Hybrid Threats: War Below the Threshold of War

Hybrid threats are coordinated campaigns that use cyber, information, economic, legal and infrastructural pressure to weaken states below the threshold of open war.

Dr Danie Adendorff

6/27/2026 (10 min read)

How hostile actors exploit cyber systems, information disorder, infrastructure vulnerability and political division to weaken states without declaring war.

The target is not only infrastructure. It is judgement.

A modern state can be attacked without an invasion. No tanks need cross a border. No formal declaration of war need be issued. Instead, an undersea cable is damaged, a hospital network is disrupted, false narratives spread online, political pressure intensifies, energy dependency is exploited, and public confidence begins to erode.

Each incident may appear separate. One may look like an accident. Another may look like crime. A third may be dismissed as ordinary political argument. A fourth may be explained as commercial pressure. The danger begins when these actions are not isolated, but coordinated: when their combined effect is to weaken a society’s ability to understand, decide and respond.

That is the essence of the hybrid threat problem. Hybrid threats are not only attacks on systems, networks or infrastructure. They are attacks on the decision environment of the state.

This is why NATO, the European Union and the European Centre of Excellence for Countering Hybrid Threats now treat hybrid threats as a central security challenge. In 2025, NATO created the position of Special Coordinator for Hybrid Threats, now held by Jean-Charles Ellermann-Kingombe, as a high-level focal point for the Alliance’s work. NATO has also identified Russia and China as major actors whose cyber, political, economic, technological and information activities affect Allied security.

That does not mean every suspicious incident should automatically be attributed to Moscow or Beijing. Serious analysis requires evidence, restraint and legal precision. But it does mean that hybrid threats now sit at the centre of European and transatlantic security thinking.

What are hybrid threats?

Hybrid threats are coordinated hostile activities that combine several instruments of power to undermine a state, institution, alliance, company or society while avoiding the clarity of open war.

A practical definition is this:

Hybrid threats are coordinated hostile campaigns that combine military and non-military, covert and overt, cyber, informational, economic, political, legal, criminal and infrastructural methods to exploit systemic vulnerabilities while remaining below the threshold of open warfare.

This definition closely follows the leading institutional understanding of the problem. The European Centre of Excellence for Countering Hybrid Threats characterises hybrid threats as coordinated and synchronised actions that deliberately target systemic vulnerabilities, exploit thresholds of detection and attribution, and seek to influence decision-making. The Council of the European Union similarly describes hybrid threats as coordinated harmful activities carried out with malign intent through means such as information manipulation, cyberattacks, economic coercion, covert political manoeuvring, coercive diplomacy and threats of military force. NATO’s formulation also emphasises the combination of military and non-military, covert and overt means.

The core point is simple: hybrid threats are not defined by one tool. They are defined by combination, intent and effect.

What makes a threat “hybrid”?

Four features distinguish hybrid threats from ordinary crime, routine espionage, conventional military pressure or normal political competition.

First, hybrid threats are multi-domain. They operate across cyber systems, media ecosystems, critical infrastructure, finance, law, diplomacy, political influence, intelligence, criminal networks and, at times, military signalling. The strategic effect lies in the interaction between domains.

Second, they depend on ambiguity and deniability. A hostile actor may use proxies, front companies, criminal groups, compromised accounts, sympathetic media channels, legal intermediaries or apparently independent organisations. The purpose is to slow attribution and complicate response.

Third, they are threshold-managed. The campaign is calibrated to remain below the level that would clearly justify a military response or collective-defence decision. NATO has nevertheless stated that hybrid operations against Allies could, if severe enough, reach the level of an armed attack and lead to consideration of Article 5.

Fourth, hybrid threats exploit systemic vulnerability. They target seams in democratic societies: polarised politics, fragile cyber defences, energy dependency, fragmented government responsibility, private ownership of critical infrastructure, legal constraints, poor media literacy and declining public trust.

In conventional warfare, the visible target may be a military unit, command post or city. In hybrid activity, the deeper target is coherence.

The Baltic cable case: when the seabed becomes strategic terrain

The Baltic Sea provides one of the clearest contemporary demonstrations of the hybrid threat problem.

In November 2024, two undersea fibre-optic communications cables in the Baltic Sea were severed: the C-Lion1 cable between Finland and Germany, and the BCS East-West Interlink between Lithuania and Sweden. Germany and Finland publicly expressed deep concern, noting that the incident immediately raised suspicion of intentional damage and had to be understood against the wider background of Russia’s war against Ukraine and hybrid warfare by malicious actors. A Chinese-flagged vessel, Yi Peng 3, came under scrutiny in reporting and official inquiry contexts. China denied responsibility, and the incident was not conclusively attributed in public.

In December 2024, the Eagle S tanker was suspected of damaging the Estlink 2 power cable between Finland and Estonia and several telecommunications cables. Finnish authorities linked the vessel to Russia’s so-called shadow fleet, used to evade oil sanctions. Russia denied involvement. Finnish prosecutors later alleged that the vessel’s anchor had been dragged for roughly 90 kilometres across the seabed, causing major damage to critical infrastructure. The immediate repair costs were estimated at around €60 million.

The legal aftermath is more important than the incident alone.

In October 2025, the Helsinki District Court dismissed the criminal case against the Eagle S crew. The decisive issue was not merely whether intent could be proved. The core issue was jurisdiction. The court held that the alleged conduct occurred outside Finland’s territorial waters, in the Exclusive Economic Zone, and that Finnish criminal law could not be applied under the court’s reading of international maritime law. The vessel was registered in the Cook Islands, and the court’s reasoning pointed instead towards the flag state or the crew members’ home states.

This is the hybrid threat dilemma in concentrated form. The infrastructure damage was real. The operational consequences were serious. The political suspicion was substantial. NATO responded by launching Baltic Sentry in January 2025 to increase its military presence in the Baltic Sea and improve Allied ability to respond to destabilising acts against critical infrastructure. Yet the legal route to accountability remained difficult.

The Finnish prosecution has appealed the district court’s ruling, so the matter is not settled. But even at this stage, the case demonstrates a central problem: hybrid threats exploit the space between operational harm and legal consequence.

That space may be created by attribution delay, evidentiary uncertainty, flag-state jurisdiction, commercial ownership structures, open registries, maritime law, proxy actors, or the practical difficulty of monitoring the seabed. For hostile actors, that space is not incidental. It is part of the operating environment.

The campaign logic

Hybrid threats should not be understood as a list of tactics. They are a campaign logic.

Cyber operations may disrupt government systems, hospitals, ports, energy networks, financial services, electoral infrastructure or operational technology. Information manipulation may deepen distrust, polarise debate, discredit institutions or confuse citizens about what has happened. Economic coercion may exploit trade, energy, debt, investment, sanctions evasion, supply chains or critical materials. Political subversion may operate through covert influence, elite capture, corruption, intimidation, front organisations or manipulation of grievances.

Lawfare can delay action, constrain response, intimidate critics or exploit democratic legal protections. Criminal networks may provide access and deniability. Military signalling — exercises, border pressure, maritime harassment, drone activity, irregular forces or coercive deployments — can intensify pressure while still avoiding declared war.

The strategic effect lies in combination. A cyber incident may be serious. A cyber incident combined with disinformation, energy pressure, legal ambiguity and infrastructure disruption becomes a different order of security problem. It does not merely damage systems. It burdens judgement.

Why democracies are exposed

Democracies are not vulnerable because they are weak. They are vulnerable because they are open, lawful, interconnected and dependent on public trust.

Free media systems allow rapid communication, but also rapid manipulation. Legal protections safeguard dissent, but can be abused by hostile actors. Private ownership of infrastructure promotes efficiency and innovation, but complicates national-security coordination. Political competition strengthens accountability, but polarisation can be aggravated from outside. Digital platforms connect citizens, but also permit automated amplification, micro-targeting and coordinated inauthentic behaviour.

Democratic governments are also institutionally fragmented by design. Defence, intelligence, law enforcement, cyber agencies, regulators, local authorities, private companies and civil society all hold parts of the response. That is normal in a lawful society. But during a fast, ambiguous and multi-domain incident, lawful fragmentation can become operational delay.

A hostile actor does not need to defeat democracy directly. It may only need to overload decision-making, deepen mistrust and make institutions appear divided, hesitant or incompetent.

Hybrid threats and the grey zone

Hybrid threats sit within the wider grey zone between routine peace and open armed conflict. Grey-zone activity describes hostile or coercive conduct below the threshold of war. Hybrid threats describe the methods used within that space. Hybrid warfare describes a more intense condition in which hybrid methods may accompany, prepare for or support armed conflict.

The distinctions matter.

Not every cyberattack is a hybrid threat. Not every protest is subversion. Not every trade dispute is economic coercion. Not every false claim online is foreign interference. The analytical test should be disciplined: is there evidence of malign intent, coordination, multi-domain activity, vulnerability exploitation and strategic purpose?

The concept becomes dangerous when used carelessly. A democratic state that labels all dissent, criticism or political opposition as ‘hybrid activity’ risks weakening the freedoms it claims to defend. The correct response is not paranoia. It is structured assessment.

Information manipulation and AI

Information manipulation has always been part of conflict. What has changed is speed, scale and technical sophistication.

The EU’s Foreign Information Manipulation and Interference framework is useful because it focuses not only on false content, but on coordinated, intentional and manipulative behaviour. The key question is not merely whether a claim is true or false. It is whether actors are covertly manipulating the information environment to damage democratic processes, public trust or institutional legitimacy.

Artificial intelligence intensifies the problem. Generative AI can produce plausible text, images, audio and video at scale. Deepfakes can target public figures, military leaders, journalists or election officials. Bots and automated systems can amplify narratives faster than human verification can respond. Synthetic content can be mixed with genuine grievances, making manipulation harder to detect and harder to communicate publicly.

The aim is not always to make citizens believe one lie. Often, the aim is to make them distrust everything: government, media, courts, elections, science and each other.

The defence cannot be propaganda in reverse. It requires credible public communication, evidence-based correction, media literacy, platform accountability, independent journalism and institutions that admit uncertainty without surrendering authority.

The attribution dilemma

Hybrid threats exploit the delay between incident and decision.

A cable break may be accidental. A cyberattack may be criminal. A disinformation campaign may look domestic. A proxy may not disclose its sponsor. A suspicious vessel may operate under one flag, carry another state’s cargo, be owned through a complex commercial structure, and act in ways that are difficult to classify legally.

This creates multiple delays: technical investigation, intelligence assessment, legal classification, interdepartmental coordination, public communication and political decision. During that delay, hostile narratives can spread, public anxiety can rise and decision-makers can be forced into an unfavourable choice.

Respond too slowly, and the attacker gains initiative. Respond too aggressively, and the state may appear reckless or repressive. Say too little, and citizens suspect concealment. Say too much without evidence, and credibility suffers.

Attribution is therefore not only a technical intelligence problem. It is a legal, political and strategic communication problem.

Resilience is the strategic answer

The response to hybrid threats cannot be left to the military alone. It must be whole-of-society.

Government must coordinate across departments. Intelligence services must support warning and attribution. Law enforcement must investigate criminal and proxy activity. Cyber agencies must strengthen networks and incident response. Regulators must enforce resilience standards. Defence must deter, reassure and support civil authorities where appropriate. Diplomacy must coordinate consequences with allies. Private infrastructure owners must recognise their national-security role. Technology platforms must confront coordinated manipulation. Media organisations must verify responsibly. Citizens must be equipped to recognise manipulation without being encouraged into suspicion of everything.

Critical infrastructure protection is now central. Subsea cables, pipelines, ports, electricity grids, hospitals, transport hubs, data centres and telecommunications systems are not merely technical or commercial assets. They are part of national resilience. The European Commission’s 2026 Cable Security Toolbox and associated €347 million investment in strategic submarine cable projects show that Europe is moving from passive concern towards structured resilience, repair capacity and deterrence.

Preparedness must include exercises that test not only technical response, but political judgement under uncertainty. The real test is not whether a state can respond after all evidence is clear. The real test is whether it can act lawfully, proportionately and coherently while evidence remains incomplete.

Conclusion: hybrid threats attack the decision system

Hybrid threats are often described by their instruments: cyberattacks, disinformation, sabotage, coercion, proxies, economic pressure and legal ambiguity. Those instruments matter. But they are not the deepest target.

The deeper target is judgement.

Hybrid campaigns seek to make leaders hesitate, citizens distrust, institutions fragment and alliances doubt one another. They exploit the space between suspicion and proof, harm and attribution, disruption and response, legality and strategy.

That is why hybrid threats are so difficult. They are not only security incidents. They are tests of national coherence.

The answer is not to militarise democratic life or treat every disagreement as hostile manipulation. That would concede too much to the attacker. The answer is disciplined resilience: protected infrastructure, trusted institutions, lawful response, credible communication, allied coordination and decision-making that can function under ambiguity.

Hybrid threats are war below the threshold of war. They must be recognised before they paralyse, attributed before they are politicised, and answered without abandoning the democratic principles they are designed to exploit.

Selected Sources

NATO. ‘Countering hybrid threats.’ NATO Topic, updated 29 January 2026. https://www.nato.int/en/what-we-do/deterrence-and-defence/countering-hybrid-threats

NATO. ‘NATO launches Baltic Sentry to increase critical infrastructure security.’ 14 January 2025. https://www.nato.int/en/news-and-events/articles/news/2025/01/14/nato-launches-baltic-sentry-to-increase-critical-infrastructure-security

NATO. ‘Jean Charles Ellermann-Kingombe.’ NATO International Staff biography. https://www.nato.int/en/about-us/organization/who-we-are/international-staff/assistant-secretary-general-cyber-and-digital-transformation

Council of the European Union. ‘Hybrid threats.’ https://www.consilium.europa.eu/en/policies/hybrid-threats/

Council of the European Union. ‘Council adopts conclusions on advancing the EU’s capacity to counter hybrid threats.’ 16 March 2026. https://www.consilium.europa.eu/en/press/press-releases/2026/03/16/council-adopts-conclusions-on-advancing-the-eu-s-capacity-to-counter-hybrid-threats/

European Centre of Excellence for Countering Hybrid Threats. ‘Hybrid threats as a phenomenon.’ https://www.hybridcoe.fi/hybrid-threats-as-a-phenomenon/

European Commission. ‘Commission increases submarine cable security with €347 million investment and new toolbox.’ 5 February 2026. https://digital-strategy.ec.europa.eu/en/news/commission-increases-submarine-cable-security-eu347-million-investment-and-new-toolbox

European Commission. ‘Submarine Cable Security Toolbox and Cable Projects of European Interest.’ 5 February 2026. https://digital-strategy.ec.europa.eu/en/library/submarine-cable-security-toolbox-and-cable-projects-european-interest

Finnish Prosecution Service. ‘Prosecutor appeals judgement in the Eagle S case.’ 9 October 2025. https://valtioneuvosto.fi/en/-/11121156/prosecutor-appeals-judgement-in-the-eagle-s-case

Reuters. ‘Finland charges Eagle S tanker captain, officers over cable cuts.’ 11 August 2025. https://www.reuters.com/markets/commodities/finland-charges-eagle-s-tanker-captain-officers-over-cable-cuts-2025-08-11/

Reuters. ‘Finnish court says has no jurisdiction in Eagle S cable damage case.’ 3 October 2025. https://www.reuters.com/business/media-telecom/finnish-court-deliver-verdict-baltic-sea-cable-breach-trial-against-tanker-crew-2025-10-03/

UK House of Commons Defence Committee. Defence in the Grey Zone. HC 405, 9 July 2025. https://publications.parliament.uk/pa/cm5901/cmselect/cmdfence/405/report.html

European External Action Service. Foreign Information Manipulation and Interference materials. https://www.eeas.europa.eu/eeas/foreign-information-manipulation-interference-fimi_en

Author Workflow Disclosure

This article was produced through an AI-assisted but human-directed workflow. AI was used to support accessibility, structuring, language refinement, source prompts and editorial development. The author retained responsibility for the argument, interpretation, final judgement and publication decision. AI-generated material is not treated as empirical evidence.
