Pages

30 April 2020

Reconceptualizing Cyber Power


1. Introduction

The internet has changed the way power is perceived, built and projected (1). It has changed the way countries make decisions, create policy and interact with one another. The physical world is increasingly enmeshed with cyberspace. This brings innovations, efficiencies and conveniences; however, the greater our dependence on cyberspace, the more our daily lives can be disrupted and our identities usurped by malicious actors online (2).

Cyber capabilities are increasingly woven into the traditional tools of statecraft (3). A country is able to enhance the power of its military and security organizations through cyber means. Indeed, non-state actors have been empowered too, with companies such as Microsoft and Google seeking to set global cybersecurity and artificial intelligence norms and principles (4).

It is not clear how exactly cyber has altered the global balance of power, but there is general agreement that the balance of power has been altered (5). Offensive cyber capabilities—in contrast to traditional tools wielded by states—are cheaper, harder to track and exploit vulnerabilities to inflict significant harm on the victim. The asymmetric nature of cyber capabilities means smaller countries can punch above their weight, exerting more influence using cyber means than with traditional tools (6). Despite this, the overall trend has been the consolidation of power in all its forms, traditional and cyber, in favor of traditionally more powerful players.


There is no well-defined or generally agreed-upon definition of cyber power. The term “cyber superpower” has been applied to China, Israel, Russia, the U.K. and the U.S. by influential organizations such as the World Economic Forum (7). However, this title has been bestowed without any clear explanation of the criteria for what a “cyber power” or “cyber superpower” is or is not capable of.

Nevertheless, cyber is fast becoming a strategic tool for countries. Increasing numbers of countries are developing offensive capabilities (8) and cyberspace is becoming an ever-contested area (9). Countries are dedicating more resources to cyber defense and offense. In the 2020 U.S. President’s Budget, at least $17.4 billion is earmarked for cybersecurity-related activities, a $790 million or five percent increase from 2019 (10).

Is Cyber Power Distinct from Traditional Military Power?

Military power is part of cyber power and vice versa. Military power has always been complemented by the other capabilities that can be deployed by a state. Take information operations as an example. Radio Free Europe/ Radio Liberty was an important tool used by the U.S. to undermine the Soviet Union (11). The use of Facebook by Russia to sabotage Ukraine and to support the invasion of Crimea or to subvert election security to weaken liberal democracies can be seen as an even more effective information operation given that it was targeted and insidious. Thus, cyber is indeed a part of military power, and having cyber capabilities can greatly increase overall military power.

In many respects, cyber power can deliver an effect similar to that achieved by other conventional military means. The effect of disabling critical infrastructure could be achieved by cyber or a conventional weapons attack. Indeed, a cyber attack might be preferred over a kinetic strike as its effect could be reversible in a way that a missile strike is not.

However, cyber power should be considered as a domain in its own right and not only be considered as complementary to or an amplifier of other forms of power. Cyberspace is already considered the fifth domain after space, sea, land and air (12). However, the cyber domain has multiple characteristics which make it more difficult to assess than the others. As highlighted by many observers, cyber capabilities do not require the expensive industrial base of traditional military capabilities. The lack of such overt development also means the wielder can remain relatively anonymous. This lowers the barrier to entry, broadening the pool of potential actors to include both state and non-state entities.

As Inkster (13) highlights, having the best possible understanding of the capabilities of allies and adversaries has always been a vital tool of statecraft. Anonymity in cyberspace makes it more difficult for states to assess an adversary’s capabilities, making deterrence difficult.

In recent years there has been a developing school of thought that attempts to restrain the perceived over-enthusiasm towards cyber power; supporters of this thinking argue that cyber power does not have independent war-winning capability (14). We do not disagree, however, our view is that the threat of cyber-enabled capabilities is so broad that thinking of cyber power only in the traditional mindset of war and conflict is a mistake. Cyber power must be considered as a means to pursue and affect other spheres of competition and cooperation between states, such as the economic and societal arenas.

Our Approach

Our intention is to provide the best possible understanding of cyber power capabilities to inform public debate. The Belfer approach proposes eight objectives that countries pursue using cyber means; provides a list of capabilities required to achieve those objectives that demonstrates the breadth of sources of cyber power; and compares countries based on their capability to achieve those objectives. Our work builds on existing cyber indices such as the Economist Intelligence Unit and Booz Allen Hamilton’s 2011 Cyber Power Ranking (15), by, for example, including a policy dimension and recognizing that cyber capabilities enhance military strength.

The Belfer Cyber Power Index reconceptualizes the notion of “cyber power” at the country-level to reflect the different objective(s) that each country is pursuing—demonstrated through national strategies, rhetoric and action—and their ability to achieve these objectives. We do not include non-state actors in our ranking. Our objective is to provide a measure for cyber power at the national level, reflecting strength, resilience and comprehensiveness, which we define as using cyber means to achieve multiple objectives as opposed to a few. We hope this tool will broaden and deepen the cyber power discussion and incorporate countries beyond those that are already extensively covered in the media—like the U.S., China and Russia—thus contributing to effective long-term cyber strategies for a more stable world.

To date we have found sufficient data to assess the cyber power of 30 countries. The Cyber Power Team at the Belfer Center will release our initial Cyber Power Index in Summer 2020 based on these 30 countries, which includes the most prominent state-actors.

2. Reconceptualizing Cyber Power

The original meaning of “superpower” can be traced to the Cold War. During the Cold War, “superpower” was used most often to describe the U.S. and the Soviet Union, the most powerful countries at the time. Each country was able to exert significant influence globally. However, due to the geographically borderless nature of cyber, virtually any player in the cyber arena is capable of projecting themselves globally. Cyber power to some extent removes the geographical conditions that constrain other traditional types of power (16). Therefore today, “superpower” in its traditional definition is not an accurate or useful way to describe or compare cyber power wielded by a country.

In defining cyber power we face the following challenges:

On the one hand, countries employ cyber capabilities for offensive operations, to ensure cyber security and to gain economic advantage. For example, the U.S. conducts offensive operations to counter cyber espionage by China (17), the DPRK uses cyber means for financial gain (18) and Russia exploits social media to spread disinformation (19). In our framework, we account for the different objectives that countries may pursue with their cyber capabilities.

On the other hand, many cyber activities are difficult to attribute. Often state actors deliberately obfuscate attribution efforts or allow their actions to be misattributed to other groups. In addition, the most technically accomplished and effective attacks may only come to light years after they were first launched, when the target organizations, or others, finally detect them. Still, it is possible to draw useful conclusions about cyber power from the wealth of data on successful attacks and breaches.

The definition of national cyber power that we propose is as follows: a country’s ability to pursue its objectives using cyber means. The greatest global cyber power is the country that:
sets clear national objectives in cyberspace*;
has the essential capabilities to pursue these objectives;
achieves multiple objectives using cyber means.

* Note: Not all 30 countries assessed have a national cyber strategy. In the absence of a national cyber strategy we examined broader defense and security related policy documents and rhetoric from senior leaders.

Using the Council on Foreign Relations’ Cyber Operations Tracker, which tracks cyber operations since 2005 (20), we conducted a historical analysis of state-sponsored cyber activities and identified the core objectives countries have pursued in cyberspace. We identified eight objectives that range from strengthening and enhancing cyber defenses, to surveillance and monitoring of domestic groups, financial gain and the destruction and disablement of an adversary’s infrastructure and capabilities. These objectives are listed within the Framework section.

A more specific understanding of cyber power, how it is wielded and how it fits alongside traditional tools of statecraft will help policy makers understand the opportunity costs associated with cyber operations.

This is not the first effort to provide a framework to measure a country’s cyber power. However, previous indices such as the Economist Intelligence Unit and Booz Allen Hamilton’s Cyber Power Index focused on the ability of each country to wield digital infrastructure with only a limited focus on defense (21).In addition, the dual nature of some indicators does not appear to feature in their assessment. For example, digital infrastructure can be both a strength and a vulnerability, a duality which is reflected in our ranking.

Other indices, such as the International Telecommunication Union’s annual “Global Cybersecurity Index,” focus solely on domestic cyber resilience (22) and do not take into account offensive cyber capabilities. To our knowledge, existing cyber indices do not consider a country’s specific objectives and how those individual priorities are reflected in the capabilities that a state develops.

We take an all-of-country approach to measuring cyber power, i.e. assuming that the government in power can wield these components effectively. The Belfer Cyber Power Index will allow policymakers and strategists to more effectively assess the capabilities of countries and their abilities to pursue their national interests in cyberspace. As more data becomes available over the coming years, we will expand our cyber power index to include assessments of more countries.

3. Framework

Cyber power, as stated previously, is a measure of a country’s ability to pursue its national objectives using cyber means.

As a starting point we conducted a historical assessment of state-sponsored cyber activities from 2005 to the present day to identify the core objectives that countries have pursued in cyberspace.

To assess an individual country’s cyber power, we used a three-step approach which assesses a country’s potential ability to achieve its objectives and then ranks each country from more to less capable.

First, we examine what objectives a country has stated or demonstrated it wants to achieve in cyberspace. Second, we assess a country’s ability to pursue these objectives based on our mapping of their capabilities against the objectives. Third, we consider the number of objectives a country is pursuing in cyberspace and then rank each country against the others - the more objectives a country pursues the more comprehensive a cyber actor that country is and the higher up in the index they will be.

Objectives

Measuring cyber power in contextual terms requires analysis of the objectives that countries are trying to pursue via cyber means. Drawing on military doctrine, objectives are what an actor “desires to accomplish in a given set of circumstances.” (23)

While the specific goals that countries try to pursue are specific to each, international relations theory typically defines three broad overarching objectives that all countries seek to pursue in some form (24):
Defense and security. Protecting citizens remains the primary objective of national governments.
Economic growth and prosperity. Increasing flows of global trade, strengthening the domestic economy, and increasing government revenues to pay for essential services.
International power projection. Projecting influence overseas and growing its international reputation to enhance its defense and security and economic prosperity.

To pursue these objectives, countries plan and conduct operations and discrete activities.

Based on analysis of national cyber strategies and publicly known state-sponsored cyber operations since 2005 (25), we have inferred eight objectives that countries have pursued using cyber capabilities. These objectives help to achieve the overarching defense and security, economic growth and prosperity and international power projection goals mentioned above.

In no particular order of importance, they are:
Surveilling and monitoring domestic groups;
Strengthening and enhancing national cyber defenses;
Controlling and manipulating the information environment;
Intelligence gathering and collection in other countries for national security objectives;
Amassing wealth and/or extracting cryptocurrency;
Extracting IP overseas for commercial gain to enhance domestic industry growth;
Destroying and disabling an adversary’s infrastructure and capabilities;
Defining international cyber norms and technical standards.

3.1 Assessing Intention

Cyber power involves using cyber capabilities to pursue policy objectives. However, because a country’s resources are limited, objectives must be prioritized.

To measure intent, we have assessed:
Each country’s track record in perpetrating cyber attacks;
Cyber military strategies to date;
Participation in international cooperation agreements on cyberspace.

By analyzing official government policy and inferring the objectives of previous state-backed cyber operations, we can begin to understand how a country is prioritizing their objectives in cyberspace. Furthermore, how often a country has exercised cyber power is a leading indicator of how much influence it will have in the future.

A country makes financial, policy, and opportunity trade-offs when it seeks to achieve one of the eight objectives above. Declared objectives achieved through cyber means are often included in national cyber and defense strategies and planning documents.

National cyber strategies are a relatively recent phenomenon but are rapidly proliferating. We have read all of the available cyber strategies and available documents for the 30 countries in our ranking and conducted textual analysis, using natural language processing, to identify declared objectives and to understand how each country seeks to develop the capabilities to achieve them.

For example, the U.S. cyber strategy (26) outlines how the government and all of its agencies will work together to fulfill four objectives: defend domestic infrastructure and data; nurture a secure digital economy and domestic innovation; work with allies and partners to deter malicious actors through punishment; and expand America’s vision of an open, interoperable, reliable and secure internet (27). All of these activities are therefore tied with the U.S.’ vision of enhancing its cyber capability and resilience and are elements of an all-of-country approach.

Of course, there is strategic advantage to be gained in not declaring certain objectives. When assessing intent, how a country seeks to articulate the objectives it will pursue using cyber means is often as important as the objective it is trying to pursue. For example, countries conducting cyber espionage may choose not to publicly state they are conducting cyber espionage. Therefore, it is important to also look at metrics that reflect a country’s actions, which could demonstrate intent. To measure this, we have examined publicly available data on state-sponsored operations by both private sector cyber threat analysts and governments to assess the consistency—or inconsistency—between a country’s declared and demonstrated intent.

3.2 Measuring Capability

Cyber power relies upon a set of resources that relate to the creation, control and communication of electronic and computerized information: infrastructure, networks, software and human skills (28). To assess a country’s capabilities we have mapped each objective onto lists of indicators. This process allows us to assess to what extent countries have the necessary capabilities to pursue their objectives.

For example, the “Strengthening and enhancing national cyber defenses” objective depends on state’s ability to:
Assess, detect and mitigate threats and attacks;
Educate and inform users of the threats they face;
Regulate and legislate on data privacy and cyber activity within its borders.

Therefore, a list of capabilities that map to strengthening and enhancing national cyber defenses would include (but not be limited to) the following:
Existence of comprehensive critical infrastructure, cyber security, and user content laws;
Skilled employees in cyber security;
Inter-agency partnerships to shore up national cyber defenses;
Number of cyber military units dedicated to defending the homeland;
Number of top domestic cyber security firms.

Some resources may add to cyber power for one national objective but be detrimental for another. For example, while a highly connected population can boost productivity in the workforce and create prosperity, the potential risk of attacks becomes more likely and more severe for that country. This can be compounded by weak cyber security standards and practices and high infection rates for devices. A country’s lack of cyber security and resilience, then, can expose it to risk and can be measured by the level of its cyber security standards, the infection rate of devices and the connectivity of its population. In this vein, some of the world’s most developed countries have a higher risk of cyber attack due to extensive digital infrastructure but older legacy systems that are harder to update. One can argue that the DPRK has a lower risk of cyber attacks as a result of its relative lack of internet connectivity.

While a national strategy or plan lays the framework for how a country will build national cyber security and resilience, each of these individual elements brings a resource and capability burden that a country must be able to meet. This not only requires financial or technical resources, but also human and industry resources. Our metrics reflect the fact that an educated and skilled workforce, complemented by effective public-private relationships, is essential for most countries to meet their objectives.

Our final step is assessing the comprehensiveness of each country as a cyber actor. Countries may pursue anywhere between none to all eight of these objectives. The more objectives a country successfully pursues using cyber means, the more comprehensive a cyber actor it is.

We will issue case studies for each country to explain our findings in detail.

4. Conclusion

Cyberspace and cyber means are multi-use: every measure of cyber power can at once empower a country and also expose it to vulnerabilities. As the rate of cyber threats increases alongside the expansion of cyberspace, a better understanding of the components of what can strengthen and weaken a state is critical in order to design effective solutions.

The Belfer Cyber Power Index reconceptualizes the notion of ‘cyber power’. We propose a new framework for measuring a country’s cyber capabilities against their individual objectives and provide a global ranking of countries based on how comprehensive a cyber actor they are. Our work differs from existing attempts to measure cyber power because it is holistic in assessing security, resilience, offensive capabilities against objectives and realistic, where we recognize that cyber capabilities do not stand alone and enhance traditional tools of statecraft such as military strength. Our assessment of the most capable and comprehensive cyber power is the country that has the highest potential capability to achieve multiple objectives.

Our assessment of 30 cyber powers will be released by Summer 2020.

5. Frequently Asked Questions

How do I compare how effectively Country A is achieving its national objectives in cyberspace versus Country B?

The most capable cyber power is the state that most effectively uses cyber means to pursue its objectives. For each national objective, we will show the current capacity for each country to pursue said objective, ranking each country against the others. For countries whose objectives are directly comparable to one another, the methodology for how countries are ranked will be included in detail in the comprehensive cyber power assessment which will be released in Spring 2020. However, it is important to note that countries may not all prioritize the same objectives.

Consider the following example: Country A’s primary objective in cyberspace is financial gain, while Country B has no desire for financial gain but rather seeks domestic infrastructure security. Measuring Country A’s ability to use cyberspace for financial gain versus Country B’s ability to do the same would not be a proper measurement of each country’s cyber power. This is because financial gain as an objective has not been prioritized by Country B in cyberspace, and Country B is not actively trying to develop capabilities towards that objective.

Why are you only considering cyber power at the state level, and not including cybercriminal or other non-state actors?

Some interpretations of cyber power consider non-state actors as “passive intellectual capital” (29) whereby the state is the political entity that needs to learn how to optimize its cyber power. We quantify cyber power at the all-of-country level to illustrate its contribution to national power where, if harnessed correctly, it can contribute to a state’s ability to pursue its domestic and foreign policy objectives using cyber means.

Our assessment of components is holistic, including not only cyber resilience and power projection capabilities, but also national policies and regulatory frameworks, as well as domestic resources and pipelines. These components create a better understanding of the cyber power a state can wield.

To what extent is the ranking representative of reality?

Capturing the scale, unique attributes and potency of cyber capabilities, as mentioned above, is a blend of art and science. Due to the sensitivity of some information, any attempt at measuring cyber power will suffer from the same gaps as other measurements of power. This is further exacerbated by the diffuse nature and intangibility of cyber power.

This intangibility makes compiling public sources of data on the issue more challenging because cyber tools are not manifest like tanks and guns, and the owner of cyber tools has a relatively high level of anonymity. Most of this information does not exist in the public sphere and technical capabilities tend to be decipherable only by technical experts.

In some states, political tradition limits the availability of access to data. Democratic governments are answerable to the electorate and have a duty to disclose, among other things, budgets and expenditures. For example, the U.S., U.K., and Australia have disclosed expenditures on building cyber capabilities.

Still the framework that we use to assess cyber power allows us to measure a wide and meaningful range of objectives, capabilities and comprehensiveness. We can thus provide a more holistic measure of cyber power than the measures delivered by existing indices.

No comments:

Post a Comment