Harvard's Belfer Center for Science and International Affairs today released its updated 2022 National Cyber Power Index (NCPI), a follow-up to its groundbreaking 2020 index that ranks 30 countries according to their capability and intent to pursue eight objectives of cyber power.
Key items the report notes:
- The United States remains atop the list (see the Top 10 and full Top 30 lists below).
- Russia moved ahead of the United Kingdom into third place (China remains second), "largely as a result of greater demonstrations of intent and capability in the fields of espionage, destructive attacks, and domestic surveillance," according to the announcement of the NCPI's release.
- Australia jumped from 10th in 2020 to 5th in this year's index; France fell three spots from 6th to 9th; and Germany, Canada, and Japan fell out of the Top 10.
- Moving into the Top 10 were the Republic of Korea – 7th, up from 16th; Vietnam – 9th, up from 18th; and Iran – 10th, up from 22nd.
- Ukraine just missed the Top 10, coming in 12th, but making a giant leap from 29th in 2020.
The war in Ukraine helped with the increasing positions of both Russia and Ukraine and led to Russia leapfrogging the U.K. in the rankings. Per the report: "Within two objectives, commercial gain and destructive capability, Russian cyber power has increased relative to that of the U.K., largely because of their undertaking of more cyber operations that have been publicly reported in these areas."
The top 10 most powerful cyber nations in the world
1. U.S.
2. China
3. Russia
4. United Kingdom
5. Australia
6. Netherlands
7. Republic of Korea
8. Vietnam
9. France
10. Iran
It's a new world as digital capabilities have increased
The digital landscape—cyberspace—is the new battlefield as nation-states look to one-up each other through cyber means and grow their cyber power. The NCPI concludes.
"From our analysis, it is clear that states seek to not only destroy and disable an adversary's infrastructure and capabilities, but also to strengthen and enhance national cyber defenses, gather intelligence in other states, grow national cyber and commercial technology competence, control and manipulate the information environment, and extend their influence through defining international cyber norms and technical standards. Cyber power should be considered in the context of a state's national objectives and states should and increasingly are taking a whole-of-nation approach when attempting to harness it."
As mentioned above, the unilateral invasion of Ukraine by Russia is exacerbating the fault line in global affairs being created by the nexus of technology and values. In an effort to rally behind Ukraine, allies offered support to defend Ukraine's digital estate by helping build capacity and providing needed hardware and equipment.
[RELATED: Cybersecurity Community Steps Up to Help Ukraine]
Perhaps unintentionally, Russian cyberattacks spilled beyond Ukraine's borders, with Russia targeting allies showing support for President Vlodymyr Zelinksky. States ramped up their own cyber defenses as a reaction to Russia's aggressiveness.
Here's a look at the entire Top 30 list:
Figure 2. Overall Ranking 1-30
So how is the U.S. faring against other super powers?
While the United States leads China in the index overall, it's a bit tighter than some might like. The U.S. is leading or at least in the top five in every category, as follows:
- Financial – 5th behind DPRK (North Korea), China, Vietnam, and Iran (in that order)
- Surveillance – 4th behind China, Vietnam, and Iran
- Intelligence – 1st ahead of China, the U.K., and Australia
- Commerce – 2nd behind China and just ahead of Russia and the U.K.
- Defense – 3rd behind Australia and Ukraine (the response to the Russian invasion upped Ukraine's score here)
- Information Control – 1st ahead of Russia, China, and Vietnam
- Destructive – 1st ahead of Russia, China, and the U.K.
- Norms – 1st ahead of the U.K., Singapore, and China
Some other notable observations from the rankings:
- Canada ranked third from the bottom in Financial; in the middle of the pack on Surveillance; Top 8 in Intelligence; middle in Commerce; 8th in Defense; 11th in Information Control; middle in Destructive; and the bottom third in Norms (13th overall).
- Germany is in the bottom third of Financial; just outside the Top 10 in Surveillance; middle in Intelligence; 9th in Commerce; 10th in Defense; 7th in Information Control; Top 10 in Destructive; and 9th in Norms (11th overall).
- Brazil is in the bottom third or lower in all categories, including last in Surveillance; 29th in Financial; 28th in Intelligence; and 29th in Commerce (last overall).
The framework for building the Index
See the chart below that lists out the eight objectives used to determine the National Cyber Power Index. An eighth category was added for the 2022 report that did not exist for the 2020 report. "Amassing and Protecting Wealth" is defined as "the use of cyber operations to amass wealth. This includes theft by cyber means including ransomware, ransoms demanded for not publicizing information obtained via data breaches and attacking the digital infrastructure of financial institutions."
The index looked at the number of attacks identified in open-source databases that had a financial gain objective. The four states that recorded a score in this area were China, DPRK (North Korea), Vietnam, and Iran. Russia is a notable omission, but the Russian government does not report or identify the generation of cash from cyberattacks.
Table 3. Objectives Pursued
The group behind the study
The NCPI is produced by the Cyber Project from the Harvard Kennedy School Belfer Center for Science and Administration. The authors are Julia Voo, Irfan Hermani, and Daniel Cassidy.
Voo is a Cyber Fellow and leads the team behind Belfer's National Cyber Power Index. She was formerly the Research Director for the China Cyber Policy Initiative. Voo previously served at the British Embassy in Beijing where she covered China’s cyber and AI policy from a commercial perspective, technical standards, and other trade policy issues.
Hemani is a Deputy Director for Cyber Policy at the U.K.'s Department for Digital, Culture, Media and Sport, responsible for secure technology policy as part of the U.K.'s new National Cyber Strategy. He previously worked in Deloitte's Technology Risk Advisory team.
Cassidy is a strategy and security professional who is currently a director at DartKite, a consultancy firm specializing in using data to support strategy and policy decision making, particularly related to cyber and cyberspace. He previously worked for the U.K. government and the E.U. as an expert in strategy and crisis management, and a wide range of issues including arms control, applied research, and migration.
Julia Voo told SecureWorld News:
"Cyber power isn't simply destructive and defensive. It is multifaceted and requires a whole-of-nation approach to harness it. We are increasingly seeing more states trying to do just that. It's not just a handful of cyber powers. The NCPI shines a light on a much larger range of countries developing the capabilities and demonstrating the intent to achieve their objectives using cyber means. We should be having much broader conversations about what this means for geopolitics."
Harvard scholars gathered together 40 years ago to examine the Cold War, specifically the threat of a nuclear exchange between the Soviet Union and the United States.
According to the NCPI:
"Today, we seek to recreate that interdisciplinary approach to tackle a new threat: the risk of conflict in cyberspace. The problems that confront today's leaders are substantial and diverse: how to protect a nation's most critical infrastructure from cyberattack; how to organize, train, and equip a military force to prevail in the event of future conflict in cyberspace; how to deter nation-state and terrorist adversaries from conducting attacks in cyberspace; how to control escalation in the event of a conflict in cyberspace; and how to leverage legal and policy instruments to reduce the national attack surface without stifling innovation."
Two key themes
Since the publishing of the inaugural 2020 index, readers have highlighted two key themes they like to watch for: a holistic approach to cyber power, and achieving multiple objectives using cyber means.
On the holistic front, the report's authors say it measures demonstrated capability and potential, measuring government strategies, capabilities for defensive and destructive operations, resource allocation, and private sector capabilities within a country—technology companies, workforce, and innovation.
"Cyber power is multifaceted and requires a whole-of-nation approach in order to harness it. The objective of the NCPI is to provide a more complete measure of cyber power than existing indices, anecdotal studies, or journalistic speculation," the report surmises.
The report also explores the extent to which certain nation-states pursue multiple objectives using cyber means. This is not to say that the technical merit of a cyberattack is what is measured; more so, the complexity of the operation as it is linked to the demands of the state's objective. As the report states, "the most sophisticated cyber operations are not always made public. This could be because either the victim is unaware or unwilling to confirm that they were subject to an attack or the attacker's actions were not detected or cannot be attributed to them.”
To better measure incidents, particularly those with a financial impact of more than $1 million, the NCPI authors relied on the Council on Foreign Relations (CFR) Cyber Operations Tracker, as well as an additional resource, the Center for Strategic and International Studies (CSIS) Significant Cyber Incidents database.
For more, read the full 2022 National Cyber Power Index here.
