Loading summary
A
Hello everyone, this is Tom Uren. I'm here with another between two nerds discussion and the Gruk. G', day Garruk, how are you?
B
G', day Tom. I'm fine, and yourself?
A
I'm very well. This week's edition is brought to you by Airlock Digital Airlock makes a application whitelisting solution for your endpoints to keep them safe and secure. Find them@airlockdigital.com so Gruk, you sent me actually quite an old blog post by Dave Itel, who used to once upon a time work for nsa and he's got a technical, I think exploit writing type background and he is a policy aficionado, so he's written quite a lot about policy as well. So this post is actually almost a decade old, 2016 and it was I guess inspired by a post on Lawfare which was about the important cyber conflict questions and answers. So I think part of it is interesting to me is that it's just a bit of a, what's the word? A time capsule of what people were thinking a while ago, I would point.
B
Out just very briefly, in the middle of getting their asses kicked in the information domain by Russia. This was, yeah, this was the topic of conversation.
A
And so Dave, I tell, took a crack at how do we define cyber power? And he came up with what I think of as quite a technical answer. So he talks about, and his blog post, which is quite short, talks about exploitation, implantation, exfiltration and analysis, integration into other capabilities like humit and effect. What struck me as interesting is that this is a very technical way to approach cyber power. And since that time several different think tank type bodies have taken a crack at what is cyber power and none of them would have used any of these criteria at all. And they're looking much more at what it achieves for a state rather than how good your technical capabilities are.
B
Right. So I think one of the interesting analogies to think about would be like the Toyota war in, I think it was between Chad and Tunisia or Libya, don't quote me on that. But anyway, you had one state that had T55s from Russia and some, some other sort of like quite advanced military equipment and another state that had AKs, machine guns and Toyota trucks and they made these huge technical armies or basically they put machine guns or rocket launchers onto Toyota trucks and then just drove them through the desert and they were able to defeat the other army because they could just swarm them, hit, hit them, move away, cross deserts that they couldn't. All of this stuff and that they could maintain their equipment. If you're a dictator with a whole bunch of Soviet gear, it's unlikely you have an army that can service your tanks if they have problems. Whereas if you have a whole bunch of like, Toyota Hilux diesel trucks, as long as you've got a rock, a stick and a piece of bendy wire, you could probably fix anything with it. So, yeah, like, if you were talking about military power and you started measuring who has more tanks, you would very quickly come away with, you know, this is a lopsided engagement and it's going to be a crushing victory for the one with the most hardware and military power. Whereas in fact, contextually, what turned out to be much better was investment in things that actually made sense for that domain, that area of operation and stuff. And I think it's a little bit like this in that you have people looking at, say, like the Abrams or the American hardware and saying, like, this is the best military you could ever have. And then if you were to drop it into like a swamp and be like, all right, you know, defeat a bunch of small Vietnamese people who have been fighting for a thousand years and really don't like you, you know, having the most tanks ceases to be a useful metric of military power. I think it's similar to that and that it's. If you're trying to achieve your aims, it's not necessarily the most tanks that's going to help you out. And I think in this case, having the most technically capable, intelligent service is great, but I don't know that that's the necessary criteria for having an effective cyber.
A
Right? Yeah, yeah. So Itel's got some. A nice graph chart down at the bottom where it's got different axes, you know, persistence, sourcing and networking. And so you get this kind of triangle features inside. And the bigger the triangle, the kind of better an agency is. And that seemed to me to be a good way of comparing the technical capabilities of agencies, if you could get accurate measurements on whatever dimensions you chose. But it doesn't necessarily tell you how well they're applied or what they achieve for the state themselves.
B
Right. I think that those are in descending order of importance, like, what does it achieve for the state? How well can you apply the capabilities that you have and then how good are the capabilities that you have? Right. And so a measure of like, capability, that's a useful thing, but it's very, very low down on the ladder in terms of understanding how powerful cyber has made the state or how powerful cyber is. For the state.
A
So I'm thinking of a sporting analogy where you can have very, very highly skilled teams that are just in certain sports. Size and speed really matters. So being technically skilled allows you to get beaten to a pulp less badly.
B
Right. So you could be an amazingly skilled rugby player, but unless you're 6 foot 6 and 250 kilos of solid muscle, it's not really going to do you very much good when the All Blacks come running. You know, like there's just.
A
Yeah, yeah. So I think that to me is like an analogy that kind of works. The technical is part of the answer, but it's not the whole answer. So we had a podcast a while ago where we talked about whether cyber power could be strategic and in the sense that could influence the fate of nations. So that was BTN117 actually earlier this. That's right. Our conclusion at that time was that, yes, it can, but it's not the same sort of power as, like military power and that it tends to be incremental and occur over a long period of time. And I guess one example we spoke about a bit was the Chinese theft of intellectual property. And over a long time, decades, I think that that's had quite a significant effect on the Chinese economy and its manufacturing prowess.
B
Right. But I. I think it would. It would also be a mistake to chalk everything up to only that. Right. Like, it's not just that they stole things, it's that they sort of operationalized what they stole and then built on it, that they were able to use it and make it work for their national power base. Like the things that they wanted to do as a state, it helped them. The US could steal far more intellectual property than China could, just in terms of volume. Right. And they could probably do it without getting caught, but so what? Like, it. Like it wouldn't help them. Like, it's just. It's not a useful thing for them to do. And even if it was a useful thing for them to do, I think we've discussed this, that they would have a lot of difficulty actually integrating it into their economy in a way. Like, they wouldn't be able to convert what they've stolen into state power directly. Whereas I think obviously China has. So they've. In a way, you could say that they've integrated cyber better into their state power matrix.
A
Yeah. So that was BTN120. Should u. S. Spies steal Chinese commercial secrets? What I was going to say, this is.
B
This is. This is our recap episode.
A
What I was going to say is that the stealing of intellectual property was just one part of a broader strategy. So they had a lot of different things that were aligned. Trade policy, industrial policy.
B
Internal economic policy, where they. I saw a discussion with a China expert who was speaking about how does China succeed so well, how do they produce these giant companies? And part of the thing is that they're very willing to accept a lot of corruption and privacy problems at the early stage. So if you show up and you say, I want to be an electronic vehicle manufacturer, they will fund you, even if it's like you're the nephew of the mayor and your big plan is to, you know, take out a million dollars and then put a sign up of your garage saying, you know, EV research department and do nothing but spend the money. Like they'll accept that because there'll be enough people who really do it that you'll end up with an ecosystem where they have to compete against each other in this sort of very vicious race to the bottom on prices, but also race to the top on quality. And what you have left is sort of like these gladiator companies that have defeated all of their rivals. And then not only that, because all of their rivals have lost out. After investing in factories, after investing in infrastructure, these winner companies can then gobble up that infrastructure and make themselves even bigger. It's a lot like actually how Silicon Valley approaches things where you fund a lot of startups and some of them win and a lot of them don't. And that's sort of the approach that China has, but at a state level to things that it cares about.
A
Right? Yeah, yeah. So I think what's interesting there is that they're bringing all those different mechanisms or tools together in a single purpose. And for me, it seems like the US has not really done that using cyber, except for intelligence gathering. And so it makes it very hard to say the US has won in the cyber domain because it collected the most, it did the best collection intelligence.
B
It got caught the fewest number of times per gigabyte of data stolen.
A
And I think collecting intelligence is very important. It makes a difference. It makes a difference to the decisions that you make. But it's very hard to see how it's made a difference after 20 years. And so, yeah, when it comes to measuring the success of cyberpower, I'd have to put China ahead of the US with the caveat that I've got no idea.
B
Right. I mean, we don't know about the successes that have never been publicized. But, you know, I think I'd go A little bit further than that as well, actually, that we could measure. Like, how powerful has cyber been? Not just is this a cyber power, but how powerful has cyber been for this state? And I think China is going to far and away the leader, but I think a close second is going to be Russia. If you include the information domain, which I do, I would say that that's part of it. I'd say that they have achieved their state goals far more frequently with the use of cyber than any other state that I'm aware of. And I would then say North Korea, with Lazarus, again, is an exceptional cyberpower, even though they're financially motivated and they're only stealing crypto. Right, right. That's what they want to do.
A
Yeah, yeah. So what is interesting to me about that list is that the more what the weaker a country is in terms of traditional, I guess I call them instruments of power. So there's that definition where you break down the state instruments of power to diplomatic, informational, military, and economic. And over the last 30 years, you'd have to say that for the vast majority of the time, most of the time, the US Would be ahead on most of those.
B
Right. That's probably why they like that metric.
A
Yeah. But the weaker a state is, the more that it's relied on cyber. So it's like North Korea probably. Probably you'd rank them the bottom on that. Those for the diametric.
B
Yeah. Not a huge power in any of those other metrics, but yeah.
A
And so it's relied on cyber the most. It. And. And because it's an asymmetric. And then it's kind of in reverse order. So Russia next, because, yeah, they're pretty.
B
Good, but they're a middling power on all of the other levels.
A
Yeah. And I also, like you say that they've been very successful. They've been successful kind of narrowly, but it hasn't really helped their economy or their military in Ukraine.
B
I think they haven't been able to take advantage of the success. Right. Maybe, like. So I think they've achieved their goals in terms of what the operations were supposed to do, generally speaking, but then I don't know that they've been able to capitalize on that. China, on the other hand, is obviously very tightly integrated, and they've managed, at least most of the time to capitalize on their successes. So I think that in terms of the number of operations that they've done that have been successful, it might be a comparable number, but China has exploited a far greater percentage of those operations than Russia. Has. So Russia has done things that have worked and then sort of fumbled it. Right.
A
And so when you say things that have worked, you mean like interfering with the presidential election, sowing discord in the.
B
Sort of poisoning the. Well in terms of political discourse, which they played some role in in the us Obviously not the only role, but they. They were certainly successful in their goal was to make greater animosity and more fractures. And that happened, and they were trying to achieve that. Now, whether that would have happened without them is possible, maybe even probable, but we don't know because we can't run it a second time. Like, we can't redo those years. So I'm going to chalk that up to. As a success. But they haven't really benefited from that massively. Like they haven't been able to exploit that. On the other hand, I think that they. They played a big role in getting Brexit to happen, which wasn't with cyber. It was a lot more with money. Like they invested into the. The leave campaigns. And I think that that was successful for them. They got what they wanted, but I'm not sure that they were able to exploit that either.
A
Yeah, it feels like they've been successful at being a spoiler for other people, but they haven't. Like they've stopped other people scoring goals or. But. But haven't actually scored goals of their own.
B
Yeah, I'm sort of. I'm getting this feeling like that it's a little bit like they're biting off more than they can chew. Like they can actually do the bite. Like they can. They can certainly do this big grand vision thing that they have, like the first parts of it, but then once they've done that, it sort of falls apart because they're not powerful enough to actually exploit these sort of conditions that they create.
A
Yeah. So I'm not convinced how much difference they've actually made in terms of, I.
B
Think, advancing the state.
A
Yeah, I think they're advancing what is going on. Well, they're pushing in the same direction as what is going on anyway, so it's like they're pushing on an open door. How much difference does that make? I'm not sure, but I agree that they're pushing in the same direction as things have turned out. So they haven't hurt it, certainly.
B
Yeah. Like I. In my view, they've been more successful in some regions than in others in terms of information operations. They've been pushing in the US at least on this. You know, we need to stop helping Ukraine. This is defeat, is Inevitable and all of that. That's been very successful. It hasn't immediately, like, it has stopped help for Ukraine a few terms and it's.
A
It's become part of the debate.
B
Absolutely.
A
The narratives that they push.
B
Yes. So that's been very successful and I think it's worked for them, and I think it's generally working for them. But I think that the problem is that the invasion of Ukraine has created conditions that are so unfavorable to Russia that information narratives are not sufficient to change the field in any way. You can convince the US not to help Ukraine with money or whatever, but Europe being so close to the actual conflict, has existential fears that are coming up, which you can't argue away as you can with someone who's a continent and an ocean away. It's much more visually present for them, so they are unlikely to be swayed by narratives, whereas someone much further away is more open to be swayed by narratives. I don't think that the information stuff can work for them in the conditions that they've created. Like, they've actually, they've used their military to work against their cyber. And I think the military is stronger in this case. Right.
A
So I guess this is coming up to the. The. What are the limits of cyberpower? And so to me, the very question, how do we measure cyberpower? In some dimensions, the US Is probably the best. Like, technically, they probably have the best techniques or whatever.
B
The number of people working on it or the amount of money invested, or the square footage of parking lots devoted for people who are employed exclusively in cyber. You know, any. Like, there's a large, There's a large number of metrics you could come up with that the US is far and away the winner. I don't think one of those metrics is how far has cyber advanced the interests of the state. I think that that's an area where whatever it's doing for them, it's not public and it's in the realms of informing decisions rather than affecting the world, you know, shaping the environment.
A
Yeah, yeah. So this is a dilemma, I guess. The more powerful the state, the less useful cyber is. Is that. Is that what we're saying?
B
I think that might be the paradox in a way. Like, the more you can invest in cyber, the less you need it, maybe. Or like, the less it can do for you.
A
I guess the less of a game changer it is maybe. Like, because know, if the US had the will, it could change the game with military power, it could do anything.
B
It. Well, it could do it with just leaning economic pressure on people. Like, it could use any of the instruments of national power from, from dime, the diplomatic, informational, military, economic, any of those. It's so like, it's so overpowered that cyber sort of doesn't, doesn't even enter into it as, as a thing that they need to consider.
A
Yeah. So at this point, it seems that China is becoming more of a peer adversary, is close to if, if, if it's not already.
B
Right.
A
And so that would imply that cyber becomes less and less useful for the prc because it's got other.
B
Believe that. Yeah.
A
Because it's got other tools that would be more effective.
B
And also I think that the way that they've been using the information they've stolen, all that IP has been to bootstrap their own economy and their own industries. But then they're not resting on their laurels and just saying, well, any advances that happen, we'll just steal those as well. They are investing now. Like, I think Huawei has a $30 billion R&D budget or something insane like that. I think if there's a Bell Labs producing the new technology of the future, it's more likely to be in China than in the US These days. There's more money flowing into things and there's probably more intellectual freedom to work on long shots that are aligned with goals, even if there's less political freedom to disagree with what those goals are or whatever. But you certainly, you have the space to work within the system and go very, very far because it supports you so much. And I think that maybe that's what counts. Right. Like maybe if you want to be a powerful state, maybe you don't actually need political freedoms, you just need to be able to integrate all those tools and use them. All of which is to say that because China has sort of bootstrapped itself so far with so much already, I think that there's diminishing returns to keep stealing more information. I think that the lead that the US has is getting shorter and shorter and I think China is probably advancing perhaps beyond them in some areas. So it's less useful now to have cyber to augment yourself because there's just less that it can do for you.
A
I guess there's. In the last couple of years, there's been the Salt Typhoon Group, which is focused on compromising US and other telecommunications.
B
If you look at it, they're switching more towards an NSA style operation like intelligence gathering. Right. But they're turning away from economic focus to a more political intelligence focus.
A
Yeah, it's always hard to tell if it's a shift when it's public reporting. Like it's hard to get right, right picture of the whole landscape. But yeah, that's where I was going with that as well by mentioning Saltai. That would be consistent with our hypothesis.
B
Yeah. And although, although, just, just to push back on what I've, I've just said and what we both agree, Dan, is, is Salt Typhoon happening now because they're more interested in doing intelligence collection or because they now have the capability to do that? I would argue that they had the capability before, right? Like it's hacking telcos is not like it's not flying to Mars. So I don't think that they've suddenly leveled up to the point that now they can do telco hacking. You know, they've been doing telco hacking for a long time. I think they've leveled up to the point where telco hacking is something that's more useful than, I don't know, like Boston Robotics hacking.
A
So in, in this big picture world where China and the US are close to peers, our prediction is that cyber becomes less and less relevant because they've got other options that are, that are more useful. And so in the future we'll see Russia still being a spoiler, causing countries to kick own goals despite never kicking a goal itself. North Korea I guess will continue to be a cyber power until they launch.
B
Their own blockchain, at which point.
A
And I guess in a way they're also experimenting with different forms of money raising. I suppose, I guess they too are bumping up against the limits of cyber power because they're just, there's only so.
B
Much people can steal.
A
Getting people to apply for jobs not particularly cybery.
B
It's, it's probably not, it's probably not as lucrative as draining an exchange of their, you know, cash reserves. There's like, we haven't mentioned Iran, right. And so Iran has some cyber capabilities. But then I wonder how useful for Iran can those capabilities be given how weak they are in the other dimensions, but also how limited cyber is for what they're trying to achieve. Right. Like can, can cyber stop other countries from invading or attacking them? No. Like, can cyber get them nuclear capabilities? No. Like, can cyber jumpstart their economy? Like, no, because they're sanctioned to hell. Given out a thing of like, you know, the more, the more powerful you are, the less useful cyber is. I think there might also be a bottom floor of, you know, if you are below this level of economic integration into the global economy, cyber can't help you either.
A
I actually think of it as the other way around where Iran is actually a lot bigger and more integrated than North Korea. And so it's got options in terms of selling oil.
B
Right.
A
Maybe they're not great options, but they're better than.
B
Yeah, North Korea's. Yeah, whatever they have.
A
Yeah, yeah. Like North Korea steals billions, which is significant for North Korea. I think if Iran stole billions, it would be not that significant because it's a bigger country.
B
Cover two days of government spending or something or whatever it is, but it's, it wouldn't be a double digit part of their gdp.
A
Yeah, yeah. It's not a game changer. And I guess it's the, I mean, I suppose it's the same dynamic as for the US where cyber is not a game changer.
B
Maybe it's Iran's aspirations don't align with cyber's strong points. Points. I mean, similarly, I think you could say that the Netherlands has been very successful when they've applied themselves to cyber. Like they punch way above their weight in terms of skills and capability. But they're the Netherlands. Right. Like just how, how much advantage could they get given that contextually they can't, they can't steal everything and then pour it all into their industrial base and build up as an industrial power. Right. That they, they can't steal billions of crypto and have it massively boost their budgets. You know, they, they can't influence, let's say British political narratives and have it somehow help them in a way. Are the things that cyber has been proven good at useful for, like France or Germany or the Netherlands? Like, are those, are those dimensions where cyberpower helps for these states? I think that's, I think that's probably where the US lands as well in that it's, there's a lot of diminishing returns, but also there's not a lot of space to take advantage of those power dynamics.
A
I was just thinking about the amount of money that states tend to spend on intelligence collection and it's like significant, but in terms of an overall national budget, it's like a drop in the bucket. And compared to defense, like it's a fraction of the defense budget and cyber.
B
Is a fraction of the intelligence budget. So you're.
A
Yep, yep. And I think that puts it in perspective and we're. Yeah, cyber people always wanting it to be the thing that'll change the planet.
B
Clearly all of these states are just very misguided. There's. If, if they were to invest as much in cyber as they invest in the military. Yes. You know, cyber people think that cyber is special, that cyber has this outsized role to play and I agree with that. But I, I think in terms of, like, proportion overall, yeah, it's very small. Like, I think it can do more than it's actually doing. Like, I think there's, there's room, there's room to improve how you use cyber and how you can exploit it and so on, but I don't think that that's sort of like, oh, if you had a, like, if you had 10 nuclear attack submarines, that's a huge deal, right? Like having, having a bigger cyber force. I don't think that's a huge deal. I don't, I don't think it changes the dynamics as much as having, you.
A
Know, an aircraft carrier, which is so it's. The cyber is really the underutilized 0.01% of the national budget just going there to waste. Thanks, Crush.
B
Thanks, Tom.
Hosts: Tom Uren & The Grugq
Date: September 15, 2025
This episode delves into the complex question of "cyber power": how should it be defined, and how significant is its role among the instruments of state power? Drawing inspiration from a nearly decade-old Dave Aitel blog post, Tom Uren and The Grugq discuss how technical prowess in cyber operations often fails to equate to meaningful outcomes for states. Using historical analogies, recent examples, and state actors such as the US, China, Russia, and North Korea, the hosts map out both the contributions and limitations of cyber capabilities in national strategy.
Dave Aitel’s Technical Framework:
The blog post aimed to define cyber power through technical benchmarks: exploitation, implantation, exfiltration, analysis, and integration with other intelligence methods. Uren notes this is a "very technical way to approach cyber power," whereas recent policy circles focus more on outcomes and state achievements rather than just technical ability.
"They’re looking much more at what it achieves for a state rather than how good your technical capabilities are." — Tom Uren [01:02]
The Limitations of Metrics:
The Grugq draws a comparison to the "Toyota War," where technical military superiority didn’t guarantee victory; effective application and adaptability mattered more than raw capability.
"If you were talking about military power and you started measuring who has more tanks, you would ... come away with ... this is a lopsided engagement ... Whereas in fact, what turned out to be better was investment in things that actually made sense for that domain." — The Grugq [02:22]
Rank of Importance:
Capability is only one aspect. Even if technical skill is high, real-world impact for the state depends on effective application and integration.
"A measure of capability ... is very, very low down on the ladder in terms of understanding how powerful cyber has made the state." — The Grugq [05:38]
Incremental and Long-Term Influence:
Some cyber operations, like China's IP theft, have notable cumulative effects, but rarely produce immediate, strategic shifts akin to military power.
"Could cyber power be strategic? ... Our conclusion ... was that ... yes, it can, but it’s not the same sort of power as military power, and ... it tends to be incremental and occur over a long period of time." — Tom Uren [06:44]
Integration and Exploitation:
The full value of cyber operations is only realized when states can integrate stolen data or intelligence into wider economic and policy machinery.
"It’s not just that they stole things; it’s that they operationalized what they stole and then built on it." — The Grugq [07:39]
Application Is Key:
The US may steal more IP, "but so what?" if it isn’t used to serve state goals as efficiently as China does.
DIME Model Context:
Less powerful states (in Diplomatic, Informational, Military, Economic terms) rely more on cyber because other instruments are limited.
"The weaker a state is, the more it’s relied on cyber. North Korea ... you’d rank them the bottom on that …, and so it’s relied on cyber the most." — Tom Uren [13:41]
Russia and North Korea:
Both are highlighted as successful, if narrowly, in using cyber offensively for goals like sowing discord (Russia) or funding regime needs (North Korea). However, achievement of broader national objectives (economic growth, military dominance) often remains elusive.
Effectiveness of 'Spoiler' Tactics:
Russia often succeeds in disrupting or spoiling adversaries' plans ("stopping goals"), but fails to convert that into direct gains ("scoring goals" for itself).
"They’ve been successful at being a spoiler ... but haven’t actually scored goals of their own." — Tom Uren [16:08]
The Paradox of Power:
The more powerful a state is in traditional terms, the less impactful cyber operations become for them; the USA can achieve more via economic or military means.
"The more powerful the state, the less useful cyber is. Is that what we’re saying?" — Tom Uren [20:10]
"The more you can invest in cyber, the less you need it, maybe. Or ... the less it can do for you." — The Grugq [20:20]
China’s Evolution:
As China catches up with the US, its reliance on cyber for economic advantage decreases, shifting focus toward intelligence collection akin to the NSA.
"There’s diminishing returns to keep stealing more information ... less useful now to have cyber to augment yourself because there’s just less that it can do for you." — The Grugq [22:57]
Cyber’s Relative Budget:
The proportional spend on cyber remains tiny compared to national defense budgets—cyber often feels overhyped relative to its real-world effect.
"In terms of an overall national budget, it’s like a drop in the bucket. And compared to defense, ... cyber is a fraction of the intelligence budget." — Tom Uren [28:52]
States Like Iran:
For states with poor integration into the global economy (like Iran), even significant cyber capabilities may have marginal utility.
"If you are below this level of economic integration into the global economy, cyber can’t help you either." — The Grugq [26:47]
Smaller States (e.g., Netherlands):
Some states "punch above their weight" technically but can't materially leverage cyber gains for outsized national advantage due to scale or contextual constraints.
Military Analogy:
"You could be an amazingly skilled rugby player, but unless you’re 6 foot 6 and 250 kilos of solid muscle, it’s not really going to do you very much good when the All Blacks come running." — The Grugq [06:25]
China’s National Policy:
"They’re bringing all those different mechanisms or tools together in a single purpose. For me, it seems like the US has not really done that using cyber, except for intelligence gathering." — Tom Uren [10:41]
Spoiler vs. Scorer:
"They’ve been successful at being a spoiler for other people, but ... haven’t actually scored goals of their own." — Tom Uren [16:08]
Diminishing Returns:
"I think that might be the paradox in a way. Like, the more you can invest in cyber, the less you need it ... the less it can do for you." — The Grugq [20:20]
Cyber vs. Defense Spending:
"States tend to spend on intelligence collection ... but in terms of an overall national budget, it’s a drop in the bucket. Compared to defense, it’s a fraction of the defense budget, and cyber is a fraction of the intelligence budget." — Tom Uren [29:10]
Takeaways:
Cyber power, while dazzling at the technical level, rarely shifts the balance of power by itself. For weaker states, it’s a crucial asymmetric tool, but for the most powerful, it’s simply one option among many—with rapidly diminishing returns as their broader capabilities overshadow anything cyber alone might achieve. Integration, context, and clear state objectives matter more than sheer cyber skill.