China’s strengths as a cyber power are being undermined by poor security and weak intelligence analysis, according to new research that predicts Beijing will be unable to match US cyber capabilities for at least a decade.

The study, published on Monday by the International Institute for Strategic Studies, comes as a series of hacking campaigns have highlighted the growing threat of online espionage by hostile states.

In December, US officials discovered that Russia’s foreign intelligence service, the SVR, had hijacked SolarWinds software to penetrate government targets in Washington including the commerce and Treasury departments. Three months later, Microsoft email software was compromised by suspected Chinese state-backed hackers to probe US non-governmental organisations and think-tanks.

IISS researchers ranked countries on a spectrum of cyber capabilities, from the strength of their digital economies and the maturity of their intelligence and security functions to how well cyber facilities were integrated with military operations.

China, like Russia, has proven expertise in offensive cyber operations — conducting online spying, intellectual property theft and disinformation campaigns against the US and its allies. But both countries were held back by comparatively loose cyber security compared with their competitors, according to the IISS.

As a result, only the US is ranked as a “top tier” cyber power by the think-tank, with China, Russia, the UK, Australia, Canada, France and Israel in the second tier. The third tier comprises India, Indonesia, Japan, Malaysia, North Korea, Iran and Vietnam.

Greg Austin, an expert in cyber, space and future conflict at the IISS, said media reports focusing only on the positive sides of China’s digital advances — such as its aspirations to become a global leader in artificial intelligence — had contributed to an “exaggerated” perception of its cyber prowess. “On every measure, the development of skills for cyber security in China is in a worse position than it is in many other countries,” he said.

According to the report, Beijing’s focus on “content security” — limiting politically-subversive information on its domestic internet — may have diminished its focus on policing the physical networks that transport it. The IISS also suggested China’s analysis of cyber intelligence was “less mature” than that of the Five Eyes intelligence allies (the US, UK, Canada, Australia and New Zealand) because it was driven by ideology and “increasingly enmeshed with . . . the political goals” of Communist party leaders.

Austin said the information age was reshaping global dynamics so traditionally powerful countries such as India and Japan had begun to lag behind in the third tier of cyber operators, while smaller countries such as Israel and Australia had built up cutting-edge cyber skills that had propelled them into the second tier.

What set the US apart in the first tier, according to the IISS, was its unparalleled digital-industrial base, its cryptographic expertise and the ability to execute “sophisticated, surgical” cyber strikes against adversaries. Unlike opponents such as China and Russia, the US also benefited from close alliances with other cyber powers, including its Five Eyes partners.

However, the US and its allies were increasingly at risk of ransomware attacks — such as those on Colonial Pipeline and Ireland’s health service last month — by Russian criminal hackers who are not state-directed but whose activities are apparently tolerated by authorities.

Robert Hannigan, former director of the UK’s intelligence agency GCHQ and now a senior executive at cyber security company BlueVoyant, said he agreed with many of the IISS conclusions but questioned how much Beijing and Moscow would be held back by weak cyber defences.

“While it is true that cyber security is less well developed in Russia and China, they need it less urgently than open western economies,” Hannigan said. “The threat is not symmetrical: western economies are under siege from cyber criminal groups based in and tolerated or licensed by Russia — the same is not true in reverse.”

He added that while Russia knew that the west would not indiscriminately target civilian critical infrastructure in a destructive way, Russian agencies “have licence to be reckless”. “That in turn demands higher levels of cyber security in the west,” he said.