
From Terror Networks to Hybrid Threats: A Partner Approach to a Growing Threat

The hybrid threat challenge facing Europe today is reminiscent of the terrorist threat challenge of the post-9/11 Global War on Terrorism (GWOT) era. Because of that similarity, the alliance should adapt the counterterrorism cooperation model developed over the last twenty years.

As European security partners grapple with Russia’s gray-zone activities—operations conducted below the threshold of war to create confusion and hesitation—the recently released U.S. counterterrorism strategy makes a notable acknowledgment. In the final sentence of its subsection on Europe, the strategy commits to working with European partners to counter covert state actions, including sabotage and assassination plots, categorized as “hybrid threats.” The inclusion of the term is both appropriate and significant because Russian intelligence services have demonstrated how state power can be projected through irregular means.


After all, even a cursory glance at some of the activities being perpetrated by Russian and Iranian proxies throughout Europe demonstrates that what we are actually talking about looks a lot like the FBI’s definition of international terrorism: “Violent, criminal acts committed by individuals and/or groups who are inspired by, or associated with, designated foreign terrorist organizations or nations (state-sponsored).”

Since the Russian invasion of Ukraine, Western intelligence services have been tracking a troubling evolution in Russian tradecraft: the emergence of proxy recruitment at scale, enabled by digital platforms and designed to blur the lines between espionage, sabotage campaigns, and terrorism.

Through the use of so-called “disposable agents,” both Moscow and Tehran have convinced individuals living in the West to commit violent, criminal acts, sometimes for small sums of money, other times encouraging attackers with ideological inspiration. If these were Sunni jihadists linked to al-Qaeda or the Islamic State, the incidents would be labeled as terrorist attacks, and those responsible would be called homegrown violent extremists who were radicalized and recruited online. Russia has worked through its intelligence services, while also cultivating a network of willing recruits throughout Europe.

Recent investigations reveal the scale and intentionality behind this approach. A 2025 exposé uncovered a Russian military intelligence (GRU)-linked recruitment campaign using Telegram bots and viral propaganda videos to solicit volunteers abroad. The messaging was deliberately broad—appealing to nationalism, grievance, or simple curiosity—and funneled interested individuals into automated recruitment pipelines. These systems lowered the barrier to entry: a single click, message, or expression of interest could place a user into a pipeline for tasking.

Iran has followed suit, relying on one of its many proxy groups—Kataib Hezbollah, an Iraqi Shia militia—to orchestrate a shadowy hybrid campaign under the banner of Harakat Ashab al-Yamin al-Islamia (HAYI). HAYI has already claimed responsibility for a series of attacks across Europe, spanning the United Kingdom, the Netherlands, Belgium, and France. Similarly, Russian hybrid attacks in Europe know no borders and have occurred in the UK, France, Germany, Estonia, Georgia, Moldova, and elsewhere. Just last week, Russian drones crashed through an apartment block in Romania, a NATO member.

The key to successfully countering hybrid threats is working by, with, and through allies to leverage each other's strengths in a shared effort to identify threat networks, map their structures, penetrate their operations, and dismantle them. This requires not just unity of effort within countries, but a coordinated approach across law enforcement, intelligence agencies, security services, and special operations forces.

In some ways, perhaps, the U.S. and its allies are a victim of their own success. The Global War on Terrorism—while not without its faults—was successful in combating al-Qaeda and the Islamic State, decapitating their leadership and driving them from safe havens in the Levant and Pakistan's tribal areas. Of course, the terrorist threat has not vanished, though it has morphed into a more decentralized network of regional affiliates and franchise groups that still wreak havoc from the Sahel to Central Asia.

For more than two decades after 9/11, the United States and our European allies were bound together by a clear and urgent mission: to disrupt terrorist networks, prevent attacks, and dismantle organizations such as al-Qaeda and ISIS. That shared mission forced us to innovate. It drove unprecedented cooperation across intelligence services, law enforcement, counterintelligence, and special operations forces. Barriers – silos – that once slowed us were broken down, and in doing so, countless lives were saved.

But the strategic environment has dramatically changed.

Compared to the two decades that followed the al-Qaeda attacks of September 11, 2001, terrorism has become a back-burner issue, displaced by a focus on great power competition, which manifests in the shadows through hybrid threats. And while NATO has had a strategy to counter hybrid threats since 2015 (and has also developed a Center of Excellence to analyze the issue), the discussion is typically less coalition- and mission-focused than counterterrorism operations were, say, during the peak of the Islamic State's caliphate and amidst the mass movement of foreign fighters between Western countries and the Middle East.

One of the issues is that, as a concept, hybrid threats—while not a new term—suffer from definitional ambiguity and are not widely agreed upon in the lexicon. The term itself is used interchangeably with 'gray zone warfare' and is at times mistaken for or confused with asymmetric warfare, political warfare, irregular warfare, and/or unconventional warfare.

Still, the 2026 strategy does characterize certain states as behaving like terrorist enablers—or as part of the terrorist threat environment—when they sponsor, support, equip, or facilitate terrorist organizations, rather than treating terrorism solely as a non-state actor phenomenon. While not explicitly calling out Russia, that framing is useful and is a departure point for a more aggressive Western strategy for countering this phenomenon.

Terminology and labeling aside, what is clear is that sabotage, cyber operations, and the use of disposable agents by Russia, Iran, and other Western adversaries are wreaking havoc and destabilizing society in many countries. And because state actors are involved, there is an additional element they alone can bring—scale. This means using professional intelligence services, financial resources, sophisticated cyber capabilities, diplomatic cover, and complex logistical support in transportation, communications, and other crucial areas.

As such, the only way that states can hope to be successful in countering hybrid threats is by massing their own state-based capabilities and cooperating through pooled resources and intelligence sharing.

Another idea gaining traction, in the event of escalation in Europe, is resurrecting Cold War–era-like stay-behind structures for government continuity: a legally grounded resistance architecture that’s in place—distributed, resilient, and capable of sustaining state continuity from the first moment of disruption. It is almost shocking to process the idea that hybrid threats from Russia are causing some NATO countries to institutionalize “total defense” models designed to absorb shock and sustain governance under pressure. But the threat landscape demands such contingencies.

In this new threat paradigm, resilience and resolve—not caution—are the center of gravity.

Only a more aggressive stance in pushing back against those actors deploying hybrid capabilities can be effective. One thing is for certain: a tepid, half-hearted response—or worse, no response—will only continue to embolden Moscow, Tehran, and Beijing. Hybrid threats, by their very nature, pose a cross-border challenge. The shots may be called in the Kremlin, but the operations take place in London, and may involve intermediaries scattered across the globe, providing various forms of active and passive support to the perpetrators of the attack.

Blunting these offensives requires the integration and partner-sharing of world-class intelligence – like the way Western intelligence services dealt with jihadi threats – and an unprecedented willingness to elevate aggressive offensive counterintelligence to a strategic capability among partner nations.

Countering hybrid warfare requires far deeper intelligence integration among allies. Intelligence sharing can no longer remain confined to elite classified exchanges between a handful of services. Governments must create real-time intelligence fusion across cyber defense agencies, financial regulators, military commands, law enforcement, border security organizations, and private-sector infrastructure operators. This is particularly urgent because critical infrastructure is now the frontline of modern conflict.

If the Western nations remain integrated, vigilant, and forward-leaning, they will not simply compete in this space—they will shape it.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
