Harvard's Belfer Center for Science and International Affairs today released its updated 2022 National Cyber Power Index (NCPI), a follow-up to its groundbreaking 2020 index that ranks 30 countries according to their capability and intent to pursue eight objectives of cyber power.
Key items the report notes:
The war in Ukraine helped with the increasing positions of both Russia and Ukraine and led to Russia leapfrogging the U.K. in the rankings. Per the report: "Within two objectives, commercial gain and destructive capability, Russian cyber power has increased relative to that of the U.K., largely because of their undertaking of more cyber operations that have been publicly reported in these areas."
1. U.S.
2. China
3. Russia
4. United Kingdom
5. Australia
6. Netherlands
7. Republic of Korea
8. Vietnam
9. France
10. Iran
The digital landscape—cyberspace—is the new battlefield as nation-states look to one-up each other through cyber means and grow their cyber power. The NCPI concludes.
"From our analysis, it is clear that states seek to not only destroy and disable an adversary's infrastructure and capabilities, but also to strengthen and enhance national cyber defenses, gather intelligence in other states, grow national cyber and commercial technology competence, control and manipulate the information environment, and extend their influence through defining international cyber norms and technical standards. Cyber power should be considered in the context of a state's national objectives and states should and increasingly are taking a whole-of-nation approach when attempting to harness it."
As mentioned above, the unilateral invasion of Ukraine by Russia is exacerbating the fault line in global affairs being created by the nexus of technology and values. In an effort to rally behind Ukraine, allies offered support to defend Ukraine's digital estate by helping build capacity and providing needed hardware and equipment.
[RELATED: Cybersecurity Community Steps Up to Help Ukraine]
Perhaps unintentionally, Russian cyberattacks spilled beyond Ukraine's borders, with Russia targeting allies showing support for President Vlodymyr Zelinksky. States ramped up their own cyber defenses as a reaction to Russia's aggressiveness.
Here's a look at the entire Top 30 list:
While the United States leads China in the index overall, it's a bit tighter than some might like. The U.S. is leading or at least in the top five in every category, as follows:
Some other notable observations from the rankings:
See the chart below that lists out the eight objectives used to determine the National Cyber Power Index. An eighth category was added for the 2022 report that did not exist for the 2020 report. "Amassing and Protecting Wealth" is defined as "the use of cyber operations to amass wealth. This includes theft by cyber means including ransomware, ransoms demanded for not publicizing information obtained via data breaches and attacking the digital infrastructure of financial institutions."
The index looked at the number of attacks identified in open-source databases that had a financial gain objective. The four states that recorded a score in this area were China, DPRK (North Korea), Vietnam, and Iran. Russia is a notable omission, but the Russian government does not report or identify the generation of cash from cyberattacks.
The NCPI is produced by the Cyber Project from the Harvard Kennedy School Belfer Center for Science and Administration. The authors are Julia Voo, Irfan Hermani, and Daniel Cassidy.
Voo is a Cyber Fellow and leads the team behind Belfer's National Cyber Power Index. She was formerly the Research Director for the China Cyber Policy Initiative. Voo previously served at the British Embassy in Beijing where she covered China’s cyber and AI policy from a commercial perspective, technical standards, and other trade policy issues.
Hemani is a Deputy Director for Cyber Policy at the U.K.'s Department for Digital, Culture, Media and Sport, responsible for secure technology policy as part of the U.K.'s new National Cyber Strategy. He previously worked in Deloitte's Technology Risk Advisory team.
Cassidy is a strategy and security professional who is currently a director at DartKite, a consultancy firm specializing in using data to support strategy and policy decision making, particularly related to cyber and cyberspace. He previously worked for the U.K. government and the E.U. as an expert in strategy and crisis management, and a wide range of issues including arms control, applied research, and migration.
Julia Voo told SecureWorld News:
"Cyber power isn't simply destructive and defensive. It is multifaceted and requires a whole-of-nation approach to harness it. We are increasingly seeing more states trying to do just that. It's not just a handful of cyber powers. The NCPI shines a light on a much larger range of countries developing the capabilities and demonstrating the intent to achieve their objectives using cyber means. We should be having much broader conversations about what this means for geopolitics."
Harvard scholars gathered together 40 years ago to examine the Cold War, specifically the threat of a nuclear exchange between the Soviet Union and the United States.
According to the NCPI:
"Today, we seek to recreate that interdisciplinary approach to tackle a new threat: the risk of conflict in cyberspace. The problems that confront today's leaders are substantial and diverse: how to protect a nation's most critical infrastructure from cyberattack; how to organize, train, and equip a military force to prevail in the event of future conflict in cyberspace; how to deter nation-state and terrorist adversaries from conducting attacks in cyberspace; how to control escalation in the event of a conflict in cyberspace; and how to leverage legal and policy instruments to reduce the national attack surface without stifling innovation."
Since the publishing of the inaugural 2020 index, readers have highlighted two key themes they like to watch for: a holistic approach to cyber power, and achieving multiple objectives using cyber means.
On the holistic front, the report's authors say it measures demonstrated capability and potential, measuring government strategies, capabilities for defensive and destructive operations, resource allocation, and private sector capabilities within a country—technology companies, workforce, and innovation.
"Cyber power is multifaceted and requires a whole-of-nation approach in order to harness it. The objective of the NCPI is to provide a more complete measure of cyber power than existing indices, anecdotal studies, or journalistic speculation," the report surmises.
The report also explores the extent to which certain nation-states pursue multiple objectives using cyber means. This is not to say that the technical merit of a cyberattack is what is measured; more so, the complexity of the operation as it is linked to the demands of the state's objective. As the report states, "the most sophisticated cyber operations are not always made public. This could be because either the victim is unaware or unwilling to confirm that they were subject to an attack or the attacker's actions were not detected or cannot be attributed to them.”
To better measure incidents, particularly those with a financial impact of more than $1 million, the NCPI authors relied on the Council on Foreign Relations (CFR) Cyber Operations Tracker, as well as an additional resource, the Center for Strategic and International Studies (CSIS) Significant Cyber Incidents database.
For more, read the full 2022 National Cyber Power Index here.