The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: The United States is still number one in cyber capabilities

with Aaron Schaffer

The United States remains by far the world’s most cyber-capable nation with no major competitors for the title.

That’s the conclusion from a mammoth 182-page report released today by British think tank the International Institute for Strategic Studies that reviews the cyber capabilities of 15 of the world’s biggest players in hacking and digital defense. The report assesses both government and private-sector capabilities.

The report relegates the most troublesome U.S. adversaries, Russia and China, to a second tier of cyber powers. That group also contains the United Kingdom, Canada, Australia, Israel and France. 

However, China’s rapid digital development and its growing slate of technology firms make it “the only state currently on a trajectory to join the U.S. in the first tier of cyber powers,” the authors warn.

The report marks a major endorsement for U.S. cyber capabilities, which have been called into question by a string of major cyberattacks by Kremlin-linked hackers and Russia-based cybercriminals. It also comes as U.S. officials are struggling to temper the global growth of Chinese tech firms, which they fear could give Beijing a critical edge in cyber competition. 

“China has made significant progress in bolstering its capabilities since 2014, but nowhere near enough to close the gap with the U.S.,” said IISS Senior Fellow for Cyber, Space and Future Conflict Greg Austin. “The main reason is the relative standing of the two nations’ digital economies, where the U.S. remains far advanced despite China’s digital progress.”

Yet all of the U.S. advantages in cyberspace haven’t kept it safe. 

American companies and government agencies are being pummeled by less capable nations — including not just Russia and China but also Iran and North Korea. And U.S. government hackers are less likely to punch back because they’re trying to follow rules of good behavior in cyberspace that their adversaries ignore, according to the report. 

“The ways in which the U.S. wields its cyber power appear politically and legally constrained when compared with its main cyber adversaries,” the report notes.

It adds that “factors have combined to give the adversaries of the U.S. an edge in the use of unsophisticated cyber techniques that are aimed at subversion but pitched below the legal threshold for an act of aggression that might justify an armed response.”

In other words, U.S. officials can't legally justify responding to most adversary hacks by counterpunching with traditional arms or cyberattacks. But more measured responses, such as economic sanctions and indicting hackers, have done little to deter adversaries. 

IISS places Iran and North Korea in a third tier of cyber capability along with India, Japan, Indonesia and Malaysia. 

The United States has essentially led the cyber pack since the 1990s. 

That dominant position is due to many factors including:

  • Dominant military capabilities in both offensive and defensive cybersecurity
  • A world-leading cadre of U.S. technology and cybersecurity companies that help protect domestic industry and foster cyber talent
  • A highly evolved government approach to cybersecurity and managing hacking risks

The think tank places Russia and China behind U.S. allies such as the United Kingdom, France and Australia when it comes to investing in protecting industry against cyberattacks.

But they’re far ahead of those U.S. allies when it comes to launching offensive hacking operations. 

“In their development of offensive cyber mass, the scale of their respective operational experience, their proven reach on cyber espionage and the clarity of their political direction and doctrinal thinking, China and Russia probably surpass all other states except the U.S.,” the report states. 

The most important factor for a country’s overall cyber capability is having a cadre of domestic companies focused on information and communications technology that can develop cyber expertise, the report finds.

That’s what gives China, with its raft of growing tech and telecoms firms, the best chance of challenging the United States’ top-tier position. 

It also means tech-savvy Japan is most likely to move into the second tier, despite being relatively weak in cyber capabilities now.

Report watch

Report: A major cyberattack could cause more economic damage than a devastating hurricane.

The economic damage from a significant cyberattack could be worse than the loss caused by a major hurricane or other extreme weather event, according to a study out today from the Foundation for Defense of Democracies and the insurance firm Intangic. The study was shared in advance exclusively with The Cybersecurity 202.

One main reason is that the indirect effects of a cyberattack, such as the damage to a company’s reputation and to its ability to attract investors and creditors, are far costlier in the long term than the property damage from extreme weather.

Hackers could cause about $80 billion worth of damage with a particularly widespread cyberattack, the report estimates. That’s compared with about $65 billion in damage due to Hurricane Sandy. The fictional but far from outlandish scenario for that attack involves hackers cracking into a company that provides digital services to thousands of other firms and then launching coordinated ransomware attacks targeting the firm and many of its clients.

The study is based on public data and a method for rating companies’ cyber risk developed by Intangic, which was formerly named Cyberhedge. Intangic qualitative research lead Chris Nolan co-wrote the study with FDD Deputy Director Annie Fixler. 

The keys

Microsoft revealed another hacking operation by the Russian group behind SolarWinds.

The hackers compromised a Microsoft customer service account and used the information to try to hack Microsoft customers, the company said.  

Microsoft discovered the operation while investigating an earlier breach by the group. It publicly released information about the operation after a warning to customers was seen by Reuters’s Joseph Menn. 

Hackers also launched a broad phishing campaign that breached three Microsoft customers, the company said. The incidents appear to be “largely unsuccessful, run-of-the-mill espionage,” according to a White House official.

Consultants have finished recounting ballots for Maricopa County’s partisan audit.

The most public phase of the partisan audit, which was fueled by baseless election fraud claims, has ended and a final report on its findings is now weeks to months away, the Associated Press’s Jonathan J. Cooper and Bob Christie report. The recount was ordered by the state’s Republican-led Senate, which signed a contract with the Florida cybersecurity firm Cyber Ninjas to lead the effort.

The company did not have election or auditing experience before the election. Its CEO, Doug Logan, has boosted baseless theories that the 2020 election was marred by fraud.

Meanwhile, Arizona’s Republican-controlled House moved to weaken the powers of Secretary of State Katie Hobbs (D), who has been an outspoken critic of the audit. The chamber passed measures that would make the state attorney general’s office the “sole authority” to defend Arizona election laws. The measures were already approved by the state Senate, and Gov. Doug Ducey (R) is expected to sign them into law.

Former members of Congress are registering to lobby for a Chinese surveillance giant.

Hikvision is turning to the former lawmakers as the company wrestles with the U.S. government’s severe restrictions on its U.S. operations, Drew Harwell reports.

Former eight-term U.S. representative Anthony “Toby” Moffett (D-Conn.) is representing Hikvision, as is former senator David Vitter (R-La.).

The Biden administration this month banned Americans from investing in Hikvision after years of accusations that the company is tied to Chinese government spying and helping enable repression of the country’s Uyghur minority. Hikvision did not respond to requests for comment. 

Cyber insecurity

Mercedes-Benz USA accidentally puts out data from nearly 1,000 customers (Reuters)

Ukrainian member of FIN7 cybercrime gang sentenced in United States (Reuters)

Industry report

Major government contractor Booz Allen helps cyber victims pay ransoms—exactly the opposite of U.S. policy (Forbes)

Encryption wars

Amazon buys encrypted message platform Wickr (Financial Times)

Government scan

NIST defines 'critical software' under the cyber EO (FCW)

Chat room

The Hints from Heloise column is a little out of its depth when it comes to password security. From cybersecurity journalist Brian Krebs:


  • Deputy national security adviser Anne Neuberger discusses cybersecurity policy at a Silverado Policy Accelerator event on Tuesday at 9:30 a.m.
  • Officials from the Cybersecurity and Infrastructure Security Agency discuss the ways businesses can secure themselves from cyber threats at a U.S. Chamber of Commerce event on Tuesday at 11 a.m.
  • Sen. Angus King (I-Maine) and FireEye CEO Kevin Mandia discuss cybersecurity issues at a Washington Post Live event on Tuesday at 2 p.m.
  • John Sherman, the Pentagon’s acting chief information officer, testifies before a House Armed Services subcommittee on Tuesday at 2 p.m.
  • The House Energy and Commerce Committee holds a hearing on cybersecurity legislation and securing U.S. networks on Wednesday at 10:30 a.m.
