
Cyber Power Index over Taiwan conflicts Methodology

This post is about the indicator definition table.

The 8 Objectives
They identify two issues that have been of particular interest to readers of the Index: a holistic approach to cyber power, and achieving multiple objectives using cyber means.

A holistic Approach to Cyber Power
The objective of NCPI is to provide a more complete measure of cyber power than existing indices, anecdotal studies, or journalistic speculation. More specifically, within the NCPI we measure government strategies, capabilities for defensive and destructive operations, resource allocation, private sector capabilities within a country such as technology companies, workforce, and innovation. This assessment is both a measurement of demonstrated capability and potential, and the final score assumes that the government can wield these capabilities effectively, or the nation can benefit from them.

They provide the following 8 objectives.

The first, “Surveilling and Monitoring Domestic Groups”, is defined as “A state has taken steps to give itself the legal permissions and cyber surveillance capabilities to monitor, detect, and gather intelligence on domestic threats and actors within its own borders. This may range from efforts to conduct surveillance of its citizens, monitor internet traffic, circumvent encryption, or detect and disrupt foreign intelligence services, criminal organizations, and terrorist groups.”

The second, “Strengthening and Enhancing National Cyber Defenses”, is defined as “A state has prioritized enhancement of the defense of government and national assets and systems, and improvement of national cyber hygiene and resilience. This includes active defense of government assets, promoting cybersecurity and cyber hygiene to key industries and the general population, and raising national awareness of cyber threats.”

The third, “Controlling and Manipulating the Information Environment”, is defined as “Reflecting the duality of information controls, a state has utilized using electronic means to control information and change narratives at home and abroad. The former includes spreading domestic propaganda, creating, and amplifying disinformation overseas, and using cyber capabilities to target and disrupt groups otherwise outside of its jurisdiction. The latter includes taking down extremist material from social media and refuting foreign propaganda.”

The fourth, “Foreign Intelligence Collection for National Security”, is defined as “A state has extracted national secrets from a foreign adversary via cyber means. This objective is specifically focused on the collection of information that is not commercially sensitive, but instead the collection of information that informs diplomatic activities, military planning, treaty monitoring, and other situations in which states seek to improve their situational awareness and understanding of a foreign state. This includes hacks and breaches of classified material, such as military plans, but it also includes stealing personnel records, and accessing the communications of senior government figures.”

The fifth, “Growing National Cyber and Commercial Technology Competence”, is defined as “A state has attempted to either grow its domestic technology industry or used cyber means to develop other industries domestically. This could be through legal and illegal means. Illegal means include conducting industrial espionage against foreign companies and states to facilitate technology transfer. Legal means include investment in cybersecurity research and development and prioritizing cybersecurity workforce development.”

The sixth, “Destroying or Disabling an Adversary’s Infrastructure and Capabilities”, is defined as “A state has used destructive cyber techniques, tactics, and procedures to deter, erode, or degrade the ability for an adversary to fight in cyber or conventional domains. This includes cyberattacks on critical infrastructure, and Distributed Denial-of-Service attacks on government communications networks. It also includes cyberattacks to demonstrate intent and capability to deter an adversary from acting.”

The seventh, “Defining International Cyber Norms and Technical Standards”, is defined as “A state has actively participated in international legal, policy, and technical debates around cyber norms. This might include signing cyber treaties, participating in technical working groups, and joining cyber partnerships and alliances to combat cybercrime and share technical expertise and capabilities.”

The last, “Amassing Wealth and/or Extracting Cryptocurrency”, is defined as “A state has conducted cyber operations to amass wealth. This includes theft by cyber means including ransomware, blackmail using information obtained via data breaches and attacking the digital infrastructure of financial institutions, and blackmail based on information obtained via data breaches.”

They recognize that national objectives pursued using cyber means are not pursued in isolation, because cyber capabilities are just one of a state’s suite of tools. For example, a state deploys them alongside traditional military means, diplomacy, sanctions, and tariffs to achieve its national objectives. Their measurement therefore provides a state’s intent to pursue each objective through an assessment of national strategies, rhetoric, and attributed cyber operations. If a state’s intent to pursue an objective is high, they assess that the objective is of more importance to that state. Another benefit of considering multiple objectives as opposed to a few, which they call “comprehensiveness”, is that it can differentiate levels of intent and capability between states across all the objectives they assign. Finally, they provide a “Comprehensive Cyber Power Ranking”, which reflects both the intent to pursue multiple objectives using cyber means and the capabilities to pursue and achieve said objectives, combining the intent and capability scores across all eight objectives.

Methodology
This research assigns a judgement level of 0.1 to 1 to each objective, after evaluation in line with the standards of the 8 objectives, to quantify the cyber power of each nation. This process uses data on each country’s operations, mainly from “COUNCIL on FOREIGN RELATIONS, Cyber Operations Tracker”.

1. Identifying the objectives
First, this research refers to the 8 objectives given in the section “A holistic Approach to Cyber Power”: “Surveilling and Monitoring Domestic Groups”, “Strengthening and Enhancing National Cyber Defenses”, “Controlling and Manipulating the Information Environment”, “Foreign Intelligence Collection for National Security”, “Growing National Cyber and Commercial Technology Competence”, “Destroying or Disabling an Adversary’s Infrastructure and Capabilities”, “Defining International Cyber Norms and Technical Standards”, and “Amassing Wealth and/or Extracting Cryptocurrency”.
2. Data collection method
Second, this research collects timeline data on cyber operations for each country from “COUNCIL on FOREIGN RELATIONS, Cyber Operations Tracker”. This data includes cyberattacks carried out by governments, the kind of operation, impact, target and so on.
3. Mapping to operational objectives
Third, the collected operational data is aligned to each objective. Having determined which objective each operation corresponds to, this research evaluates its importance and impact level on a scale from 0.1 to 1, taking into account its significance and influence. For example, if a certain operation is directly relevant to “Amassing Wealth and/or Extracting Cryptocurrency”, it is assessed on a scale from 0.1 to 1.

| Number | Name | Scale | Description |
|---|---|---|---|
| 1 | Amassing Wealth and/or Extracting Cryptocurrency | 0.1 ~ 0.3 | Minor monetary damage by taking advantage of an information leak (costing thousands of dollars) |
| 1 | Amassing Wealth and/or Extracting Cryptocurrency | 0.4 ~ 0.6 | Ransomware attack or moderate monetary damage (costing tens of thousands to hundreds of thousands of dollars) |
| 1 | Amassing Wealth and/or Extracting Cryptocurrency | 0.7 ~ 0.9 | Multiple ransomware attacks or an attack on large financial infrastructure (costing millions of dollars) |
| 1 | Amassing Wealth and/or Extracting Cryptocurrency | 1.0 | Serious cyberattack on a national-scale financial system (costing billions of dollars) |
| 2 | Controlling and Manipulating the Information Environment | 0.1 ~ 0.3 | Limited domestic information manipulation and propaganda |
| 2 | Controlling and Manipulating the Information Environment | 0.4 ~ 0.6 | Dissemination of misinformation and small-scale information manipulation abroad |
| 2 | Controlling and Manipulating the Information Environment | 0.7 ~ 0.9 | Large-scale disinformation and cross-border information manipulation across |
| 2 | Controlling and Manipulating the Information Environment | 1.0 | Global information manipulation through major media and social networks |
| 3 | Defining International Cyber Norms and Technical Standards | 0.1 ~ 0.3 | Attendance at an international conference or initial technical cooperation |
| 3 | Defining International Cyber Norms and Technical Standards | 0.4 ~ 0.6 | Active attendance with creation of international technology standardization |
| 3 | Defining International Cyber Norms and Technical Standards | 0.7 ~ 0.9 | Leadership in concluding a cyber treaty or major international technology standards |
| 3 | Defining International Cyber Norms and Technical Standards | 1.0 | Leadership in international cyber policy and setting key cyber standards multilaterally |
| 4 | Destroying or Disabling an Adversary’s Infrastructure and Capabilities | 0.1 ~ 0.3 | A cyberattack on enemy network communications |
| 4 | Destroying or Disabling an Adversary’s Infrastructure and Capabilities | 0.4 ~ 0.6 | Periodic attacks on major infrastructure (e.g. power grid and water system) |
| 4 | Destroying or Disabling an Adversary’s Infrastructure and Capabilities | 0.7 ~ 0.9 | Persistent and effective cyberattacks on multiple national infrastructures |
| 4 | Destroying or Disabling an Adversary’s Infrastructure and Capabilities | 1.0 | Complete destruction or long-term incapacitation of critical military or civilian infrastructure linked to national security |
| 5 | Foreign Intelligence Collection for National Security | 0.1 ~ 0.3 | Gathering information from a single or limited source |
| 5 | Foreign Intelligence Collection for National Security | 0.4 ~ 0.6 | Gathering critical information from multiple sources, albeit with limited scope and impact |
| 5 | Foreign Intelligence Collection for National Security | 0.7 ~ 0.9 | Strategic information gathering activities that could impact military planning and diplomatic efforts |
| 5 | Foreign Intelligence Collection for National Security | 1.0 | Continuous collection of critical information (military, political, economic) with widespread and serious impact at national level, directly linked to national security |
| 6 | Growing National Cyber and Commercial Technology Competence | 0.1 ~ 0.3 | Implementation of a basic training program for cybersecurity |
| 6 | Growing National Cyber and Commercial Technology Competence | 0.4 ~ 0.6 | Advancements in domestic cybersecurity technology development, with certain commercial outcomes |
| 6 | Growing National Cyber and Commercial Technology Competence | 0.7 ~ 0.9 | Conducting advanced research and development in cyber technologies and creating technologies that are competitive in the international market |
| 6 | Growing National Cyber and Commercial Technology Competence | 1.0 | Producing advanced and innovative cyber technologies domestically to establish global leadership |
| 7 | Strengthening and Enhancing National Cyber Defenses | 0.1 ~ 0.3 | Implementation of basic cyber defense measures |
| 7 | Strengthening and Enhancing National Cyber Defenses | 0.4 ~ 0.6 | Development of a more systematic cyber defense architecture and deployment of measures across a wide range of industries, including small and medium-sized enterprises |
| 7 | Strengthening and Enhancing National Cyber Defenses | 0.7 ~ 0.9 | Execution of an integrated national cyber defense strategy and enhancement of defensive capabilities through international cooperation |
| 7 | Strengthening and Enhancing National Cyber Defenses | 1.0 | Full deployment of advanced cyber defense infrastructure and establishment of defense technologies leading international standards |
| 8 | Surveilling and Monitoring Domestic Groups | 0.1 ~ 0.3 | Limited internet traffic monitoring and small-scale surveillance activities |
| 8 | Surveilling and Monitoring Domestic Groups | 0.4 ~ 0.6 | Implementation of an extended communications monitoring program, focusing on specific groups and activities |
| 8 | Surveilling and Monitoring Domestic Groups | 0.7 ~ 0.9 | Implementation of a nationwide monitoring system, enabling extensive communication and data collection |
| 8 | Surveilling and Monitoring Domestic Groups | 1.0 | A national-level surveillance system with advanced surveillance technology and full data analysis capabilities, capable of monitoring all domestic communications in real time and automatically identifying threats using advanced artificial intelligence |

4. Quantification of Capabilities
After evaluating the operations corresponding to each objective, these assessments are summed up to quantify the cyber capabilities of each nation on a scale from 0.1 to 1. This assessment is based on the significance and influence of operational objectives. To achieve this, a summation formula is used, whereby the product of Capability and Intent for each objective is computed and then aggregated across all objectives. This mathematical expression, ranging from x=1 to x=8, encapsulates the interaction between Capability and Intent within a defined range, offering a systematic approach to evaluating cyber capabilities. This methodology finds application in various contexts, particularly within cybersecurity, enabling the assessment of diverse threat factors. "Capability" denotes the capacity to execute attacks, while "Intent" signifies the intention to carry out such attacks, facilitating the computation of overall threat or risk levels.

[Image: the summation formula described above]


This allows for the calculation of the product of Capability and Intent for each x, which is then summed up. Using this formula enables the quantification of cyber capabilities for each nation on a scale from 0.1 to 1.
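
Steps 3 and 4 above, worked through in Python as an added example (not code from this article or from the NCPI authors). The operations, ratings and intent values are constructed sample data for a hypothetical "Country A"; averaging the ratings per objective and dividing the final sum by 8 are assumptions, since the article does not state how the result is kept on the 0.1 to 1 scale.

```python
from collections import defaultdict

N_OBJECTIVES = 8  # objectives are numbered 1..8 as in the scale table


def band_of(rating):
    """Return the rubric band (0-3) of a rating given in 0.1 steps, else raise."""
    tenths = round(rating * 10)
    if abs(rating * 10 - tenths) > 1e-9 or not 1 <= tenths <= 10:
        raise ValueError(f"rating {rating!r} is not on the 0.1-1.0 scale")
    return 3 if tenths == 10 else (tenths - 1) // 3  # 0.1-0.3, 0.4-0.6, 0.7-0.9, 1.0


def capability_by_objective(operations):
    """Step 3: map each (objective, rating) pair to its objective and average.

    Assumption: the article says the assessments are "summed up"; the mean is
    used here so every objective stays on the 0.1-1 scale.
    """
    ratings = defaultdict(list)
    for objective, rating in operations:
        if not 1 <= objective <= N_OBJECTIVES:
            raise ValueError(f"unknown objective number {objective!r}")
        band_of(rating)  # rejects ratings that are off the rubric
        ratings[objective].append(rating)
    return {x: sum(r) / len(r) for x, r in ratings.items()}


def cyber_power(capability, intent):
    """Step 4: sum Capability_x * Intent_x for x = 1..8.

    Objectives with no recorded operation or intent contribute 0. Returns the
    raw sum and the sum divided by 8 (assumed normalisation to the 0-1 range).
    """
    raw = sum(capability.get(x, 0.0) * intent.get(x, 0.0)
              for x in range(1, N_OBJECTIVES + 1))
    return raw, raw / N_OBJECTIVES


# Constructed sample data for a hypothetical "Country A": (objective, rating).
OPERATIONS = [(1, 0.5), (1, 0.7), (4, 0.2), (5, 0.8)]
INTENT = {1: 0.5, 4: 0.5, 5: 1.0}  # constructed intent scores per objective

if __name__ == "__main__":
    cap = capability_by_objective(OPERATIONS)
    raw, normalised = cyber_power(cap, INTENT)
    print(cap, round(raw, 3), round(normalised, 3))
```

With Capability and Intent each capped at 1, the raw sum over eight objectives can reach 8, which is why the second returned value is the one comparable to the 0.1 to 1 scale.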
