of geographical reach tor and academia in expanding cyber expertise,26 and
and budgets, the Canadian intelligence community as a the 2018 National Cyber Security Strategy aimed to
whole operates at a lower level than those of the United increase the number of cyber firms and boost innova-
States and the United Kingdom, although the reach and tion.27 Canada has four innovation clusters in the World
impact of CSE’s cyber-intelligence capabilities are rec- Intellectual Property Organization’s list of the top 100,
ognised by allies as a Canadian strong point. which puts it on a similar footing to the UK (four) and
Japan (five).28
Cyber empowerment and dependence In terms of AI research and exploitation, Canada
Canada enjoys a high level of digital empowerment, has some notable achievements, for example occu-
with an internet penetration rate above 90%.19 Canadians pying eighth position, just below Australia, in
use mobile phones (90% of households) far more than the Organisation for Economic Co-operation and
landlines (41%), while around one-third of households Development’s ranking of countries according to num-
rely exclusively on wireless services.20 Information and ber of top-cited AI research papers their institutions
communications technology (ICT) is one of the fastest- produce.29 However, the country’s leading research
growing sectors in the Canadian economy.21 institute has stated that the national AI strategy,

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 41


although the first of its kind in the world when it was the National Cross-Sector Forum, for example, link-
launched in 2017, has since fallen behind those of most ing federal, provincial and territorial governments,
of other countries with similar programmes.30 critical infrastructure sectors and a Federal–Provincial–
The CAF has a high degree of dependence on digital Territorial Critical Infrastructure Working Group.
systems and space-based communication. It has space The Canadian Network for Security Information
capabilities of its own but is also uniquely placed by Exchange aims to foster cooperation between private-
having been part of the US–Canada North American sector cyber-security stakeholders (for example in the
Aerospace Defense Command (NORAD) since 1957. telecommunications, financial and energy sectors) and
By sharing a land border with the US, Canada also the government.38 In all of these areas of critical infra-
obtains unique dependability for its land-based tel- structure there is significant interdependence between
ecommunications assets. In 2019, Canada joined Canada and the US39 – a power outage on either side of
with France, Germany, the UK and the US to create the border, for example, would potentially also have an
the Combined Force Space Component Command impact on the other country.40 As early as 2004, the two
(CFSCC), following decades of space cooperation with countries signed a treaty for cooperation on the cyber
those countries.31 security of critical infrastructure.41 Cyber is a key compo-
nent of the comprehensive bilateral defence cooperation
Cyber security and resilience that Canada maintains with the US.42 A joint initiative
Canada’s high level of preparedness for a cyber by Public Safety Canada and the US Department of
emergency is illustrated by the wide-ranging series Homeland Security seeks to enhance collaboration on
of plans and policies it has established, based in part cyber-incident management by the national operations
on provincial and territorial organisations.32 There is centres, establish information-sharing with the private
a comprehensive Cyber Security Event Management sector on cyber security and continue cooperation on
Plan that lists the stakeholders and public-awareness efforts.43
outlines the actions required to deal Canada continues to suffer the
with cyber-security incidents,33 and
Canada has same types of cyber attack as its Five
clear reporting lines for cyber issues well-developed Eyes partners: escalating cyber crime,
to be escalated to the appropriate
processes cyber bullying, privacy breaches,
government level and department. state-based intrusions and attempts to
Industry regulators and non-state
to protect use cyberspace for political-influence
actors supplement sector-specific its critical operations.44 An annual survey cov-
legislation. The Canadian Centre for infrastructure ering business, government and the
Cyber Security hosts the national non-profit sector found in 2020 that
Computer Emergency Response
from cyber the number of respondents anxious
Team.34 Military systems are overseen threats about high-level cyber threats had
by the CAF/DND, which also have increased since 2019, but the number
clear procedures for reporting and escalating issues.35 of organisations intending to increase their investments
During certain cyber-security incidents or threat events, in cyber security had fallen.45
the CAF/DND can come to the aid of the government.36 Overall, with the high priority Canada has given to
Canada has well-developed processes to protect its cyber security since 2010, the renewed focus of its in-
critical infrastructure from cyber threats.37 The gov- vestments since it produced its 2018 cyber-security
ernment maintains a Canadian Critical Infrastructure strategy, and the maturity of its approach to cyber resil-
Asset List, although it is not publicly available, and ience, Canada performs strongly in this category of the
CSE is mandated to protect critical infrastructure if methodology. The International Telecommunication
operators request assistance. Public–private collabo- Union’s 2018 Global Cybersecurity Index reflected this,
ration is another element of Canadian resilience, with placing Canada ninth out of 175 countries.46

42 The International Institute for Strategic Studies


Public Safety Canada has stated that coordination team54 and has a cyber-trained officer working on policy
within the Five Eyes intelligence alliance has been at NATO headquarters.
‘pivotal in ensuring cyber security resilience within Canada has joined a US-led initiative to name and
our respective countries’ and that the ‘strategic dia- shame malicious state actors in cyberspace – part of the
logue has made significant progress on cyber security Cyber Deterrence Initiative.55 Since its launch in 2018,
issues, particularly with respect to information sharing 22 countries have participated in different joint (or syn-
on the threat environment, coordinated cyber incident chronous) attribution statements.
response, and international policy coordination’.47
Offensive cyber capability
Global leadership in cyberspace affairs Canada is open about its ability and willingness to use
Canada is active in international forums on cyberspace offensive cyber56 in close adherence to international
affairs, often seeking to shape the debate. Its 2019 National law,57 and has possibly done so against the Islamic State
Cyber Security Action Plan outlined a broad diplomatic (also known as ISIS or ISIL).58 However, its offensive
strategy, setting the goal of ‘work[ing] to shape the inter- cyber capabilities are still nascent. While the CAF/DND
national cyber security environment’ in Canada’s own have some offensive cyber capacity,59 they rely heav-
interests through collaboration and coordination ‘of ily on the cyber expertise of CSE, a civilian organisa-
strategic cybersecurity and cybercrime issues amongst tion, albeit one that reports to the minister of national
stakeholders, and by advocating for an open, free and defence. Therefore, as in the UK, there is no clear dis-
secure internet’.48 This approach has seen the country par- tinction between military and civilian offensive cyber
ticipate in cyber-security discussions at an international capabilities, only between how their use is authorised
level, such as in the United Nations Group of Govern- politically, depending on which piece of domestic or
mental Experts on cyberspace security.49 Canada has also international law is engaged. Consequently, CSE and
run anti-crime and counter-terrorism capacity-building the Canadian military are considering adopting the
programmes through which it has contributed CA$15.6 UK’s model and creating a national cyber force com-
million (US$12m) to cyber-security prised of both military and civilian
capacity-building in North and South Canada has personnel.60 This follows the passage
America and Southeast Asia.50 It is a
joined a US- into law in 2019 of Bill C-59 and the
signatory to the 2018 Paris Call for CSE Act, which together allow CSE
Trust and Security in Cyberspace, and
led initiative to perform offensive cyber functions
has ratified the Convention on Cyber to name and on behalf of the CAF/DND, operating
Crime.51 In 2019, Canada oversaw the shame malicious under their legal mandate.61 Given
creation of the Rapid Response Mech- this clarification of the Canadian
anism, aimed at sharing information
state actors in legal position, Canada has put itself
and threat analyses with other G7 cyberspace in a better position to develop and
countries so as to identify opportuni- use a wider set of offensive cyber
ties for coordinated responses to cyber attacks.52 capabilities. In doing so, it can draw upon the offensive
Despite only announcing its intention to join the cyber experience of its close partners the US, the UK
NATO Cooperative Cyber Defence Centre of Excellence and Australia, in terms of both running operations and
in 2019, as a NATO member Canada has become capability development. One of the major advantages of
involved in the Alliance’s efforts to strengthen its cyber belonging to a mature international cyber alliance such
capabilities. In 2013, for example, Canada headed a as the Five Eyes, therefore, is that it enables a country
Multinational Cyber Defence Capability Development like Canada to develop and scale cyber capabilities
project to improve NATO’s surveillance and defensive more quickly and more efficiently than it otherwise
capabilities.53 It is also active in NATO’s cryptographic would be able to.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 43


Notes

1 Canada Privy Council Office, ‘Securing an Open Society: planning, see https://www.canada.ca/en/department-national-

Canada’s National Security Policy’, 2004, http://publications. defence/corporate/reports-publications/proactive-disclosure/

gc.ca/collections/Collection/CP22-77-2004E.pdf. cow-estimates-a-2019-20/joint-capabilities.html.

2 See, for example, Public Safety Canada, ‘Securing an Open 13 Numerous statements made during a Public Safety Committee

Society: Canada’s National Security Policy’, 2015, https://www. meeting, 22 March 2018, https://openparliament.ca/committees/

publicsafety.gc.ca/cnt/ntnl-scrt/scrng-en.aspx. public-safety/42-1/101/?singlepage=1.
3 Public Works and Government Services Canada, ‘Defensive 14 Len Bastien (Defence Chief Information Officer and Assistant

Cyber Operations’, Letter of Interest, Solicitation No. W6369- Deputy Minister, Information Management, Department

17DE25/B, 2017, p. 1, https://buyandsell.gc.ca/cds/public/2017 of National Defence) statement at the National Defence

/12/18/637ad14072ef720ed0c51146992cca46/ABES.PROD.PW__ Committee, 30 January 2018, https://openparliament.ca/

QE.B049.E26594.EBSU000.PDF. committees/national-defence/42-1/77/len-bastien-1/only.

4 Canadian Department of National Defence, ‘Integrated 15 Ibid.

Capstone Concept’, 2009, pp. 28–30, http://publications.gc.ca/ 16 Commodore Richard Feltham (Director General,

collections/collection_2012/dn-nd/D2-265-2010-eng.pdf. Cyberspace, Department of National Defence) statement at

5 Canadian House of Commons, ‘Standing Committee on the National Defence Committee, 30 January 2018, https://

National Defence, Evidence, Tuesday 30 January 2018’, https:// openparliament.ca/committees/national-defence/42-1/77/

www.ourcommons.ca/DocumentViewer/en/42-1/NDDN/ commodore-richard-feltham-1/only.

meeting-77/evidence. 17 LCDR J.T.D.S. Turner, ‘Royal Canadian Navy Cyber Incident

6 Canadian Armed Forces, ‘Strong, Secure, Engaged: Canada’s Response Team’, Canadian Forces College, 2016, p. 3, https://

Defence Policy’, 2017, http://dgpaapp.forces.gc.ca/en/canada- www.cfc.forces.gc.ca/259/290/318/192/turner.pdf.

defence-policy/docs/canada-defence-policy-report.pdf. 18 See Government of Canada, ‘Canadian Armed Forces Cyber

7 Public Safety Canada, ‘Cyber Security in the Canadian Federal Activities’, 2019, https://www.canada.ca/en/department-

Government’, 2018, https://www.publicsafety.gc.ca/cnt/ntnl- national-defence/corporate/reports-publications/proactive-

scrt/cbr-scrt/fdrl-gvrnmnt-en.aspx. disclosure/cow-estimates-a-2019-20/joint-capabilities.html.

8 The Standing Senate Committee on Banking, Trade and 19 International Telecommunication Union, ‘Core Household

Commerce, ‘Cyber Assault: It Should Keep You Up at Night’, Indicators’, June 2019, https://www.itu.int/en/ITU-D/Statistics/

2018, p. 29, https://sencanada.ca/content/sen/committee/421/ Documents/statistics/2019/CoreHouseholdIndicators_


BANC/Reports/BANC_Report_FINAL_e.pdf. Jun2019.xlsx.

9 Public Safety Canada, ‘National Cyber Security Action Plan 20 Canadian Wireless and Telecommunications Association,

2019–2024’, undated, https://www.publicsafety.gc.ca/cnt/rsrcs/ ‘Facts & Figures’, 2019, https://www.cwta.ca/facts-figures.

pblctns/ntnl-cbr-scrt-strtg-2019/index-en.aspx. 21 International Trade Administration (United States), ‘Canada:

10 Public Safety Canada, ‘Speech on Canada’s evolving national Country Commercial Guide’, 3 August 2020, https://www.

security architecture in a constantly changing and very trade.gov/knowledge-product/canada-information-and-

difficult world’, 15 January 2019, https://www.canada.ca/ communications-technology-ict#:~:text=The%20Canadian%20

en/public-safety-canada/news/2019/01/speech-on-canadas- ICT%20sector%20is,with%20%249.3%20billion%20in%202019.

evolving-national-security-architecture-in-a-constantly- 22 Ibid.

changing-and-very-difficult-world.html. 23 OECD, Digital Economy Outlook 2020, Chapter 11,

11 Government of Canada, ‘Executive and Equivalent Level ‘Artificial intelligence’, https://www.oecd-ilibrary.org/sites/

Organizational Charts’, 9 April 2020, https://www.publicsafety. bb167041-en/1/3/11/index.html?itemId=/content/publication/

gc.ca/cnt/trnsprnc/brfng-mtrls/trnstn-bndrs/20191211/002/ bb167041-en&_csp_=509e10cb8ea8559b6f9cc53015e8814d&ite

index-en.aspx. mIGO=oecd&itemContentType=book#section-213.

12 Canadian Armed Forces, ‘Strong, Secure, Engaged: Canada’s 24 The initiative was designed to foster further investment in

Defence Policy’, p. 72. For more information on the CAF’s cyber these areas, based in part on a commitment of US$750 million

44 The International Institute for Strategic Studies


in matching grants from the government. See Government of 37 For further information, see Public Safety Canada, ‘Critical

Canada, ‘About Canada’s Supercluster Initiative program’, Infrastructure’, updated 19 August 2020, https://www.

1 December 2020, https://www.ic.gc.ca/eic/site/093.nsf/ publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx.

eng/00016.html. 38 Government of Canada, ‘National Cyber Protection’, 2006, p. 2,

25 Toronto Global, ‘Quick Facts’, https://torontoglobal.ca/ http://publications.gc.ca/collections/Collection/Iu64-28-2005E.pdf.

Discover-Toronto-region/Toronto-region-quick-facts. 39 Prime Minister of Canada, ‘Joint Statement from

26 Innovation, Science and Economic Development President Donald J. Trump and Prime Minister Justin

Canada, ‘Canada’s Digital Charter in Action: A Plan by Trudeau’, 13 February 2017, https://pm.gc.ca/en/news/

Canadians, for Canadians’, 2019, https://www.ic.gc.ca/eic/ statements/2017/02/13/joint-statement-president-donald-j-

site/062.nsf/vwapj/Digitalcharter_Report_EN.pdf/$file/ trump-and-prime-minister-justin.

Digitalcharter_Report_EN.pdf. 40 Ibid.; and Murray Brewster, ‘Norad asked Canada to

27 Public Safety Canada, ‘National Cyber Security Strategy – “identify and mitigate” cyberthreats to critical civilian sites’,

Canada’s Vision for Security and Prosperity in the Digital CBC, 9 September 2019, https://www.cbc.ca/news/politics/

Age’, 2018, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ norad-cyber-civilian-1.5273917.

ntnl-cbr-scrt-strtg/ntnl-cbr-scrt-strtg-en.pdf. 41 Government of Canada, ‘Agreement Between the

28 Cornell University, INSEAD and the World Intellectual Government of Canada and the Government of

Property Organization, ‘Global Innovation Index 2020: Who the United States of America for Cooperation in

Will Finance Innovation?’, pp. 54–6, https://www.wipo.int/ Science and Technology for Critical Infrastructure

edocs/pubdocs/en/wipo_pub_gii_2020.pdf. Protection and Border Security’, Signed 1 June 2004,

29 OECD, ‘Measuring the Digital Transformation: A Roadmap https://www.treaty-accord.gc.ca/text-texte.aspx?id=105000.

for the Future', 2019, p. 37, https://www.oecd.org/publications/ 42 National Defence and the Canadian Armed Forces, ‘The

measuring-the-digital-transformation-9789264311992-en.htm. Canada–U.S. Defence Relationship’, Backgrounder, 4

30 Canadian Institute for Advanced Research, ‘Building an AI December 2014, http://www.forces.gc.ca/en/news/article.

World: Report on National and Regional AI Strategies Second page?doc=the-canada-u-s-defence-relationship/hob7hd8s.

Edition’, May 2020, https://cifar.ca/wp-content/uploads/2020/10/ 43 Public Safety Canada, ‘Cybersecurity Action Plan between

building-an-ai-world-second-edition.pdf. Public Safety Canada and the Department of Homeland

31 Cody Chiles, ‘CFSCC establishment ceremony held at Security’, 2015, https://www.publicsafety.gc.ca/cnt/rsrcs/

Vandenberg’, Air Force Space Command, 2 October 2019, https:// pblctns/cybrscrt-ctn-plan/index-en.aspx.

www.afspc.af.mil/News/Article-Display/Article/1983986/ 44 Canadian Centre for Cyber Security, ‘National Cyber Threat

cfscc-establishment-ceremony-held-at-vandenberg. Assessment 2020’, 20 November 2020, https://cyber.gc.ca/sites/

32 Government of Canada, ‘Emergency management organizations’, default/files/publications/ncta-2020-e-web.pdf.

Get Prepared website, https://www.getprepared.gc.ca/cnt/rsrcs/ 45 Canadian Internet Registration Authority (CIRA), ‘CIRA

mrgnc-mgmt-rgnztns-en.aspx. 2020 Cyber Security Report’, https://www.cira.ca/


33 Government of Canada, ‘Government of Canada Cyber Security cybersecurity-report-2020.
Event Management Plan (GC CSEMP) 2019’, https://www. 46 International Telecommunication Union, ‘Global Cybersecurity

canada.ca/en/government/system/digital-government/online- Index 2018’, p. 56, https://www.itu.int/dms_pub/itu-d/opb/str/

security-privacy/security-identity-management/government- D-STR-GCI.01-2018-PDF-E.pdf.

canada-cyber-security-event-management-plan.html. 47 Amaliah Reiskind, ‘Canada’s Cyber Security: A

34 Canadian Centre for Cyber Security, ‘About the Cyber Centre’, Discussion with Public Safety Canada’, NATO Association

https://www.cyber.gc.ca/en/about-cyber-centre. Canada, 22 August 2018, http://natoassociation.ca/

35 Public Works and Government Services Canada, ‘Defensive canadas-cyber-security-a-discussion-with-public-safety-canada.

Cyber Operations’, Letter of Interest, Solicitation No. W6369- 48 Public Safety Canada, ‘National Cyber Security Action Plan

17DE25/B, 2017, pp. B1–3. 2019–2024’.

36 Government of Canada, ‘Government of Canada, Cyber 49 Since a UN General Assembly resolution in 2004, a UN Group

Security Event Management Plan (GC CSEMP) 2019’. of Governmental Experts (GGE) has convened for two-year

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 45


terms to address international-security aspects of cyberspace. Department of National Defence] at 8:45 a.m., National
It was known as the GGE on ‘Developments in the Field Defence Committee on Jan. 30th, 2018’, https://openparliament.
of Information and Telecommunications in the Context of ca/committees/national-defence/42-1/77/len-bastien-1.
International Security’ until 2018, when it was renamed the GGE 55 Communications Security Establishment, ‘Canada and Allies

on ‘Advancing Responsible State Behaviour in Cyberspace in the Identify China as Responsible for Cyber-Compromise’, 20

Context of International Security’. In cyberspace-policy circles it December 2018, https://cse-cst.gc.ca/en/media/media-2018-12-20.

is common to refer to it simply as ‘the GGE’. See UN Office for 56 Ibid., p. 7.

Disarmament Affairs, ‘Developments in the field of information 57 Commodore Richard Feltham (Director General, Cyberspace,

and telecommunications in the context of international security’, Department of National Defence) statement at the National

https://www.un.org/disarmament/ict-security. Defence Committee, 30 January 2018; and Canadian Armed

50 Reiskind, ‘Canada’s Cyber Security: A Discussion with Public Forces, ‘Strong, Secure, Engaged: Canada’s Defence Policy’,

Safety Canada’. p. 72.

51 Chart of signatures and ratifications of Treaty 185, Council of 58 Cormac Mac Sweeney, ‘Canada’s Military Will Soon Be Able

Europe, 2019, https://www.coe.int/en/web/conventions/full-list/-/ to Disrupt ISIS: Defence Minister’, News 1130, 8 June 2017,

conventions/treaty/185/signatures?p_auth=zrS8ISMY. https://www.citynews1130.com/2017/06/08/canadas-military-

52 Stephanie Carvin, ‘Canada and Cyber Governance: Mitigating will-soon-able-disrupt-isis-defence-minister.

Threats and Building Trust’, in Governing Cyberspace during a 59 Howard Yu, ‘Decentralized Cyber Forces: Cyber Functions at

Crisis in Trust, Centre for International Governance Innovation, the Operational and Tactical Levels’, Canadian Forces College,

2019, p. 93, https://www.cigionline.org/sites/default/files/ 2018, https://www.cfc.forces.gc.ca/259/290/405/305/yu.pdf.

documents/Cyber%20Series%20Web2.pdf. 60 Government of Canada, ‘Future Force Design’, 17 April 2019,

53 NATO Association Canada, ‘In Pursuit of Total and https://www.canada.ca/en/department-national-defence/

Unbreachable Protection of Cyberspace, Part I: Canada, corporate/reports-publications/departmental-plans/departmental-

a Leader in Cyber Defence’, 2018, http://natoassociation. plan-2019-20-index/planned-results/future-force-design.html.

ca/in-pursuit-of-total-and-unbreachable-protection-of- 61 Government of Canada, ‘Order Fixing August 1, 2019 as the

cyberspace-part-i-canada-a-leader-in-cyber-defence. Day on which Part 3 of that Act Comes into Force: SI/2019-70’,

54 ‘Statement by Len Bastien [Defence Chief Information Officer Canada Gazette, Part II, vol. 153, no. 15, http://www.gazette.

and Assistant Deputy Minister, Information Management, gc.ca/rp-pr/p2/2019/2019-07-24/html/si-tr70-eng.html.

46 The International Institute for Strategic Studies


4. Australia

Australia’s cyber-security strategies have concen- more mature cyber capabilities than its modest
trated on national security, commercial cyber secu- defence and intelligence budgets might suggest. It
rity, the industrial base for sovereign capability, is active in global diplomacy for cyber norms and
workforce development and good international cyber capacity-building. In 2016 it acknowledged for
citizenship. The Australian Signals Directorate, the the first time that it possessed offensive cyber capa-
country’s principal cyber-related agency, remains bilities – examples of their use against the Islamic
the most influential in national policymaking. The State (also known as ISIS or ISIL) were subsequently
country is still developing its military cyber strat- put into the public domain. Australia has actively
egies and policies after setting up an Information supported the United States-led Cyber Deterrence
Warfare Division in 2017. Australia can boast some Initiative, which aims to use cyber means to coun-
research and industry credentials in the field of ter the malign cyber activity of other states. For
information and communications technology and Australia to become a more effective cyber power, it
cyber security, but these are growing from a low will need to make dramatically greater investments
base. In part because of its 70-year membership of in cyber-related tertiary education and carve out a
the Five Eyes intelligence alliance, Australia has more viable sovereign cyber capability.

Strategy and doctrine


Australia’s first Cyber Security Strategy, released in identity protection, expanding and upskilling the cyber
2009,1 was the result of a review of ‘e-security’ the pre- workforce, and enhancing international collaboration.
vious year. It had two main initiatives: to create an offi- It did not propose significant new investments in sup-
cial national Computer Emergency Response Team to port of its rhetorical commitments, except in the area of
complement or supersede the one that had been operat- national security.
ing since 1994, which was based in a university;2 and to In April 2016 the government launched a new Cyber
establish a national Cyber Security Operations Centre. Security Strategy.3 Subtitled ‘Enabling Innovation,
But the document consisted largely of rhetorical poli- Growth and Prosperity’, the plan was as much about
cies – laudable intentions around topics such as shared better exploiting the economic opportunities of the
governmental and private-sector responsibility, facing information age as it was about security. The security-
the increasing threats, protecting Australian values, related themes were familiar from the existing strategy

List of acronyms
ACSC Australian Cyber Security Centre DSCC Defence Signals Intelligence and Cyber Command
ADF Australian Defence Force ICT information and communications technology
ASD Australian Signals Directorate IWD Information Warfare Division
ASIO Australian Security Intelligence Organisation

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 47


documents of other countries, such as the United States, higher levels of military integration, inter-operability
the United Kingdom and France: detect, deter and and intelligence-sharing.7 This included cyber policy and
respond to threats in cyberspace, including through operations. Cyber threats were identified as one of six
better anticipation of risks.4 However, in comparison key drivers of Australian military strategy.8 The govern-
with previous strategies, the tone was more urgent. The ment assessed that the US would remain the pre-eminent
document included a large number of new approaches global military power over the next two decades, in large
to security, particularly around information-sharing part because of its scientific and industrial capability.
between government and the private sector. It also The military also saw organisational reform on cyber
acknowledged for the first time the government’s use of that occurred in tandem with the shake-up of the civil
offensive cyber capabilities to deter or respond to mali- sector. On 30 June 2017, the Australian Defence Force
cious cyber attacks. (ADF) established a new Information Warfare Division
Within 18 months, however, the planning processes for (IWD), commanded at two-star level, which was subor-
cyber strategy in the civilian sector were thrown into tem- dinate to a new Joint Capabilities Group, commanded
porary disarray by major structural reforms that included at three-star level (equivalent in rank in Australia to the
changes to the status of the Australian Signals Directorate, chiefs of the single services).
the Australian Security Intelligence Organisation, the One practical implication of the reforms was that new
Australian Cyber Security Centre and the Attorney operational concepts and doctrines needed to be ironed
General’s Department in order to carry through the crea- out. This had less of an impact in the civil agencies but
tion of a new Department of Home Affairs, established even there the changes were significant. In 2018 the
formally in December 2017. It was government abandoned its commit-
modelled closely on the UK’s Home ment to an annual update of the 2016
Office but inspired also by the United
In 2020 Australia cyber-security strategy and decided
States’ creation of its Department of released an even it was no longer fit for purpose. The
Homeland Security in 2002. more ambitious policy environment had changed
In 2020 Australia released an significantly with the escalation of
even more ambitious Cyber Security
Cyber Security threats in cyberspace, including the
Strategy, with notably higher levels of Strategy increasing use of the information
funding and reflecting an even greater domain by Russia and China for
sense of urgency.5 It adopted a much sharper tone around political interference, most notably by the Russians in
the threats from other countries (which were not named, the run-up to the 2016 US presidential election.
even though the government had been vocal about ban- Australia issued a Defence Strategic Update9 and a
ning Huawei from national systems since at least 2012) Force Structure Plan10 in July 2020, followed in August
and highlighted the risks associated with rapidly chang- by the new Cyber Security Strategy. All three docu-
ing technologies and even higher levels of connectivity. ments demonstrate heightened concern about threats
It was clear from this new document that cyber security in cyberspace, continuing commitment to previously
had moved to the centre stage of Australian government announced reforms, and some acceleration of the pace
thinking about national security. of reforms and spending commitments. In the defence
The transition between the 2016 and 2020 cyber- context, Prime Minister Scott Morrison saw new cyber-
security strategies was also evident in the domain of strike capabilities as an important part of a stiffened
defence policy. The 2016 Defence White Paper made posture of credible deterrence.11 For the first time in
large-scale provision for the expansion of cyber and intel- such military-policy documents, there was a greater
ligence capabilities as part of a new strategic orientation and more urgent emphasis on strengthening informa-
around war in the information domain.6 It repeated one tion and cyber capabilities than on the traditional cat-
of the fundamental planks of Australian security policy: egories of land, sea and air. The two defence documents
deepening partnership with the US, especially through together represent a distinct evolution towards the

48 The International Institute for Strategic Studies


view that ‘information underpins all effective military and cyber personnel working within ASD together in a
operations’,12 even though the government and the ADF more refined command structure’.15
continue to shy away from the concept of information The DSCC provides a means of unifying ASD’s pri-
dominance as used by the US. A new ADF military doc- mary responsibility for offensive cyber operations with
trine for cyberspace operations was also issued in 2020 the clearly competing need for the ADF to share control
but remains classified. It is understood to be essentially of that command function. The IWD is not the com-
an Australian version of the US doctrine on cyberspace mand authority within the ADF for those operations,
operations, with some changes of emphasis reflecting since that falls to ASD. The IWD has a role similar to the
the country’s quite different circumstances. ‘raise, train and sustain’ functions of the chiefs of ser-
vice, who defer to combatant commanders for control
Governance, command and control of operations.16
Major decisions on security policy are made by the ASD retains the lead role in civil-sector cyberspace
National Security Committee of Cabinet, with the prime policy, in large part through its subordinate agency,
minister acting as de facto commander-in-chief of the the Australian Cyber Security Centre (ACSC) which
armed forces and ultimate authority for all government manages domestic affairs in this field. In that role, the
decisions. This operates in parallel with a system of ACSC and ASD report to the home affairs minister,
ministerial responsibility (including for the intelligence even though ASD is accountable more directly to the
agencies) and statutory responsibility for the Chief of prime minister and the minister for defence. ASD works
the Defence Force in military matters. The National with the Australian Security Intelligence Organisation
Security Committee of Cabinet sets broad policy, such (ASIO) on joint cyber operations inside Australia.
as approval of new strategies, and the operational
priorities of the agencies. The Expenditure Review Core cyber-intelligence capabilities
Committee of Cabinet approves funding plans, some- ASD provides the bulk of the country’s core cyber-
times merely endorsing those made by the other com- intelligence capabilities, which are closely combined
mittees because of some overlap in membership. with its cyber-security and cyber-warfare functions.
The main cyber-related intelligence agency, the It has strong regional cyber expertise, with a focus on
Australian Signals Directorate (ASD), reports directly Southeast and East Asia, particularly Indonesia and
to the minister for defence, who authorises operations China. ASD’s wider intelligence reach is not so strong
and sets the standards for protecting the privacy of citi- but is significantly enhanced through membership of
zens.13 While therefore under civilian political control, the Five Eyes alliance.
there is also a de facto line of authority flowing from ASD is part of a mature national intelligence com-
the Chief of the Defence Force, given that ASD includes munity and works in close partnership with the domes-
a large number of military personnel. The personnel tic security agency, ASIO, and the external agency, the
strength of ASD is not revealed publicly. Australian Secret Intelligence Service, which specialises
Within the ADF, the IWD has continued to evolve. in overseas human intelligence collection and covert
When it was created in mid-2017, the IWD’s most operations. Drawing on the example of the US, Australia
important element was the Joint Cyber Unit, projected created the post of Director of National Intelligence in
to acquire about 1,000 personnel within a ten-year 2018, to give the government a single source of author-
time frame. The ADF announced in January 2018 that ity for coordination of the analytical and collection
the Joint Cyber Unit and a newly created Joint SIGINT work of all the intelligence agencies, as well as oversight
Unit, alongside civilian teams from ASD, would oper- of covert activity.
ate under a new structure within the IWD, the Defence
Signals Intelligence and Cyber Command (DSCC), Cyber empowerment and dependence
headed by a one-star officer who had previously led Australia is among the world’s leading countries in terms
teams in ASD.14 The aim was to bring ‘all ADF SIGINT of average internet usage, per capita mobile-broadband

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 49


subscriptions and the proportion of companies that are In 2018 the government set up the National Space
engaged in e-commerce.17 However, it falls outside the Agency to help reverse the country’s near-total
top ten in many other indicators of innovation, competi- dependence on foreign-owned satellites. It is funded
tiveness and cyber security. at a modest level – A$9.8 million (US$6.8m) in 2019–20
Since the turn of the century, Australia’s digital – and operates 13 satellites.25 In October 2019 the coun-
economy has mostly stood still in relative terms – for try joined a small space force with Canada, France,
example, its information industries’ share of total global Germany, the UK and the US.
value added hardly increased between 2006 and 2016.18 Overall, Australia has a modest capability to assess
There is a mismatch between its innovation inputs the security implications of imported technologies,
(knowledge, research and investment), in which it with the best capabilities concentrated largely in gov-
ranked 13th in the world in 2020, and its innovation out- ernment and in several larger corporations. The coun-
puts, in which it ranked only 31st (with a particularly try contributes significantly to collaborative research
low position, 40th, in the specific area of knowledge both in the commercial and open-source scientific sec-
outputs).19 According to the same analysis, the country tors, and in classified work with its closest intelligence
ranks among the world’s top ten in terms of the exper- and military allies.
tise of its institutions and scientists, and access to ven-
ture capital, but performs much less well when it comes Cyber security and resilience
to the commercialisation of scientific knowledge. Successive Australian governments have made important
This mismatch is reflected in the approach to arti- efforts to improve national cyber security and the resil-
ficial intelligence (AI). For example, Australia was in ience of the country’s critical infrastructure.26 An educa-
11th position in a 2020 ranking of countries accord- tion campaign was launched in 2011 around the ‘top four’
ing to the number of top-cited AI research papers they threats to cyber security,27 based on a list of mitigation
produced,20 yet it lacks the industrial capability to fully strategies advocated by ASD. The four became an ‘essen-
exploit this research in economic tial eight’ mitigation strategies in 2017,
terms. A 2019 report commissioned and ASD’s full list of 35 strategies was
by the government estimated that by
Since the turn augmented to 38. The programme has
2030 the country will need to train at of the century, been emulated in the UK and Canada.
least 32,000 and perhaps as many as
Australia’s digital By 2020 the government had signifi-
161,000 workers as AI specialists if it cantly improved its cyber-security
is to realise the economic potential of
economy has guidance for all sectors.28
its research strengths.21 There have mostly stood still The state of Australia’s national
been efforts to address this issue – in in relative terms cyber security has been well docu-
2019, for example, the government’s mented in numerous government
main scientific research body pub- statements, several of which have
lished an AI road map and issued a call for public sub- found significant weaknesses in the government’s
missions on AI policy – but these initiatives will take own practices. The Australian National Audit Office
many years to bear fruit.22 has identified considerable recalcitrance on the part of
Australia boasts an increasing number of successes government agencies when it comes to upgrading their
in the ICT sector, including in fields such as quantum cyber security – for example, its 2018 audit of three gov-
computing, but research is often funded by US gov- ernment agencies revealed that only one was compliant
ernment agencies or US venture capital.23 That said, with the ASD top four, which were not even a particu-
the Department of Defence maintains a vigorous and larly rigorous set of standards,29 and in 2019 it found
highly regarded Defence Science and Technology that the Australian postal service had not been able
Group, which has an active research and development to manage cyber-security risks effectively.30 In 2020, a
(R&D) programme in cyberspace technologies.24 parliamentary committee called for more reviews of

50 The International Institute for Strategic Studies


cyber security in government departments because of in 2019 that the skills shortage was more severe than
a continuing shortfall in compliance.31 Nevertheless, initially imagined.39 By 2020 the government had real-
Australia was ranked tenth out of 175 in the 2018 Global ised that a cyber-security workforce of the necessary
Cybersecurity Index compiled by the International size would not be created without immigration, so it
Telecommunication Union (ITU).32 has introduced radical new visa programmes to entice
In 2016 the government created a cyber-security workers from abroad into the field.40 But Australian
‘growth centre’ to drive better national performance and universities’ response to the new opportunities and
reduce the levels of dependence on imported ICT equip- demand for cyber-security education could not match
ment and foreign workers.33 Now the government’s ambition, particu-
called AustCyber, it provides regular Many in larly since the government was not
updates on the global competitive- prepared to invest sufficient funds.
ness of the country’s cyber-security
the policy The 2020 Cyber Security Strategy
sector.34 Its 2019 update, which was community invested more heavily in workforce
notably sober in tone, reported that see Israel as an development, education and commu-
‘Australian demand and employment nity initiatives, providing A$50m
is dominated by outsourced cyber
exemplar of what (US$35m),41 but this is unlikely to give
security services, and more than three- Australia could universities much incentive because
quarters of this market is controlled achieve the government prefers community-
by foreign companies’, even though and business-based solutions.
these operated mostly ‘from local bases and employ- Australia has moved towards a more coherent pol-
ing Australians’.35 Such shortcomings are not surprising icy and legislative framework for cyber security and
given that most members of the G20 – including China, resilience, but the changes need to be reflected in bet-
France, Germany, Japan, Russia and the UK – also rely ter governmental coordination and more consistent use
very heavily on foreign-made ICT. The document also of standardised tools. The country has not yet made
assessed that ‘several hurdles are making it difficult adequate investments to defend against the most seri-
for Australia to fully harness existing advantages and ous potential threats.42 Its providers of critical national
develop a sizeable worldclass cyber security sector’. infrastructure appear not to have a sufficient under-
The 2019 AustCyber update concluded that Australia standing of the risks and the situation is aggravated by
needed to address its skills shortage in the cyber-security a shortage of personnel with the relevant skills, includ-
sector, do better at R&D, improve the business environ- ing at board level.43 However, such issues are common
ment for start-ups, improve access to global markets, and to all the countries studied in this report.
develop credible metrics to assess the development of the
sector and its economic impacts on the broader econo- Global leadership in cyberspace affairs
my.36 To make those steps a reality, the report urged the Australia has taken an active role in the management of
creation of a more advanced and resilient cyber-security cyberspace issues within the framework of several inter-
mindset. If such changes are made, many in the policy national organisations, including the United Nations,
community see Israel as an exemplar of what Australia ITU, Association of Southeast Asian Nations (ASEAN)
could achieve. and Asia-Pacific Economic Cooperation group. A prime
The 2016 cyber-security strategy did not have sufficient example was its role as co-chair of a working group on
funding to properly address the problems it identified.37 cyber security in the ASEAN Plus framework. It has
One area that needed more attention was digital literacy, always cooperated closely with its allies in this regard,
especially in tertiary (post-secondary) education – the based on the principle laid out in its 2016 Defence White
strategy promised only A$3.5m (US$2.7m) over four Paper that, despite having no shortage of resources,
years for its main initiative in that area, a programme it could only deliver national security effectively by
for academic centres of excellence.38 AustCyber reported working with partners.44 In 2017, following the example

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 51


of other countries such as the US and China, Australia excluded all Chinese companies.49 It has not had simi-
published an International Cyber Engagement Strategy lar success with Papua New Guinea, which is reliant
addressing all diplomatic aspects of cyberspace manage- on Australian aid but determined to resist pressure to
ment, including cyber crime, digital trade, cyber security, abandon Huawei.50
human rights, privacy and international security.45 The The country conducts bilateral and multilateral dia-
most innovative part of the strategy was the emerging logues on cyberspace affairs, including with Canada,
commitment, shared with its closest allies, to undertake China, India, Indonesia, Japan, New Zealand, South
active defence in cyberspace, involving the setting of Korea, the UK and the US. The US–Japan–Australia tri-
expectations for state behaviour, practical confidence- lateral dialogue is particularly important as a way for
building measures and responding to unacceptable Canberra to signal its positions on internet freedom and
behaviour by states.46 Australia has also participated in malign behaviour by states.
the UN Group of Governmental Experts on cyberspace
security, including by chairing it from 2013–15.47 Offensive cyber capability
Australia has been implementing a modest programme In 2016 Australia officially avowed that it possessed an
of capacity-building for cyber security in Southeast Asia offensive cyber capability and had used it against the
and the South Pacific since 2016. This has probably Islamic State (also known as ISIS or ISIL).51 The head of
achieved the greatest impact in partnership with other ASD confirmed in 2019 that those operations had been
donor governments, rather than in the projects delivered conducted jointly with coalition partners and that the
solely by Australian providers, but the effectiveness of Australian dimension, under the direction of the ADF’s
some aspects of the programme is open to question. It is Chief of Joint Operations, involved both the degrad-
arguably unrealistic to aim to build cyber-security capac- ing of Islamic State battlefield communications and an
ity in states with very low levels of economic develop- online influence operation.52 He added that the coun-
ment in the ICT sector, scarce resources for education try’s capabilities would also be directed at ‘organised
and only very few officials in cyberspace-related roles. offshore cyber criminals’.53 Australia has also provided
Countries as poor as Cambodia or Laos, or the micro- support to the US Cyber Deterrence Initiative, which
states of the South Pacific, are less likely to profit from involves public attribution of foreign attacks and
such projects than Indonesia or Vietnam. engagement in cyberspace to disrupt them. Australian
The country has aligned more closely than most offensive cyber operations are conducted in accordance
other US allies with Washington’s move to exclude the with the country’s understanding of international law
Chinese company Huawei from national 5G networks, and are closely scrutinised by a growing number of
and was in the vanguard of international lobbying to government lawyers specialising in the field.
that effect.48 In August 2018 it became the first Five In its five-year corporate plan published in 2019,
Eyes member to advise its telecoms operators to avoid ASD reiterated its mission on offensive cyber opera-
purchasing 5G equipment or services from Huawei. tions, linking it to domestic requirements (countering
This not only soured relations with China but also put cyber crime) as well as to warfighting needs.54 The plan
Australia at odds with the UK and Canada on the issue aimed to build a world-class offensive cyber capability55
for almost two years. The extent to which the deci- while emphasising that ASD’s ability to conduct opera-
sion was the outcome of broader geopolitical concerns, tions would be underpinned by its close international
rather than specific technical issues, remains unclear. partnerships.56
Australia has been opposed to China’s increasing Overall, Australia has effective offensive cyber capa-
investment in the ICT sectors of regional countries, bilities. Its close partnership and joint operations with
especially in the South Pacific – a position demonstrated the US and the UK secure its place in the front rank of
most strikingly in 2018 when it successfully pressured states in terms of offensive cyber, while its membership
the Solomon Islands to abandon a deal with Huawei for of the Five Eyes alliance provides it with the enhanced
an undersea cable to Australia in favour of a deal that intelligence and situational awareness needed for

52 The International Institute for Strategic Studies


top-end operations. At the same time, in terms of well be the limited extent of its national skills base and
resources and available personnel, Australia does not pipeline. ASD official documents regularly allude to this
match the capabilities of its senior allies. challenge, and many of its public statements, including
In common with all other states, the biggest con- revelations of offensive cyber operations, are accompa-
straint on Australia’s offensive cyber capability may nied by recruitment appeals.

Notes

1 Australian Government, Attorney-General’s Department, 13 Australian Government, Australian Signals Directorate,

‘Cyber Security Strategy’, Canberra, November 2009, https:// ‘Accountability’, https://www.asd.gov.au/accountability.

www.enisa.europa.eu/topics/national-cyber-security- 14 Australian Government, Department of Defence, ‘Defence

strategies/ncss-map/AGCyberSecurityStrategyforwebsite.pdf. Chief Announces New Command’, Canberra, 30 January

2 See Gary Waters, ‘National Cyber Emergency Policy for 2018, https://news.defence.gov.au/media/media-releases/

Australia: Critical Infrastructure’, in Greg Austin (ed.), National defence-chief-announces-new-command.

Cyber Emergencies: The Return to Civil Defence (Abingdon: 15 Ibid.

Routledge, 2020), pp. 93–105. 16 This is explained by IWD as follows: ‘IWD is developing the

3 Australian Government, Department of the Prime Minister information warfare capabilities for the ADF to employ in all its

and Cabinet, ‘Australia’s Cyber Security Strategy: Enabling activities, such as protecting its networks and missions systems,

Innovation, Growth and Prosperity’, Canberra, 2016, https:// conducting exercises and training events, supporting the

www.homeaffairs.gov.au/cyber-security-subsite/files/PMC- community and our region in disaster relief, stability and security

Cyber-Strategy.pdf. operations through to full conflict and war. The capabilities

4 Ibid., p. 6. IWD develops are put into operation by the ADF. Chief of Joint

5 Australian Government, Department of Home Affairs, Operations [sic] is responsible for how the capabilities are used

‘Australia’s Cyber Security Strategy’, Canberra, August 2020, to meet the directions of the Australian Government.’

https://www.homeaffairs.gov.au/cyber-security-subsite/files/ 17 See International Telecommunication Union, ‘Statistics’, https://

cyber-security-strategy-2020.pdf. www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx; and

6 Australian Government, Department of Defence, ‘2016 Defence Organisation for Economic Co-operation and Development
White Paper’, Canberra, 2016, https://www.defence.gov.au/ (OECD), ‘Measuring the Digital Transformation: A roadmap

WhitePaper/Docs/2016-Defence-White-Paper.pdf. for the future’, 11 March 2019, pp. 54, 101, 121, https://www.

7 Ibid., p. 35. oecd.org/publications/measuring-the-digital-transformation-

8 Ibid., p. 41. 9789264311992-en.htm.

9 Australian Government, Department of Defence, ‘2020 Defence 18 OECD, ‘Measuring the Digital Transformation: A roadmap for

Strategic Update’, Canberra, July 2020, https://www.defence. the future’, p. 71.

gov.au/StrategicUpdate-2020/docs/2020_Defence_Strategic_ 19 SC Johnson College of Business Cornell University, INSEAD and

Update.pdf. the World Intellectual Property Organisation, Global Innovation

10 Australian Government, Department of Defence, ‘2020 Force Index 2020: Who Will Finance Innovation?, 2020, pp. xxxiv, xxxvi,

Structure Plan’, Canberra, July 2020, https://www.defence.gov. 15, https://www.globalinnovationindex.org/Home.

au/StrategicUpdate-2020/docs/2020_Force_Structure_Plan.pdf. 20 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United

11 Australian Government, Prime Minister of Australia, States Stay Ahead of China?’, 21 December 2020, https://

‘Address – Launch of the 2020 Defence Strategic Update’, chuvpilo.medium.com/ai-research-rankings-2020-can-the-

Canberra, 1 July 2020, https://www.pm.gov.au/media/ united-states-stay-ahead-of-china-61cf14b1216.

address-launch-2020-defence-strategic-update. 21 Australian Government, ‘Artificial Intelligence: Solving

12 Ibid., p. 36. problems, growing the economy and improving our

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 53


quality of life’, 2019, p. iv, https://data61.csiro.au/~/media/ 30 Australian National Audit Office, ‘Cyber Resilience

D61/AI-Roadmap-assets/19-00346_DATA61_REPORT_ of Government Business Enterprises and Corporate

AI-Roadmap_WEB_191111.pdf?la=en&hash=58386288921D9C Commonwealth Entities’, Auditor General Report, no. 1

21EC8C4861CDFD863F1FBCD457. of 2019–20, 4 July 2019, https://www.anao.gov.au/work/

22 For an overview of Australian AI policy, see the OECD AI performance-audit/cyber-resilience-government-business-

Observatory, https://oecd.ai/dashboards/countries/Australia. enterprises-and-corporate-commonwealth-entities.

23 See, for example, the case of quantum computing at the 31 Joint Committee on Public Audit and Accounts, ‘Report

University of Sydney, as reported in ‘Global VC Bets on 485 Cyber Resilience’, December 2020, https://www.

Australian Quantum Computing Start-Up Q-Ctrl in Us$15m aph.gov.au/Parliamentary_Business/Committees/Joint/

Series A’, Quantaneo, 10 September 2019, https://www. Public_Accounts_and_Audit/CyberResilience2019-20/Report.

quantaneo.com/Global-VC-bets-on-Australian-quantum- 32 International Telecommunication Union, ‘Global Cybersecurity

computing-start-up-Q-CTRL-in-US15m-Series-A_a205. Index 2018’, p. 58, https://www.itu.int/dms_pub/itu-d/opb/str/

html; and IARPA, ‘US investing in quantum tech at Sydney D-STR-GCI.01-2018-PDF-E.pdf.

University’, Technology Decisions, 9 May 2016, https://www. 33 The goals of the growth-centres initiative in the designated

technologydecisions.com.au/content/it-management/article/ sector are to increase collaboration and commercialisation;

us-investing-in-quantum-tech-at-sydney-uni-672014055. to improve international opportunities and market access;

24 Australian Government, Department of Defence, ‘Defence to enhance management and workforce skills; and to

Science and Technology Group’, https://www.dst.defence.gov. identify opportunities for regulatory reform. See Australian

au/division/cyber-and-electronic-warfare-division. Government, Department of Industry, Science, Energy and

25 Union of Concerned Scientists, ‘UCS Satellite Database’, Resources, ‘Industry Growth Centres’, https://www.industry.

updated 1 January 2021, https://www.ucsusa.org/resources/ gov.au/strategies-for-the-future/industry-growth-centres.

satellite-database. 34 AustCyber, ‘Australia’s Cyber Security Sector Competitiveness

26 See Waters, ‘National Cyber Emergency Policy for Australia: Plan – 2019 Update’, December 2019, https://www.austcyber.com/

Critical Infrastructure’. resource/australias-cyber-security-sector-competitiveness-

27 For a discussion, see Stilgherrian, ‘Australia’s cyber defence plan-2019.

“pretty ordinary” before ASD’s Top Four’, ZDNet, 2 June 2015, 35 Ibid., p. 33.

https://www.zdnet.com/article/australias-cyber-defence- 36 Ibid., p. 10.

pretty-ordinary-before-asds-top-four. 37 Abbey Dorian, ‘Meeting Australia’s Cyber Security Challenge’,

28 See, for example, the Australian Government Information Australian Institute of International Affairs, 17 October 2019,
Security Manual (ISM), which ‘assists in the protection of http://www.internationalaffairs.org.au/australianoutlook/

information that is processed, stored or communicated by meeting-australias-cyber-security-challenge.

organisations’ systems’. Australian Government, Australian 38 Australian Government,  ‘Portfolio budget statements 2016–17:

Signals Directorate, ‘Australian Government Information Budget related paper no. 1.5: Education and Training Portfolio’, pp.

Security Manual’, September 2019, https://www.cyber.gov.au/ 14, 20, https://www.dese.gov.au/download/3174/education-and-

ism; Australian Government, Australian Signals Directorate, training-portfolio-budget-statements-2016-17-full-version/18354/

‘Strategies to Mitigate Cyber Security Incidents’ (which document/pdf.

complements the advice in the ISM), February 2017, https:// 39 AustCyber, ‘Cyber Security Competitiveness Plan – 2019

www.cyber.gov.au/publications/strategies-to-mitigate-cyber- Update’, p. 11.

security-incidents; and Australian Government, Australian 40 It took Australia several years to set its immigration policies

Signals Directorate, ‘The Essential Eight Maturity Model’, 26 in a way that would attract higher numbers of cyber-security

June 2020, https://www.cyber.gov.au/acsc/view-all-content/ professionals. The government started in 2017 with the

publications/essential-eight-maturity-model. overarching Global Talent Employer Sponsored (GTES)

29 Australian National Audit Office, ‘Cyber Resilience’, Auditor programme, which aimed to find talent for ‘highly-skilled

General Report, no. 53 of 2017–18, 28 June 2018, https://www. niche positions’ (without specifying cyber security) that could

anao.gov.au/work/performance-audit/cyber-resilience-2017-18. not be filled by Australians or through other visa programmes

54 The International Institute for Strategic Studies


such as those for short-term and medium-term skilled of Governmental Experts (GGE) has convened for two-year

temporary residents. This was followed in 2018 by a scheme terms to address international-security aspects of cyberspace.

that focused on seven ‘future-focused fields’, including cyber It was known as the GGE on ‘Developments in the Field

security, but employer sponsorship was still required – the of Information and Telecommunications in the Context of

aim was to recruit 5,000 immigrants in the scheme’s first year International Security’ until 2018, when it was renamed the GGE

of operation. In November 2019, the government launched on ‘Advancing Responsible State Behaviour in Cyberspace in the

a new programme for skilled migration that would allow Context of International Security’. In cyberspace-policy circles it

applications from individuals, not just from the sponsoring is common to refer to it simply as ‘the GGE’. See UN Office for

employer. See Greg Austin, ‘Twelve Dilemmas of Reform in Disarmament Affairs, ‘Developments in the field of information

Cyber Security Education’, in Greg Austin (ed.), Cyber Security and telecommunications in the context of international security’,

Education: Principles and Policies (Abingdon: Routledge, 2020), https://www.un.org/disarmament/ict-security.

pp. 208–21. 48 See ‘Australia, Huawei and 5G’, IISS Strategic Comments, vol.

41 Australian Government, Department of Home Affairs, 25, no. 28, October 2019, https://www.iiss.org/publications/

‘Australia’s Cyber Security Strategy 2020’, p. 42. strategic-comments/2019/australia-huawei-and-5g.

42 ‘Australia Needs Civil Defence against the Cyber Storm: Policy 49 Rosie Perper, ‘Australia snubbed Huawei and completed

Report’, Research Group on Cyber War and Peace UNSW, its undersea cable project to bring high-speed internet to

University of New South Wales Canberra, 31 March 2019, p. Pacific Islands’, Business Insider, 28 August 2019, https://

3, https://www.unsw.adfa.edu.au/unsw-canberra-cyber/sites/ www.businessinsider.com.au/australia-snubs-huawei-finishes-

accs/files/uploads/Policy%20Report%20Cyber%20Civil%20 undersea-cables-for-pacific-islands-2019-8?r=US&IR=T.

Defence%2031%20March%202019_1.pdf. 50 Alan Burkitt-Gray, ‘Australia slams Huawei for “security

43 Rajiv Shah, ‘Protecting critical national infrastructure in an era vulnerabilities” in PNG data centre’, Capacity Media, 12

of IT and OT convergence’, Australian Strategic Policy Institute, August 2020, https://www.capacitymedia.com/articles/3826128/

Policy Brief, no. 18/2019, 12 July 2019, https://www.aspi.org.au/ australia-slams-huawei-for-security-vulnerabilities-in-png-

report/protecting-critical-national-infrastructure-era-it-and-ot- data-centre.

convergence. 51 Parliament of Australia, ‘National Security Update on Counter

44 Australian Government, Department of Defence, ‘2016 Terrorism: Address to the House of Representatives, Parliament

Defence White Paper’, Canberra, 2016, p. 45, https://www. House, Canberra’, 23 November 2016, https://parlinfo.aph.gov.

defence.gov.au/WhitePaper/Docs/2016-Defence-White- au/parlInfo/search/display/display.w3p;query=Id:%22media/

Paper.pdf. ‘While Australia is the world’s twelfth largest pressrel/4951827%22.


economy and has sophisticated and growing military 52 Australian Signals Directorate, ‘Director-General ASD speech

capabilities, Australia does not have the capacity to to the Lowy Institute’, 27 March 2019, https://www.asd.gov.au/

unilaterally protect and further our global security interests. publications/speech-lowy-institute-speech.

This means we will be working with our alliance partner the 53 Ibid.

United States, ASEAN countries, the North Atlantic Treaty 54 On warfighting, the plan says: ‘ASD supports Australian

Organisation (NATO), the United Nations and other partners Defence Force (ADF) operations around the globe, including

to achieve our common goals in protecting and promoting a by providing intelligence and offensive cyber capabilities to

stable rules-based global order.’ enable the warfighter and protect ADF personnel and assets’.

45 See Australian Government, Department of Foreign Australian Government, Australian Signals Directorate, ‘ASD

Affairs and Trade, ‘Australia’s International Cyber Corporate Plan 2019–20’, Canberra, 2019, p. 7, https://www.

Engagement Strategy’, October 2017, https://www.dfat. asd.gov.au/sites/default/files/2019-08/ASD_Corporate_Plan_

gov.au/international-relations/themes/cyber-affairs/Pages/ final_12.pdf. The title is a little misleading, however, as the

australias-international-cyber-engagement-strategy. document actually covers the period 2019–23.

46 Ibid., p. 44. 55 Ibid., p. 8.

47 Since a UN General Assembly resolution in 2004, a UN Group 56 Ibid., p. 13.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 55


56 The International Institute for Strategic Studies
5. France

The French government has robust strategies for favours regulation as a means of addressing cyber
security in cyberspace, supported by mature insti- threats, exemplified by new laws on election interfer-
tutions and regular budget infusions. France has a ence and protecting critical national infrastructure.
wide cyber-intelligence reach but keeps its cyber- On the international stage France has promoted mul-
security functions organisationally separate from its tilateralism on cyber issues. Its offensive cyber capa-
intelligence community. In terms of digitisation of its bility is mature but probably lags behind those of the
society and economy, France is not one of the lead- United States and the United Kingdom. Its desire for
ers among the world’s developed countries, though national autonomy on key cyber capabilities denies
its ICT sector has clear strengths. It has shown itself France the potential gain from a more integrated
to be highly capable and innovative on cyber secu- approach with key allies, but as a result it is less
rity, advocating a whole-of-society approach. It also dependent on them.

Strategy and doctrine


Until 2011, France’s approach to issues of cyberspace of the National Cybersecurity Agency (ANSSI)2 under
security was based on a mix of technical security needs, the direction of the Secretariat-General for Defence and
commercial perspectives and military interests. It has National Security (SGDSN).3 The first national cyber-
since moved more decisively towards a model that gives security strategy, published in 2011, after government
precedence to a unified view of national security in cyber- ministries had been targeted in cyber attacks,4 explic-
space. There is a striking contrast between its early strat- itly declared France’s ambition to be a global cyber
egy documents and those that have emerged since 2018. power, if only in a defensive sense. A 2013 defence
The theme of digital security was prominent in a white paper mandated the creation of a national doc-
2008 defence white paper that noted the challenges trine for responding to major cyber threats, consist-
posed by the rapid spread of information and ideas via ing of a coordinated defensive posture mixed with
new technology, including in the political arena.1 This a graduated response.5 Importantly, the 2013 white
was the first time a French public-policy document paper also contained France’s official recognition of
had acknowledged cyber- and information-warfare cyberspace as a military operational domain, two
threats, and expressed determination to counter them. years after the United States had done so and three
This intention was reflected in the creation a year later years before NATO.

List of acronyms
ANSSI National Cybersecurity Agency ICT information and communications technology
CDSN Defence and National Security Council MdA Ministry of the Armed Forces
DGA General Directorate for Armaments SGDSN Secretariat-General for Defence and National Security
DGSE General Directorate for External Security SOC Security Operations Centre

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 57


At that time, France’s security environment was an unlawful use of force.15 It identified three technologies
beginning to change as the result of a series of security essential to national cyber security: detection of attacks,
shocks: the Edward Snowden leaks in 2013; jihadist ter- encryption, and the radio and mobile-telephone network
rorism between 2012 and 2016; and major data breaches for use in a national emergency.16
including the so-called ‘Macron Leaks’ (the leaking of In its very wide scope and urgent tone, the 2018
emails from Emmanuel Macron’s 2017 presidential- review stood out from most of the equivalent documents
election campaign, linked to Russian political interfer- that other countries had published by then. Although it
ence in favour of the National Front candidate, Marine remains the case that France is broadly in line with the
Le Pen).6 These events pushed France to adopt a positions of the US and the United Kingdom – espe-
whole-of-society approach and to give more attention cially on whole-of-society coordination, national indus-
to the threat of political interference, disinformation trial imperatives and skills development – the review
and extremist propaganda in defining its cyber strate- conveyed novel postures on a number of issues. Also
gies and policies. of note, in September 2018 the MdA introduced a pol-
The first strong indication of a major shift in cyber icy for the armed forces to counter disinformation.17
policy came in January 2017, when the Ministry of the This was followed by two further policies in 2019: the
Armed Forces (MdA)7 established a Cyber Defence Ministerial Policy for Defensive Cyber Warfare18 and
Command, known as ComCyber, to coordinate mili- Public Elements for the Military Doctrine for Offensive
tary cyber operations.8 France has had an offensive Cyber Warfare.19 Presented as supporting the country’s
cyber doctrine since then.9 The Strategic Review of strategy of achieving cyberspace superiority, the poli-
Cyber Defence, in February 2018, represented another cies foreshadowed the recruitment of 1,000 new cyber
important turning point, with major institutional personnel and allocated €1.5 billion (US$1.8bn) to the
reforms announced in recognition of the gravity of the armed forces up to 2025.20
threat.10 It clarified the organisation and integration of In 2020 and 2021 the government announced new
cyber operations among government entities, along spending plans that reflected escalating concerns about
with the national and international legal framework cyber threats. The first of these provided a modest €136
surrounding their use.11 Drawing from airspace moni- million (US$161m), directed at better protection of gov-
toring and defence, it established a standing cyber- ernment systems,21 but in February 2021 the cash injec-
security posture for a range of circumstances from tion was €1bn (US$1.2bn), apparently over five years,
peacetime to wartime.12 It also marked a clear evolu- accompanied by what was in effect a new cyber-security
tion away from the passive-defence model of 2008 to strategy.22 Though published only as a 33-page press
one of active defence, including through the develop- kit, it contains radical targets.23 These are broadly in line
ment of offensive cyber capabilities, strategy and doc- with the overall themes of the 2018 Strategic Review of
trine that focused on adversaries’ military systems. Cyber Defence but reveal a new urgency and a greater
The departure point of the 2018 review was the fact emphasis on sovereign capability and economic com-
that, despite considerable efforts, France considered that petitiveness in the ICT sector. In the cyber-security sec-
it was lagging behind the other four permanent mem- tor, one goal is to double the workforce from 37,000 to
bers of the United Nations Security Council in terms of 75,000 over five years.24
cyber defences.13 The document stated that France would France maintains a clear separation between defen-
commit itself to analysing cyber threats with appropri- sive and offensive cyber operations. This means that
ate thoroughness and in sufficient detail.14 It laid out new ANSSI, the leading cyber-security agency, is dedicated
objectives for promoting stability in cyberspace, includ- exclusively to defensive operations and is not part
ing through disincentives for those who might attack of the intelligence community, unlike the National
French targets. It included a new system of classification Security Agency (NSA) in the US or Government
for cyber attacks, suggesting that the highest level would Communications Headquarters (GCHQ) in the UK.
probably justify classification under the UN Charter as This distinction is important for some in France, based

58 The International Institute for Strategic Studies


on an assumption that the purposes and remit of an Information Systems Security32 conducts penetration
intelligence agency, not least its disposition towards testing and security audits on military systems. The
secrecy, can interfere with some of the purposes and deployable branch of ComCyber is the 807th Signals
practices needed for civil-sector cyber security, includ- Company, based in Rennes, whose mission in opera-
ing the need for greater transparency around cyber tions is to secure communications and weapons sys-
breaches. tems. ComCyber had 3,400 personnel in late 2019 and
plans to reach 4,500 by 2025.33
Governance, command and control As with other leading cyber powers, the efficiency
The course France takes on cyber issues is set by the pres- of the command arrangements for French cyber opera-
ident, with the assistance of two bodies set up in 2018. tions is facilitated by high-quality technical systems,
Political decisions around the formulation of cyber- strong consensus within the relevant agencies, and
defence policy are the responsibility of the Defence and political leadership that understands the value of
National Security Council (CDSN),25 in which ANSSI is cyber capabilities for a variety of missions.
represented by the head of the SGDSN and ComCyber
is represented by the Chief of the General Staff. Another Core cyber-intelligence capability
body, the Cyber Defence Executive Committee, under The focal point for the production of cyber intelli-
the authority of the president, is tasked with high- gence in France is the General Directorate for External
level implementation of the decisions taken by the Security (DGSE).34 But, as in the Five Eyes countries, all
CDSN. The responsibility of the Cyber Defence Steering the French intelligence agencies have cyber capabilities
Committee, under the SGDSN, is to report once a year and, in accordance with their specific areas of compe-
to the prime minister on the implementation of national tence, cyber responsibilities. Other key agencies in the
cyber-security strategy.26 In practice, premier cercle of the intelligence com-
meaningful decision-making on cyber munity are the Defence Intelligence
security and defence begins in min-
In the cyber- and Security Directorate,35 the
isterial offices and extends up to the security sector, Directorate of Military Intelligence36
prime minister and the president.27 one goal is to and the General Directorate for
The SGDSN then transmits the impe-
tus of political leadership, sets the
double the Internal Security.37
Unlike in the Five Eyes countries,
agenda and ensures the application of workforce from the French cyber model involves, at the
the measures decided.28 37,000 to 75,000 national level, the strict institutional
There are four channels of opera-
over five years separation of offensive from defen-
tional accountability: in the civil sector, sive capabilities, and of core cyber
through ANSSI to the prime minister; intelligence from core cyber security.
in the military, through ComCyber to the Chief of the ComCyber, a military entity, takes the lead in offensive
General Staff; in the intelligence agencies, through the cyber operations, while cyber security is the responsibil-
heads of agency to the relevant ministers; and for mat- ity of ANSSI. Another contrast with the Five Eyes coun-
ters related to cyber crime, through the police, who work tries is that the DGSE is an entity with overall national
with prosecutors and judges.29 responsibility both for signals intelligence and for human
Below the head of ComCyber, each service remains intelligence collection. This means that the development
responsible for its own defensive cyber operations and of national cyber-intelligence capabilities is just part of
operates its own Security Operations Centre (SOC).30 the DGSE’s remit: there is no French agency dedicated
The Centre for the Analysis of Cyber Defence31 is entirely to that role, in the way that the NSA is in the
the MdA’s SOC. It assesses global cyber risk so that US or GCHQ in the UK. While this is just one of a num-
ComCyber can then act and also advise the relevant ber of factors that make direct comparisons problematic,
government officials. The Centre for the Review of the evidence suggests that France’s annual investments

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 59


in core cyber-intelligence capabilities are markedly less digital performers, with FinTech alone having created
than, for example, the UK’s. Whether France’s organisa- 120,000 jobs.44 French companies are highly interna-
tional integration of its human and technical capabilities tionalised: web companies on average generate 39% of
and separation of cyber intelligence from cyber security their turnover in international markets,45 while 52% of
have some practical advantages over the model used by FinTech start-ups operate in more than one country.46
its Five Eyes peers is a subject of much debate. And France is also a major consumer of digital services:
Overall, French cyber-intelligence capabilities seem its companies spend more on information technology
strong on certain geographical regions, such as North and cyber security than their counterparts elsewhere in
Africa, but lack the global reach of the Five Eyes coun- Europe or in the US (and incur the lowest costs when
tries, in particular the US and the UK. Indeed, the French cyber incidents occur).47
intelligence agencies were surprised by the sophistication France’s start-up and innovation environment, which
of the Five Eyes capabilities revealed in has benefited from reforms initiated
the Snowden leaks. However, France’s under President Macron, is dynamic
capabilities are amplified by inter-
The French and expanding. Station F in Paris, for
national intelligence partnerships, intelligence example, is one of the largest start-up
including particularly close ones with agencies were incubators in Europe and includes
some Western European states, includ- cyber-security projects supported by
ing the UK, and with the US, as well
surprised by the Thales Digital Factory and Microsoft.
as intelligence-sharing arrangements sophistication The main areas of expertise among
with some of its former colonies. of the Five Eyes cyber-security start-ups are artificial
Another key contrast with the Five
Eyes countries is the support that
capabilities intelligence (AI), blockchain, privacy
and secure collaborative tools. Almost
French intelligence services provide revealed in the 20% of them are ANSSI-accredited,48
to French industry’s involvement in Snowden leaks which not only certifies the reliability
extensive industrial espionage. One of their products and services but also
former director of the DGSE claims that, during his ten- allows them to supply the government.
ure, it devoted as much as a quarter of its resources to France has considerable strengths in AI research and
such activities.38 Businesses, meanwhile, have an incen- its commercialisation, ranking among the top five EU
tive to collaborate with the intelligence agencies because countries in that respect.49 It ranked fifth in the world in
of the prospect of receiving intelligence in return. The terms of its contributions to the two most prestigious AI
cyber component has apparently become a key part of conferences in 2020.50 The government announced an AI
these industrial-espionage efforts, with targets reportedly strategy in 2018, with key aims including the promotion
including European multinational firms, Iranian organi- of data-sharing between the private and public sectors;
sations and several francophone African countries.39 renewing the four strategic sectors of healthcare, the
environment, transport, and defence and security; and
Cyber empowerment and dependence establishing interdisciplinary AI research hubs with
In terms of the digitisation of society and the economy, links to industry.51 The government planned to provide
France is not one of the leaders among the world’s funding of €1.5bn (US$1.75bn) over five years, until the
developed countries. In 2020 it was ranked 15th out end of 2022.52
of the 28 members of the European Union (which still France’s internet infrastructure is becoming more
included the UK) in the EU’s Digital Economy and resilient through the diversification of its points of pres-
Society Index,40 while the ICT sector accounted for 4% ence, the increased capacity if its interconnections and
of GDP,41 comprised about 110,000 companies42 and sus- its high number of international points of entry. It ranks
tained more than 700,000 jobs.43 In the digital economy fifth in Europe in terms of its number of interconnection
more broadly, the banking sector is one of the strongest points,53 representing about 4% of the worldwide total.54

60 The International Institute for Strategic Studies


As for regional integration, Orange maintains a long- France’s Space Command, its Space Academy, leading
distance optical network (WELDON) connecting the 25 international space companies, and related laboratories
largest French cities to other European metropolitan cen- and research centres).60
tres such as Barcelona, Frankfurt, London and Madrid.55
In terms of network sovereignty, it seems France’s core Cyber security and resilience
networks rely mostly on US-made servers.56 However, France is in many respects the leading country in the EU
the industrial landscape seems sufficiently strong and for cyber-security and resilience planning. In 2020, for
diversified to offer avenues for a ‘nationalisation’ of example, an authoritative report assessed that compa-
France’s core network if that were to become necessary: nies in France devoted a higher proportion of their IT
Thales, Atos-Bull and Orange are all Europe-leading spending to cyber-security measures than in any other
or world-leading companies either in terms of mass or EU country.61 A study of cyber security in companies
secure telecommunications. Legislation passed by the listed in the world’s six leading stock-market indexes
National Assembly in July 2019 means ISPs now need found the companies listed in Paris’s CAC 40 to have
to obtain approval from the government before using the highest levels of maturity.62 Nevertheless, in 2021
foreign hardware.57 As a result, the main French pro- the government revealed its dissatisfaction with private-
viders have turned their backs on Huawei. France is and public-sector responses to cyber-security threats by
second only to the UK as a European landing point for announcing an acceleration programme and appointing
transatlantic cables and is also a hub for those from Asia a national coordinator.63 One of the most serious threats
(through the Red Sea). it identified was a fourfold increase in ransomware
France has a policy of maintaining sovereign capa- attacks during 2020, with local-government services
bilities for its key military hardware (such as sensors, among the most frequent targets.64
command and control, stealth technology and core The branch of government in charge of coordinating
networks). Thales is designing, manufacturing and the security of France’s infrastructure is the SGDSN.
deploying secure networks for the MdA and for the gov- Its responsibilities include implementing govern-
ernment as a whole.58 The armed forces are increasingly ment policies on critical national infrastructure and
relying on information and communications technology choosing the companies responsible for operating it.
for their flagship platforms (next-generation frigates, The Defence Planning Law 2014–19 created regula-
and the Rafale F4 and Scorpion programmes) but hope to tory obligations for those companies, whether public
be able to operate successfully in environments with de- or private, in terms of the security of their networks
graded communications, command and control. and industrial-control systems, their threat-detection
France owns and maintains a wide range of military capabilities and their penetration testing. Government
satellites for the purposes of secure communications, agencies are empowered under domestic law to
imagery and signals intelligence. It has taken a stronger audit and test the companies’ cyber defences65 and to
stance on security aspects of outer space, which it now undertake cyber operations to neutralise the source of
sees as a military domain in its own right, not merely attacks (‘hack back’).66 In 2019 the government signed
the location of supporting infrastructure for terrestrial three-year agreements with eight leading manufactur-
operations. It considers space situational awareness ing companies to improve their cyber security,67 and
to be the first pillar of its strategic autonomy in space. the Financial Markets Authority published new regu-
The MdA is allocating €4.3bn (US$5.1bn) to the mod- lations requiring digital-assets providers to have resil-
ernisation of all its satellites and radars, as well as to ient information systems.68
the passive and active protection of space assets.59 In In an attempt to improve public–private cooperation
February 2021 the government announced the opening on cyber security, the government has announced the
in Toulouse of a NATO Centre of Excellence for space creation of a ‘national cyber-security campus’. Its three
research, intending to exploit what the government main goals will be to double down on public awareness-
claims to be Europe’s largest space ecosystem (home to raising and training; to foster the sharing of skills, tools

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 61


and data among cyber-security actors; and to build up Global leadership in cyberspace affairs
domestic industrial capability for cyber security.69 The On the international stage, France sees its responsi-
head of project is the CEO of Orange Cybersecurity. bilities in the light of its status as one of the five per-
ANSSI is also making progress on public–public coop- manent members of the UN Security Council and its
eration, for example having signed partnerships with leading positions in the EU and NATO. It seeks to
the financial, railway and civil-aviation authorities.70 maintain a form of inclusive multilateralism and to
France’s defensive capabilities are of a high standard. open up debates on cyberspace governance to non-
At the NATO Locked Shields exercise in 2019, the French state actors. Its ‘International Digital Strategy’ places
team came first out of the 23 participating states.71 In great emphasis on promoting an ‘open, diverse and
the 2018 Global Cybersecurity Index compiled by the trusted’ cyberspace, in which it anticipates the EU
International Telecommunication Union, France was can be a key player.81 France aims to promote exist-
ranked third out of 175 countries.72 ing institutional mechanisms in order to ‘limit hack-
France’s defence-procurement agency, the General ing and destabilising activities’ in cyberspace, notably
Directorate for Armaments (DGA),73 has a long-standing through an international initiative, the ‘Paris Call
cyber-security department as part of its information- for Trust and Security in Cyberspace’,82 unveiled in
control (Maîtrise de l’information) branch. Tasked with November 2018. It is also actively involved in the
protecting the information and weapons systems of related UN Group of Governmental Experts83 and has
the armed forces, it provides technical expertise in been influential in the framing of the EU Cybersecurity
threat intelligence, upstream research and crisis sup- Act. In 2019 France joined New Zealand in launch-
port.74 As part of its responsibilities it conducts vul- ing the Christchurch Call to Eliminate Terrorist and
nerability research on the armed forces’ systems,75 Violent Extremist Content Online, having earlier
and since 2015 it has organised cyber war games.76 In called for the creation of an appropriate regulatory
cyber defence, the DGA’s research-and-development framework within the EU.84
priorities are to produce highly resilient information France pursues vigorous cyber diplomacy with key
systems, to find solutions that will ensure the security states on a bilateral level, as well as through mechanisms
of weapons systems and to identify the best uses of AI such as the G7. In 2020, for example, France and Germany
in cyber operations (including offensive operations). A published their third annual ICT security assessment.85
government-supported equity fund dedicated to defence In 2019 the third India–France cyber dialogue was held,86
investments, DefInvest, was set up in 2017 with an initial and France’s presidency of the G7 saw the launch of an
budget of €50m (US$59m) to support small and medium initiative on sharing best practices and lessons learned
enterprises.77 from the implementation of voluntary norms for cyber-
France has established a unit within the SGDSN, space.87 In 2018, in the Organisation for Economic
the Committee against Information Manipulation,78 Co-operation and Development, France initiated the
to address the problem of politically motivated disin- annual Global Forum on Digital Security for Economic
formation.79 There have been at least two cases of sig- Prosperity, aimed at promoting the established French
nificant cyber-enabled foreign interference: the hacking position that the private sector has a significant role to
of TV5Monde in 2016 and the Macron Leaks in 2017. play in the security and stability of cyberspace.88
Specialists confidently attributed both incidents to France has played a leading role in mobilising the EU’s
Russia. Though a new law in 2018 established vari- adoption of sanctions against the perpetrators of cyber
ous mechanisms to prevent the spread of manipulated attacks targeting European and national interests. In 2020
information during election campaigns, it remains to it joined the first EU sanctions against Russia and China
be seen how effective it will be. To raise awareness and in response to their cyber attacks,89 which included a
promote good practices among allies, the MdA worked travel ban and asset freezes on four members of Russia’s
with the Atlantic Council in producing a ‘post-mortem’ military intelligence directorate (GRU) and two Chinese
analysis of the Macron Leaks.80 nationals.90 In its interpretation of international law,

62 The International Institute for Strategic Studies


France adopts a different position from its closest allies to General François Lecointre of the French Army, the
on the right to retaliate against cyber attacks below the country has also conducted cyber operations against
threshold of armed attack, taking the view that it would terrorist groups in the Sahel and the Sahara.96 Although
be legitimate to retaliate against a series of attacks that there is little public evidence of France carrying out
together constitute hostile intent, even if, taken individu- other destructive cyber operations, its record of robust
ally, none of them crosses the threshold.91 retaliatory responses in national-security situations
suggests it is prepared to do so in certain circum-
Offensive cyber capability stances, as its leaders have acknowledged.97 Official
France’s ComCyber has an operational complement of policy concerning offensive cyber operations places
approximately 3,400 personnel (of which around 600 great emphasis on considering and mitigating political,
are reported to be ICT specialists), and aims to have legal and military risks of collateral damage to civil-
4,500 by 2025.92 Its commander, General Didier Tisseyre, ian infrastructure.98 It is therefore unlikely that France
has stated that 40% of the personnel work on offensive would rely on private companies for offensive opera-
operations, a share that is expected to grow in the com- tions, beyond technical support.
ing years.93 Overall, we believe that France has a considerable
Official and unofficial statements, as well as leaked offensive cyber capability. However, as in the closely
forensic reports, have confirmed France’s use of cyber- related area of core cyber-intelligence capabilities, it
space for both disruption94 and espionage.95 According probably lags behind the US and the UK.

Notes

1 Ministère des Armées, ‘Livre blanc: Défense et sécurité nationale’, 9 Ministère des Armées, ‘Éléments publics de doctrine militaire

2008, http://archives.livreblancdefenseetsecurite.gouv.fr/2008/ de lutte informatique offensive’, 2019, p. 4, https://www.

information/les_dossiers_actualites_19/livre_blanc_sur_ defense.gouv.fr/fre/content/download/551497/9393997/

defense_875/livre_blanc_1337/livre_blanc_1340/index.html. El%C3%A9ments%20publics%20de%20doctrine%20

2 Agence nationale de la sécurité des systèmes d’information militaire%20de%20lutte%20informatique%20OFFENSIVE.pdf.

3 Secrétariat général de la défense et de la sécurité nationale It was revealed in this 2019 document that an offensive cyber
4 Agence nationale de la sécurité des systèmes d’information, doctrine had been in place in 2017.

‘Défense et sécurité des systèmes d’information: Stratégie de la 10 Secrétariat Général de la Défense et de la Sécurité Nationale,

France’, 2011, https://www.ssi.gouv.fr/uploads/IMG/pdf/2011- ‘Revue stratégique de cyberdéfense’, 12 February 2018, http://

02-15_Defense_et_securite_des_systemes_d_information_ www.sgdsn.gouv.fr/uploads/2018/02/20180206-np-revue-

strategie_de_la_France.pdf. cyber-public-v3.3-publication.pdf.

5 Ministère des Armées, ‘Livre blanc: Défense et sécurité 11 François Delerue and Aude Gery, ‘France’s Cyberdefense

nationale’, 2013, http://www.livreblancdefenseetsecurite.gouv. Strategic Review and International Law’, Lawfare, 23 March 2018,

fr/pdf/le_livre_blanc_de_la_defense_2013.pdf. https://www.lawfareblog.com/frances-cyberdefense-strategic-

6 Jean-Baptiste Jeangène Vilmer, ‘The “#Macron Leaks” review-and-international-law.

operation: A post-mortem’, Atlantic Council, 20 June 2019, 12 Arthur P. Laudrain, ‘French Cyber Security and Defence: Strategy,

https://www.atlanticcouncil.org/in-depth-research-reports/ Policy-Making and Coordination’, SSRN Working Paper Series,

report/the-macron-leaks-operation-a-post-mortem. v.2.3.3, 2019, p. 20, http://dx.doi.org/10.2139/ssrn.3432338.

7 Ministère des Armées 13 Secrétariat Général de la Défense et de la Sécurité Nationale,

8 Ministère des Armées, ‘Le commandement de la cyberdéfense ‘Révue stratégique de cyberdéfense’, p. 7.

(COMCYBER)’, https://www.defense.gouv.fr/ema/organismes- 14 Ibid., p. 135.

interarmees/le-comcyber/le-comcyber/comcyber. 15 Ibid., p. 80.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 63


16 Ibid., pp. 96–100. September 2019, https://twitter.com/ComcyberFR/status/117

17 Florence Parly, ‘Déclaration de Mme Florence Parly, ministre 2186486134968322.

des armées, sur la manipulation de l’information’, Vie 34 Direction générale de la sécurité extérieure

publique, 4 September 2018, https://www.vie-publique.fr/ 35 Direction du Renseignement et de la Sécurité de la Défense

discours/206652-declaration-de-mme-florence-parly-ministre- 36 Direction du renseignement militaire

des-armees-sur-la-manipulat. 37 Direction générale de la sécurité intérieure

18 Ministère des Armées, ‘Politique ministérielle de lutte 38 Isabelle Laumonier, ‘Internet sous l’oeil des services de

informatique défensive’, 2019. renseignement’, Memoire Online, c. 2003, https://www.

19 Ministère des Armées, ‘Éléments publics de doctrine militaire memoireonline.com/05/06/155/m_internet-sous-l-oeil-des-

de lutte informatique offensive’, 2019. services-de-renseignement14.html.

20 Ministère des Armées, ‘Communiqué: La France se dote d’une 39 ‘France and economic intelligence’, Tarlogic, 6 November 2019,

doctrine militaire offensive dans le cyberespace et renforce sa https://www.tarlogic.com/en/blog/france-and-economic-

politique de lutte informatique défensive’, 18 January 2018, intelligence.

https://www.defense.gouv.fr/fre/salle-de-presse/communiques/ 40 European Commission, ‘EU Digital Economy and Society

communique_la-france-se-dote-d-une-doctrine-militaire- Index 2020’, https://ec.europa.eu/digital-single-market/en/desi.

offensive-dans-le-cyberespace-et-renforce-sa-politique-de- 41 Eurostat, ‘Percentage of the ICT Sector on GDP’, https://ec.europa.

lutte-informatique-defensive. eu/eurostat/web/products-datasets/-/tin00074.

21 Agence nationale de la sécurité des systèmes d’information, ‘Le 42 Ministry of the Economy and Finance, ‘Numérique: Chiffres

Volet Cybersécurité de France Relance’, September 2020, https:// clés’, 14 March 2019, https://www.entreprises.gouv.fr/

www.ssi.gouv.fr/agence/cybersecurite/le-volet-cybersecurite-de- etudes-et-statistiques/numerique-chiffres-cles.

france-relance. 43 G. De Prato (ed.), The 2018 PREDICT Key Facts Report: An Analysis

22 ‘Un plan à 1 milliard d’euros pour renforcer la cybersécurité’, of ICT R&D in the EU and Beyond, European Commission, JRC

Gouvernement.fr, 18 February 2021, https://www.gouvernement. Technical Report, 2018, https://publications.jrc.ec.europa.eu/

fr/un-plan-a-1-milliard-d-euros-pour-renforcer-la-cybersecurite. repository/bitstream/JRC112019/jrc112019_2018_predict_key_

23 ‘Dossier de presse – Cybersécurité, faire face à la menace: facts_report.pdf.

la stratégie française’, Gouvernement.fr, 18 February 2021, 44 Ministry of the Economy and Finance, ‘La Fintech, le numérique

https://www.gouvernement.fr/sites/default/files/contenu/ au service du secteur financier’, 19 January 2018, https://www.

piece-jointe/2021/02/210218_dp_cyber_vfinale.pdf. economie.gouv.fr/entreprises/fintech-innovation-finance.

24 Ibid., p. 6. 45 ‘La French Tech’, Gouvernement.fr, https://lafrenchtech.com/en.

25 Conseil de defense et de sécurité nationale 46 ‘Baromètre EY - FD’, France Digitale blog, accessed 8 July 2019,

26 Secrétariat Général de la Défense et de la Sécurité Nationale, http://www.francedigitale.org/barometre-ey-fd.

‘Revue stratégique de cyberdéfense’. 47 Hiscox, ‘Hiscox Cyber Readiness Report 2019’, https://www.

27 Laudrain, ‘French Cyber Security and Defence’, p. 24. hiscox.co.uk/sites/uk/files/documents/2019-04/Hiscox_Cyber_


28 Ibid. Readiness_Report_2019.PDF.
29 This was recommended in the ‘Revue stratégique de 48 Ibid.

cyberdéfense’, p. 53, and implemented by 2019. See Institut 49 European Commission, Joint Research Centre, ‘AI Watch:

des hautes études du ministère de l’Intérieur, ‘Organisation TES Analysis of AI Worldwide Ecosystem in 2009–2018’, JRC

de l’État français en gestion de crise cybernétique majeure’, Technical Reports, LU: European Commission, 2020, pp. 30–1,

2019, https://inhesj.fr/articles/organisation-de-letat-francais-en- https://data.europa.eu/doi/10.2760/85212.

gestion-de-crise-cybernetique-majeure. 50 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United

30 Laudrain, ‘French Cyber Security and Defence’, p. 19. States Stay Ahead of China?’, 21 December 2020, https://

31 Centre d’analyse de lutte informatique défensive chuvpilo.medium.com/ai-research-rankings-2020-can-the-

32 Centre d’audit de la sécurité des systèmes d’information united-states-stay-ahead-of-china-61cf14b1216.

33 COMCYBER, ‘GDA Tisseyre: “On est 3400 cybercombattants 51 ‘AI for Humanity’, AI for Humanity, 29 March 2018, https://

et on deviendra 4500 en 2025”’, @ComcyberFR on Twitter, 12 www.aiforhumanity.fr.

64 The International Institute for Strategic Studies


52 Ibid. 64 Ibid., pp. 7–11.

53 Arcep, ‘Baromètre de l’interconnexion de données en France’, 65 ‘Loi N° 2013-1168 Du 18 Décembre 2013 Relative à La

27 June 2019, https://www.arcep.fr/cartes-et-donnees/nos- Programmation Militaire Pour Les Années 2014 à 2019 et Portant

publications-chiffrees/linterconnexion-de-donnees/barometre- Diverses Dispositions Concernant La Défense et La Sécurité

de-linterconnexion-de-donnees-en-france.html. Nationale – Article 22 | Legifrance’, accessed 29 March 2019,

54 Calculations based on data provided by Rowan Klöti et al., ‘A https://www.legifrance.gouv.fr/eli/loi/2013/12/18/2013-1168/jo/

Comparative Look into Public IXP Datasets’, ACM SIGCOMM article_22.

Computer Communication Review, vol. 46, no. 1, 11 January 2016, 66 ‘Code de La Défense – Article L2321-2’, L2321-2 Code de la

pp. 21–9, https://doi.org/10/f8bkst. défense § (2013).

55 Orange, ‘Les Réseaux d’Orange: dossier de presse’, February 67 G20 Research Group, ‘2019 G20 Osaka Summit Interim

2019, https://www.orange.com/sirius/edossiers/pdfs/reseaux- Compliance Report’, p. 223, http://www.g20.utoronto.ca/

orange-2017-fr/dp_reseaux_orange_fr_full.pdf. compliance/2019osaka-interim/08-2019-g20-compliance-

56 France IX, ‘France-IX’s Infrastructure’, https://www.franceix. interim-cyber-resilience.pdf. The companies were Airbus,

net/en/technical/infrastructure. ArianeGroup, Dassault Aviation, MBDA, Naval Group, Nexter,

57 Wei Shi, ‘French parliament passes “Huawei Law” to Safran and Thales.

govern 5G security’, telecoms, 26 July 2019, https://telecoms. 68 Ibid.

com/498728/french-parliament-passes-huawei-law-to- 69 ‘Un campus cybersécurite pour renforcer l’écosystème

govern-5g-security. français’, Gouvernement.fr, accessed 25 July 2019, https://www.

58 ‘Thales Modernise Les Réseaux de Télécommunications Du gouvernement.fr/partage/11104-un-campus-cybersecurite-

Ministère de La Défense’, Thales Group, accessed 9 July 2019, pour-renforcer-l-ecosysteme-francais.

https://www.thalesgroup.com/fr/monde/press-release/thales- 70 Agence nationale de la sécurité des systèmes d’information,

modernise-les-reseaux-de-telecommunications-du-ministere-de- ‘Rapports d’activités’, https://www.ssi.gouv.fr/agence/missions/

la-defense; and ‘Thales Assure La Sécurité de l’accès à Internet rapports-dactivites.

Du Réseau Interministériel de l’État’, Thales Group, accessed 12 71 ‘France Wins Cyber Defence Exercise Locked Shields 2019’,

July 2019, https://www.thalesgroup.com/fr/worldwide/securite/ NATO CCDCOE, 12 April 2019, https://ccdcoe.org/news/2019/

press-release/thales-assure-la-securite-de-lacces-internet-du-reseau. france-wins-cyber-defence-exercise-locked-shields-2019.

59 Arthur Laudrain, ‘France’s “Strategic Autonomy” Takes to 72 International Telecommunication Union, ‘Global Cybersecurity

Space’, International Institute for Strategic Studies, Military Index 2018’, pp. 30, 62, https://www.itu.int/dms_pub/itu-d/

Balance blog, 14 August 2019, https://www.iiss.org/blogs/ opb/str/D-STR-GCI.01-2018-PDF-E.pdf.


military-balance/2019/08/france-space-strategy. 73 Direction générale de l’armement

60 Ministère de l’Europe et des Affaires Étrangères, ‘Defence 74 Ministère des Armées, ‘Livre blanc: Défense et sécurité

– Establishment of the NATO space centre of excellence in nationale’, 2013.

Toulouse – Communiqué issued by the Ministry for the Armed 75 Assemblée nationale, ‘Rapport d’information de Mme

Forces’, 5 February 2021, https://www.diplomatie.gouv.fr/ Alexandra Valetta Ardisson et M. Bastien Lachaud Déposé En

en/french-foreign-policy/security-disarmament-and-non- Application de l’article 145 Du Règlement, Par La Commission

proliferation/news/article/defence-establishment-of-the-nato- de La Défense Nationale et Des Forces Armées, En

space-centre-of-excellence-in-toulouse. Conclusion Des Travaux d’une Mission d’information Sur La

61 European Union Agency for Cybersecurity, ‘NIS Investments Cyberdéfense’, 4 July 2018, http://www2.assemblee-nationale.

Report’, December 2020, p. 7, https://www.enisa.europa.eu/ fr/documents/notice/15/rap-info/i1141/#P439_94811.

publications/nis-investments/at_download/fullReport. 76 ‘La DGA Développe Les Jeux de Cyberguerre à Bruz’,

62 Wavestone, ‘Top Companies Cybersecurity Index: 2020 Annual IntelligenceOnline, 11 March 2015, https://www.

Reports’, https://www.wavestone.com/app/uploads/2020/07/ intelligenceonline.fr/renseignement-d-etat/2015/03/11/la-dga-

Wavestone-Cyberindex-top-companies-2020-EN.pdf. developpe-les-jeux-de-cyberguerre-a-bruz,108065256-bre.

63 ‘Dossier de presse – Cybersécurité, faire face à la menace: la 77 BPI France, ‘Definvest: Fonds d’investissement dédié aux

stratégie française’, Gouvernement.fr, p. 12. entreprises stratégiques de la Défense’, accessed 8 July 2019, https://

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 65


www.bpifrance.fr/Toutes-nos-solutions/Participation-au-capital/ and-non-proliferation/fight-against-organized-criminality/

Fonds-d-investissement-thematiques/Definvest. cyber-security/article/indo-french-bilateral-cyber-dialogue-20-06-19.

78 Comité de lutte contre la manipulation de l’information (CLMI) 87 Ministère de l’Europe et des Affaires Étrangères, ‘G7 French

79 Sénat, ‘Délégation Parlementaire au Renseignement: Rapport presidency – Cyber Norm Initiative: Synthesis of Lessons

d›activité 2019–2020’, 11 June 2020, http://www.senat.fr/rap/r19- Learned and Best Practices’, 26 November 2019, https://

506/r19-50638.html. www.diplomatie.gouv.fr/en/french-foreign-policy/digital-

80 Jeangène Vilmer, ‘The “#Macron Leaks” operation: A diplomacy/news/article/g7-french-presidency-cyber-norm-

post-mortem’. initiative-synthesis-of-lessons-learned-and.

81 Ministère de l’Europe et des Affaires Étrangères, ‘Stratégie 88 Ministère de l’Europe et des Affaires Étrangères, ‘Guaranteeing

internationale de la France pour le numérique’, Paris, 15 December Cybersecurity’, undated, https://www.diplomatie.gouv.fr/en/

2017, https://www.diplomatie.gouv.fr/fr/politique-etrangere-de- french-foreign-policy/digital-diplomacy/france-s-international-

la-france/diplomatie-numerique/la-strategie-internationale-de-la- digital-strategy/article/guaranteeing-cybersecurity.

france-pour-le-numerique/#:~:text=Pr%C3%A9sent%C3%A9e%20 89 Ministère de l’Europe et des Affaires Étrangères, ‘EU – Cyberattacks

par%20le%20ministre%20de,diplomatique%20des%20 – Q&A from the press briefing’, 30 July 2020, https://www.

ann%C3%A9es%20%C3%A0%20venir.&text=Elle%20 diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/

s’articule%20autour%20de,%3A%20gouvernance%2C%20 france-and-cyber-security/article/eu-cyberattacks-q-a-from-the-

%C3%A9conomie%2C%20s%C3%A9curit%C3%A9. press-briefing-30-jul-20.

82 Arthur Laudrain, ‘Avoiding A World War Web: The Paris Call 90 Lorie Maglana and Sunny Man, ‘Europe: EU imposes the first

for Trust and Security in Cyberspace’, Lawfare, 4 December ever sanctions against cyber-attacks’, Global Compliance News,

2018, https://www.lawfareblog.com/avoiding-world-war-web- 21 August 2020, https://globalcompliancenews.com/eu-imposes-

paris-call-trust-and-security-cyberspace. the-first-ever-sanctions-against-cyber-attacks-20200810.

83 Since a UN General Assembly resolution in 2004, a UN Group 91 Ministère des Armées, ‘Droit International Appliqué Aux

of Governmental Experts (GGE) has convened for two-year Opérations Dans Le Cyberespace’, 9 September 2019, https://

terms to address international-security aspects of cyberspace. www.defense.gouv.fr/content/download/565895/9750877/file/

It was known as the GGE on ‘Developments in the Field Droit+internat+appliqu%C3%A9+aux+op%C3%A9rations+

of Information and Telecommunications in the Context of Cyberespace.pdf.

International Security’ until 2018, when it was renamed the GGE 92 Ministère des Armées, ‘Le COMCYBER’, 4 February 2021,

on ‘Advancing Responsible State Behaviour in Cyberspace in the https://www.defense.gouv.fr/ema/organismes-interarmees/

Context of International Security’. In cyberspace-policy circles it le-comcyber/le-comcyber/comcyber.


is common to refer to it simply as ‘the GGE’. See UN Office for 93 Laurent Lagneau, ‘Environ 40% des effectifs du

Disarmament Affairs, ‘Developments in the field of information Commandement de la cyberdéfense sont tournés vers les actions

and telecommunications in the context of international security’, offensives’, Zone Militaire, 9 May 2020, http://www.opex360.

https://www.un.org/disarmament/ict-security. com/2020/05/09/environ-40-des-effectifs-du-commandement-
84 Ministère de l’Europe et des Affaires Étrangères, ‘Guaranteeing de-la-cyberdefense-sont-tournes-vers-les-actions-offensives.
Cybersecurity’, undated, https://www.diplomatie.gouv.fr/en/ 94 Nathalie Guibert, ‘Général Lecointre: “L’indicateur de réussite

french-foreign-policy/digital-diplomacy/france-s-international- n’est pas le nombre de djihadistes tués”’, Le Monde, 13 July

digital-strategy/article/guaranteeing-cybersecurity. 2019, https://www.lemonde.fr/international/article/2019/07/12/

85 Federal Office for Information Security (Germany) and Agence general-lecointre-l-indicateur-de-reussite-n-est-pas-le-nombre-

Nationale de la Sécurité des Systèmes d’Information, ‘Third de-djihadistes-tues_5488379_3210.html.

edition of the Franco-German common situational picture’, 2020, 95 Martin Untersinger and Jacques Follorou, ‘La France suspectée

https://www.ssi.gouv.fr/uploads/2020/12/anssi-bsi-common_ de cyberespionnage’, Le Monde, 21 March 2014, https://

situational_picture_2020.pdf. www.lemonde.fr/international/article/2014/03/21/la-france-

86 Ministère de l’Europe et des Affaires Étrangères, ‘Indo-French suspectee-de-cyberattaque_4387232_3210.html.

Bilateral Cyber Dialogue’, 20 June 2019, https://www.diplomatie. 96 Simon Pascal, ‘Cyberdéfense. “Nous allons accroître encore

gouv.fr/en/french-foreign-policy/security-disarmament- les capacités de la plaque rennaise”’, Ouest-France.fr, 18

66 The International Institute for Strategic Studies


December 2020, https://www.ouest-france.fr/politique/defense/ Security Studies, 2018, https://css.ethz.ch/content/dam/ethz/

cyberdefense-nous-allons-accroitre-encore-les-capacites-de-la- special-interest/gess/cis/center-for-securities-studies/pdfs/

plaque-rennaise-7091506. Cyber-Reports_National_Cybersecurity_and_Cyberdefense_

97 Robert S. Dewar (ed.), ‘National Cybersecurity and Policy_Snapshots_Collection_1.pdf.

Cyberdefense Policy Snapshots: Collection 1’, Center for 98 Laudrain, ‘French Cyber Security and Defence’, p. 9.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 67


68 The International Institute for Strategic Studies
6. Israel

Israel was one of the first countries to identify cyber- strategy that includes close cooperation between
space as a potential threat to its national security, government, the private sector and academia, and
and started to address the issue more than 20 years with international partners. This cooperation, led
ago. Initially it perceived that the main threat was by the INCD, has created both a vibrant cyber eco-
of cyber attacks against its critical national infra- system and a relatively high level of preparedness
structure, but that perception has evolved to include and resilience within the private sector. On offensive
attacks against other nationally significant targets. cyber operations, little has been publicly avowed,
Technological and geopolitical changes have driven but notable attacks that have been attributed to
various organisational reforms in the way Israel’s Israel include the use of the Stuxnet worm against
national-security system responds to cyber threats, Iran, between 2008 and 2010, and an attack against
a process culminating in 2018 with the formal estab- an Iranian port in 2020. Based on such evidence, it
lishment of the Israeli National Cyber Directorate appears that Israel has a well-developed capacity for
(INCD) within the office of the prime minister. The offensive cyber operations and is prepared to under-
country has also drafted a formal national cyber take them in a wide range of circumstances.

Strategy and doctrine


It was around the year 2000 when Israel identified cyber- comprised staff from key agencies involved with cyber
space as an emerging domain of threat to its national security. Their main practical recommendation was the
security, and 2002 when the government decided need for a new governmental cyber-security organisa-
to establish a dedicated agency for the protection of tion that would coordinate all policy efforts in order to
critical information infrastructure.1 Cyber security promote national capability in cyberspace and improve
became a much more explicit national-security objec- Israel’s preparedness to deal with cyber threats.2
tive in November 2010, when Prime Minister Benjamin The first National Cyber Security Strategy, published
Netanyahu ordered the formation of a special team to in 2017, set out the vision that Israel would become ‘a
formulate a national strategy for placing Israel among leading nation in harnessing cyberspace as an engine
the top five leading countries in the cyber-security field. of economic growth, social welfare and national secu-
Labelled the National Cyber Initiative, the work was rity’. The focus was mostly on the security aspect,
led by Professor Isaac Ben Israel, head of the National where the aim was that of ‘keeping cyberspace safe and
Council for Research and Development, whose team … confronting the various cyber threats, in accordance

List of acronyms
IDF Israel Defense Forces NISA National Information Security Authority
INCD Israeli National Cyber Directorate

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 69


with the country’s national interests’. The strategy also a political leadership that understands the value of
declared that Israel intended to continue ‘as a leader in cyber capabilities.
technological innovation and as an active partner in the By 2010, changes in Israel’s perception of the cyber
global processes of shaping cyberspace’.3 threat had led policymakers to the conclusion that the
In contrast with its relative transparency on the civil- Israeli Security Agency (Shin Bet) could not remain
ian use of cyberspace, Israel has been much less forth- the lead authority for protecting the information sys-
coming in terms of publicly available information about tems of the Israeli private sector. They decided that a
its military use. Indeed, it has never released a military more bespoke solution to coordinating national cyber-
cyber strategy. But the outlines of Israel’s approach are defence activities was needed.10
discernible from statements by senior military officers In August 2011, Prime Minister Netanyahu announced
in 2009 that depicted cyberspace as a strategic warfare the establishment of the National Cyber Bureau (NCB),
and operating space, and one that particularly suited which operated under his supervision and was intended
the country’s need for asymmetric defences.4 In 2012 the to protect critical national infrastructure against cyber
Israel Defense Forces (IDF) declared that the country attacks emanating either from other countries or terrorist
was ready and able to use cyber weapons,5 although the groups.11 Within a few years the government perceived a
conditions under which it would do so – and the nature need for a separate operational authority for cyber secu-
of the weapons themselves – remain undisclosed. rity, so in 2016 the National Cyber Security Authority
In 2015, the IDF’s first publicly available defence (NCSA) was established.12 Cyber governance was further
doctrine laid out its strategic and operational response rationalised in 2018 by the merger of the NCB and the
to the threats it faced, including its view on the role NCSA into the Israeli National Cyber Directorate (INCD),
of cyber capabilities.6 The doctrine described cyber tasked with protecting Israeli cyberspace and promoting
defence as especially important in order to safeguard Israeli leadership in the global cyber arena.13 The INCD
the functioning of state institutions and the armed forc- deals with national cyber security and does not conduct
es.7 The IDF’s cyber capabilities were presented as ena- offensive cyber operations, which are handled by Israel’s
bling it to leverage intelligence, carry out networked military and intelligence agencies.
operations in a coalition, influence adversaries’ percep- The proposed regulatory powers of the INCD,
tions and achieve legitimacy,8 while cyber warfare was and the legal basis for its activities, are set out in the
presented as playing a part in strengthening the IDF’s 2018 Cyber Security and National Cyber Directorate
strategic and tactical deterrence.9 Bill.14 This proposed law, introduced by Netanyahu,
has sparked controversy among various civilian and
Governance, command and control defence groups in Israel. Some specialists are con-
The formulation of cyberspace policy in Israel follows cerned that it would provide the prime minister with
the principle of ministerial responsibility in a parlia- unchecked powers to dictate cyber operations, thus
mentary democracy, where key national decisions potentially facilitating attacks on political opponents.
emanate from the prime minister, other ministers and The unpopularity of the bill also stems from the absence
senior officials in a system of cabinet government with of restrictions on the future collection and distribution
ministerial accountability to parliament. This is com- of information by the INCD.15
plemented by a system of multi-stakeholder consul- Throughout the reorganisation process, the National
tation between government, business, academics and Information Security Authority (NISA),16 established in
community groups on issues including ICT industry 2002 within the Shin Bet, has retained responsibility for
policy, research and development (R&D), and pri- instructing, guiding and coordinating activities between
vacy of personal information in ICT systems. Israel’s the public entities and private companies considered
command arrangements benefit from the use of high- critical for Israel’s cyber security. NISA supervises the
quality technical systems, a strong commitment to implementation of various information-security and
cyber operations within the relevant agencies, and information-protection policies.17

70 The International Institute for Strategic Studies


Based on publicly available information, two main in the United States and Government Communications
bodies within the IDF have cyber responsibilities: Headquarters in the United Kingdom, with responsibil-
ity for Israel’s signals-intelligence, cyber-defensive and
1. Unit 8200, the largest unit of the Military cyber-offensive capabilities.26 Unit 8200 is credited with
Intelligence Directorate,18 was entrusted with developing the Stuxnet worm used against Iran’s ura-
the IDF’s offensive cyber capabilities in 2009 nium-enrichment programme between 2008 and 2010.27
and reportedly created a special ‘cyber staff’ The pressures of the Arab Spring and rapid evolu-
in 2011 to develop and deploy offensive cyber tion of technology led to a restructuring of Aman in
weapons. In around 2012, as funding and the early 2010s, described by insiders as a reorienta-
personnel for military cyber programmes tion away from traditional radio and telephone sig-
increased, an Office of Capabilities and nals intelligence towards internet-based capabilities.28
Operations was created within Unit 8200.19 Both the Mossad and the Shin Bet make extensive use
of cyber-intelligence capabilities, whether their own or
2. The General Staff’s C4I20 and Cyber Defense those of Unit 8200. In 2019 the head of the Mossad, Yossi
Directorate is tasked with advanced techno- Cohen, identified cyber as its ‘main tool’ in combating
logical support for IDF land, sea and air oper- terrorism,29 and Shin Bet chief Nadav Argaman asserted
ations, including cyber-defence missions.21 in 2017 that cyber capabilities had been responsible for
preventing more than 2,000 terrorist attacks.30
The Israeli intelligence agencies have a particularly
Core cyber-intelligence capability symbiotic relationship with the country’s booming
The Israeli intelligence architecture consists of three key digital-technology sector, with the agencies investing
agencies: the Military Intelligence Directorate (often in innovative start-ups to develop cutting-edge cyber
referred to by its Hebrew abbrevia- capability while the start-ups carve
tion, Aman), the largest, is respon- out a high-value specialisation in the
sible for most aspects of air, naval,
The Israeli global market for cyber-intelligence
ground and signals intelligence; the intelligence capability.
Secret Intelligence Service (Mossad)
agencies have Overall, owing to the audacity,
is charged with Israel’s foreign intel- controversy and success of their
ligence activities; and the Israeli
a particularly operations, Israel’s intelligence ser-
Security Agency (Shin Bet) adminis- symbiotic vices have acquired a formidable
ters internal intelligence operations, relationship with reputation. That said, and despite
including those in the Israeli-occupied the regional superiority of its cyber-
territories.22 Unsurprisingly, given the
the country’s intelligence capabilities, Israel lacks
troubled and often hostile relation- booming digital- the global intelligence reach of some
ship between Israel and its Middle technology other states. It compensates for this
Eastern neighbours, Israel spends through a particularly close relation-
considerably more per capita on its
sector ship with the US cyber-intelligence
intelligence services than other devel- community, and also through collab-
oped states.23 oration with the UK’s agencies and a few other signifi-
The development of cyber-intelligence capabili- cant partnerships (for example with France, Singapore
ties has been a major priority during Prime Minister and the United Arab Emirates).
Netanyahu’s tenure (2009–present).24 These are mainly
centred in Aman’s Unit 8200.25 Representing approxi- Cyber empowerment and dependence
mately 80% of Aman’s personnel, the unit has a role Over the past decade Israel has created a unique cyber
similar to that of the National Security Agency (NSA) ecosystem that incorporates the government, academia

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 71


and industry, based on the conception that investments sector accounted for 9.2% of the Israeli job market and
in human capital and industry are necessary for main- offered an average salary that was roughly double the
taining high-quality cyber defences and cyber superi- national average. However, it also reported a slowing of
ority over its neighbours. One of the flagship initiatives the rate at which multinational companies were open-
in this respect is the CyberSpark Innovation Arena in the ing R&D centres in Israel.37
southern city of Be’er Sheva. Established in 2014 as a joint Israel has been among the few countries where
venture on the part of the INCD, the Be’er Sheva munici- courses in cyber security can be studied at high-school
pal government, Ben Gurion University and industrial level,38 and the IDF sends officers into high schools to
partners such as EMC-RSA, Lockheed Martin, IBM, identify potential recruits.39 Notable cyber-related edu-
Deutsche Telekom, JVP Cyber Labs and Elbit systems, cation programmes include Magshimim, which provides
CyberSpark has created a multi-stakeholder ‘ecosystem’ after-school training for gifted young computer coders
for government, academia, industry, local government and hackers from underprivileged areas – the majority
and civil society to develop and test new ideas and con- of those who complete the programme are recruited
cepts regarding cyber security.31 into the IDF’s cyber and intelligence units.40 In 2017 the
The annual survey of 500 leading cyber-security Israeli government also established the National Center
companies published in Cybercrime Magazine dem- for Cyber Education, aiming to expand the talent pool
onstrates the global competitiveness of Israel’s cyber that the military cyber organisations draw on.41
industry.32 In 2018, with no fewer than 42 companies In terms of artificial intelligence (AI) research, Israel
in the list, Israel was second only to the US (354 com- scores well. It was ranked tenth, for example, in a list of
panies). The UK, ranked third, had only half as many the top 50 countries according to their contributions to
companies as Israel in the list, while China had only the two most prestigious AI conferences in 2020.42 The
six. In fact, the gap between Israel and first place was IDF has deployed weapons with significant autonomy,
smaller than it appeared, given that about 40 of the ‘US’ such as the Harpy loitering munition and fully auto-
companies were registered there for tax and other com- mated self-driving military vehicles.43 The AI start-up
mercial reasons but physically located in Israel. In 2020 scene is thriving, with no fewer than 1,150 AI-focused
Israel was also in second place in the same magazine’s start-ups reported in April 2020.44 Israeli firms have
list of 150 up-and-coming cyber-security companies.33 A a comparative advantage in developing AI services
further indication of Israel’s remarkable strength in this for robotics and automation.45 At the end of 2020 the
area is that in 2020 it received 37% of the global total of Israel Innovation Authority announced a five-year
venture-capital funding for cyber-security companies.34 AI programme with a planned budget of NS5 billion
A distinctive feature of Israel’s cyber industry is its (US$1.55bn).46 Although the funding is likely to be sig-
close relationship with the IDF’s Unit 8200. Within Unit nificantly reduced for budgetary and political reasons,47
8200 there is a technology section, Unit 81, that focuses the programme outlined some initial urgent projects
on in-house R&D of cutting-edge technology for its own – developing a supercomputer, promoting R&D (espe-
personnel.35 Many people working in Israel’s cyber- cially for neuro linguistic programming), developing
security start-ups – including the founders of Palo Alto human resources and procuring advanced equipment
Networks, NSO and Checkpoint – had served previously for Israel’s universities.
in Unit 8200 as combat or technology personnel. The
close collaboration between Israel’s military and private Cyber security and resilience
sectors provides a unique technological advantage for In a January 2020 report, Israel claimed there had been
both, with new cyber technologies tried and tested on no successful cyber attacks against its critical national
real battlegrounds, ensuring their effectiveness and scal- infrastructure in the previous 12 months,48 but noted
ability before they are released on the global market.36 an increasing number of attempted attacks by Iran.
According to a 2019 report by Start-Up Nation An example from later in the year (April 2020) was
Central and the Israel Innovation Authority, the tech a reportedly unsuccessful Iranian cyber attack on

72 The International Institute for Strategic Studies


Israeli water-treatment facilities, which prompted a initiatives: the country’s first national cyber-incident-
retaliatory Israeli attack on infrastructure facilities response plan;55 guidance to all businesses on how to
in an Iranian port.49 The Iranian attack prompted build crisis-response teams in preparation for a cyber
the head of the INCD to warn that a ‘cyber winter’ incident;56 and a national cyber exercise, ‘Magic Circle
was coming, an allusion to increasing attacks on the 2’, to examine the effectiveness of its cooperation with
country and the worsening threat environment.50 In the private sector. In 2020 the INCD issued guidelines on
2021 the Manufacturers Association of Israel assessed ‘Reducing Cyber Risks for Industrial Control Systems’57
that additional measures were needed to stem the tide and ‘Recommendations on Using Zoom Safely’.58
of cyber attacks, and announced a plan to establish a Another important element in Israel’s cyber-defence
cyber-security headquarters – modelled on the UK’s operations is the Cyber Emergency Response Team, whose
government-run National Cyber Security Centre – that responsibilities include maintaining an around-the-clock
would coordinate mutual support among members.51 reporting mechanism between the INCD and enterprises
Israel is a particular target of cyber attacks for geo- throughout the country, whether in the private sector or
political and ideological reasons, but also because of its governmental.59 Its analysts include former members of
rich ICT R&D environment and its position as a lead- IDF cyber units.
ing exporter of weapons. The country’s overall cyber-
security situation is quite solid, resting as it does on one Global leadership in cyberspace affairs
of the most vibrant domestic cyber-security sectors in In pursuit of the goal of becoming one of the world’s
the world, so it may be something of an anomaly that it leading cyber powers, Israel is expanding and deepen-
ranked only 39th out of 175 countries in the 2018 Global ing its cooperation with a range of other countries. This
Cybersecurity Index compiled by the International effort includes negotiating bilateral and multilateral
Telecommunication Union.52 agreements with friendly states, establishing closer ties
The mandate of the INCD includes responsibility for with international organisations and maintaining con-
all aspects of cyber defence in the civilian sphere, rang- tacts with multinational companies. The best example
ing from the formulation of policy and building techno- of Israel’s strong international collaborative profile has
logical power to operational defence in cyberspace. The been its participation in work on possible voluntary
INCD provides incident-handling services and guid- norms for cyberspace in the United Nations Group of
ance for civil-sector firms, especially those managing Governmental Experts.60 Israel engages regularly in
critical national infrastructure, and works to increase international forums on such issues.61 It has also signed a
the resilience of civilian cyberspace.53 number of bilateral cyber-cooperation agreements: with
The INCD guides private companies and managers Japan and India in 2018,62 Croatia, Romania and Australia
of critical national infrastructure on the implementation in 2019,63 and India (again)64 and Greece65 in 2020.
of new technological platforms and helps them acquire Collaboration and knowledge-sharing with private
the knowledge necessary to protect their systems against organisations around the world is a key strand of Israel’s
cyber attacks. A system called ‘Showcase’, launched in effort to enhance its international cyber profile. In
2019, connects private-sector firms with the INCD and November 2018, for example, the INCD – together with
enables them to access a comprehensive, real-time picture the Export Institute and the Ministry of Economy and
of the level of cyber risk that they are exposed to. This will Industry – staged the ‘Cyber Edge 2.0’ seminar for the
enable the INCD to integrate capabilities and knowledge chief information security officers of large corporations
held by government agencies and private firms, and to from 14 countries.66 Earlier that year the INCD had joined
develop metrics for rating the cyber risks they face.54 with the Hebrew University of Jerusalem, the Ministry
The INCD regularly publishes guidelines and recom- of Economy and Industry and the Inter-American
mendations to help Israeli private companies and citi- Development Bank to hold a two-week training work-
zens secure their information and reduce cyber risks. In shop for representatives and cyber professionals from
November 2018, for example, it launched three related 22 Latin American countries.67 In 2020, Israel’s annual

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 73


international exhibition-style event for the private sec- to attack in the cyber domain, and though he empha-
tor, Cyber Tech, attracted 18,000 participants, including sised that it was more important to invest in defensive
representatives from some 200 companies.68 capabilities than offensive ones, he admitted that Israel
The INCD is not the only agency taking a lead- was engaged in developing both.70
ing role in international cyber cooperation. The IDF’s In fact, there had already been a significant indica-
C4I and Cyber Defense Directorate, for example, held tion of Israel’s offensive capabilities through public
its fourth Cyberdome exercise in collaboration with US exposure of the Stuxnet malware in 2010. Reportedly
Cyber Command in November 2019. The Israeli delega- the result of collaboration between the US (the NSA)
tion was led by the commander of the Cyber Defense and Israel (Unit 8200), Stuxnet was designed to target
Brigade and included representatives from Aman, the the supervisory control and data acquisition (SCADA)
Israeli Air Force, the Israeli Navy and the Israeli Ground systems of Iran’s uranium-enrichment centrifuges.71
Forces.69 This is only part of the bilateral military cyber- Since then, Unit 8200 has reportedly continued to
cooperation programme with the US. develop Israel’s ability to sabotage the critical national
These examples show that Israel’s efforts to establish infrastructure of potential enemies, particularly Iran.72
itself as a leader in cyber technology and cyber security For example, the Flame malware used against Iran in
place a heavy emphasis on making tangible and practi- 2012 was reportedly also the result of collaboration
cal progress on mutually important cyber issues when between Unit 8200 and the US.73 And in 2020, members
creating new international partnerships or maintaining of Unit 8200 received medals for a cyber attack report-
existing ones. edly aimed at sabotaging facilities in an Iranian port
in retaliation for an attempt by Iran to sabotage water-
Offensive cyber capability treatment facilities in Israel.74 An Israeli official stated
Israel has not publicly provided any details about its that at the time that the retaliatory cyber attack would
development or use of offensive cyber capabilities, just be the first of many.75
as it has never publicly disclosed information regarding Overall, it is likely that Israel is continuing to
its cyber-intelligence capabilities. But various official develop highly capable offensive cyber tools commen-
statements have provided insights into the existence surate with its advanced cyber-intelligence capacities,
of such capabilities and Israel’s approach to employing and that those offensive capabilities are amplified by
them. In June 2012, then-minister of defense Ehud Barak close collaboration with key international partners,
made the first official public reference to Israel’s ability especially the US.

Notes

1 In 2002 the Ministerial Committee for National Security adopted within the Israeli Security Agency (Shin Bet). See Gil Baram,

Resolution B/84 on ‘Responsibility for Protecting Computer ‘The Effect of Cyberwar Technologies on Force Buildup: The

Systems in Israel’, which provided the basis for the creation of Israeli Case’, Military and Strategic Affairs, vol. 5, no. 1, May 2013,

a steering committee charged with identifying all public and p. 29, https://www.inss.org.il/wp-content/uploads/systemfiles/

private computer systems essential to Israel’s national security MASA5-1Eng4_Baram.pdf.

and therefore requiring constant protection. Some of these 2 A similar process is currently under way with regard to

systems were not operated by the Israel Defense Forces but by artificial intelligence, aiming to establish Israel among the top

civilian or government companies. The resolution also mandated five countries in the field – see, for example, Éanna Kelly, ‘Israel

the creation of the National Information Security Authority, the sets out to become the next major artificial intelligence player’,

unit responsible for the protection of computerised systems Science Business, 2 July 2019, https://sciencebusiness.net/

74 The International Institute for Strategic Studies


news/israel-sets-out-become-next-major-artificial-intelligence- https://www.haaretz.com/israel-news/.premium-cyber-bill-

player; and Lior Tabansky and Isaac Ben Israel, Cybersecurity would-give-israeli-prime-minister-unsupervised-powers-

in Israel (Cham: Springer International Publishing, 2015), experts-warn-1.7040402?v=A1C59A1E1CE4E3490E38639

pp. 47–50. FFA872186.

3 State of Israel, Prime Minister’s Office, National Cyber 16 NISA is known as ‘Re’em’ in Hebrew.

Directorate, ‘Israel National Cyber Security Strategy in Brief’, 17 Lior Tabansky, ‘Critical infrastructure protection against cyber

September 2017, p. 5, https://cyber.haifa.ac.il/images/pdf/ threats’, Military and Strategic Affairs, vol. 3, no. 2, November

cyber_english_A5_final.pdf. 2011, pp. 72–3, https://www.inss.org.il/wp-content/uploads/

4 Amir Oren, ‘Zeyret helheymh hhedshh shel tesh”l nemtesat sites/2/systemfiles/(FILE)1326273687.pdf.

bershetvet mheshebyem’, Haaretz, 1 January 2010, http://www. 18 Israel Defense Forces, ‘Military Intelligence Directorate’, https://

haaretz.co.il/misc/1.1182490. www.idf.il/en/minisites/military-intelligence-directorate.

5 Gili Cohen and Oded Yaron, ‘Barak Acknowledges Israel’s 19 Yaacov Katz, ‘Security and Defense: Israel’s Cyber

Cyber Offensive for First Time’, Haaretz, 6 June 2012, https:// Ambiguity’, Jerusalem Post, 31 May 2012, http://www.jpost.

www.haaretz.com/barack-acknowledges-israel-s-cyber- com/Features/Front-Lines/Security-and-Defense-Israels-

offensive-for-first-time-1.5170714. Cyber-Ambiguity; and Matthew S. Cohen, Charles D.

6 Graham Allison, ‘Deterring Terror: How Israel Confronts the Freilich and Gabi Siboni, ‘Israel and cyber space: Unique

Next Generation of Threats – English Translation of the Official threat and response’,  International Studies Perspectives, vol.

Strategy of the Israel Defense Forces’, Special Report, Belfer 17, no. 3, August 2016, p. 8, https://www.researchgate.net/

Center for Science and International Affairs, Harvard Kennedy publication/288823312_Israel_and_Cyberspace_Unique_

School, August 2016, https://www.belfercenter.org/sites/ Threat_and_Response.

default/files/legacy/files/IDF%20doctrine%20translation%20 20 C4I refers to ‘command, control, communications, computers

-%20web%20final2.pdf. and intelligence’.

7 Ibid., p. 22. 21 See Israel Defense Forces, ‘C4I and Cyber Defense Directorate’,

8 Ibid., p. 38. https://www.idf.il/en/minisites/c4i-and-cyber-defense-directorate.

9 Ibid., p. 48. 22 Antonella Colonna Vilasi, ‘The Israeli Intelligence Community’,

10 Government of Israel, ‘Mesper hhelth 3270’, 17 December 2017, Sociology Mind, vol. 8, March 2018, pp. 114–22, https://www.

https://www.gov.il/he/Departments/policies/dec_3270_2017. scirp.org/pdf/SM_2018032915444002.pdf.

11 Baram, ‘The Effect of Cyberwar Technologies on Force Buildup: 23 Richard Silverstein, ‘Israeli Intelligence Budget Nearly Doubles

The Israeli Case’, pp. 29–32. in Past Decade Under Netanyahu’, Tikun Olam, 5 May 2017,
12 Government of Israel, ‘Resolution no. 2444’, 15 February 2015, https://www.richardsilverstein.com/2017/05/05/israeli-

https://www.ictrp.org/wp-content/uploads/2019/02/Government- intelligence-budget-nearly-doubles-past-decade-netanyahu.

Resolution-No-2444-Advancing-the-National-Preparedness- 24 Kacy Zurkus, ‘Netanyahu Boasts of Israel’s Cyber Intelligence’,

for-Cyber-Security.pdf. This presented Israel’s operational Info Security, 26 June 2019, https://www.infosecurity-magazine.

cyber-defence strategy for the civilian economy, calling for greater com/news/netanyahu-boasts-of-israels-cyber-1.

coordination of all national cyber-defence bodies and laying the 25 Israel Defence Forces, ‘Military Intelligence Directorate’.

foundations for the creation of the NCSA for this purpose. 26 Sean Cordey, ‘The Israeli Unit 8200: An OSINT-based study’,

13 Yigal Unna, ‘National Cyber Security in Israel’, Cyber, Center for Security Studies, Cyber Defense Project, December

Intelligence, and Security, vol. 3, no. 1, May 2019, p. 170, https:// 2019, p. 8, https://css.ethz.ch/content/dam/ethz/special-interest/

www.inss.org.il/publication/national-cyber-security-in-israel. gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-

14 Amir Cahane, ‘The New Israeli Cyber Draft Bill – A Preliminary 2019-12-Unit-8200.pdf.

Overview’, The Federmann Cyber Security Research Center – 27 Amir Mizroch, ‘Rise of Computer Vision Brings Obscure Israeli

Cyber Law Program, undated, https://csrcl.huji.ac.il/news/ Intelligence Unit Into Spotlight’, Forbes, 28 May 2018, https://

new-israeli-cyber-law-draft-bill. www.forbes.com/sites/startupnationcentral/2018/05/28/rise-of-

15 Yaniv Kubovich, ‘Cyber Bill Would Give Netanyahu computer-vision-brings-obscure-israeli-intelligence-unit-into-

Unsupervised Powers, Experts Warn’, Haaretz, 19 March 2019, spotlight/#91acc643c193.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 75


28 Amir Rapaport, ‘Revolution in the Intelligence Agencies’, 38 Gil Press, ‘6 Reasons Israel Became A Cybersecurity Powerhouse

Israel Defense, 19 April 2014, https://www.israeldefense.co.il/ Leading the $82 Billion Industry’, Forbes, 18 July 2017, https://

en/content/revolution-intelligence-agencies. www.forbes.com/sites/gilpress/2017/07/18/6-reasons-israel-

29 Jonah Jeremy Bob, ‘Mossad chief Yossi Cohen: Cyber intel became-a-cybersecurity-powerhouse-leading-the-82-billion-

is main tool against terrorism’, Jerusalem Post, 26 June 2019, industry/#29c1c94b420a.

https://www.jpost.com/israel-news/mossad-chief-yossi-cohen- 39 Cordey, ‘The Israeli Unit 8200: An OSINT-based study’, pp. 3, 12.

cyber-intel-is-main-tool-against-terrorism-593617. 40 Isaac Kfir, ‘Learning from Israel’s cyber playbook’, Asia and

30 ‘Shin Bet head says over 2,000 terror attacks thwarted the Pacific Policy Society, 5 November 2018, https://www.

with cybertech’, Times of Israel, 27 June 2017, https://www. policyforum.net/learning-israels-cyber-playbook.

timesofisrael.com/shin-bet-head-says-over-2000-attacks- 41 Daniel Estrin, ‘In Israel, teaching kids cyber skills is a national

thwarted-with-cybertech. mission’, Times of Israel, 4 February 2017, https://www.

31 Deborah Housen-Couriel, ‘National Cyber Security timesofisrael.com/in-israel-teaching-kids-cyber-skills-is-a-

Organisation: Israel’, NATO Cooperative Cyber Defence national-mission.

Centre of Excellence, 2017, pp. 14–15, https://ccdcoe.org/ 42 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United

uploads/2018/10/IL_NCSO_final.pdf. States Stay Ahead of China?’, 21 December 2020, https://chuvpilo.

32 Steve Morgan, ‘Cybersecurity 500 by the Numbers: Breakdown medium.com/ai-research-rankings-2020-can-the-united-states-

by Region’, Cybercrime Magazine, 21 May 2018, https:// stay-ahead-of-china-61cf14b1216.

cybersecurityventures.com/cybersecurity-500-by-the-numbers- 43 Kirsten Gronlund, ‘State of AI: Artificial Intelligence, the Military

breakdown-by-region. and Increasingly Autonomous Weapons’, Future of Life Institute,

33 In the 2020 listing of the top 150 cyber-security companies, the US 9 May 2019, https://futureoflife.org/2019/05/09/state-of-ai.

had 95 companies, Israel 16, the UK eight, Russia one, and China 44 Kyle Wiggers, ‘Israel Risks Falling Behind in AI Despite

none. See Steve Morgan, ‘Hot 150 Cybersecurity Companies Growth’, VentureBeat, 17 February 2020, https://venturebeat.
to Watch in 2021’, Cybercrime Magazine, 5 January 2021, https:// com/2020/02/17/israel-risks-falling-behind-in-ai-despite-growth.
cybersecurityventures.com/cybersecurity-companies-list- 45 European Commission, Joint Research Centre, ‘AI Watch:

hot-150. Although quite subjective, the list indicates the amount TES Analysis of AI Worldwide Ecosystem in 2009–2018’,
of attention that Israeli companies in this sector attract. JRC Technical Reports, 2020, p. 29, https://data.europa.eu/
34 Israel National Cyber Directorate, ‘The Israeli cyber industry doi/10.2760/85212.
continues to grow: Record fundraising in 2020’, 21 January 46 ‘Israel Launches National AI Plan at Cost of 1.63 Bln USD’,

2021, https://www.gov.il/en/departments/news/2020ind. Xinhuanet, 23 December 2020, http://www.xinhuanet.com/


35 Sophie Shulman, ‘Unit 81: The elite military unit that caused a english/2020-12/23/c_139613874.htm.
big bang in the Israeli tech scene’, CTech, 8 January 2021, https:// 47 Meir Orbach, ‘Israel Launches National AI Program, but

www.calcalistech.com/ctech/articles/0,7340,L-3886512,00.html. Lack of Budget Threatens Its Implementation’, CTECH,


36 Thomas McMullan, ‘Israel’s Silent Cyberpower Is Reshaping 22 December 2020, https://www.calcalistech.com/ctech/
the Middle East’, OneZero, 16 April 2019, https://onezero. articles/0,7340,L-3883355,00.html.
medium.com/israels-silent-cyberpower-is-reshaping-the- 48 Israel National Cyber Directorate, ‘Zero Successful Cyber

middle-east-af1458d16a15. Attacks on Critical National Infrastructures’, 29 January 2020,

37 ‘High-Tech Human Capital Report 2019’, Start-Up Nation https://www.gov.il/en/departments/news/cybertech2020.

Central, Israel Innovation Authority, February 2019, http:// 49 Israel National Cyber Directorate, ‘The Israel National Cyber

mlp.startupnationcentral.org/rs/663-SRH-472/images/ Directorate: Iran is a main cyber threat on [sic] the Middle

Start-Up%20Nation%20Centrals%20High%20Tech%20 East’, 29 June 2019, https://www.gov.il/en/departments/news/

Human%20Capital%20Report%202019.pdf. For a summary, unna_cyber_week_2019.

see Lilach Baumer, ‘Israel’s Tech Sector Grows, but 50 ‘“Cyber winter is coming,” warns Israel cyber chief after attack

Demand Still Outstrips Supply, Says Report’, Calcalist, on water systems’, Times of Israel, 28 May 2020, https://www.

26 February 2019, https://www.calcalistech.com/ctech/ timesofisrael.com/israeli-cyber-chief-attack-on-water-systems-a-

articles/0,7340,L-3796731,00.html. changing-point-in-cyber-warfare.

76 The International Institute for Strategic Studies


51 Naveen Goud, ‘Israel to Build a Cybersecurity Headquarters Operations’, 8 December 2020, https://www.ejiltalk.org/israels-

Serving Manufacturers’, Cybersecurity Insiders, 7 January perspective-on-key-legal-and-practical-issues-concerning-the-

2021, https://www.cybersecurity-insiders.com/israel-to-build-a- application-of-international-law-to-cyber-operations/.

cybersecurity-headquarters-serving-manufacturers/. 62 Israel National Cyber Directorate, ‘Lerashevnh, heskem shet”p

52 International Telecommunication Union, ‘Global Cybersecurity lheylevpey meyd’ vesheytevpey mev”p bethevm hesyeyber

Index 2018’, p. 64, https://www.itu.int/dms_pub/itu-d/opb/str/D- beyn yesheral veypen’, 28 November 2018, http://www.gov.il/he/

STR-GCI.01-2018-PDF-E.pdf. departments/news/cooperationjapan; and Israel National Cyber

53 See Israel National Cyber Directorate, http://www.gov.il/en/ Directorate, ‘Rash memshelt yesheral, benyemyen netneyhev

departments/israel_national_cyber_directorate. verash memshelt hevdev nernedrh mevdey, nepgeshev heyvem

54 Uri Berkowitz, ‘Hesvet hemdeynh: hekyerv at hem’erekt shetkeyn bem’even hayervh hershemy shel memshelt hevdev, vhetmev ‘el

at hhebrh shelkem lemteqpet Bhesyeyber hebah’, Globes, 5 May shevret heskemyem beyn hemdeynevt’, 15 January 2018, www.

2019, http://www.globes.co.il/news/article.aspx?did=1001284397. gov.il/he/departments/news/india.

55 Israel National Cyber Directorate, ‘National Cyber Concept 63 Israel National Cyber Directorate, ‘Heskem hebnevt lesheytevp

for Crisis Preparedness and Management’, 6 November 2018, p’evelh bethevm hegnet hesyeyber beyn yesheral leqrevateyh’, 12

https://www.gov.il/BlobFolder/news/cybercrisispreparedness/en/ September 2019, www.gov.il/he/departments/news/cybercroatia;

Management%20of%20crisis%20situations%20english%20final. Israel National Cyber Directorate, ‘Heskem hebnevt lesheytevp

pdf. p’evelh bethevm hegnet hesyeyber beyn yesheral lervemneyh’,

56 Israel National Cyber Directorate, ‘Organizational Preparedness 6 June 2019, www.gov.il/he/departments/news/israel_rumania;

for a Cyber Crisis: Characterization & Requirements from Crisis Israel National Cyber Directorate, ‘Australian–Israeli cooperation

Management Team and IR Team’, 8 November 2019, https:// in the field of cyber’, 29 January 2019, http://www.gov.il/he/

www.gov.il/BlobFolder/news/cybercrisisforir/en/Cyber%20 departments/news/agree_australia.

crisis_575941_eng%20final%2028.11.pdf. 64 ‘India and Israel Sign Agreement to Expand Cooperation in

57 Israel National Cyber Directorate, ‘Guidelines on Protecting Cyber Security’, RepublicWorld.com, 16 July 2020, https://www.

Industrial Control Systems’, 13 May 2020, https://www.gov.il/en/ republicworld.com/india-news/general-news/india-and-israel-

departments/general/icssolutions. sign-agreement-to-expand-cooperation-in-cyber-security.html.

58 Israel National Cyber Directorate, ‘Recommendations on Using This agreement with India expanded on areas of cooperation

Zoom Safely’, 5 May 2020, https://www.gov.il/en/departments/ covered in the two countries’ 2018 agreement.

general/zoom. 65 Israel National Cyber Directorate, ‘Joint statement on cybersecurity

59 Israel National Cyber Directorate, ‘Cyber Emergency Response signed between Greece and Israel’, 16 June 2020, https://www.gov.
Team’, https://www.gov.il/en/departments/news/119en. il/en/departments/news/greece.

60 Since a UN General Assembly resolution in 2004, a UN Group of 66 Israel National Cyber Directorate, ‘Semyenr beynelavemy

Governmental Experts (GGE) has convened for two-year terms to pevrets derk lentesyegy hebrevt vemmeshelvet memdeynevt

address international-security aspects of cyberspace. It was known yedyedvetyevt’, 18 November 2018, http://www.gov.il/he/

as the GGE on ‘Developments in the Field of Information and departments/news/cyberedge.

Telecommunications in the Context of International Security’ until 67 Israel National Cyber Directorate, ‘Shet”p bethevm hegnet

2018, when it was renamed the GGE on ‘Advancing Responsible hesyeyber beyn yesheral lemdeynevt ameryeqh helteyneyt

State Behaviour in Cyberspace in the Context of International vheqareybeyyem’, 28 March 2018, http://www.gov.il/he/

Security’. In cyberspace-policy circles it is common to refer to departments/news/iadb.

it simply as ‘the GGE’. See UN Office for Disarmament Affairs, 68 Jean-Christophe Noël, ‘Israeli Cyberpower: The Unfinished

‘Developments in the field of information and telecommunications Development of the Start-up Nation’, French Institute of

in the context of international security’, https://www.un.org/ International Relations, November 2020, p. 21, https://www.ifri.

disarmament/ict-security. org/sites/default/files/atoms/files/noel_israeli_cyberpower_2020.pdf.

61 See, for example, a speech by Deputy Attorney General Roy 69 ‘Israel, US Conclude Joint Cyber Defense Exercise’, Israel

Schöndorf, ‘Israel’s perspective on Key Legal and Practical Defense, 10 November 2019, http://www.israeldefense.co.il/en/

Issues Concerning the Application of International Law to Cyber node/40871.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 77


70 Gili Cohen and Oded Yaron, ‘Sher hebyethevn hevdh threat and response’, p. 8.

lerashevnh bep’eyelvet seyyebr hetqepyet shel yesheral’, 73 Tabansky and Israel, Cybersecurity in Israel, pp. 66–7.

Haaretz, 6 June 2012, http://www.haaretz.co.il/news/ 74 ‘IDF’s cyber warrior 8200 intelligence unit gets medal for

politics/1.1725069. “recent operations”’, Times of Israel, 25 June 2020, https://www.

71 David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the timesofisrael.com/idfs-cyber-warrior-8200-intelligence-unit-

Cyber Age (New York: Broadway Books, 2018), p. 25. gets-medal-for-recent-operations.

72 Cohen, Freilich and Siboni, ‘Israel and cyber space: Unique 75 Ibid.

78 The International Institute for Strategic Studies


7. Japan

Japan has been among the global leaders in the with many corporations unwilling to meet the costs
commercial application of information and com- of bolstering them. The country’s resilience planning
munications technologies since the early 1980s, but has been rather limited, though this intensified in the
its readiness to deal with the security aspects of run-up to the 2020 Olympic and Paralympic Games
cyberspace is a much more recent phenomenon. Its (postponed due to COVID-19). Japan still does not
first mature cyber-security strategy was issued in have an official military cyber strategy or an official
2013, building on several earlier policies that were military doctrine pertaining to cyberspace, though it
focused on rhetorical principles of classic informa- has made modest organisational changes in its armed
tion security of a narrow technical kind. Japan now forces, including the creation of some dedicated cyber
has a well-developed approach to the governance units. Its offensive cyber capabilities remain under-
of cyberspace, but this constitutes a looser set of developed because of the constitutional and politi-
arrangements than in countries such as the United cal constraints on the country’s use of force. By 2020,
States and the United Kingdom, particularly in terms prompted in part by the US and Australia, Japan had
of information-sharing by the private sector. Japan’s shifted to a more robust cyber posture because of ris-
defences in cyberspace are not especially strong, ing concerns about China and North Korea.

Strategy and doctrine


As its title suggests, Japan’s ‘First National Strategy The strategy published in 2013, the first under the title
on Information Security’, in 2006, was the earliest of ‘Cybersecurity Strategy’, was a watershed event that
document of its kind.1 (At the time, many countries reflected organisational measures undertaken during
preferred the term ‘information security’ to ‘cyber the previous year.2 In comparison with the earlier docu-
security’.) It did not lead to many changes in policy, ments it had a stronger overall emphasis on national
however, and focused largely on narrow technical security and focused much more on cyberspace as an
aspects of cyber security that had been topical since operational environment for politics, economics, diplo-
the mid-1990s. Several related policy documents macy and global influence. It was the first Japanese gov-
followed. ernment document to call for the Ministry of Defense

List of acronyms
ASEAN Association of Southeast Asian Nations IPv6 Internet Protocol Version 6
CCDCOE Cooperative Cyber Defence Centre of Excellence JSDF Japan Self-Defense Forces
CSSH Cyber Security Strategic Headquarters MoD Ministry of Defense
DIH Defense Intelligence Headquarters NISC National Center of Incident Readiness and Strategy for
DSI Directorate for Signals Intelligence Cybersecurity
ICT information and communications technology NTT Nippon Telegraph and Telephone
IoT Internet of Things

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 79


(MoD) to defend against strategic cyber attacks by other incident readiness against massive cyber attacks, new
states. Referring to cyberspace as a new domain of war- initiatives for the protection of critical infrastructure, and
fare, it outlined the creation of the first cyber-defence unit enhanced collaboration between stakeholders. Another
within the Japan Self-Defense Forces (JSDF) and stronger stated priority was to improve cyber security in the pri-
coordination between civilian and military entities in vate sector, with a policy of ‘Proactive Cyber Defence’
cyber defence. Furthermore, it noted the importance of including better sharing and utilisation of threat informa-
norms in cyberspace and the need for a multi-stakeholder tion and system vulnerabilities by businesses.
approach towards internet governance. In 2013 Japan The 2018 Cybersecurity Strategy also represented a
also released a new National Security Strategy, although landmark in being the first such document to refer to
cyber capabilities did not feature prominently within Japan’s deterrence capabilities in cyberspace. It speci-
it; the principal emphasis was on developing norms for fied that these capabilities should be coordinated by the
behaviour in cyberspace and closer cooperation with like- National Security Secretariat, which provides support
minded countries in cyber defence.3 to the National Security Council, an inter-agency body
A revised Cybersecurity Strategy was issued in 2015, established in 2013 to coordinate national-security poli-
calling for uniform cyber-security standards across gov- cies. As yet, however, there is neither an official national
ernment and for stronger reporting and coordination military cyber strategy nor an official JSDF military doc-
requirements in response to cyber threats.4 It also under- trine pertaining to cyberspace in the public domain.
lined the need for a more comprehensive approach to Japan’s military cyber journey began in earnest in
cyber security in the light of Tokyo’s anticipated host- 2012 with a plan to set up a 100-strong cyber-defence
ing of the 2020 Olympic and Paralympic Games. It was unit,8 though in previous years the Japanese armed
the country’s first strategy document to address the forces had already conducted various cyber-related
potential benefits and dangers posed by the Internet of activities. The most relevant document from which a
Things (IoT), a topic on which the government issued a doctrinal approach can be inferred is the 2019 National
separate document in 2016.5 It also reiterated the grow- Defense Program Guidelines. This emphasised the
ing role of the MoD in defending against cyber attacks need for jointness and inter-operability within the JSDF
and stressed the importance of closer ties with the in order to create a multi-domain force that can seam-
United States military under the updated ‘Guidelines lessly integrate itself into any US defence architecture
for U.S.–Japan Defense Cooperation’.6 The 2015 strat- in East Asia. It also referred to space, cyberspace and
egy document was the first to be considered at cabinet the electromagnetic spectrum as domains of warfare.
level, reflecting a greater recognition of the importance Regarding military operations in cyberspace, its empha-
of cyberspace security among the upper echelons of the sis lay clearly on defence, in line with the JSDF’s overall
Japanese government. force posture, but it also noted the importance of achiev-
The Cybersecurity Strategy released in July 2018 – ing ‘superiority’ in the cyber domain and further hinted
covering the period 2018–21, with a special emphasis on at the need for offensive cyber capabilities as part of
the Olympic and Paralympic Games – represented a fur- defensive operations to ‘disrupt’ enemy cyber attacks.9
ther evolution in Japanese policy.7 It clearly recognised Similarly, the 2018 Cybersecurity Strategy stated that
the potential cyber threat from hostile states, referring on acquiring ‘capabilities to prevent malicious cyber actors
its first page to the growing danger of ‘organised, sophis- from using cyberspace’ should be considered.10
ticated, and possibly state-sponsored’ cyber attacks. It Japan’s 2020 defence white paper emphasises that
noted the gradual merging of ‘cyberspace and real space’ cyberspace ‘could drastically change the conduct of war-
as a result of increasingly sophisticated cyber technolo- fare’ and specifically calls for the strengthening of capabil-
gies including artificial intelligence (AI), the IoT, robot- ities in order to enable cross-domain operations in space,
ics and 3D printers – capabilities at the core of Japan’s cyberspace and the electromagnetic domain.11 While
concept of an information society, or ‘Society 5.0’ as the it underlines the need to strengthen cyber-intelligence
government refers to it. The strategy called for improved capabilities, the document also stresses the importance

80 The International Institute for Strategic Studies


of ‘building the capability to disrupt C4I [command, The CSSH coordinates closely with the Japanese
control, communications, computers and intelligence] National Security Council and the IT Strategic
of opponents’.12 Headquarters on questions of policy. The NISC in turn
Another crucial document concerning the JSDF’s role coordinates the implementation of policy with the rel-
in cyberspace is the Medium Term Defense Program, evant ministries, which share with the providers of crit-
which outlined defence priorities for 2019 to 2023.13 It ical national infrastructure a legal obligation to report
placed special emphasis on the need to create additional back to the CSSH on cyber-relevant topics.15 Specifically,
cyber units within the ground forces, which may indi- the NISC is tasked with integrating and advancing the
cate a particular capability deficit in that branch of the country’s cyber-security strategy, a role which includes
JSDF. The document also underlined the need for better developing common standards, protecting infrastruc-
protection of the JSDF’s C4I capabilities; for the expan- ture, developing human resources and implementing a
sion of the existing cyber-defence unit and the creation research-and-development strategy.16
of new ones by 2023; and for Japan to participate in The second amendment to the Basic Act on
bilateral and multilateral cyber exercises. Cybersecurity, passed in December 2018 with an eye on
security for the Olympic and Paralympic Games, also
Governance, command and control established a Cybersecurity Council to exchange and
In 2014 the Japanese government began a process of collaborate on cyber-security-related information across
rationalising and improving the civilian command-and- government, the private sector and academia. Its role is
control structure that coordinates cyber activities at the to work in close coordination with the NISC, the national
national level. They now resemble those of allied states Computer Emergency Response Team (JPCERT) and
such as the US and the United Kingdom, although coor- other institutions such as the National Institute of
dination between the public and private sectors remains Information and Communications Technology and the
comparatively weak. Japanese military cyber command Information-Technology Promotion Agency, both of
and control is less advanced than in allied states. which aim to promote information-sharing between
The groundwork for establishing the current struc- government and the private sector.17
tures was laid in 2014 with the passing of the Basic In cyber affairs, Japan’s military command-and-
Act on Cybersecurity (subsequently amended in control structure remains less advanced than its civil-
2016 and 2018). As a result of this new law, which ian equivalent. In 2008 the MoD established the C4
came into effect in January 2015, the Cyber Security Systems Command, reporting directly to the chief of
Strategic Headquarters (CSSH) was created, taking staff of the Joint Staff Office, which was tasked with mon-
over the role of the institutionally weak Information itoring the defence of military networks and responding
Security Policy Council. Another important body is to cyber attacks. The C4 Systems Command reports to the
the National Center of Incident Readiness and Strategy MoD, which in turn cooperates with civilian authorities.
for Cybersecurity (NISC), which acts as the executive Each branch of the armed forces has a separate cyber-
organ within the Cabinet Secretariat. Both the CSSH defence unit tasked with network and information-
and the NISC have legal authority to coordinate and systems defence, principally against internal threats.18
implement Japan’s national cyber-security strategy. In March 2019 the JSDF also established the first regional
The CSSH is officially ‘the command and control cyber-defence unit as part of the Western Army of the
body of national cybersecurity’.14 Chaired by the Chief Japan Ground Self-Defense Force (JGSDF), with about
Cabinet Secretary, it also includes the chair of the 60 personnel. The first of a number of similar regional
National Public Safety Commission, the head of the formations due to be created in the coming years, the
National Police Agency, four ministers (internal affairs unit is tasked with defending and protecting JSDF
and communications; foreign affairs; economy, trade systems and networks.19
and industry; defense), and eight cyber specialists who A Cyber Defense Group, responsible for coordinat-
chair expert panels. ing cyber defence across the JSDF as a whole and for

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 81


defending its information infrastructure, was created in its cyber situational awareness and its development of
March 2014. In 2021 it is due to expand from approxi- intelligence capabilities.
mately 220 personnel to 290.20 According to media
reports the total number of JSDF personnel deployed in Cyber empowerment and dependence
cyber defence will reach 500 by around 2024.21 Japan remains a world leader in cyberspace technolo-
gies. A 2019 study by the International Monetary Fund
Core cyber-intelligence capability concluded that the country’s digital economy accounted
For a variety of political reasons, including the for 49% of its GDP (the figure in the US was 60%, and in
constitutional arrangements put in place after the China 30%).25 Of the 51 telecoms or tech companies in
Second World War, Japan’s intelligence organisations the 2020 Fortune ‘Global 500’, the US had 16 and Japan
are small and underfunded in comparison to those was in second place with ten (just ahead of China with
of other states of similar size. For example, Article 21 eight, while the combined total for the countries of
of Japan’s constitution severely limits the extent to Western Europe was also eight).26
which the government can collect signals intelligence As the pre-eminent producer of industrial robotics27
and consequently conduct cyber reconnaissance. and a world leader in the development of digital
Nevertheless, Japan has a suite of relevant organisations, infrastructure,28 Japan’s economy is both empowered
including the Defense Intelligence Headquarters (DIH)22 by and increasingly dependent on the ICT sector.
and its largest subordinate organisation, the Directorate The country has an established sovereign microchip-
for Signals Intelligence (DSI). Additionally, Japan has manufacturing capability, with the companies Tokyo
long hosted US signals-intelligence facilities as part of a Ohka Kogyo Co., Ltd. (TOK), JSR Corporation and Shin-
close intelligence partnership. Etsu Chemical together dominating
The DSI is the equivalent of the
The total number global production of the extreme
National Security Agency (NSA) in the ultraviolet (EUV) photoresists used
US and Government Communications of JSDF personnel in the manufacture of cutting-edge
Headquarters in the UK, though deployed in seven-nanometre chips.29
considerably smaller than both.
cyber defence Japan is home to the fourth-
Previously focused on collecting infor- largest telecommunications group
mation from communications satel-
will reach 500 by in the world, Nippon Telegraph and
lites, the DSI commenced intelligence around 2024 Telephone (NTT), which comprises a
support to cyber operations in 2012, series of subsidiary branches includ-
with assistance from the US through the NSA. At the time, ing NTT Communications (international communica-
it described these operations as experimental.23 Budget tions), NTT Domoco (mobile-device communication)
requests for restructuring and further developing the DSI and NTT World Engineering Marine Corporation
were submitted for the 2020 fiscal year,24 but resource (ground-cable installation and maintenance).30
choices in favour of expensive weapons platforms, and the According to open-source IPv6 2019 data, the top five
Article 21 legal barrier, have so far prevented the establish- internet service providers in Japan are all indigenous:
ment of a stronger Japanese signals-intelligence agency. Bbix, Biglobe, Jpne, Mf-native6 and Ocn.31 NTT World
The comparatively well-funded Cabinet Intelligence Engineering Marine Corporation’s small fleet of cable-
and Research Office is also likely to play an important laying vessels enables the country to maintain a sover-
role. Reporting directly to the prime minister, it also eign and indigenous telecommunications backbone.32
acts as the coordinating and assessment body for the Japan is currently lagging behind many other mem-
Japanese intelligence community. bers of the Organisation for Economic Co-operation
Overall, Japan’s indigenous cyber-intelligence capa- and Development (OECD) in terms of technological
bilities are embryonic, with the country largely reliant productivity, with an OECD survey suggesting the
on key international partners, especially the US, for country needs greater investment in skills and digital

82 The International Institute for Strategic Studies


competence – ‘particularly for middle-aged and older ‘technological sovereignty’, as well as bringing a public
workers’ – in order to close the gap.33 There is wide- good to the Asia-Oceania region.42 The QZSS is currently
spread concern about the digital divide between the being reviewed for formal recognition by the Worldwide
younger and older generations – a situation illustrated Radio Navigation System under the auspices of the
in particularly embarrassing fashion for the government International Maritime Organization, a process already
in 2018, when the minister responsible for cyber security completed for peers such as GPS, GLONASS (Russia)
was forced to admit he had never used a computer.34 and Beidou (China).43
Japan has nevertheless formulated a thorough Japan has become very focused on national-security
Cyber/Physical Security Framework,35 and in April aspects of outer space. It is concerned about North
2019 the Ministry of Economy, Trade and Industry Korea’s missile capability and China’s growing mili-
launched ‘Society 5.0’, a national policy aimed at ‘inte- tary power, while remaining keen to expand its own
grating cyberspace and physical space in a sophisti- space capabilities. In 2020 it established a Strategic
cated manner’.36 This initiative set out to implement Headquarters for National Space Policy in the Cabinet
standards and regulations for governmental and com- Office, announced the creation within the Joint Staff of
mercial entities operating in cyberspace, and to improve a military unit that would be ‘responsible for planning
the resilience of the domestic supply chain, as well as to pertaining to joint operations in the space domain’,44
address concerns about Japan’s ageing population and and created a Space Operations Squadron to prepare
shrinking labour force.37 for the introduction in 2022 of a Space Situational
In the field of AI, Japan is competitive. It was placed Awareness system.
ninth, for example, in a study that ranked the top 50
countries based on their contributions to the two most Cyber security and resilience
prestigious AI conferences in 2020.38 Japanese compa- Digital and cyber technologies are at the heart of Japan’s
nies are very active in AI research, with nine of them economy and society, and the overall degree of digital
featuring in a list of the world’s leading 100 companies connectedness suggests that a sustained cyber attack on
in that regard, compared with six from South Korea the country’s infrastructure would be highly compro-
and none from India. Nevertheless, the aggregate con- mising, especially since national cyber resilience is still
tribution that Japan’s industrial sector makes to AI at a developmental stage.45
research still falls behind that of South Korea.39 Japan’s efforts to raise its level of resilience in cyber-
Much of Japan’s digital technology has the potential to space were driven principally by security concerns
be further integrated into military applications, although surrounding the planned 2020 Tokyo Olympic and
currently that remains little more than a policy aspiration. Paralympic Games. The guiding document in that respect
Japan’s annual defence white papers have addressed in was the Cybersecurity Policy for Critical Infrastructure
general terms the global trend towards digital depend- Protection, adopted in April 2018, which focused on the
ence in military operations, acknowledging the need for importance of public–private partnerships in boosting
the Japanese armed forces to increase the resilience of resilience and recovering quickly from damage to critical
their command-and-control systems.40 infrastructure caused by cyber attacks.46 This is unsurpris-
In terms of Japan’s indigenous satellite capability, the ing, as 90% of Japan’s ICT assets are in the private sector.47
Cabinet Office approved plans to implement and expand The national-level Computer Emergency Response
the Quasi-Zenith Satellite System (QZSS/Michibiki) pro- Team, JPCERT, coordinates with equivalent bodies in
gramme, headed by Japan’s Aerospace Exploration other countries and with tactical incident-response
Agency, in 2002.41 The programme launched its first sat- teams across the Japanese public and private sec-
ellite in 2010, followed by three more between 2016 and tors. The governmental CERT, NISC, also houses the
2018. Originally designed to augment the functionality of Government Security Operation Coordination Team,
the US Global Positioning System (GPS), the QZSS gives which is responsible for accurate and prompt informa-
Japan a degree of what the Cabinet Office describes as tion-sharing across the CERT structure.48

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 83


In the private sector, the major obstacle to improving norms of behaviour for states in cyberspace and, as part of
cyber resilience is the lack of willingness among compa- that norms-based approach, actively promotes the multi-
nies to share information regarding cyber incidents. This stakeholder model of internet governance. The govern-
is partly the result of cultural and structural factors. These ment has a policy of leading international debate on how
include a general lack of familiarity with cyber-security to ensure a ‘free, fair, and secure cyberspace, strengthen-
issues among senior business leaders, an overreliance ing coordination with other countries’.55 This policy has
on government regulators to establish cyber-security three pillars: promoting the rule of law in cyberspace,
requirements and traditional Japanese business practices developing confidence-building measures and enhanc-
that hinder collaboration between companies. According ing international cooperation on capacity-building.
to government statistics, Japanese companies have been At the global level, Japan has participated in five ses-
slow to integrate cyber security into their corporate gov- sions of the United Nations Group of Governmental
ernance, especially their risk planning.49 Experts56 and has been promoting the rule of law and
The Ministry of Economy, Trade and Industry and confidence-building in cyberspace within the framework
one of its subsidiaries, the Information-Technology of the UN.57 Tokyo participates in the G7 Cyber Expert
Promotion Agency, Japan, have published ‘Cybersecurity Group and various dialogues with regional organisa-
Management Guidelines’ for business leaders in an effort tions, such as the ASEAN–Japan Information Security
to promote cyber-security measures and standards in the Policy Meeting and the ASEAN–Japan Cybercrime
private sector.50 The fact that these guidelines are based on Dialogue.58 Japan is also a party to the Convention on
the Cybersecurity Framework of the US National Institute Cybercrime and actively aims to strengthen interna-
of Standards and Technology illustrates both a tendency tional law in that respect by promoting the convention
towards the adoption of the US view on cyber security and in international forums.59
an absence of significant domestic innovation on the issue. In regional diplomacy, Japan has been partnering
Within the Japanese government, a framework for rais- with members of the Association of Southeast Asian
ing cyber-security standards – the Common Standards on Nations (ASEAN) on the protection of critical infrastruc-
Information Security Measures for Government Agencies ture and rapid incident response. Tokyo was a leading
and Related Agencies – has been in place since 2016.51 The force in establishing the ASEAN–Japan Cybersecurity
government’s engagement with certain aspects of cyber Capacity Building Centre, in Bangkok, which facilitates
security since 2006, and the strong ICT sector, probably the development of a standardised incident-reporting
contributed to Japan being ranked 14th out of 175 coun- framework across Southeast Asia,60 and was also instru-
tries in the 2018 Global Cybersecurity Index compiled by mental in setting up the ASEAN Computer Emergency
the International Telecommunication Union.52 Response Team (ASEAN-CERT).
The government has also been holding regular cyber As one of NATO’s global partners and a member
exercises involving both the public and private sectors, of the Partnership for Peace (PfP), Japan became a
some of which have been on quite a large scale – the one contributing member of NATO’s Cooperative Cyber
in November 2019, for example, had about 5,000 par- Defence Centre of Excellence (CCD COE) in March
ticipants.53 As an example of partnerships with the pri- 2019.61 The CCD COE’s mission is to enhance coopera-
vate sector, in July 2013 the MoD set up a Cyber Defense tion and information-sharing on cyber defence among
Council consisting of around ten defence contractors. Its NATO members and partners.62 Japan participated in
aim is to coordinate exchanges of information between the CCD COE-led exercise dubbed Cyber Coalition 2019
the defence industry and the government, and to organ- in December 2019; the aim, according to the Japanese
ise joint cyber exercises.54 MoD, was ‘to deepen the knowledge of how to cooper-
ate with NATO on cyber defence’ and to improve the
Global leadership in cyberspace affairs ‘tactical skills’ of the MoD and the JSDF.63
Japan has set itself the goal of becoming a leader in cyber Japan’s longest and closest international cyber part-
diplomacy. Tokyo aims to solidify international rules and nership, however, is with the US. The current Japan–US

84 The International Institute for Strategic Studies


Cyber Dialogue and the Japan–US Policy Cooperation views on the post-Second World War pacifist constitu-
Dialogue on the Internet Economy are of particular impor- tion. Article 9 of the constitution denies the country the
tance to the Japanese government, given that the US is the right to military forces of any kind. Though this has
ultimate guarantor of Japan’s security. The Japanese MoD been ignored since 1954, when the Self-Defense Forces
and the Pentagon have established the Cyber Defense Act was passed, every government has had to make
Policy Working Group, aiming to deepen information- complex legal and political arguments to massage pub-
sharing, organise joint exercises, promote policy discus- lic opinion each time the reach and mission of Japan’s
sions and cooperate in training cyber-security experts.64 forces have been extended. Since 2015 the government
Japan has CERT cooperation agreements with other has made additional reinterpretations to make it pos-
Asian countries, including India, and with Australia. sible, under certain circumstances, to come to the aid of
Japanese CERT officials meet annually with Chinese an ally even if Japan itself is not under attack.69 This shift
and South Korean counterparts, and also cooperate is now also seen as allowing collective self-defence and
with the Asia-Pacific Computer Emergency Response active defence in cyberspace.70
Team (APCERT) on the TSUBAME project, a traffic- At the same time, there have been hints in official doc-
monitoring system that shares data between 23 national uments of a subtle shift in Japanese policy from focusing
CERTs.65 Japanese CERTs cooperate effectively with purely on defence to developing offensive capabilities,
their US counterparts, and with others in the Asia- for which there has been a low-key push by the JSDF.71
Pacific region, but less so with those in Europe. The 2020 defence white paper states that the armed
Japan has established bilateral cyber dialogues with forces would act to disrupt enemy cyber operations
11 countries – Australia, Estonia, during an attack on Japan.72 Some
France, Germany, India, Israel, senior policymakers have also sug-
Russia, South Korea, Ukraine, the
Japan’s longest gested that offensive cyber is being
UK and the US – and also with the and closest considered as a way of providing a
European Union (EU) and NATO. international ‘deterrence by punishment’ option
Besides participating in the ASEAN– for Japan, including as part of its mis-
Japan Cybersecurity Policy Meeting,
cyber partnership sile-defence strategy. However, this
where the focus is on capacity-build- is with the US would require Japan’s Self-Defense
ing, Japan also holds trilateral cyber Forces Law to be revised.73
discussions with China and South Korea, focusing on The fact remains that, for the foreseeable future,
North Korean operations.66 The UK and the EU have Japan will probably remain reliant on its alliance
dialogues with Japan at the ministerial and expert lev- with the US for any kind of offensive response to a
els, as well as technical cooperation and joint capacity- cyber threat. It is notable that the 2015 guidelines for
building.67 Japan and the EU have also been jointly US–Japan defence cooperation74 include an entire sec-
promoting better data protection, with the European tion dedicated to cyberspace, setting out the circum-
Commission having agreed with Japan on arrangements stances under which the US can lend cyber support
for data exchange without further reference to national in Japan’s defence. The narrowest interpretation of
authorities for approval – a move that facilitates the the text would limit US assistance to the protection
gradual streamlining of data-privacy standards.68 of Japanese critical information infrastructure used by
US forces in Japan, but in the broadest interpretation
Offensive cyber capability the text is analogous to NATO’s Article 5, with a seri-
The development of any offensive military capability is ous cyber attack on Japan being treated like an attack
constrained by Japan’s military history and by current on the US.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 85


Notes

1 Information Security Council, The First National Strategy on gathering and analysis on domestic and foreign cybersecurity;
Information Security: Toward the Realisation of a Trustworthy the promotion of international cooperation and collaboration;
Society, 2 February 2006, http://www.nisc.go.jp/eng/pdf/ and cybersecurity workforce development for and by the
national_strategy_001_eng.pdf. governmental bodies’. National Center of Incident Readiness
2 Information Security Council, Cybersecurity Strategy: Towards a and Strategy for Cybersecurity, Organisational Structure, http://
World-Leading, Resilient and Vigorous Cyberspace, 10 June 2013, http:// www.nisc.go.jp/about/organize.html.
www.nisc.go.jp/active/kihon/pdf/cybersecuritystrategy-en.pdf. 16 National Center of Incident Readiness and Strategy for

3 Japan Ministry of Foreign Affairs, National Security Strategy, 17 Cybersecurity, Cybersecurity Framework in the Government of

December 2013, http://japan.kantei.go.jp/96_abe/documents/2013/ Japan (handout), September 2019.

__icsFiles/afieldfile/2013/12/17/NSS.pdf. 17 Cyber Security Strategy in Japan: Present Situation and Challenges,

4 Government of Japan, Cybersecurity Strategy, 4 September 2015, presentation delivered by Tomoo Yamauchi, Deputy Director-

http://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf. General, NISC, to the Foreign Press Center of Japan, 4 July

5 National Center of Incident Readiness and Strategy for 2019, https://fpcj.jp/wp/wp-content/uploads/2019/07/190704-

Cybersecurity, General Framework for Secure IoT Systems, 26 August Cybersecurity-StrategyForeign-Press-Center-1.pdf.

2016, http://www.nisc.go.jp/eng/pdf/iot_framework2016_eng.pdf. 18 Ministry of Defense, ‘Regarding Response to Cyber Attack’,

6 US Department of Defense, ‘The Guidelines for U.S.–Japan undated, https://www.mod.go.jp/e/publ/answers/cyber/index.

Defense Cooperation’, 27 April 2015, https://archive.defense. html.

gov/pubs/20150427_--_GUIDELINES_FOR_US-JAPAN_ 19 Franz-Stefan Gady and Yuka Koshino, ‘Japan and Cyber

DEFENSE_COOPERATION.pdf. The ‘guidelines’ framework Capabilities: How Much Is Enough?’, Military Balance blog,
has been used since 1979 to set the parameters of defence International Institute for Strategic Studies, 28 August 2020,
cooperation between the two countries. https://www.iiss.org/blogs/military-balance/2020/08/

7 National Center of Incident Readiness and Strategy for japan-cyber-capabilities.

Cybersecurity, Cybersecurity Strategy, 27 July 2018, https:// 20 ‘Japan Embraces AI Tools to Fight Cyberattacks with US$237

www.nisc.go.jp/eng/pdf/cs-senryaku2018-en.pdf. Million Investment’, CISO Magazine, 6 April 2020, https://

8 Richard J. Samuels, Special Duty: A History of the Japanese cisomag.eccouncil.org/japan-embraces-ai-tools-to-fight-

Intelligence Community (Ithaca, NY: Cornell University Press, cyberattacks-with-us237-mn-investment.

2019), pp. 228–9. 21 Daishi Abe, ‘Lagging China and the US, Japan to beef up

9 Ministry of Defense, National Defense Program Guidelines for FY cyberdefense’, Nikkei Asia, 20 June 2020, https://asia.nikkei.com/

2019 and beyond, 18 December 2018, https://www.mod.go.jp/j/ Politics/Lagging-China-and-the-US-Japan-to-beef-up-cyberdefense.

approach/agenda/guideline/2019/pdf/20181218_e.pdf. 22 DIH is Japan’s largest intelligence organisation, with around

10 National Center of Incident Readiness and Strategy for 2,000 personnel in 2020.

Cybersecurity, Cybersecurity Strategy, 27 July 2018. 23 Samuels, Special Duty: A History of the Japanese Intelligence

11 Ministry of Defense, Defense of Japan 2020, 2020, p. 41, https://www. Community, p. 232.

mod.go.jp/e/publ/w_paper/wp2020/DOJ2020_EN_Full.pdf. 24 Ministry of Defense, Defense Programs and Budget of Japan:

12 Ibid., pp. 218, 267. Overview of FY2020 Budget Request, 2019, https://www.mod.

13 Ministry of Defense, Medium Term Defense Program (FY 2019 go.jp/e/d_act/d_budget/pdf/200225a.pdf.

– FY 2023), 18 December 2018, https://www.mod.go.jp/j/ 25 Longmei Zhang and Sally Chen, ‘China’s Digital Economy:

approach/agenda/guideline/2019/pdf/chuki_seibi31-35_e.pdf. Opportunities and risks’, International Monetary Fund

14 Government of Japan, Cybersecurity Strategy, 4 September 2015. Working Paper, no. WP/19/16, 17 January 2019, p. 4, https://

15 These include: ‘the network-based vigilance and monitoring www.imf.org/en/Publications/WP/Issues/2019/01/17/

of malicious activities against information systems of Chinas-Digital-Economy-Opportunities-and-Risks-46459.

administrative organs; fact-finding on the cause of incidents 26 For technology companies in 2020, see https://fortune.com/

and audit of relevant governmental bodies; information global500/2020/search/?sector=Technology. For telecoms

86 The International Institute for Strategic Studies


companies in 2020, see https://fortune.com/global500/2020/sear 43 Quasi-Zenith Satellite System (QZSS), ‘[Report] Deliberations

ch/?sector=Telecommunications. on QZSS at the 7th Session of the IMO’s NCSR’, 5 March 2020,

27 Hiroshi Fujiwara, ‘Why Japan leads industrial robot production’, https://qzss.go.jp/en/events/imo_200305.html.

International Federation of Robotics (IFR), 17 December 2018, 44 Ministry of Defense, Defense of Japan 2020, pp. 266–7.

https://ifr.org/post/why-japan-leads-industrial-robot-production. 45 National Center of Incident Readiness and Strategy for

28 OECD, Japan, OECD Economic Surveys, April 2019, p. 44, https:// Cybersecurity, Cybersecurity Strategy, 27 July 2018.

www.oecd-ilibrary.org/economics/oecd-economic-surveys- 46 National Center of Incident Readiness and Strategy for

japan-2019_fd63f374-en. Cybersecurity, ‘Summary of Cybersecurity Policy for CIP

29 Osamu Tsukimori, ‘Japanese manufacturers use decades of (4th Edition)’, 25 July 2018, https://www.nisc.go.jp/eng/pdf/

experience to dominate key chemical market for cutting edge cs_policy_cip_eng_v4_summary.pdf.

chips’, Japan Times, 9 October 2019, https://www.japantimes. 47 Mihoko Matsubara, ‘A Glimpse into Private Sector Security in

co.jp/news/2019/10/09/business/japanese-manufacturers-use- Japan’, Lawfare, 26 June 2018, https://www.lawfareblog.com/

decades-experience-dominate-key-chemical-market-cutting- glimpse-private-sector-cybersecurity-japan.

edge-chips/#.Xc7ePS10eHo. 48 National Center of Incident Readiness and Strategy for

30 Nippon Telegraph Telephone (NTT) Group, https://www.ntt. Cybersecurity, ‘The Guidance on Operations of Information

co.jp/index_e.html. Security Measures of Government Agencies and Related

31 Ipv6 Test, ‘IPv6 in Japan’, October 2019, https://ipv6-test.com/ Agencies’, 31 August 2016, Revised 25 July 2018, https://www.

stats/country/JP. nisc.go.jp/eng/pdf/shishin30-en.pdf.

32 NTT WE Marine, ‘Cable-Laying Vessels’, https://www.nttwem. 49 Information Technology Promotion Agency, ‘Fact-finding

co.jp/english/ship. survey on corporate CISOs and promotion of security

33 OECD, Japan, OECD Economic Surveys, April 2019, p. 44. measures’, 25 March 2020, https://www.ipa.go.jp/security/

34 BBC News, ‘Japan’s cyber-security minister has “never used a fy2019/reports/2019DL_index.html.

computer”’, 15 November 2018, https://www.bbc.co.uk/news/ 50 Ministry of Economy, Trade and Industry, ‘Cybersecurity

technology-46222026. Management Guidelines Revised’, press release, 16 November

35 Ministry of Economy, Trade and Industry, The Cyber/Physical 2017, https://www.meti.go.jp/english/press/2017/1116_001.html.

Security Framework: To ensure trusthworthiness of a new type of 51 National Center of Incident Readiness and Strategy for

supply chain in ‘Society 5.0’, so-called ‘value creation process’, Cybersecurity, ‘The Guidance on Operations of Information

18 April 2019, https://www.meti.go.jp/english/press/2019/ Security Measures of Government Agencies and Related Agencies’.

pdf/0418_001b.pdf. 52 International Telecommunication Union, ‘Global Cybersecurity

36 Ministry of Economy, Trade and Industry, Cyber/Physical Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/

Security Framework (CPSF) Formulated, 18 April 2019, https:// D-STR-GCI.01-2018-PDF-E.pdf.

www.meti.go.jp/english/press/2019/0418_001.html. 53 ‘Jūyō infura 14 bun’ya ni yoru bun’ya ōdan-teki enshū o kaisai,

37 Ibid. yaku 5, 000-mei ga sanka (NISC)’, ScanNetSecurity, 12 November


38 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United 2019, https://scan.netsecurity.ne.jp/article/2019/11/12/43217.html.
States Stay Ahead of China?’, 21 December 2020, https:// 54 ‘Inauguration and Initiatives of the Cyber Defense Council’,

chuvpilo.medium.com/ai-research-rankings-2020-can-the- Japan Defense Focus, no. 44, September 2013, https://www.mod.

united-states-stay-ahead-of-china-61cf14b1216. go.jp/e/jdf/sp/no44/sp_activities.html#article03.

39 Ibid. 55 Ministry of Foreign Affairs, Cybersecurity presentation,

40 Ministry of Defense, Defense of Japan 2019, 2019, p. 229, https:// undated, https://www.mofa.go.jp/files/000412327.pdf.

www.mod.go.jp/e/publ/w_paper/wp2019/pdf. 56 Since a UN General Assembly resolution in 2004, a UN Group

41 Cabinet Office, ‘Juntenchōeisei shisutemu ni tsuite’, undated, of Governmental Experts (GGE) has convened for two-year

https://www8.cao.go.jp/space/qzs/qzs.html. terms to address international-security aspects of cyberspace.

42 Quasi-Zenith Satellite System (QZSS), ‘Overview of the It was known as the GGE on ‘Developments in the Field

Quasi-Zenith Satellite System (QZSS)’, https://qzss.go.jp/en/ of Information and Telecommunications in the Context of

overview/services/sv01_what.html. International Security’ until 2018, when it was renamed the GGE

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 87


on ‘Advancing Responsible State Behaviour in Cyberspace in the 66 The latest trilateral dialogue was held in December 2020. See

Context of International Security’. In cyberspace-policy circles it Ministry of Foreign Affairs of Japan, ‘The 5th Trilateral Cyber

is common to refer to it simply as ‘the GGE’. See UN Office for Policy Consultation’, 10 December 2020, https://www.mofa.

Disarmament Affairs, ‘Developments in the field of information go.jp/press/release/press24e_000019.html.

and telecommunications in the context of international security’, 67 Wilhelm M. Vosse, ‘Japan’s Cyber Diplomacy’, Research in

https://www.un.org/disarmament/ict-security. Focus, EU Cyber Direct, October 2019, https://eucyberdirect.

57 United Nations, Report of the Group of Governmental Experts on eu/wp-content/uploads/2019/10/vosse_rif_topublish.pdf.

Developments in the Field of Information and Telecommunications 68 European Commission, ‘European Commission adopts

in the Context of International Security, 22 July 2015, https://www. adequacy decision on Japan, creating the largest area of safe

un.org/ga/search/view_doc.asp?symbol=A/70/174. data flows’, press release, 22 January 2019, https://ec.europa.

58 Ministry of Defense, Defense of Japan 2019. eu/commission/presscorner/detail/en/IP_19_421.

59 Council of Europe, ‘Japan joins Budapest Convention’, 69 Franz-Stefan Gady, ‘Toothless tiger: Japan Self-Defence

press release, 3 July 2012, https://www.coe.int/en/web/ Forces’, BBC News, 14 October 2015, https://www.bbc.com/

cybercrime/news/-/asset_publisher/S73WWxscOuZ5/content/ news/world-asia-34485966.

japan-joins-budapest-convention?inheritRedirect=false. 70 See Daisuke Akimoto, ‘Cybersecurity and Japan’s

60 ‘Asean cybersecurity centre opens in Bangkok’, Bangkok Post, 14 Right to Self-Defense’, Institute for Security and

September 2018, https://www.bangkokpost.com/world/1540082/ Development Policy, undated, https://isdp.eu/

southeast-asian-cyber-security-centre-opens-in-thailand. cybersecurity-japans-right-to-self-defense.

61 NATO Cooperative Cyber Defence Centre of Excellence 71 Also, in 2019, according to a media report, the Ministry of

(CCD COE), ‘Japan to Join the NATO Cooperative Cyber Defense contracted private-sector companies to develop

Defence Centre of Excellence in Tallinn’, press release, 12 offensive cyber capabilities for defensive purposes. See ‘Japan

January 2018, https://ccdcoe.org/news/2018/japan-to-join- to develop 1st defense use computer virus against cyberattacks’,

the-nato-cooperative-cyber-defence-centre-of-excellence-in- Kyodo News, 30 April 2019, https://english.kyodonews.net/

tallinn. news/2019/04/e9e4df950d3d-japan-to-develop-1st-defense-

62 NATO Cooperative Cyber Defence Centre of Excellence, ‘About use-computer-virus-against-cyberattacks.html.

Us’, https://ccdcoe.org/about-us. 72 Ministry of Defense, Defense of Japan 2020, p. 218.

63 Ministry of Defense, ‘Participation in NATO Cyber Defence 73 See Franz-Stefan Gady and Yuka Koshino, ‘Japan and Cyber

Exercise “Cyber Coordination 2019”’, press release, 27 November Capabilities: How Much Is Enough?’, Military Balance blog,

2019, https://www.mod.go.jp/j/press/news/2019/11/27a.html. International Institute for Strategic Studies, 28 August 2020,


64 Ministry of Defense, Defense of Japan 2019. https://www.iiss.org/blogs/military-balance/2020/08/japan-

65 Asia Pacific Computer Emergency Response Team, ‘TSUBAME cyber-capabilities.

Working Group’, https://www.apcert.org/about/structure/ 74 US Department of Defense, ‘The Guidelines for U.S.–Japan

tsubame-wg/index.html. Defense Cooperation’.

88 The International Institute for Strategic Studies


8. China

China’s leaders have moved decisively to embrace the those of the United States, and cyber-resilience poli-
information revolution. They started from a position cies for its critical national infrastructure are only
of relative backwardness in electronics in the 1990s, in the early stages of development. China has been
but with the advantages of a rapidly growing economy locked in a battle with the United States and its allies
and technology transfer from abroad. The country has over global cyber governance since the early 2000s, a
since established the world’s most extensive cyber- contest aggravated by US determination to sanction
enabled domestic surveillance and censorship system, Chinese tech firms in response to China’s malicious
which is tightly controlled by the leadership. China’s behaviour in cyberspace. Since the early 2000s China
intention of becoming a cyber power was reflected in has conducted large-scale cyber operations abroad,
its military strategy released in 2015 and its first for- aiming to acquire intellectual property, achieve politi-
mal cyber-security strategy in 2016. The country has cal influence, carry out state-on-state espionage and
ambitious goals for the indigenous manufacture of position capabilities for disruptive effect in case of
the core internet technologies it relies on, aiming to future conflict. China is a second-tier cyber power but,
become a world leader in such technologies by 2030. given its growing industrial base in digital technology,
Its core cyber defences remain weak compared with it is the state best placed to join the US in the first tier.

Strategy and doctrine


China’s strategic approach to the security aspects of 2003 onwards, at the United Nations, it advocated the
cyberspace has been dominated by its perception of principle of ‘cyber sovereignty’ whereby states would
the ideological, economic and military threat from the be able to exert more control over their ‘sovereign’ por-
United States: the early development of US military tion of the internet. It was also in 2003 that China began
cyber doctrine in the 1990s; the use of cyber in US mili- implementing its ‘Golden Shield Project’, a programme
tary campaigns in Kosovo in 1999 and Iraq in 2003; and of internet-based internal surveillance and censorship
US support for the internet-based political revolts in that became known as the Great Firewall of China – an
states in the former Soviet bloc and North Africa. attempt to exert sovereign control. As part of this, from
From the outset, China’s main strategic preoccupa- 2009 onwards China undertook efforts to block certain
tion in cyberspace has been domestic – to prevent the US software applications (such as Facebook, Twitter and
spread of Western liberal thinking via the internet. From YouTube) because of conflicts with its censorship laws.

List of acronyms
BRI Belt and Road Initiative MPS Ministry of Public Security
CAC Cyberspace Administration of China MSS Ministry of State Security
CCP Chinese Communist Party PLA People’s Liberation Army
ICT information and communications technology SSF Strategic Support Force

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 89


In 2013, after ten years of partial reforms aimed at cyber-industrial ambitions, with the ban on sales of
enhancing the country’s cyber capabilities, the leaders microchip technology to Huawei a prime example of
of the Chinese Communist Party (CCP) were shocked US and allied tactics. It is not yet clear how damaging
by the revelations in the leaks by US defector Edward these tactics will be. They may push China to redouble
Snowden. The leaks made clear the continuing gulf its Made in China 2025 effort, to exploit the potential of
between the US and China on cyber capability, and its massive internal market (the country has one billion
particularly the weakness of China’s cyber defences (in of the world’s estimated four and a half billion internet
terms of protecting networks rather than controlling users), and to step up sales of Chinese technology to the
content). In 2014 President Xi Jinping instigated a wave developing world through the BRI.
of internet-related organisational reforms and new laws The other key dimension to China’s cyber strategy
and regulations, with the aim of making China a cyber since the early 2000s has been its use of cyber opera-
power. This included reconfiguring and assuming per- tions abroad for strategic effect. These have included
sonal leadership of the main CCP body in charge of industrial-scale espionage operations designed to
cyber policy1 and establishing a new government body acquire both commercial intellectual property and
alongside it, the Cyberspace Administration of China personal data. China has also actively used disruptive
(CAC). Numerous cyber-related strategies and meas- cyber operations, while being careful to pitch them
ures for the civil sector followed. China’s first national below the threshold that might trigger an escalatory
Cyberspace Security Strategy was published in 20162 response – its attempts to influence electoral processes
and was supported by China’s first Cybersecurity Law in Taiwan are one example.
in 2017.3 The strategy set nine core tasks, with a heavy China’s strategy and doctrine for the military use
emphasis on sovereignty and improving cyber-defence of cyber capabilities date from the early 2000s, with its
enablers (industry and education).4 2004 focus on ‘Winning Local Wars under Informatised
On the industry side, the ‘Made in China 2025’ Conditions’ an early example.8 This strategy envisioned
strategy, announced in 2015, is of particular signifi- the incorporation of information technology into every
cance. Identifying reliance on foreign vendors for its facet of military activity, with the information domain
core internet technology as China’s biggest cyber risk, seen not as separate but as integral to the land, air
this ambitious strategy intended to ensure that 70% of and sea domains. By 2005 this had redefined Chinese
the core internet technology the country depended on military doctrine, which stated that the protection or
would be manufactured domestically by 2025, and that destruction of information systems would be a ‘method
it would become a world leader in such technology of war’ for the People’s Liberation Army (PLA).9
by 2030. This is complemented by the Belt and Road It is important to note that Chinese military doctrine
Initiative (BRI), in which the Digital Silk Road compo- views ‘network’-related activities (what most other
nent is designed to open up markets in the developing states call ‘cyber operations’) as a component of infor-
world to Chinese technology. mation war.10 The Chinese military sees information
By 2020, many of these policy measures had begun to warfare as a struggle against adversaries to dominate
bear fruit, including a reported decline in the incidence the production and flow of information in order to sup-
of domestic cyber crime.5 But serious issues remained, port its strategic goals. Achieving this in a conflict envi-
including a reported doubling of intrusions into ronment – while degrading or constraining adversaries’
Chinese websites, with government sites a particular efforts – is termed ‘information dominance’.11
target.6 Implementation of the cyber strategy has been This is closely linked to the Chinese concept of ‘sys-
hampered by various constraints, the biggest internal tems confrontation’, informed by the Chinese percep-
one being the low priority given to cyber-security skills tion that the US defeated Iraq in the First Gulf War
in China’s education system and training institutions.7 (1990–91) by destroying Iraq’s operational command-
The main external impediment has been the intensifying and-control system.12 As set out in China’s The Science of
campaign by the US and its allies to constrain China’s Military Strategy, pre-emption is also a long-standing and

90 The International Institute for Strategic Studies


fundamental part of Chinese military thinking and has In the military cyber sphere, in 2015 Xi established the
become even more prominent in ‘information war’: vul- Strategic Support Force (SSF), where most of the PLA’s
nerability to a paralysing attack on one’s own command- cyber capabilities are now centred. This was part of sys-
and-control system places a premium on a first strike.13 tem-wide reforms to the PLA’s force structure, administra-
This thinking has matured under Xi’s leadership. One tion and command-and-control mechanisms. The SSF was
example is China’s first military strategy to recognise the not a new force created from scratch but instead the result
centrality of cyberspace in strategic and military policy, of the restructuring of existing units from across the armed
published in 2015, which stated that information would forces, consolidated under a single command structure.18
play a leading role in any conflict rather than being merely Today the SSF consists of two main elements: the Space
an enabler.14 By 2019 numerous PLA Systems Department, responsible for
sources were referring to the possibil- space operations, and the Network
ity that the acceleration of changes in The SSF will Systems Department, responsible for
military strategy, combined with new improve China’s strategic information operations.
technological opportunities, would The creation of the SSF is signifi-
lead to an arms race in ‘intelligentisa-
war readiness cant: not only does it report directly
tion’, meaning the use of artificial intel- to China’s paramount military deci-
ligence (AI) in military operations, intelligence collection sion-making body, the Central Military Commission,
and decision-making.15 but it has also combined disparate capabilities into an
The transitions foreshadowed in such doctrinal state- integrated whole. Previously the PLA’s information-
ments will take a long time to implement. As part of operations units had been grouped according to mis-
its aspiration to have a ‘world class military’ by 2050, sion type – namely reconnaissance, attack, defence and
China has set out a timetable to 2035 for the organisa- psychological warfare. For example, cyber espionage
tional reforms, including changes to force structure, and signals intelligence had been handled by the now-
that might turn doctrine into reality in the cyber realm.16 defunct Third Department of the General Staff; offen-
Like the US, China is pursuing a strategy of informa- sive cyber operations and electronic countermeasures
tion dominance in cyberspace, but acknowledges that had been siloed in the former Fourth Department; psy-
its armed forces will need to undergo a transformation chological warfare had been the responsibility of the
before that goal is reached.17 General Political Department; and most aspects of mil-
itary network security had been managed by the Gen-
Governance, command and control eral Staff Department’s Informatisation Department.
Since 2014, Xi has been at the top of the chain of com- Consolidating these functions into the SSF reflects
mand for all matters concerning cyberspace, both civil- the PLA’s new conception of space, cyber and the elec-
ian and military. His organisational changes to cyber tromagnetic spectrum as a unique warfighting domain
policy in the civil and military sectors suggest that he rather than adjunct functions serving other forms of
wanted to accelerate the transformations and score combat.19 The implications of the SSF for China’s mili-
some early successes in reducing the vulnerability of tary cyber capability are twofold. Firstly, a more uni-
Chinese networks to infiltration and attack. fied force will be able to prosecute the type of complex,
On the civilian side, the CAC has become the focal multidimensional information operations that the PLA
point of all cyberspace policy, although powerful inde- foresees in future conflicts. Psychological, electronic,
pendent nodes remain – such as the Ministry of Public cyber and kinetic actions can be incorporated into a
Security (MPS), the Ministry of State Security (MSS) and single information-warfare strategy, each deployed for
the Ministry of Industry and Information Technology. specific effects at different points in a crisis or conflict.20
The CAC has formalised the new agenda through Secondly, in terms of warfighting, the SSF will
national legislation and by setting up offices in each of improve China’s war readiness and help the PLA
the country’s 31 provincial-level administrations. shift more smoothly from a peacetime to a wartime

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 91


posture. By combining espionage and attack functions intelligence-analysis work carried out by key depart-
across electronic-, cyber- and space-warfare units, and ments of the CCP such as the Office for Taiwan Affairs,
by bringing them under a single command, the PLA the United Front Department, the Central Cyberspace
aims to survey the battlefield, prepare combined-arms Affairs Commission,24 the Central Commission for
operations and develop specific capabilities that can Politics and Law and the Central Military Commission.
be continuously adapted to match the requirements Partly in reaction to the process of opening up to the
of fast-moving situations.21 This includes malware and world through internet access and the increase in inter-
other cyber weapons, which can be developed, refined national exchanges of all kinds, and partly because of
and deployed in a continuous loop that draws on both enduring regime preferences, China has built the world’s
reconnaissance and offensive functions. most powerful domestic surveillance system. Its domes-
While the SSF has subsumed the PLA’s strategic tic intelligence capability depends not just on the agencies
information-warfare units, there are still units with described above but also on a complex web of enforce-
related functions that are attached to the single services ment mechanisms that operate in parallel. One of the
and continue to operate within the PLA’s newly cre- most important is the Central Discipline and Inspection
ated joint-theatre commands. It is unclear how effec- Commission of the CCP, which collects intelligence on
tively these units could operate alongside the SSF, and leading members of the party. Another is the web of CCP
whether they have a national mission or are able to coor- committees that extends throughout all levels of govern-
dinate and de-conflict their respective missions dur- ment, large commercial enterprises, hospitals, schools
ing operations. According to a PLA assessment of SSF and universities. In addition, the Golden Shield Project,
reforms, ‘cross-unit forces transfer and handover are launched in 2003, involves the use of information and
progressing smoothly; new adjustment and formation communications technology (ICT) to transform the way
of units are being completed and delimited according China’s security services collect, analyse and transmit
to plan; the system of systems architecture and contours information. China has also implemented a range of
of new-type combat forces is starting to appear’.22 While other initiatives to enhance its surveillance capabilities,
this authoritative assessment suggests optimism on the including Skynet, a massive video-surveillance network
part of the PLA, it also indicates that reforms are at an that comprises at least 200 million cameras nationwide,25
early stage, which is likely to limit the SSF’s ability to and Sharp Eyes, an extension of the Skynet network that
conduct multidimensional information-warfare opera- focuses on rural areas and leverages big data and AI for
tions in the short to medium term. social control.26
China also has a nationwide system that aspires to
Core cyber-intelligence capability consolidate data from street-level surveillance platforms,
China has unsurprisingly organised its intelligence agen- private and public services, and the digitised records
cies according to its unique political system and strategic that the party-state maintains on every citizen, aiming
needs. The priorities of the intelligence agencies include to allow the authorities to track individuals in real time
sustaining the rule of the CCP, public order, economic as they move across offline and online spaces. From the
and commercial intelligence, scientific and technical publicly available evidence, it is not clear how compre-
intelligence, military intelligence and covert operations hensive this system is or how effective it has been.
(with the latter including political-influence operations). While China’s core cyber-intelligence capabilities are
These intelligence goals are pursued by compet- therefore formidable domestically, it has also devel-
ing bureaucracies. Some are stand-alone, dedicated oped and extensively used cyber for overseas espio-
intelligence and security agencies such as the MSS,23 nage. These intelligence efforts are often characterised
the MPS and, within the PLA, the SSF. But unlike in terms of their volume rather than sophistication,
their counterparts in Western countries, these agen- with Chinese intrusions featuring heavily among those
cies all have significant operational roles in deliver- detected and attributed by Western intelligence agen-
ing internal security. They are complemented by the cies and cyber-security companies. That said, China

92 The International Institute for Strategic Studies


may have learned from the sophisticated Western intel- have subsequently increased the momentum, and under
ligence capabilities revealed in the Snowden leaks, and Xi there have been two particularly important develop-
may now possess more advanced capabilities either ments: his 2014 declaration of China’s aim of becoming
held in reserve or hidden in the sheer volume of its a cyber power and the government launch, in 2015, of
other operations.27 the Made in China 2025 industrial strategy.
China’s analysis and dissemination of intelligence is A government white paper in 2020 stated that China
less mature than that of the US and its key allies. While had moved from a period of rapid development of its
some security officials have suggested that there is now indigenous ICT industry to one in which there would
an unmanageable glut of data generated by ‘informa- be a deep and integrated digitisation of the economy
tised’ surveillance, the information ecosystem in China and society.29 It was not alone in this assessment. The
remains highly politicised and therefore difficult to International Monetary Fund has highlighted China’s
reform. It is characterised not just by a repressive and world-leading position in e-commerce and in some
closed institutional disposition and organisational cul- aspects of FinTech, describing its rate of digitisa-
ture, but also by the ferocity and intensity of the anti- tion as the fastest in the world.30 The scale of China’s
corruption campaign that Xi has led since he took office value-added digital economy reached RMB 35.8 trillion
as head of the CCP in November 2012. This campaign (US$5.12trn) in 2019, accounting for 36.2% of GDP – a
has purged thousands of officials from the intelligence higher share than in countries such as Brazil, India and
and security agencies, including many at senior levels. South Africa but still far behind the US (50%).31 China’s
Chinese intelligence analysis is very different from the fast-expanding ICT sector was valued in 2019 at RMB
systems operating in the US, the United Kingdom and in 7.1trn (US$1.02trn), or just over 7% of GDP. Provinces
many other Western governments: it remains ideology- with the most developed digital economies enjoyed
driven and is increasingly enmeshed with questions of the highest rates of economic growth (Beijing, Fujian,
prestige around the political goals of the CCP leaders, Guangdong, Shanghai and Zhejiang, for example).
making it less independent from political influence than China’s influence in the global ICT economy has risen
its Western equivalents. commensurately, including through its development of
online platforms. The China Academy of Information
Cyber empowerment and dependence and Communications Technology said in 2020 that with
China’s participation in the globalised ICT industrial the online-platform sector, led by Alibaba and Tencent,
sector began in 1984 and was boosted by relationships the country’s role had changed from ‘imitation and
with corporations based in the US (initially Motorola, catch-up’ to ‘leading global innovation’.32 Before the US
and later Microsoft). The sector expanded dramatically moved against it in 2020, the Chinese-owned company
once China had secured US agreement for public con- TikTok had set off a global short-video boom.
nectivity to the internet and the World Wide Web in Overall, however, a large obstacle in the way of
1995. A major force behind this expansion was former China’s cyber empowerment is its ongoing depend-
Chinese leader Jiang Zemin, who consistently advo- ence on foreign vendors for core internet technol-
cated industrial transformation through electronics and ogy, despite the Made in China 2025 strategy and
information technology. By 2000, due in part to Jiang’s indeed the emphasis science-and-technology policy
leadership, China regarded the information society as has placed on self-reliance ever since the founding of
an all-encompassing phenomenon that would be cru- the People’s Republic. The Chinese media has coined
cial for its future prosperity and security.28 By then, the the phrase ‘eight guardian warriors’ to refer to the US
still-nascent private sector was also playing a role in companies that remain enmeshed in China’s telecom-
the digital-technology sector, with Alibaba starting up munications infrastructure: Apple, Cisco, Google, IBM,
in 1999 and the emerging computer company Lenovo Intel, Microsoft, Oracle and Qualcomm.33 The issue was
getting a huge boost in 2005 when it acquired the desk- underlined in 2020 by the US using its domination of
top business of global tech giant IBM. Jiang’s successors the global microchip industry to undermine Huawei.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 93


Indeed, in a sign that China views its reliance on foreign as a connection via satellite over a smaller distance.40
technology companies as likely to be long term, some Chinese researchers announced in 2021 that a 4,600-km
of them – including Cisco, IBM, Intel and Microsoft – quantum-communications network was ready for use
were invited to join China’s leading consultative group after two years of experimental operations.41
for writing national standards related to cyber security. Space-based platforms related to cyber are an area
The move gives China better oversight of the use of US where China has achieved greater self-reliance. Its total
technology in its networks. Meanwhile, despite multiple satellite fleet numbers 410.42 It operates a large-scale
attempts to move away from Microsoft Windows, China space-based intelligence, surveillance and reconnais-
is yet to develop its own operating system to replace sance (ISR) capability, drawing on a fleet of 132 dedi-
those of Microsoft or Apple.34 cated military satellites that is the second largest in the
One of the technologies prioritised by Xi as part of world after that of the US.43 According to a 2019 report
the Made in China 2025 strategy is AI. In 2017 the gov- from the US Defense Intelligence Agency, China’s ISR
ernment issued its first development strategy specifi- satellites are capable of offering electro-optical and syn-
cally for AI, aiming for China to become a world leader thetic aperture radar (SAR) imagery as well as electronic
in the field by 2030.35 A summary of the 14th five-year and signals-intelligence data.44 They include the dual-use
plan (2020–25), released in October 2020, emphasises Yaogan satellite fleet45 and the Haiyang series of ocean sat-
investment in home-grown innovations and includes ellites, which provide global identification and tracking
AI in a list of ‘forward-looking and strategic’ technolo- for military and civilian vessels.46
gies alongside quantum communications, integrated China has also developed a sovereign capability in
circuits and biological engineering.36 Chinese firms satellite navigation through its Beidou system, rivalling
are leaders in some aspects of AI, the United States’ GPS and, impor-
especially concerning facial recog- Chinese firms are tantly, ending Chinese dependence
nition, but otherwise lag far behind on the US system for guiding its own
Microsoft and Google. The US still
leaders in some missiles. The Beidou network had cov-
leads in developing the foundational aspects of AI, but ered the entire Asia-Pacific region by
platform and support architecture otherwise lag far 2012 and achieved global coverage by
of AI, for example developing 66% mid-2020. Chinese military analysts
of global AI open-source software
behind Microsoft acknowledge that as China follows the
compared with China’s 13%.37 The and Google US into reliance on space- and cyber-
level of private-equity investment in based capabilities, it will inevitably
AI in China is still far below that in the US, which has come to have the same vulnerabilities during conflict.47
accounted for two-thirds of the global total since 2011.38 In summary, China has made significant progress in
China was placed second, behind the US, in a ranking of developing an indigenous digital-industrial base but
the top 50 countries according to their contributions to – given US dominance of global microchip supply,48 as
the two most prestigious AI conferences in 2020.39 The illustrated during the US–China trade war launched by
story is similar for quantum computing: in 2017 Chinese the Trump administration – it is likely to remain funda-
scientists succeeded in entangling ten superconducting mentally reliant on the US for its core internet technology
qubits, breaking Google’s prior world record of nine, for the foreseeable future. China has some advantages,
but since then Google has claimed a 54-qubit machine for example an enormous internal market that provides
(in 2019) and IBM has developed something similar. solid foundations for winning a substantial portion of the
Nevertheless, China may be a world leader in research developing world’s digital market. But it is notable that
and development (R&D) associated with quantum com- in 2019, in contrast to some of his previous rhetoric, Xi
munications, having declared the installation of the described the task facing China as a new ‘Long March’,49
world’s longest quantum-communications cable (2,000 seemingly an acceptance of the time and effort it will take
kilometres) between Beijing and Shanghai, as well to overcome the challenge posed by the US.

94 The International Institute for Strategic Studies


Cyber security and resilience ‘backdoors’.55 Also, the number of vulnerabilities iden-
Information security has been a priority for the Chinese tified in high-risk systems more than doubled from the
government since the 1990s, yet for much of that time previous year.56
the focus has been on ‘content security’, namely the The sheer number of new institutions, laws, regula-
censoring of politically subversive information in cyber- tions and announcements since 2014 suggests that China
space. Beijing’s preoccupation with content – rather is still in the early stages of building its cyber resilience
than the physical networks that transport it – reflects and contingency measures. Government, industry and
the party-state’s conception of state security, which is academia have begun institutionalised exchanges through
more expansive and ideological than Western notions the Cybersecurity Association of China, created in 2016,
of national security. China’s leaders see the security of which reportedly aligns the three sectors around a com-
the regime as constantly under threat.50 It is likely that mon set of objectives.57 Also in 2016, Beijing announced
the focus on promoting content security to meet censor- a major reform of its national cyber-standards commit-
ship objectives has diminished efforts to advance other tee, the National Information Security Standardisation
forms of network-centred (cyber) security, and that this Technical Committee (NISSTC), with representatives from
constraining effect will persist. across government, from hundreds of Chinese companies
A succession of shocks has produced a sea change and from a much smaller number of foreign companies.
in China’s approach to network security. In 2013, apart By 2018 the NISSTC had published more than 300 new
from the Snowden leaks, China had to deal with the cyber-security standards, covering critical-information-
humiliating exposure of a PLA cyber-espionage unit infrastructure protection, product review and other are-
(61398) by Mandiant, a US cyber-security firm, which as.58 In December 2019, the Multi-level Protection Scheme
revealed deeply concerning gaps in 2.0 (MLPS 2.0) was implemented,
the Chinese military’s cyber security. broadening the scope for regulation
Meanwhile, the eavesdropping on Beijing’s own of network operators and imposing
China’s top leaders ordered by the dis- assessments of heightened regulatory requirements.59
graced former internal-security chief To strengthen the security of its criti-
Zhou Yongkang in 2012 had high-
its cyber security cal information infrastructure, China
lighted the vulnerability of leadership have been sober published ‘Cybersecurity Review
communications and the dangers of a Measures’ in 2020, outlining a set of
cyber-espionage capability beyond central control.51 rules to govern the review of supply-chain reliability
Beijing’s own assessments of its cyber secu- and security underlying the products and services used
rity have been sober. A 2017 report by the National by the operators of the infrastructure.60 The government
Computer Network Emergency Response Technical also released a draft Data Security Law in July 202061 and
Team (CNCERT) stated that attacks from foreign states a draft Personal Information Protection Law in October
(advanced persistent threats) were frequent and becom- 2020, representing the first comprehensive legislation
ing ‘normal’, and were directly threatening national secu- relating to the security of personal data.62
rity.52 The report referred to serious damage to data and Additionally, China’s domestic cyber-security indus-
rampant fraud, noting that the number of attacks against try is much smaller than its US counterpart. Its total rev-
industrial control systems was increasing, with many enue in 2019, according to the Cybersecurity Association
important safety incidents.53 In September 2020, the six- of China, was RMB 52.09bn (US$8.09bn),63 which repre-
monthly report released by the China Internet Network sented less than 7% of the global cyber-security industry
Information Center noted that personal cyber security (estimated at US$120bn in 2019).64 The leading cyber-
had improved, especially in the area of online fraud, but security firms in China have much lower revenues than
the country’s overall cyber-security situation had wors- those in the US, and much smaller global footprints. In
ened.54 It reported a significant increase in the number the first quarter of 2020, for example, Cisco Systems, Palo
of websites affected, some of which were infected with Alto Networks and Fortinet respectively accounted for

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 95


9.1%, 7.8% and 5.9% of the global market 65 and the total its interests. The first step, in 2014, was its creation of
US share was estimated at around 40%.66 the Wuzhen Internet Forum, partly in response to a
China was ranked 27th out of 175 countries in the series of internet-governance conferences launched in
2018 Global Cybersecurity Index compiled by the Inter- London by the UK and like-minded countries in 2011.
national Telecommunication Union (ITU).67 Its abil- In March 2017 the Ministry of Foreign Affairs and the
ity to improve cyber security in the short to medium State Internet Information Office published China’s
term will be constrained by its lack of a well-developed vision in an ‘International Strategy of Cooperation in
cyber-industrial complex – the enterprises, researchers Cyberspace’, stating that the ‘existing global govern-
and investors that help design and develop cyber-secu- ance system of basic internet resources hardly reflects
rity technology. Cyber-security research and education the desires and interests of the majority of countries’.73
in China is still at a basic level, with the country hav- Central to the document was the concept of ‘cyber sover-
ing no world-class universities in the field according eignty’: while Beijing has yet to define the term explicitly,
to the Chinese University Alumni Association’s 2019 it encompasses the idea that a state should have control
ranking.68 over networks and content within its own borders.74
Also, in September 2020, China moved assertively to
Global leadership in cyberspace affairs propose a ‘Global Data Security Initiative’ during a high-
Since 2002, China has engaged in efforts through the level international symposium in Beijing, in direct oppo-
UN, the ITU and other forums to establish new inter- sition to the United States’ Clean Network programme
national governance and norms of behaviour for cyber- announced a month earlier.75 Besides advocating a
space, often leading like-minded states in arguing for ‘comprehensive and objective’ approach towards data-
greater censorship and state sovereignty.69 It has worked security issues, the initiative also demands respect for
closely in this process with Russia and other members the ‘sovereignty, jurisdiction and security management
of the Shanghai Cooperation Organisation. Since at least rights’ of other countries, aligning with China’s concept
2010, when then US secretary of state Hillary Clinton of cyber sovereignty.76
made a major speech on internet freedom,70 China has Domestically, Beijing has passed legislation to
found itself locked in an ideological battle with major compel foreign companies in China to store data on
Western states on the human-rights and security aspects domestic servers and hand over sensitive intellectual
of norm-setting for cyberspace. property (IP) and source code for verification and test-
On rare occasions China has joined an international ing – examples include the State Security Law (2015) and
consensus. In 2013, for example, its representative in the Cybersecurity Law (2017). Other laws, for example the
UN Group of Governmental Experts (GGE)71 supported National Encryption Law of 2019, have further asserted
the collective agreement that international law applied China’s national-security interests in terms of its con-
in cyberspace, and in 2015 it joined a consensus position trol of information technologies.77 Such regulations pre-
on possible voluntary norms for cyberspace. However, sent obvious risks of intellectual-property theft but also
China subsequently took the view that the GGE pro- exemplify the type of norms and behaviours Beijing is
cess was not adequate for its purposes and became a increasingly promoting in international forums. China
leader in the push for an Open-Ended Working Group is pushing for reform of international institutions such
(OEWG), seen as a means of diluting Western influence as the UN Internet Governance Forum (IGF),78 aiming to
and allowing unfiltered participation by all states in a strengthen their decision-making capacity. Beijing sees
UN-sponsored process.72 The OEWG was created in UN rule-making in cyberspace as embodying the state-
2018 and began operating a year later. led approach to cyber governance, which it favours,
China’s move away from the consensus position rather than the West’s vision of relatively unrestricted
in the UN norms forums was mirrored on the global information flows.79
diplomatic stage by its leadership of an agenda on The normative effect of China’s cyber-governance
global internet governance much more in line with model is becoming increasingly apparent in other

96 The International Institute for Strategic Studies


authoritarian states, such as Vietnam and Russia, which the International Electrotechnical Commission and the
have passed strikingly similar laws on internet regula- ITU.81 However, Western and allied countries continue
tion. Beijing has enabled oppressive politics in other states to exert a strong influence in this arena through their
through the export of surveillance technology, in which world-leading corporations. Of the 51 tech or telecoms
China is now an industry leader. Huawei, for example, companies in the 2020 Fortune ‘Global 500’, China had
has worked with the security forces in Zimbabwe to build only eight; the US and its allies or close partners had the
voice- and facial-recognition systems, and is also widely other 43.82
exporting its ‘smart cities’ technology, whose combina-
tion of bulk data collection, storage and AI-enabled sur- Offensive cyber capability
veillance offers governments a greatly increased capacity China, like Russia, has made extensive use of lower-end
for surveillance and social control. cyber capabilities for peacetime influence-and-infor-
Beijing has advanced its cyber interests through the mation operations, and thereby gained considerable
Digital Silk Road, a sub-strand of the BRI. This is a geo- experience of the relevant techniques. Based on pub-
economic initiative aiming to place China at the centre lished doctrine and proven cyber-intelligence reach, it
of a global digital supply chain dominated by Chinese is likely that China has also developed effective offen-
digital goods and services, and held together by Chinese sive cyber tools for combat use.
infrastructure, technological standards, laws and regu- Though China has not published a cyber-warfare
lations. Though the initiative is still in its early stages, doctrine, and it may be the case that none exists,83
Chinese telecoms firms already provide products and authoritative PLA writings acknowledge the existence
services that sit at the core of telecoms infrastructure in of an offensive cyber capability. The 2013 edition of The
many countries. Science of Military Strategy, for example, dedicates a sec-
Chinese IT companies enjoy significant state backing tion to conflict in cyberspace and divides operations into
in the form of subsidies and R&D inputs, and some of the four categories of reconnaissance, attack, defence
them, in particular Huawei, now enjoy global leader- and deterrence, the first two of which are offensive in
ship in 5G technology alongside Western corporations. nature.84 Computer reconnaissance is the use of comput-
The potential for Chinese firms to provide 5G technol- ers to identify, monitor and analyse enemy computer
ogy to networks across the world has met with fierce networks and systems. It aims to prepare the ground in
resistance from some Western states, peacetime for future military opera-
whose political elites fear the security tions by identifying weaknesses in
implications of Chinese technology
Beijing has adversary systems. As the require-
and its potential to be used for espio- passed ments for successful penetration of an
nage or disruption.80 By mid-2020 legislation to adversary system for reconnaissance
the campaign against Huawei had purposes are similar to those in a ‘net-
significantly damaged its business
compel foreign work strike’, it is possible to switch
prospects in major developed coun- companies in from reconnaissance to attack at the
tries but had not achieved the same China to store appropriate moment.85
impact in most other states, nor pre- The Chinese view is that network
vented the company from making a
data on domestic strikes could potentially follow soon
profit overall. servers after the outbreak of a conflict and
China now plays a powerful role would serve to disable an adversary
in global standard-setting in emerging technologies system.86 The Science of Military Strategy asserts that
such as the Internet of Things, Internet Protocol Version civilian as well as military infrastructure is a potential
6 (IPv6) and 5G, and Beijing has attained key posi- target during conflict, partly as the former sustains the
tions in international standard-setting agencies such latter but also because network strikes against civilian
as the International Organisation for Standardisation, targets are less likely to escalate the conflict.87 The PLA

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 97


is also considering the use of more advanced capabili- or war is unknown. Nevertheless, the PLA and Chinese
ties such as ‘integrated network electronic warfare’, intelligence agencies have successfully penetrated US
which would enable it to insert malicious algorithms government and commercial networks on multiple
into an adversary network even if a wire connection occasions, deploying malware to steal classified infor-
does not exist. For example, Dai Qingmin, a former mation and intellectual property. During a conflict the
head of the Fourth Department of the General Staff, PLA’s offensive cyber forces could presumably deploy
wrote as early as 1999 about the potential to use wire- similar capabilities to try to cripple the critical systems
less (radio-based) cyber attacks to intercept satellites’ of an adversary. The knowledge acquired through past
communications or gain control over their command- operations may also have shed light on vulnerabilities
and-control systems.88 that could be exploited during wartime.89 The PLA has
Chinese assertions about the role and efficacy of such both the capability and the will to penetrate adversary
cyber attacks by their armed forces remain untested, so systems for the purpose of intelligence collection and
their potential impact in an actual combat engagement offensive operations.

Notes

1 This CCP body was known as the Small Leading Group on P020191112539794960687.pdf. The report covers the first six

Informatisation and Cyber Security until 2018, when it was months of 2019.

upgraded to the status of a CCP commission and renamed the 6 Ibid., p. 74.

Central Commission for Informatisation and Cyber Security 7 See Greg Austin and Wenze Lu, ‘Five Years of Cyber Security

(CCIC). This put it on a similar level to powerful entities such Education Reform in China’, in Greg Austin (ed.), Cyber Security

as the Central Military Commission. Its name in English is Education: Principles and Policies (Abingdon: Routledge, 2020).

often shortened to the Central Cyberspace Affairs Commission 8 For an overview of the early military developments, see Greg

(CCAC). The equivalent government body remains the Austin, ‘China’s Security in the Information Age’, in Lowell

Cyberspace Administration of China, which operates in part as Dittmer and Maochun Yu (eds), Routledge Handbook of Chinese

the secretariat or office for the CCIC. Security (Abingdon: Routledge, 2015), pp. 355–70.

2 Cyberspace Administration of China, ‘National Cyberspace 9 Yan Weifeng, Cong Meijun ‘konghai yiti zhan’ gouxiang kan zhanyi

Security  Strategy’, 2016, https://chinacopyrightandmedia. fazhan (Beijing: Haichao Press, 2016), p. 197.

wordpress.com/2016/12/27/national-cyberspace-security-strategy. 10 Parallel concepts employed by the PLA also include

3 Rogier Creemers, Paul Triolo and  Graham Webster, ‘network space’ (wangluo kongjian) instead of ‘cyberspace’,

‘Translation: Cybersecurity Law of the People’s Republic of and ‘network warfare’ (wangluo zhan) instead of ‘cyber

China (Effective June 1, 2017)’, New America, 2018, https:// operations’. The PLA’s dictionary of military terms

www.newamerica.org/cybersecurity-initiative/digichina/blog/ defines network warfare as ‘operations to destroy an

translation-cybersecurity-law-peoples-republic-china. enemy’s network systems and network information, [and]

4 For an overview, see Greg Austin, Cybersecurity in China: The degrade their effectiveness, while protecting one’s own

Next Wave (New York: Springer, 2018), p. 8. network systems and network information’. See Military

5 China Internet Network Information Center, ‘Statistical Terminology Committee, Academy of Military Sciences,

Report on Internet Development in China’, August 2019, pp. Military Terminology of the People’s Liberation Army (Beijing:

72–3, https://cnnic.com.cn/IDR/ReportDownloads/201911/ AMS Publishing, 2011), p. 286.

98 The International Institute for Strategic Studies


11 Dean Cheng, ‘Winning Without Fighting: The Chinese 24 See endnote 1.

Psychological Warfare Challenge’, The Heritage Foundation, 25 Brendon Hong, ‘The American Money Behind Blacklisted

12 July 2013, p. 2, https://www.heritage.org/global-politics/ Chinese AI Companies’, Daily Beast, 2 January 2021,  https://

report/winning-without-fighting-the-chinese-psychological- www.thedailybeast.com/the-american-money-behind-

warfare-challenge/#_ftn1. blacklisted-chinese-artificial-intelligence-companies. 

12 Jeffrey Engstrom, ‘Systems Confrontation and Systems 26 Josh Rudolph, ‘Sharper Eyes: Surveilling the Surveillers (Part 1)’,

Destruction Warfare: How the People’s Liberation Army China Digital Times, 9 September 2019, https://chinadigitaltimes.

Seeks to Wage Modern Warfare’, RAND Corporation, 2018, p. net/2019/09/sharper-eyes-surveilling-the-surveillers-part-1.

10, https://www.rand.org/content/dam/rand/pubs/research_ 27 Nicholas Eftimiades, Chinese Intelligence Operations (Abingdon:

reports/RR1700/RR1708/RAND_RR1708.pdf. Routledge, 2017).

13 China Aerospace Studies Institute, In Their Own Words: Foreign 28 See Greg Austin, Cyber Policy in China (Cambridge: Polity, 2014), p. 1.

Military Thought – Science of Military Strategy 2013, 8 February 29 China Academy of Information and Communications

2021, pp. 58,  160–1, 221, https://www.airuniversity.af.edu/ Technology, ‘Zhōngguó shùzì jīngjì fāzhǎn báipíshū’, May–July

Portals/10/CASI/documents/Translations/2021-02-08%20 2020, pp. 49–50, http://www.caict.ac.cn/kxyj/qwfb/bps/202007/

Chinese%20Military%20Thoughts-%20In%20their%20 P020200703318256637020.pdf.

own%20words%20Science%20of%20Military%20Strategy%20 30 Tahsin Saadi Sedik, ‘Asia’s Digital Revolution’, Finance &

2013.pdf?ver=NxAWg4BPw_NylEjxaha8Aw%3d%3d. Development, vol. 55, no. 3, September 2018, https://www.imf.org/

14 State Council Information Office of the People’s Republic of external/pubs/ft/fandd/2018/09/asia-digital-revolution-sedik.htm.

China, ‘China’s Military Strategy’, May 2015, http://eng.mod. 31 China Academy of Information and Communications
gov.cn/Database/WhitePapers/2014.htm. Technology, ‘Zhōngguó shùzì jīngjì fāzhǎn báipíshū’, p. 8.

15 See, for example, ‘Réngōng zhìnéng jūnbèi jìngsài zhèngzài 32 Ibid., p. 27. Alibaba ranked 132nd in the 2020 Fortune Global 500

qiǎorán xīngqǐ’, China Youth Daily, 17 October 2019, https://m. and Tencent 197th.

chinanews.com/wap/detail/zw/gn/2019/10-17/8981224.shtml. 33 Shannon Tiezzi, ‘New Report Highlights China’s Cybersecurity

16 ‘Xi calls for building a strong army’, Xinhua, 26 October 2017, Nightmare’, Diplomat, 18 February 2015, https://thediplomat.

http://www.xinhuanet.com//english/2017-10/26/c_136708142.htm. com/2015/02/new-report-highlights-chinas-cybersecurity-nightmare.

17 See Greg Austin, ‘The Strategic Implications of China’s Weak 34 Davey Winder, ‘China Prepares to Drop Microsoft Windows,

Cyber Defences’, Survival: Global Politics and Strategy, vol. 62, Blames US Hacking Threat’, Forbes, 30 May 2019, https://

no. 5, September–October 2020, pp. 119–38. www.forbes.com/sites/daveywinder/2019/05/30/china-

18 John Costello and Joe McReynolds, ‘China’s Strategic Support prepares-to-drop-microsoft-windows-blames-u-s-hacking-


Force: A Force for a New Era’, China Strategic Perspectives, threat/?sh=d0a00282c50d.

Institute for National Strategic Studies, National Defense 35 State Council of the People’s Republic of China, ‘Notice of

University, 2018, p. 5, https://ndupress.ndu.edu/Portals/68/ the State Council Issuing the New Generation of Artificial

Documents/stratperspective/china/china-perspectives_13.pdf. Intelligence Development Plan’, State Council Document no. 35,


19 The Science of Military Strategy, produced by the PLA’s Academy 8 July 2017, https://flia.org/wp-content/uploads/2017/07/A-New-
of Military Science, terms this development ‘integrated Generation-of-Artificial-Intelligence-Development-Plan-1.pdf.
reconnaissance, attack, and defense’ [zhen gongfang yitihua]. See 36 Matt Ho, ‘China’s Hi-Tech Direction for the next Five Years’,

Costello and McReynolds, ‘China’s Strategic Support Force: A South China Morning Post, 11 November 2020, https://www.

Force for a New Era’, p. 12. scmp.com/news/china/politics/article/3109316/chinas-hi-tech-

20 Ibid., p. 40. direction-next-five-years.

21 Ibid., pp. 40–1. 37 Jeffrey Ding, ‘China’s Current Capabilities, Policies and

22 ‘Zhànlüè zhīyuán bùduì jīcéng jiànshè gōngzuò shùpíng’, Industrial Ecosystem in AI – Testimony before the U.S.–China

Xinhuanet, 24 September 2017, http://www.xinhuanet.com/ Economic and Security Review Commission Hearing on

mil/2017-09/27/c_129713342.htm. Technology, Trade, and Military–Civil Fusion: China’s Pursuit

23 MSS is the main civilian intelligence and counter-intelligence of Artificial Intelligence, New Materials, and New Energy’,

agency. US–China Economic and Security Review Commission,

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 99


7 June 2019, p. 4, https://www.uscc.gov/sites/default/ 49 ‘China’s Xi Jinping warns of new “long march” as trade war

files/June%207%20Hearing_Panel%201_Jeffrey%20Ding_ with US intensifies’, Straits Times, 22 May 2019, https://www.

China’s%20Current%20Capabilities,%20Policies,%20and%20 straitstimes.com/asia/east-asia/chinese-president-xi-jinping-

Industrial%20Ecosystem%20in%20AI.pdf. warns-of-new-long-march-as-trade-war-intensifies.

38 Ibid., p. 40. 50 Elliott Zaagman, ‘Cyber Sovereignty and the PRC’s Vision

39 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United for Global Internet Governance’, China Brief, vol. 18, no. 10, 5

States Stay Ahead of China?’, 21 December 2020, https:// June  2018, https://jamestown.org/program/cyber-sovereignty-

chuvpilo.medium.com/ai-research-rankings-2020-can-the- and-the-prcs-vision-for-global-internet-governance.

united-states-stay-ahead-of-china-61cf14b1216. 51 Roger Faligot, Chinese Spies: From Chairman Mao to Xi Jinping

40 Priyankar Bhunia, ‘World’s longest unhackable (Melbourne: Scribe, 2019), p. 395.

communications link opened between Beijing and Shanghai’, 52 China National Computer Network Emergency Response Team,

OpenGovAsia, 28 October 2017, https://opengovasia.com/ ‘2016 Nián wǒguó hùliánwǎng wǎngluò ānquán tàishì zòngshù’,

worlds-longest-unhackable-communications-link-opened- National Computer Network Emergency Technology Processing

between-beijing-and-shanghai. Coordination Center, April 2017, pp. 14–20, http://www.cac.gov.

41 Liu Zhen, ‘China’s experiment in quantum communication cn/wxb_pdf/CNCERT2017/2016situation.pdf.

brings Beijing closer to creating a hack-proof network’, South 53 Ibid., p. 15.

China Morning Post, 9 January 2021, https://www.scmp. 54 China Internet Network Information Center, ‘Statistical

com/news/china/science/article/3117005/chinas-experiment- Report on Internet Development in China’, September 2020,

quantum-communication-brings-beijing-closer. p. 69, https://cnnic.com.cn/IDR/ReportDownloads/202012/

42 Union of Concerned Scientists, ‘UCS Satellite Database’, P020201201530023411644.pdf.

updated 1 January 2021, https://www.ucsusa.org/resources/ 55 Ibid., pp. 70–2.

satellite-database.  56 Ibid., p. 73.

43 IISS, The Military Balance 2021 (Abingdon: Routledge for the 57 Samm Sacks and Robert O’Brien, ‘What to Make of the Newly

IISS, 2021), pp. 48, 191, 250. Established Cybersecurity Association of China’, Center for
44 Defence Intelligence Agency, ‘Challenges to Security in Strategic and International Studies, 25 May 2016, https://
Space’, January 2019, https://www.dia.mil/Portals/27/ www.csis.org/analysis/what-make-newly-established-
Documents/News/Military%20Power%20Publications/ cybersecurity-association-china.
Space_Threat_V14_020119_sm.pdf. 58 Samm Sacks and Manyi Kathy Li, ‘How Chinese Cybersecurity

45 Andrew Tate, ‘China integrates long-range surveillance Standards Impact Doing Business in China’, CSIS, 2
capabilities’, Jane’s Intelligence Review, vol. 29, no. 12, December August 2018, https://www.csis.org/analysis/how-chinese-
2017. See also Timothy Heath, ‘China’s Pursuit of Overseas cybersecurity-standards-impact-doing-business-china.
Security’, RAND Corporation, 2018, p. 30, https://www. 59 Dora Wang, Charmian Aw and Cindy Shen, ‘MLPS 2.0: China’s

rand.org/content/dam/rand/pubs/research_reports/RR2200/ Enhanced Data Security Multi-Level Protection Scheme and


RR2271/RAND_RR2271.pdf. Related Enforcement Updates’, ReedSmith, 9 October 2019,
46 ‘Haiyang-2 (HY-2 or Ocean-2)’, Globalsecurity.org, https:// https://www.reedsmith.com/en/perspectives/2019/10/mlps-
www.globalsecurity.org/space/world/china/hy-2.htm. 20-chinas-enhanced-data-security-multi-level-protection.
47 Kevin L. Pollpeter, Michael S. Chase and Eric Heginbotham, ‘The 60 Lauren Dudley et al., ‘China’s Cybersecurity Reviews Eye

Creation of the PLA Strategic Support Force and its Implications “Supply Chain Security” in “Critical” Industries [Translation]’,

for Chinese Military Space Operations’, RAND Corporation, New America, 27 April 2020, http://newamerica.org/

2017, p. 7, https://www.rand.org/content/dam/rand/pubs/ cybersecurity-initiative/digichina/blog/chinas-cybersecurity-

research_reports/RR2000/RR2058/RAND_RR2058.pdf. reviews-eye-supply-chain-security-critical-industries-translation.

48 Semiconductor Industry Association, ‘2020 – State of the U.S. 61 Emma Rafaelof et al., ‘Translation: China’s Data

Semiconductor Industry’, p. 8, https://www.semiconductors.org/ Security Law (Draft)’, New America, 2 July 2020, http://

wp-content/uploads/2020/07/2020-SIA-State-of-the-Industry- newamerica.org/cybersecurity-initiative/digichina/blog/

Report-FINAL-1.pdf. translation-chinas-data-security-law-draft. 

100 The International Institute for Strategic Studies


62 Bryan Cave, ‘China’s Draft Personal Information Protection of Information and Telecommunications in the Context of

Law: What Businesses Should Know’, Lexology, 2 International Security’ until 2018, when it was renamed the GGE

December 2020, https://www.lexology.com/library/detail. on ‘Advancing Responsible State Behaviour in Cyberspace in the

aspx?g=f7f7b85c-545a-4fbe-a114-833044603750.  Context of International Security’. In cyberspace-policy circles it

63 Cybersecurity Association of China (CAICT), ‘2020 Nián is common to refer to it simply as ‘the GGE’. See UN Office for

zhōngguó wǎngluò ānquán chǎnyè tǒngjì bàogà’, p. 8, https:// Disarmament Affairs, ‘Developments in the field of information

www.cybersac.cn/News/getNewsDetail/id/1545. The estimate and telecommunications in the context of international security’,

of RMB 52.309bn is for the annual revenue from technology https://www.un.org/disarmament/ict-security.

products and services in cyber security for companies whose 72 United Nations General Assembly, ‘Resolutions adopted by

revenue arising from that sector is at least 50% of their total the General Assembly on 5 December 2018: Developments in

revenue. This report includes the data from around 500 cyber- the field of information and telecommunications in the context

security companies in China and can be regarded as a reliable of international security’, Resolution 73/27, 11 December

estimate compatible with similar estimates made in previous 2018, https://undocs.org/en/A/RES/73/27. The OEWG’s full

years for the sector as a whole. The CAICT has published a name is the Open-ended Working Group on Developments

much higher estimate but that includes many products and in the Field of Information and Telecommunications in the

services not normally included in the cyber-security sector. Context of International Security. For details on its activities,

64 See Gartner, ‘Gartner Forecasts Worldwide Security and Risk see United Nations Office for Disarmament Affairs, ‘Open-

Management Spending Growth to Slow but Remain Positive ended Working Group’, https://www.un.org/disarmament/

in 2020’, 17 June 2020, https://www.gartner.com/en/newsroom/ open-ended-working-group.

press-releases/2020-06-17-gartner-forecasts-worldwide- 73 Tai Ming Cheung, ‘The rise of China as a cybersecurity industrial

security-and-risk-managem. power: Balancing national security, geopolitical, and development

65 Statista, ‘Leading cybersecurity vendors by market share priorities’, Journal of Cyber Policy, vol. 3, no. 3, 2018, p. 313.

worldwide from 2017 to 2020’, 2 July 2020, https://www.statista. 74 Zaagman, ‘Cyber Sovereignty and the PRC’s Vision for Global

com/statistics/991308/worldwide-cybersecurity-top-companies-by- Internet Governance’.

market-share. 75 Chun Han Wong, ‘China Launches Initiative to Set Global

66 Ibid. Data-Security Rules’, Wall Street Journal, 8 September 2020,

67 International Telecommunication Union, ‘Global Cybersecurity https://www.wsj.com/articles/china-to-launch-initiative-to-set-

Index 2018’, p. 63, https://www.itu.int/dms_pub/itu-d/opb/str/ global-data-security-rules-11599502974. 

D-STR-GCI.01-2018-PDF-E.pdf. 76 China Ministry of Foreign Affairs, ‘Quánqiú shùjù ānquán

68 See Austin and Lu, ‘Five Years of Cyber Security Education chàngyì’, 8 September 2020, https://www.fmprc.gov.cn/web/

Reform in China’. wjbzhd/t1812949.shtml. 

69 An overview of China’s participation in debates on global norms 77 See National People’s Congress of the People’s Republic of

for cyberspace can be found in Greg Austin, ‘International legal China, ‘Zhōnghuá rénmín gònghéguó mìmǎ fǎ (2019 nián 10

norms in cyberspace: Evolution of China’s national security yuè 26 rì dì shísān jiè quánguó rénmín dàibiǎo dàhuì chángwù

motivations’, in Anna Maria Osula and Henry Roigas (eds), wěiyuánhuì dì shísì cì huìyì tōngguò’), 26 October 2019, http://

International Cyber Norms: Legal, Policy & Industry Perspectives www.npc.gov.cn/npc/c30834/201910/6f7be7dd5ae5459a8de8ba

(Tallinn: NATO CCDCOE Publications, 2016), pp. 172–201. f36296bc74.shtml.


70 US Department of State, ‘Remarks on Internet Freedom’, Hillary 78 The IGF is a multi-stakeholder discussion forum set up in 2006

Rodham Clinton, Secretary of State, Washington DC, 21 January in the framework of the World Summit for the Information

2010, https://2009-2017.state.gov/secretary/20092013clinton/rm/ Society, a UN body left in place after related summits in

2010/01/135519.htm. 2002 and 2003. See ‘The Internet Governance Forum (IGF)’,

71 Since a UN General Assembly resolution in 2004, a UN Group UN Internet Governance Forum, 24 June 2015, https://www.

of Governmental Experts (GGE) has convened for two-year intgovforum.org/cms/2015/IGF.24.06.2015.pdf.

terms to address international-security aspects of cyberspace. 79 Adam Segal, ‘When China Rules the Web: Technology in Service

It was known as the GGE on ‘Developments in the Field of the State’, Foreign Affairs, vol. 7, no. 5, September–October

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 101


2018, pp. 10–14, 16–18, https://www.foreignaffairs.com/ Politics in the Digital Domain (New York: Oxford University

articles/china/2018-08-13/when-china-rules-web. Press, 2015).

80 Nigel Inkster, China’s Cyber Power, Adelphi 456 (Abingdon: 84 Amy Chang, ‘Warring State: China’s Cybersecurity Strategy’,

Routledge for the IISS, 2015). Center for a New American Security, December 2014, p. 25,

81 Kristin Shi-Kupfer and Mareike Ohlberg, ‘China’s Digital https://s3.us-east-1.amazonaws.com/files.cnas.org/documents/

Rise: Challenges for Europe’, MERICS Papers on China, CNAS_WarringState_Chang_report_010615.pdf?mtime=20160

no. 7, April 2019, p. 21, https://merics.org/sites/default/ 906082142&focal=none.

files/2020-06/MPOC_No.7_ChinasDigitalRise_web_final_2. 85 Joe McReynolds, ‘China’s Evolving Perspectives on Network

pdf. Warfare: Lessons from the Science of Military Strategy’, China

82 For the tech companies in the 2020 Fortune Global 500 ranking, Brief, vol. 15, no. 8, April 2015, p. 5, https://jamestown.org/

see ‘Global 500’, Fortune, https://fortune.com/global500/2020/ program/chinas-evolving-perspectives-on-network-warfare-

search/?sector=Technology. For the telecoms companies, see lessons-from-the-science-of-military-strategy.

‘Global 500’, Fortune, https://fortune.com/global500/2020/searc 86 Pollpeter, ‘Chinese Writings on Cyberwarfare and Coercion’, p. 7.

h/?sector=Telecommunications. 87 McReynolds, ‘China’s Evolving Perspectives on Network

83 Kevin Pollpeter, ‘Chinese Writings on Cyberwarfare and Warfare: Lessons from the Science of Military Strategy’, p. 5.

Coercion’, in Jon R. Lindsay, Tai Ming Cheung and Derek S. 88 Pollpeter, ‘Chinese Writings on Cyberwarfare and Coercion’, p. 8.

Reveron (eds), China and Cybersecurity: Espionage, Strategy, and 89 Ibid., pp. 13–14.

102 The International Institute for Strategic Studies


9. Russia

Russia’s cyber strategy is dictated by its confronta- the West, and particularly the United States. It has
tion with the West, in which it sees cyber operations credible offensive cyber capabilities and has used
as an essential component of a wider information them extensively as part of a much broader strat-
war. Its cyber governance is centralised, hierarchi- egy aimed at disrupting the policies and politics of
cal and under the president’s personal control. The perceived adversaries, especially the US. It has run
country is highly dependent on foreign ICT corpo- extensive cyber-intelligence operations, some of
rations and has a less impressive digital economy which reveal increasing levels of technical sophisti-
than, for example, the United Kingdom or France. cation. However, Russia appears not to have given
It is seeking to redress key weaknesses in its cyber priority to developing the top-end surgical cyber
security through government regulation and the capabilities needed for high-intensity warfare.
creation of a sovereign internet, and by encouraging Overall, Russia is a second-tier cyber power. To join
the development of an indigenous digital industry. the US in the first tier it would need to substantially
Given its economic circumstances, these ambitions improve its cyber security, increase its share of the
may prove unrealistic. For two decades Russia has global digital market and probably make further
led, with some successes, diplomatic efforts to cur- progress in developing the most sophisticated offen-
tail what it sees as the dominance of cyberspace by sive military cyber tools.

Strategy and doctrine


Russian strategy and doctrine see cyber security and cyber between peace and war mentioned in a magazine article
operations as components of an information confronta- by the Chief of the General Staff (CGS), Valery Gerasimov,
tion with the West. Russian sources refer more often to in 2013.1 There was evidence of these approaches in the
‘information space’ than to ‘cyberspace’ and are doctri- Russian information operations against Estonia (2007),
nally hardwired to integrate technical cyber operations Georgia (2008) and Ukraine (2014–15), each of which had
with other means of achieving information superiority a component that Western observers described as ‘cyber
(for example by manipulating social media). In the last ten attacks’. But perhaps the most notorious example was the
years Russia has sought to use such information capabili- Russian ‘hack and leak’ operation against the Democratic
ties to achieve strategic effect against its adversaries, a pol- National Committee during the presidential-election cam-
icy articulated to some extent in the concept of a ‘grey zone’ paign in the United States in 2016.

List of acronyms
FSB Federal Security Service KGB Committee of State Security
FSTEK Federal Service for Technical and Export Control SORM operational investigative-measures system
GRU Main Intelligence Directorate SVR External Intelligence Service
ICT information and communications technology

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 103


This thinking was brought together in Russia’s is assumed to lie behind all online activities emanating
Information Security Doctrine of December 2016,2 from the West.6
which, like the National Security Strategy of 2015, The 2014 Military Doctrine was notable for its rec-
portrayed the country as under constant information ognition that modern warfare would involve a highly
attack.3 The 2016 doctrine was similar in many respects novel integration of ‘military force and political, eco-
to its equivalents in the other countries studied in this nomic, informational or other non-military measures
report. It covered strategic deterrence; the information implemented with a wide use of the protest potential
security of government agencies, the armed forces, criti- of the population and of special operations forces’.7
cal national infrastructure and citizens; and countering It placed information risks 12th in a list of external
the threats posed by adversary states, terrorists and threats, but first in its list of internal ones. In its list
criminals. The main differences lay in the lack of any of the ten main features of modern warfare, the first
real distinction between military and civil-sector infor- three were information-related. And in its long list of
mation security, and the focus on countering ‘informa- main tasks necessary in order to deter and prevent an
tion’ and ‘psychological actions’ aimed at undermining armed attack against Russia, information operations
Russia’s ‘history’, ‘patriotism’ and ‘traditional moral were placed first.
and spiritual values’. Russia’s strategy seems to put In 2017, after a long period in development, Russia
special emphasis on controlling the information and announced that ‘information-operations troops’ were
content available on its networks, which the authorities joining its armed forces.8 These units were intended to
clearly see as a primary threat. This is consistent with fill a gap in capabilities that became apparent during the
the Russian view that cyber threats are a component 2008 conflict in Georgia. Although the new formations
of broader information campaigns being conducted by have been perceived in the Western media as primarily
its adversaries, aimed at changing the fabric of Russian providing a cyber capability, their role so far seems
society. As a result, the 2016 doctrine advocated an more in keeping with the broader Russian definition of
increased role for Russia’s own internet management information warfare. In exercises – and on deployment
and greater domestic production of information tech- to Syria – they have in some cases used traditional
nology. Interestingly, it also described how, in the psychological-operations techniques such as leaflet
interests of national security, Russia would be able to drops and loudspeaker broadcasts in foreign languages.9
counter its adversaries by employing its own informa- They are also equipped with systems for interference
tion campaigns against them. All subsequent govern- with civilian mobile-phone communications, including
ment documents on information security have made broadcasting content to them. These electronic capabilities
numerous references to the 2016 doctrine. have been used for disinformation, demoralisation and
The Information Security Doctrine of 2016 also propaganda purposes in Syria and Ukraine, and against
drew heavily on earlier Russian military concepts for NATO personnel in the Baltic states.10
the use of cyberspace, encapsulated in a Ministry of Russia’s traditional lack of military digitisation
Defence publication from 2011,4 and in the Military (compared, for example, with the US) has begun to
Doctrine of 2014.5 The 2011 publication provided an be redressed, both at tactical level and at the level of
indication of how the Russian armed forces saw their national command and control. There is a recognition
role in cyberspace but it appeared incomplete, focusing that new organisations and new leadership dispositions
on situational and threat awareness, and on force will be necessary to enable Russia to compete with the
protection, while making no mention of offensive cyber US and its allies, and that this will require a whole-of-
or information operations. Its preamble included an society approach supported by networked and inte-
official statement on the threat to Russia’s information grated communications. Though Russia has produced
security posed by other states’ development of very little in the way of formal documents for military
information-warfare policies – further evidence of a strategic planning for cyberspace since 2017, the subject
conspiratorial view of the world in which hostile intent is a highly topical one. CGS Gerasimov observed in a

104 The International Institute for Strategic Studies


2020 briefing to military attachés that strategic confron- The FSB, the country’s main domestic intelligence agency,
tation in cyberspace is intensifying and that there is a is tasked with defence against attacks on government
risk of it interfering with the command and control of systems and critical national infrastructure. It inherited
strategic nuclear systems.11 A year earlier, another mili- the functions of earlier cyber and signals-intelligence
tary commentary stated that dominance in cyberspace agencies that were disbanded during President Putin’s
(alongside military power) is a precondition for vic- early years. In 2018 the FSB set up a National Coordination
tory in modern war.12 Specialist military commentaries Centre for Computer Incidents, whose commander is
have continued to focus as much on the cognitive and also the director of the FSB’s Centre for Data Protection
psychological aspects of cyber conflict as on the other and Special Communications.16
dimensions, and have shown a particular interest in The Federal Service for Technical and Export Control
China’s information warfare.13 (FSTEK),17 part of the Ministry of Defence, is charged
with certain roles in protecting critical information infra-
Governance, command and control structure across the country, taking the lead in defensive
The president takes the lead on cyber-security governance measures against any foreign technology-based intelli-
and exercises national command and control of key gence operations, technical defence of information, and
agencies through the Security Council. Policy documents policy for export controls on technology.18 One its most
make reference to a multi-stakeholder approach to important duties is technical counter-intelligence opera-
the management of national cyber security – in which tions inside Russia. FSTEK activities cover a wide range
business and community groups of policy, including the the regula-
supposedly have input, alongside Russia’s tions covering the use of foreign infor-
regional governments – but in reality mation technology.
the system is presidential and state-
traditional At an early stage in the debate on
controlled. The secretary of the lack of military new units dedicated to information
Security Council is mandated under digitisation operations, following the 2008 con-
the 2016 Information Security Doctrine
has begun to flict in Georgia, the FSB appeared
to provide annual reports to the to publicly denounce plans by the
president on the state of the country’s be redressed, armed forces to develop their own
cyber security. There is an assigned both at tactical information-warfare capability, stat-
lead officer for cyber-security policy
level and at the ing that such a capability should be
within the Security Council, at deputy- the preserve of the FSB. The FSB’s
secretary level. The leading cyber
level of national monopoly has since been eroded, how-
agencies are represented at higher command and ever, judging by evidence of the role
levels within the Security Council:
control of the Russian military-intelligence
its permanent members include the service in information-warfare activi-
defence minister and the head of the ties globally and by the assignment to
Federal Security Service (FSB),14 and its other members FSTEK in 2017 of key cyber-defence-policy responsibili-
include the Chief of the General Staff.15 ties involving national politics and the economy.
In terms of the leadership and coordination of cyber The National Defence Management Centre in
policy and operations, President Vladimir Putin appears Moscow is Russia’s strategic command post, established
to give priority to the Ministry of Defence. For offensive in 2014 to operate around the clock as the country’s first
operations, the Main Directorate of the General Staff fusion hub for information and communications from
(formerly the Main Intelligence Directorate or GRU) has all agencies. It is located close to the Kremlin and fulfils
primary responsibility. The 8th Directorate of the General four functions: high command; coordination for mili-
Staff provides cryptographic services and supervises the tary operations; command of strategic nuclear forces;
management of military secrets relating to cyber affairs. and coordination of the peacetime work of the security

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 105


ministries and agencies, including cyber security.19 By well-documented set of regulations that controls Russian
initially combining 49 military, police, economic, infra- internet service providers (ISPs).30 SORM provides
structure and other authorities under the stewardship Russian law-enforcement bodies with a wide range of
of the General Staff, the centre has improved the speed cyber-surveillance material,31 capturing meta-data and
of government reaction and information exchange.20 By content from mobile and landline calls (SORM-1), inter-
2020 it was involved in coordinating military exercises net traffic (SORM-2) and all other media (SORM-3). In
with much larger numbers of entities – in the Kavkaz theory, retrieval of intercepted data requires court orders,
2020 exercise, for example, there were 160 participating but in practice this is most likely ignored by the Russian
entities and the centre coordinated 380 joint actions.21 security services.
As in China, the perceived misuse of social media is
Core cyber-intelligence capability regarded as a significant national-security issue, with
After the collapse of the Soviet Union in 1991, its intel- controls in place to prevent distribution of informa-
ligence agencies were regrouped within the Russian tion hostile to the state. The powers of surveillance of
Federation. The former Committee of State Security the Russian state have been further enhanced by laws
(KGB)22 was split into two agencies, both of which had and measures ostensibly aimed at data protection and
acquired their current names by 1995: the FSB,23 which combating terrorism, with increasingly stringent rules
took over the KGB’s internal-security functions, and the requiring ISPs to collect and store data on user activ-
External Intelligence Service (SVR),24 which took over ity. This includes the capturing of user information for
its activities abroad. The role of the armed forces’ Main periods of between six months and three years – includ-
Intelligence Directorate (GRU)25 ing all written, audio and video com-
changed very little, though its name munications; home address; passport
was shortened to Main Directorate As in China, the details; lists of relatives, friends and
(GU)26 in 2010 (Putin later said that perceived misuse contacts; social-media accounts; lan-
the word ‘Intelligence’ should have
been maintained). The intelligence
of social media guages spoken; and records of all
e-payments.
agencies enjoy the highest level of is regarded as Given the growing number of
political support and supervision, a significant overseas cyber attacks that Western
with Putin relying on them for his
national-security governments and companies have
domestic power in an authoritarian attributed to the GU and other
type of guided democracy. This has issue Russian actors, and that some of
involved ruthless exploitation of the those attacks appear to have been
intelligence power of the state, manifested in assas- complex intelligence-gathering operations, it is safe to
sinations of political opponents, both inside and out- assume that Russia also possesses extensive regional
side Russia, and in Putin’s personal authorisation of a and global cyber-intelligence capabilities.
campaign of political interference in the 2016 US presi- As with other aspects of Russian intelligence opera-
dential election.27 Indeed, the nature and increasing vol- tions, the tradecraft sometimes appears less sophisti-
ume of Russia’s overseas intelligence activity suggests cated than that employed by Western cyber operators,
the country’s security and intelligence agencies have but in such cases the Russians may care less than their
inherited the KGB’s doctrine of intelligence as a form foreign counterparts about getting caught. This even
of ‘political struggle’ and are in a permanent state of applies to the well-publicised and widespread Russian
‘political war’ against the West, albeit with adjustments cyber-intelligence operations detected by the US at the
to the realities of the twenty-first century.28 end of 2020, which employed some sophisticated tech-
For the purposes of internal security the Russian niques to evade US private-sector cyber security but
state monitors online activity by using its opera- still made indiscriminate use of ubiquitous IT vulner-
tional investigative-measures system (SORM),29 a abilities. (The attack involved the hacking of software

106 The International Institute for Strategic Studies


supplied by the US company SolarWinds to a wide The number of Russian internet users continues to
range of US government and private-sector clients.)32 rise, though the rate of growth has slowed. According
In comparison, a Russian intelligence operation in 2008 to the 2020 edition of a large-scale survey carried out by
that penetrated US Department of Defense networks Russia’s Public Opinion Foundation, 69% of respondents
appeared to be much more carefully targeted.33 had been online at some point in the preceding 24 hours.39
Russia has fewer financial resources to invest in intel- Smartphones are the most popular way for Russians
ligence capabilities than the US or China. One means of to access the internet. Internet penetration in the met-
compensating for this, it seems, is to blur the dividing line ropolitan hubs of Moscow and St Petersburg is sig-
between state and non-state actors.34 The use of so-called nificantly above the national average – around 80%
‘patriotic hackers’ and organised cyber-crime expertise of adults, compared with about 60% in rural areas.40
is believed to substantially enhance Russia’s cyber capa- Prices are quite low by international standards, with
bilities.35 Since the attack by Russian hackers on Estonia in the Economist putting the country in 12th position in its
2007, the Kremlin has sourced technology and even intel- ranking of overall affordability of mobile and fixed-line
ligence information from such groups operating within internet charges.41 In terms of ‘readiness’ (the popu-
its near abroad. It is unclear precisely how much direc- lation’s ‘capacity to access the Internet’, taking into
tion patriotic hackers and cyber criminals are given by account skills, cultural acceptance and supporting pol-
the Kremlin, but often their activities have no discernible icy) the Economist put Russia in 59th position.
motive apart from furthering the aims of the Russian state. The most dramatic and high-profile expression of
Russia’s focus on cyber empowerment and independ-
Cyber empowerment and dependence ence is its attempt to create a separate domestic inter-
Russia’s adoption of a digital economy has been grad- net – a concept it refers to as the ‘sovereign RuNet’.
ual. According to the Russian Association of Electronic The Kremlin’s determination to significantly increase
Communications (RAEC), internet-dependent indus- its control over the internet became clear soon after
tries account for up to 20% of GDP. However, the RAEC Putin returned to the Kremlin in 2012 for his third term
has also estimated that some of the onerous regulatory as president. The use of social media to organise mass
demands already introduced or set to be introduced, protests in Moscow in 2011 and an awareness of its
especially data-storage requirements contained in anti- role in the Arab Spring convinced the newly re-elected
terrorism laws passed in 2016, could hamper the further president and his supporters that the RuNet could no
development of the digital economy. Russia is only a longer be left to its own devices. Two events reinforced
mid-level performer in digital competitiveness, demon- this view and allowed the Kremlin to present its policy
strated in part by it not having any of the 51 tech or of internet control as an issue of national security: the
telecoms companies that appeared in the 2020 Fortune 2013 leaks by US defector Edward Snowden, revealing
‘Global 500’, whereas the US had 16 and China eight.36 the extent and nature of US cyber intelligence; and the
In 2017, President Putin issued a decree on the need 2013–14 Euromaidan protests in Ukraine, in which plat-
for Russia to become an ‘information society’.37 A forms such as Facebook again proved indispensable in
follow-on to a similar document in 2008, it highlighted allowing disparate protesters to join forces to oppose
the challenges the country was facing as it attempted and ultimately overthrow the regime of pro-Russian
to build a stronger digital economy. Its aims included president Victor Yanukovych.
an expansion of Russian encryption technologies; the Much of the internet legislation passed in Putin’s
replacement of foreign ICT equipment by domestically third term (2012–18) was clearly linked to the pursuit
produced technologies (especially in critical information of information sovereignty. One of the stated aims was
infrastructure); and improvements in the effectiveness to isolate the RuNet from the global internet. In 2016
of domestic communications networks to support a the Communications Ministry set the goal of ensur-
‘centralized system of monitoring and management of ing that 99% of internet traffic in the RuNet would be
the Russian electronic grid’.38 routed within Russia itself by 2020,42 a target figure that

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 107


dropped to 90% within a year. It should be noted, how- officials. All employees have their own secure work-
ever, that the ambition is not to regularly prevent inter- email accounts that can only be accessed from a special
net traffic from leaving Russian servers but instead to IP address using a designated computer, but  roll-out
provide the capability to insulate the country from inter- of the system is reportedly patchy.56 
national traffic (inwards and outwards) in the event of a The government has also been pursuing other regula-
crisis.43 Russia’s aim of becoming a digital economy and tory efforts, including a data-localisation law that requires
society would not be achieved if it enforced a lockdown corporations, including social-media platforms, to store
of internet traffic for more than a couple of weeks. All Russian users’ data within the country’s borders.46 For
international transactions in financial services are based instance, Roskomnadzor, the federal body that oversees
on the internet, for example, as is the international data compliance and censorship,  has pushed Apple to
exchange of information on health issues. store certain kinds of data in Russia rather than outside
The Russian government claimed in December 2019 the country.  In 2016 Russia blocked LinkedIn for non-
to have successfully tested the disconnection of the compliance with the data-localisation law,47 and in 2020
RuNet from the internet. It stated that several disconnec- a Moscow court fined Twitter and Facebook US$63,000
tion scenarios had been tested, including a simulation of each for non-compliance.48 However, data localisation is
a state-backed cyber attack and a response described as generally very difficult for any country to enforce strictly.
‘combat mode’.44 The tests involved government agen-   A range of Computer Emergency Response Teams
cies and telecoms companies, including local ISPs. (CERTs) are nominally operational in Russia. They
Russia is a self-sufficient space power, operating its include both government and private-sector entities, such
own satellite-communications and satellite-navigation as CERT.GOV.RU, responsible for governmental net-
constellations, serving both civil and military pur- works; FinCERT for the Bank of Russia; Kaspersky ICS
poses, as well as satellites for a range of other func- CERT for industrial control systems; and CERT-GIB.49 A
tions. Its satellite-navigation system, GLONASS (Global range of state research institutes and commercial com-
Navigation Satellite System), is equivalent to the US panies are also involved in the work on cyber defences.
Global Positioning System (GPS) and its 24 operational The government has also relied on public–private
satellites provide complete global coverage. In normal information-sharing arrangements, primarily through
circumstances, each of these national systems can rely a system created in 2013 and known as GosSOPKA,50
on others for enhanced accuracy. As of January 2021, the ‘state system for the detection, warning and liquida-
Russia was operating 176 satellites while China had tion of the consequences of computer attacks’. It aims
more than double that number (412) and the US more to establish a constantly monitored perimeter to shield
than ten times as many (1,897).45 all government information resources within a sin-
gle network.51 The perimeter is intended to extend to
Cyber security and resilience all critical national infrastructure, with information on
Putin has made national cyber resilience and security cyber attacks coordinated by a central body that would
a high priority during his two decades as leader of determine the nature of the attack and transmit appro-
Russia, beginning in 2000 with the release of the first priate security recommendations to the rest of the sys-
Information Security Doctrine, within months of his tem. In early 2019 a Russian analyst assessed that the
inauguration as president. In 2016 the government development of the system was still at an early stage.52
intensified its efforts, issuing a raft of new laws and The Republic of Tyva was the first Russian constituent
reforms to address social and technical aspects of the entity to be connected to GosSOPKA, in 2019,53 and the
challenge, along with an updated Information Security rules for the provision of subsidies for the creation of
Doctrine. Key elements of this resilience policy have GosSOPKA ‘industry’ centres were also approved.54
included the RuNet and the SORM surveillance regime. March 2020 saw the inauguration of a Security Code
Another element is a secure government net- Monitoring and Response Centre that will contribute to
work,  RSNet, for the use of Russian government the functioning of the system.55

108 The International Institute for Strategic Studies


In 2019 and 2020 the government took steps to make Vedomosti, more than half of the simulated cyber attacks
the use of intrusion-detection software compulsory in carried out in 2019 were successful in penetrating the
Russian IT systems, with FSTEK playing a key role. The country’s cyber defences.66
FSB mandated that companies registered as ‘informa-
tion dissemination organisers’ install equipment that Global leadership in cyberspace affairs
would allow its intelligence officers constant decrypted Since 1998, Russia has sponsored an annual United
access to user communications without the need for Nations General Assembly resolution entitled ‘Devel-
authorisation.56 In December 2019 the government opments in the field of information and telecommuni-
passed the Law on Software Pre-installation, requir- cations in the context of international security’, which
ing the downloading of Russian-made software into expresses concern that malicious activity in cyberspace
digital devices such as smartphones, computers and can undermine international peace and security. The
televisions entering the Russian market. A list of appli- resolution was initially uncontroversial, but early in the
cations to be installed was approved, to take effect from presidency of George W. Bush the US and its allies came
1 January 2021 (after an earlier date of entry into force to see it as a potential vehicle for promoting an author-
was deferred because of the COVID-19 pandemic).57 itarian agenda on the part of Russia, China and like-
Once enforced, the new law means users face the pos- minded states, aimed at limiting internet freedom. The
sibility that their devices will contain surveillance apps resolution was used to create the UN Group of Govern-
and traffic-decryption certificates.58 The government mental Experts (GGE)67 process on cyber norms, begin-
has also reportedly begun to step up efforts to apply ning in 2002. Despite limited progress in reconciling the
deep packet inspection.54 Russian cyber systems are conflicting views of the opposing camps, GGE meet-
now probably among the most regulated in the world. ings have led to consensus reports on the applicability of
The aim is clear: to have a flexible, if complex, national international law to cyberspace on two occasions (2013
cyber-defence system that might give Russia an advan- and 2015). These reports included acceptance of the
tage in a cyber conflict with another major power.59 So applicability of international law to cyberspace, and rec-
far, however, there is little indication of whether these ommendations on a set of norms, capacity-building and
measures will be effective. the importance of confidence-building measures.68 Rus-
In the 2018 Global Cybersecurity Index compiled sia has been leading an international campaign aimed
by the International Telecommunication Union, Russia at establishing international agreements or treaties on
ranked 26th out of 175 countries.60 Like most other coun- information security, especially since tabling a Draft
tries, it is facing an escalation in successful cyber attacks. Convention on International Information Security in
In 2020, for example, its online retailers saw a doubling 2010. In 2020 it added a proposal for a non-intervention
of distributed-denial-of-service attacks61 and the num- pledge regarding ICT-based attacks on the electoral pro-
ber of data-leak incidents in the financial-services sector cess in other countries.69
grew by 36.5%.62 In January 2021 the government issued The dialogue between Russia and Western states on
a warning about possible US retaliatory cyber attacks cyberspace issues has been characterised by mutual
on the country.63 In February 2021 Putin addressed incomprehension and apparent intransigence. Norms
the board of the FSB, urging it to pay more attention that one side takes for granted tend to be seen as
to cyber security, among other threats, and noting that threatening by the other. This divergence undermines
in 2020, ‘if we take only those regarded as  the  most attempts to reach agreement on common principles or
dangerous, the number of attacks on Russian websites, rules of behaviour for cyberspace, despite Russia hav-
including government websites, surged by  almost 350 ing repeatedly presented norms to which it invited
percent’.64 In March 2021 the president informed the other states to subscribe.
Interior Ministry Board that the number of cyber crimes Russia cooperates quite closely with China in cyber
had increased more than tenfold during the previous six diplomacy, especially through multilateral forums. This
years.65 According to the Russian business newspaper was evident in their joint leadership of the initiative to

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 109


set up the UN Open-Ended Working Group (OEWG) Russia employs a wide variety of techniques for such
on cyberspace security in 2018,70 which was open to all cyber operations, but all are based on some version of the
UN member states and aimed at countering the influ- classic cycle of reconnaissance, penetration, collection,
ence Western powers were exercising through the GGE. analysis and action. These operations have included the
Russia is wary, however, about any operational collabo- leaking of hacked information into the public domain
ration with China on technical aspects of cyber policy. through online proxies, often deliberately amplified
by Russian media outlets. The best-known example of
Offensive cyber capability this is the passing to WikiLeaks of emails hacked from
Russia has developed its cyber capabilities and doctrine the Democratic National Committee in the US in 2016.
over more than two decades, successfully integrating Other tactics include the aggressive deployment of
them into its wider strategic thinking and its political teams into the field to gain access to the devices and
agenda and goals. A characteristic of the Russian use of systems of political opponents; jamming, controlling
offensive cyber is a proven ability to integrate it fully into and inserting fake information into telecommunications
strategic information campaigns and into full-spectrum networks; and the use of cyber criminals and so-called
low-intensity state-on-state military operations. This patriotic hackers. Russia has also become notorious
could expose a weakness in any Western approach to for the ubiquitous use of trolls (online profiles run by
cyber security that overly focuses on technical responses humans) and bots (those run by automated processes)
to technical threats while disregarding the interface with to plant, disseminate and lend credibility to disinforma-
a broader campaign. For the Russians, such a campaign tion by exploiting certain features of the relationship
could see the seamless melding of dis- between traditional and social media.
information, subversion, and kinetic-, Russia is today Russia also appears to be explor-
cyber- and electronic-warfare opera- using offensive ing the potential deployment of
tions to achieve highly ambitious other assets for strategic cyber effect
aims, up to and including regime
cyber capabilities in a time of crisis. It is reported, for
change in the target state. extensively example, to be contemplating the use
The list of detected and attributed as part of a of submarine assets to surveil or cut
operations is a long one. It includes internet traffic between the US and
operations against the critical
much broader Europe,71 and the use of space vehi-
national infrastructure of states, such strategy aimed cles to similarly degrade Western
as denying access to critical commu- at disrupting satellite-based communications.
nications media – examples include
Estonia (2007), Georgia (2008), and
adversaries It is likely that each of the three
main Russian intelligence agencies
Ukraine (2015). It includes interfer- (the FSB, GU/GRU and SVR) pos-
ence in elections in the West, most notably the 2016 US sesses, and uses, offensive cyber capabilities. For exam-
presidential election. And it includes attempts to dis- ple, as well as having its own cyber specialists, the FSB
rupt international investigations, for example into dop- reportedly recruits hackers to launch cyber attacks
ing in sport, the shooting-down of Malaysia Airlines when it wants to punish or silence the Kremlin’s rivals.
flight MH17 and the use of a chemical weapon in the But although the many exposures of its operations
United Kingdom. There has also been the disinfor- might not be the best indicator, the GU/GRU seems to
mation campaign waged by the St Petersburg-based have emerged as the main Russian proponent of offen-
Internet Research Agency, nominally a private organi- sive cyber operations. It hacked a French television sta-
sation, set up in 2013, that nevertheless has close links to tion under the false flag of the Cyber Caliphate in 2015,72
President Putin. US authorities detected in 2016 that it it was a main actor in the hack of the US Democratic
was conducting disinformation and social-media opera- National Committee in 2016, and it deployed the highly
tions during the US presidential-election campaign. disruptive NotPetya computer virus against Ukraine

110 The International Institute for Strategic Studies


in 2017.73 In 2020 the Security Service of Ukraine neu- strategy aimed at disrupting and competing with per-
tralised 103 Russian cyber attacks against websites of ceived adversaries, especially the US. However, much
Ukrainian public authorities – the attacks had been of the detected tradecraft is relatively unsophisticated,
intended to infiltrate information systems in order and at times reckless, in comparison with the methods
to modify or destroy data, or to delegitimise the designed by the US and several of its allies for high-
Ukrainian authorities by spreading disinformation.74 intensity warfare and/or surgical strategic effect. For
It is unknown whether the Russian cyber-intelligence example, there is no publicly known indication that
operations that hacked software supplied by the US Russia could match the capability used by the US and
company SolarWinds to a wide range of US govern- Israel in the 2008–10 Stuxnet operation against Iran.
ment and private-sector clients, discovered in late 2020, A possible indication that the Russians themselves
were conducted with any offensive-cyber purpose (it suspect they are outmatched in this respect is their
seems unlikely, but US investigations are ongoing).75 repeated attempts in international forums to make the
In summary, Russia is today using offensive cyber military use of offensive cyber tools illegal under inter-
capabilities extensively as part of a much broader national law.

Notes

1 Valery Gerasimov, ‘Tsennost’ nauki v predvidenii’, Voenno- 6 See the chapter ‘Russia under Threat’ in Keir Giles, Moscow

promyshlennyi kurier, 27 February 2013, https://vpk-news.ru/ Rules: What Drives Russia to Confront the West (Washington DC:

sites/default/files/pdf/VPK_08_476.pdf. Translation available Brookings Institution Press, 2019), pp. 35–58.

in Mark Galeotti, ‘The “Gerasimov Doctrine” and Russian 7 Office of the President, ‘The Military Doctrine of the Russian

Non-Linear War’, In Moscow’s Shadows blog, 6 July 2014, Federation’.

https://inmoscowsshadows.wordpress.com/2014/07/06/ 8 ‘V Minoborony RF sozdali voiska informatsionnykh operatsii’,

the-gerasimov-doctrine-and-russian-non-linear-war. Interfax, 22 February 2017, http://www.interfax.ru/russia/551054.


2 Presidential Administration, ‘Doktrina informatsionnoi 9 See Mikhail Klikushin, ‘Putin’s Army Demands “NATO

bezopasnosti Rossiiskoi Federatsii’, 6 December 2016, https:// Soldiers! Hands Up! Lay Down Your Weapons!”’, Observer.

rg.ru/2016/12/06/doktrina-infobezobasnost-site-dok.html. com, 19 August 2016, http://observer.com/2016/08/putins-army-

3 Katri Pynnöniemi and Martti J. Kari. ‘Russia’s New demands-nato-soldiers-hands-up-lay-down-your-weapons.

Information Security Doctrine: Guarding a besieged cyber 10 Keir Giles, ‘Assessing Russia’s Reorganized and Rearmed

fortress’, Finnish Institute of International Affairs, Comment Military’, Carnegie Endowment for International Peace, May 2017,

no. 26/2016, December 2016, https://www.fiia.fi/wp-content/ https://carnegieendowment.org/2017/05/03/assessing-russia-

uploads/2017/04/comment26_russia_s_new_information_ s-reorganized-and-rearmed-military-pub-69853. For instances

security_doctrine.pdf. of the use of similar techniques, see Dasha Zubkova, ‘Defense

4 Ministry of Defence, ‘Kontseptual’nye vzgliady na Ministry: Russia Sending SMS Messages Asking Residents of

deiatel’nost’ Vooruzhionnykh Sil Rossiiskoi Federatsii v Ukrainian Border Regions to Appear at Nearest Military Units’,

informatsionnom prostranstve’, 22 December 2011, http:// Ukrainian News, 27 November 2018, https://ukranews.com/en/

ens.mil.ru/science/publications/more.htm?id=10845074@ news/598565-defense-ministry-russia-sending-sms-messages-

cmsArticle. asking-residents-of-ukrainian-border-regions-to-appear.

5 Office of the President, ‘The Military Doctrine of the Russian 11 Ministry of Defence, ‘Nachal’nik General’nogo shtaba VS RF

Federation’, 25 December 2014, https://rusemb.org.uk/press/2029. general armii Valeriy Gerasimov provel brifing dlya inostrannykh

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 111


voyennykh attashe’, 24 December 2020, https://function.mil.ru/ Federation, the protection of internal sea waters, the territorial

news_page/country/more.htm?id=12331668@egNews. sea, the exclusive economic zone, the continental shelf and

12 Ministry of Defence, ‘Prevoskhodstvo v kiberprostranstve their natural resources, ensuring the information security

stanovitsya odnim iz usloviy pobedy v voynakh’, 22 April of Russia and exercising the basic functions of the federal

2019, https://function.mil.ru/news_page/country/more.htm?id= security services specified in the Russian legislation, as well

12227079@egNews. as coordinating the counterintelligence efforts of the federal

13 This observation is based on a review of the contents in two executive bodies’. See Russian Government, ‘Federal Security

key journals, Voennaia mysl’ and Informatsionnye voiny, from Service’, http://government.ru/en/department/113.

2017 to 2021. A possible explanation of the lack of attention to 24 Sluzhba vneshnei razvedki

the technical aspects is that in Russia there is much less public 25 Glavnoe razvedyvatel’noe upravlenie

information on those subjects. 26 Glavnoe upravlenie

14 Federal’naia sluzhba bezopasnosti 27 United States Office of the Director of National Intelligence,

15 See President of Russia, ‘Security Council structure’, http:// ‘Assessing Russian Activities and Intentions in Recent US

en.kremlin.ru/structure/security-council/members. Elections’, 6 January 2017, p. ii, https://www.dni.gov/files/

16 ‘Russian domestic security service launch new dedicated documents/ICA_2017_01.pdf.

center to counter cyberattacks’, Russia Today, 11 September 28 Mark Galeotti, ‘Russian intelligence is at (political) war’, NATO

2018, https://www.rt.com/russia/438142-russian-security-cyber- Review, May 2017, https://www.nato.int/docu/review/2017/

attacks. also-in-2017/russian-intelligence-political-war-security/en/

17 Federal’naia sluzhba po tekhnicheskomu i eksportnomu index.htm.

kontroliu 29 Sistema operativno-razysknykh meropriiatii

18 Responsibility for key missions was assigned to FSTEK in 30 Keir Giles and Kim Hartmann, ‘Socio-Political Effects of Active

Decree no. 569 of 25 November 2017, ‘Ukaz Prezidenta RF ot Cyber Defence Measures’, in P. Brangetto, M. Maybaum and

25 noiabria 2017 g. N 569 “O vnesenii izmenenii v Polozhenie J. Stinissen (eds), 6th International Conference on Cyber Conflict,

o Federal’noi sluzhbe po tekhnicheskomu i eksportnomu Proceedings (Tallinn: NATO CCDCOE Publications, 2014),

kontroliu, utverzhdennoe Ukazom Prezidenta Rossiyskoi https://www.ccdcoe.org/uploads/2018/10/d0r0s0_giles.pdf.

Federatsii ot 16 avgusta 2004 g. N 1085’”, http://ivo.garant.ru/#/ 31 Ibid.

document/71818302/paragraph/1:0. 32 David E. Sanger, Nicole Perlroth and Julian E. Barnes, ‘As

19 Roger McDermott, ‘Russia Activates New Defense Understanding of Russian Hacking Grows, So Does Alarm’,

Management Center’, Eurasia Daily Monitor, vol. 11, no. New York Times, 2 January 2021, https://www.nytimes.
196, 2 November 2014, https://jamestown.org/program/ com/2021/01/02/us/politics/russian-hacking-government.html.

russia-activates-new-defense-management-center. 33 Ellen Nakashima, ‘Cyber Intruder Sparks Response,

20 Keir Giles, ‘Russia’s “New” Tools for Confronting the West – Debate’, Washington Post, 8 December 2011, https://www.

Continuity and Innovation in Moscow’s Exercise of Power’, washingtonpost.com/national/national-security/cyber-intruder-

Russia and Eurasia Programme, Chatham House, March sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html.

2016, p. 25, https://www.chathamhouse.org/sites/default/files/ 34 Andrew Foxall, ‘Putin’s Cyberwar: Russia’s Statecraft in the

publications/2016-03-russia-new-tools-giles.pdf. Fifth Domain’, Russia Studies Centre Policy Paper no. 9 (2016),

21 Ministry of Defence, ‘Nachal’nik NTsUO general-polkovnik The Henry Jackson Society, May 2016, https://www.

Mikhail Mizintsev vystupil s dokladom na konferentsii “Razvitiye stratcomcoe.org/afoxall-putins-cyberwar-russias-statecraft-

sistemy mezhvedomstvennogo vzaimodeystviya v oblasti fifth-domain.

oborony v 2020 godu”’, 20 November 2020, https://function.mil. 35 Cory Bennett, ‘Kremlin’s ties to Russian cyber gangs sow US

ru/news_page/country/more.htm?id=12325783@egNews. concerns’, Hill, 11 October 2015, http://thehill.com/policy/

22 Komitet gosudarstvennoi bezopasnosti cybersecurity/256573-kremlins-ties-russian-cyber-gangs-sow-

23 The FSB has ‘authority to implement government policy in the us-concerns.

national security of the Russian Federation, counterterrorism, 36 For the tech companies in the 2020 Fortune Global 500 ranking,

the protection and defence of the state border of the Russian see ‘Global 500’, Fortune, https://fortune.com/global500/2020/

112 The International Institute for Strategic Studies


search/?sector=Technology. For the telecoms companies, see https://meduza.io/en/news/2020/02/13/russian-court-fines-

‘Global 500’, Fortune, https://fortune.com/global500/2020/searc twitter-62-840-dollars-for-refusing-to-localize-user-data.

h/?sector=Telecommunications. 48 Ibid.

37 Office of the President, ‘Ukaz Prezidenta Rossiiskoi Federatsii o 49 CERT-GIB was originally a Russian private-sector initiative,

Strategii po razvitii informatsionnogo obshchestva v Rossiiskoi in 2011, which has since grown into a global business. See

Federatsii na 2017–2030 gody’, 10 May 2017, http://publication. Group-IB, https://www.group-ib.com.

pravo.gov.ru/Document/View/0001201705100002?index=0&ra 50 Gosudarstvennaya sistema obnaruzheniya, preduprezhdeniya

ngeSize=1. i likvidatsii posledstvii komp’yuternikh atak

38 Sergey Sukhankin, ‘Russia Adopts New Strategy for 51 Dmitriy Kuznetsov, ‘GosSOPKA: chto takoe, zachem nuzhna i

Development of Information Society’, Eurasia Daily Monitor, kak ustroena’, Anti-Malware.ru, 2 April 2019, https://www.anti-

vol. 14, no. 66, 16 May 2017, https://jamestown.org/program/ malware.ru/analytics/Technology_Analysis/gossopka-what-

russia-adopts-new-strategy-development-information- is-it-how-it-works. A list of the relevant laws and regulations,

society. in Russian, can be found at ‘Normativnye dokumenty v

39 Fond obshchestvennoe mnenie, ‘Internet i onlain servisy’, 31 oblasti GosSOPKA i bezopasnosti KII’, Positive Technologies,

March 2020, https://fom.ru/SMI-i-internet/14402. 23 July 2019, https://www.ptsecurity.com/ru-ru/research/

40 Ibid. knowledge-base/terminology-gossopka-kii-full-version.

41 ‘The Inclusive Internet Index 2020’, Economist Intelligence 52 Kuznetsov, ‘GosSOPKA: chto takoe, zachem nuzhna i kak

Unit, https://theinclusiveinternet.eiu.com/explore/countries/ ustroena’.

performance?category=affordability. 53 ‘“InfoTeKS” podklyuchil pervyi region k GosSOPKA’, Comnews,

42 ‘Russia’s Communications Ministry plans to isolate the RuNet 12 July 2019, http://www.comnews.ru/content/120767/2019-07-12/

by 2020’, Vedomosti, 13 May 2016, carried by meduza.io, https:// infoteks-podklyuchil-pervyy-region-k-gossopka.

meduza.io/en/news/2016/05/13/communications-ministry-plans- 54 ‘Ob utverzhdenii Pravil predostavleniia subsidiy iz

to-isolate-runet-by-2020. federal’nogo byudzheta na sozdanie otraslevogo tsentra

43 See Juha Kukkola, ‘The Russian Segment of the Internet as a Gosudarstvennoi sistemy obnaruzheniia, preduprezhdeniia

Resilient Battlefield’, in Juha Kukkola, Mari Ristolainen and likvidatsii posledstvii komp’iuternykh atak (GosSOPKA) i

Juha-Pekka Nikkarila (eds), GAME PLAYER: Facing the structural vklyuchenie ego v sistemu avtomatizirovannogo obmena

transformation of cyberspace (Helsinki: Finnish Defence Research informatsiei ob aktual’nykh kiberugrozakh’, Ofitsial’nyi

Agency, 2019), pp. 117–32, https://maanpuolustuskorkeakoulu. internet-portal pravovoi informatsii, 9 October 2019, http://

fi/documents/1948673/10330463/PVTUTKL+julkaisuja+11+Ga publication.pravo.gov.ru/Document/View/0001201910090023.
me+Player.pdf/9ff35e9b-3513-c490-c188-3e3f18e71bdd/PVTUT 55 ‘2020: Zapusk Tsentra monitoringa i reagirovaniia s pravom

KL+julkaisuja+11+Game+Player.pdf. ispolniat’ funktsii tsentra GosSOPKA’, TAdviser, 5 March

44 Justin Sherman, ‘Russia’s Domestic Internet Is a Threat to 2020, https://www.tadviser.ru/index.php/Продукт:Код_

the Global Internet’, Slate, 24 October 2019, https://slate.com/ Безопасности:_Центр_ мониторинга_и_реагирования.

technology/2019/10/russia-runet-disconnection-domestic- 56 Valeria Pozychanyuk and Petr Mironenko, ‘FSB potrebovala

internet.html. ot internet-servisov onlain-dostup k dannym i perepiske

45 Union of Concerned Scientists, ‘UCS Satellite Database’, 1 pol’zovatelei’, The Bell, 11 February 2020, https://thebell.io/fsb-

January 2021, https://www.ucsusa.org/resources/satellite-database. potrebovala-ot-internet-servisov-onlajn-dostup-k-dannym-i-

46 The data-localisation law was passed in 2015 and perepiske-polzovatelej.

augmented in 2019 with tougher penalties for non- 57 GMA Consult Group, ‘Russia Authorizes 16 Preinstalled

compliance. See Gorodissky and Partners, ‘Russia Sets Applications for All Smartphones and Tablets’, 20 December

$280,000 Fine for Breaching Data Localization Law’, 10 2020, https://www.gma.trade/single-post/russia-authorizes-16-

September 2019, https://www.lexology.com/library/detail. preinstalled-applications-for-all-smartphones-and-tablets.

aspx?g=5b43dda3-d68f-4f5b-8767-9846b649b5d9. 58 ‘Russia: Growing Internet Isolation, Control, Censorship’,

47 ‘Russian court fines Twitter and Facebook 62,840 dollars each Human Rights Watch, 18 June 2020, https://www.hrw.org/news/

for refusing to localize user data’, Meduza, 13 February 2020, 2020/06/18/russia-growing-internet-isolation-control-censorship.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 113


59 Kukkola, ‘The Russian Segment of the Internet as a Resilient Foreign Relations, 29 October 2018, https://www.cfr.org/blog/

Battlefield’, p. 117. unpacking-competing-russian-and-us-cyberspace-resolutions-

60 International Telecommunication Union, ‘Global Cybersecurity united-nations.

Index 2018’, p. 62, https://www.itu.int/dms_pub/itu-d/opb/str/ 69 Anton Troianovski and David E. Sanger, ‘Putin Wants a Truce

D-STR-GCI.01-2018-PDF-E.pdf. in Cyberspace – While Denying Russian Interference’, New York

61 ‘DDoS attacks on Russian online retailers double in 2020’, Times, 25 September 2020, https://www.nytimes.com/2020/09/25/

TASS, 16 February 2021, https://tass.com/economy/1256821. world/europe/russia-cyber-security-meddling.html.

62 ‘Data leaks from Banks of Russia’, TAdviser, 29 January 2021, 70 The OEWG’s full name is the Open-ended Working

https://tadviser.com/index.php/Article:Date_leaks_from_ Group on Developments in the Field of Information and

Banks_of_Russia#.2A_The_number_of_leaks_from_the_ Telecommunications in the Context of International Security.

financial_sector_in_Russia_grew_by_a_third. For details on its activities, see United Nations Office for

63 Lawrence Abrams, ‘Russian government warns of US Disarmament Affairs, ‘Open-ended Working Group’, https://

retaliatory cyberattacks’, Bleeping Computer, 23 January www.un.org/disarmament/open-ended-working-group.

2021, https://www.bleepingcomputer.com/news/security/ 71 Michael Birnbaum, ‘Russian submarines are prowling around

russian-government-warns-of-us-retaliatory-cyberattacks/. vital undersea cables. It’s making NATO nervous’, Washington

64 Presidential Administration, ‘Federal Security Service Board Post, 22 December 2017, https://www.washingtonpost.com/

meeting’, 24 February 2021, http://en.kremlin.ru/events/ world/europe/russian-submarines-are-prowling-around-

president/news/65068. vital-undersea-cables-its-making-nato-nervous/2017/12/22/

65 Presidential Administration, ‘Extended meeting of  Russian d4c1f3da-e5d0-11e7-927a-e72eac1e73b6_story.html.

Interior Ministry Board’, 3 March 2021, http://en.kremlin.ru/ 72 Andy Greenberg, ‘A Brief History of Russian Hackers’ Evolving

events/president/news/65090. False Flags’, Wired, 21 October 2019, https://www.wired.com/

66 Angelina Krechetova and Ekaterina Kinyakina, ‘Minkomsviazi story/russian-hackers-false-flags-iran-fancy-bear.

povelo itogi pervykh uchenii po zakonu o “suverennom 73 Anton Troianovski and Ellen Nakashima, ‘How Russia’s

RuNete”’, Vedomosti, 23 December 2019, https://www. military intelligence agency became the covert muscle in

vedomosti.ru/technology/news/2019/12/23/819484-suverennom- Putin’s duels with the West’, Washington Post, 28 December

runete. 2018, https://www.washingtonpost.com/world/europe/how-

67 Since a UN General Assembly resolution in 2004, a UN Group russias-military-intelligence-agency-became-the-covert-

of Governmental Experts (GGE) has convened for two-year muscle-in-putins-duels-with-the-west/2018/12/27/2736bbe2-

terms to address international-security aspects of cyberspace. fb2d-11e8-8c9a-860ce2a8148f_story.html.


It was known as the GGE on ‘Developments in the Field 74 ‘SBU Blocks 103 Russian Cyber Attacks to Prevent Theft of State

of Information and Telecommunications in the Context of Bodies Data: Security Service of Ukraine’, Security Service of

International Security’ until 2018, when it was renamed the GGE Ukraine, 6 May 2020, https://www.sbu.gov.ua/en/news/1/

on ‘Advancing Responsible State Behaviour in Cyberspace in the category/1/view/7559#.SMNp6d9O.dpbs.

Context of International Security’. In cyberspace-policy circles it 75 White House, ‘Press Briefing by Press Secretary Jen Psaki and

is common to refer to it simply as ‘the GGE’. See UN Office for Deputy National Security Advisor for Cyber and Emerging

Disarmament Affairs, ‘Developments in the field of information Technology Anne Neuberger, February 17, 2021’, https://

and telecommunications in the context of international security’, www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/

https://www.un.org/disarmament/ict-security. press-briefing-by-press-secretary-jen-psaki-and-deputy-national-

68 Alex Grigsby, ‘Unpacking the Competing Russian and U.S. security-advisor-for-cyber-and-emerging-technology-anne-

Cyberspace Resolutions at the United Nations’, Council on neuberger-february-17-2021.

114 The International Institute for Strategic Studies


10. Iran

Iran regards itself as being in an intelligence and Iran will not be able to boost its indigenous cyber-
cyber war with its enemies. In 2010, when the Stuxnet defence capability easily or quickly. Its overall cyber
attack on Iran by the United States and Israel was capabilities do not match the scale and sophistica-
revealed, the country had little access to international tion of its ballistic-missile or nuclear programme. For
cyber-security suppliers and only a very small num- example, it lacks the resources, talent and technical
ber of domestic researchers in the field. Since then, infrastructure needed to develop and deploy sophis-
however, it has become a determined cyber actor ticated offensive cyber capabilities, even though it has
against US, Gulf Arab and Israeli interests. At the used lower-level offensive cyber techniques widely,
same time, a perceived need to quell domestic oppo- with some success. Iran is a third-tier cyber power
sition through increased internal cyber surveillance that makes use of less sophisticated cyber technolo-
has dovetailed with the government’s desire to coun- gies and operational capabilities to serve its strategic
ter external threats. However, economic depression, goals, which include espionage, power projection
political turmoil and internal deficiencies suggest that and strategic signalling.

Strategy and doctrine


Iran’s approach to cyberspace is inherently bound to its doctrines. The main indicators are therefore organisa-
domestic authoritarian policies and its international con- tional reforms and associated legislation. The Iranian
frontations. The stage for current domestic policy was Cyber Army, a group of pro-regime hackers with pre-
set in 2009 when the Islamic Revolutionary Guard Corps sumed links to the IRGC and pledging loyalty to Supreme
(IRGC) took over the Telecommunications Company of Leader Ayatollah Ali Khamenei, began operating in 2009
Iran after large-scale protests against the regime that as the direct result of concern among conservative forces
were fuelled by social media.1 The development of in Iran about anti-government and pro-Western internet-
Iran’s international cyber policy can be traced back to based propaganda. The armed forces set up a Cyber
the Stuxnet attacks on the country that were revealed in Defense Command in 2010, and in 2011 a Cyber Police
2010 and attributed to the United States and Israel. Force was created with the aim of protecting ‘national and
In most areas related to security in cyberspace, Iran religious identity, community values, legal liberty and
has not published any formal strategy documents or critical national infrastructure from electronic attack’.2

List of acronyms
CERT Computer Emergency Response Team MOIS Ministry of Intelligence and Security
ICT information and communications technology NCC National Cyberspace Center
IRGC Islamic Revolutionary Guard Corps NPDO National Passive Defense Organization
IRGC-IO Islamic Revolutionary Guard Corps Intelligence
Organization

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 115


A Supreme Council for Cyberspace, headed by the tactics’.7 In July 2020 the General Staff of the armed
Supreme Leader, was created in 2012 with the twin goals forces issued a declaration on Iran’s view of its right to
of ‘fully exploiting the positive potential of Iranian cyber- retaliate against cyber attacks, a document that could
space’ and ‘protecting the country and people from the almost be regarded as an official statement of the coun-
negative potential of cyberspace’.3 Two of its more specific try’s cyber strategy.8 Its aim was to clarify the ‘concepts,
objectives were to provide government support to pro- macro policies and the framework of the activities of
regime hacker groups and to develop science, research, the armed forces against increasing and various threats
cultural policy and strategic studies related to cyberspace.4 of cyberspace’. The declaration stated that Iran would
In 2013, parliament passed a law to set up a National regard ‘any intentional use of cyber force with tangi-
Cyberspace Center (NCC) with wide-ranging policy ble or non-tangible implications’ within its borders as
aims. The text of the legislation stated the aims of the a violation of its sovereignty, and reserved the right to
NCC in such detail that it resembled the cyber-security retaliate with military force if a cyber operation crossed
strategy documents of some countries.5 The provisions the threshold of a ‘conventionally armed attack’.
included expanding the country’s sovereign ICT capabil- In summary, Iran’s strategic outlook has a great bear-
ity in the face of powerful global corporations. They fore- ing on its approach to the threats and opportunities that
shadowed an increase in domestic content for the World cyberspace presents. This is particularly the case with
Wide Web, the promotion of religious and state ideol- its doctrine of strategic depth, which is aimed against
ogy, and preparations for a ‘culture war’ with the coun- its traditional regional adversaries (Israel, and the
try’s enemies. The law also called for diplomatic actions Sunnis led by Saudi Arabia) and in which it perceives
on the international stage, aimed at limiting the influ- an opportunity to penetrate the networks of the US. Its
ence of any superpower over governance of the internet cyber capabilities are also moulded by internal organi-
and protecting what it called the ‘international rights’ of sational rivalries. As with Iranian strategy in general,
Iranian internet users. The NCC appears to have coordi- the approach to cyberspace has an innate duality, with
nating responsibilities on behalf of the Supreme Council pragmatic regional-security considerations coexisting
across all the cyber organisations. In some areas of policy uncomfortably with a more dogmatic attempt to protect
the Supreme Council has chosen to work directly with and export Iran’s Islamic Revolution.9
lower-level entities such as the Ministry of Information
and Communications Technology. Governance, command and control
On the international front, Iran remains preoccupied The Supreme Council for Cyberspace, chaired by the
with the US, Israel and the Gulf Arab states. After car- president, is Iran’s highest policymaking authority
rying out successful cyber attacks against US banks in in the field. It comprises 27 members from different
2012 without significant retaliation, the Iranian regime areas of government and society, including the armed
felt that it was getting its cyberspace-security policy in forces, the IRGC, the judiciary, parliament, state-run
order. An IRGC general declared in 2013 that Iran was radio and television stations, the police, and the minis-
the ‘fourth-biggest cyber power among the world’s tries of Information and Communications Technology,
cyber armies’,6 a claim based on unverified reports that Intelligence and Security, Culture and Science. It over-
the government could rely on a cyber militia force of sees the regime’s censorship policies as they apply to the
120,000 specialists. These appear to be exaggerated. internet, and regulates the country’s internet exchange
In 2019, the commander-in-chief of the IRGC, Major- points (IXPs), network separation and content-filtering.10
General Hossein Salami, declared that Iran was ‘in an The main cyber agencies in Iran are as follows:
atmosphere of full-blown intelligence war with the US’
and other ‘enemies of the Revolution and the Islamic • the NCC
system’, with the country subjected to a combination • the National Passive Defense Organization
of ‘psychological warfare and cyber operations, mili- (NPDO), responsible for cyber civil defence
tary provocations, public diplomacy and intimidation and the protection of critical infrastructure

116 The International Institute for Strategic Studies


• the Cyber Police Core cyber-intelligence capability
• the IRGC Intelligence Organization (IRGC-IO), The MOIS is Iran’s primary signals-intelligence agency.
responsible for offensive cyber operations Despite its designation as a ministry, and the fact that
• Cyber Defense Command, part of the armed the minister is appointed by the president (subject to
forces, and also involved in offensive cyber approval by the Supreme Leader), the MOIS acts more
operations as an independent executive body. It has a remit to
• the Ministry of Intelligence and Security monitor domestic political threats, undertake foreign
(MOIS), responsible for signals intelligence intelligence collection and conduct counter-intelligence
• the Intelligence Protection Organizations operations.16 It oversees all covert operations and usu-
within the armed forces and other govern- ally carries out domestic operations itself, while the
ment agencies.11 IRGC Quds Force runs extraterritorial operations such
as sabotage, assassinations and human intelligence
There are therefore five main channels of command: collection. It is the MOIS that cooperates with foreign
through the NCC, the IRGC, the armed forces, the MOIS intelligence agencies, most notably Russia’s External
and the civil sector (including the NPDO and the police, Intelligence Service. The country’s cyber-intelligence
which often vie for influence). Through its militia force capabilities are probably affected by the duplication
the Basij, the IRGC commands cyber units and prox- and competition that exist between its two main intel-
ies including the IRGC Electronic Warfare and Cyber ligence organisations, the IRGC-IO and the MOIS.17 The
Defense Organization and the Basij Cyber Council.12 IRGC-IO is perhaps the most powerful security agency
The governance of cyber policy in Iran has devel- in Iran and almost certainly plays a role in foreign and
oped through two decades of political turmoil, a sense domestic cyber operations and in policy-setting.18
of victimhood in the face of international confronta- Iran continues to be outmatched by Israel in terms
tion and sanctions, and the imperative of defeating of regional intelligence reach, with Stuxnet just an early
domestic and foreign enemies of the regime. The example. Though Iranian cyber operations have been
country has been involved in proxy wars in Iraq, detected in networks in the US, the United Kingdom and
Syria and Yemen, and there has been regular military elsewhere, the speculative and unsophisticated nature of
tension with US and Israeli forces in the region. The those operations suggests Iran lacks any meaningful global
Supreme Council for Cyberspace nominally provides a cyber-intelligence reach. It remains to be seen whether, in
multi-stakeholder forum where non-political and non- the wake of the Syrian conflict, Iranian capabilities might
military needs, such as cyber security for commer- in time benefit from closer cooperation with Russia.
cial enterprises, can be addressed. Although it does Little detail is known about the numbers of Iranian
indeed carry out that role, national security is always cyber-intelligence personnel or their level of training.
a priority and has intensified since the assassinations However, the published budgets are small in compar-
in 2020 of Major-General Qasem Soleimani, the com- ison with those of states such as the UK. Skilled per-
mander of the Quds Force in the IRGC,13 and Mohsen sonnel with the right political allegiances are in short
Fakhrizadeh, who had led Iran’s nuclear programme supply, and most Iranian cyber operations use basic
for more than two decades.14 techniques. Many of those operations are contracted
Iran’s national Computer Emergency Response out, especially to research institutes.19
Team (CERT) is under the direction of the Ministry of
Information and Communications Technology. It coop- Cyber empowerment and dependence
erates with domestic agencies such as the Cyber Police The Iranian government has declared high ambitions for
and the NPDO’s Cyber Defense Command, cyber- the digital economy, though starting from a low base –
security centres in Iranian universities and also foreign in 2020 it stated that the digital sector accounted for 6.5%
CERTs in order to protect Iran’s cyberspace, investigate of GDP, in comparison with a global average of 15.5%.20
or mitigate incidents, and issue warnings.15 In early 2020 the Supreme Council for Cyberspace

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 117


discussed a five-year plan21 that would see the digital relocate overseas.29 In 2018, according to unofficial esti-
economy provide 10% of GDP by 2025 – potentially a mates, they accounted for less than 1% of GDP.30
significant expansion but still a far smaller contribu- The development of Iran’s digital economy has
tion than those made by the ICT sectors of Iran’s main been severely hampered by the authoritarian political
adversaries, Israel and the US. Targets for 2024 include environment and the consequences of geopolitical
internet or mobile infrastructure to reach 80% of rural confrontation with Western countries, particularly
villages with more than 20 households, and 80% of sanctions related to Iran’s lack of transparency over
Iranian households to have broadband access (with a its international nuclear obligations. United Nations
speed of at least 20 Mbps).22 In a global survey of digital sanctions were in force from 2006 to 2015 and the US
inclusion covering the period 2017–20, Iran was one of re-imposed its own sanctions in 2018 after withdrawing
the top ten most improved countries, though again start- from the Joint Comprehensive Plan of Action (JCPOA).
ing from a low base – it was ranked only 37th overall.23 In 2016 and 2017, the first two years of the JCPOA, Iran’s
In 2020 the Ministry of Information and GDP grew by 12.5% and 3.7% respectively, but with the
Communications Technology launched several infra- return of US sanctions it contracted by 5.4% in 2018 and
structure projects aimed at improving the country’s 6.5% in 2019.31 Even if the nuclear-related sanctions were
digital economy. These include the construction of a to be lifted completely, opposition among Western states
data centre in Tehran, the development of the National to other aspects of Iranian policy (on human rights,
Information Network – Iran’s tightly support for Hizbullah in Lebanon and
controlled domestic internet, which Iran is among the relations with Israel) would continue
has been under construction since to restrict ICT trade with European,
2013 – and a plan to support digital
top 20 countries North American, Japanese and South
businesses impacted by the COVID-19 in some areas Korean firms.
pandemic.24 The data centre in Tehran, of scientific Among the states actively
costing US$63 million, would pur- involved in AI research, Iran is one
portedly increase Iran’s overall data
research, of the least advanced. It was placed
capacity by 25%. Another large-scale including certain 33rd, for example, in a ranking
data centre has been built in Tabriz, aspects of AI based on contributions to the two
contributing to the sustainability of most prestigious AI conferences in
Iran’s network infrastructure and its capacity for cloud 2020.32 For AI in health/medicine research it has been
computing.25 ranked higher, for example in lists of the top countries
Iran is among the top 20 countries in some areas of according to numbers of published articles (12th posi-
scientific research, including certain aspects of artifi- tion) and citation rate (16th).33 Iran is looking to aug-
cial intelligence (AI),26 and Tehran appears in a list of ment its AI research capabilities through cooperation
the world’s top 50 research clusters in terms of patent- with Russia.34 It has been applying AI in the military
able research.27 However, the level of investment in ICT domain, for example in a large-scale drone-combat
research and development (R&D), both in the civilian drill35 and in the coordination of exercises involving
and the military domains, is probably lower than in air, sea and land assets.36
most countries with high ambitions in the sector: Iran Iran’s space programme has been developing slowly
spends less than 1% of GDP on government R&D across for two decades, with a mixture of civil-sector scientific
all sectors, a figure that rather contradicts the govern- inputs and very important military involvement (prin-
ment narrative about its scientific ambitions.28 Sanctions cipally the ballistic-missile programme).37 Its satellite-
imposed on Iran have also created a difficult business launch programme for civil-sector research began in
environment for the country’s tech start-ups and con- 2009. After several failed launches of civilian satellites
strained their growth. Although they enjoyed a boom in 2019 and early 2020, the IRGC successfully launched
period from 2013 to 2016, many have since tried to its first military-reconnaissance satellite, Noor, in April

118 The International Institute for Strategic Studies


2020, using a previously unknown space-launch vehi- approved national cyber-security frameworks, including
cle.38 While Noor is expected to be used for intelligence- for implementing recognised standards and accreditation
gathering and securing communications for the military, across the public and private sectors.48 Similarly, Iran
Iran’s progress in satellite launches has aroused con- still does not have any government-backed national
cerns about its possible use of the same technology in benchmarking system for assessing cyber security.
its missile programme.39 In February 2021 the country The global professional body for information-security
successfully test-launched a new rocket capable of lift- professionals, ISACA, has chapters in 188 countries but
ing a 220-kilogram satellite.40 none in Iran.49

Cyber security and resilience Global leadership in cyberspace affairs


Given the Iranian regime’s premium on secrecy and Iran’s cyber diplomacy has mainly focused on high-
deception, it is perhaps unsurprising that it has never lighting attacks against it by the US and Israel, with
published a meaningful cyber strategy. That does not much made of the Stuxnet attack in particular. Like
mean, however, that no coherent strategy exists. Attempts China and Russia, it wishes to reshape the future of
have been made to improve the systems for handling cyberspace and contest its domination by the West.
cyber emergencies. The NPDO, a quasi-military entity However, unlike China (or India for that matter), it
staffed mostly by IRGC and Basij personnel, is tasked does not have sufficient technical resources to do so,
with protecting critical national infrastructure. Its role either globally or within its region, and it also lacks the
and budget have expanded steadily since its formation diplomatic firepower to coalesce with other states in
in 2003.41 a way that would significantly influence international
The Ministry of Information and Communications cyberspace policy.
Technology is responsible for the development of a Nevertheless, Iran participates in several inter-
National Information Network designed to improve the national cyber initiatives. For example, the Ministry
security of internal data centres and ensure necessary of Information and Communications Technology
bandwidth. The regulation establishing the Supreme declares periodic civil cyber exercises with Russian
Council for Cyberspace called for increased national-level partners, listing several Iranian university cyber cen-
cyber training, as well as improvements to Iran’s systems tres as participants.50 Iran is an observer to the Shanghai
for detection, warning and information-sharing.42 The Cooperation Organisation, which is one of the main
NPDO began conducting modest cyber-defence exer- vehicles used by Russia and China to promote their
cises in 2010,43 and other agencies have also reported agenda on internet sovereignty, a vision that Tehran
occasional exercises since then. In 2018 the NCC set up shares. The national CERT is part of the team oper-
a special task force to counter US cyber operations and ated by the Organisation of Islamic Cooperation (OIC-
the armed forces announced a new, secure communica- CERT) and is a member of the Cybersecurity Alliance
tions system that they said was domestically designed for Mutual Progress led by South Korea’s Internet and
and produced.44 In 2019 the Ministry of Information and Security Agency.51 Overall, though, Iran’s priority has
Communications Technology announced that it was been its own cyber security rather than a broader role
implementing a cyber-defence programme called ‘Digital in global cyberspace affairs.
Fortress’.45 Overall, however, Iran’s scientific capabilities
in the area of cyber defence are not advanced, and there Offensive cyber capability
is little in the way of government planning that seems The Iranian regime first acknowledged its use of an
likely to change that.46 offensive cyber capability in 2010, when it disrupted the
Iran ranked only 60th out of 175 countries in the website of a domestic human-rights group in response
2018 Global Cybersecurity Index compiled by the to dissidents’ use of social media during the country’s
International Telecommunication Union (ITU).47 The ITU unrest in 2009. It is likely that domestic dissidents have
had previously highlighted the country’s lack of officially remained a priority target ever since.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 119


Iran’s first use of disruptive cyber capabilities interesting exception – it may have been an attempt to
against foreign targets, following the discovery of the pre-position a cyber capability on US critical national
Stuxnet virus in its nuclear centrifuges in 2010, was a infrastructure. But perhaps it also indicated the limits
series of basic denial-of-service attacks against banks in of Iran’s cyber-intelligence reach, as the dam was tiny
the US in 2012.52 Later in 2012 it carried out an attack in comparison to some of the United States’ colossal
against Saudi Aramco that was more audacious, using hydroelectric structures.58
a wiper virus (Shamoon) that disabled 30,000 comput- Overall, Iran has deployed offensive cyber for diverse
ers. Disruptive and destructive cyber operations have goals and against a range of targets worldwide. Its cumu-
remained a staple of Iranian statecraft, though used lative experience now represents a relatively high level of
quite sparingly.53 Information operations on Western operational maturity, with the regime’s embrace of cyber
social-media platforms, a new Iranian tactic, emerged operations firmly established as a useful instrument of
from around 2018.54 In 2020 Iran was allegedly behind national power. Most strikingly, cyber capabilities have
an unsuccessful cyber attack intended to disrupt Israeli enabled Iran to reach and deliver effect into the US in
critical national infrastructure (water supply and waste- ways it cannot achieve with conventional capabilities.
water treatment). 55 It also allegedly carried out attacks Nevertheless, the operations lack technical sophistica-
against more than 80 Israeli companies in retaliation tion. They show little sign of innovative indigenous tech-
for the November 2020 assassination of Fakhrizadeh, niques or procedures and seem to be readily detected
which it attributed to Israel.56 These included infiltrat- and attributed by Western companies. In part this may
ing the systems of Israel’s largest defence contractor be the result of relying on research institutes in univer-
and leaking its data.57 sities to devise and execute many of the attacks. Iran’s
While Iran has continued to conduct cyber opera- cyber capabilities are much less developed than those of
tions further afield, for example into commercial net- the West, both in quality and scale. Within its region its
works in the US, most of these appear to have been capabilities are certainly outmatched by those of Israel,
speculative and mainly for the purpose of data theft although Tehran has had successes in offensive cyber
rather than disruption. Its 2013 breach of the network against Saudi Arabia59 and some of the anti-government
of a small dam near New York appears to have been an groups in Syria.60

Notes

1 Daniel Baldino and Jarrad Goold, ‘Iran and the emergence of com/service/iran/archive/2013/02/02/387239/story.

information and communications technology: The evolution html.

of revolution?’,  Australian Journal of International Affairs, vol. 7 Zak Doffman, ‘Iran: “We Will Beat U.S. in Intelligence War” and

68, no. 1, 2014, pp. 17–35, p. 28. “Punish Mistakes With Crushing Strikes”’, Forbes, 19 May 2019,

2 See United Nations Institute for Disarmament Research, https://www.forbes.com/sites/zakdoffman/2019/05/19/iran-

UNIDIR Cyber Policy Portal, ‘Iran (Islamic Republic of)’, https:// we-will-beat-u-s-in-intelligence-war-and-punish-mistakes-

cyberpolicyportal.org/en/state-pdf-export/eyJjb3VudHJ5X2 with-crushing-strikes/?sh=9a225d25e16d.

dyb3VwX2lkIjoiNjUifQ. 8 ‘General Staff of Iranian Armed Forces Warns of Tough Reaction

3 See Small Media, ‘Iranian Internet Infrastructure and Policy to Any Cyber Threat’, Fars News Agency, 17 August 2020,

Report’, February 2014, p. 3, https://smallmedia.org.uk/sites/ https://www.farsnews.ir/en/news/13990527000544/General-Saff-

default/files/u8/IIIP_Feb2014.pdf. f-Iranian-Armed-Frces-Warns-f-Tgh-Reacin-Any-Cyber-Threa.

4 Ibid., p. 7. 9 See also International Institute for Strategic Studies, Iran’s Networks

5 Ibid., p. 4. of Influence in the Middle East (London: IISS, 2019), pp. 27–8.

6 ‘Iran Enjoys 4th Biggest Cyber Army in World’, Ahlul 10 Official Gazette of Iran, ‘Mosavabbe shoraye aali fazaye

Bayt News Agency, 2 February 2013, https://en.abna24. majazi dar khosoos siyasat haye hakem bar rah andazi noghat

120 The International Institute for Strategic Studies


tabadol terrafik dakheili (IXP) va ijad tamayoz beyne’, 22 21 ‘Iran Gov’t Outlines Projects to Expand Digital Economy’,

March 2013, http://www.rooznamehrasmi.ir/laws/ShowLaw. Financial Tribune, 2 February 2020, https://financialtribune.com/

aspx?Code=1152. articles/sci-tech/101979/iran-gov-t-outlines-projects-to-expand-

11 The Intelligence Protection Organisations operate as counter- digital-economy.

intelligence agencies, but also act as political police to suppress 22 Jamal Sophieh, ‘An Overview of Digital Economy and

opponents of the regime. Digital Transformation in Iran’, Ministry of Information and

12 Congressional Research Service, ‘Iranian Offensive Cyber Communications Technology, workshop presentation, July

Attack Capabilities’, 13 January 2020, https://fas.org/sgp/crs/ 2019, p. 22, https://www.itu.int/en/ITU-D/Regional-Presence/

mideast/IF11406.pdf. AsiaPacific/SiteAssets/Pages/Events/2019/jul-iran-dtx/

13 ‘Qasem Soleimani: US strike on Iran general was unlawful, Workshop-on-%E2%80%9CDigital-Transformation-in-Digital-

UN expert says’, BBC News, 9 July 2020, https://www.bbc. Economy%E2%80%9D/Session%2014%20-%20Iran.pdf.

com/news/world-middle-east-53345885. According to the BBC, 23 ‘Qatar, UAE, Iran and Egypt Making Big Strides in Digital

Soleimani was one of the most powerful intelligence officials in Inclusion’, Consultancy-me.com, 3 March 2021, https://www.

Iran, with a role that included directing clandestine missions in consultancy-me.com/news/3430/qatar-uae-iran-and-egypt-

other countries. making-big-strides-in-digital-inclusion.

14 ‘Mohsen Fakhrizadeh: “Machine-gun with AI” used to kill Iran 24 ‘Iran Unveils Four Mega Projects to Boost Digital Economy’,

scientist’, BBC News, 7 December 2020, https://www.bbc.com/ Iran Front Page, 28 May 2020, https://ifpnews.com/

news/world-middle-east-55214359. iran-unveils-four-mega-projects-to-boost-digital-economy.

15 See ‘Markazeh modiriyat emdaad va hamahangie amaliyate 25 ‘Iran to Open Second Largest Data Center over Weekend:

rokhdad haye rayaneh ei’, https://cert.ir/index. Minister’, Pars Today, 25 June 2020, https://parstoday.com/en/

16 Carl Anthony Wege, ‘Iran’s Intelligence Establishment’, news/iran-i122999.

Intelligencer, Summer 2015, pp. 64–5, https://www.afio.com/ 26 See S.F. Wamba et al., ‘Are we preparing for a good AI society?

publications/WEGE%20Iranian%20Intel%20Services%20 A bibliometric review and research agenda’, Technological

2015%20Sep%2001%20FINAL.pdf. Forecasting and Social Change, 2020, https://www.sciencedirect.

17 Eric Randolph, ‘Iranian IRGC consolidates primacy com/science/article/abs/pii/S0040162520313081?dgcid=rss_

in intelligence operations’, Janes, 19 August 2020, sd_all; and Jiqiang Niu et al., ‘Global research on artificial

https://www.janes.com/defence-news/news-detail/ intelligence from 1990–2014: Spatially-explicit bibliometric

iranian-irgc-consolidates-primacy-in-intelligence-operations. analysis’, ISPRS International Journal of Geo-Information, vol. 5,

18 Insikt Group, ‘Despite Infighting and Volatility, Iran Maintains no. 66, pp. 7–9, https://www.mdpi.com/2220-9964/5/5/66/pdf.
Aggressive Cyber Operations Structure’, Recorded Future, 27 Kyle Bergquist and Carsten Fink, ‘The Top 100 Science

2020, pp. 13–21, https://go.recordedfuture.com/hubfs/reports/ and Technology Clusters’, World Intellectual Property

cta-2020-0409.pdf. Organisation, 2020, p. 44, https://www.wipo.int/edocs/


19 Levi Gundert, Sanil Chohan and Greg Lesnewich, ‘Iran’s pubdocs/en/wipo_pub_gii_2020-chapter2.pdf.
Hacker Hierarchy Exposed: How the Islamic Republic of 28 Mehdi Garshasbi, ‘R&D still unappreciated’, Tehran

Iran Uses Contractors and Universities to Conduct Cyber Times, 2 January 2021, https://www.tehrantimes.com/

Operations’, Future’, 2018, https://go.recordedfuture.com/ news/456487/R-D-still-unappreciated.

hubfs/reports/cta-2018-0509.pdf. 29 Mohsen Tavakol, ‘Sanctions and Domestic Constraints Cripple

20 ‘Iran Unveils Four Mega Projects to Boost Digital Economy’, Iran’s Startups’, Atlantic Council, 7 February 2020, https://www.

IFP News, 28 May 2020, https://ifpnews.com/iran-unveils-four- atlanticcouncil.org/blogs/iransource/sanctions-and-domestic-

mega-projects-to-boost-digital-economy. For an assessment constraints-cripple-irans-startups/.

by Iranian economists, see Amir Hossein Mozayani and 30 Najmeh Bozorgmehr, ‘Start-up Republic: Can Iran’s Booming

Niloofar Moradhassel, ‘How Much Has ICT Contributed Tech Sector Thrive?’, Financial Times, 17 April 2018, https://

to Iran Economic Growth’, International Journal of Economics www.ft.com/content/ca7ab580-3d71-11e8-b9f9-de94fa33a81e.

and Politics, vol. 1, no. 1, 2020, pp. 57–68, http://jep.sbu.ac.ir/ 31 International Monetary Fund, ‘Islamic Republic of Iran’,

article_87384.html. October 2020, https://www.imf.org/en/Countries/IRN.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 121


32 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United conclusions drawn was that ‘85% of the country’s infrastructures

States Stay Ahead of China?’, 21 December 2020, https:// can keep operating if the Internet is cut off’. He also reported plans

chuvpilo.medium.com/ai-research-rankings-2020-can-the- to conduct 64 exercises during the following two months. See

united-states-stay-ahead-of-china-61cf14b1216. ‘Tehran: No Sign of US Cyber Attack after Drone Downing’, Fars

33 Bach Xuan Tran et al., ‘Global evolution of research in artificial News Agency, 21 October 2019, https://www.farsnews.ir/en/

intelligence in health and medicine: A bibliometric study’, news/13980729000775/Tehran-N-Sign-f-US-Cyber-Aack-afer-

Journal of Clinical Medicine, vol. 8, no. 3, 14 March 2019, p. 9, Drne-Dwning.

https://www.mdpi.com/2077-0383/8/3/360/pdf. 44 ‘Defense Minister unveils Iran’s new cyber achievements’,

34 ‘Iran, Russia to Cooperate on Artificial Intelligence Research’, Iran Press, 22 December 2018, https://iranpress.com/en/

Islamic Republic News Agency, 3 September 2020, https://en.irna. iran-i130976-defense_minister_unveils_iran’s_new_cyber_

ir/news/84025992/Iran-Russia-to-cooperate-on-artificial-intelligence- achievements.

research. 45 Khosro Kalbasi, ‘Iran Sets Up Digital Fortress to Forestall

35 ‘Iran uses “artificial Intelligence” in drone drill’, Mehr Rising Cyber Threats’, Financial Tribune, 19 May 2019, https://

News Agency, 7 January 2021, https://en.mehrnews.com/ financialtribune.com/articles/sci-tech/98058/iran-sets-up-digital-

news/168208/Iran-uses-artificial-intelligence-in-drone-drill. fortress-to-forestall-rising-cyber-threats.

36 Michael Rubin, ‘Even Iran Wants an AI-Powered Military 46 See Y.M. Ramezan et al., ‘The Role and Influence of the

Drones’, National Interest, 25 December 2020, https:// Digital Economy on the Strategic Model for Development of

nationalinterest.org/blog/reboot/even-iran-wants-ai-powered- Cryptographic Science and Technology in the Islamic Republic

military-drones-175202. of Iran’, Journal of National Security, vol. 10, no. 35, Spring

37 Andrew Hanna, ‘Iran’s Ambitious Space Program’, The 2020, pp. 327–58, https://www.sid.ir/en/journal/ViewPaper.

Iran Primer, United States Institute for Peace, updated 1 aspx?ID=749286. The Journal of National Security is published

February 2021, https://iranprimer.usip.org/blog/2020/jun/23/ by the Supreme National Defense University of Iran. In the

iran%E2%80%99s-ambitious-space-program. abstract of their article, the authors state that ‘the main issue

38 ‘Iran Launches Its First Military Satellite’, Al-Jazeera, 22 … is the lack of a well-designed and strategic model for the

April 2020, https://www.aljazeera.com/news/2020/4/22/ development of cryptographic science and technology’.

iran-launches-its-first-military-satellite. 47 International Telecommunication Union, ‘Global Cybersecurity

39 Michael Elleman and Mahsa Rouhi, ‘The IRGC Gets into the Index 2018’, p. 64, https://www.itu.int/dms_pub/itu-d/opb/str/

Space-Launch Business’, International Institute for Strategic D-STR-GCI.01-2018-PDF-E.pdf.

Studies blog, 1 May 2020, https://www.iiss.org/blogs/ 48 International Telecommunication Union, ‘Global Cybersecurity

analysis/2020/05/iran-military-satellite-launch-irgc. Index & Cyberwellness Profiles’, 2015, p. 242, https://www.itu.

40 Hanna, ‘Iran’s Ambitious Space Program’. int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

41 Farzin Nadimi, ‘Iran’s Passive Defense Organisation: Another 49 ISACA – formerly the Information Systems Audit and Control

Target for Sanctions’, The Washington Institute, 16 August 2018, Association, but now known only by its acronym – is dedicated

https://www.washingtoninstitute.org/policy-analysis/view/ to system security. See http://www.isaca.org.

irans-passive-defense-organization-another-target-for-sanctions. 50 For more information on the partner centres, see https://cert.ir/

42 Mehdi Safari, Hesam Seyedin and Katayoun Jahangiri, partners.

‘Disaster risk governance in Iran: Document analysis’, Journal 51 The Cybersecurity Alliance for Mutual Progress brings together

of Education and Health Promotion, vol. 8, 2019, Table 5, https:// government bodies, public organisations and non-profit

www.ncbi.nlm.nih.gov/pmc/articles/PMC6691616. organisations from 46 countries (as of 2020), most of which are

43 BBC Monitoring, ‘Iranian Passive Defence Organization organizes developing economies. See https://www.cybersec-alliance.org/

“cyber exercises”’, Islamic Republic News Agency, 21 August camp/membership.do.

2011. The head of the NPDO, Brigadier-General Gholamreza 52 For some background, see ‘U.S.–Iran Tensions: Implications

Jalali, reported in October 2019 that it had held five exercises for Homeland Security’, Hearing before the Committee

in the year from 21 March 2018 to 20 March 2019, focusing on on Homeland Security, House of Representatives, 116th

the ‘functioning of cyberspace and the internet’. Among the Congress, 2nd Session, 15 January 2020, https://www.

122 The International Institute for Strategic Studies


govinfo.gov/content/pkg/CHRG-116hhrg41269/html/CHRG- 57 Omer Benjakob, ‘Iranian Cyberattack Claims New Victim –

116hhrg41269.htm. and Israeli Hackers Vow Revenge’, Haaretz, 4 January 2021,

53 For a list of similar attacks in the years since 2012, see Andrew https://www.haaretz.com/israel-news/tech-news/.premium.

Hanna, ‘The Invisible U.S.–Iran Cyber War’, The Iran Primer, HIGHLIGHT-iranian-cyberattack-claims-new-victim-and-

United States Institute for Peace, updated 5 November 2020, israeli-hackers-vow-revenge-1.9404606.

https://iranprimer.usip.org/blog/2019/oct/25/invisible-us-iran- 58 ‘Seven Iranian Hackers Indicted over Alleged Cyber Attacks

cyber-war. Targeting US Banks and NY Dam’, Trend Micro, 29 March

54 Ed Parsons and George Michael, ‘Understanding the Cyber 2016, https://www.trendmicro.com/vinfo/de/security/news/

Threat from Iran’, F-Secure, undated, https://www.f-secure. cyber-attacks/seven-iranian-hackers-indicted-over-attacks-on-

com/en/consulting/our-thinking/understanding-the- banks-ny-dam.

cyber-threat-from-iran. 59 Seth G. Jones et al., ‘Iran’s Threat to Saudi Critical

55 Catalin Cimpanu, ‘Two more cyber-attacks hit Israel’s water Infrastructure: The Implications of U.S.–Iranian Escalation’,

system’, ZDNet, 20 July 2020, https://www.zdnet.com/article/ CSIS, August 2019, https://csis-website-prod.s3.amazonaws.

two-more-cyber-attacks-hit-israels-water-system/. com/s3fs-public/publication/Jones_IransThreatSaudi_layout_

56 Jacob J, ‘Iranian Hacker Group Pay2Key Attacks Top Israeli UPDATE_09.17.pdf.

Defense Corporation, Leaks Data on Dark Web’, International 60 Insikt Group, ‘Despite Infighting and Volatility, Iran Maintains

Business Times, 21 December 2020, https://www.ibtimes.sg/ Aggressive Cyber Operations Structure’, Recorded Future,

iranian-hacker-group-pay2key-attacks-top-israeli-defense- 2020, p. 16, https://go.recordedfuture.com/hubfs/reports/cta-

corporation-leaks-data-dark-web-54341. 2020-0409.pdf.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 123


124 The International Institute for Strategic Studies
11. North Korea

North Korea’s cyber strategy is probably not formal- government and depends on a very small number of
ised and its operations have been characterised by gateways provided by Chinese and Russian service
opportunism. Little is known of its cyber-policy eco- providers – a lack of diversity that makes the con-
system. Since 2015 its publicly revealed cyber activity nections highly vulnerable to disruption. The coun-
has consisted mainly of large-scale cyber fraud and try’s level of cyber security is among the lowest in
extortion as a way of bolstering the country’s access the world. North Korea’s undertakings in cyberspace
to hard currency. It has also carried out acts of cyber are hampered by a low cyber-skills base, largely the
sabotage, including in retaliation for perceived insults result of its self-imposed isolation, weak education
to the leadership of the ruling Korean Workers’ Party. system and underdeveloped ICT sector. It has played
Control of cyber policy is firmly in the hands of the almost no part in global cyber diplomacy and has few
leadership, operating through the structures of the international relationships to support its cyber ambi-
party and the armed forces. North Korea lacks any tions. Despite its penchant for conducting offensive
sophisticated cyber-intelligence capability. It has a cyber operations, the techniques used are relatively
basic digital ecosystem, with between three and five basic, as it lacks the capability for sustained or sophis-
million devices connected to internal mobile net- ticated operations. Overall, though its cyber opera-
works, including via a government intranet. Access tions have achieved some global notoriety, North
to the global internet is strictly controlled by the Korea is a third-tier cyber power.

Strategy and doctrine


There is little evidence that North Korea has a formal because of financial and trade sanctions, classic espio-
cyber strategy or doctrine. Its approach can be gleaned nage (especially relating to strategic weapons systems),
partly from statements by the leadership, but conclu- and the occasional high-profile use of cyber operations
sions must otherwise be based on its observed activity. to score retaliatory geopolitical points.
The statements suggest North Korea has a mixture of According to South Korean sources, North Korean
grandiose and more conventional ideas about the use of leader Kim Jong-un views cyber power as central to
cyber operations during military conflict. The observed modern political and military competition.1 He is also
activity suggests the country’s priorities are domestic reported to have said prior to 2013 that ‘cyber warfare is
surveillance, threatening South Korea, stealing money an all-purpose sword that guarantees the North Korean
to gain access to hard currency otherwise unavailable People’s Armed Forces ruthless striking capability,

List of acronyms
ICT information and communications technology RGB Reconnaissance General Bureau
KWP Korean Workers’ Party

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 125


along with nuclear weapons and missiles’.2 His father North Korea has also engaged in industrial
and predecessor as leader, Kim Jong-il, is reported to espionage, with the armed forces targeting industries
have expressed similar sentiments. In 2010 he is reported in the aerospace, high-tech and manufacturing sectors
to have said: ‘If warfare was about bullets and oil until in South Korea and elsewhere in Asia. In 2020 the UN
now, warfare in the twenty-first century is about infor- Security Council Sanctions Committee on North Korea
mation. War is won and lost by who has greater access published a detailed report on the country’s criminal
to the adversary’s military technical information in activities in cyberspace, which consisted of stealing
peacetime, how effectively one can disrupt the adver- money from banks to fund the nuclear-weapons and
sary’s military command-and-control information, and missile-development programmes that are subject to
how effectively one can utilise one’s own information.’3 UN sanctions.10
Beyond this, North Korea’s strategy and doctrine The North Korean armed forces are believed to have
have to be deduced from what is known of the country’s developed offensive cyber capabilities for military
history of cyber attacks. Some analysts have attributed a purposes, with the aim of aiding conventional opera-
reasonable degree of coherence to its cyber operations. tions as part of its ‘quick war, quick end’ strategy.11
The United States Department of Defense, for example, Also known as the ‘short and decisive strategy’, this
has suggested that North Korea is able to leverage the adopts a blitzkrieg-like model of fast manoeuvre and
asymmetric edge that the cyber domain provides as local overwhelming force.12 But there is scant public
part of a ‘coercive diplomacy strategy’.4 evidence of planning or capability for sustained mili-
However, few North Korean attacks have reached the tary cyber operations beyond classic electronic warfare.
threshold that might be associated with the idea of coer- In wartime, North Korea would be likely to use cyber
cion.5 Most attacks have resembled outlaw raids, includ- weapons against South Korean civilian infrastructure
ing acts of retaliation, rather than a facet of sustained and could probably cause severe disruption even with
diplomacy. The main exception to this, and one that limited attacks. The country is likely also to have devel-
receives too little attention in the media, is the consist- oped plans to target South Korean military command-
ent cyber pressure North Korea exerts on South Korea’s and-control assets or other military systems.
institutions and civil infrastructure, including public
threats in 2014 against its civil nuclear industry.6 One of Governance, command and control
the most prominent examples of retaliation by sabotage North Korea’s cyber operations are conducted by the
was the compromising of Sony Pictures’ servers in 2014 armed forces and the intelligence agencies under the
before the release of The Interview, a comedy deriding direction of the Korean Workers’ Party (KWP). Kim
Kim Jong-un. Internal emails and employees’ personal Jong-un, as leader of the KWP and chairman of the
data were leaked, and company computers wiped clean.7 National Defense Commission, can exert direct control
In the wake of the economic sanctions imposed by over such operations. This direct connection between the
the United Nations in 2013, North Korea sought new leadership and the cyber units potentially increases the
ways to finance its cyber activities. From 2014 onwards, price of failure for the personnel involved.
experts detected, and attributed to North Korea, a series The Reconnaissance General Bureau (RGB, also
of complex extortion schemes and attacks on financial known as Unit 586) is the main intelligence organisa-
institutions and cryptocurrency dealers. A UN report tion. It was created in 2009 within the structure of the
in 2019 estimated that the gains from such operations General Staff of the armed forces, but most sources
totalled US$2 billion.8 One of the operations, in 2017, assume it now operates independently of the General
used the WannaCry ransomware in an unsophisticated Staff and reports directly to the leadership.
and uncontrolled way: the attack caused much more As for which units of the RGB are involved in cyber
widespread damage than it intended, shutting down operations, there are contradictory reports around the
untargeted computers in public services, institutions, structures and names. The lead cyber agency appears to
corporations and homes in about 150 countries.9 be the Cyber Warfare Guidance Unit (also referred to as

126 The International Institute for Strategic Studies


Unit 121 or Bureau 121).13 Its missions include assessment cyber-security company FireEye, these units focus on
of enemy computer systems and network vulnerabilities, intimidation, industrial espionage and preparations
exploiting such vulnerabilities for disruptive effect, and for high-intensity conflict, in which their role would
committing financial cyber crimes. Unit 121 appears to be be to disrupt adversaries’ command-and-control sys-
subordinate to the Technical Bureau of the RGB. At least tems in support of conventional military operations.
one source suggests it was set up in 2013 or 2014, and the Their targets are not only other countries’ armed forces
2014 Sony Pictures hack was attributed to it.14 and industries but also a diverse group of foreign anti-
There are reports suggesting that other units are regime activists, researchers and journalists.21
becoming more prominent, most notably Lab 110
(though this may just be a reorganised version of Unit Core cyber-intelligence capability
121 or a sub-unit of it). Identified units that are part of While little is known about North Korean core cyber-
Lab 110, or related to it, include: intelligence capabilities, it is safe to assume they have
two main priorities: regime continuity and early warn-
• Office 98, which focuses on surveillance of ing against military attack by the South Korean and
defectors (and their support networks) and US military forces stationed on or near the Korean
university professors in South Korea and Peninsula. Intelligence operations are also used to steal
overseas money from the international financial system to help
• Office 414, with facilities in China as well as mitigate the effects of economic sanctions.
Pyongyang, which targets foreign govern- The restrictions on internet access inside North Korea
ments and corporations for espionage and make it relatively easy for the regime to conduct compre-
possible disruption hensive surveillance of internet use. This would allow most
• Office 35, the technical bureau, which devel- of North Korea’s cyber-intelligence effort to be directed
ops malware and explores adversaries’ cyber at the South Korean and US military forces. Beyond the
vulnerabilities.15 Korean Peninsula, however, it is likely that North Korea’s
cyber-intelligence reach is very limited, except for small-
Unit 91, probably at the same administrative level as scale, short-term operations. The operations that have been
Lab 110, is responsible for high-priority projects such detected suggest a low level of tradecraft, though accord-
as targeting South Korea’s civil infrastructure and for ing to US assessments it is becoming more sophisticated.22
cyber espionage against foreign targets possessing According to reports from defectors, the total num-
nuclear and weapons-related technology.16 Unit 180 ber of personnel in North Korea’s cyber units increased
undertakes criminal cyber activities against foreign tar- to about 3,000 under Kim Jong-il and then to 6,000
gets for the purpose of stealing money.17 under Kim Jong-un , with most of the increase absorbed
Cyber-security companies in the West often refer to by Unit 121 of the RGB.23 A 2021 report suggests there
the RGB as ‘APT38’ (the acronym stands for ‘advanced has been a small further increase, to 6,800 personnel,
persistent threat’), and another distinct group, ‘APT37’, but that only 1,700 of them are ‘hackers’.24 The more
has also been identified.18 The latter is known for cov- specialised personnel are unlikely to be highly skilled,
ering its tracks by aggressively destroying forensic evi- given the low throughput of IT graduates from the
dence.19 ‘Lazarus’ and ‘TEMP. Hermit’ are the names North Korean education system and their limited access
given to two other groups connected to the RGB. to leading ICT technologies. The majority of the hack-
Although they all differ in their targeting patterns, some ers are probably involved in espionage. The number of
appear to be sharing tools and personnel.20 The nature of North Korean citizens formally educated in cyber tech-
their relationships with the RGB, including the degree nologies and eligible for recruitment into the cyber-
to which they are controlled by it, remains unknown. intelligence units is estimated to be quite low, with only
The General Staff reportedly also controls other around 100 students per year graduating from the rele-
cyber units apart from the RGB. According to the vant courses at the principal military university.25

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 127


Cyber empowerment and dependence In addition to restrictions on internet access, the
North Korea aims for total national self-reliance, includ- regime imposes controls in other parts of the network.
ing in advanced technology. However, the country’s For example, in order to facilitate government sur-
economy and education system provide very weak foun- veillance, the use of North Korea’s local Wi-Fi service
dations for this aspiration.26 Its people and businesses (Mirae) requires a SIM card for access. North Korea has
are denied access to the knowledge and wealth-creation also developed a modified Linux operating system, Red
opportunities available via the World Wide Web. Star, that can track users’ movements.36 Red Star was
The main mobile-phone network in North Korea developed by the regime’s IT-research institute, the
was introduced in 2008, when the 3G mobile net- Korean Computer Center, which was made into a com-
work Koryolink was first established through a joint mercial enterprise in 2015.37 Ownership of a computer
venture by Orascom Telecom Holding, an Egyptian depends on government approval, but many users can
company, and the Korea Post and Telecommunica- access US software.38
tions Corporation.27 The Chinese company Huawei was North Korea possesses notable software-
the underlying supplier that laid the foundations for development capabilities39 and has sought to emulate
Koryolink’s telecommunications structure, including India by becoming a hub for production outsourced
network integration and software services; it also helped by neighbouring countries (China, Japan and South
build a local encryption system.28 In 2014 an estimated Korea).40 Its tech firms, often operating behind front
2.8 million North Koreans, out of a companies, offer a wide range
population of about 25m, were using of capabilities to international
the Koryolink network.29 By 2019 the
North Korea’s customers, including website and
total number of mobile-phone users people and app development,41 business-
had risen to about 5m.30 North Korea’s businesses are management software, biometric-
mobile networks do not have direct identification applications, virtual
access to the global internet and must
denied access to private networks and facial-
instead operate via the government’s the knowledge and recognition software.42
intranet.31 The only mobile-phone wealth-creation The country has an active, if
users permitted to access the internet modest, space programme and
are within the higher echelons of the
opportunities has successfully launched two
KWP – fewer than 10,000 people in available via the satellites,43 in 2012 and 2016, fol-
total – and that access is encrypted. World Wide Web lowing three failed attempts.44
In the .kp range there are reportedly Although these satellites could
only nine top-level domains (such as potentially be used for recon-
co.kp, gov.kp and edu.kp) and around 25 subdomains naissance and precision-targeting purposes for its
available.32 Apart from using the IP addresses provided missile programmes,45 there is little publicly available
through these domains, North Koreans with permission evidence of North Korea attempting to establish a civil-
to do so can access the internet through one Chinese sector space-industrial base.46
and one Russian outlet, respectively China Netcom North Korea’s education system focuses on nurtur-
and a Russian satellite company apparently based ing technological talent, especially in its top universi-
in Lebanon.33 It seems the country’s ruling elite are ties – Kim Il-sung University, Kim Chaek University
internet savvy and also conscious of cyber security.34 It of Technology and Pyongyang University of Science
has been reported that their use of the internet surged and Technology. Courses in hacking are offered at
by 300% between 2017 and 2019, and that much of Moranbong University, with outstanding program-
the increase was due to the cyber-crime operations mers handpicked to attend.47 The existence of the new
aimed at alleviating the financial impact of UN and US Kim Jong-un University of National Defense, which is
sanctions.35 likely to focus on science and technology, was revealed

128 The International Institute for Strategic Studies


in 2020.48 For younger students, computing courses are their homes, Western states would have few qualms
part of the curriculum from elementary school onwards. about targeting cyber attacks at the national grid dur-
ing a conflict.
Cyber security and resilience
North Korea has very weak cyber defences, as indi- Global leadership in cyberspace affairs
cated by its very low position –171st out of 175 coun- As a member of the UN, North Korea has a place in
tries – in the 2018 Global Cybersecurity Index compiled organisations such as the ITU and at forums such as the
by the International Telecommunication Union (ITU).49 World Summit on the Information Society, but it has no
This stems from a low average level of technical skills record of diplomatic action on cyber norms and policies, or
and the government’s policy of isolation from the out- technical standards, that could be regarded as leadership.
side world – in comparison, even China has made use Its diplomatic interventions on such subjects are rare. In
of foreign specialists, including from the US, to help the UN General Assembly it regularly votes with Russia
develop national cyber security. There is no publicly and China on annual resolutions on cyberspace issues –
available plan for national cyber defence. in 2018, for example, it voted with 118 other countries
Although North Korea does not depend on the (against 46 Western-aligned ones) to support a resolution
global internet to the same degree as other states, it backed by Russia and China to establish the UN Open-
cannot entirely isolate itself. The fact that it relies on Ended Working Group on international-security aspects
only two international internet gateways is a key vul- of ICT developments.
nerability, and often even means that its hacker teams
can only be effective if deployed outside the country. Offensive cyber capability
Attacks aimed at disrupting North Korea’s internet North Korea has regularly conducted offensive cyber
connectivity have been a regular occurrence.50 An operations against South Korea since at least 2009. These
attack in March 2013 that severely restricted inter- have usually consisted of basic denial-of-service attacks
net access51 seems to have been retaliation by the US against, and leaking or wiping of data from, internet-
and South Korea after North Korean denial-of-service facing government and private-sector sites. Since the
attacks against South Korean television networks and imposition of harsher UN sanctions in 2013, North Korea
banks. In 2014 there was an internet blackout for two has used cyber capabilities to steal money from the
days after US president Barack Obama threatened global financial system: targets have included the SWIFT
retaliation for the attack on Sony Pictures.52 In 2018 the international-banking system, and banks in Bangladesh,
US announced a policy of ‘defend forward’ in cyber- Chile, South Korea, Taiwan and Vietnam. It also famously
space, aimed at disrupting the malicious behaviour in hacked and leaked data from Sony Pictures in 2014 and
cyberspace of countries including North Korea.53 In a was responsible for the indiscriminate 2017 WannaCry
conflict it would potentially be easy for an adversary to attack. A 2020 report by the US Cybersecurity and
deny North Korea all internet access by closing down Infrastructure Security Agency highlighted the ongoing
the two gateways it operates. threat that North Korean cyber operations pose to the
Though digital systems are not part of the daily stability of the international financial system.54 There
lives of the majority of North Koreans, they are cru- are also indications of some basic North Korean cyber-
cial for the country’s power stations and other infra- reconnaissance activity on critical national infrastructure
structure, including communications. Most of the in the region, especially in South Korea.
power stations have antiquated electronic control Overall, the methods employed by North Korea in its
systems and are likely to be highly insecure. The offensive cyber operations, and their level of sophistica-
most modern include the four hydroelectric plants tion, are largely indistinguishable from those of cyber
jointly operated by China, but these too would still be criminals. These include using and adapting capabili-
highly vulnerable to cyber attack. Since the majority ties developed by others: the attack on Sony Pictures
of North Koreans already live without electricity in used a variation of Iran’s Shamoon wiper capability,

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 129


while WannaCry was based on a capability leaked from and disrupt hardened networks. If tensions rise on the
a US intelligence agency. There is widespread detec- Korean Peninsula, as they did in 2010, the intensity of
tion and attribution of North Korean cyber activity by North Korean cyber operations is likely to increase.
Western cyber-security companies. Perhaps the greatest danger is that, either intentionally
North Korea’s cyber options in a major conflict would or by miscalculation, such operations would cross the
therefore be limited, and it certainly lacks the sort of threshold that separates virtual and financial impacts
cyber-intelligence reach that would allow it to penetrate from physical damage.

Notes

1 See Ji Young Kong, Jong In Lim and Kyoung Gon Kim, 11 Jenny Jun, Scott LaFoy and Ethan Sohn, North Korea’s

‘The All-Purpose Sword: North Korea’s Cyber Operations Cyber Operations (Washington DC: Center for Strategic and

and Strategies’, in T. Minárik et al. (eds), 11th International International Studies, 2016), https://www.csis.org/analysis/

Conference on Cyber Conflict: Silent Battle (Tallinn: NATO north-korea%E2%80%99s-cyber-operations.

CCDCOE Publications, 2019), pp. 1–20, https://ccdcoe.org/ 12 In-bum Chun, ‘North Korea’s Military Strategy’, Korea Economic

uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf. Institute of America, Washington DC, 2018, http://www.keia.org/

2 Ibid., p. 1. publication/north-korea%E2%80%99s-military-strategy-2018.

3 Ibid., p. 2. 13 Headquarters, Department of the Army, ‘North Korean Tactics’,

4 US Department of Defense, ‘Military and Security Developments 2020, p. E-1, https://fas.org/irp/doddir/army/atp7-100-2.pdf.

Involving the Democratic People’s Republic of Korea: Annual ‘Unit’ is one of the possible translations of the Korean word

Report to Congress, Washington DC’, 2012, https://archive. gug; alternatives include ‘bureau’ and ‘station’.

defense.gov/pubs/Report_to_Congress_on_Military_and_ 14 ‘North Korean Cyber Activity’, Recorded Future, 2017, p. 6, https://

Security_Developments_Involving_the_DPRK.pdf. go.recordedfuture.com/hubfs/reports/north-korea-activity.pdf.

5 Jenny Jun, ‘Cyber Coercion: Insights from North Korea’s Cyber 15 Kong, Lim and Kim, ‘The All-Purpose Sword’, p. 6, citing

Campaigns’, unpublished paper, 2020, p. 1. Moonbeom Park, ‘Let’s learn about enemy through various

6 Ibid., pp. 6–7. IoCs of real APT cases’, In DragonCon 2018, 8 December 2018,

7 Edgar Alvarez, ‘Sony Pictures Hack: The Whole Story’, Dragon Threat Labs.
Engadget, 10 December 2014, https://www.engadget. 16 Ibid., p. 6, citing Mok Yongjae, ‘6 Cyber Units were built after

com/2014/12/10/sony-pictures-hack-the-whole-story. Kim Jong-un regime’, RFA, 22 November 2017.

8 United Nations Security Council, ‘Report of the Panel of 17 Ibid., p. 6, citing Matthew Ha and David Maxwell, ‘Kim Jong

Experts established pursuant to resolution 1874 (2009), Un’s “All-Purpose Sword” – North Korean Cyber-Enabled

S/2019/691’, 30 August 2019, pp. 2, 26, https://www. Economic Warfare’, Foundation for Defense of Democracies,

securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C- October 2018, p. 13, https://www.fdd.org/wp-content/

8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf. uploads/2018/09/REPORT_NorthKorea_CEEW.pdf.

9 United States US-CERT, ‘North Korea Threat Advisory’, jointly 18 ‘APT 37 (Reaper): The Overlooked North Korean Actor’,

with the Department of State, the Department of Justice and FireEye, 2018, https://www2.fireeye.com/rs/848-DID-242/

the Federal Bureau of Investigation, 15 April 2020, p. 3, https:// images/rpt_APT37.pdf.

us-cert.cisa.gov/sites/default/files/2020-04/DPRK_Cyber_ 19 ‘APT 38: Un-usual suspects’, FireEye, p. 22, https://content.

Threat_Advisory_04152020_S508C.pdf. fireeye.com/apt/rpt-apt38.

10 UN Sanctions Committee, ‘Report of the Panel of Experts 20 Ibid.

established pursuant to resolution 1874 (2009), S/2020/151’, 21 Ibid., pp. 6–8.

United Nations Security Council, 2 March 2020, https://undocs. 22 US Department of State et al., ‘Guidance on the North

org/S/2020/151. Korean Cyber Threat’, 15 April 2020, p. 2, https://us-cert.

130 The International Institute for Strategic Studies


cisa.gov/sites/default/files/2020-04/DPRK_Cyber_Threat_ https://www.nytimes.com/2020/02/09/us/politics/north-korea-

Advisory_04152020_S508C.pdf. internet-sanctions.html.

23 HP Security Research, ‘Profiling an enigma: The mystery 36 Joel Gunter, ‘Analysis of North Korea’s computer system

of North Korea’s cyber threat landscape, 2014’, HP Security reveals spy files’, BBC News, 28 December 2015, https://www.

Briefing Episode 16, August 2014, https://time.com/wp-content/ bbc.com/news/world-asia-35188570.

uploads/2014/12/hpsr_securitybriefing_episode16_northkorea. 37 Mun Dong Hui, ‘North Korean web developers still in

pdf; and Department of the Army, ‘North Korean Tactics’, p. E-1. business in China despite lower numbers’, Daily NK, 19 April

24 ‘Bae saibeo jeonsa 6,800myeong … yeongjaehaggyoseo haekeo 2019, https://www.dailynk.com/english/north-korean-web-

yugseong’, Yunhap News, 18 February 2021, https://www.yna. developers-still-in-business-in-china-despite-lower-numbers.

co.kr/view/MYH20210218017300038. 38 Priscilla Moriuchi and Fred Wolens, ‘North Korea Relies on

25 Jason Bartlett, ‘Why Is North Korea So Good at Cybercrime?’, American Technology for Internet Operations’, Insikt Group,

Diplomat, 13 November 2020, https://thediplomat.com/2020/11/ 2018, https://go.recordedfuture.com/hubfs/reports/cta-2018-

why-is-north-korea-so-good-at-cybercrime. 0606.pdf.

26 Pratik Jakhar, ‘North Korea’s high-tech pursuits: Propaganda 39 See also Martyn Williams, ‘Kim Chaek University ranks 8th in

or progress?’, BBC News, 15 December 2018, https://www.bbc. international programming contest’, North Korea Tech, 4 May

com/news/world-asia-46563454. 2019, https://www.northkoreatech.org/2019/05/04/kim-chaek-

27 Ellen Nakashima, Gerry Shih and John Hudson, ‘Leaked university-icpc-2019; and Kelly Kasulis, ‘North Korean college

documents reveal Huawei’s secret operations to build North coders beat Stanford University in a 2016 competition. Here’s

Korea’s wireless network’, Washington Post, 22 July 2019, why that matters’, Mic, 4 December 2017, https://www.mic.

https://www.washingtonpost.com/world/national-security/ com/articles/186412/north-korean-college-coders-beat-stanford-

leaked-documents-reveal-huaweis-secret-operations-to-build- university-in-a-2016-competition-heres-why-that-matters.

north-koreas-wireless-network/2019/07/22/583430fe-8d12- 40 Koichiro Komiyama, ‘The Information Technology Industry in

11e9-adf3-f70f78c156e8_story.html. North Korea’, KGRI Working Papers, no. 4, February 2019, p.

28 Martyn Williams, ‘North Korea’s Koryolink: Built for 5, Keio University Global Research Institute, https://www.kgri.

Surveillance and Control’, 38 North, 22 July 2019, https:// keio.ac.jp/docs/S180620190226.pdf.

www.38north.org/2019/07/mwilliams072219. 41 See also Hui, ‘North Korean web developers still in business in

29 ‘ICT in N. Korea 2’, KBS World Radio, 31 January 2019, https:// China despite lower numbers’.

world.kbs.co.kr/service/contents_view.htm?lang=e&menu_ 42 Andrea Berger et al., ‘The Shadow Sector: North Korea’s

cate=northkorea&id=&board_seq=356891&page=6&board_ Information Technology Networks’, CNS Occasional Paper, no.


code=korea_closeup. 36, May 2018, https://www.nonproliferation.org/wp-content/

30 Williams, ‘North Korea’s Koryolink: Built for Surveillance uploads/2018/05/op36-the-shadow-sector.pdf.

and Control’. 43 For details of the successful launches of the satellites

31 Kim Ji-eun and Noh Ji-won, ‘North Korea’s Smartphone Industry Kwangmyongsong-3 and Kwangmyongsong-4 in 2012 and 2016
Rapidly on the Rise’, HanKyoreh, 17 March 2019, http://english. respectively, see ‘KMS 3-2’, NASA Space Science Data and
hani.co.kr/arti/english_edition/e_northkorea/886255.html. Coordinated Archive, 14 May 2020, https://nssdc.gsfc.nasa.
32 ‘How North Korea Revolutionized the Internet as a Tool for gov/nmc/spacecraft/display.action?id=2012-072A; and ‘KMS4’,
Rogue Regimes’, Recorded Future, 9 February 2020, p. 5, https:// NASA Space Science Data and CoordinatedArchive, 14 May 2020,
go.recordedfuture.com/hubfs/reports/cta-2020-0209.pdf. https://nssdc.gsfc.nasa.gov/nmc/spacecraft/display.action?id=
33 Ibid. 2016-009A.
34 Insikt Group, ‘Shifting Patterns in Internet Use Reveal 44 ‘Space Threat 2018: North Korea Assessment’, CSIS

Adaptable and Innovative North Korean Ruling Elite’, Aerospace, 12 April 2018, https://aerospace.csis.org/

Recorded Future, 25 October 2018, https://go.recordedfuture. space-threat-2018-north-korea.

com/hubfs/reports/cta-2018-1025.pdf. 45 Robert E. McCoy, ‘What Are the Real Purposes of Pyongyang’s

35 David E. Sanger, ‘North Korea’s Internet Use Surges, Thwarting New Satellites?’, Asia Times, 19 December 2017, https://asiatimes.

Sanctions and Fueling Theft’, New York Times, 11 June 2020, com/2017/12/real-purposes-pyongyangs-new-satellites.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 131


46 Todd Harrison et al., ‘Threat Assessment 2020’, CSIS Aerospace, trump-signed-presidential-directive-ordering-actions-to-

March 2020, p. 36, https://aerospace.csis.org/wp-content/ pressure-north-korea/2017/09/30/97c6722a-a620-11e7-b14f-

uploads/2020/03/Harrison_SpaceThreatAssessment20_WEB_ f41773cd5a14_story.html.

FINAL-min.pdf#page=52. 51 ‘Significant Cyber Incidents Since 2006’, Center for Strategic and

47 Bruce Harrison, ‘How North Korea Recruits Its Army of Young International Studies, https://csis-website-prod.s3.amazonaws.

Hackers’, NBC News, 8 December 2017, https://www.nbcnews. com/s3fs-public/210129_Significant_Cyber_Events.pdf.

com/news/north-korea/how-north-korea-recruits-trains-its- 52 Yashwant Raj, ‘North Korea suffers internet blackout after

army-hackers-n825521. Sony hack’, Hindustan Times, 24 December 2014, https://www.

48 ‘NK establishes university named after leader Kim’, Yonhap hindustantimes.com/world/north-korea-suffers-internet-blackout-

News Agency, 14 October 2020, https://en.yna.co.kr/view/ after-sony-hack/story-Iz7HFvyAPyWaYHd1Zqj52I.html.

AEN20201014003000325. 53 US Department of Defense, ‘Summary Department of Defense

49 International Telecommunication Union, ‘Global Cybersecurity Cyber Strategy 2018’, September 2018, pp. 1–2, https://

Index 2018’, p. 68, https://www.itu.int/dms_pub/itu-d/opb/str/ media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_

D-STR-GCI.01-2018-PDF-E.pdf. STRATEGY_SUMMARY_FINAL.PDF.

50 Karen DeYoung, Ellen Nakashima and Emily Rauhala, 54 ‘Alert (AA20-106A): Guidance on the North Korean Cyber

‘Trump Signed Presidential Directive Ordering Actions to Threat’, Cybersecurity and Infrastructure Security Agency, 15

Pressure North Korea’, Washington Post, 30 September 2017, April 2020 (revised 23 June 2020), https://us-cert.cisa.gov/ncas/

https://www.washingtonpost.com/world/national-security/ alerts/aa20-106a.

132 The International Institute for Strategic Studies


12. India

Despite the geostrategic instability of its region and a a vibrant start-up culture and a very large talent
keen awareness of the cyber threat it faces, India has pool. The private sector has moved more quickly
made only modest progress in developing its policy than the government in promoting national cyber
and doctrine for cyberspace security. Its approach security. The country is active and visible in cyber
towards institutional reform of cyber governance diplomacy but has not been among the leaders on
has been slow and incremental, with the key global norms, preferring instead to make productive
coordinating authorities for cyber security in the civil practical arrangements with key states. From the
and military domains only established in 2018 and little evidence available on India’s offensive cyber
2019 respectively. They work closely with the main capability, it is safe to assume it is Pakistan-focused
cyber-intelligence agency, the National Technical and regionally effective. Overall, India is a third-
Research Organisation. India has a good regional tier cyber power whose best chance of progressing
cyber-intelligence reach but relies on partners, to the second tier is by harnessing its great digital-
including the United States, for wider insight. The industrial potential and adopting a whole-of-society
strengths of the Indian digital economy include approach to improving its cyber security.

Strategy and doctrine


The main lines of India’s current approach can be found and the drafting of information-security policies. It also
in ministerial speeches and in government regulations or set out national objectives, including the training of
legislation, rather than in policy documents. In 2013, how- 500,000 cyber-security professionals over the following
ever, the Ministry of Communications and Information five years, the development of indigenous cyber-secu-
Technology did release the country’s first National Cyber rity technologies, the establishment of public–private
Security Policy,1 a short document affirming the need to partnerships, and the promotion of a culture of cyber
protect the government, businesses and citizens from security and privacy that would encourage responsible
cyber attacks either by state or non-state actors. It pre- behaviour by internet users.
sented basic recommendations for government organi- India’s thinking on cyber policy for the civil sector
sations and private companies, including the allocation continues to develop. Government officials had planned
of budgets and personnel for cyber-security purposes to issue a new national cyber-security strategy in 2020

List of acronyms
CERT-In Computer Emergency Response Team India NCCC National Cyber Coordination Centre
DCA Defence Cyber Agency NCIIPC National Critical Information Infrastructure Protection
DIA Defence Intelligence Agency Centre
DSCI Data Security Council of India NTRO National Technical Research Organisation
IB Intelligence Bureau RAW Research and Analysis Wing
ICT information and communications technology

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 133


to address developments in 5G, ransomware and the Cyber capabilities also featured prominently in the
Internet of Things.2 That effort appears to have stalled but new Land Warfare Doctrine released by the Indian
the government is actively reframing all areas of cyber- Army in late 2018.7 Again subsumed within informa-
security policy, including education, skills, import con- tion warfare, cyberspace was designated as a new
trols and national security. The military confrontation dimension of warfare and an important factor in win-
with China in the disputed Ladakh border area in June ning future battles. The document foreshadowed the
2020, followed by a sharp increase in Chinese activity increasing integration of cyber capabilities into the
against Indian networks, has heightened Indian con- conventional and sub-conventional realms, including
cerns about cyber security, not least in systems supplied for covert operations. In it, the army set itself the task
by China. In a speech on Independence Day in August not only of developing or upgrading cyber-deterrence
2020, Prime Minister Narendra Modi devoted a para- and cyber-defence capabilities, but also of retaining the
graph to the new cyber-security strategy, promising it capability to fight in the face of prolonged attempts at
would soon emerge.3 In January 2021 a high-level gov- cyber disruption.
ernment meeting was held to discuss a security strategy
for the telecoms sector.4 Key planks of India’s cyber- Governance, command and control
security policy will probably align quite closely with India’s cyber command-and-control structure has been
the priorities laid out in a consultation paper released under development since the early 2000s but remains
by the Data Security Council of India (DSCI), the prin- decentralised. Cyber-security powers are spread across
cipal private-sector organisation in the field.5 The paper a number of agencies, with reports of overlapping com-
addresses 21 different areas of policy while depicting a petencies and bureaucratic turf wars.8 The situation is
backdrop of increasing threats and, in the opinion of the further complicated by the country’s federal political
DSCI, insufficient government action. structure. Several key institutions were set up between
As for the approach taken by India’s armed forces, 2004 and 2008, all operating under the direction of min-
in 2017 they publicly released a joint doctrine in which isters and coming together in the National Security
cyberspace, though subsumed under the rubric of infor- Council of the Cabinet, which sits at the apex of security
mation warfare, was afforded a prominent role.6 Placing decision-making. The main cyber agency, the National
strong emphasis on the integration of capabilities across Technical Research Organisation (NTRO), set up in 2004
the armed forces, cyber power – defined as ‘the ability to and modelled on the US National Security Agency,
use cyberspace freely and securely to gain an advantage reports to the national security advisor and is tasked
over the adversary while denying the same to him in vari- with technical intelligence-gathering, signals intercep-
ous operational environments’ – was presented as equal in tion and influence operations.9 A National Information
importance to land, sea, air and space power and special- Board, responsible for information security, was estab-
forces operations. Treating cyber capabilities as one of a lished in 2004 as an advisory committee, in part to formu-
triad of integrated strategic forces alongside space and late a national policy on information warfare.10 In 2003
special operations, the doctrine presaged the establish- the government set up a national Computer Emergency
ment of a Defence Cyber Agency, eventually created in Response Team (CERT-In) which operates under the
2019. It also emphasised the importance of cyber secu- Ministry of Electronics and Information Technology.
rity for India’s economy and critical national infrastruc- In 2008, amendments to the Information Technology
ture, placing the defence of the country’s cyberspace on Act of 2000 gave government agencies wide-ranging
a par with the defence of its territory, airspace and trade powers to ‘issue directions for interception, monitor-
routes. Moreover, the doctrine identified cyber warfare ing or decryption of any information through any
as a component of hybrid warfare, which it described as computer resource’.11 The legislation also sought
a key element in ‘current fifth generation war’ (though protections for ‘critical information infrastructure’
there was no clear definition of hybrid warfare or fifth- networks. It was also in 2008 that the main private-
generation war from India’s perspective). sector body representing the ICT sector, the National

134 The International Institute for Strategic Studies


Association of Software and Service Companies, set up Core cyber-intelligence capability
the DSCI, which has proved an effective advocate in India’s intelligence priorities are deeply shaped by
mobilising more effective government responses in the internal and external terrorist threats, internal political
area of cyber security. violence and the ongoing conflict with Pakistan over
A security review in 2011–12, ordered by the prime Kashmir. The internally focused Intelligence Bureau
minister, identified cyber security as a key area of devel- (IB) is responsible for counter-terrorism and counter-
opment and recommended the establishment of a cen- intelligence, in cooperation with the state police and
tralised cyber command and analogous civilian entities national paramilitary forces.16 India’s foreign intel-
with oversight powers across government agencies.12 ligence agency is the Research and Analysis Wing
By 2013, following allegations about cyber espionage (RAW). The Defence Intelligence Agency (DIA), cre-
conducted against India by several countries (includ- ated in 2002, now coordinates all defence-intelligence
ing the United States and China) and leaks concerning assets, including the Signals Intelligence Directorate
India’s own offensive cyber capabilities, the govern- and the DCA. Intelligence collection by these three
ment was keenly aware of the need for improved policy main agencies is digitally enabled via a real-time intel-
and action. However, institutional development over ligence grid (NATGRID) that links citizen-data sources
the next few years was quite piecemeal. A National across multiple government and private databases to
Critical Information Infrastructure facilitate the monitoring of terrorist
Protection Centre (NCIIPC) was
Beyond the activities that pose a threat to bank-
established in 2014 under the direc- ing, finance and transportation net-
tion of the NTRO.13 A National
domestic threats, works. In addition, the IB and RAW
Cyber Coordination Centre (NCCC), India’s cyber- are empowered to monitor internet
subordinate to CERT-In, finally intelligence traffic through a system enabling
began operations in 2018 (having the interception of internet commu-
first received ministerial approval
capabilities have nications, including social media.17
in 2013). The NCCC is responsible unsurprisingly While the IB, RAW and DIA each
for intelligence-sharing between been focused on represent a part of India’s cyber-
government agencies and for coor- intelligence capability, they are
dinating government responses to
its near abroad, all heavily reliant for core capabil-
cyber attacks.14 particularly ity on the technical-intelligence
The Defence Cyber Agency Pakistan agency, the NTRO. Various parts
(DCA), created in 2019, is central of the Ministry of Home Affairs,
to the command and control of including the Cyber Crime Wing
India’s military cyber capabilities. Its intended role is and Central Forensics Science Laboratory, are also
to integrate and coordinate the cyber, space and spe- important sources of cyber intelligence.
cial-forces capabilities of the three armed services. It is Beyond the domestic threats, India’s cyber-intelligence
part of the Integrated Defence Staff, a tri-service head- capabilities have unsurprisingly been focused on its near
quarters which includes civilian representation from abroad, particularly Pakistan. For example, there are
the Ministry of External Affairs and other ministries. indications that, since about 2010, Indian cyber teams
It comprises a sizeable tri-service staff of about 1,000, have been targeting IP addresses in Pakistan (and to a
divided into several teams based at a command centre lesser extent in China), as well as secessionist movements
in Delhi and in other locations around the country.15 By within India itself, in a significant cyber-surveillance and
operationalising the 2017 joint doctrine’s focus on capa- cyber-espionage operation.18 Further afield, however,
bility integration, the DCA represents both an impor- India’s cyber-intelligence reach appears weak: it tends
tant institutional evolution and a significant maturing to rely on partnerships such as those with the US, the
of India’s approach to military uses of cyberspace. United Kingdom and France for a higher level of cyber

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 135


situational awareness and to help it develop a greater – for example, four of the top five mobile devices by
reach of its own in future. market share are manufactured by Chinese compa-
Mirroring the UK, the Indian government has set up nies.27 Almost all the country’s most popular mobile
a Joint Intelligence Committee attached to the office of apps – such as Facebook Messenger, PlayerUnknown’s
the prime minister, tasked with collecting, assessing and Battlegrounds (PUBG), SHAREit, TikTok (at least until
prioritising inputs from all the country’s intelligence India’s ban on Chinese apps in 2020), Truecaller, UC
agencies.19 A Multi-Agency Centre (MAC) has also Browser and WhatsApp – were designed abroad. One
been established under the IB, together with subsidi- exception, in 2020, was Aarogya Setu, the Indian gov-
ary MACs in different states, with the aim of enhancing ernment’s COVID-19 contact-tracing app. As a result,
the sharing of information between intelligence units, and despite breakthroughs by Indian companies in
including finance and defence ministries at the state app development and plans to develop 5G systems, the
and national levels. government has limited agency over the way in which
devices and platforms manage the flow of data through
Cyber empowerment and dependence their systems.
India is an ICT powerhouse, with a digital economy In the field of artificial intelligence (AI), India’s
estimated in value at US$190 billion20 and a tech start- research capability has been placed quite highly in
up sector assessed to be the third largest in the world.21 global rankings, achieving ninth28 and 13th29 position,
According to one estimate, core digital sectors such as for example, in two authoritative studies. The lion’s
ICT-enabled services and electronics manufacturing share of AI research and development (about 85%) is
will contribute around 10% of GDP by 2025.22 However, conducted by universities rather than industry.30 The
only slightly more than half of India’s 1.4bn people Indian Institute of Technology (IIT) Hyderabad has col-
have access to the internet, and the levels of mobile- laborated with Nvidia, an American multinational tech-
phone ownership and internet use are far higher among nology company, to establish India’s first AI Technology
men than women.23 Most Indians who access the inter- Centre, aimed at accelerating research and its commer-
net do so by mobile phone, though download speeds cial adoption.31 The centre intends to focus on advanced
are below the global average. Agriculture, which still AI research in areas of agriculture, smart cities and lan-
provides the livelihoods of hundreds of millions of guage-understanding, in line with the priorities stated in
Indians, is undergoing some digitisation and employ- India’s national strategy for AI.32 In terms of the applica-
ing tools and techniques that rely on automated and tion of AI to industrial processes, it is notable that India
autonomous machines. However, the vast majority of was ranked third, after the US and China, in a 2018 study
the population (about 90%) lack basic digital skills.24 As by the Boston Consulting Group.33 The country’s AI
one way of addressing the issue, the government has start-ups received total investment of US$762m in 2019,
been increasing the availability of apps and digital ser- a 44% increase in comparison with 2018.34
vices in a greater number of local languages. The space industry is led by the Indian Space
Foreign investment plays a large part in India’s digi- Research Organisation (ISRO), which is one of the
tal economy, with the country providing outsourced IT world’s six largest space agencies and owns one of the
services around the world and serving as a major pro- largest fleets of communication and remote-sensing
duction hub for global brands, such as Dell computers. satellites used for civil and military purposes.35 ISRO
From 2014 to 2020, US ICT investment totalled US$30bn also operates satellites for surveillance and navigation
and Japanese investment US$12bn.25 As for Chinese ICT purposes – including the Indian Regional Navigation
investment, it surpassed US$4bn in the same period, Satellite System;36 dual-use surveillance satellites in the
with Alibaba and Tencent accounting for three-quarters Cartostat and RISAT series;37 and EMISAT, launched
of the total.26 in 2019, which can detect an adversary’s electromag-
The infrastructure at the heart of India’s digital netic signals.38 Owing to capacity limitations in its own
economy is built largely from imported equipment agencies,39 the Indian government has begun to rely

136 The International Institute for Strategic Studies


more on commercial enterprises to develop and pro- Indian networks and platforms. In 2020, India had the
duce space equipment such as satellites and propulsion second-highest incidence of ransomware attacks in the
systems. Like many other countries, India still relies world48 and the government banned 117 Chinese mobile
on foreign suppliers for the space sector, with Hughes applications because of security concerns.49
Communications India appointed to provide a high- India regards its financial institutions as particu-
performance satellite broadband system for India’s larly vulnerable to cyber attack.50 In August 2018, in a
Naval Communication Network.40 It has, however, persistent attack on Cosmos Bank by a North Korean
achieved self-reliance in the production of launch vehi- group, US$13.5m was siphoned off from customers’
cles and some satellite technologies.41 accounts.51 A United Nations Security Council panel
A unique characteristic of the Indian cyber economy of experts, appointed to study North Korea’s attempts
is the huge number of graduates in ICT-related subjects to evade UN sanctions, suggested in a July 2019 report
entering the job market every year: in 2019 the figure was that Indian banks may have been the victims of cyber
almost 600,000, which was five times more than in the US.42 theft by North Korea amounting to nearly US$200m
over a three-year period.52 On the other hand, thanks
Cyber security and resilience to stringent guidelines from the Reserve Bank of India
India’s state administrations have numerous cyber- (RBI), the financial sector is more secure than other
security-related offices with large numbers of staff, areas of the Indian economy. For example, two-factor
and much attention has been paid to cyber crime since authentication, strictly audited by the RBI, is the norm
2009, when the country became one of the first to intro- in internet banking and e-commerce.53
duce cyber-crime courts and cyber police stations. But Although India’s central government has been slow
perhaps the most distinctive feature of India’s cyber- in addressing cyber security, the private sector has been
security infrastructure is the importance of the private far more active and more effective. The DSCI, which
sector, which has led the way in developing strong promotes best practices and standards for cyber secu-
policies and standards. The rapid integration of the rity and privacy, undertakes capacity-building projects
internet into everyday economic life, albeit from a low with a focus on training and certification, including for
base, has created the need for new cyber-security capa- the government sector. In 2020 it said there was a ‘dire
bilities on a scale and at a pace unseen in any other need’ for the government to play its part in promot-
country – hundreds of millions of Indians have begun ing cyber security in the country, and recommended a
to participate in e-commerce in the last five years, for quadrupling of government expenditure on cyber secu-
example.43 The main challenges lie in policy coordina- rity as the country’s digital economy expands.54 India
tion, ensuring consistency around the country, and was ranked 47th out of 175 countries in the International
addressing the general lack of depth in cyber-security Telecommunication Union’s 2018 Global Cybersecurity
skills relative to the size of the population and the Index, well behind its geopolitical rival China (27th).55
needs of industry. In cyber-resilience policy and preparedness for emer-
India has frequently been the victim of cyber attacks, gencies, India has some foundations in place, with the
including on its critical infrastructure, and has attributed NCIIPC active in promoting policies and procedures
a significant proportion of them to China or Pakistan. throughout the country since it was created in 2014.
CERT-In reported, for example, that there were more Progress in emergency-response planning has in many
than 394,499 incidents in 2019,44 and 2020 saw an cases been slower at the state level, with Tamil Nadu,
upsurge in attacks from China.45 Of particular concern to for example, only introducing a cyber-security strategy
the Indian government are cyber attacks by North Korea in 2020.56 In contrast, the state of Maharashtra, which
that use Chinese digital infrastructure.46 The vast major- contains the commercial and financial hub of Mumbai,
ity of the cyber incidents flagged by CERT-In appear has a well-established cyber-security team in its police
to have been attempts at espionage,47 but they could force and dedicated cyber ‘police stations’ in various
also have resulted in serious damage to the integrity of parts of Mumbai.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 137


However, compared with equivalent bodies in some increase its geopolitical influence, India is the target of
wealthier countries, the NCIIPC is not well equipped to cyber espionage by a wide range of states. However, it
handle cyber emergencies and wider resilience-planning knows its defensive capabilities are relatively weak. As
– for example, as of 2018, there was only one sector a result, it pursues diplomatic efforts to bring the gov-
(power) where it had been able to organise stakeholders ernance of cyberspace within the rules-based interna-
around those objectives.57 There are also indications tional order, while maintaining a realistic approach to
that the NCIIPC has not coordinated well with other dealing with the states that are targeting its networks.
government bodies.58 It is unclear, for example, if steps In its National Cyber Security Policy of 2013,
have been taken to improve cyber defences at the Unique India’s diplomatic goals included the development of
Identification Authority of India, after its database of bilateral and multilateral cyber-security relationships
citizens’ biometric information (the second-largest in the as well as global cooperation between national law-
world) was reported to have been breached in 2017, or enforcement agencies, security services, judicial sys-
the Kudankulam Nuclear Power Plant, which in 2019 was tems and armed forces.
the target of a serious cyber attack that it initially denied Unsurprisingly, the challenges involved in defending
and then downplayed.59 In Maharashtra, where the its open networks (and largely imported infrastructure)
power sector was targeted by Chinese hackers (dubbed have prompted India to advocate international norms of
the Red Echo group) from early restraint. It appears to have aban-
2020, it seems the cyber-security doned its previous opposition to
department in the state police were
India knows its emerging international legal princi-
informed of the threat by CERT-In defensive cyber ples such as the possible voluntary
in November 2020 but the NCIIPC capabilities are norms on security in cyberspace
only alerted the Ministry of Power put forward by the UN Group of
on 12 February 2021.60
relatively weak Governmental Experts (GGE) in
Though the National Cyber 2015.62 As a member of the 2016–17
Security Coordinator conducts periodic whole-of- GGE, India endorsed the inclusion in the final report of a
government audits involving relevant agencies, the right to self-defence in cyberspace, although the draft did
government has faced an uphill battle in trying to not receive the unanimous consent of all participating
make new entities such as the NCIIPC work seamlessly experts.63 It is unclear whether India will further endorse
alongside long-established public-sector bodies that are the right to retaliatory measures for acts that fall below
in various stages of digitising their infrastructure. The the thresholds that qualify as a ‘threat or use of force’ or
NCIIPC has taken private enterprises under its wing, ‘armed attack’ under international law.
including oil and gas companies, and tries to ensure India’s most developed bilateral cyber partnership
that the public and private sectors work in tandem on is with the US. The two countries have held a regular
cyber security. cyber dialogue since the early 2000s, intensifying in
The first reported cyber exercise in the Indian 2015 with the decision to convene a ‘Track 1.5’ pro-
Armed Forces, CyberEx, was conducted by the Indian gramme that seeks to convene government officials
Defence University on 29–30 April 2019.61 It involved and business leaders to collaborate on cyber questions.
the NTRO, the three services, the National Security Cyber is also envisioned as a component of several
Council Secretariat, CERT-In, the Defence Research and other US–India agreements, including on intelligence-
Development Organisation, the National Informatics sharing and mutual legal assistance.64
Centre, academia and industry. India has also pursued bilateral cyber dialogues with
several other partners, including the European Union,
Global leadership in cyberspace affairs Russia and the UK. The cyber partnership with the UK
As a nuclear power with large conventional forces, a is particularly well developed, with a regular dialogue
burgeoning digital economy and a determination to dating back to 2012. In April 2018 the two countries

138 The International Institute for Strategic Studies


signed a framework agreement identifying avenues for It is difficult to gauge the extent or orientation of
bilateral cooperation on cyber security and establishing India’s current investment in offensive capabilities but
working groups on cyber diplomacy, cyber crime, inci- there are some indications that the focus may have
dent response and the digital economy.65 They have also shifted more to countering China, given its growing
agreed in principle to establish a joint Cyber Security economy and regional power.69 There is also evidence
Training Centre of Excellence.66 dating back to 2014 of Prime Minister Modi’s interest
in creating a ‘Digital Armed Force’, in part for deter-
Offensive cyber capability rent purposes.70 A 2019 report commissioned by an
Public statements by Indian officials and other open- influential Indian think tank with close links to the
source material indicate that India has developed rela- ruling Bharatiya Janata Party urged the rapid devel-
tively advanced offensive cyber capabilities focused on opment of offensive cyber capabilities but cautioned
Pakistan. It is now in the process of expanding these against any public declaration until those capabilities
capabilities for wider effect. were in place.71
India reportedly considered a cyber response against Overall, India’s focus on Pakistan will have given it
Pakistan in the aftermath of the November 2008 terror- useful operational experience and some viable regional
ist attacks in Mumbai, with the NTRO apparently at the offensive cyber capabilities. It will need to expand its
forefront of deliberations.67 A former national security cyber-intelligence reach to be able to deliver sophisti-
advisor has since indicated publicly that India pos- cated offensive effect further afield, but its close collab-
sesses considerable capacity to conduct cyber-sabotage oration with international partners, especially the US,
operations against Pakistan,68 which appears credible. will help it in that regard.

Notes

1 Ministry of Communications and Information Technology, sites/default/files/documents/resource_centre/National%20


‘National Cyber Security Policy 2013’, 2 July 2013, https:// Cyber%20Security%20Strategy%202020%20DSCI%20
www.meity.gov.in/sites/upload_files/dit/files/National%20 submission.pdf.
Cyber%20Security%20Policy%20%281%29.pdf. 6 Headquarters Integrated Defence Staff, Ministry of Defence,

2 Aditi Agrawal, ‘India’s cybersecurity strategy policy in ‘Joint Doctrine – Indian Armed Forces’, 2017, https://

2020, says National Cybersecurity Coordinator Rajesh bharatshakti.in/wp-content/uploads/2015/09/Joint_Doctrine_

Pant’, Medianama, 22 June 2019, https://www.medianama. Indian_Armed_Forces.pdf.

com/2019/06/223-indias-cybersecurity-strategy-policy-in-2020- 7 Indian Army, ‘Land Warfare Doctrine 2018’, http://www.ssri-

says-national-cybersecurity-coordinator-rajesh-pant. j.com/MediaReport/DocumentIndianArmyLandWarfareDoctrine

3 Elizabeth Roche, ‘PM Modi says India to have new cyber 2018.pdf.

security policy soon’, Livemint, 15 August 2020, https://www. 8 Tarun Krishnakumar, ‘Cyber Insecurity: Regulating the Indian

livemint.com/news/india/pm-modi-says-india-to-soon-have- Financial Sector’, Oxford University Faculty of Law, 21 August

cyber-security-policy-11597461750194.html. 2017, https://www.law.ox.ac.uk/business-law-blog/blog/2017/08/

4 ‘Govt formulating new action plan, Chinese telecom giants cyber-insecurity-regulating-indian-financial-sector.

could be out of game’, Economic Times, 21 January 2021, 9 B. Raman, ‘Possible Misuse of New TECHINT Capabilities’,

https://telecom.economictimes.indiatimes.com/news/govt- Indian Defence Review, 5 December 2011, http://www.

formulating-new-action-plan-chinese-telecom-giants-could- indiandefencereview.com/spotlights/possible-misuse-of-new-

be-out-of-game/80391251. techint-capabilities.

5 Data Security Council of India, ‘National Cyber Security 10 Saikat Datta, ‘Low on the IQ’, Outlook, 4 July 2005, https://

Strategy 2020: DSCI submission’, 2020, https://www.dsci.in/ magazine.outlookindia.com/story/low-on-the-iq/227823.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 139


11 ‘Information Technology (Procedure and Safeguards for 21 Trisha Ray et al., The Digital Indo-Pacific: Regional Connectivity

Interception, Monitoring and Decryption of Information) Rules, and Resilience, The Australian Government for the Quad Tech

2009’, The Centre for Internet & Society, https://cis-india.org/ Network, February 2021, p. 8, https://www.orfonline.org/

internet-governance/resources/it-procedure-and-safeguards-for- wp-content/uploads/2021/02/thedigitalindopacific.pdf.

interception-monitoring-and-decryption-of-information-rules-2009. 22 McKinsey Global Institute, ‘Digital India: Technology to

12 Vinod Anand, ‘Defence Reforms and Naresh Chandra Task Force Transform a Connected Nation’, March 2019, https://www.

Review’, Vivekananda International Foundation, 13 September mckinsey.com/~/media/mckinsey/business%20functions/

2012, https://www.vifindia.org/article/2012/september/13/ mckinsey%20digital/our%20insights/digital%20india%20

defence-reforms-and-naresh-chandra-task-force-review. technology%20to%20transform%20a%20connected%20nation/

13 Government of India, National Technical Research digital-india-technology-to-transform-a-connected-nation-full-

Organisation, https://ntro.gov.in/welcome.do. report.ashx.

14 ‘India now has a National Cyber Coordination Centre (NCCC) 23 Romita Majundar, ‘Gender gap in mobile and internet usage

to monitor cyber threats’, India Today, 11 August 2007, https:// in India as per GSMA report’, Business Standard, 9 March 2019,

www.indiatoday.in/education-today/gk-current-affairs/story/ https://www.business-standard.com/article/economy-policy/

nccc-cyber-india-1029203-2017-08-11. gender-gap-in-mobile-and-internet-usage-in-india-as-per-

15 Rahul Bedi, ‘India setting up tri-service commands for special gsma-report-119030900696_1.html.

forces, cyber security, and space’, Jane’s Defence Weekly, 16 May 24 Digital Empowerment Foundation, ‘About’, undated, https://

2019. www.defindia.org/national-digital-literacy-mission.

16 See Mahendra Kumawat and Vinay Kaura, ‘Building the 25 Ray et al., The Digital Indo-Pacific: Regional Connectivity and

resilience of India’s internal security apparatus’, Observer Resilience, p. 9.

Research Foundation, Occasional Paper 176, November 2018, 26 Ibid.

https://www.orfonline.org/wp-content/uploads/2018/11/ORF_ 27 Sam Byford, ‘Realme Takes Chunk of India Mobile Market as

OccasionalPaper_176_Security_NEWFinalPDF.pdf. Samsung Slides’, The Verge, 11 November 2019, https://www.

17 See Udbhav Tiwari, ‘The Design & Technology Behind India’s theverge.com/2019/11/11/20958932/india-mobile-marketshare-

Surveillance Programmes’, The Centre for Internet & Society, q3-2019-idc-realme-samsung-xiaomi.

20 January 2017, https://cis-india.org/internet-governance/ 28 JJiqiang Niu et al., ‘Global research on artificial intelligence

blog/the-design-technology-behind-india2019s-surveillance- from 1990–2014: Spatially-explicit bibliometric analysis’, ISPRS

programmes#_ftnref13. International Journal of Geo-Information, vol. 5, no. 5, p. 8, https://

18 Snorre Fagerland et al., ‘Operation Hangover: Unveiling an www.mdpi.com/2220-9964/5/5/66/pdf.


Indian Cyber Attack Infrastructure’, Norman Shark, May 2013, 29 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United

http://docshare.tips/unveiling-an-indian-cyberattack-infrastru States Stay Ahead of China?’, 21 December 2020, https://

cture_58a3ff6db6d87f499c8b462d.html. chuvpilo.medium.com/ai-research-rankings-2020-can-the-
19 See Musa Tuzuner (ed.), Intelligence Cooperation Practices in the 21st united-states-stay-ahead-of-china-61cf14b1216.
Century: Towards a Culture of Sharing (Amsterdam: IOS Press, 2010). 30 Richa Bhatia, ‘Where Artificial Intelligence Research in India

20 ‘How the IT sector has emerged as a pillar of modern India’, Is Heading’, Analytics India Magazine blog, 27 March 2018,

Hindu, 14 August 2020, https://www.thehindubusinessline. https://analyticsindiamag.com/where-artificial-intelligence-

com/news/national/how-the-it-sector-has-emerged-as-a-pillar- research-in-india-is-heading.

of-modern-india/article32357389.ece. This estimate is based on 31 Anisha Kumari, ‘IIT Hyderabad, NVIDIA Establish First AI

a classic narrow view of the ICT sector, as usually reported in Research Centre in India’, NDTV, 9 July 2020, https://www.ndtv.

national accounts. However, the Organisation for Economic com/education/iit-hyderabad-nvidia-establish-first-ai-research-

Co-operation and Development and other research institutions centre-in-india.

have been adopting a definition of the digital economy based 32 Canadian Institute for Advanced Research, ‘Building an

on a broader set of indicators. According to one of these broader AI World: Report on National and Regional AI Strategies

estimates, India’s digital economy was worth US$570bn in Second Edition’, May 2020, p. 22, https://cifar.ca/wp-content/

2019, equivalent to about 20% of GDP. uploads/2020/10/building-an-ai-world-second-edition.pdf.

140 The International Institute for Strategic Studies


33 ‘India Ranked Third in Terms of Artificial Intelligence biometric identification to support more secure electronic

Implementation: Report – ET CIO’, ETCIO, 26 April 2018, banking and e-commerce across the country, especially by

https://cio.economictimes.indiatimes.com/news/business- mobile phone. While the organisation had been conducting

analytics/india-ranked-third-in-terms-of-artificial-intelligence- business under another name since 2010 and issuing IDs, there

implementation-report/63922875. has been an explosion of the process since 2016, with 1.24bn

34 AIMResearch, ‘Report: Indian AI Startup Funding in 2019’, citizens now registered. See Unique Identification Authority of

28 January 2020, p. 4, https://analyticsindiamag.com/ India, ‘About UIDAI’, https://uidai.gov.in/about-uidai/unique-

report-indian-ai-startup-funding-in-2019. identification-authority-of-india/about.html.

35 Indian Space Research Organisation, ‘About ISRO’, https:// 44 Indian Computer Emergency Response Team, Ministry of

www.isro.gov.in/about-isro. Electronics and Information Technology, ‘CERT-In Annual

36 The Indian Regional Navigation System Satellite is made up Report (2019)’, p. 3, https://www.cert-in.org.in/Downloader?p

of seven satellites that serve civil purposes but also provide ageid=22&type=2&fileName=ANUAL-2020-0001.pdf.

encrypted data to the Indian armed forces. See G.D. Sharma, 45 Manu Kaushik, ‘200% rise in cyberattacks from China in a

Exploiting Indian Military Capacity in Outer Space (New Delhi: month; India tops hit list post Galwan face-off’, Business Today, 24

Centre for Joint Warfare Studies, 2016), https://cenjows.in/pdf/ June 2020, https://www.businesstoday.in/technology/news/200-

issue/Layout_Exploiting%20Indian%20Military.pdf. percent-rise-in-cyberattacks-from-china-in-a-month-india-tops-

37 See Government of India, Department of Space, Indian Space hit-list-post-galwan-face-off/story/407806.html.

Research Organisation, ‘List of Earth Observation Satellites’, 46 Interview with former official in the Indian government, New

https://www.isro.gov.in/spacecraft/list-of-earth-observation-satellites. Delhi, 4 October 2019.

38 Manu Pubby, ‘Navy to Buy Rs 1,589 Crore Satellite From ISRO’, 47 Indian Computer Emergency Response Team, Ministry of

Economic Times, 18 July 2019, https://economictimes.indiatimes. Electronics and Information Technology, ‘CERT-In Annual

com/news/defence/navy-to-buy-rs-1589-crore-satellite-from- Report (2018)’, p. 6, https://www.cert-in.org.in/Downloader?p

isro/articleshow/70283927.cms?from=mdr. ageid=22&type=2&fileName=ANUAL-2019-0123.pdf.

39 Narayan Prasad Nagendra and Prateep Basu, ‘Demystifying 48 National Critical Information Infrastructure Protection Centre,

Space Business in India and Issues for the Development of a ‘NCIIPC Newsletter’, January 2021, p. 2, https://nciipc.gov.in/

Globally Competitive Private Space Industry’, Space Policy, documents/NCIIPC_Newsletter_Jan21.pdf.

vol. 36, 2016, pp. 1–11, https://www.sciencedirect.com/science/ 49 ‘India bans PUBG, 117 other Chinese apps for “stealing,

article/abs/pii/S0265964616300078. transmitting users’ data” to servers outside India’, FirstPost, 20

40 John Sheldon, ‘Indian Military Space: Hughes India and September 2020, https://www.firstpost.com/india/india-bans-
Sterlite Tech Enable Satcom Connectivity for Indian Navy’, pubg-117-other-chinese-apps-for-stealing-transmitting-users-

Spacewatch, January 2019, https://spacewatch.global/2019/01/ data-to-servers-outside-india-8778561.

indian-military-space-hughes-india-and-sterlite-tech-enable- 50 ‘Banks Most Vulnerable to Cyber Threats: National Cyber

satcom-connectivity-for-indian-navy. Security Coordinator’, New Indian Express, 20 February 2019,


41 Rajeswari Pillai Rajagopalan, Pulkit Mohan and Rahul Krishna, https://www.newindianexpress.com/business/2019/feb/20/banks-
‘India in the Final Frontier: Strategy, Policy and Industry’, most-vulnerable-to-cyber-threats-national-cyber-security-
ORF Special Report no. 100, Observer Research Foundation, coordinator-1941363.html.
29 January 2020, https://www.orfonline.org/research/ 51 Rashmi Rajput, ‘UN Security Council Panel Finds Cosmos

india-in-the-final-frontier-strategy-policy-and-industry-60834. Bank Cyber Attack Motivated by N Korea’, Economic Times,

42 Organisation for Economic Co-operation and Development, 27 March 2019, https://economictimes.indiatimes.com/

Measuring the Digital Transformation: A Roadmap for the Future industry/banking/finance/banking/un-security-council-

(Paris: OECD Publishing, 2019), p. 144, https://www.oecd. panel-finds-cosmos-bank-cyber-attack-motivated-by-n-korea/

org/publications/measuring-the-digital-transformation- articleshow/68589549.cms?from=mdr.

9789264311992-en.htm. 52 United Nations Security Council, ‘Report of the

43 In 2016 the government set up the Unique Identification Panel of Experts established pursuant to Resolution

Authority of India, which provided a new foundation for 1874 (2009)’, 5 March 2019, S/2019/171, https://www.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 141


securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C- Experts (GGE) has convened for two-year terms to address

8CD3CF6E4FF96FF9%7D/s_2019_171.pdf. international-security aspects of cyberspace. It was known as

53 Reserve Bank of India, ‘Master Direction on Digital Payment the GGE on ‘Developments in the Field of Information and

Security Controls’, 18 February 2021, https://rbidocs.rbi.org.in/ Telecommunications in the Context of International Security’

rdocs/notification/PDFs/MD7493544C24B5FC47D0AB12798C6 until 2018, when it was renamed the GGE on ‘Advancing

1CDB56F.PDF. Responsible State Behaviour in Cyberspace in the Context

54 DSCI, ‘National Cyber Security Strategy 2020: DSCI of International Security’. In cyberspace-policy circles it is

submission’. common to refer to it simply as ‘the GGE’. See UN Office for

55 International Telecommunication Union, ‘Global Cybersecurity Disarmament Affairs, ‘Developments in the field of information

Index 2018’, p. 58, https://www.itu.int/dms_pub/itu-d/opb/str/ and telecommunications in the context of international

D-STR-GCI.01-2018-PDF-E.pdf. security’, https://www.un.org/disarmament/ict-security.

56 Raja Simhan, ‘TN govt working on giving the “cyber 63 Interview with a member of the 2016–17 GGE, August 2017.

resilience” edge to governance’, The Hindu Business Line, 24 64 Nayantara Ranganathan, ‘Cybersecurity and bilateral ties of India

December 2020, https://www.thehindubusinessline.com/info- and the United States: A very brief history’, Internet Democracy

tech/tn-govt-working-on-giving-the-cyber-resilience-edge-to- Project, 30 September 2015, https://internetdemocracy.in/reports/

governance/article33409737.ece. cybersecurity-and-india-us-bilateral-ties-a-very-brief-history.

57 Munish Sharma and Cherian Samuel, India’s Strategic Options in a 65 Rahul Roy-Chaudhury, ‘India–UK cybersecurity cooperation:

Changing Cyberspace (Delhi: Pentagon Press, 2018), p. 110, https:// The way forward’, International Institute for Strategic

idsa.in/system/files/book/book_indias-strategic-options-in- Studies blog, 22 November 2019, https://www.iiss.org/blogs/

cyberspace.pdf. analysis/2019/11/sasia-india-uk-cyber-security-cooperation.

58 See, for example, Saikat Datta, ‘Defending India’s Critical 66 Rahul Roy-Chaudury, ‘India–UK cyber security cooperation:

Information Infrastructure’, Internet Democracy Project, 2016, The way forward’, India Global Business, 15 November 2019,

https://internetdemocracy.in/wp-content/uploads/2016/03/ https://www.indiaglobalbusiness.com/igb-archive/india-uk-

Saikat-Datta-Internet-Democracy-Project-Defending- cyber-security-cooperation-the-way-forward-india-global-

Indias-CII.pdf; and Shatabdi Mazumder, ‘The Need for business.

Re-conditioning of India’s Cyber Security’, Apeksha News 67 Raj Chengappa and Sandeep Unnithan, ‘How to Punish

Network, 28 September 2020, https://apekshanews.com/ Pakistan’, India Today, 22 September 2016, https://www.

the-need-for-re-conditioning-of-indias-cyber-security. indiatoday.in/magazine/cover-story/story/20161003-uri-

59 Sushovan Sircar and Vakasha Sachdev, ’Kudankulam Cyber attack-narendra-modi-pakistan-terror-kashmir-nawaz-sharif-


Attack Did Happen, Says NPCIL a Day After Denial’, The india-vajpayee-829603-2016-09-22.

Quint, 1 November 2019, https://www.thequint.com/news/ 68 M.K. Narayanan, ‘The Best among Limited Options’, Hindu,

india/kudankulam-nuclear-power-plant-malware-attack- 1 November 2016, https://www.thehindu.com/opinion/lead/

correct-confirms-npcil. The-best-among-limited-options/article14990381.ece.
60 ‘Chinese cyber attack foiled: Power Ministry’, Hindu, 1 March 2021, 69 Arditi Agrawal, ‘India’s Cybersecurity Strategy Policy in

https://www.thehindu.com/news/national/attacks-by-chinese- 2020, Says National Cybersecurity Coordinator Rajesh

groups-thwarted-power-ministry/article33965683.ece. Pant’, Medianama, 22 June 2019, https://www.medianama.

61 Press Information Bureau, ‘Cyber Exercise on Scenario com/2019/06/223-indias-cybersecurity-strategy-policy-in-2020-

Building & Response’, 29 April 2019, http://pib.nic.in/ says-national-cybersecurity-coordinator-rajesh-pant.

newsite/PrintRelease.aspx?relid=189871. 70 Narendra Modi, ‘PM’s Address at the Combined Commanders’

62 James Crawford, Jacqueline Peel and Simon Olleson, ‘The Conference’, 17 October 2014, https://www.narendramodi.in/

ILC’s Articles on Responsibility of States for Internationally amp/pms-address-at-the-combined-commanders-conference.

Wrongful Acts: Completion of the Second Reading’, European 71 Vivekananda International Foundation, ‘Credible Cyber

Journal of International Law, vol. 12, no. 5, 2001, pp. 963–91, Deterrence in Armed Forces of India’, March 2019, https://www.

http://www.ejil.org/pdfs/12/5/1557.pdf. Since a UN General vifindia.org/sites/default/files/Credible-Cyber-Deterrence-in-

Assembly resolution in 2004, a UN Group of Governmental Armed-Forces-of-India_0.pdf.

142 The International Institute for Strategic Studies


13. Indonesia

Indonesia’s first formal strategy for civil-sector cyber it participates actively in the G20, the Asia-Pacific
security emerged only in 2018, one year after its prin- Economic Cooperation, the Association of Southeast
cipal cyber agency was created. Cyber-related institu- Asian Nations and the Organisation of Islamic
tional changes within the armed forces began around Cooperation. Indonesia has some cyber-surveillance
2014 but have not yet given rise to a published military and cyber-espionage capabilities, but there is little evi-
cyber strategy or doctrine. Political control of cyber dence of it planning for, or having conducted, offen-
policy is exercised through the president. Indonesia sive cyber operations. Overall, Indonesia is a third-tier
has only limited cyber-intelligence capabilities but cyber power. Given that it is expected to become the
has been investing in cyber surveillance for domes- fourth-largest economy in the world by around 2030,
tic security. It is more engaged than most developing it could be well placed to rise to the second tier if
countries in cyber security and in employing digital the government decides that strategic circumstances
technologies. On international cyberspace policy, demand greater investment in the cyber domain.

Strategy and doctrine


Until 2017, cyberspace policy in Indonesia was largely Crypto Agency.5 Also in 2017, the national police force
undeveloped. Institutions, coordination and legal foun- announced the expansion of its cyber-crime unit from
dations were all weak and there was no overall national 40 to 100 personnel.6 The country began to frame its
strategy.1 Only some basic institutional foundations cyber defence in very broad terms as part of its concept
were in place: the National Crypto Agency (founded in of ‘total defence’.7
1946) had been strengthened to some extent; a Computer The first national cyber-security strategy was pub-
Emergency Response Team (CERT) had been created in lished by the BSSN in 2018, setting out five objectives:
1998 through a private initiative; there was a govern- cyber resilience, security of public services, enforce-
ment infrastructure-incident-response team (another ment of cyber law, a culture of cyber security, and cyber
CERT, in practice), set up in 2007;2 14 additional CERTs security in the digital economy.8 The strategy was also
were in place by 2016; and some relevant laws and regu- intended to support the country’s counter-terrorism
lations had been refined.3 policies. Its stated goals included the promotion of
The principal development in 2017 was the estab- multi-stakeholder engagement and fostering global
lishment, by presidential decree, of the National Cyber trust in Indonesia’s management of its cyberspace. As
and Crypto Agency (BSSN),4 replacing the National in most countries, the publication of a formal strategy

List of acronyms
ASEAN Association of Southeast Asian Nations OIC Organisation of Islamic Cooperation
BSSN National Cyber and Crypto Agency TNI Indonesian Armed Forces
MoD Ministry of Defence

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 143


provided a foundation for further measures. Later in and electronic warfare.16 It described cyber security as
2018, for example, the national police force set up a central to national defence capabilities, highlighted the
Cyber Crime Directorate to counter disinformation importance of integrating cyber with all other instru-
spread though digital media.9 ments of national power,17 and declared a commitment
In December 2020 the BSSN released the draft of a to modernising the country’s cyber capabilities.18
new national cyber-security strategy for public consul- In 2017 the MoD began promoting a ‘civil-defence
tation.10 It places greater emphasis on nationally signifi- concept’ in coordination with the National Development
cant cyber incidents and focuses on seven specific areas: Planning Agency, aiming to ensure that methods of
risk management in national cyber security; prepared- ‘non-military defence’ – including in cyberspace – were
ness and resilience; critical information infrastructure; adopted by all ministries and state institutions.19 The
capacity-building; increasing awareness; legislation and initiative was widely seen in defence circles as con-
regulation; and international cooperation. Other stated sistent with the country’s concept of total defence in
objectives include protecting the country from any inter- which all citizens are regarded as potential combatants,
ference in cyberspace that might disrupt public order, including in cyberspace.
and building on improved cyber security to expand the Also in 2017, the armed forces carried out their first
potential of the digital economy. The new draft follows major institutional reform by setting up a cyber unit –
Regulation No. 71 of 2019 on the Implementation of Satuan Siber, or Satsiber – to develop doctrine, policy,
Electronic Systems and Transactions,11 which raised the procedures and tactics to deal with cyber threats.20
status of the cyber-security strategy by declaring it to be Its primary mission is to ensure the cyber security of
part of national-security policy. defence-related critical national infrastructure, though
Given the deteriorating security situation in there is a long-term plan to develop offensive capabili-
Indonesia, one of the government’s priorities has been ty.21 Satsiber has also been assigned an early-warning
to counter domestic terrorism and online extremism, as role in monitoring foreign-military movements (espe-
well as to clamp down on political protest. For exam- cially those of units equipped with missiles) in the
ple, after a large protest in October 2020, disinforma- immediate region. The development of military cyber
tion laws were invoked to allow the police to take action strategy and doctrine appears embryonic and there is
online against political activists12 and Islamist groups, no substantive evidence of it in unclassified sources.
including the Muslim Cyber Army hacker group
responsible for spreading religious intolerance online.13 Governance, command and control
There is now a debate in Indonesian politics about the The BSSN, the principal cyber-security agency, operates
extent to which government policy should involve cen- within the framework of the Coordinating Ministry for
soring cyberspace.14 Political, Legal and Security Affairs and reports directly
On military cyber policy, the debates and analyses to the president.22 The head of the BSSN has four depu-
have generally been more advanced than those in the ties, responsible for threat identification and detection,
civil sector but have not always led to concrete progress. protection, response and recovery, and technical policies
The Ministry of Defence (MoD) laid out comprehen- for monitoring and control.23 The BSSN set up the first
sive guidelines for national cyber defence in 2014,15 with government CERT in 2018,24 building on the previously
the focus more on securing defence assets against cyber existing private CERT and the government’s incident-
attacks rather than on any concept of sustained cyber- response team.
enabled warfare. Besides acknowledging the need for In the Indonesian armed forces (TNI)25 there has been
counter-attack capabilities for the purpose of deter- clear organisational cyber command and control since
rence, the guidelines did not cover offensive cyber. the creation of Satsiber in 2017, though the command
A 2015 defence white paper went further, presenting arrangements are split between the Commander TNI,
cyber defence as one of four pillars of Indonesia’s overall when Satsiber undertakes military operations,26 and the
defence posture, alongside air defence, strategic strike Chief of the General Staff, for day-to-day management.

144 The International Institute for Strategic Studies


Satsiber has subordinate cyber units in each of the three and transport systems) and recruiting graduates of the
armed services.27 Complementing the work of Satsiber, required calibre.34 This suggests that Indonesia’s cyber-
the Cyber Defence Centre28 operates under the com- intelligence capabilities are relatively unsophisticated
mand of the Defence Intelligence Agency within the and that any wider intelligence reach, beyond the focus
Ministry of Defence.29 The technical means for undertak- on domestic terrorism, is severely under-resourced.
ing operational cyber command and control, however,
probably mirror the weaknesses in communications sys- Cyber empowerment and dependence
tems reported elsewhere in the armed forces.30 By 2020 Indonesia had established itself as a rising digi-
The Ministry of Foreign Affairs set up its own Digital tal power within the G20, albeit still at a lower level
Command Centre for the twin purposes of improving than most other members and with a long way to go to
crisis-management procedures for national emergen- achieve its ambitions in the sector.35 The government has
cies in cyberspace and managing launched ambitious education pro-
Indonesia’s international diplomacy grammes, attempted to attract tal-
on cyber matters. The combining of
The average ent through its immigration policies,
two such different functions in one level of digital and promoted a start-up culture.36
entity is unusual, since crisis man- skills among The digital economy was pro-
agement of cyber incidents requires
the Indonesian jected to reach double-digit annual
a very different skill set from con- growth (11%) in 2020.37 E-commerce
ducting cyber diplomacy, with little population does remains the main driver of growth
crossover in the day-to-day work of not match the in the economy as a whole. Three
the two missions.
government’s of Indonesia’s start-ups (Gojek,
Changes in doctrine, technology Tokopedia and Traveloka) have
and personnel planning are needed
ambitions reached high capitalisation lev-
if Indonesia is to establish a basic els (US$10.5 billion, US$7.5bn and
capability for cyber warfare. So too is greater cohesion, US$2.75bn respectively), largely by having expanded
as divergent views have been observed among policy- internationally.38 The country aspires to become a global
makers and those responsible for implementing the hub for Islamic finance, though in that respect it is still
development of cyber defence. in fourth place (behind Malaysia, Saudi Arabia and the
United Arab Emirates) in terms of annual value traded.39
Core cyber-intelligence capability Although the overall internet penetration rate is quite
The lead coordinating agency for national civil-sector high (73% of the population in mid-2020),40 there is a
cyber intelligence is the BSSN.31 The body mainly wide gap between Java and all the other islands.41 There
responsible for foreign and military intelligence is are individual cities with particularly high figures, for
the Strategic Intelligence Agency (BAIS),32 which has example Jakarta (85%), Surabaya (83%) and Bandung
proved capable of assisting the police by, for example, (82.5%).42 More than 90% of Indonesians who use the
conducting cyber surveillance against potential threats internet do so via mobile phone. The country was
to the 2018 regional elections. ranked 85th in the 2020 Global Innovation Index, which
The BSSN was allocated 2.2 trillion rupiah (US$127 indicates the weak foundations of its digital economy.43
million) in the 2020 budget but its director at the time The digital sector accounts for only 12% of GDP accord-
said 3trn rupiah (US$190m) would be needed to achieve ing to a 2020 estimate,44 though the government hopes
its objectives.33 The goals he mentioned included devel- to see that figure rise to 15% by 2025.45
oping indigenous technology and the National Cyber The average level of digital skills among the popu-
Security Operations Centre (tasked with monitoring lation does not match the government’s ambitions.46
the digital networks of Indonesia’s critical national Research commissioned by Amazon Web Services
infrastructure, including the energy, communications in six Asia-Pacific countries found that only 19% of

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 145


Indonesian respondents use digital skills in their jobs boost cyber-security skills in the country.57 In January
– very different from Australia and Singapore, for 2021, China and Indonesia signed a memorandum of
example, where the corresponding figures are 64% and understanding on cooperation and investment in the
63% respectively.47 The skills shortage could inhibit ICT sector, with a focus on security.58 While Chinese
the development of the indigenous digital industry. companies have a large slice of the Indonesian mar-
Indonesia’s reliance on foreign suppliers for its tel- ket, they face competition from well-established US,
ecommunications infrastructure was highlighted in Japanese and European firms. For example, early in
2019 during the Huawei controversy, which led a sen- 2021, Microsoft announced plans to provide training
ior official in the Coordinating Ministry for Political, in digital skills for an additional 3m Indonesians, con-
Legal and Security Affairs to declare the need for ‘a tinuing a commitment in that area that has already
special, reliable, integrated and secure telecommuni- lasted for more than 25 years. The initiative is based on
cations system against cyber threats both from within a shared project with the Ministry of Communication
the country and abroad’, and to admit that the exist- and Information Technology and four universi-
ing system had not been able to ‘answer the need for ties, aimed at educating Indonesians in AI, cyber
national information security’.48 security and data science through a digital-literacy
Although Indonesia’s research in artificial intelli- curriculum.59
gence (AI) is growing, it is still a relative newcomer to
the field. It has accelerated efforts to improve collabo- Cyber security and resilience
ration between academia and industry on AI research, Indonesian views on cyber security were strongly
for example between the University of Indonesia and influenced by the 2013 Edward Snowden leaks about
Tokopedia49 and between the Bandung Institute of Australia’s cyber capabilities, including its monitoring
Technology and Bukalapak.50 Meanwhile, investment of Indonesia’s leaders. Though the country’s security
by Indonesian companies in AI solutions is still much agencies were already aware of Australia’s espionage
lower (US$0.20 per capita) than in more developed activity to some degree, the revelations were a shock
economies such as Singapore (US$68 per capita).51 to the Indonesian public. The government’s response
Nevertheless, it was reported in August 2020 that has included the Secretariat General of the National
Indonesia had 74 AI-focused start-ups.52 Also in August Resilience Council drawing up a national contin-
2020, the government launched a National Strategy for gency plan against cyber attacks in 2016,60 and cyber-
Artificial Intelligence aimed at guiding the develop- emergency exercises such as the drill conducted by
ment of AI through to 2045.53 The strategy foreshadows the national CERT ahead of the 2018 Asian Games in
a focus on applying AI to social services, education and Jakarta.61 Indonesian specialists have identified high-pri-
research, health services, food security, mobility, smart ority assets that need the strongest protection, including
cities and public-sector reform.54 telecommunications and banking networks, online-
China looks set to make a large contribution to payment systems and key government, military and
the development of Indonesia’s digital economy. private-sector closed networks and data centres.62 The
Following India’s implementation of rules to restrict country’s basic cyber defences and incident-response
Chinese takeovers in early 2020, Chinese venture- capability are still not highly developed, however.
capital and tech investors have switched their focus to Indonesia experienced a sixfold increase in cyber
Indonesia, contributing to a 55% surge in investment attacks between January and October 2020, with its
in the country’s tech sector in the first half of 2020.55 e-commerce firms the major targets. Tokopedia suffered
Huawei has forged links with several Indonesian gov- an attack that caused the personal data of 91m users to
ernment agencies to help accelerate their digitisation, be leaked, while Bhinneka announced that 1.2m of its
including through cloud-based infrastructure for stor- accounts had been accessed by hackers.63 According
ing national data.56 Besides offering its technology, to a survey by Palo Alto Networks, 84% of Indonesian
Huawei has committed to nurture digital talent and companies plan to increase their IT budgets, of which

146 The International Institute for Strategic Studies


44% intend to allocate more than half of those funds to of the Maritime Information Centre.75 The Indonesian
cyber-security investment.64 Navy has carried out cyber-defence training since 2016,
Apart from launching a public consultation on the including a major eight-day exercise in 201876 that
new cyber-security strategy in 2020, the government has involved more than 500 personnel and had three main
been pursuing a raft of additional reforms. In February aspects: denial, countermeasures and cyber support for
2021 the BSSN launched a national Computer Security operations.77 In 2019 the navy added a cyber dimension
Incident Response Team (CSIRT) that will also serve to its largest annual exercise, Armada Jaya.
as the national and the government CSIRT.65 Fifteen In the International Telecommunication Union’s 2018
lower-level CSIRTs66 had already been established in Global Cybersecurity Index, Indonesia was ranked 41st
2020,67 and the government aims to set up another 27 out of 175 countries, a low position relative to its wealth
across its ministries and other public-sector bodies in and economic ambition.78
2021.68 In 2020 the BSSN participated in several cyber
drills,69 and in early 2021 it took part in training events Global leadership in cyberspace affairs
on Internet of Things security-testing that were jointly Since about 2005 the Indonesian government has worked
organised with the United States Embassy and Carnegie within the frameworks of the Association of Southeast
Mellon University.70 The BSSN is working with several Asian Nations (ASEAN), the ASEAN Regional Forum, the
government agencies in preparing a Draft Presidential Asia-Pacific Economic Cooperation, the United Nations
Regulation on Vital Information Infrastructure and the Organisation of Islamic Cooperation (OIC) on
Protection, which will cover the designation of strategic various aspects of fighting cyber crime, especially cyber
sectors and measures to protect critical information infra- terrorism, and on efforts to build international govern-
structure, increase cyber readiness and accelerate recov- ance frameworks to promote strategic stability in cyber-
ery from cyber incidents.71 The BSSN has also engaged space through discussion of cyber norms.
all relevant owners and operators to ensure their famili- Indonesian specialists who had set up the country’s
arity with the regulations and policies concerning the first private CERT worked with Australian and Japanese
country’s critical information infrastructure.72 counterparts to set up the Asia-Pacific CERT (APCERT)
Despite ambitious policy declarations, Indonesia in 1998. Indonesia is also a member of the OIC’s CERT,
suffers from a severe shortage of cyber skills. A 2016 of which it became deputy chair in 2018,79 and has par-
study by Oxford University found that the country ticipated in international cyber exercises such as the
lacked ‘minimal educational programmes in cyberse- China–ASEAN Network Security Emergency Response
curity’, ‘accreditation in cybersecurity education’ and a Capacity Building Seminar in 2018.80 In 2019 Indonesia
‘national budget to support the cybersecurity capacity joined the UN’s Group of Governmental Experts81 on
programmes’; that there were ‘few professional instruc- cyber norms, and since 2015 it has staged an annual
tors in cybersecurity’; and that knowledge transfer from international cyber conference, CodeBali.82 In 2020 it
trained cyber-security employees in the private sector participated in the G20 Digital Economy Ministers
existed only ‘on an ad hoc basis’.73 In 2020, comment- Meeting that issued a wide-ranging development
ing on the national skills shortage, the head of the BSSN agenda in the sector, including many security aspects.
reported that typically it took six months for the organi- It has collaborated with China in fighting cyber crime,
sation to fill a cyber-security position.74 It might there- including by deporting hundreds of Chinese citizens
fore take Indonesia two decades or more to develop a alleged to have been conducting attacks from Indonesia
sovereign capability for military cyber defence, given against targets in China.
the number of sensitive posts requiring cyber expertise
that would be needed. Offensive cyber capability
Given that Indonesia is a nation of islands, maritime Indonesia has reasonably well-developed capabilities
cyber security is of particular importance. The BSSN has for domestic cyber surveillance. For example, a special
been working on increasing the cyber-security capacity counter-terrorism unit in the police, Detachment 88, has

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 147


been building its cyber-surveillance capabilities with during any crisis or period of hostility. The prospect
the support of international partners such as Australia.83 of Indonesia catching up with the offensive cyber capa-
The available information on any wider offensive bilities of the states of particular interest to it – such
cyber capability is patchy, but it suggests Indonesia as Australia, China, Malaysia and Vietnam – seems a
is weakly positioned to use cyber means to respond distant one.

Notes

1 Yudhistira Nugraha, ‘The future of cyber security capacity in 12 Usman Hamid and Ary Hermawan, ‘Indonesia’s Shrinking

Indonesia’, Oxford Internet Institute, 2016, https://ora.ox.ac.uk/ Civic Space for Protests and Digital Activism’, Carnegie

objects/uuid:70392ace-4bd6-4066-818e-a3adc1eeedf3. Endowment for International Peace, 17 November 2020, https://

2 Its full name is the Indonesia Security Incident Response Team carnegieendowment.org/2020/11/17/indonesia-s-shrinking-

on Internet and Infrastructure/Coordination Center (ID-SIRTII/ civic-space-for-protests-and-digital-activism-pub-83250.

CC). See ‘History Id-SIRTII/CC’, https://idsirtii.or.id/en/page/ 13 Thomas Paterson, ‘Indonesian cyberspace expansion: A

history-id-sirtii-cc.html. double-edged sword’, Journal of Cyber Policy, vol. 4, no. 2, 2019,

3 Leonardus K. Nugraha and Dinita A. Putri, ‘Mapping the Cyber pp. 216–34, https://www.tandfonline.com/doi/pdf/10.1080/237

Policy Landscape: Indonesia’, Global Partners Digital, November 38871.2019.1627476?needAccess=true.

2016, pp. 14–15, https://www.gp-digital.org/wp-content/ 14 Ibid., p. 217.

uploads/2017/04/mappingcyberpolicy_landscape_indonesia.pdf. 15 Peraturan Menteri Pertahanan Republik Indonesia, Nomor

4 Badan Siber Dan Sandi Negara. See https://bssn.go.id/tentang. 82 tahun 2014 tentang, Pedoman Pertahanan Siber, https://

5 More precisely, the BSSN took on the responsibilities of the National www.kemhan.go.id/pothan/wp-content/uploads/2016/10/

Crypto Agency, the Security Incident Response Team on Internet Permenhan-No.-82-Tahun-2014-tentang-Pertahanan-Siber.pdf.

and Infrastructure, and the Information Security Directorate of the 16 Defence Ministry of the Republic of Indonesia, ‘Defence White

Ministry of Communication and Information Technology. Paper 2015’, November 2015, p. 109, https://www.kemhan.

6 Marguerite Afra Sapiie, ‘Police Playing Tough in Combating go.id/wp-content/uploads/2016/05/2015-INDONESIA-

Cybercrimes in Indonesia’, Jakarta Post, 6 February 2017, DEFENCE-WHITE-PAPER-ENGLISH-VERSION.pdf.

https://www.thejakartapost.com/news/2017/02/06/police- 17 Ibid., p. 110.

playing-tough-in-combating-cybercrimes-in-indonesia-.html. 18 Ibid., p. 45.

7 ‘Kemhan Dorong Pertahanan Nirmiliter Jadi Program Nasional’, 19 ‘Kemhan Dorong Pertahanan Nirmiliter Jadi Program

Antara, 8 May 2019, https://www.antaranews.com/berita/860413/ Nasional’, Antara.

kemhan-dorong-pertahanan-nirmiliter-jadi-program-nasional. 20 Satsiber, ‘Sejarah’, https://satsiber-tni.mil.id/sejarah-20181230304.

8 Badan Siber Dan Sandi Negara, ‘Indonesian Cyber Security 21 Sri Hidayati and Rudi A.G. Gultom, ‘Analisis Kebutuhan

Strategy’, https://bssn.go.id/strategi-keamanan-siber-nasional. Senjata Siber Dalam Meningkatan Pertahanan Indonesia Di Era

9 Cabinet Secretariat of the Republic of Indonesia, ‘Cyber Crime Peperangan Siber’, Teknologi Persenjataan, vol. 1, no. 1, 2020, p.

Directorate Established to Combat Fake News’, 4 October 2018, 90, http://139.255.245.7/index.php/TPJ/article/viewFile/474/451.

https://setkab.go.id/en/cyber-crime-directorate-established-to- 22 ‘Jokowi Strengthens Role of Cyber Agency’, Tempo, 3 January

combat-fake-news. 2018, https://en.tempo.co/read/914520/jokowi-strengthens-role-

10 Badan Siber Dan Sandi Negara, ‘Strategi Keamanan Siber of-cyber-agency.

Nasional’, 14 December 2020, https://cloud.bssn.go.id/s/ 23 Badan Siber Dan Sandi Negara, ‘Pimpinan Badan Siber Dan

qQZmyWaFf8ooc26/download. Sandi Negara’, https://bssn.go.id/pejabat.

11 Karis Kuniaran, ‘Ini Strategi BSSN Perkuat Keamanan Siber 24 Mehda Basu and Yun Xuan Poon, ‘Five steps in Indonesia’s cyber

Nasional’, Merdeka, 14 December 2020, https://www.merdeka.com/ battle plan: Interview with Lieutenant General (ret) Hinsa Siburian,

peristiwa/ini-strategi-bssn-perkuat-keamanan-siber-nasional.html. Head of the National Cyber and Encryption Agency (BSSN),

148 The International Institute for Strategic Studies


Indonesia’, GovInsider, 17 September 2020, https://govinsider. 38 For Gojek and Tokopedia valuations, see ‘Indonesia’s Gojek

asia/security/bssn-five-steps-in-indonesias-cyber-battle-plan. Mulls $18 Billion Merger With Tokopedia’, PYMTS.com, 5

25 Tentara Nasional Indonesia January 2021, https://www.pymnts.com/news/partnerships-

26 TNI, ‘Organizational Structure’, https://int.tni.mil.id/struktur. acquisitions/2021/indonesias-gojek-mulls-18-billion-merger-

html. See also Sekretariat Kabinet Republik Indonesia, ‘Inilah with-tokopedia. For a Traveloka valuation, see Yoolim Lee,

Perpres No. 62 Tahun 2016 Tentang Susunan Organisasi Tentara ‘Traveloka Nears Fundraising at Lower Valuation’, Bloomberg

Nasional Indonesia (1)’, 19 January 2017, https://setkab.go.id/ Quint, 10 July 2020, https://www.bloombergquint.com/

inilah-perpres-no-62-tahun-2016-tentang-susunan-organisasi- business/traveloka-is-said-near-fundraising-at-sharply-lower-

tentara-nasional-indonesia-1. valuation.

27 The Satsiber unit within the Indonesian Air Force was formally 39 Fauziah Rizki Yuniarti, ‘Indonesia could be Asia’s next Islamic

inaugurated only in September 2020. See Achmad Nasrudin finance hub’, Jakarta Post, 12 January 2021, https://www.

Yahya, ‘Bentuk Peperangan Makin Tak Dapat Diprediksi, TNI thejakartapost.com/academia/2021/01/12/indonesia-could-be-

AU Bentuk Satuan Siber’, Kompas, 17 September 2020, https:// asias-next-islamic-finance-hub.html.

nasional.kompas.com/read/2020/09/17/07393261/bentuk- 40 Eisya A. Eloksari, ‘Indonesian internet users hit 196 million, still

peperangan-makin-tak-dapat-diprediksi-tni-au-bentuk- concentrated in Java: APJII survey’, Jakarta Post, 11 November

satuan-siber. 2020, https://www.thejakartapost.com/news/2020/11/11/

28 Pushansiber. See Kementerian Pertahanan Republik Indonesia, indonesian-internet-users-hit-196-million-still-concentrated-

‘Kapushansiber’, https://www.kemhan.go.id/bainstrahan/ in-java-apjii-survey.html.

kapushansiber. 41 Ibid.

29 See Kementerian Pertahanan Republik Indonesia, ‘Badan Instalasi 42 ‘Indonesian Internet Users Reach 200 Million Until 2Q

Strategis Pertahanan’, https://www.kemhan.go.id/bainstrahan. of 2020’, The Insider Stories, 10 November 2020, https://

30 Alex Firmansiyah Rahman, Syaiful Anwar and Arwin theinsiderstories.com/indonesian-internet-users-reach-200-

Datumaya Wahyudi Sumari, ‘Analisis Minimum Essential million-until-2q-of-2020.

Force (MEF) Dalam Rangka Pembangunan Cyber-Defense’, 43 ‘Global Innovation Index 2020: Who Will Finance Innovation?’,

Jurnal Pertahanan & Bela Negara, vol. 5, no. 3, 2018, pp. 63–85, SC Johnson College of Business – Cornell University,

http://jurnal.idu.ac.id/index.php/JPBH/article/view/370. INSEAD and WIPO, September 2020, p. 17, https://www.

31 Margareth S. Aritonang, ‘Police to Support National globalinnovationindex.org/Home.

Cyber Agency’, Jakarta Post, 4 January 2017, https://www. 44 Vience Mutiara Rumata and Ashwin Sasongko

thejakartapost.com/news/2017/01/04/police-to-support- Sastrosubroto, ‘The Paradox of Indonesian Digital Economy


national-cyber-agency.html. Development’, IntechOpen, 27 May 2020, https://www.

32 Badan Intelijen Strategis intechopen.com/online-first/the-paradox-of-indonesian-

33 ‘DPR “Ngotot” Perjuangkan Dana Rp20 Triliun Untuk digital-economy-development.

BSSN’, CNN Indonesia, 13 November 2019, https://www. 45 ‘Incar Jawara Dunia, Inilah Strategi RI Dalam Ekonomi

cnnindonesia.com/teknologi/20191113191757-185-448102/ Digital’, Kementerian Komunikasi dan Informatika Republik

dpr-ngotot-perjuangkan-dana-rp20-triliun-untuk-bssn. Indonesia, November 2018, http:///content/detail/15306/incar-

34 Ibid. jawara-dunia-inilah-strategi-ri-dalam-ekonomi-digital/0/

35 European Center for Digital Competitiveness, ‘Digital Riser sorotan_media.

Report 2020’, September 2020, https://digital-competitiveness. 46 Trisha Ray et al., ‘The Digital Indo-Pacific: Regional

eu/wp-content/uploads/ESCP_Digital-Riser-Report_2020-1.pdf. Connectivity and Resilience’, Quad Tech Network, ANU,

36 Ibid., p. 7. CNAS, GRIPS, ORF, February 2021, p. 17, https://crawford.

37 ‘e-Conomy SEA 2020 – At full velocity: Resilient and racing anu.edu.au/sites/default/files/publication/nsc_crawford_anu_

ahead’, Google, Temasek, Bain & Company, November 2020, p. edu_au/2021-02/thedigitalindopacific.pdf.

32, https://www.thinkwithgoogle.com/_qs/documents/10614/ 47 Eileen Yu, ‘Cloud, Data amongst APAC Digital Skills Most

e-Conomy_SEA_2020_At_full_velocity__Resilient_and_ Needed’, ZDNet, 25 February 2021, https://www.zdnet.com/

racing_ahead_bMmKO5b.pdf. article/cloud-data-amongst-apac-digital-skills-most-needed/.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 149


48 Coordinating Ministry for Political, Legal and Security as Part of Berdayakan Ekonomi Digital Indonesia Initiative’,

Affairs, ‘Tingkatkan Keamanan Informasi Nasional, Deputi Microsoft Stories Asia, 25 February 2021, https://news.

VII Kominfotur Laksanakan FGD Merevival Kedaulatan microsoft.com/apac/2021/02/25/microsoft-to-establish-first-

Telekomunikasi’, 27 June 2019, https://polkam.go.id/ datacenter-region-in-indonesia-as-part-of-berdayakan-digital-

tingkatkan-keamanan-informasi-nasional-deputi-vii- economy-indonesia-initiative/.

kominfotur-laksanakan. 60 Arif Rahman and Oktarina Paramitha Sandy, ‘Ini Urgensi

49 ‘UI Gandeng Tokopedia Bangun Pusat Penelitian UU Keamanan dan Ketahanan Siber’ [interview with Colonel

Kecerdasan Buatan, Menristekdikti Harapkan Lulusan Arwin Datumaya Wahyudi Sumari], Cyberthreat.id, 26 April

Indonesia Penuhi Kebutuhan SDM Perusahaan Startup’, 2019, https://cyberthreat.id/read/305/Ini-Urgensi-UU-Keamanan-

Ristek-Brin, 28 March 2019, https://www.ristekbrin.go.id/ dan-Ketahanan-Siber.

ui-gandeng-tokopedia-bangun-pusat-penelitian-kecerdasan- 61 Asia Pacific Computer Emergency Response Team, ‘APCERT

buatan-menristekdikti-harapkan-lulusan-indonesia-penuhi- Annual Report 2018’, p. 125, http://www.apcert.org/

kebutuhan-sdm-perusahaan-startup. documents/pdf/APCERT_Annual_Report_2018.pdf.

50 Arya Dipa, ‘Bukalapak, ITB Launch AI, Cloud Computing 62 Achmad Rouzni Noor, ‘Strategi Indonesia Menjaga Kedaulatan

Innovation Center’, Jakarta Post, 2 February 2019, https://www. Cyber’, detikinet, 1 February 2016, https://inet.detik.com/

thejakartapost.com/news/2019/02/02/bukalapak-itb-launch-ai- cyberlife/d-3131768/strategi-indonesia-menjaga-kedaulatan-

cloud-computing-innovation-center.html. cyber.

51 Dylan Loh, ‘ASEAN Faces Wide AI Gap as Vietnam and 63 ‘Covid-19 and Cyberattacks: Which Emerging Markets

Philippines Lag Behind’, Nikkei Asia, 9 October 2020, https:// and Sectors Are Most at Risk?’, Oxford Business Group, 17

asia.nikkei.com/Business/Technology/ASEAN-faces-wide-AI- February 2021, https://oxfordbusinessgroup.com/news/covid-

gap-as-Vietnam-and-Philippines-lag-behind2. 19-and-cyberattacks-which-emerging-markets-and-sectors-are-

52 Hugh Harsono, ‘Why Indonesia Is Poised to Become most-risk.

the Next AI Start-up Hub’, South China Morning Post, 25 64 Eisya A. Eloksari, ‘Indonesian Businesses Ramp up

August 2020, https://www.scmp.com/tech/article/3098596/ Cybersecurity Budget amid Rampant Attacks’, Jakarta Post, 23

why-indonesia-poised-become-next-ai-start-hub. July 2020, https://www.thejakartapost.com/news/2020/07/22/

53 Indonesia National Secretariat of Artificial Intelligence, indonesian-businesses-ramp-up-cybersecurity-budget-amid-

‘Indonesia National Strategy for Artificial Intelligence’, 10 rampant-attacks.html.

August 2020, https://ai-innovation.id/strategi. 65 ‘Kepala BSSN Resmikan Tim Tanggap Insiden Keamanan Siber

54 Ibid. (BSSN-CSIRT) Demi Tercipta Ruang Siber Yang Aman Dan


55 Mercedes Ruehl, ‘China’s Tech Investors Turn from India to Kondusif’, Badan Siber Dan Sandi Negara, 25 February 2021,

Indonesia’, Financial Times, 29 November 2020, https://www. https://bssn.go.id/kepala-bssn-resmikan-tim-tanggap-insiden-

ft.com/content/bcc935fd-ef40-4d6d-9939-ea18498e0283. keamanan-siber-bssn-csirt-demi-tercipta-ruang-siber-yang-
56 ‘Cybersecurity Becomes BSSN’s Challenge in the Digitalization aman-dan-kondusif/.
of Indonesia’, Waktunya Merevolusi Pemberitaan, 28 August 66 In 2020 the BSSN established CSIRTs in institutions including the

2020, https://voi.id/en/technology/12457/cybersecurity-becomes- Ministry of Finance and the Ministry of Education and Culture,

bssns-challenge-in-the-digitalization-of-indonesia. and in provinces including Central Java, East Java, Gorontalo,

57 The Huawei ASEAN Academy reportedly comprises business, Jakarta, the Riau Islands, West Java and West Sumatra. See

technical and engineering colleges with 100 trainers, more than ‘BSSN Gandeng Pemprov DKI Jakarta Bentuk Tim Tanggap

3,000 courses and more than 100 mirroring environments. Insiden Keamanan Siber’, Badan Siber Dan Sandi Negara, 23

58 Chris Devonshire-Ellis, ‘Investment Infrastructure Projects in December 2020, https://bssn.go.id/bssn-gandeng-pemprov-

Indonesia Contributing to Improved Manufacturing Capability’, dki-jakarta-bentuk-tim-tanggap-insiden-keamanan-siber; and

ASEAN Briefing, 4 February 2021, https://www.aseanbriefing. ‘Resmikan Jogjaprov CSIRT, BSSN Harap Bisa Tekan Ancaman

com/news/investment-infrastructure-projects-in-indonesia- Siber di Yogyakarta’, KOMPAS.com, 15 October 2020, https://biz.

contributing-to-improved-manufacturing-capability. kompas.com/read/2020/10/15/133036728/resmikan-jogjaprov-

59 ‘Microsoft to Establish First Datacenter Region in Indonesia csirt-bssn-harap-bisa-tekan-ancaman-siber-di-yogyakarta.

150 The International Institute for Strategic Studies


67 ‘Resmi Dibentuk, Kemenkeu-CSIRT Menutup Program Kerjasama Keamanan Informasi’, Badan Siber Dan Sandi

Prioritas Strategis BSSN Di Tahun 2020’, Badan Siber Dan Sandi Negara, 4 February 2021, https://bssn.go.id/bssn-menerima-

Negara, 29 December 2020, https://bssn.go.id/resmi-dibentuk- kunjungan-bakamla-dalam-rangka-kerjasama-keamanan-

kemenkeu-csirt-menutup-program-prioritas-strategis-bssn-di- informasi.

tahun-2020. 76 TNI, ‘TNI AL Tingkatkan Kemampuan Pertahanan Siber’,

68 Ibid. 6 November 2018, https://tni.mil.id/view-140439-tni-al-

69 These drills include the ITU Cyber Drill Exercise 2020, ASEAN tingkatkan-kemampuan-pertahanan-siber.html.

Cert Incident Drill 2020, OIC Cert Cyber Drill 2020, Critical 77 Satsiber, ‘Gubernor Aaal Hadiri Latihan Operasi Pertahanan

Information Infrastructure Cyber Exercise 2020, ASEAN Japan Siber TNI AL 2018’, 12 December 2018, https://satsiber-tni.

Cyber Exercise 2020 and APCERT Drill 2020. See Id-SIRTII/CC, mil.id/gubernur-aal-hadiri-latihan-operasi-pertahanan-siber-

‘Activity’, 2020, https://idsirtii.or.id/en/activity/year/2020.html. tni-al-2018-20181212674.

70 ‘APCERT Training: Implementing IoT Security Testing’, 78 International Telecommunication Union, ‘Global Cybersecurity

ID-SIRTII/CC, 23 February 2021, https://idsirtii.or.id/en/ Index 2018’, p. 58, https://www.itu.int/dms_pub/itu-d/opb/str/

activity/detail_year/2021/92/apcert-training-implementing- D-STR-GCI.01-2018-PDF-E.pdf.

iot-security-testing.html; and ‘Carnegie Mellon University: 79 Asia Pacific Computer Emergency Response Team, ‘APCERT

Unhide Hidden Cobra’, ID-SIRTII/CC, 15 February 2021, Annual Report 2018’, p. 128.

https://idsirtii.or.id/en/activity/detail_year/2021/94/carnegie- 80 Ibid., p. 88.

mellon-university-unhide-hidden-cobra.html. 81 Since a UN General Assembly resolution in 2004, a UN Group

71 ‘BSSN Beserta 13 Lembaga Pemerintah Formulasikan of Governmental Experts (GGE) has convened for two-year

Rancangan Perpres Perlindungan Infrastruktur Informasi terms to address international-security aspects of cyberspace.

Vital’, Badan Siber Dan Sandi Negara, 10 February 2021, It was known as the GGE on ‘Developments in the Field

https://bssn.go.id/bssn-beserta-13-lembaga-pemerintah- of Information and Telecommunications in the Context of

formulasikan-rancangan-perpres-perlindungan-infrastruktur- International Security’ until 2018, when it was renamed the

informasi-vital. GGE on ‘Advancing Responsible State Behaviour in Cyberspace

72 ‘BSSN Gelar Diseminasi Peraturan dan Kebijakan Sektor in the Context of International Security’. In cyberspace-policy

Infrastruktur Informasi Kritikal Nasional (IIKN)’, Badan circles it is common to refer to it simply as ‘the GGE’. See

Siber Dan Sandi Negara, 10 February 2021, https://bssn. UN Office for Disarmament Affairs, ‘Developments in the

go.id/bssn-gelar-diseminasi-peraturan-dan-kebijakan-sektor- field of information and telecommunications in the context

infrastruktur-informasi-kritikal-nasional-iikn. of international security’, https://www.un.org/disarmament/

73 Nugraha, ‘The future of cyber security capacity in Indonesia’, ict-security.

pp. 12, 55. 82 See ‘CodeBali International Cyber Security Conference and

74 Basu and Yun, ‘Five steps in Indonesia’s cyber battle plan: Exhibitions’ website, https://codebali.id.

Interview with Lieutenant General (ret) Hinsa Siburian, 83 Muhammad Nadjib and Hafied Cangara, ‘Cyber Terrorism

Head of the National Cyber and Encryption Agency (BSSN), Handling in Indonesia’, Business and Management Review, vol.

Indonesia’. 9, no. 2, November 2017, pp. 278–9, https://cberuk.com/cdn/

75 ‘BSSN Menerima Kunjungan Bakamla Dalam Rangka conference_proceedings/conference_30092.pdf.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 151


152 The International Institute for Strategic Studies
14. Malaysia

On cyber security, Malaysia was a regional first support of its wider economic-development agenda.
mover and compares well with many other countries. It compensates for some of its shortcomings in cyber
Its ongoing commitment was demonstrated in 2020 capability through international alliances, particu-
with new cyber-security strategies for the civil sector larly with the United States, the United Kingdom,
and for national defence. There is little information Australia and Singapore. Overall, Malaysia is a
available on core cyber-intelligence capabilities or the third-tier cyber power but has clear strengths in
development of offensive cyber, with the policy state- cyber-security policy and strong digital-economic
ments issued in 2020 focusing more on active defence potential. If it realises that potential, it could create
in cyberspace. Malaysia has prioritised the devel- the foundations on which to become a second-tier
opment of an indigenous digital-industrial base in cyber power.

Strategy and doctrine


The development of Malaysia’s cyber policies, strategy combination of public policies and incentives for busi-
and doctrine has been shaped more by its industriali- nesses, including significant investment in creating the
sation and development agenda than by international- necessary technical infrastructure. The goal was to accel-
security considerations. Closely tied to the economic erate the transition from an agriculture-based economy
imperative is the aim of guaranteeing a free and open to one based on manufacturing and services, and then
digital environment for innovation and the need for a ultimately to a fully fledged knowledge economy.
stable domestic environment to underpin investment. In 2006 the government announced a National Cyber
The country’s cyber policies have also been shaped by Security Policy (NCSP) that identified ‘ten pillars’ of
the high priority successive governments have attached ‘Critical National Information Infrastructure’ and rec-
to issues of internal security. ognised their interdependence.1 The NCSP outlined a
Malaysia’s interest in cyberspace can be traced back piecemeal approach to building up cyber-security capa-
to the 1990s, when the government first recognised bilities at the national level.
the potential of the internet to transform its provision In 2016 the government published a Public Sector
of public services and catalyse the country’s develop- Cyber Security Framework to consolidate the various
ment. It set out to foster a digital ecosystem through a directives since 2000 that had been aimed at bolstering

List of acronyms
ASEAN Association of Southeast Asian Nations MAF Malaysian Armed Forces
CDOC Cyber Defence Operations Centre MoD Ministry of Defence
CERT Computer Emergency Response Team NACSA National Cyber Security Agency
ICT information and communications technology NSC National Security Council
IoT Internet of Things

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 153


public-sector cyber resilience,2 and in 2017 the Ministry Things (IoT) and artificial intelligence (AI). The white
of Defence (MoD) introduced an ICT security policy paper tasked the MAF with reviewing existing doctrine
that included an ICT steering committee responsible for in order to incorporate more automated and autono-
assessing and approving ICT needs within the MoD and mous technologies, including reforming the force struc-
the Malaysian Armed Forces (MAF). The committee is ture and posture where necessary.7
chaired by the MoD’s secretary-general or their deputy. In many ways the aspirations presented in the 2020
There is also a technical committee to oversee technical defence white paper were similar to those in a much
aspects of the MoD’s and the MAF’s ICT requirements.3 earlier document, the National Defence Policy of 2010,
A new Cyber Security Strategy, covering the period which had emphasised the importance of information-
2020–24, was released in 2020.4 It was the first such doc- domain dominance at the operational, tactical and stra-
ument since 2006, and addressed five pillars of policy: tegic levels in order to protect national sovereignty.8 It
governance, legislative framework and enforcement, had stated that developing a cyber-warfare capability
world-class innovation, capacity-building and educa- would be an ‘important step towards counterbalancing
tion, and global collaboration. It covered much of the the ability of other countries in the region and to defend
same ground as the corresponding strategies in other important national targets from all forms of threats’.
states, particularly in its emphasis on fighting cyber
crime, protecting critical national infrastructure, inno- Governance, command and control
vation, and educating more people to fill gaps in the The National Security Council (NSC), chaired by the
cyber workforce. Its other priorities included fighting prime minister, is the highest decision-making body
terrorism and violent extremism, especially by coun- on cyber-security matters. It has a sub-committee on
tering internet-based incitement and recruitment. It cyber security, chaired by a senior security minister,
stated a commitment to pursuing three broad strategic which met for the first time in December 2020.9 The
priorities: the governance ecosystem, improving pri- sub-committee is supported by the National Cyber
vate-sector security (especially for infrastructure oper- Security Agency (NACSA), created in 2017, which takes
ators) and improving the handling of cyber-security the lead at the national level in formulating, overseeing,
incidents. The government announced that the strat- coordinating and synchronising the implementation
egy would entail investment of US$434 million over the of cyber-security policy across the public and private
four-year period.5 sectors. NACSA’s responsibilities also include legis-
A 2020 defence white paper announced a much lative and enforcement efforts related to cyber secu-
stronger policy direction towards active cyber defence rity and internal and external collaboration covering
across the civil and military sectors.6 It also implied the both the public and private sectors.10 NACSA coordi-
development of some offensive cyber capability, albeit nates all the other government agencies that intersect
to be used only in response to a cyber attack on Malaysia. with cyber security, including the Attorney General’s
It identified three pillars of national-defence strategy Chambers, the office of the Chief Government Security
– concentric deterrence, comprehensive defence and Officer, CyberSecurity Malaysia, the Ministry of
credible partnerships – and emphasised cyber resilience Communications and Multimedia, and the Ministry of
as part of a whole-of-society concept of defence. Domestic Trade and Consumer Affairs.11
The white paper presented the concept of the ‘Future In 2016 the MoD and the MAF established a Cyber
Force’ that would be needed to implement concentric Defence Operations Centre (CDOC) to protect their
deterrence. One of its central characteristics would be collective ICT systems and networks. Fully opera-
‘interoperability’, indicating a commonality of doc- tional since 2017, the CDOC monitors threats and
trines, procedures, systems and equipment across the mitigates the impacts of cyber-security incidents.12
MAF. The Future Force would also be ‘technology- In December 2020, after more than a year of plan-
based’, meaning it would incorporate the latest digital ning, the MAF announced the creation of the Defence
technologies by, for example, embracing the Internet of Communication and Electronic Division tasked with

154 The International Institute for Strategic Studies


improving offensive and defensive capabilities for cooperation between Kuala Lumpur and these other
cyber operations, and conducting electronic warfare.13 countries is tied closely to intelligence collection in the
This replaced the Communications and Electronics South China Sea and to counter-terrorism.
Division, created in 1993.
Both the MoD and the MAF have their own Computer Cyber empowerment and dependence
Emergency Response Teams (CERTs) – MinDefCERT and Malaysia’s digital economy contributes about 20% of
MAFCERT respectively. MinDefCERT reports incidents GDP20 and the government anticipates that through tech-
to the government CERT (GCERT MAMPU) whereas nological innovation the sector can play an increasing role
MAFCERT reports directly to the NSC. MAFCERT is led in economic growth.21 Leading this effort is the Malaysia
by the head of the CDOC and includes the ICT managers Digital Economy Corporation,22 whose role includes
working in each of the three armed services.14 overseeing the development of the Multimedia Super
Corridor (modelled on California’s Silicon Valley), home
Core cyber-intelligence capability to almost 3,000 ICT companies.23 In partnership with the
Malaysia’s intelligence community is directed by the private sector the government has launched numerous
NSC under the Prime Minister’s Department,15 whose policies and road maps related to the digital economy,
main role is to coordinate national-security policies, including the National Industry 4WRD Policy, focused
including during emergencies.16 Among its ten subdi- on Industry 4.0; the National eCommerce Roadmap;
visions are the National Intelligence Committee (NIC) a national Big Data Analytics ecosystem; a Digital Free
and its supporting National Intelligence Division.17 The Trade Zone, aimed at making Malaysia an e-commerce
NIC is tasked with coordinating the work of the other and e-fulfilment hub; and a National IoT Framework.24 A
intelligence agencies, namely Special Branch (under National AI Framework is also being drafted.
the Royal Malaysia Police), the Malaysian External In 2019 the Ministry of Communications and
Intelligence Organisation (under the Prime Minister’s Multimedia recorded 43.38m broadband subscrip-
Department) and the Defence Staff Intelligence Division tions among Malaysia’s population of 32m.25 However,
(under the MAF). there is an urban–rural digital divide, with at least 3.5m
The main signals-intelligence capability lies with the Malaysians in rural or semi-urban areas having very
Royal Signals Regiment (RSD)18 slow internet speeds.26 The National
and the Royal Intelligence Corps, Malaysia’s Fiberisation and Connectivity Plan
in the army, and the Defence Staff
AI research aims to establish a fibre network
Intelligence Division (equivalent to serving 70% of schools, hospitals,
the US Defense Intelligence Agency), capabilities are libraries, police stations and post
as part of a very broad suite of less developed offices by 2022, and to provide aver-
national-security missions and tasks.
than those of some age internet speeds of 30 Mbps in
MAF restructured the RSD in 2018, 98% of populated areas by 2023.27
which resulted in the creation of a
other Southeast Malaysia’s AI research capabili-
specialised cyber unit (designated Asian states ties are less developed than those of
99 RSD).19 Special Branch conducts some other Southeast Asian states.
cyber surveillance of internal threats from terrorism and For example, in a ranking of the world’s top 50 countries
subversion. The Malaysian foreign-intelligence organisa- based on their contributions to the two most prestigious
tion, formally known as the Research Department of the AI conferences in 2020, Malaysia was placed 47th, which
Prime Minister, may have a small cyber-intelligence unit. was lower than Singapore (12th), Vietnam (27th) and
Malaysia relies on collaboration with international Thailand (44th) but ahead of Indonesia, which did not
partners, especially the United States, the United feature in the list.28 There have been some notable invest-
Kingdom, Australia and Singapore, for the wider ments in AI in the private sector. In 2020, G3 Global Bhd,
regional and global cyber-intelligence picture. Security a Malaysian company specialising in IoT solutions and

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 155


AI, signed an agreement with two Chinese tech com- related to computer offences.38 In 2008 it was accorded
panies to establish Malaysia’s first AI park in Kuala the unique honour of becoming the repository of the
Lumpur, apparently aiming to invest more than US$1 Global Cybersecurity Agenda (GCA) launched by the
billion by 2025.29 Malaysia’s AI-adoption rate (8.1%) is International Telecommunication Union (ITU).39 A super-
still slow compared with, for example, Indonesia (24.6%) visory and regulatory authority, the Communications and
or Thailand (17.1%).30 Multimedia Commission, had been in place since 1998,40
Most of the country’s fibre-optic cables are owned and a Personal Data Protection Act was passed in 2010.41
and operated by two corporations, either directly In 2011 Malaysia created a National Cyber
or through shareholdings in smaller companies. Coordination and Command Centre to monitor and
Tenaga Nasional Berhad, Malaysia’s largest electricity manage cyber incidents, and to determine the level and
company,31 owns 12,000 kilometres of fibre-optic cables potential impact of cyber-security threats.42 It receives
nationwide, using only a small portion of the available data from CyberSecurity Malaysia and the Malaysian
bandwidth.32 Telekom Malaysia Berhad, which has Communications and Multimedia Commission,43
links to the government and is the only company with whose mission during a crisis is to perform a techni-
a high-speed broadband network cal advisory role in support of the
as part of a public–private part- National Cyber Crisis Management
nership, wires 2.5m homes across
Malaysia has Committee.44
the country. Worldwide, it has the potential A pilot project to tackle mal-
more than 20 undersea cable sys- to achieve an ware threats at the national level
tems, spanning more than 190,000
advanced level of has been implemented under the
km, and more than 560,000 km of Coordinated Malware Eradication
fibre-optic cables.33 Malaysia itself cyber resilience and Remediation Project, and the
is served by only four undersea ITU’s 2018 Global Cybersecurity
cables. The other, smaller companies that run their own Index highlights several inter-agency initiatives to com-
fibre-optic cables are Fibrecomm, with 110,000 km of bat online banking fraud, operate digital forensic labo-
cables nationwide;34 TIME dotCom, with 7,000 km run- ratories and exchange information in technical areas
ning throughout the North–South Expressway; and of cyber security. There is also collaboration between
Fiberail, with 4,800 km along railway tracks. Mobile- the government and industry to develop best-practice
telecommunications companies such as Celcom Axiata, guidelines for cloud security.45
Digi and Maxis also own fibre networks.35 In December Malaysian and multinational companies play impor-
2020, Penang became the first Malaysian state to tant roles in increasing the country’s resilience against
make fibre-optic cabling mandatory in new property cyber threats, working with the government to boost
developments.36 domestic capacity and capability. The Malaysian com-
Malaysia’s satellite-communications capability pany Cyber Intelligence, for example, has set up cyber
is operated by MEASAT Global Berhad, which has ranges in collaboration with CyberSecurity Malaysia
a fleet of five satellites with coverage over Asia, the and the International Islamic University Malaysia.46
Middle East and Africa. It has commissioned Airbus At the technical level, Malaysia began conducting
to build a new satellite, MEASAT-3d, to be launched national cyber drills involving public and private
in 2021. This would enhance the delivery of 4G and 5G stakeholders in the Critical National Information
mobile networks.37 Infrastructure in 2008. Codenamed X-Maya and
led by CyberSecurity Malaysia and the National
Cyber security and resilience Security Council, those drills tested the technical and
Malaysia was a regional first mover in cyber-security collaborative skills of personnel throughout each ‘pillar’
policy. With its Computer Crime Act of 1997, it was of the infrastructure.47 The latest public reporting of
one of the first countries in Asia to enact legislation such drills was in 2017. Since then, government policy

156 The International Institute for Strategic Studies


seems to have focused on a sector-based approach, Malaysia has also contributed to various other
for example requiring financial institutions to develop technical and standards-related platforms, includ-
cyber-incident-response plans and to test them by ing the Forum of Incident Response and Security
holding annual exercises.48 The 2020 Cyber Security Teams, the Internet Corporation for Assigned Names
Strategy prioritised the enhancement of measures and Numbers, the ASEAN Telecommunications and
to protect critical national infrastructure, including Information Technology Ministers’ Meeting, and the
much stronger obligations for the operators of that Asia-Pacific Telecommunity.53
infrastructure to prevent cyber incidents or, if they On the international-security front, Malaysia has
occur, to mitigate their consequences.49 been actively leading discussions within the ASEAN
Given that the key cyber-security foundations are in Regional Forum (ARF) for several years. It co-
place – especially policy commitment on the part of the chairs, together with Japan and Singapore, the ARF
government, and high-quality education in the field – Inter-Sessional Meeting on the Security and Use of
Malaysia has the potential to achieve an advanced level of Information and Communications Technology, whose
cyber resilience. It was ranked eighth out of 175 countries objectives include assessing ‘regional needs for capacity
in the ITU’s 2018 Global Cybersecurity Index, and second building on ICTs Security’ and assisting ‘the develop-
in the Asia-Pacific region behind Singapore.50 But ques- ment of a peaceful, secure, open and cooperative envi-
tions remain about the detection and reporting of cyber ronment for the expansion of ICTs Security among ARF
attacks, and about incident-response capabilities. There Participants’.54
appears to be room for improvement when it comes to Malaysia also participated in the United Nations
coordination between cyber-security actors, with one Group of Governmental Experts (GGE)55 in 2014–
2019 analysis reporting a ‘lack of unity of effort’.51 15, which produced a consensus report on possible
voluntary norms despite the widely differing views
Global leadership in cyberspace affairs and interests of its members,56 and in regional
On the technical front, Malaysia continues to play a capacity-building efforts to promote, clarify and
leading role in regional and global forums. Through initiate implementation of the GGE’s 11 norms within
CyberSecurity Malaysia the country has become the Southeast Asia.57
permanent secretariat of the Organisation of Islamic
Cooperation’s Computer Emergency Response Team Offensive cyber capability
(OIC-CERT). It conducted the first Association of Aside from the aspirations set out in the 2010 National
Southeast Asian Nations (ASEAN) cyber capacity- Defence Policy and the 2020 defence white paper, there
building programme in 2015, and has served twice has been little indication of Malaysian activity in the
as deputy chair of the Asia-Pacific CERT (APCERT). sphere of offensive cyber. Policy guidance at the highest
CyberSecurity Malaysia’s digital forensic laboratory levels suggests that the government’s overriding prior-
– which can conduct computer, multimedia, mobile, ity is to use cyberspace to further its economic-develop-
biometric, cloud-computing and embedded-device ment agenda, and this priority is not expected to shift.
forensics – was the first in the Asia-Pacific to receive Any progress towards achieving offensive cyber ambi-
Interpol recognition.52 tions is therefore likely to remain slow.

Notes

1 Ministry of Science, Technology and Innovation, Malaysia, Government Administrative Centre, July 2006, https://cnii.

‘National Cyber Security Policy: The Way Forward’, Federal cybersecurity.my/main/ncsp/tncsp.html. The ten pillars of

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 157


Critical National Information Infrastructure outlined in the entity’s name. The name used by the MAF is the Defence

policy were national defence and security; banking and finance; Communication and Electronic Division.

information and communications; energy; transportation; 14 ‘Dasar Keselamatan Teknologi Maklumat Dan Komunikasi

water; health services; government; emergency services; and (DKICT)’, pp. 23–5.

food and agriculture. 15 National Security Council, ‘Directive No. 20, Policy and

2 See National Cyber Security Agency, ‘RAKKSSA: Rangka Mechanism of National Disaster Management and Relief’,

Kerja Keselamatan Siber Sektor Awam’, April 2016, https:// https://www.adrc.asia/management/MYS/Directives_National_

www.nacsa.gov.my/doc/RAKKSSA-VERSI-1-APRIL- Security_Council.html.

2016-BM.pdf. 16 Majlis Keselamatan Negara, ‘Sejarah’, 20 January 2019, https://

3 See ‘Dasar Keselamatan Teknologi Maklumat Dan Komunikasi www.mkn.gov.my/web/ms/sejarah-mkn.

(DKICT)’, January 2017, http://www.stride.gov.my/v2/images/ 17 Philip H. J. Davis, ‘All in Good Faith? Proximity, Politicisation,

contents/DKICT-MINDEF_VER-5_1-JAN-2017.pdf. and Malaysia’s External Intelligence Organisation’, International

4 National Security Council, Prime Minister’s Department, ‘Malaysia Journal of Intelligence and CounterIntelligence, vol. 32, no. 4, May

Cyber Security Strategy 2020–2024’, October 2020, https://asset. 2019, pp. 691–716, https://www.tandfonline.com/doi/abs/10.10

mkn.gov.my/web/wp-content/uploads/sites/3/2019/08/Malaysia 80/08850607.2019.1621105.

CyberSecurityStrategy2020-2024Compressed.pdf. 18 Regimen Semboyan Diraja

5 Stuart Crowley, ‘Malaysia to spend $434m on national 19 Marhalim Abas, ‘Restructuring of the Signals Regiment’,

cybersecurity strategy’, W.media, 16 October 2020, https://w. Malaysian Defence, 19 November 2019, https://www.

media/malaysia-to-spend-434m-on-national-cybersecurity- malaysiandefence.com/restructuring-of-the-signals-regiment.

strategy/#:~:text=The%20first%20pillar%20will%20 20 ‘Malaysia’s digital economy now contributes one fifth to GDP’,

look,and%20formulating%20laws%20on%20cybersecurity. Consultancy.asia, 7 July 2020, https://www.consultancy.asia/

6 Ministry of Defence, ‘Defence White Paper: A Secure, Sovereign news/3370/malaysias-digital-economy-now-contributes-one-

and Prosperous Malaysia’, Kuala Lumpur, 2020, http://www. fifth-to-gdp.

mod.gov.my/images/mindef/article/kpp/DWP.pdf. 21 World Bank Group, ‘Malaysia’s Digital Economy: A

7 Ibid. New Driver of Development’, September 2018, https://

8 ‘Malaysia’s National Defence Policy’, 2010, pp. 12–13, https:// openknowledge.worldbank.org/bitstream/handle/10986/303

web.archive.org/web/20181024164353/http://www.mod.gov. 83/129777.pdf.

my/images/mindef/lain-lain/ndp.pdf. 22 Malaysia Digital Economy Corporation, ‘Who We Are’, https://

9 ‘National Security Council: Govt to set up special task force to mdec.my/about-mdec/who-we-are.


identify cyber security issues’, Malay Mail, 17 December 2020, 23 Malaysia Digital Economy Corporation, ‘What We Offer’,

https://www.malaymail.com/news/malaysia/2020/12/17/national- https://mdec.my/what-we-offer/msc-malaysia.

security-council-govt-to-set-up-special-task-force-to-identify- 24 Malaysia Digital Economy Corporation, ‘A Nation’s

cyb/1932893. Commitment to the Digital Economy’, https://mdec.my/


10 National Security Council, Prime Minister’s Department, about-malaysia/government-policies.
‘Frequently Asked Questions’, https://www.nacsa.gov.my/faq.php. 25 ‘MCMC: 43.38 million Broadband Subscription in Malaysia,

11 Cyber Security – Towards a Safe and Secure Cyber Environment 82.2% 4G LTE Coverage’, Malaysian Wireless, 18 May 2020,

(Kuala Lumpur: Academy of Sciences Malaysia, 2018), pp. https://www.malaysianwireless.com/2020/05/mcmc-fixed-

30–3, https://issuu.com/asmpub/docs/cybersecurity. broadband-mobile-subscribers-malaysia.

12 Muhammad Sabu, Hansard, Parliament of Malaysia, 26 B.K. Sidhu, ‘Going beyond fibre for internet throughout

D.R.30.10.2018, 30 October 2018, p. 137. Malaysia’, Star, 28 January 2019, https://www.thestar.com.

13 ‘Launch Ceremony of Cyberand Electromagnetic Division my/business/business-news/2019/01/28/going-beyond-

Defence (BSEP)’, Malaysia Military Times, 19 December 2020, fibre.

https://mymilitarytimes.com/index.php/2020/12/19/launch- 27 Malaysian Communications and Multimedia Commission,

ceremony-of-cyber-and-electromagnetic-division-defence- ‘National Fiberisation and Connectivity Plan’, https://www.

bsep. Note that there are different English translations of the nfcp.my/Nfcp/media/Docs/NFCP-FS002-v5c.pdf.

158 The International Institute for Strategic Studies


28 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United http://www.agc.gov.my/agcportal/uploads/files/Publications/

States Stay Ahead of China?’, Medium.com, 20 December 2020, LOM/EN/Act%20709%2014%206%202016.pdf.

https://chuvpilo.medium.com/ai-research-rankings-2020-can- 42 National Cyber Coordination and Command Centre, ‘About

the-united-states-stay-ahead-of-china-61cf14b1216. Us’, http://www.nc4.gov.my/about_us.

29 Royce Tan, ‘AI Park Will Help Malaysia Take the Lead in 43 International Telecommunication Union, ‘Global Cybersecurity

Digital Future’, Star, 17 October 2020, https://www.thestar. Index 2018’, p. 38, https://www.itu.int/dms_pub/itu-d/opb/str/

com.my/business/business-news/2020/10/17/ai-park-will-help- D-STR-GCI.01-2018-PDF-E.pdf.

malaysia-take-the-lead-in-digital-future.  44 National Cyber Coordination and Command Centre, ‘About Us’.

30 Ibid. 45 International Telecommunication Union, ‘Global Cybersecurity

31 Tenaga Nasional, ‘Corporate Profile’, https://www.tnb.com. Index 2018’, p. 38.

my/about-tnb/corporate-profile. 46 Cyber Intelligence, ‘Cyber Intelligence (CI)’, https://www.

32 P. Prem Kumar, ‘TNB expanding fixed broadband footprint in cybersecurityintelligence.com/cyber-intelligence-ci-4798.html.

rural homes’, The Malaysian Reserve, 26 November 2018, https:// 47 CyberSecurity Malaysia, ‘Milestones’, https://www.

themalaysianreserve.com/2018/11/26/tnb-expanding-fixed- cybersecurity.my/en/about_us/milestones/main/detail/2325/

broadband-footprint-in-rural-homes. index.html.

33 Telekom Malaysia Berhad, ‘Review of the Year & Key 48 See Chew Kherk Ying, ‘Cyber Security 2020, Malaysia’,

Achievements’, 2020, https://www.tm.com.my/annualreport/#/ Chambers and Partners, 16 March 2020, https://

review-of-the-year-key-achivements. practiceguides.chambers.com/practice-guides/

34 Fibrecomm Network, ‘Company profile’, https://www. cybersecurity-2020/malaysia.

fibrecomm.net.my/?page_id=10830. 49 National Security Council, Prime Minister’s Department,

35 Sidhu, ‘Going beyond fibre for internet throughout Malaysia’. ‘Malaysia Cyber Security Strategy 2020–2024’, pp. 30–9.

36 Alexander Wong, ‘Penang is the first state to make fibre optic 50 International Telecommunication Union, ‘Global Cybersecurity

infrastructure mandatory for new developments’, SoyaCincau, Index 2018’, p. 58.

24 December 2020, https://www.soyacincau.com/2020/12/24/ 51 Azian Ibrahim et al., ‘Cyber Warfare Impact to National

penang-fibre-optic-broadband-infrastructure-basic-utility- Security – Malaysia Experiences’, paper presented to FGIC

first-state-malaysia. 2nd Conference on Governance and Integrity 2019, Yayasan

37 Caleb Henry, ‘Measat buying single replacement for two Pahang, Kuantan, Pahang, Malaysia, 19–20 August 2019, p.

satellites’, SpaceNews, 6 May 2019, https://spacenews.com/ 222, https://knepublishing.com/index.php/KnE-Social/article/

measat-buying-single-replacement-for-two-satellites. download/5052/10067.
38 Computer Crimes Act 1997, Laws of Malaysia, Act 563, http:// 52 ‘Malaysia’s cybersecurity, forensic labs among most advanced

www.agc.gov.my/agcportal/uploads/files/Publications/LOM/ in the world’, Sun Daily, 27 May 2019, https://www.thesundaily.

EN/Act%20563.pdf. my/local/malaysia-s-cybersecurity-forensic-labs-among-most-
39 See International Telecommunication Union, ‘Global advanced-in-the-world-KM916936.
Cybersecurity Agenda’, https://www.itu.int/en/action/ 53 Cyber Security – Towards a Safe and Secure Cyber Environment, p. 53.

cybersecurity/Pages/gca.aspx. The ITU describes the GCA 54 Association of Southeast Asian Nations, ‘Co-Chairs’ Summary

as ‘a framework for  international cooperation  aimed at Report – 1st ASEAN Regional Forum Inter-Sessional Meeting on

enhancing confidence and security in the information Security of and in the Use of Information and Communication

society’, adding that it was ‘designed for cooperation and Technologies’, Kuala Lumpur, 25–26 April 2018, p. 2, http://

efficiency, encouraging  collaboration with and between all aseanregionalforum.asean.org/wp-content/uploads/2019/01/

relevant partners and building on existing initiatives to avoid ANNEX-12.pdf.

duplicating efforts’. 55 Since a UN General Assembly resolution in 2004, a UN Group

40 ‘Communications and Multimedia Act 1998’, Commonwealth of Governmental Experts (GGE) has convened for two-year

Legal Information Institute, http://www.commonlii.org/my/ terms to address international-security aspects of cyberspace.

legis/consol_act/cama1998289. It was known as the GGE on ‘Developments in the Field

41 Personal Data Protection Act 2010, Laws of Malaysia, Act 709, of Information and Telecommunications in the Context of

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 159


International Security’ until 2018, when it was renamed the GGE Telecommunications in the Context of International Security’,

on ‘Advancing Responsible State Behaviour in Cyberspace in A/70/174, 22 July 2015, https://www.un.org/ga/search/view_

the Context of International Security’. In cyberspace-policy circles doc.asp?symbol=A/70/174.

it is common to refer to it simply as ‘the GGE’. See UN Office for 57 Along with their counterparts from other ASEAN member

Disarmament Affairs, ‘Developments in the field of information states, Malaysian officials have participated in training

and telecommunications in the context of international security’, workshops led by, among others, the Australian Strategic

https://www.un.org/disarmament/ict-security. Policy Institute (April 2019) and the United Nations Office of

56 United Nations General Assembly, ‘Group of Governmental Disarmament Affairs in cooperation with the Cyber Security

Experts on Developments in the Field of Information and Agency of Singapore (July 2019).

160 The International Institute for Strategic Studies


15. Vietnam

Vietnam has put in place a suite of strategies for cyber of internal subversion probably draw resources away
security and the advancement of its national power from technical cyber-skills training and towards ideo-
in cyberspace, including in the military domain. logical work and the management of public opinion,
The governance structures for cyber policy operate thereby reducing investment in both defensive and
through the ruling Communist Party of Vietnam’s offensive cyber capabilities. While overall offensive
authoritarian political system. The government has cyber capabilities are likely to be nascent or weak, the
implemented several policies that have contributed covert government-linked group APT32 could prob-
to robust growth in the ICT sector and to significant ably launch relatively sophisticated cyber attacks.
progress in the construction of e-government plat- Vietnam is a third-tier cyber power but it has consider-
forms. However, many government agencies still able digital ambition and potential. If it can strengthen
grapple with cyber-security issues because of a lack its key cyber-security skills, support its ICT firms and
of funds and a huge shortage of cyber-security talent. invest in advanced technology to protect its digital
The Communist Party’s concerns regarding the threat infrastructure, it could realise that potential.

Strategy and doctrine


Vietnam’s laws and regulations surrounding cyber information security; and to enhance the legal frame-
security were rather disparate until 2010, when it work for information security, especially relating to
released its first national road map, ‘Approving computer crime and encryption. Funding was pro-
the National Planning on Development of Digital vided to train personnel in state agencies and bolster
Information Security’.1 The plan was more comprehen- information security in the Ministry of Information and
sive and ambitious than those that most other countries Communications (MIC), the Ministry of Public Security
had produced by that point. Its four overarching goals, (MPS), the Government Cipher Committee and the
aimed at addressing technical and legal weaknesses in Ministry of Industry. The road map also identified the
the country’s information security, were: to ensure the need to encourage research and development (R&D).
security of network and information infrastructure; to A Network Information Security Plan was launched
ensure the safety of data and applications; to train cyber- in 2016, aiming to augment the 2010 road map by
security professionals and increase public awareness of outlining further objectives for the period 2016–20.2

List of acronyms
AIS Authority of Information Security MPS Ministry of Public Security
ASEAN Association of Southeast Asian Nations NCSC National Cyber Security Monitoring Centre
CPV Communist Party of Vietnam NSCER National Steering Committee for Emergency Response
ICT information and communications technology VNCERT Vietnam Computer Emergency Response Team
MIC Ministry of Information and Communications VNPT Vietnam Posts and Telecommunications Group
MND Ministry of National Defence VPA Vietnamese People’s Army

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 161


It emphasised R&D and governmental cooperation The first official public document to convey
with Vietnamese information-security firms through Vietnam’s perspective on applying cyber to the military
outsourcing, and set targets for the establishment of domain was the National Defence Law, also introduced
home-grown brands of information-security products. in 2018.8 It described ‘information warfare’ as ‘activi-
Vietnamese ICT associations were identified as key ties and measures to disable the enemy’s information
players in promoting this initiative.3 The plan also systems and secure Vietnam’s information systems’,
advocated the nationwide coordination of responses which it included in the concept of ‘all-people national
to security incidents. It foreshadowed the development defense’ (Article 2), and specifically mentioned both
of minimum security requirements for key national cyber warfare and information warfare. The same year
systems (both critical infrastructure and more sensitive saw a Politburo resolution announcing a new ‘Strategy
government communications). Individual companies for the Homeland Protection in Cyberspace’,9 designed
would be obliged to take responsibility for security to develop a whole-of-society response, though centred
by adhering to the relevant regulations, and to submit on the armed forces, and to combine cyber defence with
to regular audits of this compliance. The plan also counter-attack.10
promoted cyber-security drills for government- and A defence white paper published in 2019 presented
private-sector entities, along with their participation in cyberspace as the fifth operational domain – alongside
international forums. land, air, sea and space – in which to defend Vietnam’s
For the Vietnamese government, cyber security is national sovereignty.11
not just a technical question of protecting networks
but also involves controlling the political content car- Governance, command and control
ried by those networks – as demonstrated, for example, Security policy, including for cyberspace, is directed by
by the Law on Network Information Security passed the Politburo of the Communist Party of Vietnam (CPV).
in November 2015.4 While this law focused primari- The armed forces, through their Cyber Command, have
ly on technical and management aspects of preventing a more central role in censorship and political surveil-
unauthorised access to ICT systems, it made clear that lance than is the case in most countries, and therefore
censorship and monitoring of domestic political expres- the Central Military Commission of the CPV, Vietnam’s
sion would be a high priority for the government. It also highest decision-making body for national security, is
flagged the need to control international exchanges in probably the main command and governance authority
cyberspace, defining as illegal any information-related for cyberspace policy. Other departments close to the
activity that the government considered a threat to na- party leadership, such as the Propaganda Department,
tional security, whether carried out by Vietnamese or also play a role in dealing with the most sensitive secu-
foreign entities. rity issues.
The Cyber Security Law passed in June 2018 was even The cyber policies dictated by the CPV leadership are
more overtly political in its purpose, aiming to protect implemented primarily by the MIC, the MPS and the
national security and ensure ‘social order and safety in Ministry of National Defence (MND), with the MIC as
cyberspace’ (Article 1).5 It included extensive definitions the coordinator for more technical aspects of cyber secu-
around content acceptability that were not part of the rity as well as broad policies on content management.12
2015 law. For example, in Article 8, it described as ‘strictly Within the MIC, the Vietnam Computer Emergency
prohibited’ any attempt to ‘oppose the State’ or to distort Response Team (VNCERT)13 coordinates nationwide
history by ‘denying revolutionary achievements’. One incident-response activities, collects and shares infor-
of the most controversial elements of the 2018 law was mation on incidents and malware, directs cyber opera-
enforced data localisation6 for all domestic and foreign tions, and undertakes the testing of the cyber defences
companies operating in Vietnam, a move seen by the for- of public- and private-sector entities.14 The Authority of
eign companies as infringing on their business confiden- Information Security (AIS) formulates laws and policies
tiality and intellectual-property rights.7 regarding information security, and implements technical

162 The International Institute for Strategic Studies


measures to protect critical information infrastructure,15 Core cyber-intelligence capability
while the National Electronic Authentication Centre Vietnam’s cyber-intelligence capabilities lie in the
secures electronic transactions through digital signatures MPS, MND and MIC. Within the MPS, the General
and other authentication services.16 Department of Intelligence and the General Department
The MPS has two cyber-security departments – of Security (GDS) collect domestic and foreign intel-
Cyber Security and High-tech Crime Prevention (A05), ligence. Inside the GDS, the specialist unit A42 moni-
and Information Security and Communications (A87). tors telephone calls, emails and the internet using
A05 is tasked with preventing cyber crime, including systems procured from foreign vendors.23 Also within
online gambling and the spreading of false information, the MPS, the Department for Cyber Security and High-
and cooperates with foreign investigation agencies on tech Crime Prevention (AO5 – see previous section)
cases involving foreign cyber criminals. It also provides has invested in modern technical equipment24 and has
advice on cyber-security laws and policies, and pro- joined Microsoft’s Government Security Program to
motes high-tech solutions aimed at boosting the gov- enhance its awareness of cyber threats.25
ernment’s capacity to counter cyber crime.17 A87 plays Within the MND, the General Department of
an advisory role on matters of policy, on legal aspects of Military Intelligence is responsible for domestic and
security in the fields of culture, information and com- foreign intelligence. Cyber Command, although not an
munication, and on countering criticism of the CPV and intelligence agency, is likely to possess cyber-intelligence
the leaking of state secrets.18 capabilities that would have evolved from the VPA’s
The MND directs two cyber-security departments – proven signals-intelligence capacity during the Vietnam
Cyber Command and the Government Cryptographic War. Also operating within the MND, the Government
Agency. Cyber Command, established in August 2017 Cryptographic Agency is a vital part of Vietnam’s
as an upgrade of the former Information Technology cyber-intelligence capability, being responsible for
Department, reports to the Chief of the General Staff, ensuring the cyber security of the country’s civilian
who in turn is subordinate to the defence minister and military leaders.
(a Politburo member). Comprising the Command In its role as coordinator for all government depart-
Headquarters, three brigades, testing centres and a data ments concerned with cyber security, the MIC also
centre, its responsibilities include political work, techni- possesses cyber-intelligence capabilities. Its National
cal and logistical issues, and professional cyber opera- Cyber Security Monitoring Centre works alongside
tions.19 The Government Cryptographic Agency is in the VNCERT and provincial Cyber Security Control
charge of securing the state’s encrypted networks and Centres26 in monitoring Vietnamese cyberspace for
R&D of related technologies.20 potential threats.
The Vietnamese People’s Army (VPA) contains a Vietnam’s cyber-intelligence capability is amplified
special cyber unit, Force 47, tasked with protecting the to some degree by a group known to cyber-security
CPV against ‘false news’ and disseminating state prop- companies as APT32.27 Though apparently a non-state
aganda. It has a task force whose personnel, numbering entity, it is assessed to have informal links to the gov-
more than 10,000,21 have received training in ideological ernment. Its cyber-espionage operations have been
discipline and information warfare.22 They often oper- widely documented by US cyber-security companies
ate on social-media platforms, including Facebook and and appear to have been quite proficient, with tar-
YouTube, aiming to pre-empt any spreading of hostile gets including foreign companies, the Association of
information prior to major political events. Southeast Asian Nations (ASEAN) and Chinese govern-
There is not enough information in the public ment institutions (including those managing China’s
domain to allow a confident assessment of the effective- response to COVID-19). Overall, however, Vietnam’s
ness of the governance and command arrangements cyber-intelligence capability is likely to be weak, in part
for Vietnam’s cyber forces, beyond the observation that because of the country’s shortage of skilled workers in
strict obedience to the chain of command is enforced. the ICT domain.28

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 163


Cyber empowerment and dependence Vietnam has a reasonable degree of national own-
In 2019 the Politburo announced the target that ership of its telecommunications networks, owning
Vietnam’s digital economy should contribute 20% of about 75% of the equipment, and hopes to achieve 100%
GDP by 2025 and at least 30% by 2030,29 as compared domestic production of that equipment by 2022.43 Viettel,
with 15% in 2018.30 This will only be achievable with sig- a military-owned telecoms carrier, is part of a consortium
nificant policy reform and large-scale new investment. developing a high-performance undersea cable, capable
The government has been pushing forward initiatives of carrying more than 140 Tb/s of traffic, that will con-
such as the National Digital Transformation Programme, nect China (Hong Kong and Guangdong), Japan, the
launched in 2020,31 and has prioritised e-government pro- Philippines, Singapore, Thailand and Vietnam as part of
jects.32 It also claims that the ICT sector has been growing the Asia Direct Cable project, due to be completed by the
at an impressive average annual end of 2022.44 It has also successfully
rate of 30% for a number of years
Vietnam has tested 5G technology.45 Vietnam
(the precise period is not stated).33 Posts and Telecommunications
However, in almost all indicators a reasonable Group (VNPT) exports to more
of ICT readiness, Vietnam ranks degree of national than 30 countries.46
behind Malaysia and far behind
ownership of its In terms of space-based connec-
Singapore, though just ahead of tivity, VNPT operates two com-
Indonesia.34 In 2020 the country’s
telecommunications munications satellites, VINASAT-1
internet penetration rate reached networks and VINASAT-2.47 Vietnam also has
70%35 and its e-commerce market two Earth-observation satellites,
was the third biggest in Southeast Asia, just behind those operated by the Vietnam National Space Centre (VNSC)
in Indonesia and Thailand.36 Though significant progress and the Space Technology Institute of the Vietnam
has been made, there is still some way to go in terms of Academy of Science and Technology. The space indus-
digital transformation. For example, cashless payments try relies heavily on foreign assistance and investment
account for only a small proportion of total payments, – for example, Japanese experts were involved in build-
and cash-on-delivery payment methods are preferred ing one of the Earth-observation satellites, the VNSC’s
even for e-commerce transactions.37 MicroDragon, launched from Japan in 2019,48 and India
In the field of artificial intelligence (AI), Vietnam fared has been collaborating with Vietnam’s National Remote
quite well in a ranking of the top 50 countries based on Sensing Department in building a tracking and telemetry
their contributions to the two most prestigious AI con- station that potentially has military uses.49
ferences in 2020: it was placed 27th, ahead of Malaysia
and Thailand but behind Singapore.38 The same study Cyber security and resilience
compiled a ranking of the global top 100 companies in Vietnam has been constructing an elaborate set of mech-
AI research in 2020: it was dominated by US and Chinese anisms, policies and laws for national cyber security for
companies but Vietnam’s VinAI was also included, in over a decade. The efforts have paid off to some degree
32nd place.39 Founded by a former employee of Google but there is much progress still to be made. According
DeepMind, VinAI provides applied AI solutions and is to Microsoft reporting in 2020, the country had the high-
also the first Vietnamese research laboratory to cover est rate of ransomware attacks in the Asia-Pacific, it was
areas such as machine learning and deep learning.40 one of the three countries in the region most affected by
AI has already been applied in sectors such as health- malware attacks50 and it ranked sixth in the world for
care, education, transport, agriculture and e-commerce, unintentional downloads of malicious code.51
though overall it is still in the early stages of develop- In response to the growing cyber threats, the
ment.41 The government announced a ten-year strategy National Cyber Security Monitoring Centre52 (NCSC)
for AI R&D in January 2021, setting the goal of becoming was established under the AIS in 2018. Its primary
one of the world’s top 50 countries in the field by 2030.42 focus is to support and supervise the cyber security of

164 The International Institute for Strategic Studies


all public- and private-sector entities, to provide early the NSCER is capable of coordinating effectively across
warnings against cyber attacks, and to share information the public and private sectors. The MIC has stated that
with domestic and international agencies. In partnership there are not enough trained personnel to create the nec-
with a coalition of information-security companies, essary CERTs and that the emergency-response network
the NCSC has launched an information-sharing and is ‘unconnected’ and ‘unprofessional’.61 Investments in
security-monitoring system that connects the ministries research and training that were approved in 2014 have
of the central government with the country’s provincial yet to be implemented;62 a 2019 study suggested that
administrations.53 In 2020, for example, it cooperated almost half of government agencies lacked the funds
with the MIC and MPS in containing the VN84App necessary to implement cyber security;63 and in 2020,
spyware that was targeting smartphone users.54 reporting on its campaign to upgrade cyber security,
In terms of overall national resilience, it is difficult the government noted that 30% of ministries had not yet
to form a clear picture. The ‘Strategy for the Homeland reached the target level.64 Vietnam ranked 50th out of 175
Protection in Cyberspace’55 and its implementation plan countries in the 2018 Global Cybersecurity Index com-
would appear to be the main policy document setting piled by the International Telecommunication Union.65
out the response plans for serious cyber incidents, but
the texts are not available. Vietnam responds to such Global leadership in cyberspace affairs
incidents through the National Steering Committee for Vietnam focuses its cyber diplomacy on ASEAN,
Emergency Response (NSCER),56 which the MIC assists enthusiastically promoting cyber-security cooperation
by directing and coordinating emergency-response between members and with the group’s external
efforts domestically or internationally.57 The VNCERT partners. Under the ASEAN Plus Three framework,
is responsible for responding to lower-level cyber inci- for example, Hanoi hosted a December 2020 meeting
dents but participates in the NSCER with China, Japan and South Korea
along with cyber-related agencies Vietnam still faces on international collaboration in
in the MIC, MPS and the MND. The cyber security and countering cyber
VNCERT also works with other,
significant cyber- crime.66 Within ASEAN, Vietnam
smaller CERTs at the ministerial, security challenges works actively towards cooperation
provincial and local levels; with on cyber norms67 and the creation of
enterprises engaged in telecommunications, internet a formal cyber-security cooperation mechanism.68 The
services, data storage, banking and financial activities; VNCERT hosted the June 2020 ASEAN–Japan Cyber
and with organisations that manage critical information Exercise, which focused on methods for countering
infrastructure or industrial control systems.58 In 2019 fake websites.69
VNCERT conducted a nationwide cyber-security exer- Vietnam frequently collaborates with foreign
cise with almost 300 participants.59 governments and corporations to broaden its cyber-
The private sector has been playing an increasing security capabilities. In 2019, for example, the
role in promoting information security, including by NCSC signed a contract with Kaspersky to address
creating its own cyber-security industry – for example, information-security challenges,70 and in 2020 the MPS
Viettel has created a subsidiary providing managed collaborated with India,71 Brunei72 and Malaysia73 on
cyber-security services;60 VNPT conducts cyber-security countering cyber crime. The country is part of the global
research and invests in relevant start-ups; and eight com- Forum of Incident Response and Security Teams and
panies have come together to form the Vietnam Cyber the Asia-Pacific Computer Emergency Response Team
Security Assessment and Audit Club, aiming to improve (APCERT).74 It has privately expressed an interest in
the assessment and auditing of cyber-security services close collaboration with the United States and Australia
nationwide. in matters of cyber security, but there are diplomatic
Overall, however, Vietnam still faces significant obstacles because of human-rights concerns regarding
cyber-security challenges. It remains to be seen whether Vietnamese cyber-security law. Nevertheless, both the

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 165


US and Australia undertake activities with Vietnam and cyber weapons.75 Force 47 probably does not pos-
in less sensitive areas of cyberspace policy such as sess the technical abilities for significant offensive cyber
international legal training and the development of because its mission is primarily political, mainly involv-
smart cities. ing the management of public opinion by countering
hostile viewpoints and creating propaganda.76 The covert
Offensive cyber capability government-linked group APT32 is mainly engaged in
It is unlikely that Vietnam’s Cyber Command is well industrial and other types of espionage rather than offen-
positioned to engage in offensive cyber operations sive cyber, but it probably possesses some capabilities
against foreign adversaries, given its extensive domestic that could be repurposed for an offensive effect. Overall,
political roles and responsibilities and, according to its developing an offensive cyber capability does not appear,
chief of staff, its lack of appropriate facilities, equipment so far, to have been a high priority for the CPV.

Notes

1 Prime Minister’s Decision No. 63/QD-TTg, ‘Approving the 7 The data-localisation obligation for foreign companies applies

National Planning on Development of Digital Information to those that provide telecoms services, data storage and

Security through 2020’, 2010, https://vanbanphapluat.co/ sharing, e-commerce, social media and online electronic games.

decision-no-63-qd-ttg-approving-the-national-planning-on- 8 National Assembly, ‘Luật Quốc Phòng’, 22/2018/QH14, 8

development-of-digital-information-security-through-2020. June 2018, https://thuvienphapluat.vn/van-ban/bo-may-hanh-

2 Prime Minister, ‘Phê Duyệt Phương Hướng, Mục Tiêu, Nhiệm chinh/Luat-quoc-phong-340395.aspx.

Vụ Bảo Dảm An Toàn Thông Tin Mạng Giai Doạn 2016–2020’, 27 9 Politburo Resolution 29NQ/TW dated 25 July 2018. See Vu

May 2016, https://thuvienphapluat.vn/van-ban/Cong-nghe-thong- Van Hien, ‘Enhancing the homeland protection under the

tin/Quyet-dinh-898-QD-TTg-phuong-huong-muc-tieu-nhiem-vu- Party’s platform’, National Defence Journal, 10 November

bao-dam-an-toan-thong-tin-mang-2016-2020-313149.aspx. 2020, http://tapchiqptd.vn/en/theory-and-practice/enhancing-

3 Key players in promoting the Vietnamese information-security the-homeland-protection-under-the-partys-platform/16265.

industry include the Vietnam Software and IT Services html; and Ngo Xuan Lich, ‘The whole military resolves to

Association, the Vietnam Association for Information Processing, successfully fulfil the military-defence tasks in 2019’, National
the Vietnam Internet Association, the Vietnam Information Defence Journal, 4 January 2019, http://tapchiqptd.vn/en/theory-

Security Association and the Vietnam E-commerce Association. and-practice/the-whole-military-resolves-to-successfully-

4 National Assembly, ‘Luật an toàn thông tin mạng’, 86/2015/ fulfil-the-militarydefence-tasks-in-2019/13088.html.

QH13, 19 November 2015. For an official translation, see https:// 10 Ngoc Thuy Tran, ‘Những Vấn Dề về Bảo vệ Tổ Quốc Trên

vanbanphapluat.co/law-no-86-2015-qh13-on-cyberinformation- Không Gian Mạng’, Quan khu 7, 3 October 2019,  https://

security-2015. baoquankhu7.vn/nhung-van-de-ve-bao-ve-to-quoc-tren-

5 National Assembly, ‘Luật An Ninh Mạng’, 24/2018/QH14, khong-gian-mang--191939649-0015044s34010gs.

12 June 2018, https://luatvietnam.vn/an-ninh-quoc-gia/ 11 Ministry of National Defence, ‘2019 Viet Nam National

luat-an-ninh-mang-2018-164904-d1.html. For an unofficial Defence’, October 2019, p. 52, http://news.chinhphu.vn/

translation, see https://data.allens.com.au/pubs/pdf/priv/ Uploaded_VGP/phamvanthua/20191220/2019VietnamNationa

cupriv22jun18.pdf. lDefence.pdf.

6 Thomas J. Treutler and Giang Thi Huong Tran, ‘Update on 12 National Assembly, ‘Luật An Ninh Mạng’, 24/2018/QH14.

the Implementation of Vietnam’s New Cybersecurity Law 13 See ‘VNCTERT/CC Trung tâm Ứng cứu khẩn cấp không gian

and Status of Implementing Decrees’, Tilleke & Gibbins, 18 mạng Việt Nam’, http://vncert.gov.vn.

December 2019, https://www.lexology.com/library/detail. 14 Ministry of Information and Communications, ‘Cybersecurity

aspx?g=8833627c-e189-4d60-a472-6ee742cc38fd. Emergency Response Center established’, 14 October 2019, https://

166 The International Institute for Strategic Studies


english.mic.gov.vn/Pages/TinTuc/139865/Cybersecurity- 26 Le Linh, ‘Xây dựng trung tâm diều hành an ninh mạng dầu

Emergency-Response-Center-established.html. tiên cả nước’, Diễn Dàn, 17 May 2019, https://enternews.vn/

15 Ministry of Information and Communications, ‘Authority xay-dung-trung-tam-dieu-hanh-an-ninh-mang-dau-tien-ca-

of Information Security’, 19 July 2020, https://english.mic. nuoc-150441.html.

gov.vn/pages/thongtin/114301/Authority-of-Information- 27 For some background, see Nick Carr, ‘Cyber Espionage is

Security.html. Alive and Well: APT32 and the Threat to Global Corporations’,

16 Ministry of Information and Communications, ‘The National FireEye, 14 May 2017, https://www.fireeye.com/blog/threat-

Electronic Authentication Centre’, 19 July 2020, https://english. research/2017/05/cyber-espionage-apt32.html.

mic.gov.vn/pages/thongtin/114304/NEAC.html. 28 Tran Luu, ‘Vietnam determines to develop digital economy’,

17 ‘Chủ dộng, quyết liệt trong phòng, chống tội phạm trên không Saigon Online, 4 February 2020, https://sggpnews.org.vn/

gian mạng’, Thua Thien Hue Provincial Party Committee, 21 science_technology/vietnam-determines-to-develop-digital-

January 2020, https://tinhuytthue.vn/tin-tuc-trong-nuoc/kh-cn/ economy-85491.html.

chu-dongquyet-liet-trong-ph-ograve-ngchong-toi-pham-tr- 29 Bui Thanh Truan, ‘Difficulties and challenges in the development

ecirc-n-kh-ocirc-ng-gian-mang.htm. of digital economy in Vietnam’, Political Theory, 25 August 2020,

18 ‘Cục An ninh Văn hóa, thông tin, truyền thông báo công http://lyluanchinhtri.vn/home/en/index.php/practice/item/723-

dâng Bác’, Tiền Phong, 5 May 2018, https://www.tienphong. difficulties-and-challenges-in-the-development-of-digital-

vn/xa-hoi/cuc-an-ninh-van-hoa-thong-tin-truyen-thong-bao- economy-in-vietnam.html.

cong-dang-bac-1269610.tpo. 30 Chinese Academy of Information and Communications

19 Ministry of National Defence, ‘2019 Viet Nam National Defence’. Technology, ‘Quánqiú shùzì jīngjì xīn tújǐng (2019 nián)’,

20 Ibid., pp. 66–7. October 2019, p. 12, http://www.caict.ac.cn/kxyj/qwfb/

21 ‘Hơn 10.000 người trong ‘Lực lượng 47’ dấu tranh trên bps/201910/P020191011314794846790.pdf.

mạng’, Tuổi Trẻ, 25 December 2017, https://tuoitre.vn/ 31 See Prime Minister, ‘Introducing Program for National Digital

hon-10-000-nguoi-trong-luc-luong-47-dau-tranh-tren- Transformation by 2025 with Orientations Towards 2030’,

mang-20171225150602912.htm. It is unclear from this source if Decision 749/QD-TTg, 3 June 2020, https://vanbanphapluat.co/

the personnel engage only in political surveillance or if some decision-749-qd-ttg-2020-introducing-program-for-national-

also conduct other cyber operations. digital-transformation. By 2030 this programme aims to

22 Maj. Gen., Associate Prof. Nguyen Hung Oanh, ‘The achieve the following: a digital economy that contributes 30%

Political Officer College grasps and executes the Politburo’s of GDP; digital transformation in the government sector so

Resolution 35’, National Defence Journal, 16 October 2019, that Vietnam becomes one of the top four ASEAN countries
http://tapchiqptd.vn/en/research-and-discussion/the- in the UN e-government ranking; nationwide 5G mobile-

political-officer-college-grasps-and-executes-the-politburos- network coverage; and access to broadband internet for the

resolution-35/14514.html. entire population.


23 Carlyle A. Thayer, ‘The Apparatus of Authoritarian Rule in 32 Samaya Dharmaraj, ‘Vietnam Committed to Supporting its

Vietnam’, Critical Studies of the Asia Pacific Series, vol. 31, no. 2, Digital Economy with E-government’, OpenGov Asia, 28

2014, pp. 279–83, https://link.springer.com/chapter/10.1057/978 November 2019, https://www.opengovasia.com/vietnam-

1137347534_7#aboutcontent. committed-to-supporting-its-digital-economy-with-e-government.

24 Hai Thanh Luong et al., ‘Understanding Cybercrimes in 33 Ministry of Information and Communications, ‘VN’s IT

Vietnam: From Leading-Point Provisions to Legislative System industry maintains growth momentum’, 25 December 2019,

and Law Enforcement’, International Journal of Cyber Criminology, https://english.mic.gov.vn/Pages/TinTuc/140438/VN-s-IT-

vol. 13, no. 2, 2019, https://www.cybercrimejournal.com/ industry-maintains-growth-momentum.html.

LuongetalVol13Issue2IJCC2019.pdf. 34 George Ingram, ‘Development in Southeast Asia: Opportunities

25 ‘VN to join Microsoft’s network security protection programme’, for donor collaboration’, Brookings Center for Sustainable

Viêt Nam News, 20 December 2019, https://vietnamnews. Development, December 2020, pp. 31–2, https://www.

vn/society/570139/vn-to-join-microsofts-network-security- brookings.edu/wp-content/uploads/2020/12/Development-

protection-programme.html. Southeast-Asia-Ch2-Digital.pdf.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 167


35 Simon Kemp, ‘Digital 2020: Vietnam’, DataReportal, 18 February January 2019, https://spacewatch.global/2019/01/vietnams-

2020, https://datareportal.com/reports/digital-2020-vietnam. microdragon-earth-observation-satellite-successfully-

36 ‘How can Vietnam’s e-commerce players foster greater market launched-from-japan.

growth?’, Tech Wire Asia, 3 February 2020, https://techwireasia. 49 Nandini Sarma, ‘Southeast Asian Space Programmes:

com/2020/02/how-can-vietnams-e-commerce-players-foster- Capabilities, challenges and collaborations’, Observer

greater-market-growth. Research Foundation, 7 March 2019, https://www.orfonline.

37 ‘Cashless payment remains low in Vietnam: CIEM’, org/research/southeast-asian-space-programmes-capabilities-

VietnamPlus, 24 June 2019, https://en.vietnamplus.vn/cashless- challenges-collaborations-48799/#_ednref12.

payment-remains-low-in-vietnam-ciem/154911.vnp. 50 M. Anh, ‘Việt Nam là quốc gia có tỷ lệ nhiễm mã dộc tống

38 Gleb Chuvpilo, ‘AI Research Rankings 2020: Can the United tiền cao nhất khu vực’, Doanh nhân, 24 June 2020, https://

States Stay Ahead of China?’, 21 December 2020, https:// doanhnhansaigon.vn/it/viet-nam-la-quoc-gia-co-ty-le-nhiem-

chuvpilo.medium.com/ai-research-rankings-2020-can-the- ma-doc-tong-tien-cao-nhat-khu-vuc-1099286.html.

united-states-stay-ahead-of-china-61cf14b1216. 51 Microsoft, ‘Microsoft Security Endpoint Threat Summary

39 Ibid. 2019’, June 2020, https://3er1viui9wo30pkxh1v2nh4w-

40 ‘Who We Are – The First AI Research Lab in Vietnam with a wpengine.netdna-ssl.com/wp-content/uploads/prod/

Focus on Fundamental Research’, VinAI Research, https:// sites/570/2020/02/Microsoft-Security-Endpoint-Threat-

www.vinai.io/about-us. Summary-2019-Updated.pdf.

41 ‘Vietnam Prioritises Artificial Intelligence Development’, 52 See ‘Giới thiệu về NCSC’, National Cyber Security Monitoring

Star, 9 September 2019, https://www.thestar.com.my/ Centre, https://khonggianmang.vn/intro.

business/smebiz/2019/09/09/vietnam-prioritises-artificial- 53 Phan Nghia, ‘Vietnam introduces new information security system

intelligence-development. to facilitate e-governance’, VnExpress, 29 November 2019, https://e.

42 ‘Vietnam strives to enter world’s Top 50 in terms of AI by vnexpress.net/news/news/vietnam-introduces-new-information-

2030’, VietnamPlus, 28 January 2021, https://en.vietnamplus. security-system-to-facilitate-e-governance-4019639.html.

vn/vietnam-strives-to-enter-worlds-top-50-in-terms-of- 54 Bao Lam and Chau An, ‘Data stealing spyware rears head

ai-by-2030/195485.vnp. in Vietnam’, VnExpress, 23 June 2020, https://e.vnexpress.

43 ‘Việt Nam nhờ Mỹ kiểm dịnh thiết bị 5G do Việt Nam sản xuất net/news/news/data-stealing-spyware-rears-head-in-

dể có dủ khả năng vào thị trường Mỹ’, ICT News, 21 January vietnam-4119828.html.

2020, https://ictnews.vietnamnet.vn/cuoc-song-so/viet-nam- 55 Vu, ‘Enhancing the homeland protection under the Party’s

nho-my-kiem-dinh-thiet-bi-5g-do-viet-nam-san-xuat-de-co- platform’; Ngo, ‘The whole military resolves to successfully


du-kha-nang-vao-thi-truong-my-40145.html. fulfil the military-defence tasks in 2019’.

44 Ministry of Information and Communications, ‘Viettel among 56 Prime Minister, ‘Quyết Dịnh: Ban Hành Quy Dịnh Về Hệ

investors of new high-speed under-sea cable ADC’, 22 June 2020, Thống Phương Án Ứng Cứu Khẩn Cấp Bảo Dảm An Toàn

https://english.mic.gov.vn/Pages/TinTuc/142715/Viettel-among- Thông Tin Mạng Quốc Gia’, 05/2017/QD-TTg, 16 March 2017,

investors-of-new-high-speed-under-sea-cable-ADC.html. https://vanbanphapluat.co/quyet-dinh-05-2017-qd-ttg-he-
45 Leo Kelion, ‘Giới chuyên gia ngạc nhiên trước tuyên bố của thong-phuong-an-ung-cuu-khan-cap-bao-dam-an-toan-thong-
Viettel về mạng 5G’, BBC News Vietnamese, 21 January 2020, tin-mang-quoc-gia.
https://www.bbc.com/vietnamese/vietnam-51190570. 57 ‘PM sets up national cybersecurity committee’, Vietnam Law

46 ‘Vietnamese telecom giants on race of exporting telecom & Legal Forum, 2 April 2017, https://vietnamlawmagazine.vn/

equipments’, Xinhua, 24 February 2017, http://www.xinhuanet. pm-sets-up-national-cybersecurity-committee-5785.html.

com//english/2017-02/24/c_136082932.htm. 58 Prime Minister, ‘Quyết Dịnh: Ban Hành Quy Dịnh Về Hệ

47 Union of Concerned Scientists, ‘UCS Satellite Database’, Thống Phương Án Ứng Cứu Khẩn Cấp Bảo Dảm An Toàn

updated 1 January 2021, https://www.ucsusa.org/resources/ Thông Tin Mạng Quốc Gia’.

satellite-database. 59 ‘Vietnam records more than 6,200 cyber attacks in seven months’,

48 ‘Vietnam’s MicroDragon Earth Observation Satellite AsiaOne, 1 August 2019, https://www.asiaone.com/digital/

Successfully Launched From Japan’, SpaceWatch Asia Pacific, vietnam-records-more-6200-cyber-attacks-seven-months.

168 The International Institute for Strategic Studies


60 ‘The first information security ecosystem built by Vietnamese’, 69 ‘Vietnamese tech experts join transnational cyber-attack

Acrofan, 20 February 2020, https://us.acrofan.com/detail. exercise’, Viêt Nam News, 26 June 2020, https://vietnamnews.

php?number=239640. vn/society/748743/vietnamese-tech-experts-join-transnational-

61 Samaya Dharmaraj, ‘Vietnam strengthens human resources cyber-attack-exercise.html.

for information security tasks’, OpenGov Asia, 9 July 2019, 70 ‘National Cyber Security Center signs deal with Kaspersky

https://www.opengovasia.com/vietnam-strengthens-human- for online security’, VietNamNet, 24 January 2019, https://

resources-for-information-security-tasks. english.vietnamnet.vn/fms/science-it/216749/national-

62 Ibid. cyber-security-center-signs-deal-with-kaspersky-for-online-

63 Chau An, ‘Vietnam carries potential to be a cybersecurity security.html.

powerhouse: minister’, VnExpress, 17 April 2019, 71 ‘Vietnam–India strategic partnership in the fields of defence

https://e.vnexpress.net/news/business/economy/vietnam- and security’, National Defence Journal, 29 August 2017,

carries-potential-to-be-a-cybersecurity-powerhouse- http://tapchiqptd.vn/en/events-and-comments/vietnam-

minister-3910754.html. india-strategic-partnership-in-the-fields-of-defence-and-

64 ‘Cyber attacks targeting Vietnam’s information systems down security/10541.html.

7.8 pct’, VietnamPlus, 4 November 2020, https://en.vietnamplus. 72 ‘Việt Nam, Brunei, boost co-operation in combating crimes’,

vn/cyber-attacks-targeting-vietnams-information-systems- Viêt Nam News, 14 February 2020, https://vietnamnews.vn/

down-78-pct/189811.vnp. politics-laws/592275/viet-nam-brunei-boost-co-operation-in-

65 International Telecommunication Union, ‘Global Cybersecurity combating-crimes.html.

Index 2018’, p. 63, https://www.itu.int/dms_pub/itu-d/opb/str/ 73 Ministry of Public Security, ‘Vietnam, Malaysia promote

D-STR-GCI.01-2018-PDF-E.pdf. cooperation in security’, 14 February 2020, http://en.bocongan.

66 Ministry of Public Security, ‘Asean +3 conference on cyber gov.vn/international-relations-cooperation/vietnam-malaysia-

security opens in Hanoi’, 29 December 2020, http://en.bocongan. promote-cooperation-in-security-t6508.html.

gov.vn/international-relations-cooperation/asean-3-conference- 74 Adam Bannister, ‘APCERT holds cyber drill to stress-test

on-cyber-security-opens-in-hanoi-t7615.html. response capabilities of 32 CSIRTs’, The Daily Swig, 6 April

67 Li Ying Lee, ‘New ASEAN committee to implement norms 2020, https://portswigger.net/daily-swig/apcert-holds-cyber-

for countries’ behaviour in cyberspace’, Channel News Asia, drill-to-stress-test-response-capabilities-of-32-csirts.

2 October 2019, https://www.channelnewsasia.com/news/ 75 ‘Xây dựng lực lượng Tác chiến không gian mạng, dáp ứng yêu

singapore/asean-cyberspace-working-level-committee- cầu nhiệm vụ bảo vệ Tổ quốc’, Tạp chí Quốc phòng, 17 October

cybersecurity-11963602. 2019, http://tapchiqptd.vn/vi/bao-ve-to-quoc/xay-dung-luc-


68 ‘ASEAN Member States Agree to Move Forward on a Formal luong-tac-chien-khong-gian-mang-dap-ung-yeu-cau-nhiem-

Cybersecurity Coordination Mechanism’, CSA Singapore, 2 vu-bao-ve-to-quoc/14505.html.

October 2019, https://www.csa.gov.sg/news/press-releases/ 76 ‘Hơn 10.000 người trong ‘Lực lượng 47’ Dấu tranh trên mạng’,

amcc-release-2019. Tuổi Trẻ.

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 169


170 The International Institute for Strategic Studies
Net Assessment

Based on the country studies in the report, we can political culture of each country is immediately visible
draw conclusions about the ways in which states have as the primary determinant of governance arrange-
responded to the opportunities and threats presented ments. Liberal democracies in advanced economies
by cyber capabilities. In addition to considering sepa- such as France, Japan, the United Kingdom and the
rately each of the categories in our methodology, we US tend to have more well-established arrangements
can also draw conclusions about the relative standing for cyber governance compared with democracies in
of the 15 countries and the implications for the broader the wealthier developing countries (India, Indonesia
global balance of power. and Malaysia). In the latter group, governance arrange-
ments have developed more slowly and unevenly, as
Foundations of cyber power have security strategies for cyberspace. In more authori-
On published strategy and doctrine, the country studies tarian countries such as China, Iran, North Korea and
reveal considerable variation in practice, especially on Russia, the governance arrangements are more nar-
the balance between policies for cyber security on the rowly focused and less transparent. Of those four coun-
one hand and policies for intelligence-related, politi- tries, only China might be said to have an established
cal and military uses of cyber assets on the other. All framework for a multi-stakeholder approach to cyber
countries maintain high levels of secrecy around the lat- governance, although its political system favours the
ter three areas. All the countries studied in this report Chinese Communist Party as the dominant stakeholder.
now have some published strategy, doctrine or policy A core cyber-intelligence capability is the primary foun-
in at least one of the diverse aspects of cyber power. dation of cyber power. Any country’s ability to take
The United States led the way by publishing cyber poli- defensive or offensive action in cyberspace is funda-
cies from the mid-1990s onwards. It now has the most mentally dependent on its understanding of the cyber
mature and comprehensive policy settings. While some environment – its cyber situational awareness. This can
other states also produced discrete elements of strate- be constructed by combining all available sources of
gic and doctrinal cyber thinking in the 1990s, it was not information from across the private and public sectors.
until the late 2000s that the first wave of policies compa- The most effective intelligence agencies must also have
rable in breadth and depth to those of the US were pro- the capability to detect and attribute sophisticated state-
duced. This was followed by a second wave from 2015 based cyber attacks and to conduct sophisticated cyber
onwards. Each study reveals a unique blend of civilian operations of their own. While many states around the
and military elements, reflecting the particular strategic world have cyber capabilities focused on their own
circumstances and policy preoccupations of that coun- internal security, and some have developed a regional
try. Given the rapidly evolving nature of cyber threats intelligence footprint, only a few have sufficient reach to
and opportunities, none of the countries studied is com- achieve the level of global cyber understanding essen-
fortable with its level of maturity on strategy. tial for the most sophisticated operations. Those states
National differences also play out in the arrange- are the Five Eyes intelligence allies (Australia, Canada,
ments for governance, command and control. Here, the New Zealand, the UK and the US), which operate

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 171


collectively; their two most cyber-capable partners, industrial sector, but only a small number of states, all
Israel and France, whose indigenous capabilities are sig- of them liberal democracies, are succeeding. Among the
nificantly amplified by those of their allies; and China authoritarian states, though China is the most advanced
and Russia. In the case of every cyber-capable state, the in terms of cyber-resilience policy, it faces substantial
intelligence agencies have tended to dominate the for- challenges in that area. Overall, no country is satisfied
mulation of national strategy and policy, having a par- with its level of cyber security and resilience.
ticularly strong influence over the military’s approach to On global leadership in cyberspace affairs, most countries
offensive cyber. Overall, for all the countries studied in are diplomatically active but fall into two broad blocs –
this report, the centrality of highly sensitive intelligence those led by the US, and those led by China and Russia.
capabilities to cyber operations imposes severe restric- The former bloc tends to argue for the application of
tions on the amount of publicly available information existing international law to cyberspace and for the con-
regarding many aspects of cyber policy. tinuation of current ‘internet freedoms’; the latter argues
In all the country studies, the analysis of cyber for new international treaties that would give states
empowerment and dependence reveals tensions between greater control over their sovereign cyberspace (‘cyber
the globalised character of the ICT sector and national sovereignty’). The view of the US-led bloc has prevailed
ambitions for domestic industrial development. Israel so far, but China is making significant efforts to influ-
and Malaysia provide interesting examples of small ence the relevant diplomatic processes (one example is
countries taking ambitious steps to bridge this divide. a Chinese official having secured the post of secretary-
In the case of the high-tech industries that underpin general of the International Telecommunication Union).
cyberspace, US geopolitical influence is heightened by China has also realised the extent to which US predomi-
the fact that it is home to so many of the dominant com- nance in global cyberspace affairs is underpinned by US
panies and that most of the other leading companies are technological supremacy. It is therefore contesting that
from countries that are US allies. The only state contest- supremacy, for example through the Digital Silk Road
ing this situation is China, whose share of the global component of its Belt and Road Initiative and, in the
ICT market is growing significantly. All states are grap- field of mobile telecommunications, through companies
pling with the risks arising from the presence of foreign such as Huawei. The states that are particularly vocal
equipment in their national networks, with indications diplomatically, whichever bloc they align with, are
that a protectionist, risk-averse approach may be unre- those that have relatively poor cyber security but face
alistic and potentially self-defeating. The challenges are cyber threats that are growing exponentially – India is
exacerbated by increasing competition between states a prime example. The concept of cyber sovereignty can
in emerging breakthrough technologies such as quan- appear attractive to them, which means the US cannot
tum computing and artificial intelligence (AI). take for granted its pre-eminence in international cyber
On cyber security and resilience, the most cyber-capable diplomacy.
states are developing whole-of-society responses that When it comes to offensive cyber capability, there are
involve close partnership between the private and public a wide variety of doctrinal approaches and differ-
sectors and academia, and between the military and ing degrees of constraint. The US and its closest allies
civil sectors, along with efforts aimed at raising public have the most technically sophisticated tools, capable
awareness and expanding the skilled workforce. There of delivering controlled, surgical effect against criti-
is considerable variation in the range and effectiveness of cal networks, including as part of high-intensity war-
measures from country to country, with some attempting fare – but their use of those tools is highly constrained.
top-down approaches directed by the government Russia and China, on the other hand, have greater
while others pursue more federated approaches with experience of achieving strategic effect through more
diverse nodes of initiative and authority. All states seem extensive use of less technically sophisticated capabili-
to recognise the importance of nurturing their cyber- ties, delivering cyber-enabled operations for influence,
security companies so that they come to form an effective and subversion operations, in the ‘grey zone’ below

172 The International Institute for Strategic Studies


the threshold of armed attack. A similar approach has the shock to the US and its allies, after 2011, of the new
enabled Iran to punch above its cyber weight. The US revelations regarding the extent and effects of com-
doctrinal shift in 2018 under its ‘defend forward’ initia- mercial espionage by China; the impact on Russia and
tive is in part designed to redress the balance on such China of the revelation of Five Eyes capabilities in the
lower-threshold operations by countering them directly Edward Snowden leaks in 2013; and the attempted
on its adversaries’ networks. Overall, states have yet to interference by Russia in electoral processes in the US
establish a common understanding of what constitutes and some European countries in 2016. The cycle of
an irresponsible use of an offensive cyber capability. For shock and response, including the diplomatic ructions
this to be achieved, states will need to talk more openly that go with it, appears to speed up with each passing
about those capabilities. year. For most countries, we can trace the origins of
It is difficult to judge the impact of moves by states to major cyber-policy changes to such shocks. However,
increase the resourcing of their cyber strategies, partly given that no state has yet suffered a cyber catastrophe
because measuring human and financial resources is in resulting in significant destruction and loss of life, the
most cases not straightforward. Nevertheless, it is clear average rate of progress in reforming cyber policy is
that the investments made by the US, China and Russia, no faster than for major reforms in any other area – it
in terms of both personnel and money, outstrip those is a process that can take up to a decade to produce
of the other cyber-capable states. Some of those other meaningful change, and one that can never be said to
states compensate through close alliances, especially be complete. A significant impediment for each state
with the US. The most mature, sophisticated and effec- is the size of its skilled cyber workforce, with per-
tive alliance is the Five Eyes. The authoritarian states haps only Israel having adopted a sufficiently radical
have nothing remotely equivalent. approach to upskilling its citizens (notably through
No state has progressed far enough on  military its use of military conscription). A lesson from the
transformation to allow its armed forces to claim well- COVID-19 pandemic that can perhaps be applied to
integrated and broadly dispersed cyber capabilities cyber resilience is that states cannot afford to wait for a
covering the continuum of defence and offence. But catastrophe to trigger the required rate of investment.
based on publicly available information, the US moved
earliest and has gone furthest on key fronts such as Relative standing
doctrinal, training and force-structure reform. No other Given the secrecy that surrounds much of the relevant
state, except perhaps Israel, has succeeded in dispersing information, a ranking of the 15 countries in terms of
cyber capabilities through its broader force structure to cyber capability, based on the categories in the meth-
anything like the same extent. While close integration odology, cannot be definitive. Nevertheless, it is possi-
between the cyber capabilities of the armed forces and ble to identify a hierarchy and to place each country in
key intelligence agencies seems to be central to military one of the three broad tiers described in the introduc-
transformation, there are indications that it can lead to tion to this report, with the first tier for countries with
issues with command and control. This is illustrated by world-leading strengths across all the categories; the
the ongoing argument in the US as to whether the head second tier for those with world-leading strengths in
of US Cyber Command should remain dual-hatted as some of the categories; and the third tier for those with
head of the National Security Agency. strengths or potential strengths in some of the catego-
After the US made the first moves to develop and ries but significant weaknesses in others. There are also
acknowledge the role of cyber capabilities in national cyber weaknesses among the states in Tier Two, and
power in the 1990s, the significant leaps forward in this even in Tier One, but they are minor when compared
area have normally been in response to strategic shock. with the significant weaknesses that consign states to
Examples include Iran’s reaction to the revelation in Tier Three.
2010 of the US–Israeli Stuxnet attack aimed at imped- Only the US is strong enough across all the catego-
ing its capacity to produce highly enriched uranium; ries to be placed in the top tier. In the second tier we can

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 173


put Australia, Canada, China, France, Israel, Russia and Balance-of-power considerations
the UK. In the third tier we can put the remaining seven There is a broad consensus in international relations,
countries: India, Indonesia, Iran, Japan, Malaysia, North among both states and political elites, that gains in cyber
Korea and Vietnam. Any attempt at a more granular rank- power, and the application of that power in grey-zone
ing within the second and third tiers would depend on operations, have the potential to upset the broader balance
the weighting given to each category. For example, in the of power between the US and its allies on the one hand, and
second tier, if a combination of world-class cyber secu- China and Russia on the other. Beyond that broad consen-
rity, world-class cyber intelligence, sophisticated offen- sus, there is not much agreement on how this technological
sive cyber capability and powerful cyber alliances were competition can be assessed or measured in power terms,
deemed key, Israel and the UK would probably be top. a situation compounded by the frequent emergence of
Alternatively, if the decisive factors were the amount of new technologies (such as nano chips, carbon-based chips,
resources – both human and financial – devoted to cyber, cloud architectures, quantum computing, AI, autonomous
unrestrained operational boldness and day-to-day expe- weapons systems and military robots).
rience of running cyber-enabled information operations, Leading states agree that cyber capability underpins
China and Russia would probably be the leading second- military power and can radically affect decision-making
tier states. In the third tier, if core strength in cyber secu- and the control of most military systems and force for-
rity were the most important criterion, Malaysia would mations. This report confirms that the traditional notion
be top; but if operational boldness and experience were of balance of power based on geopolitical arrangements
key, Iran would lead. is being superseded by the idea of an informational bal-
However, it could be argued that strength in the core ance of power. The US and China both pursue doctrines
industries that underpin the future development of of information dominance, which includes attempting
cyberspace is the decisive category, given how impor- to dominate the global production of information tech-
tant those industries are to a country’s cyber resil- nology. The US believes it still has the edge, and indeed
ience. If so, with its current trajectory, and providing it China concedes that is the case. Moreover, the old geo-
addresses its weaknesses in cyber security, China would political realities remain in play, especially given the
be best placed to join the US in the first tier. And Japan, United States’ international alliances (through NATO,
in the long term, would be best placed to rise from the and with Australia, Israel, the Gulf Arab states, Japan
third tier to the second. and South Korea). These alliances retain their geo-
The report makes a clear judgement about the relative graphical importance but now carry a new overlay of
national cyber power of the US and China at present, cyber partnership.
seeing the former as clearly superior. China may well This report takes the view that US digital-industrial
join the US in the top tier in the future – but for that to superiority, including through alliance relations, is
happen, it would need to do at least two things. Firstly, likely to endure for at least the next ten years. There
it would need to create a cyber-industrial complex on are two strands to this judgement. The first is that in
the same scale as that of the US and with many of the advanced cyber technologies and their exploitation for
same characteristics. This would require a much more economic and military power, the US is still ahead of
productive relationship between university research, China. The second is that since 2018, the US and several
industry and government. Secondly, China would need of its leading allies have agreed to restrict, with differ-
to radically improve educational outcomes in cyber-rel- ing degrees of severity, China’s access to some Western
evant fields, including basic cyber security. Once these technologies. By doing so, they have endorsed a partial
domestic foundations of cyber-power equivalence were decoupling of the West and China that could potentially
in place, China would then face a diplomatic challenge. impede the latter’s ability to develop its own advanced
To be able to wield its cyber power for global effect, it technology. How robustly the US continues this strat-
would have to begin to demonstrate an ability to work egy, and how China responds, will dictate the future
in alliance with other cyber-capable states. balance of cyber power.

174 The International Institute for Strategic Studies


CYBER CAPABILITIES AND
NATIONAL POWER:
A Net Assessment
This report sets out a new methodology for assessing cyber power, and then applies
it to 15 states:

CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment


Four members of the Five Eyes intelligence alliance – the United States, the
„
United Kingdom, Canada and Australia

Three cyber-capable allies of the Five Eyes states – France, Israel and Japan
„

Four countries viewed by the Five Eyes and their allies as cyber threats – China,
„
Russia, Iran and North Korea

Four states at earlier stages in their cyber-power development – India,


„
Indonesia, Malaysia and Vietnam

The methodology is broad and principally qualitative, assessing each state’s


capabilities in seven different categories. The cyber ecosystem of each state
is analysed, including how it intersects with international security, economic
competition and military affairs.
On that basis the 15 states are divided into three tiers: Tier One is for states with
world-leading strengths across all the categories in the methodology, Tier Two is for
those with world-leading strengths in some of the categories, and Tier Three is for
those with strengths or potential strengths in some of the categories but significant
weaknesses in others.
The conclusion is that only one state currently merits inclusion in Tier One.
Seven are placed in Tier Two, and seven in Tier Three.
This report is the first product of a cyber-power project undertaken by the
International Institute for Strategic Studies. Assessments of the cyber capabilities of
CYBER CAPABILITIES
AND NATIONAL POWER:
many other states will be published in the coming years.

The International Institute for Strategic Studies (IISS)


A Net Assessment
The IISS, founded in 1958, is an independent centre for research, information and
debate on the problems of conflict, however caused, that have, or potentially have,
an important military content.

The International Institute for Strategic Studies – UK


Arundel House | 6 Temple Place | London | wc2r 2pg | UK
t. +44 (0) 20 7379 7676 f. +44 (0) 20 7836 3108 e. iiss@iiss.org www.iiss.org

The International Institute for Strategic Studies – Americas


2121 K Street, NW | Suite 600 | Washington, DC 20037 | USA
t. +1 202 659 1490 f. +1 202 659 1499 e. iiss-americas@iiss.org

The International Institute for Strategic Studies – Asia


9 Raffles Place | #49-01 Republic Plaza | Singapore 048619
t. +65 6499 0055 f. +65 6499 0059 e. iiss-asia@iiss.org

The International Institute for Strategic Studies – Europe


Pariser Platz 6A | 10117 Berlin | Germany
t. +49 30 311 99 300 e. iiss-europe@iiss.org

The International Institute for Strategic Studies – Middle East


14th floor, GBCORP Tower | Bahrain Financial Harbour | Manama | Kingdom of Bahrain
t. +973 1718 1155 f. +973 1710 0155 e. iiss-middleeast@iiss.org
THE INTERNATIONAL INSTITUTE FOR STRATEGIC STUDIES

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy