Executive Summary
The Belfer National Cyber Power Index (NCPI) measures 30 countries’ cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data.
In contrast to existing cyber related indices, we believe there is no single measure of cyber power. Cyber Power is made up of multiple components and should be considered in the context of a country’s national objectives. We take an all-of-country approach to measuring cyber power. By considering “all-of-country” we include all aspects under the control of a government where possible. Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.
The NCPI has identified seven national objectives that countries pursue using cyber means. The seven objectives are:
- Surveilling and Monitoring Domestic Groups;
- Strengthening and Enhancing National Cyber Defenses;
- Controlling and Manipulating the Information Environment;
- Foreign Intelligence Collection for National Security;
- Commercial Gain or Enhancing Domestic Industry Growth;
- Destroying or Disabling an Adversary’s Infrastructure and Capabilities; and,
- Defining International Cyber Norms and Technical Standards.
In contrast to the broadly held view that cyber power means destroying or disabling an adversary’s infrastructure (commonly referred to as offensive cyber operations), offense is only one of these seven objectives countries pursue using cyber means.
The overall NCPI assessment measures the “comprehensiveness” of a country as a cyber actor. Comprehensiveness, in the context of NCPI, refers to a country’s use of cyber to achieve multiple objectives as opposed to a few. The most comprehensive cyber power is the country that has (1) the intent to pursue multiple national objectives using cyber means and (2) the capabilities to achieves those objective(s).
The NCPI 2020’s Most Comprehensive Cyber Powers across all seven objectives are, from 1st to 10th: US, China, UK, Russia, Netherlands, France, Germany, Canada, Japan, Australia.
We present three different indices. The NCPI, the Cyber Intent Index (CII), and the Cyber Capability Index (CCI). Both the CII and CCI are stand-alone measures. The NCPI is a combination of CII and CCI.
We recognize that national cyber objectives are not composed in isolation: cyber capabilities are just one of the suite of tools, i.e. alongside traditional military means, diplomacy, public policy, punitive measures, and trade policy, available for countries to employ to achieve their national objectives.
The NCPI builds on existing databases that measure specific elements of cyber power and collates this data with multiple indicators that were sourced in-house. Our data analyses followed a rigorous methodology and procedure, all of which are available upon request.
We verified our analysis of national cyber strategies using natural language processing. We have correlated the NCPI composite indicator with relevant measurable phenomena (similar composite indicators but also relevant quantities e.g. GDP/capita, International Telecommunications Union Cybersecurity Index etc.) to identify similarities or differences.
The Cyber Intent Index reflects the different prioritization that some countries place on developing specific objectives and are therefore more important to their conceptualization of cyber power than others.
For the DPRK we could not find reliable measurements for many of the capabilities listed in our index. We have therefore asked several experts to provide us with their assessments of the different capabilities as they relate to the DPRK to inform the NCPI. Researchers and practitioners should bear in mind that the DPRK is a special case when referencing its NCPI score in comparison to the other countries in this index.
We have used a Min-Max normalization technique to rescale the cyber capability indicators because it: (1) best reflects our conceptual framework; (2) is most appropriate for the data properties; and, (3) can be easily interpreted by users. The intent part of our formula can be considered as equivalent to a weight.
Researchers and practitioners should use the NCPI to gain a more comprehensive understanding of the components that comprise cyber power and how cyber means can be employed to achieve a range of objectives. Users who are interested in a specific national objective can analyze the NCPI by both intent and capabilities by objective to better understand their country of interest.
In this paper we contrast the NCPI with existing cyber-related indices, outline our conceptual framework, provide guidance on how to interpret our findings, share the methodology for scoring intent, capabilities and the composite indicator, list the sources we used, and provide an overview of the limitations of our approach.
The purpose of the NCPI is to broaden the discussion on cyber power to reflect that it can be applied to achieve more than destructive capabilities and that it is an important tool for governments to achieve multiple objectives. We believe that further transparency around national cyber objectives and capabilities is needed to make more relevant and effective policy and prevent dangerous escalation between countries. We hope that the NCPI helps move the discussion on cyber power and the utility of increased transparency around capabilities, forward.
Full version contents:
1. Introduction
2. National Cyber Power Index 2020
3. Conceptual Framework
4. Methodology and Discussion
5. Conclusion
Annex A. NCPI Plot Charts by Objective
Annex B. Detailed Explanation of Intent Indicators by Objective
Annex C. Detailed Explanation of Capability Indicators
Annex D. Radar Charts of All Capabilities by Country
Download the full report:
Access the dataset: