The International Institute for Strategic Studies (IISS) said that China’s cyber power is still far from matching that of the United States. Following a two-year study, the London-based think tank found that China’s cyber capabilities are being undermined by poor security and weak intelligence analysis.

In the wake of rising threats of cyberattacks and online espionage, the IISS released a report on Monday that ranks the cyber power of 15 major nations based on a spectrum of cyber capacities, taking into account both governmental and private sector capabilities.

It found that the US remained by far the world’s most cyber capable nation and ranked its main adversaries Russia and China as second-tier cyber powers, together with the UK, Canada, Australia, Israel and France. Countries included in the third tier were India, Indonesia, Japan, Malaysia, North Korea, Iran and Vietnam.

China, like Russia, has a proven track record of having strong offensive cyber operations, including online spying, theft of intellectual property and spreading disinformation. However, both countries are held back by relatively weak cybersecurity compared to the US.

The document points out that from the outset, China’s main strategic preoccupation in cyberspace has been domestic – to prevent the spread of Western liberal thinking via the internet. This may have inadvertently diminished its focus on securing it from foreign attacks. The report also said that China’s analysis of cyber intelligence was “less mature” than that of the Five Eyes intelligence alliance (US, UK, Canada, Australia and New Zealand).

The report did warn of China’s rapid digital development and its growing slate of technology firms, making it “the only state currently on a trajectory to join the US in the first tier of cyber powers.”

What set the US apart as the only country classified as tier one was its unparalleled digital-industrial base, its cryptographic expertise and the ability to execute “sophisticated, surgical” cyber strikes against adversaries. In addition, the US also benefits from its close alliance with other cyber powers, including its Five Eyes allies.

The report marks a major endorsement for US cyber capabilities, which have been called into question by a string of major ransomware attacks recently. Notably, Russian-linked cybercriminals took down the Colonial Pipeline, which resulted in severe fuel supply disruptions on the East Coast.

The US government is also still investigating the fallout of the SolarWinds hacking campaign launched by Russian cyberspies, which affected 18,000 organisations globally.

The report also comes as US officials are struggling to temper the global growth of Chinese tech firms, which they fear could give Beijing a critical edge in cyber competition.

In light of these recent attacks, the US Department of Justice advised the country’s attorney offices to send information on ransomware attacks to a centrally coordinated task force in Washington in a move that gives the system-locking malware a similar priority to terrorism.

The report places Russia and China behind US allies such as the UK, France and Australia when it comes to investing in protecting industry against cyberattacks. However, they are far ahead of those countries when it comes to launching offensive hacking operations.

“In their development of offensive cyber mass, the scale of their respective operational experience, their proven reach on cyber espionage and the clarity of their political direction and doctrinal thinking, China and Russia probably surpass all other states except the US,” the report states.

The most important factor for a country’s overall cyber capability is having a cadre of domestic companies focused on information and communications technology that can develop cyber expertise, the report finds.

That’s what gives China, with its raft of growing tech and telecoms firms, the best chance of challenging the United States’ number one spot.