New IISS Research Paper
Executive Summary
CYBER CAPABILITIES
AND NATIONAL
POWER:
A Net Assessment
This report sets out a new methodology for assessing cyber
power, and then applies it to 15 states:
Four members of the Five Eyes intelligence alliance – the
United States, the United Kingdom, Canada and Australia
Three cyber-capable allies of the Five Eyes states – France,
Israel and Japan
Four countries viewed by the Five Eyes and their allies as
cyber threats – China, Russia, Iran and North Korea
Four states at earlier stages in their cyber-power
development – India, Indonesia, Malaysia and Vietnam
The methodology diers from the index-based approaches
developed by other organisations because it is broader and
principally qualitative, analysing the cyber ecosystem of
each state and how it intersects with international security,
economic competition and military aairs. The states are
assessed in seven categories:
Strategy and doctrine
Governance, command and control
Core cyber-intelligence capability
Cyber empowerment and dependence
Cyber security and resilience
Global leadership in cyberspace aairs
Oensive cyber capability
THREE TIERS OF CYBER POWER
We have divided the 15 states into three tiers of cyber power.
Our rst tier is for states with world-leading strengths
across all the categories in the methodology. We conclude
that only the United States merits inclusion.
Our second tier is for states that have world-leading
strengths in some of the categories. The states we place at
that level are, in alphabetical order, Australia, Canada,
China, France, Israel, Russia and the United Kingdom.
Our third tier is for states that have strengths or potential
strengths in some of the categories but signicant weaknesses
in others. We conclude that India, Indonesia, Iran, Japan,
Malaysia, North Korea and Vietnam are at that level.
Any aempt at a more granular ranking within the second
and third tiers would depend on the degree of importance
aributed to each category.
In the second tier, if a combination of world-class cyber
security, world-class cyber intelligence, sophisticated
oensive cyber capability and powerful cyber alliances
were deemed key, Israel and the UK would probably be
top. Alternatively, if the decisive factors were the amount
of resources – both human and nancial – devoted to cyber,
unrestrained operational boldness and day-to-day experience
of running cyber-enabled information operations, China and
Russia would probably be the leading second-tier states. But
overall, mainly because of its large and growing indigenous
digital-industrial capacity, we conclude that only China is
currently on a trajectory to join the US in the rst tier.
In the third tier, Malaysia would be top if core strength
in cyber security were the most important criterion. If
operational boldness and experience were key, Iran would
lead. However, given its world-leading internet-related high-
tech industry, we conclude that Japan is best placed, in the
long term, to rise into the second tier.
This report provides conrmation of the likely durability
of US digital-industrial superiority, including through
international alliances, for at least the next ten years. There
are two strands to this judgement. The rst is that in advanced
cyber technologies and their exploitation for economic and
military power, the US is still ahead of China. The second is
