As cyberwarfare has become a standard tool of international politics, it is important to recognize that the balance of power among great powers includes a cyber element. The intent of this article is to provide an assessment of the balance of cyberpower. Cyberpower includes computer network exploitation (CNE), which is using information technology (IT) to spy on others’ information technology, and computer network attacks (CNA), which is using information technology to shut down, disrupt, or deny another’s IT. In this article, we consider the capabilities of significant cyberpowers, including the United States, China, and Russia. These are the “cyber superpowers” of contemporary international politics. The cyber capabilities of these states must be conceived of as, in the case of the United States, the equal of its landpower, airpower, or seapower. Moreover, in the cases of China and Russia, their cyberpower is more effective than their conventional capabilities. Furthermore, while not the equal of the three “cyber superpowers,” there are other important actors in cyberspace, including Estonia, France, India, Iran, Israel, and North Korea.
The United States continues to be the leader in cyber capabilities. This should not be a surprise as it invented the internet and was “present at the creation.” Additionally, the United States has a long history of conducting CNE and manipulating IT to advance its intelligence collection and military objectives. As with the development of the internet, many critical technological developments and capabilities originated in the United States. The classified information leaked by Edward Snowden provided insight into the extensive capabilities of America in both defensive and offensive weapons. This broad array of cyber tools provides policymakers with strategic flexibility and options they did not possess before the dawn of the cyber age. A now classic example is the 2010 United States and Israeli development and execution of Operation Olympic Games, now widely known as the Stuxnet virus. The famed attack caused destruction to Iran’s nuclear centrifuges and delayed their nuclear development process. This was the first publicly known instance of a cyberattack causing physical destruction. Indeed, the Stuxnet virus was only the tip of the iceberg. The United States had reportedly executed broader missions that would enable the United States to launch cyberattacks and cripple many critical systems in Iran. We should expect and anticipate that similar CNA capabilities have been developed for use against the adversaries of the United States.
Historically, the deployment of a new weapon has been met with a response. While cyber capabilities have offered policymakers a new range of options, they have also set a negative precedent regarding the establishment of international norms regulating the use of cyber weapons. As noted below, since 2010, the aggressiveness of U.S. adversaries has only increased in the cyber realm. Though the United States retains the overall advantage in cyber capabilities, China, Russia, and others have developed and are certainly determined to use these capabilities as well. Finally, as artificial intelligence (AI) and quantum computing increase in importance, it should be noted that it is not a given that the United States maintains its dominance in these fields. In 2017, Vladimir Putin noted that “whoever becomes the leader in [AI] will become the ruler of the world.” China has certainly taken that to heart, which guarantees a modern arms race in the development and military exploitation of quantum computing and AI.
China has advanced cyber capabilities but has, at least thus far, been focused on network exploitation rather than network attacks. China’s relentless use of cyber espionage has angered the United States, as the CNE attacks have stolen prodigious amounts of data to advance China’s intelligence and military capabilities, as well as to provide a boon to the Chinese economy and corporations by allowing them to reduce research and development costs. The Chinese have been able to successfully penetrate the most advanced weapons systems. Naturally, they have in particular focused on U.S. defense contractors and have used the stolen data to close the gap in traditional weapons capabilities. China has pushed, and indeed surpassed, the limits of normative behavior regarding network encroachment. Of the publicly known events, one of the most significant and damaging for America was China’s 2015 data breach at the United States’ Office of Personnel Management. This penetration included the compromise of personal data of over 20 million people, including many in the intelligence community.
There are two broad points worth noting regarding China’s emphasis on network exploitation rather than network attacks. First, China has thus far engaged in cyber behavior that is designed to not elicit a strong military action from the United States. Accordingly, China has exercised a degree of caution, no doubt due to a concern about the escalation of conflict from the cyber realm to the kinetic. Though China’s decisions to refrain from network attack should not be seen as an absence of its cyber ability, there are some limitations to China’s capabilities and cyber strategies. Second, China’s capabilities and strategies point to a reactionary position relative to the United States. China has yet to demonstrate capabilities that would enable it to leapfrog the United States. At the same time, the United States cannot be complacent. China is devoting tremendous resources to achieve domination in the cyber realm and to maintain that dominance as cyber evolves to include quantum computing and AI.
The Russian capabilities are exceptional—mature, developed, and providing flexibility for decisionmakers—and the Russians have been innovative in their deployment in different conflicts. In addition to extensive CNE capabilities, Russia has been more than willing to put CNA at the center of its coercive strategies. Depending on the specific geopolitical environment, Russia has generally been successful in adapting its cyberattacks to advance its interests in a variety of situations. In 2007, it set a precedent by being the first state to launch a cyberattack against another state, in this instance Estonia. This attack was a simple DDoS attack that did not result in significant damage but heavily influenced Estonia’s, and NATO’s, threat perception regarding the cyber weapon. In the 2008 war with Georgia, Moscow utilized cyberattacks as part of its general war strategy. The cyberattacks disrupted Georgian communications and formed part of a wider psychological operation within the war campaign. Additionally, the extent of Russia’s cyber capabilities has been evident in Ukraine, where cyberattacks were more sophisticated and resulted in a new level of damage. Several high-profile attacks are worth noting. The first was a 2015 attack on a power grid that resulted in a blackout for several hundred thousand consumers. The blackout took place in December and lasted for several hours, thus endangering the lives of Ukrainian citizens. Cyberattacks have also resulted in terabytes of data being deleted, including important information in the Ukrainian treasury. The notorious NotPetya cyberattack that cost ten billion in damages also started as a cyberattack against Ukraine. Together, this has caused experts to wonder if Russia is using Ukraine as a testing ground to develop and perfect its CNA capabilities.
Most of Russia’s cyberattacks have been used in asymmetrical conflicts where it has possessed escalation dominance, meaning that other countries cannot or have no incentive to escalate to a higher level of conflict. Notably, the 2016 United States presidential election hacking campaign was different in the sense that Russia was not in a position of escalation dominance. Instead of using its cyber capabilities to coerce or punish a weaker state, it aimed to use cyber capabilities to influence the U.S. election—as is now well known—through exceptional hacking skills to penetrate politically sensitive information and leak it via WikiLeaks. The impact of the cyberattacks on the election results can be debated and their effectiveness is ambiguous at best, but it is certain that the attacks highlighted Russian deployment of the cyber weapon to influence elections and, no doubt, other targets. All of this was done as an influence operation—another arrow in their covert action quiver. Perhaps Russia’s greatest asset in its cyber arsenal is its innovation and its willingness to conduct cyberattacks against its adversaries.
Naturally, there are limits to Russia’s abilities as well. As America and Israel experienced with Stuxnet, once Russia has used a certain strategy, other potential adversaries have the opportunity to better prepare themselves. While Russia’s cyberattacks in Ukraine can be seen as Russia fine-tuning its cyber capabilities, they also provide the West an opportunity to study Russia’s newest capabilities. Once certain capabilities and tactics are known, it is easier to improve defensive capabilities. For example, Russia’s election hacking was not as effective in the Dutch, French, German, or Italian elections as it might have been in prior cases. Finally, the Russian attack on Estonia demonstrates that the deployment of the cyber weapon, as with kinetic weapons, generates substantial countermeasures and increases the determination of the defender to ensure its vulnerability is reduced through cyber defenses and, more significantly, through the mobilization of the population to address the threat.