Tony Craig is a PhD candidate in the Department of Politics and International Relations at Cardiff University. Brandon Valeriano is a Reader at Cardiff University, the Donald Bren Chair of Armed Politics at the Marine Corps University, a fellow at the Niskanen Center, and author of Cyber War versus Cyber Realities on Oxford University Press.
The fear brought on by Russia’s hacking of the Democratic National Committee (DNC) has been profound. This is part of a broader concern over Russia’s growing activity in cyberspace, which includes disputes against Estonia, Georgia, and Ukraine. One recent commentator notes the “impressive” increase in Russia’s cyber capabilities given its frequent use of cyber tactics against rival countries. Another source claims that Russia has overtaken the United States in cyber capabilities because of its use of troll armies to launch cyberattacks. The mistake they make, however, is equating a greater usage of cyber aggression with an increase in capabilities.
Russia is suspected of being behind a number of high-profile cyber incidents. In the last decade, the Kremlin is thought to have orchestrated the disruption of Estonia’s banking and government services, the defacement of Georgian websites, the Ukraine power grid hack, the compromise of the DNC during the U.S. election, and a phishing campaign against U.S. think tanks.
While these incidents are a cause for concern, the use of cyber tactics cannot be used as an indicator of cyber capability for two reasons. First, an actor that uses cyber aggression with more frequency is not necessarily a more capable one. Spraying a target with continual cyberattacks is no guarantee that you can hit a target with any effectiveness. A more capable actor may, in fact, be less willing to reveal its cyber tools, since once used, rivals can learn from the attacker’s methods and patch vulnerabilities.
Second, cyberattacks involve varying levels of sophistication depending on the target and the aims of the attacker. For instance, to punish Estonia for removing a Soviet statue, Russia allegedly chose to flood Estonian websites with junk traffic, causing them to crash. On the other hand, to steal information, Russia is suspected of choosing phishing methods to infect computers with the necessary malware. These examples cannot lead to a conclusion that Russia has increased its cyber capabilities, only that Russia used different tools for different purposes.
So how can cyber capabilities be measured absent the hype? Capabilities refer to the set of resources and assets the state possesses that increase its potential to carry out its aims. In conventional warfare terms, capabilities are measured by factors like the country’s population, industrial capacity, technological advancement, or the size of its military forces. In cyberspace, capabilities refer to the state’s resources and assets that help it achieve its goals in cyberspace, such as numbers of hackers, the level of expertise in computer science, and malware sophistication. There is only anecdotal evidence of Russia’s ability in these areas, and a more systematic investigation is lacking. The impact of these factors is also crucial. True, there are reports of the changing organisational structure of Russia’s cyber troops, but to really understand what an advancement in capabilities means, observers need to understand how these developments lead to increased effectiveness on the cyber battlefield.
Even if Russia, China, or other actors are increasing their cyber capabilities, these advances should not be conflated with cyber power. Power is measured by the actual influence exerted or the outcomes brought about. When commentators talk about cyber threats, they often only discuss the hackers’ initial achievements in gaining access to networks or bringing down websites. Although this may be a successful cyber operation on the surface, it may not lead to victory in the strategic sense that a rival state has succumbed to another’s will and changed its behavior. The DNC hack likely had some small impact on the U.S. election, but Clinton’s failure to engage the Rust Belt, the FBI note on a continuing investigation days before the election, and dissatisfaction with immigration and identity politics all likely had a greater impact on events than hacking.
Policy needs to be informed by empirical evidence rather than projected fears. Overall, there has been a remarkable level of restraint in the cyber domain, but mistakenly perceiving increases in capabilities may trigger security competition and arms races that will threaten the dramatic progress digital connectivity brings to society. We are not in a cyber world war, but at cyber peace. Maintaining this will be an active project aided by sober analysis that cuts through the hyperbole.