Who are the most powerful nations in cyberspace?
Which countries are most capable of carrying out their national objectives through cyber means?
And how can we rank the top 10 most powerful cyber countries on planet earth?
A group of researchers at Harvard University makes all of these things possible through a new benchmark report called the National Cyber Power Index.
Rankings: the 10 most powerful cyber nations in the world
According to the team at the Belfer Center for Science and International Affairs at Harvard's Kennedy School, the most powerful cyber countries in the world are as follows:
1. United States
3. United Kingdom
Surprised to see certain countries missing from the top 10 list?
Israel is listed as the eleventh most powerful nation in cyberspace, in a virtual dead heat with Australia. And Estonia is 14th. More on those two surprises later on.
Let's zoom out a bit and look at the top 30 global cyber power rankings:
How were the most powerful cyber countries ranked?
It is always fascinating to see "top ranking lists" like these, but how do we know what this really means, and what criteria did the Harvard researchers use?
Here's the short answer if you're a math geek:
And now, here is the explanation the rest of us can understand.
In determining the National Cyber Power Index (NCPI), the research team is taking what it calls an "all of country approach" to determining and ranking cyber power. The group identified seven national objectives that countries pursue using cyber means. The seven objectives are:
- Surveilling and Monitoring Domestic Groups;
- Strengthening and Enhancing National Cyber Defenses;
- Controlling and Manipulating the Information Environment;
- Foreign Intelligence Collection for National Security;
- Commercial Gain or Enhancing Domestic Industry Growth;
- Destroying or Disabling an Adversary's Infrastructure and Capabilities; and,
- Defining International Cyber Norms and Technical Standards.
And now, back to that math formula for just a moment:
"The overall NCPI assessment measures the 'comprehensiveness' of a country as a cyber actor. Comprehensiveness, in the context of NCPI, refers to a country's use of cyber to achieve multiple objectives as opposed to a few. The most comprehensive cyber power is the country that has (1) the intent to pursue multiple national objectives using cyber means and (2) the capabilities to achieves those objective(s)."
Researchers also say they had to leave one nation-state objective on the cutting room floor. They attempted to collect data to demonstrate power around "Amassing Wealth and Extracting Cryptocurrency," which some nation-states use as a way past currency restrictions, embargoes, and financial sanctions.
However, a lack of reliable data prevented that category of cyber power from being included.
Where the United States loses to China and Russia in cyber power
Even though the United States is ranked number one overall, China continues to build on its cyber strengths. In several cyber power categories, it now leads the world. And in at least one instance, Russia also tops the United States.
- Cyber surveillance power: When it comes to cyber surveillance, China is the most powerful in cyber. Researchers say Russia is second in the category and the United States is third.
- Cyber power in commerce: In this category, China is number one, the U.S. is second.
Researchers says China's intent here is clearly documented:
"In-line with recent headlines in Western countries, China tops the Growing National Cyber and Technology Competence objective. Along with DPRK (North Korea) and Iran, China is one of only three countries assessed to be pursuing this objective through both legal and illegal means.
It has been both observed conducting industrial espionage and sought to incentivize and grow its domestic cyber expertise through research and development, and public-private partnerships."
[Related podcast: Chinese Hackers and the Equifax Data Breach]
- Cyber defense power: China is ranked number one in this category, followed by the Netherlands and France, then the United States and Canada.
- Additional cyber power categories: Researchers concluded that the United States leads in cyber offense, influencing cyber norms, and cyber intelligence.
If this were a magic quadrant analysis, which is common in the cybersecurity industry, only five countries make it to that part of the plot, in the upper right here:
China is making significant cyber power gains
The Harvard researchers behind the National Cyber Power Index conclude that when it comes to cyber capabilities and the ability for a country to carry out national objectives through cyber, the United States remains the leader overall, but China is rapidly gaining:
"The US scores highest on five out of seven objectives... China is in the top 5 for every single objective. In recent years, China has
invested heavily in research and development of technologies that allow the country to achieve multiple objectives in cyberspace. These results reflect China's increasingly dominant position in cyberspace but also highlight the significant gap in capability between China and the US in most areas."
Surprising findings in worldwide cyber power rankings
There were a number of surprises in the cyber power rankings. Here are some examples:
"One area where the ranking is at odds with conventional thought is around Israel. Israel is often put at the top of pseudo-rankings by commentators, particularly highlighting its capabilities around offensive cyber and intelligence gathering."
Researchers say one explanation here is that they depended on open source data for their research, whereas much of Israel's cyber power is operated covertly, limiting their analysis.
And here are other surprising results that may have those in cybersecurity scratching their heads:
"The index also highlights several countries not normally associated with being cyber powers, as having strong capabilities in certain areas. Malaysia is in the top 10 four times for information control, intelligence, commercial gain and norms and laws.
Sweden is in the top 10 for three objectives: surveillance, cyber defense, and information control. Switzerland made the top 10 for cyber defense and commercial gain.
Estonia, often heralded as a beacon of cyber and digital capability, made the top 10 for only two objectives: intelligence and offense. Whilst this is impressive for a country of under 1.5 million, it is perhaps not as impressive as the team were expecting.
Germany, a country not often talked about when discussing cyber capability, was ranked in the top 5 for intelligence, offense, and norms, being able to draw on its strong industrial base and its well-organized military and civilian capabilities."
What is the point of this cyber power ranking?
Did some of these rankings catch you by surprise? Do you agree or disagree with how the researchers analyzed things?
Regardless, the Harvard team that created the NCPI hopes you'll be talking about it. They conclude the 91-page report like this:
"Based on the current state of the field, there is still room to develop
a more precise and nuanced framework for understanding cyber power, but our framework and the data we have collected can still move the cyber policy conversation beyond its current focus on offensive cyber.
Finally, we hope that this study encourages more transparency around cyber capabilities and intent which is a critical component for preventing dangerous escalation and conflict between countries."
For more details, see the full report for yourself: National Cyber Power Index 2020
[Related podcast: Cybersecurity, Geopolitics, and the Threat Landscape]