- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
My newest book, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Era, comes out today. Here’s a teaser excerpt—if you’d like to read more, the book can be purchased on Amazon.
As with other types of power, there are the great cyber powers, the middling and lagging, and those that punch above their weight. The strongest have four components: large or technologically advanced economies; public institutions that channel the energy and innovation of the private sector; adventurous and somewhat rapacious military and intelligence agencies; and an attractive story to tell about cyberspace.
Size matters. Economic and technological power is essential. States have an almost unassailable advantage over competitors if their companies develop the routers and servers that carry the Internet’s data, the phones and personal computers that people use to communicate, and the apps and web services that serve as gateways to the Internet.
A shared mission. Critical to cyber power is a government’s ability to work with the private sector. This interdependence is the source of nation-state capabilities and vulnerabilities and is most prominent in defense; private firms own the vast majority of telecom, energy, and transportation networks. National cybersecurity “has to be a shared mission,” said President Obama at a February 2015 cybersecurity summit in Palo Alto. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone.”
Rapaciousness wanted. The third component of cyber power is adventurous and inventive military and intelligence agencies. Forty-one nation-states have cyber warfare doctrines; seventeen reportedly have offensive capabilities. It is cheap and easy to break into machines, but much more difficult to design an attack that creates real impact. That takes significant intelligence, analysis, and research and development. While poorer states can invest a relatively small amount in developing disruptive capacities, those with the greatest resources will be at the cutting edge. By some estimates, the United States spends three to four times more on cyber offense than it does on defense.
The cyber stories we tell. The final component of cyber power is an attractive narrative of cyberspace. Over the last two decades, the United States has advocated, often in tandem with technology and Internet companies, for norms of open access and free speech with minimal government interference and surveillance. While the Internet originated in a defense-sponsored network, the ARPANET, its rapid expansion owed to private actors and a decentralized model of governance. Strong cybersecurity, especially by companies and individuals, was deemed a value in itself and promoted as an enabler of the free flow of information. The 2011 White House International Strategy for Cyberspace condensed all of this into one phrase, stating that the United States will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.”
The True Cyber Superpowers
Few countries manage to put all four of the building blocks together. China and the United States are the only true cyber superpowers, with Russia standing just in the wings. China and the United States both have large numbers of web users and competitive technology companies. Beijing and Washington have created new political institutions and identified cyber as a strategic priority. Their cyber operations, for the purposes of espionage and sabotage, have pushed the envelope of what is acceptable in cyberspace. And both countries have tried to convince others that their mode of governing the Internet should drive the international conversation.
Russia meets all the criteria of a great cyber power but one. Cybersecurity experts often list Russian hackers as the best in the world. Unlike the Chinese, they are stealthy, leaving no clues that they are in a network. “I worry a lot more about the Russians” than the Chinese, Director of National Intelligence James Clapper told a conference at the University of Texas in 2014. Just over a year later, Clapper told Congress, “The Russian cyber threat is more severe than we have previously assessed.”
But Russia does not have a long game. It is losing the competition to produce the technologies and services that are shaping cyberspace. Kaspersky, the Russian cybersecurity firm, is the exception with 400 million users, $667 million in sales, and a record of exposing some of the highest-profile security incidents, including Stuxnet and the Carbanak cybercrime ring. China’s Xiaomi is now the world’s third-largest maker of cell phones and sold 60 million handsets in 2014. YotaPhone, a dual-screen Russian phone, hoped to sell 1 million in the same year. Telegram, a Russian mobile messaging app, has about 35 million users compared to Tencent’s WeChat with 440 million. Chinese technologies are used throughout Southeast Asia, Africa, and Latin America. Russia’s dream of a Silicon Valley overlooking the Moskva River remains elusive. Anticorruption officers raided the offices of the tech incubator in April 2013, official and unofficial statistics suggest an exodus of technology talent, and investment has evaporated.
Other states and political entities may be able to check two or three of the four boxes. The United Kingdom, Germany, and France have the potential to develop significant offensive cyber power but have so far shown restraint. Israel has technological innovation and military flexibility but is happy to follow the United States’ lead in Internet governance. Estonia, the birthplace of Skype and dozens of technology start-ups, punches above its weight. Its government is at the vanguard in designing new domestic institutions for cybersecurity and in defining norms of international behavior.
North Korea and Iran also have outsized influence. Pyongyang has no global technology companies, much less assured electricity for the entire country, and only a small number of people are allowed access to Kwangmyong (bright star), the officially sanctioned intranet at universities, government offices, and a small number of cafes in the major cities. Perhaps a thousand political elites have access to the global Internet, but North Korean hackers are not shy about launching disruptive and destructive attacks. Tehran has committed relatively few resources but has used cyberattacks as an important part of its asymmetric competition with the United States and its regional adversaries, Israel, Saudi Arabia, and the Gulf states.