Toeing the Threshold: Russia’s Hybrid Grand Strategy and the Future of NATO's ‘Strategic Ambiguity’
- Maximilian Wolf
- Jul 1

On April 22, 2023, a woman on a horse ride in a forest near the Polish city of Bydgoszcz was stunned to find the wrecked remains of an unidentified airborne object resting beneath the trees. Reporting it to the local police, she was unaware that the wreckage she had found was in fact that of a Russian KH-55 cruise missile, capable of carrying a 200 kT nuclear warhead – 13 times the explosive payload of the bomb dropped on Hiroshima in 1945 – but thankfully unarmed. Evidence suggested that the cruise missile, launched from Belarus, had travelled over 500km over Polish territory before crashing a few kilometres from the outskirts of Poland’s eighth most populous city.
The ensuing investigation made matters even more confusing: it was discovered that the cruise missile had crashed and lain dormant in the Polish woods since December of the previous year. The Polish air force had been aware of its entry into their airspace, but could not locate it due to bad conditions. The incident, not made public at the time, was subsequently deemed to be a case of an errant warhead that got off course while on its way to its target in Ukraine. But questions remained: Why was the cruise missile found with no explosive payload on board? Why had the incident, reported to the Minister of Defence, been kept a secret from the public and, more concerningly, the Prime Minister? Why had the search for the crash site been abandoned after only one day, and using only local police rather than the military? And how could the missile have come off course so much as to crash land near Bydgoszcz, in the north-west of Poland?
Bydgoszcz is not only Poland’s eighth city but also home to five NATO units, the NATO Joint Forces Training Centre, and NATO’s largest supplier of TNT, Nitro-Chem, which is nearby. Did Russia launch a nuclear-capable cruise missile bound for Ukraine with no payload on board, which lost course and accidentally crashed close to a key NATO base in Poland? Or did the Kremlin fire the empty KH-55 as a warning shot for NATO forces?
Incidents like this illustrate the razor-thin line that separates Putin’s war of aggression in Ukraine from spilling over into a larger-scale conflict with global implications. Had the missile found near Bydgoszcz carried and detonated a conventional – let alone nuclear – payload, it would have constituted what Article 5 of the North Atlantic Treaty deems an “armed attack” against a NATO member – and therefore an attack against all Treaty members, effectively rendering it a declaration of war against NATO. Whether or not the missile was indeed errant and bound for Ukraine, or a shot across NATO's bow, any such incident could trigger a global war with potentially nuclear consequences.
And it raises a further, crucial question: while the detonation of a nuclear-capable cruise missile is a fairly unmistakable “armed attack”, what about acts of hybrid and cyber warfare? When does a cyber attack, an act of industrial sabotage, interference in an election or disinformation campaign cross the threshold of constituting an act of war? Even as technological advances in AI are on the verge of exponentially amplifying the scalability and potential impact of hybrid and cyber warfare tactics, the operational and political clarity on such tactics and strategies, which, as the saying goes, “blur the line between war and peace”, is – at least outwardly – sorely lacking from a European and NATO standpoint. Far more ambiguous than a cruise missile hitting an important NATO position, hybrid and cyber operations raise critical questions about the nature of 21st century warfare itself – and therefore also about the future of collective defence beyond today’s conflicts.
Cyberattacks, disinformation, manipulation: Russia as a master of hybrid warfare
Thus, we dive into the murky waters of so-called “below-threshold” or “below-Article 5” threats. Some three and a half years into their invasion of Ukraine, it is clear that Russia is already waging war on NATO. For now, this war is not kinetic – save perhaps for the Western equipment supporting the Ukrainian army’s efforts on the ground. Instead, this battle is taking place on multiple fronts, in the form of hybrid warfare. Such below-threshold threats are typically non-kinetic forms of influencing, coercing, weakening or otherwise subverting adversarial states, militaries and critical entities. These can range from abstract and long-term strategies, such as destabilising weak states in the adversary’s vicinity, to direct, short-term tactical operations like cyber attacks targeting the enemy’s critical infrastructure. And the Kremlin has, for a number of years now, been using a multi-layered arsenal of these capabilities against states it deems adversarial.
Indeed, this campaign has its beginnings long before February 24, 2022. Russia, long a master of the dark arts of hybrid warfare, has used and continues to use instruments on all levels of abstraction and throughout the operational and information spectrum to weaken NATO resolve, undermine and fracture European political unity, and directly or indirectly target NATO conventional capabilities. A brief examination of Russia’s hybrid arsenal unleashed against European and NATO states – but also unaligned, neutral states – within the last few years gives us a good overview of the growing tactical and strategic role of asymmetric, hybrid and cyber threats in Russia’s broader geopolitical struggle beyond the Ukrainian theatre.
Cyberattacks and sabotage
In today’s rapidly digitising world, cyber warfare and sabotage have taken centre stage in Russia’s tactical hybrid arsenal in and beyond the battlefield. Such operations have been employed on the ground in Ukraine: tactically on the battlefield, in attacks on governmental institutions, and in attacks on Ukrainian critical infrastructure like the civil electricity network. But Russian state actors have also repeatedly targeted NATO states and allies directly, as a way of disincentivising support for Ukraine – or punishing such support after the fact. The Dutch military intelligence service MIVD, for instance, recently reported a large-scale cyber-sabotage attack on an undisclosed critical service provider in the Netherlands last year, seemingly to discourage a €150 million package to aid Ukraine’s air defences, which was eventually approved this April. The Kremlin has shown a propensity to use non-NATO members as testing grounds, as in the case of the two-week DDoS attack which effectively shut down Austria’s Ministry of Foreign Affairs in 2020. Meanwhile, Russia’s use of para-state groups and hacking collectives with unclear links to Russian Intelligence allows Russia to deny accountability, while making attribution more difficult.
Election manipulation
Romanian and European politics were shaken up when Calin Georgescu, polling in the single digits just weeks before, surged to win the first round of Romanian presidential elections in November. Shortly after, a network of some 66,000 bots and “inauthentic accounts” was removed from TikTok, where Georgescu’s surge began. A Russian network operating on Telegram was uncovered, filtering almost €1 million to thousands of accounts, including Romanian social media influencers, to amplify Georgescu’s protectionist, pro-Kremlin and anti-Ukrainian message on social media. Although awaiting final confirmation, the campaign mirrors similar disinformation and interference campaigns used by the Kremlin in Moldova and elsewhere. Here, too, Russia’s activities are not limited to Ukraine and its NATO allies: non-NATO member and neutral state Austria reported massive cyber attacks on the websites of political parties days before last November’s election, perpetrated by the Kremlin-affiliated hacker group, “NoName057(16)”.
Disinformation and influence campaigns
A few months later, in March, Austrian intelligence uncovered another Russian operation, this one an “analogue” influence campaign that involved placing fake pro-Ukrainian stickers with Nazi allusions and symbolism in sensitive public places. While this operation was clearly limited in scope, it highlights the Kremlin’s sensitivity to disinformation on all levels of the information spectrum. Of course, disinformation is all the more potent with the role social media plays in our everyday political and social lives. With the rapid growth of AI systems capable of producing lifelike videos or manipulating existing footage, the threat of targeted digital misinformation is going to continue to grow. It is clear that Russian disinformation campaigns and election manipulation fit into a broader strategy to destabilise European political and social cohesion and push support for pro-Kremlin political actors, primarily on Europe’s extreme right. Documents uncovered in the course of the “Wirecard” bankruptcy scandal, which inadvertently uncovered a network of Russian agents active in central Europe, have highlighted attempts by Kremlin agents to establish “refugee centers” in northern Africa, from which waves of migrants can be sent to Europe in a concerted manner when politically opportune.
Cyber attacks, sabotage, disinformation, election manipulation: these operations, all within the past year or so, highlight the growing role of hybrid warfare tactics in Russia’s arsenal. Putin’s hybrid strategy is multifaceted, modern, self-reinforcing and long-term in its thinking. While a TikTok campaign, a few stickers, or a single DDoS attack do not carry the same weight as an armed ballistic missile hitting a NATO base in Poland, they nonetheless raise the question: where, and how, do you draw the line between yet another act of destabilisation and manipulation, and an act of war?
The “strategic ambiguity” of Article 5: deterrent or weakness?
As it stands, Article 5 of the North Atlantic Treaty remains firm: only an “armed attack” against one or more of its signatories can trigger the collective security clause. Naturally, NATO has looked beyond conventional, kinetic threats since: the 2016 NATO summit affirmed cyberspace as a further operational domain beside land, air and sea, and cyber attacks were reiterated as a possible triggering cause for Article 5 in 2016 and 2021. Hybrid warfare, too, was affirmed as a possible trigger at summits in 2019 and 2021. In both, the focus remains on a “case-by-case evaluation”. Proponents have noted the strategic value of what former NATO Secretary General Stoltenberg called “purposefully vague” language of Article 5, arguing that the “uncertainty serves as a deterrent and can motivate a potential adversary to exercise self-restraint in their malicious cyber activities and avoid launching a large-scale attack that could cross the blurred threshold”. Much of this ambiguity, they claim, is an outward, “official” ambiguity: not showing one’s hand to adversaries while closely monitoring the situation along clearly established, internal guidelines. Because the Kremlin – or any malign actor – is unaware of where the red lines are, they are more likely to restrain hybrid and cyber operations to within acceptable bounds, both in scale and quantity. In other words, this strategic vagueness is a key deterrent in its own right.
But does this assessment hold up in 2025? While the Kremlin has certainly intensified its multidimensional hybrid operations since February 2022, Europe has been feeling the effects of the strategy since before Putin’s annexation of Crimea in February 2014. Today, with a network of agents of unknown size operating throughout NATO and non-NATO states alike, Russian intelligence is able to potentially operate multiple, complex public influence and election manipulation campaigns simultaneously, constantly attempting to sway public opinion in Russia’s way in critical Western states. Potential voters are targeted with concerted and well-produced social media campaigns with the ability to produce authentic AI and deepfake visual material, while armies of bot accounts can overrun local servers and sway public opinion on social media platforms. Not least, the “Voice of Europe” scandal a year ago, which uncovered a network of pro-Russian actors embedded in a seemingly authentic Czech media agency, actively approaching EU Parliament lawmakers for covert intelligence or the paid peddling of Russian propaganda, shows the Kremlin does not shy away from attempting to infiltrate the highest levels of political decision-making in Europe directly.
At the same time, their cyber warfare capabilities have grown both in scope and capacity, and continue to threaten critical NATO entities. They have attacked critical infrastructure, as well as businesses and government agencies far beyond Ukraine’s borders, in NATO and non-NATO countries alike. Unlike with all but the most covert kinetic weapons systems, there is furthermore a certain ‘survivorship bias’ when it comes to cyber capabilities: actors like Russia can choose which capabilities to reveal to the adversary. The Economist recently noted that Chinese hackers may already have deeply penetrated some critical US infrastructure systems, with malignant code providing Chinese hackers a ready-made opening for sabotage should the need for cyber-escalation arise. Although Chinese hackers are more advanced than their Russian counterparts, the latter are no slouch; there is no reason to believe current Russian cyber attacks in Europe are particularly close to the maximum destructive potential of the Russian signals intelligence’s arsenal.
At the intersection of cyber and hybrid warfare, a report by the American Sunlight Project, a watchdog, uncovered the Russian ‘Pravda’ network of over 100 sites spanning an astonishing 74 countries and regions, as well as twelve languages. These domains auto-replicated Russian-friendly media reports, likely to flood Western AI large language models (LLMs) like ChatGPT with Russian bias, a strategy dubbed “LLM grooming”. A sample analysis by ASP showed an astonishing publication rate: even with the conservative estimate of 97 unique domains, their sample estimated the total publishing output of the ‘Pravda’ network to be over 20,000 articles in a 48-hour period. ‘Pravda’ – the Russian word for ‘truth’ and infamously the name of the official newspaper of the USSR’s Central Committee – points to the Kremlin’s sensitivity to the growing salience of AI large language models in public discourse, and their ever-growing critical role in shaping the informational world around us.
Not least, Putin’s grand strategy looks beyond national borders and NATO territorial lines. Employing Wagner troops and other mercenaries, or buying influence with local warlords and strongmen, the Kremlin has sought to destabilise Europe’s geopolitical neighbors in the Middle East, North and Sub-Saharan Africa, aiming to trigger refugee movements to push European welfare states – and their political establishment – to the brink and fuel anti-EU and, so often, pro-Kremlin sentiment on the continent. Putin’s hybrid grand strategy is multi-layered and advanced, able to juggle rapid, tactical cyberattack capabilities, medium-term political influence campaigns in the digital domain seeking to weaken EU unity and potentially sway crucial elections in Russia’s favour, and long-term, strategic operations to weaken and destabilise European states, through a multitude of methods as widely diverging in force and sophistication as forced displacement and LLM grooming.
While Russia’s invasion of Ukraine, undoubtedly the biggest strategic blunder of Putin’s career, was arguably the greatest unifying factor for NATO since 9/11 – re-invigorating an unpopular and apparently outdated organisation, driving military spending back towards the 2% goal and leading multiple powerful militaries on or close to Russia’s border to join the Alliance – a dragging war, energy insecurity and the multilevel nature of Putin’s strategy all mean that a fracturing of EU and/or NATO unity and resolve is not unthinkable in the medium term. Networks like ‘Pravda’ and organisations like ‘Voice of Europe’ indicate how Russian campaigns work to push Russian propaganda and support anti-NATO heads of state on all European policy levels. The close-call election in Romania shows how quickly one successful operation in a key NATO state could shake up the playing field. Again, the latter operations are not likely to be everything up the Kremlin’s sleeve, either from a current operational standpoint or from one of maximal operational capability. One thing, though, remains clear: Putin will keep prodding all levels of political decision making, looking for weak points to undermine European political unity and NATO resolve.
For this resolve to hold – and for Article 5 to maintain its role as a deterrent, and avoid the risk of becoming an empty promise – political clarity may be of equal importance today as operational clarity. For one, many NATO member states still rely on a parliamentary mandate for any involvement in collective defence operations, and their level of material military commitment, even when Article 5 is triggered, remains a political matter – two things which cannot be said for Putin. A vague formulation of Article 5 – even if “strategically ambiguous” only outwardly – could risk a situation where even clear violations of the collective defence clause drown in a political back-and-forth, undermining not only NATO's operational capabilities and the speed at which these capabilities can be deployed, but also – as a result – the very deterrence role the combination of those factors is intended to fulfil.
Meanwhile, continuously reaffirming that cyber and hybrid attacks could trigger Article 5, without clearly delineating which do or do not, may begin to feel more like an invitation than a deterrent. While Russian hackers are continuing to push the bounds of the scale and intensity of their attacks on Western critical cyber infrastructure, no single attack is “game-changing” enough to risk triggering Article 5. Every new attack or operation piles political pressure on EU and NATO critical entities, while each new Russian foray into uncharted hybrid land that goes unpunished sets an implicit precedent that the red line is yet further away. Without sufficient political (i.e. public) clarity, a retroactive NATO declaration of a case of a Russian operation constituting an “armed attack”, an Article 5 red line having been crossed, may end up appearing arbitrary to public eyes, potentially fuelling political polarisation and further feeding the very Russian victim narrative Putin’s hybrid strategy has been so successful in cultivating throughout the West. If NATO vows to defend not just the territorial West but also its values, it must take into account political narratives and their power in shaping public opinion. With an at times Russophile Trump White House at the de facto helm of the organisation for the coming years, such political clarity may yet prove critical when push comes to shove.
Furthermore, it is clear that we have, in 2025, but an inkling of the transformative power of Artificial Intelligence in supercharging the potency and potential reach of Russia’s hybrid tactical arsenal, from cyberattacks to disinformation campaigns. With the potency of such threats growing as exponentially as AI technology itself, the need for clearly defined safeguards and red lines becomes more crucial than ever. AI indeed poses a double problem for cybersecurity: not only can it enhance the capabilities of the attacker, but increased incorporation of AI in Western critical infrastructure also exposes a greater “surface of attack” for malign actors to exploit, for instance via “prompt injection”. The ‘Pravda’ network shows the Kremlin’s sensitivity to the strategic potential of exploiting AI, going so far as to try to skew the analysis of public LLMs – a move clearly intended more to shape public opinion than attack critical infrastructure.
NATO – and more concretely Europe – risks becoming a punching bag for daily hybrid attacks from Russia, no single one of them game-changing enough to constitute an “armed attack” under Article 5, but in sum a potent, consistent campaign pushing the continent’s political establishment to the brink. Europe is already feeling this ‘death by a thousand cuts’ strategy today; the same strategy, in equal quantity but fuelled by the awesome, growing power of AI to push disinformation on a large scale, produce a well-timed deepfake video days before a critical election, or make cyberattacks more destructive and difficult to attribute, could prove a toxic mix for a European project already mired by polarisation and political rough seas.
Predictions for 2030: Mutually assured destabilisation
There is little reason for Putin to abandon his concerted hybrid strategy aiming to weaken the West’s resolve over the next five years, unless unmistakeable action is taken. Whether or not the war in Ukraine continues, Putin’s hybrid war with the West goes beyond the tactical level; in his eyes, Ukraine is only the most active theatre among a broader, larger-scale geopolitical and cultural struggle for post-Cold War dominance. In weakening his perceived adversaries and expanding the Russian sphere of influence, his strategy is already doing its job, weakening NATO's operational resolve and pushing Russophile actors in Europe to undermine allied political unity. Sensitive to Western democratic processes, Kremlin operations continuously attempt to sway public opinion in Russia’s favour through a multitude of sophisticated and interconnected methods.
By 2030, some clearer safeguards will likely be in place, but the non-kinetic and long-term nature of Putin’s strategy and the serious consequences of an Article 5 invocation will likely continue to drive a policy of tacit tolerance of Russian hybrid warfare by NATO until unmistakably clear red lines are drawn, or in the unlikely case a game-changing operation takes place or is discovered. Strategic ambiguity will remain doctrine, all while AI continues to supercharge cyber and hybrid warfare capabilities. Cyber and hybrid capabilities will continue to interlink and self-reinforce. With NATO unwilling to engage offensively in such tactics in a concerted manner, this will primarily benefit Russia. The Kremlin, for its part, will not show its full hand when it comes to the potential of its cyber capabilities, slowly testing the waters on new capabilities while saving systems-level attacks for a moment it deems opportune. With AI breaking new ground almost daily, a global consensus on effective AI regulation still far off, and cyber defence capabilities struggling to keep pace with the growth of offensive threats, a quiet cyber-arms race among global powers continues to gain speed.
Policy recommendations: (Cyber-)War and Peace
Strategically unambiguous: A clearer outward definition of NATO red lines when it comes to cyber and hybrid threats is unavoidable. To deter a threat, we must be able to name it. As capabilities grow rapidly, safeguards and red lines must stay ahead of the curve or risk becoming irrelevant. At the same time, NATO's response must become as transparent and accountable as strategically possible to counter Russian victim narratives.
Unified NATO (and NATO-adjacent) cyber defence: Today’s conflicts take place as much in cyberspace as they do on sea or land. While joint exercises like the NATO CCDCOE's “Locked Shields” are a step in the right direction, NATO must make efforts to unify and streamline cyber defence capabilities, perhaps including NATO-adjacent (e.g. PfP) states under a uniform cyber umbrella. Today’s “Sky Shield” is tomorrow’s cyber defence umbrella.
Cyber rapid response: The capabilities and scope of NATO Cyber Rapid Reaction Teams must be expanded to enhance deterrence capabilities. Retaliatory tactical measures could be considered in the event of a large-but-not-threshold-crossing attack, as a means of strengthening deterrence options.
Clearly defined AI safeguards: NATO and NATO-adjacent actors must move quickly to institute clearly defined legal frameworks for the use of AI technology, particularly regarding sensitive content like political communications: watermarks, verification, and automated authenticity controls.
Stricter social media guidelines: Social media is, for better or worse, here to stay in our public discourse. To give Russian disinformation as little area of attack as possible, stricter verification guidelines for profile and content creation, and independent fact-checking instruments must be deployed.