There was a sense of relief in the headlines in the Financial Times last week: “China’s cyber power at least a decade behind the U.S.” This was the reaction to a substantial report by the International Institute for Strategic Studies (IISS), which found that the United States alone is able to deploy world-leading capabilities in all aspects of the cyber domain, relegating China to tier-two status. These findings seemed to offer a respite from the more usual narrative in the West that China will soon achieve a dominant position in cyberspace, if it has not already. So should Western policymakers relax? Not quite.
Why Comparison Is Difficult
First, it is important to recognize the challenges in assessing a state’s cyber capabilities. A large part of the problem is in measuring the effects of cyber operations, particularly at the strategic level. Possessing a capability is only part of the story. The ultimate test is deploying that capability with a coherent strategy in ways that achieve the intended outcomes and provide a benefit that outweighs the costs. When two fighters enter the ring, the tale of the tape (the opponents’ pre-fight measurements and weights) is only one part of the equation.
Second, China is pursuing a distinctive strategy in cyberspace. More than any other domain, cyberspace affords nations opportunities to shape their environment and exploit it in innovative ways. Because Chinese cyber strategy displays a clear preference for operating below the threshold of direct confrontation, a direct comparison to the United States or any other state would not adequately capture China’s strengths in cyberspace. In this way, the boxing analogy breaks down, as the competitors are each determined to dictate the design of the ring, and they have very different ideas about the rules of the contest.
Stealing Secrets Abroad, Controlling Information At Home
Assessing the effects of Chinese cyber operations requires analysis of external operations focused on espionage and domestic operations focused on the control of information. Espionage operations have comprised theft of intellectual property, extraction of personal data, and access to strategic systems. The mass exploitation of vulnerabilities in the Microsoft Exchange Server email system, discovered in March 2021, together with the 2015 theft of sensitive data on millions of individuals connected to the U.S. government, represent the scale and aggression with which China pursues access to such information and systems. The theft of secret data on the development of the F-35 fighter jet is one of the most prominent examples of how China has deployed cyber capabilities to pursue the traditional intelligence objective of stealing secrets.
This extensive case history enables a confident assessment of Chinese capabilities and intent to steal vast troves of information and gain wide-ranging access to protected networks. The more challenging and meaningful task for assessing China’s cyber wherewithal is to investigate the effects achieved by these operations. Crucially, as with any espionage operation, effectiveness is measured not by the quantity of information secured, but by the value of intelligence that can be derived from it. In the case of Chinese cyber espionage, assessing the intelligence value is complicated by the fact that many operations appear to be aimed at harvesting information, or securing access, which may become useful in future. China’s strategic aim is to secure an advantage in the long-term contest with the United States and its allies, so any snapshot assessment of Beijing’s strengths at a given point in time will struggle to capture the ultimate effectiveness of Chinese cyber espionage.
China’s Unique Cyber Strategy
While it is common for Western strategists to refer to cyberspace as a fifth domain complementing air, land, sea, and space, Beijing identifies cyberspace as one component of the broader information space. The difference is not merely semantic—it creates a strategic logic for Chinese cyber operations in which the focus is not on control of cyberspace, but rather control of information. The objectives of this approach are to protect domestic political stability (inextricably linked to preserving the rule of the Chinese Communist Party), while driving what Chinese leaders term the informatization of the economy.
In practical terms, this means the deployment of digital surveillance against every citizen using tools that are woven into the fabric of all economic and social activity, coupled with huge investments in technologies such as artificial intelligence and electronic payments. A preoccupation with state control of the information space is also reflected in China’s determination to dominate the development of global standards for digital technology and to define a framework for global governance of the internet centered on state control.
Like Beijing’s external espionage operations, the domestic deployment of Chinese cyber capabilities is part of a singular strategy that will be realized in the medium to long term. This is not meant to suggest that Chinese leaders do not feel pressure to generate tangible results in the short term, but Chinese cyber power exhibits distinctive features that can be missed by anyone taking comfort in a short-term snapshot ranking.
A comprehensive assessment of state cyber power, such as that presented by the IISS, is a valuable resource. But comparisons of different states’ capabilities are fraught with difficulty. China is deploying its cyber capabilities in pursuit of long-term strategic objectives in ways that make the effects hard to measure for comparative purposes. Chinese leaders continually have emphasized the theme of progress on a long journey, a point most recently articulated by Chinese President Xi Jinping with his declaration that China is “advancing with unstoppable momentum toward rejuvenation.” A more accurate headline on China’s and Western powers’ relative capabilities in cyberspace would acknowledge that the effects of Chinese cyber power will only be revealed over at least the next decade.