Australia’s cyber power is more bark than bite
Australia scored number eight out of 30 major nations for “cyber intent” in the National Cyber Power Index 2020 (NCPI) published earlier this month, but only number 16 for “cyber capability”.
That capability gap pulls Australia down to number 10 after, in order, the US at number one, China, UK, Russia, Netherlands, France, Germany, Canada, and Japan.
Looking at individual data points, Australia is way down in an unsurprising 24th place when it comes to fixed broadband speed, behind Ukraine and only just ahead of Vietnam.
It’s down at 16th place for internet freedom, scoring 72 out of a possible 100 points. The five leading nations in this category were Sweden, Netherlands, New Zealand, Switzerland, and Estonia.
Australia is in the bottom half of the 30 ranked countries in things such as patent applications per capita; the number of global top 100 firms in all three tracked categories of tech, cyber, and surveillance; its military strategy and centralised cyber command; and its total number of cyber military personnel.
Australia is number five in e-commerce per capita, however. It’s also number five for mobile data speeds, after South Korea, China, Canada, and the Netherlands.
The NCPI was compiled by the Belfer Center for Science and International Affairs at the Harvard Kennedy School as part of its China Cyber Policy Initiative.
The methodology detailed in the report is complex, and it makes some assumptions which cause your correspondent to have some doubts about the index’s effectiveness.
The key issue is that the report is based entirely on publicly-available information, which means that secretive nations may be misrepresented. The researchers acknowledge this, however.
“We recognise that countries deliberately choosing to be opaque will be vastly under-ranked in the index. We suspect that Israel falls into this category,” they wrote.
“We also strongly believe that ‘Amassing Wealth or Extracting Cryptocurrency’ is a top objective of some countries and that they employ cyber means to achieve it. Unfortunately, we were not able to collect sufficient data … to measure each country against this objective.”
Cyber power isn’t just about destroying infrastructure
Unlike previous attempts to rank nation-state cyber power, the Belfer Center has attempted to include “all aspects under the control of a government where possible”.
“Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation,” they wrote.
“Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.”
The NCPI identified seven national objectives that countries might pursue using cyber means.
They’re listed as: Surveilling and monitoring domestic groups; strengthening and enhancing national cyber defences; controlling and manipulating the information environment; foreign intelligence collection for national security; commercial gain or enhancing domestic industry growth; destroying or disabling an adversary’s infrastructure and capabilities; and defining international cyber norms and technical standards.
“In contrast to the broadly held view that cyber power means destroying or disabling an adversary’s infrastructure (commonly referred to as offensive cyber operations), offense is only one of these seven objectives countries pursue using cyber means,” they wrote.
The Belfer Center reviewed more than 1,000 existing sources of data and developed 27 unique indicators to measure a state’s cyber capabilities.
Beyond the top 10 scorers already listed, the nations studied were ranked from Israel at number 11, down through Spain, Sweden, Estonia, New Zealand, South Korea, Switzerland, Singapore, Malaysia, Vietnam, India, Turkey, Iran, Brazil, Ukraine, Saudi Arabia, Lithuania, Italy, and finally to Egypt at number 29.
North Korea was not given a ranking in the charts.
Morrison government is more rhetoric than action: Labor
The Labor Party has attempted to generate political capital with the NCPI, noting that while Australia is now in 10th place overall, it scored a far more impressive third place in a 2011 index produced by the Economist Intelligence Unit and Booz Allen Hamilton.
“This is yet another example of the Morrison government’s approach of rhetoric over action while failing to prioritise cyber at both an industry and government level,” wrote Tim Watts, the Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, last week.
“The biggest gap between intent and capability is in our offence, with Australia placing 10th in intent yet only 24th in capability — particularly lagging in the capability of our domestic industry to realise high-tech export opportunities.”
The government’s much-delayed 2020 Cyber Security Strategy lacks any objectives or initiatives to support the Australian cyber security industry, Watts said, noting that Australia ranked eighth in intent for the commercialisation of its cybersecurity capability, but only 12th when it came to capability.
While your correspondent has noted that the government strategy is certainly disappointing, vague, and unambitious, Labor’s comparison with the 2011 ranking is a furphy.
As the NCPI notes, that 2011 index “does not measure offensive capabilities, and focuses largely on economic and resource indicators — which although are important to understanding the potential for developing cyber power does not provide the fullest picture of cyber capabilities”.
Labor also chose not to compare the NCPI ranking with the International Telecommunications Union’s Global Cybersecurity Index [PDF] of 2018, where Australia came in at number 11.
As a nation with a higher cyber intent but lower cyber capability, Australia is “actively signalling to other states that they intend to develop their cyber capabilities”, said the NCPI.
However, such nations have either not yet disclosed their capabilities, through stated or demonstrated means, or currently don’t have the capabilities at hand to achieve their cyber goals.
The bad guys: China, Iran, North Korea
According to the NCPI, some 29 countries are seen to be pursuing legal wealth generation via cyber means, such as developing their cybersecurity industries.
“Only one country was observed pursuing it via illegal means — DPRK [North Korea],” the researchers said.
“Only one country was assessed to have not demonstrated its wealth generation intent at all — Egypt.”
China tops the NCPI’s list for the objective “growing national cyber and technology competence”.
“Along with DPRK and Iran, China is one of only three countries assessed to be pursuing this objective through both legal and illegal means,” they said.
“[China] has been both observed conducting industrial espionage and sought to incentivise and grow its domestic cyber expertise through research and development, and public-private partnerships.”