George Marriott London Politica

Developing coherent counter-hybrid threat strategies

Introduction

What do effective counter-hybrid threat strategies look like? In Lieutenant Colonel Frank Hoffman’s Conflict in the 21st Century thesis – the paper which first coupled the term ‘hybrid’ with warfare (and similarly, threats) – he emphasises that the West can “no longer overlook our own vulnerabilities as societies, focus on preferred capability sets, or underestimate the imaginations of our antagonists”. Since then, spurred on by the significant hybrid threats of the 21st century, counter-hybrid threat strategies have been sought. These are often (though not always) reactionary, meaning a hybrid threat needs to be realised, before a coherent counter strategy can be implemented. This can be especially true when a hybrid threat is coupled with new technologies, such as the Russian cyber-attack against US election infrastructure in 2016.

The scope of hybrid threats is enormous, shown comprehensively below. As with other doctrines therefore, counter-hybrid strategy must be guided by principles before bespoke solutions can be put in place. This article explores how some of these principles have been used successfully, allowing actors within states and across societies to develop resilience.

Figure 1: The Hybrid Threat Toolbox (Giannopoulos, Smith & Theocharidou, The Landscape of Hybrid Threats).

Identify adversaries and their intentions

Identifying an adversary, and further still identifying their modus operandi is no easy undertaking. Whilst not exhaustive, the desired effect of an adversary will usually fall into one of five categories: extort (for money); provoke (to trigger a reaction which damages reputation or justifies a counter-reaction); intimidate (individual or group coercion); exhaust (to break an opponent's will and stop them pursuing an objective); or protract (to drain an opponent’s resources whilst preserving your own). Knowing the single or combination of desired effects is useful in developing a counter-hybrid strategy.

In 2016, following the mass migration of refugees from the MENA region a year earlier, the EU struck a well reported deal with Turkey to stem migration flow into Europe, known as the EU-Turkey deal. Part of the contract saw the EU give €6 billion to improve the humanitarian situation within its borders. In June 2021, a further €5 billion for Turkey, Jordan and Lebanon was being debated to bolster the initial sum. Coincidentally, over the same period, Ryanair Flight 4978 was diverted to Minsk on its journey from Athens to Vilnius, and a dissident Belarusian journalist onboard arrested by the Belarusian authorities. This sparked a string of economic sanctions from the EU (adding to an already extensive list of sanctions imposed following the 2020 Belarusian elections). Following both events, Belarusian leader Alexander Lukashenko began trafficking refugees (predominantly from Iraq) into neighbouring EU states, specifically Poland, Latvia and Lithuania, using a series of trafficking routes operated by commercial third parties, and actively encouraging – even forcing – illegal migration across borders into the EU. European leaders were quick to identify this as a hybrid threat aimed to intimidate the EU into renouncing sanctions, with some commentators suggesting Lukashenko also intended to use ‘migrants as bargaining chips’, in order to extort the EU for financial humanitarian aid, citing the aforementioned EU-Turkey deal (and subsequent anticipated remunerations for Jordan and Lebanon) as a precedent.

Figure 2: Monthly data for 2021 showing number of illegal migrants coming from Belarus to Lithuania, July 21.

The EU response was swift and bold. EU leaders moved quickly to reform policy and legislation on migration, allowing the quick construction of physical barriers on Baltic State borders with Belarus. EU leaders agreed they “won’t accept any attempt by third countries to instrumentalise migrants for political purposes”, and condemned “such hybrid attacks on EU’s borders”. An article by the International Centre for Migration Policy Development theorises how Lukashenko assumed the EU would respond ineffectually, banking on significant border collapses from which the dropping of sanctions and inevitable humanitarian aid from the bloc could be negotiated (on top of his already lucrative smuggling fees, estimated by DGAP to have run to €40 million). The EU did commit €700 million for humanitarian aid within Belarus, though this was carefully distributed; €200 million directly to the ICRC and the remainder implemented by EU partner organisations on the ground. The Commission made available an additional €3.5 million to support voluntary returns from Belarus to countries of origin, effectively undermining Lukashenko’s forced diasporas.

Furthermore, additional legislative action was proposed and actioned, blacklisting the airline providers which facilitated Lukashenko’s migrant smuggling operation. The new legal framework allowed the EU to adopt targeted measures against transport operators. Subsequently, direct flights from Baghdad to Belarus were suspended, and flights from Erbil transiting through third countries to Belarus were also stopped. Ultimately, Lukashenko’s scheme was too transparent. The EU recognised the threat and the intentions behind it quickly, allowing a timely, collective response.

Diversify imports

Diversification is a vital tool in the arsenal of any counter-hybrid threat strategy. The war in Ukraine is showing all too clearly how dependencies on Russian liquified natural gas and Russian and Ukrainian wheat can cause catastrophic economic and humanitarian consequences. By controlling the sole production, logistic chain, or geopolitical choke-point, adversaries are able to leverage significant influence and exact an extort, intimidate, provoke, exhaust or protract agenda.

Figure 3: Percentage of total wheat imports from Russia and Ukraine and top ten wheat producers worldwide, November 22.

An interesting, contemporary case study to examine is Chinese and Taiwanese semiconductors. In 2011, Taiwan alone accounted for ~20% of the overall semiconductor industry worldwide and ~50% of the 20 leading semiconductor foundries, chief among them being the Taiwan Semiconductor Manufacturing Company (TSMC). The requirement for semiconductors since then has grown steadily, with chip demand soaring as the demand for smart devices increases. Annual semiconductor revenue increased exponentially; by 9% in 2020 and by 23% in 2021 – far above the 5% reported in 2019, with demand accelerating through the Covid-19 pandemic, as significant portions of the globe started working more remotely.

China’s increasingly threatening behaviour towards Taiwan has brought the reliance of Taiwanese semiconductor foundries into sharp focus. The process had already begun to naturally spread as the benefits of semiconductor production became clear, but the geopolitical implications of a potential conflict between China and Taiwan have accelerated the urgency for the West in particular to diversify their suppliers. US Commerce Secretary, Gina Raimondo, stated this year at the Aspen Security Forum in Colorado “our dependence on Taiwan for chips is untenable and unsafe”. In the last year, the US have recognised their over-reliance on Chinese and Taiwanese semiconductor imports and have significantly diversified their sources. As of 2023, the US produced 17% of its semiconductor demand, with 83% coming from Asia. China and Taiwan both show a relative negative trend, with Thailand, Vietnam, India and Cambodia showing a significant positive trend.

Figure 4: Comparison between 2022 and 2023 for the top 10 sources of US semiconductor imports.

Private companies too have recognised the consequences of overreliance on a small number of sources. Samsung, one of the world's leading users of semiconductors, has been ramping up their diversification strategy since 2019, aiming to invest $116 billion by 2030 to boost its foundry operations. Similarly, the management consultancy firm Deloitte has offered four useful, transferable actions which help private companies create diversified, safer semiconductor sourcing, and mitigate the risk of adversaries taking advantage of a monopolised semiconductor market. Deloitte suggest: 1) bringing manufacturing closer to home – nearshoring or friendshoring – by building new foundries or expanding old facilities; 2) managing the risks and challenges that come with this localisation; 3) digitally transforming and digitising elements of the process such as financial planning, operations, order and supply chain management (this helps create more resilient processes as they can be achieved remotely); and 4) addressing and balancing the semiconductor talent equation to ensure a balance of homegrown experts at all stages of production. Similar models can be applied to other industries at risk of hybrid attack.

Control the narrative

Societies writ large are a very important element of hybrid threats, and often the target of such attacks. NATO describes the information, cognitive and social domains as the cornerstone of hybrid warfare. Influence operations such as those employed by Russia in 2016 during the US presidential elections and UK Brexit referendum epitomise this. Access to information is readily available to societies. Open source intelligence (OSINT) makes up between 80-90% of all intelligence activities carried out by Western law enforcement and intelligence agencies. Due to the expediency of information proliferation, staying ahead in the battle to control the narrative is a critical element of countering a hybrid threat.

Russia’s hybrid operation to seize the geopolitically strategic Crimean Peninsula in 2014 was successful in part due to a well-constructed narrative, plausible deniability, and a weak Western counter-narrative. Through carefully designed lines of moral and legal pretext – including the citing of NATO’s intervention in Kosovo to create a Kosovan protectorate as precedent – followed by a veiled democratic election, Russia was able to seize the initiative and justify a land-grab which technically broke numerous treaties and charters, including the UN non-intervention charter, Helsinki Final Act of 1975, 1990 Paris charter, 1997 Treaty of Friendship between Russia and Ukraine, and the 1994 Budapest Memorandum of Security Assurances.

Figure 5: Crimea’s illegal annexation - key pro-Kremlin disinformation narratives.

Russia’s annexation of Crimea was condemned by many in the international community, and a series of moderate sanctions were implemented. However, the West’s reaction to the event has been described as weak for the most part. Russia’s pretext and subsequent justification narrative raised political and policy challenges for the West, and the West’s quiet voice gave impetus for Russia to increase nationalist rhetoric. Russia’s campaign in Crimea was ultimately unchallenged internationally, and some would argue their latter actions in Syria and the Donbas were more brazen as a result.

By contrast – and clearly the differences between 2014 and 2022 are evident in that 2022 was a full scale military invasion – the West’s unified voice and competitive narrative around the war in Ukraine have proven far more effective at galvanising international response. An important part of the Western narrative strategy in 2022 (led by the US and the UK) has been their use of intelligence. Early on in the campaign, when Russia was suffering from a string of tactical defeats including the roadblock en route to Kyiv, Western intelligence agencies began to rapidly declassify intelligence and release it to the public, a communication strategy which hitherto had not been seen in the 21st century. Russia’s withdrawal from Kyiv, an evident failure, was explained by Russian President Vladimir Putin as a strategic pivot. Western intelligence made it clear that it was military misjudgement, and distributed this globally. Eugene Rumer, a former US Intelligence Official at the Carnegie Endowment for International Peace, explained how this strategy “underscores to the world the futility, the foolishness, the insanity of Putin’s approach to Ukraine [and] hopefully this will also reach the Russian public and will feed into the domestic Russian narrative”. The UK intelligence services too have adopted this strategy. UK officials cited the failure in not aggressively sharing intelligence prior to and during Russia’s annexation of Crimea, with one official saying, “It needs to be done because it makes it harder for Russia to deny what it is doing, which was a problem back in 2008 (Georgia), in 2014 (Crimea) and in Syria”.

Tim Weiner, journalist and author of The Folly and the Glory: America, Russia, and Political Warfare, 1945–2020, explained that this rapid percolation of intelligence isn’t new, but simply a reimagination of a strand of political warfare, stating “the rapid declassification and publication of secret intelligence exposed and effectively blunted Putin’s plans to use disinformation and lies as instruments of war. Ultimately, this is a battle for the truth, and shaping people’s views of authoritarian regimes is part of the way political warfare is waged”.

Become resilient

Resilience, a buzzword often associated with counter-hybrid strategy, and a pillar of the EU’s approach to countering hybrid threats, is an encompassing term. Notably, a state’s critical infrastructure (civilian and military and across all domains including cyber) must have built-in resilience to withstand hybrid threats, with effective crisis response. NATO too acknowledges that resilience in infrastructure is a prerequisite for military effectiveness. 

In April 2007, following a catalytic event in which the Estonian authorities moved a controversial communist statue called The Bronze Soldier from the centre of Tallinn to the outskirts of the city, Estonia became the victim of a wave of cyber-attacks from Russian IP addresses, likely designed to foment disruption across the city in an act of retribution. Online services such as banks, media stations and government infrastructure were swamped with unprecedented amounts of botnet activity, bringing the city to a stand-still. Cash transactions, online broadcasts and government emails were all affected. The event was a harsh reality-check for Estonia. NATO is ambiguous as to whether a cyber-attack would trigger an Article 5 response. At the same time, Estonia realised this would likely be a recurring 21st century threat. Interestingly, about a decade earlier, Estonia had already initiated a workforce e-revolution, beginning with its Tiger Leap Foundation, which was rolled out across Estonian schools during the 1990s, followed by the Look@World Foundation, a public-private partnership which has raised digital awareness and popularised the internet, supported by the telecom and banking sectors. Between 2000 and 2016, the percentage of Estonia’s population using the internet jumped from 28.6% to 91.4%. Both projects have been instrumental in creating a baseline of cyber-attack resilience, and an internet-savvy workforce to draw from. Moreover, it has also energised computing across the Estonian population on a huge scale. So, when the 2007 cyber-attack hit, Estonia was able to mobilise at a remarkable pace, immediately setting up a voluntary Cyber Defence Unit aimed at protecting Estonian cyberspace, drawn from the country’s leading IT experts, who are security vetted and remain anonymous. Since then, they frequently run cyber-based scenario exercises, jointly with other agencies, such as an attack on a vital service provider or utility.

Estonians also vote and pay tax online, have access to their health records online and use online banking. They use a ‘personal access key’ (sometimes referred to as an online ID card) to access these services. Crucially, to ensure transparency, Estonians are able to monitor their own privacy digitally. As President Toomas Hendrik Ilves, the innovator behind Estonia’s digital revolution explains, the public can trace anyone who has tried to access their data by logging on to the state portal. There have been few cases where people have been sentenced for unethically accessing databases, such as medical professionals and the police. In effect, Estonia has its entire adult population frequently checking for abnormal behaviour within their own online realm, a hugely powerful reporting tool for any potential cyber-attacks. In 2021, Estonia ranked third in the Media Literacy Index, compiled by the European Policies Initiative of the Open Society Institute (OSI), behind Finland and Denmark, meaning that Estonia has one of the highest potentials for withstanding disinformation. The Estonian Digital Research Center and State Chancellery in partnership with an Estonian cyber-security company has also launched an online test which assesses disinformation detection skills. Estonia also houses ‘data embassies’ abroad, remoting their servers to allied countries further away from their adversaries, mitigating physical espionage. In 2008, they became the first country to use KSI Blockchain, allowing near-instantaneous threat detection.

Estonia has become a model for e-governance and a leader on digitisation. Since its digital reformation (and prompted by the 2007 cyber-attack), Estonia has shown how capable it is at countering cyber-attacks, to the point that it is able to withstand significant attacks with relative ease, such as the 2020 Killnet cyber-attack, thought to be in retaliation for Estonia removing a similarly controversial Soviet tank from a World War II memorial.

Target hybrid threat financing

Daniel L. Glaser, the Assistant Secretary for Terrorist Financing and Financial Crimes in the United States Department of the Treasury’s Office, stated during his tenure, “there can be no comprehensive response to a national security threat that does not include a strong financial component”. A feature of this financial component with respect to hybrid threats is to target adversarial finances, sometimes called counter-threat finance. Counter-threat finance is explained as “the activities and actions taken to deny, disrupt, destroy or defeat an actor’s ability to raise, move, use or store value”. Targeting threat financing is a strategy which has already been well refined in relation to terrorism, but is less developed and far less simple with more globalised threats, as the law of unintended consequences is amplified. Russia’s current stranglehold on Ukrainian grain exports (which in 2021 generated 41% of the country's total exports, amounting to $27 billion in revenue) is a clear example of how damaging it can be to restrict a state's income, with many African states suffering at the hands of the Russian blockade.

The application of sanctions, or the establishment of embargoes, is measured by NATO in terms of its practical value and its signalling value. Following Russia’s hybrid attack into Crimea, the West resolved to target the Russian economy, focusing on three practical areas: restricting access to Western financial markets for specific enterprises such as banking, energy and defence; an embargo on high-technology oil exploration and production exports to Russia; and an embargo on military exports to Russia (including dual use goods). These practical elements were in concert with the signalling value, which can be interpreted as a measure of subjective effectiveness for a specific population. In this case, the signalling was hoping to achieve the following:

  • Coordinated action (by the EU and NATO, signalling unity to domestic and adversarial audiences).

  • Specific agencies targeted within the Russian state (signalling responsibility and distinction to domestic and adversarial audiences).

  • Designed to cause tangible economic damage (signalling credibility to domestic and adversarial audiences).

  • Accepting a limited risk of economic pain domestically (signalling resolve to domestic and adversarial audiences).

The economic and financial assault on Russia following the annexation, specifically their energy sector, likely contributed to Russia’s faltering economy over that period. In 2019, Bloomberg compared Russia’s 5-year GDP forecast with its actual GDP, showing financial targeting had almost certainly had a degree of impact.

Figure 6: Russian economy 2013-19.

Integrate and cooperate

Perhaps most importantly, a developed counter-hybrid strategy must be integrated and in cooperation with allies, organisations and societies. Notwithstanding the primary responsibility to respond to hybrid threats or attacks rests with the targeted country, NATO recognises (as does the EU and individual nation-states) that a joint, integrated approach, built on activities including coherent, strategic messaging, shared intelligence, joint exercises and closer military-civilian cooperation is fundamental. Cooperative societies are also recognised as key to challenging hybrid threats. Threat-aware societies are able to recognise disinformation, absorb economic pressures, and shape sensible policy decisions, which can augment counter-hybrid threat strategies. This has been seen to work for Estonia with their media literacy index score.

An example of European integration against hybrid threats is the Hybrid Centre of Excellence (Hybrid CoE), an autonomous, network-based international organisation sponsored by Finland, which allows NATO and the EU to work more closely against hybrid threats. A ‘do-tank’ with a budget of €1.5 million, the centre helps NATO and the EU design the counter-hybrid threat playbook. The Hybrid CoE has facilitated learning through a series of regional seminars, and identified the need to develop a whole-of-government and whole-of-society approach, which includes engagement with the private sector, academia, and civil society.

Figure 7: Comprehensive approach to counter hybrid threats.

Additionally, the Hybrid CoE has coordinated a number of joint exercises with EU and NATO audiences to stress-test hybrid threat responses, for example the “Harbour Protection under Hybrid Threat Conditions” exercise, which was run in 2018. The European Defence Agency Chief Executive, Jorge Domecq, noted the relevance and usefulness of these types of exercises, and the Director of the European Centre of Excellence for Countering Hybrid Threats, Matti Saarelainen, emphasised how exercises such as this are crucial, stating “as international interdependency increases, it is necessary to assess and develop security more comprehensively than in the past. Hence, all stakeholders should be equally aware of the nature of hybrid threats and share the level of awareness among them”.

The European External Action Service, including the EU Intelligence Analysis Centre, works closely with NATO, upholding the Joint Declarations of Warsaw and Brussels (2016 and 2018), which identify fourteen agreements aimed at jointly tackling hybrid threats. It is equally important to recognise how EU-NATO cooperation is moving from agreements to actions. Two actions which deserve mention are the Technical Arrangement on Cyber Defence, which provides a framework for sharing best practices between NATO’s Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the European Union (CERT-EU), and Military Mobility 2.0, a system which allows NATO armed forces to quickly respond at scale to crises erupting at EU external borders. Additionally, since 2019, NATO has been trialling concept forces known as Counter Hybrid Support Teams, which give ad-hoc assistance to member state Armed Forces in the event of a hybrid crisis. These teams have been fielded and exercised since 2019. All of these actions are in their early developmental stages, but certainly serve as evidence of how a cooperative approach assists with developing coherent counter-hybrid strategies at scale across the European continent.

Conclusion

Principles pertaining to counter-hybrid strategies are clearly non-exhaustive. This article has identified some of the most important. The European Commission’s joint framework on countering hybrid threats helps to consolidate and direct future lines of operation for countering hybrid threats. Critical to positive outcomes is improving awareness using the aforementioned whole-of-government and whole-of-society approach, and establishing mechanisms to exchange information (including intelligence) and examples of good practice at various scales. Teija Tiilikainen, the Director of Hybrid CoE has written perceptively about the 10 steps for a resilient Europe which complement counter-hybrid strategies, the last of which is to ‘be imaginative’. This language is important, echoing Hoffman’s adage to ‘not underestimate the imaginations of our antagonists’. Tiilikainen is clear that hostile adversaries can and will transform anything they can into a tool of influence, and use that tool in multiple domains with the help of advances in techniques and technology. Therefore, the preparedness and response to these threats must be equally imaginative, novel and influential.
