CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 1
The Cyber-Power Project:
Context and Methodology
Over the last 20 years, cyber capabilities have become a
formidable new instrument of national power. As well as
using such capabilities to obtain state secrets from each
other, as in traditional espionage, states have also used
them for a range of other, more threatening purposes.
These include bolstering their own economic develop-
ment by stealing intellectual property; threatening to
disrupt the nancial institutions, oil industries, nuclear
plants, power grids and communications infrastructure of
states they regard as adversaries; aempting to interfere
in democratic processes; degrading and disrupting mili-
tary capabilities in wartime; and, in one case, constraining
the ability of another state to develop nuclear weapons.
The state-on-state cyber operations revealed in the
media include those by the United States and Iran against
each other; Israel and Iran against each other; Russia
against Estonia, Georgia and Ukraine; and Chinese
aempts to steal intellectual property on an industrial
scale. Russian operations against the democratic process
in the US and United Kingdom have received consid-
erable aention, as have the US retaliatory operations
against the St Petersburg-based group deemed to be
partly responsible. A Russian cyber operation against
the US in late 2020, the ‘SolarWinds hack’, has also been
prominent. There have been operations by Iran against
Saudi Arabia, by North Korea against Sony Pictures
and the global banking system, and by the US, the UK
and Australia against the Islamic State (also known as
ISIS or ISIL). Some operations have been conducted in
an unrestrained manner, resulting in many unintended
victims. For example, the NotPetya malware that the
Russians used against Ukraine severely damaged the
Maersk shipping line, and the WannaCry malware the
North Koreans used against the global banking system
aected the UK’s National Health Service.
These media reports only tell a small part of the story.
State cyber operations to reconnoitre and gain a pres-
ence on relevant networks are occurring every second
and are now a permanent feature of cyberspace. The
risk of miscalculation is high. Reconnaissance or prepo-
sitioning could be misinterpreted by the defender as an
actual aack, and therefore provoke retaliation. Inserted
code could malfunction, causing an accident. Escalation
could easily spiral out of control as a result, which is
perhaps the gravest risk entailed in state-on-state cyber
operations. Other risks include the acquisition of state
capabilities by criminals or terrorists, and the ease with
which states can nd highly eective oensive tools on
the open market (the so-called ‘low point of entry’).
In short, cyberspace has become, perhaps inevi-
tably, a key and risky new environment for statecraft
and competition between states in the twenty-rst
century. It has also become a major, and arguably the
major, domain for organised crime. There are no reli-
able estimates of the costs of cyber crime at a national
level.
1
It is possible to document lower-end estimates of
certain types of cyber crime, such as credit-card fraud,
2
but such sub-categories cannot capture the full range
of economic costs from the many types of cyber crime
that extend beyond direct losses, for example by caus-
ing reputational damage or degradation of share value.
Since 2017 there has been a surge in reported losses from
ransomware (malware that prevents access to critical
data until the required ransom amount is paid), which
have totalled tens of billions of dollars. The damage
done by the various types of cyber crime has inevitably
led to a new world of litigation, regulatory nes and
insurance claims. In addition, terrorist groups such as
ISIS and al-Qaeda aspire to become more cyber-capable,
while political-activist groups of all stripes now view
