Washington: The US stands alone as the only tier-one cyber power in the world, but China will rise as a highly capable peer competitor over the next decade, a new International Institute for Strategic Studies (IISS) report concludes.

“Dominance in cyberspace has been a strategic goal of the United States since the mid-1990s,” the report notes. “It is the only country with a heavy global footprint in both civil and military uses of cyberspace, although it now perceives itself as seriously threatened by China and Russia in that domain. …The US retains a clear superiority over all other countries in terms of its [information and communications technology] empowerment, but this is not a monopoly position.”

“The US capability for offensive cyber operations is probably more developed than that of any other country, although its full potential remains largely undemonstrated,” the report adds. The report notes that China has evolved its cyber capabilities from “a position of relative electronics backwardness” three decades ago to “conduct[ing] large-scale cyber operations abroad, aiming to acquire intellectual property, achieve political influence, carry out state-on-state espionage and position capabilities for disruptive effect in case of future conflict.”

China has since “established the world’s most extensive cyber-enabled domestic surveillance and censorship system.” But its ambitions are broader. The country’s 2015 military strategy and 2016 cyber strategy announced its intentions to compete with the US and others in cyberspace. Its efforts to date are bolstered by a growing economy and burgeoning domestic tech market.

However, China’s “core cyber defences remain weak compared with those of the United States, and cyber-resilience policies for its critical national infrastructure are only in the early stages of development.” Yet, the report adds, “China is a second-tier cyber power but, given its growing industrial base in digital technology, it is the state best placed to join the US in the first tier.”

As for Russia, it seeks “to redress key weaknesses in its cyber security through government regulation and the creation of a sovereign internet, and by encouraging the development of an indigenous digital industry. Given its economic circumstances, these ambitions may prove unrealistic.” (Russia’s economy was slightly larger in 2020 than Australia’s and smaller than South Korea’s).

The report notes Russia’s past cyber campaigns reflect “increasing levels of technical sophistication,” but “Russia appears not to have given priority to developing the top-end surgical cyber capabilities needed for high-intensity warfare.”

“To join the US in the first tier,” the report concludes, “[Russia] would need to substantially improve its cyber security, increase its share of the global digital market and probably make further progress in developing the most sophisticated offensive military cyber tools.”

The IISS study, which began in February 2019, analyses 15 countries and places them into three tiers, based on a review of cyber capabilities and national power, to include international competition, economic strength, and military affairs.

“India has made only modest progress in developing its policy and doctrine for cyberspace security,” the report notes. “Its approach towards institutional reform of cyber governance has been slow and incremental…” India’s best opportunity to advance to the second tier is to “harness its great digital-industrial potential and adopting a whole-of-society approach to improving its cyber security.”

Since Stuxnet, Iran has viewed itself as being in a cyberwar with the US and its regional foes, but “economic depression, political turmoil and internal deficiencies” hinder its advancement. “It lacks the resources, talent and technical infrastructure needed to develop and deploy sophisticated offensive cyber capabilities, even though it has used lower-level offensive cyber techniques widely, with some success.”

Of all the countries examined, North Korea is the most difficult to accurately analyse. “Little is known of its cyber-policy ecosystem,” the report notes, but the country is characterized as probably not having a formalized cyber strategy. As such, its operations are largely opportunistic. “Despite its penchant for conducting offensive cyber operations, the techniques used are relatively basic, as it lacks the capability for sustained or sophisticated operations.”

Other countries covered in the study include Indonesia, Japan, Malaysia, and Vietnam — all of which are categorized as third tier.