Countries like Canada, Japan and Australia figure in the top 10, casting doubt on whether this is a serious effort or just one of the many publications that emerge from organisations all over the US (and many other countries too) in order to bolster the US Government's policies. That it comes close to election time tends to increase the cynicism of one who has seen numerous exercises of this kind over the years, all meant to push the American point of view.
The document has been produced as part of the school's China Cyber Policy Initiative. In its preface, written by Eric Rosenbach, a co-director of the Belfer Centre and former chief of staff and assistant secretary of the US Defence Department, there are snide references to China thus:
"The canonical cyber-attacks of the past decade are one important source of data that illustrates the effort by states to extend their influence and power in the cyber domain. Through diplomatic efforts at the UN, however, some states increase their cyber power by hoping to proliferate their own authoritarian models of internet governance. In other fora, state representatives seek to shape the technical standards that govern the fabric of the Internet to gain dominance in the geopolitics of technology and information."
Rosenbach also gilds the lily no end, referring to the authors of the paper, which is ambitiously titled National Cyber Power Index 2020, as "...a smart, creative, and hard-working team" that has created an "innovative and intellectually illuminating study on cyber power. This is important work in both academia and the real world: the study threads the needle of providing robust academic insights in a policy-relevant model."
Such effusive praise is misplaced. This study makes constant excuses for its inability to obtain necessary information. That the team is wet behind the ears is evident from this: "The Belfer National Cyber Power Index measures 30 countries’ cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data."
Publicly available data? Most of the data on cyber attacks and defence is normally available only from anonymous sources, and much of it has to be believed only after verifying things from multiple sources in different domains.
No country announces that it has carried out a cyber attack as that would put its attackers at risk and limit their ability to go into business once they leave the ranks of the intelligence service they serve. Depending on publicly available data is a dead end.
The 30 countries that are ranked are Australia, Brazil, Canada, China, North Korea, Egypt, Estonia, France, Germany, India, Iran, Israel, Italy, Japan, Lithuania, Malaysia, the Netherlands, New Zealand, South Korea, Russia, Saudi Arabia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, the UK, the US, and Vietnam.
The seven national objectives that the centre used were:
- surveilling and monitoring domestic groups;
- strengthening and enhancing national cyber defences;
- controlling and manipulating the information environment;
- foreign intelligence collection for national security;
- commercial gain or enhancing domestic industry growth;
- destroying or disabling an adversary’s infrastructure and capabilities; and,
- defining international cyber norms and technical standards.
The reliability of the NCPI is decreased further by the fact that non-state actors are not factored in when ranking countries. It is a fairly well-known fact that numerous governments outsource their dirty work to private contractors to give themselves plausible deniability and not taking this factor into account weakens any conclusions reached by the centre.
The centre admits it had difficulty with translated documentation which it says may not be entirely accurate. It also admits that it had problems when information was not available in the public domain.
Practically all of the sources cited in the study are American. But the Australian Strategic Policy Institute, a defence industry lobby group based in Canberra, is also mentioned, though just once. Think-tanks are prominent among the sources, with the group BellingCat, a US funded outfit, also earning a guernsey.
There is a vast amount of information to be gained from sources like mailing lists, Twitter, the dark web and numerous other places but it does not look like any of the authors ventured to glean data from these sources. This looks like a study done from the comfort of an office.
Given that all countries are scored for each objective and graphs then prepared, this ends up looking like some typical statistical project. One is left wondering why there was unquestioning coverage of this effort in publications like the Economist.