Summary of the International Institute for Strategic Studies’ Nation-State Cyber Power Assessment

Executive Summary

This report is a summary of a recent study, conducted by the International Institute for Strategic Studies, assessing the cyber power of 15 different nation-states. Each state was assessed in seven categories: Strategy and doctrine; Governance, command and control; Core cyber-intelligence capability; Cyber empowerment and dependence; Cyber security and resilience; Global leadership in cyberspace affairs; Offensive cyber capability. Countries were then assigned to one of three tiers, with Tier 1 representing the most powerful and Tier 3 representing the least powerful.

Significant Conclusions of the Study

The first tier is reserved for states with leading strengths across all seven categories. According to this measure, the United States is the only nation to have earned a place in the first tier. As the United States does perceive threats from Russia and China, it has taken a robust approach to extending and strengthening its capabilities. This includes a recent Executive Order from President Biden which moves to improve information sharing between the Government and the Private Sector as well as establishing an official review board to analyze significant cyber incidents and make recommendations to improve security. The United States enjoys superiority in terms of information and communications empowerment, and 5 of the 6 countries that could be considered peers of the United States in this area are close allies or strategic partners. The US has also moved faster and more effectively than any other nation to defend critical infrastructure in cyberspace. Lastly the study estimates that, while the US is not the most prolific cyber attacker in the world, US offensive cyber capabilities are likely much more powerful and sophisticated than any other nations even though its full potential is largely undemonstrated.

The second tier is for states that have world-leading strengths in some of the categories. The states placed at that level are, in alphabetical order; Australia, Canada, China, France, Israel, Russia and the United Kingdom. To determine relative ranking amongst the second-tier states, one must first decide which categories are most important. If one considers the combination of world-class cyber security, world-class cyber intelligence, sophisticated offensive cyber capability, and powerful cyber alliances key determining factors, Israel and the UK would probably be at the top of the second tier. Alternatively, if the decisive factors are assessed as quantity of resources (specifically human and financial) devoted to cyber operations, unrestrained operational boldness, and day-to-day experience of running cyber-enabled information operations, China and Russia would lead the second-tier states. If one considers the potential to move up into the first tier the key factor, China leads the second tier because of its large and growing indigenous digital-industrial capacity.

The third tier is for states that have strengths or potential strengths in some of the categories but significant weaknesses in others. The report concludes that India, Indonesia, Iran, Japan, Malaysia, North Korea, and Vietnam are at that level. As with the second tier, one must first determine the most important category to determine relative ranking between third-tier states. Malaysia would be at the top if core strength in cyber security were the most important criterion. If operational boldness and experience were key, Iran would lead. If one believes the potential to move up the tiers is most important, Japan would be number one due to its world-leading internet-related high-tech industry.

Strategic Considerations

• Businesses that operate out of the United States are in position to have the most well-protected cyber footprints in the world.
• Embrace constraints and requirements from Government Cyber Security authorities because it will have a positive impact on company reputation and a company’s ability to maintain market position.
• When assessing potential business partners, do not simply consider breach protection measures, also examine capability to react to incidents and proactive preparation for new and emerging threats.  
• Strengthening one’s security and reaction posture in cyber-space also strengthens the market as whole, the United States, and its strategic allies.

Our Recommendations

Maintain awareness of relevant regulations regarding security, response, and reporting transparency. Embrace constraints and consider how they will improve your business. Do not view government regulation as a hinderance to be avoided at all costs.  

Sources

• https://www.theregister.com/2021/06/29/international_institute_for_strategic_studies_cyber_study/?&web_view=true
• https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power
• https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

Supporting Documentation

• CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment, International Institute for Strategic Studies

MITRE Mapping(s)

• https://attack.mitre.org/groups/G0022/
• https://attack.mitre.org/groups/G0007/
• https://attack.mitre.org/groups/G0016/
• https://attack.mitre.org/groups/G0034/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.