Is China's 'Cyber Capacity' Really 10 Years Behind the US?Experts Dispute Findings of Report by International Institute for Strategic Studies
Some security experts are questioning the findings of a recent report by the International Institute for Strategic Studies, a London-based think tank, that concludes China is 10 years behind the United States in "cyber capacity."
The report attempted to measure cyber capacity of 15 countries based on their strategy and doctrine; governance and command and control; core cyber intelligence capability; cyber empowerment and dependence, cybersecurity and resilience; global leadership in cyberspace affairs; and offensive cyber capability.
But some security experts say the report does not adequately take into account cyberattacks by nonstate actors. They say it attempts to rank countries on capabilities that are difficult to measure. And they say the report doesn't adequately consider defensive powers.
As a result, they say the report underestimates the cyber capabilities of China and fails to reflect the vulnerabilities of U.S. companies that support critical infrastructure.
"The recent pipeline attack in the U.S. shows a severe weakness, where digitization of physical infrastructure can leave a nation vulnerable, even if its offensive cyber capability is strong," says Simon Moffatt, founder and analyst at research and advisory firm The Cyber Hut, referring to the ransomware attack on Colonial Pipeline Co.
The International Institute for Strategic Studies did not immediately reply to a request for comment on the critiques of its report.
The Report's Conclusions
The report concludes that only the U.S. has tier 1 cyber capacity, with world-leading strengths across all the categories. Tier 2 nations are China, Russia, Australia, Canada, France, Israel and the United Kingdom, while tier 3 nations include India, Indonesia, Iran, Japan, Malaysia, North Korea and Vietnam.
The study uses data gathered through research of published material, such as strategies and plans; interviews with experts; known investment of financial and human resources; known operational use and testing and exercising activities; and nongovernmental and academic indices, including the ITU’s Global Cybersecurity Index.
Casey Fleming, CEO of strategic risk, strategy and intelligence firm BlackOps Partners, says the study's methodology lacks proper weighting for an accurate assessment, overemphasizing offensive cyber capability and command and control.
The study also fails to recognize the significant boost in the Chinese Communist Party's cyber capabilities and its strategy of launching unrestricted hybrid warfare, such as blending cyberattacks with conventional attack tactics, he says.
The study says the United States' "capability for offensive cyber operations is probably more developed than that of any other country."
But cyber "power" is based as much on defense as offense, Moffatt argues.
"We need to think about what cyberwar is used to achieve," he says. "It is often part of an overall kinetic/physical military capability, but used more in peace time for coercive power and to improve negotiation positioning."
The ability to withstand distributed denial-of-service in the case of critical infrastructure, prevent intellectual property leakage and protect military installations is as critical as the power to wage cyberattacks, he says.
"Although the U.S. is ranked alone in tier 1, it is hopelessly unprepared for an attack from Russia or China," says Peter Yapp, partner at international privacy consultancy Schillings and former deputy director of U.K.'s National Cyber Security Center.
"China does not need to use sophisticated means to infiltrate critical national infrastructure or businesses … because the tools and processes in place to protect them don't present enough of a challenge."
While the U.S. and the U.K. were "hell bent on offensive capability, they ignored defensive capability," adds Andrew Jenkinson, group CEO of cybersecurity consultancy Cybersec Innovation Partners (see: Biden Promises Retaliation Unless Putin Stops Cyberattacks),
Fleming argues that China's cyber capacity is far more advanced than this report suggests.
"China has blocked its internal internet to outside access and traffic, for the most part. The CCP [Chinese Communist Party] is creating its own internet to replace the World Wide Web for control," Fleming says.
Eoin Keary, founder of cybersecurity firm Edgescan and former global director of the Open Web Application Security Project Foundation, adds: "There is a widespread understanding that due to the connections between corporate and state power in China, it is pulling ahead in the areas of artificial intelligence, machine recognition and machine learning. In fact, some of the largest publicized ransomware attacks occurred in the U.S, not China or Russia, which sows seeds of doubt in the conclusion of the report."
The Chinese strategy of having most of its critical infrastructure made in China by 2025 will enable it to control civilian access to content and make it relatively immune to some types of complex supply chain attacks, Moffatt adds.
In the latest development, China's Ministry of Industry and Information Technology said on Monday it has issued a draft three-year action plan to develop the country's cybersecurity industry, Reuters reports.
Detected attacks represent only a fraction of state-sponsored Chinese and Russian activity, says Paul Prudhomme, head of threat intelligence advisory at the cybersecurity firm IntSights and former contractor specializing in state-sponsored cyberthreats for the United States Intelligence Community.
These attackers, he says, may not be particularly concerned about getting caught. "Operational security of some Chinese attackers has occasionally been weak enough to suggest that they simply did not bother to cover their tracks thoroughly," he says.
The study says it considers the extent to which a country engages in, influences and attempts to lead international collaboration on cyber matters when making rankings of cyber capacity. But this measurement is biased towards Western countries, some experts say.
The report also does not adequately take into account actual cyberattacks and losses, Jenkinson says.
"The U.S will bear about 80% - $4.8 trillion - of an estimated $6 trillion global cybercrime costs and losses in 2021. That is around 20% of the U.S GDP. … The writing, without massive change and effort, is on the wall," Jenkinson says. The 2021 cybercrime cost estimation is based on hostile nation-state-sponsored attacks as well as organized crime gang hacking activities.