China’s Cyber Ability Decade Behind US: Study

China will be unable to equal the U.S.’s cyber capabilities for at least a decade, according to a new study by the International Institute for Strategic Studies.

Monday’s Financial Times reported the IISS study found that Beijing’s strength as a cyber power is being undermined by poor security and weak intelligence analysis.

“On every measure, the development of skills for cyber security in China is in a worse position than it is in many other countries,” said Greg Austin, an expert in cyber, space, and future conflict at the IISS.

Austin added that perception of China being a cyber power was “exaggerated” due to media reports focusing on such things as Beijing’s desire to become a global leader in artificial intelligence.

The IISS ranked countries on a variety of cyber capabilities such as the maturity of their intelligence and security functions, the strength of their digital economies, and how well cyber facilities were integrated with military operations.

The study said only the U.S. is ranked as a “top tier” cyber power, with China, Russia, the United Kingdom, Australia, Canada, France, and Israel in the second tier. The third tier includes India, Indonesia, Japan, Malaysia, North Korea, Iran, and Vietnam.

The U.S. and allies, however, increasingly were at risk of ransomware attacks.

China and Russia have excelled in offensive cyber operations — online spying, intellectual property theft, and disinformation campaigns against the West. That was seen in recent hacking campaigns, with Russia’s foreign intelligence service having hijacked SolarWinds software to penetrate government targets in Washington; and suspected Chinese state-backed hackers compromised Microsoft email software to probe U.S. non-governmental organizations and think tanks.

However, the IISS study said both China and Russia were held back by comparatively loose cyber security compared with their competitors.

The IISS said China’s focus on “content security,” or limiting politically-subversive information on its domestic internet, might have affected  its focus on policing the physical networks that transport it.

Also, China being driven by ideology and “increasingly enmeshed with … the political goals” of Communist party leaders has led to the country’s analysis of cyber intelligence being “less mature” than that of the U.S., U.K., Canada, Australia, and New Zealand, according to the IISS.

Global dynamics are being reshaped by the information age, with traditionally powerful countries (e.g. India and Japan) being surpassed in terms of cyber operations by smaller countries (e.g. Israel and Australia).

The U.S. was the only top-tier country due to an unparalleled digital-industrial base, cryptographic expertise, and the ability to execute “sophisticated, surgical” cyber strikes against adversaries, the study determined.

The U.S., unlike China and Russia, also benefited from close alliances with other cyber powers.

Still, as recent ransomware attacks on Colonial Pipeline and Ireland’s health service last month showed, the U.S. and its allies are threatened by independent Russian criminal hackers whose activities apparently are tolerated by authorities.

Robert Hannigan, former director of the U.K.’s intelligence agency Government Communications Headquarters, said he agreed with many of the IISS conclusions but questioned how much China and Russia would be held back by weak cyber defenses.

“While it is true that cyber security is less well developed in Russia and China, they need it less urgently than open western economies,” Hannigan said. “The threat is not symmetrical: western economies are under siege from cyber criminal groups based in and tolerated or licensed by Russia — the same is not true in reverse.”

Hannigan added that the West demands higher levels of cyber security because Russia agencies “have license to be reckless,” unlike the U.S. and its allies.