In February 2019 the International Institute for Strategic Studies (IISS) announced in a Survival article its intention to develop a methodology for assessing the cyber capabilities of states and how they contribute to national power.1 Here, we set out that methodology, use it to assess 15 countries, and draw out the overarching themes and conclusions.

This report is intended to assist national decisionmaking, for example by indicating the cyber capabilities that make the greatest difference to national power. Such information can help governments and major corporations when calculating strategic risk and deciding on strategic investment.

While other organisations have developed index-based methodologies,2 with most focusing principally on cyber security, our methodology is broader: it is principally qualitative and analyses the wider cyber ecosystem for each country, including how it intersects with international security, economic competition and military affairs.

The 15 studies represent a snapshot in time: the national circumstances of each state will of course evolve, and cyber strategies and investments will face challenges from many sources, including the COVID-19 pandemic. Nevertheless, for each state, most policies and trends in capability are likely to endure.

The studies have been conducted against the background of intensifying international confrontation in cyberspace. Several reference points can be cited by way of illustration. In 2015, China’s new military strategy declared that ‘outer space and cyber space have become new commanding heights of strategic competition’ between states.3 In 2016, the Unites States accused the Russian government, and President Vladimir Putin personally, of ordering a sustained information attack on the US presidential election.4 In May 2019, then-president Donald Trump foreshadowed a technology war with China if it continued its malign actions in cyberspace.5 In March 2020, Trump declared a national emergency in cyberspace,6 the fourth time in five years that a US president had done so. In April 2021, China referred to the US as the ‘champion’ of cyber attacks.7 A month later, the G7 foreign ministers’ meeting called on both Russia and China to bring their cyber activities into line with international norms.8 Overall, this report provides substantial further evidence that, for many countries, cyber policies and capabilities have moved to centre stage in international security.

The countries covered in this report are the US, the United Kingdom, Canada and Australia (four of the Five Eyes intelligence allies); France and Israel (the two most cyber-capable partners of the Five Eyes states); Japan (also an ally of the Five Eyes states, but less capable in the security dimensions of cyberspace, despite its formidable economic power); China, Russia, Iran and North Korea (the principal states posing a cyber threat to Western interests); and India, Indonesia, Malaysia and Vietnam (four countries at earlier stages in their cyber-power development).

We assess each country’s capabilities in seven categories: • Strategy and doctrine • Governance, command and control • Core cyber-intelligence capability • Cyber empowerment and dependence • Cyber security and resilience • Global leadership in cyberspace affairs • Offensive cyber capability