CYBER CAPABILITIES AND NATIONAL POWER: A Net Assessment 171
Net Assessment
Based on the country studies in the report, we can
draw conclusions about the ways in which states have
responded to the opportunities and threats presented
by cyber capabilities. In addition to considering sepa-
rately each of the categories in our methodology, we
can also draw conclusions about the relative standing
of the 15 countries and the implications for the broader
global balance of power.
Foundations of cyber power
On published strategy and doctrine, the country studies
reveal considerable variation in practice, especially on
the balance between policies for cyber security on the
one hand and policies for intelligence-related, politi-
cal and military uses of cyber assets on the other. All
countries maintain high levels of secrecy around the lat-
ter three areas. All the countries studied in this report
now have some published strategy, doctrine or policy
in at least one of the diverse aspects of cyber power.
The United States led the way by publishing cyber poli-
cies from the mid-1990s onwards. It now has the most
mature and comprehensive policy seings. While some
other states also produced discrete elements of strate-
gic and doctrinal cyber thinking in the 1990s, it was not
until the late 2000s that the rst wave of policies compa-
rable in breadth and depth to those of the US were pro-
duced. This was followed by a second wave from 2015
onwards. Each study reveals a unique blend of civilian
and military elements, reecting the particular strategic
circumstances and policy preoccupations of that coun-
try. Given the rapidly evolving nature of cyber threats
and opportunities, none of the countries studied is com-
fortable with its level of maturity on strategy.
National dierences also play out in the arrange-
ments for governance, command and control. Here, the
political culture of each country is immediately visible
as the primary determinant of governance arrange-
ments. Liberal democracies in advanced economies
such as France, Japan, the United Kingdom and the
US tend to have more well-established arrangements
for cyber governance compared with democracies in
the wealthier developing countries (India, Indonesia
and Malaysia). In the laer group, governance arrange-
ments have developed more slowly and unevenly, as
have security strategies for cyberspace. In more authori-
tarian countries such as China, Iran, North Korea and
Russia, the governance arrangements are more nar-
rowly focused and less transparent. Of those four coun-
tries, only China might be said to have an established
framework for a multi-stakeholder approach to cyber
governance, although its political system favours the
Chinese Communist Party as the dominant stakeholder.
A core cyber-intelligence capability is the primary foun-
dation of cyber power. Any country’s ability to take
defensive or oensive action in cyberspace is funda-
mentally dependent on its understanding of the cyber
environment – its cyber situational awareness. This can
be constructed by combining all available sources of
information from across the private and public sectors.
The most eective intelligence agencies must also have
the capability to detect and aribute sophisticated state-
based cyber aacks and to conduct sophisticated cyber
operations of their own. While many states around the
world have cyber capabilities focused on their own
internal security, and some have developed a regional
intelligence footprint, only a few have sucient reach to
achieve the level of global cyber understanding essen-
tial for the most sophisticated operations. Those states
are the Five Eyes intelligence allies (Australia, Canada,
New Zealand, the UK and the US), which operate
