The Republic of Agora

Old Wine, New Bottles?


The Challenge of State Threats

Matthew Redhead | 2025.01.14

Over the past decade, Western countries have faced an apparently rising tide of hostile activities perpetrated by state actors and their partners, many of which sit in the “grey” or “liminal” zone between peace and war, using hybrid or unusual methods as vectors of attack. This body of activities has become known by a variety of terms, such as “state threats”, “hostile state activity” and “hostile activity by states”.

However, much of the current discourse around state threats has been poorly and loosely defined, and has tended to focus more on the topic’s military than civilian aspects. Much research has also failed to ask a variety of basic questions about why the issue of state threats is so important now, both as a phenomenon, and also as a subject of policymaking for Western governments. Many of the activities that fall under the broad umbrella of state threats are well-known covert and clandestine activities such as espionage, sabotage and subversion. There are natural questions of how novel or significant state threats truly are, and indeed, how much Western governments care about them as a result.

This research seeks to address these concerns, looking to provide firmer definitional boundaries, and, within them, to explore the scale, scope and character of modern state threats, especially – but not exclusively – from a Western perspective. The research notes that besides the apparent explosion in the volume and range of hostile activities, there is much that is “new” about them, from the combination of traditional intelligence tradecraft with new technologies, attempts to innovate, a willingness to take greater risks, and a growing willingness to contract out violent and/or dangerous clandestine and covert activities to both licit and illicit non-state actors – especially organised crime groups. It is also clear that many hostile activities take advantage of new vulnerabilities in society that have never existed before, such as the ubiquity of social media and societal reliance on technology.

Overall, the research shows how state threats have become more important as tools of policy due to “geopolitical climate change”. Perceived changes in global power balances and receding agreement on international norms of behaviour are permitting and encouraging more states – non-aligned and Western, as well as authoritarian opponents of the West – to use hostile acts that mostly fall short of war to achieve their political ends. Although current evidence suggests that the results of these kinds of activities are mixed at best, their relative cheapness and apparent lack of political risk are likely to make them an attractive form of coercive statecraft in the medium term. While this might be bearable for highly resilient states in the short term, this is unlikely to be the case for less stable societies, and if sustained over the long term, could even have more severe effects on open societies that have robust protections in place.

1. Introduction

In January 2024, the UK’s defence secretary, Grant Shapps, warned the British public of the rising threat to the UK of hostile, state-backed activity from countries including China, Russia and Iran. The deputy prime minister, Oliver Dowden, informed the House of Commons in March of that year that Chinese state-backed hackers had conducted cyber espionage campaigns against UK parliamentarians and the UK Electoral Commission in 2021 and 2022. The following month, two British men were charged with committing arson in support of Russia; and Iranian journalist Pouria Zeraati was stabbed outside his home in London, while the suspected attackers, who were apparently acting on behalf of the Iranian state, fled the UK.

As Shapps forewarned at the start of the year, the UK would endure a prolonged wave of state-linked hostile acts in 2024. But this wave was not altogether new; in March 2023, the assistant commissioner of the Metropolitan Police, Matt Jukes, stated that his force’s casework on foreign interference and espionage had increased fourfold since March 2018, with the attempted poisoning of former Russian intelligence officer Sergei Skripal in Salisbury. Nor was it limited to the UK. Across Europe, North America and the Asia-Pacific region, other states also faced a rising cadence of similar hostile operations, ranging from intrusive commercial espionage to physical sabotage, cyber attacks, violence against political activists and political interference. Much of this activity had been directed at Western liberal democracies by authoritarian offenders, but this was not universally the case; transnational repression, cyber attacks and subversive disinformation campaigns were also becoming a more common currency of statecraft in other regions, among states of various constitutional complexions.

Such state-backed hostile activity is not a complete novelty, and has a long and continuous history, even during relatively peaceful periods. Nevertheless, some senior Western officials have begun to use language that frames the current wave of hostile acts in distinctly “epic” terms, something more than just the old wine of the clandestine in newer, more technologically advanced bottles. Several governments, such as those of the Netherlands, Australia, the UK and Canada, have thus begun to develop specific policies to respond to the threat of state-backed hostile activity. The problem they seek to tackle has been described in various ways: “state threats” in the UK (the term used in this paper), “threats from state actors” in the Netherlands and “hostile activity by state actors” in Canada, for example. But the core concern remains the same throughout: to find ways to mitigate the risk posed by detectable and unwelcome change in patterns of inter-state behaviour.

Despite the growing importance of state threats as a specific policy challenge, however, the current volume of research on the topic is limited. This in itself should prompt further study, but the need is more pressing still, given the apparent immediacy of the issue. In response, the Serious Organised Crime & Anti-Corruption Evidence (SOC ACE) research programme sponsored two workshops of the State Threats Taskforce (STT) in March and June 2023, which were convened by the Royal United Services Institute (RUSI). The STT, which comprised former practitioners and experts from Europe and Five Eyes countries, revealed that even among those deeply immersed in relevant fields, there was uncertainty around fundamental questions such as the meaning and scope of the term state threats, how best to assess such threats, and consequently, how to develop a response to them. For the sake of productive discussions, the workshop attendees decided to take an intuitive approach to defining state threats, following the words of Supreme Court Justice Potter Stewart on obscenity: “I know it when I see it”.

While a reasonable basis for initial discussions, however, indistinct definitional boundaries do not provide sufficient grounds for the development of effective policy. Ideally, policymakers require a common conceptualisation of a problem, without which their actions risk being piecemeal, unnecessary or incongruent. The clearest finding of the STT workshops was, therefore, that further research was needed to review the basic concept of state threats and arrive at a foundational threat assessment, upon which appropriate strategies and responses could be developed. As a result, this research aims to:

  1. Clarify the meaning and coherence of the term state threats.

  2. Understand why state threats have emerged as an issue now.

  3. Map out the scope and nature of current state threats.

  4. Assess the effectiveness of hostile activity as a tool of state policy.

  5. Consider the potential development in the state threats landscape in the short to medium term (two to five years, following definitions of duration common in government and business).

Although the paper touches upon current and potential policy responses to state threats, interventions are not the focus of the paper and are not addressed extensively here. These issues require further study; it is hoped that a further opportunity to provide one will be possible in the future.

1.1. Argument and structure

The paper begins in section 2 by addressing the foundational question of definition and the current state of research literature on state threats. As noted above, the UK government uses the term state threats to denote hostile activity by states; other governments use variations on this formula. Some states and international organisations such as the European Union (EU) and the North Atlantic Treaty Organization (NATO) also use the term “hybrid threats” for analogous challenges, but properly speaking, this term deals more with the use of mixed and innovative methods of hostile action, rather than the actors that use them (which can be both state and non-state actors).

The definitions used by governments for state threats and cognate terms broadly include the same elements: covert, coercive, corrupt, illegal, threatening or undermining acts against other states’ interests, carried out by state actors, or non-state actors on their behalf. These acts often fall short of what is commonly accepted as war within the current international system.

However, despite the commonalities in their definitions, there are some differences too – some states include overt as well as covert hostile acts, for example. There are also many ambiguities around intent and responsibility in the various definitions, which risks making them too wide-ranging to be of use. For example, in one policy definition it is theoretically possible for a state-linked act that damages another state to be seen as a state threat, even when it is not explicitly intended to be so. Moreover, the various definitions leave significant issues unresolved; for instance, while most emphasise the role of non-state actors in the execution of state threats, they do not provide a method for deciding when a hostile action by a state-linked non-state actor is a state threat and when it is not.

Researchers cannot wish away these complexities; but although ambiguities will remain, the aim should be to minimise them. Pragmatism suggests that many overtly hostile state acts fall within the accepted “rules of the game” of international statecraft, but some, which seek to twist or stretch those rules, or infringe basic norms such as state sovereignty, do not. In effect, they are statecraft conducted in bad faith. These distortions of commonly used methods of statecraft sit within the scope of state threats, especially as they can both accompany and lay the groundwork for other covert and coercive acts.

On the question of intent, some state behaviours are indeed unhelpful, but lack an underlying intention to cause harm to another state or its interests, at least at the outset. Nonetheless, what starts as negligence or antisocial behaviour can be exploited at some stage. Other state actions – direct investment in other states’ infrastructure, for example – might seem constructive and indeed helpful. But they can make the recipient dependent on, and thus vulnerable to, the helping state, even if that state’s original intentions were genuinely benevolent or sought mutual benefit. Neither negligence nor support is therefore strictly speaking a “state threat”, but both types of action might eventually be used with malign intent in the future or “weaponised”, to use a neologism of the moment. Such behaviours might thus be seen as “dual use” forms of statecraft that can be turned to different ends, depending on the circumstances.

On the further vexed issue of how far states can be held accountable for the activities of non-state actors, it is difficult, if not impossible, to develop detailed evidence of operational connections between states and non-state actors. Nonetheless, if non-state actors do show evidence of interaction with a state and an alignment with state actor behaviours – whether in method, target choice or timing – there are reasonable grounds for seeing their activities as state threats.

Unsurprisingly, given the relative novelty of the term state threats, academic and research literature specifically discussing the area under that term is limited at present. Nonetheless, there is a large body of existing research on relevant adjacent areas such as “hybrid” and “grey zone” war/warfare/conflict/threats – among the various nouns being used with these opening descriptors ‒ as well as a growing revival of interest in “covert action” and newer concepts such as “intelligence conflicts”.

A limiting factor to the value of this literature has been its tendency to focus on hostile activities in periods of acute crisis or near-war situations, with a heavy accent on military activity, although research on the grey zone has looked at more chronic, low-level crises too. This latter body of work is thus more germane to the concept of state threats, but both areas provide useful material on the novel and multi-stranded character of much current conflict and statecraft, and, importantly, the varying ways in which different types of states frame hostile acts. While there is a bias in Western scholarship towards drawing a clear line between war and peace (hence the difficulty of defining state threats), for states such as Russia, which use hostile methods more actively, there is more of an interest in their feasibility and value. What is a theoretical debate for some is a question of application for others.

With this necessary groundwork completed, the paper goes on in section 3 to ask why, if state threats are not new, they have become such an issue now. Most importantly, the answer is because of mounting evidence; where quantitative data are available, the indications are that they are on the rise. However, perceptions matter too. The hostile behaviour of states seeking to revise the international order, hereafter described as “revisionist powers”, has become increasingly worrisome. Acts such as Russia’s seizure of Crimea in March 2014 and the full-scale invasion of Ukraine in February 2022 that were previously treated as background frictions to be downplayed in favour of maintaining good relations have increasingly been seen as intimations of much darker designs than previously supposed.

A further reason is timing: the rise in the danger from state activity, both actual and perceived, has come when other recent national security challenges have been in relative abeyance. The Islamist extremist terrorist threat has remained and the extreme right has become more dangerous. But while terrorist attacks have continued, government efforts to degrade terrorists’ operational capabilities have helped make them mostly small and containable, in comparison to the attacks of the first 20 years of the 21st century. This has allowed policymakers more space to address the challenge of state threats. Nonetheless, the size of this space should not be overstated, as attacks and planned attacks by Islamic State (IS) affiliates in Iran, Russia and Austria in 2024 indicate.

The next three sections look at the nature of the current state threats challenge in more detail. Section 4 looks at the variety of methods states are currently using, including:

  • espionage, especially commercial espionage;

  • intimidation, including rising levels of transnational repression;

  • sabotage, “cybotage” and the “systemic overload” of social systems, through the weaponisation of criminal activities such as illegal migration;

  • subversion of the information environment to shape the views, actions and decision-making of audiences within a targeted state;

  • malign influence on elite figures and groups with the power and position to guide the public policy of a targeted state;

  • sponsorship of groups seeking to destabilise the existing political order of a targeted state; and

  • orchestration of regime/governmental change, through support for coups d’état or direct interference in electoral processes.

Section 5 considers how these activities are initiated and executed – in effect, the mechanics of state threats. Despite some of the media-shaped images of leaders such as President Vladimir Putin of Russia being in full control of their countries’ activities, it seems likely that hostile acts emerge from a variety of different channels, from “business as usual” planning by intelligence agencies, to bureaucratic responses to the expressed or perceived preferences of state leaders. Freelance endeavours by state and non-state actors that might not be “approved” until after the fact also need to be included. Additionally, section 5 looks at the variety of operatives who execute hostile acts, ranging from state officials and intelligence officers to a wide variety of non-state actors in “legitimate” spheres such as business and civil society, as well as the increasingly important worlds of private military contractors/companies (PMCs), organised crime groups (OCGs) and cyber-criminals, and to a lesser extent, terrorist and militia groups.

Section 6 then takes the analysis further by looking for underlying patterns in the qualitative evidence. While this lacks the potential rigour of a quantitative analysis, particularly given the currently patchy availability of relevant data across regions and threat types, it is apparent there have been “booms” in certain areas of espionage, sabotage and subversion in recent years, along with an attempt to innovate using new tools and unexpected loopholes in Western law. It is also clear that cyber techniques have grown in importance, especially in volume activities such as disinformation, although human officers and agents remain an invaluable part of a state’s capability. Not everything can be done, or done well, remotely or via computer. The section also highlights the importance of distinctive national “styles” of hostile activity. Of all the core revisionist states which oppose the current international order, Russia appears to be the most wide-ranging and reckless in its behaviour. The Democratic People’s Republic of Korea (hereafter, North Korea) and Iran also take substantial risks, but have a more limited field of activities due to their more modest size and resources. China – despite being the largest and most powerful of the four core revisionist states – is the most careful and circumspect about how, when and against whom it undertakes hostile acts, at least for now. Indeed, indications are increasing of growing Chinese aggressiveness in some areas, especially cyber operations.

Section 7 looks at the motives behind states’ use of state threats. Among Western media and some experts, it is a widely shared view that the perceived rise of state threats reflects aggressive behaviour against Western democracies by a handful of authoritarian regimes – China, Russia, Iran and North Korea. Allowing that there is a strong thread of truth in this narrative, this section argues, however, that although these four core revisionist states are the most significant current part of the state threats problem, they are not the only part. Hostile acts are not the sole province of authoritarian states and Western democracies are not the only targets. Indeed, hostile acts between states continue to occur in a variety of contexts; democracies have targeted other democracies; non-Western authoritarian states have targeted one another; and Western democratic states have themselves used such methods, albeit more rarely, and circumscribed by law and ethical constraints.

What is driving revisionist hostility and this accompanying decline in standards in international behaviour? The broader context has seen the confluence of several geopolitical trends, economic changes and technological developments. The most important of these has been the overall shift in global economic and political power away from the US and its allies towards China and other major developing economies. Although the US and its allies have held fast to their own vision of a rules-based liberal international order, China, Russia and others now see that order coming to an end, to be superseded by their preferred model, based on two key concepts: a form of “hard” state sovereignty that goes back to the Peace of Westphalia in 1648, making non-interference in other states’ affairs fundamental to international statecraft; and the idea that “great powers” – among which they include themselves – are different from other states, with the right to enjoy global predominance and spheres of influence. Two power centres and two world-views are thus fundamentally at odds, shaping the kind of epoch-changing situation that has often resulted in open war in the past.

That this has not happened yet can probably best be explained by the cost-benefit calculations of the states involved. Any open great power conflict would be globally damaging both politically and economically, and potentially catastrophic if nuclear weapons were used. From the perspectives of states such as Russia and China, moreover, the US and its allies remain economically and militarily powerful; the outcome of any open conflict with them would be uncertain or even unwelcome. In a world where the costs and risks of war are so great, it makes sense for the revisionist states to behave in a way that does not provoke a military response. Thus, the use of hostile acts is ‒ and remains ‒ a logical middle way by which revisionist states can mount their challenge to status quo powers without triggering a potentially existential crisis.

State threats are also attractive as tools of policy because of the advances brought about by economic globalisation and technology over the past 30 years. Societies, economies and polities are more interconnected than ever before, providing states with a level of access to potential targets that would have been difficult during a period such as the Cold War. Developments such as the growth of cyberspace have been a key part of this global integration, moreover, providing avenues for less wealthy states to access and target regional rivals or even global opponents. Interests and operational options have come together in ways that have made the deployment of state threat-type activity the safest and most affordable way to express inter-state hostility.

In the case of the revisionists, moreover, there are few internal constraints on them using such measures, even if they bring collateral damage to the wellbeing, liberties and human rights of civilians in other countries. Such states already show little concern for the rights of their own citizens at home; it is of little surprise that they show limited concern for the rights of other states’ citizens either.

These factors, which have shaped the behaviour of the main revisionist states, have also had a wider impact on “geopolitical climate change”, promoting hostile action as an acceptable form of statecraft for states that are relatively uninvolved in the competition between the major powers. For those which have in the past either feared a US response to antisocial international behaviour, or looked to the US for security, the environment has changed. “Middle powers” in the developing world have thus increasingly felt enabled or prompted by changing circumstances to take matters into their own hands, with state threats an obvious way to target their local rivals. Given the relative cheapness and accessibility of cyberspace, moreover, this has been easier to do than ever before. Anywhere in the networked world can be part of the virtual battlefield.

If state threats are a relatively low-cost means to pursue state ends, the logical next concern is whether they provide a reasonable return on investment. Section 8 addresses this question, finding that despite the widespread use of state threats, their tangible impact is difficult to discern, at least at present. Certainly, in fields such as espionage, massive campaigns, such as the one currently being mounted by China, have reaped an enormous economic dividend – but also at a reputational cost. In other cases, the use of assassination, sabotage, cyber effects and various types of political interference have not necessarily produced unambiguously positive results, whether measured by reducing opponents’ capabilities or by causing them to shift their policies. In fact, much hostile activity not only undermines the reputations of the states involved, but also leads to countermeasures that have the potential to make future hostile actions less effective.

Nonetheless, too optimistic a view of the effectiveness of state threats might yet prove to be misguided. Even if Western governments only evaluate the effectiveness of state threats on the relatively narrow basis of results alone, it is possible that states using hostile acts will get an occasional “lucky hit” – some see Russian interference in the US 2016 presidential election as an example – or that their activities will help wear down their targets’ resilience over the medium to long term. Additionally, governments using hostile actions might have different metrics from weighing up costs against tangible benefits. It is possible that some states see such behaviours as useful ways to “signal” credibility and intent to other governments. Alternatively, their continuance might simply be the result of institutional rigidity, with state agencies continuing to undertake hostile acts as part of a self-generating pattern of behaviour.

As section 9 suggests, moreover, the relatively limited impact of state threats so far does not guarantee their lack of impact in the future. Among the core revisionist states, regime intentions remain the same, and in some cases – in that of China, most worryingly – there is evidence that those intentions are hardening. At the same time, as technological capabilities such as artificial intelligence (AI) advance, the means to cause damage at a higher volume and velocity are growing, especially in relatively open Western societies. This will not only sustain the threat from the revisionist states, but also probably push and encourage other states to use similarly abrasive forms of statecraft.

As a result, section 10 concludes the paper by arguing that governments should take the problem of state threats seriously, despite their patchy record of apparent success so far. It is therefore imperative not only to tackle the dangers from directly targeted hostile actions, but also to address the overall shift in the character of international statecraft that is currently taking place. Governments should not only be looking to their own states’ safety and resilience, but to that of their wider neighbourhoods. As noted at the outset, while some Western states have begun to face up to the challenge of state threats, the response has not been universal; the approaches taken have been piecemeal and episodic, with sector-by-sector responses that are not always aligned with a clear threat assessment or connected to wider government, civil society or international initiatives. For a problem that is so fluid, complex and cross-sectoral, it is apparent that governments have some way to go before they can provide consistent and germane responses that are well-calibrated to the challenges they face.

1.2. Methodology

The evidence that informs this paper has been gathered from various sources. Desk research has been the primary method, comprising reviews of STT notes, research papers identified through the academic databases EBSCO and JSTOR, and open source searches of the internet with the search engine Google. Books, sections and articles were identified through a range of search strings including terms such as “state threats”, “hostile state activity”, “hostile activity” and “hostile acts”, and further terms that regularly appear in relevant subject-adjacent literature, such as “hybrid warfare”, “grey zone warfare/conflict” and “weaponisation”. These terms were also combined with country names, including the four core revisionist states identified by the STT ‒ China, Iran, North Korea and Russia ‒ but also in combination with other countries of potential interest during the process of research, such as Belarus, Syria and Venezuela, and less obvious candidates such as Saudi Arabia, Turkiye and the United Arab Emirates (UAE).

In addition to reviewing existing research literature, the study looked at relevant policy statements, legislation and research from departments, agencies, legislatures and bureaucracies of national governments and international organisations, which were sourced via official websites. Credible media reports on potential state threat incidents were located via online searches using Google, where search strings combined categories of types of state threat actions identified in the process of research (such as assassination, cyber operations and so on) with countries of interest. Searches were limited to English language sources (or those translated into English) published since March 2014. This date was chosen because it allowed for a review of a decade’s worth of relevant material, and coincided with the Russian annexation of Crimea, which marked a significant watershed in Western perceptions of the potential importance of state threats.

After a period of desk research, the lead investigator conducted 50 semi-structured interviews by video conference platforms with academic experts, researchers, journalists, current and former government officials and practitioners. The interviewees were located in North America, Europe and the Asia-Pacific region, and were selected based on their knowledge and expertise on state threats or related areas, specific domains such as cyber or disinformation, and/or specific countries and regions. Interviewees were informed that notes would be taken during the discussions, but the discussions themselves would not be recorded, and would be treated as confidential; names, organisations or other identifying data would not be included in the text, unless otherwise agreed. The use of any specific evidence or judgements was agreed in writing and, where requested, the identities of individuals have been anonymised.

Despite the global significance of the state threats issue, the scope of this paper was naturally limited by the researcher’s location in the UK and linguistic barriers. Unsurprisingly, therefore, it is written from a Western perspective, and the terms “the West” and “Western” appear consistently throughout the text to make the geographic and cultural scope of assessments clear. The paper uses the terms in the same sense as Australian counter-insurgency expert David Kilcullen, who has described “the West” or “Western societies” as a “loose collection of countries” primarily in North America, Europe and the Asia-Pacific region that “are allied or aligned with the United States … and that often collaborate in coalitions or international institutions”.

If geography and language limit the paper’s scope, they also affect the character of its judgements. The paper’s conclusions are shaped by the researcher’s circumstances in a liberal, democratic, free market society in the developed world. Despite the conscious aim of objectivity, the underlying assumptions of this type of society will have had an effect that cannot be ignored. Nonetheless, the paper still seeks to take as balanced a perspective as possible; indeed, a key finding of the paper is that state threats should not simply be viewed through a lens of “the West versus the rest”.

Finally, from a methodological perspective, some comment is required on the length of the paper, which is much greater than originally intended. It soon became obvious during the research process that the field of state threats was much vaster than the STT workshops had suggested, and that a tight curatorial approach would be needed on the use of evidence in any research product. Consequently – and even at the length of the paper as it currently stands – it remains highly selective, and somewhat akin to “a motorcycle ride through the art gallery,” in the words of former Central Intelligence Agency (CIA) deputy director Admiral William Studeman. The author therefore wishes to apologise in advance for any lacunae that readers with country- or domain-specific expertise will almost certainly identify.

2. Definitions and literature

The term state threats and similar formulations are relatively new to the lexicon of UK government policy, emerging around 2017/18, prior to and in the wake of the attempted poisoning of Sergei Skripal. The term was used to name the Joint State Threats Assessment Team, created in June 2017 and based at the UK Security Service (MI5)’s Thames House headquarters, but ministers and officials also used other similar terms including “hostile state activity”, “hostile activity by states” and “state-based threats” at the time. However, in 2021 the term state threats was chosen as the preferred descriptor; hostile state activity, in particular, was rejected because it might imply that certain states were hostile by definition, and the UK government wanted to stress that it was more concerned with hostile behaviours rather than specific states.

The Home Office provided a fuller definition of state threats in its Consultation on Legislation to Counter State Threats (Hostile State Activity) in May 2021, which introduced measures later included in the subsequent National Security Act. According to the consultation, state threats comprise:

Overt or covert action orchestrated by foreign governments which falls short of general armed conflict … but nevertheless seeks to undermine or threaten the safety and interests of the UK, including: the integrity of its democracy, its public safety, its military advantage and its reputation or economic prosperity.

The consultation also defined five key state threat categories:

  1. Threats to people, through harassment or physical violence.

  2. Threats to things, such as the nation’s critical national infrastructure (CNI) or overseas supply chains.

  3. Espionage against both the public and private sector, including academic, scientific, technological and commercial intelligence.

  4. Interference in political, electoral, economic or social processes or decision-making.

  5. Threats to geostrategic interests, in the reshaping of international norms and the misuse of rules, norms and agreements to coerce other states.

While more traditional terms were mostly not used, these categories largely covered the classic and well-known behaviours of state intelligence and security agencies, including transnational repression (threats to people), sabotage (threats to things) and subversion (interference).

Other Western states have also developed policy language for the phenomenon of state threats in recent years, although the terms used vary from country to country. The three examples provided below, from the Netherlands, Canada and Australia, are far from an exhaustive sample, but they give a flavour of how similar challenges are defined outside the UK.

Table 1: Non-UK terminology on state threats.

While none of these definitions is an exact match with the UK definition, there are similarities between the terms. Each takes an implicitly similar perspective on:

  1. the severity of the threat – state threats fall short of the internationally defined nature of war or armed conflict;

  2. the source of the threat – state threats are initiated by state actors but can be executed either by state or non-state actors;

  3. the character of the threat – state threats are covert, deceptive, corrupt, illegal, coercive or surreptitiously threatening; and

  4. the intention behind, and effect of, the threat – state threats damage other states’ interests.

However, despite parallels, there are also notable variations and ambiguities between them. While the consensus is to focus on behaviours that are likely to be conducted secretly or duplicitously, the UK also includes overt hostile acts in its definition. This is slightly messy, and brings with it the question of whether all aggressive or hostile overt acts can be deemed to be state threats. If so, then state threats might also include robust measures used and endorsed by Western states, such as economic and financial sanctions, military deployments, the exercise of maritime rights or alliance building. This would in fact accord with the views of some states, such as India, which do not support the application of national sanctions outside the UN framework, or those, such as China, which reject settled bilateral or multilateral alliances. Including overt acts without any qualification would therefore risk either creating a definition that is so broad as to be meaningless, or include wide swathes of statecraft that Western states deem largely acceptable.

A further problem is the extent to which a damaging state behaviour should be considered a threat where a state’s intentions are ambiguous. In the definitions of the UK and Canada, a hostile act is intended to harm the interests of another state; there is implied political intent. In the case of the Netherlands, however, the definition also encompasses undermining actions that could harm another state’s interests, without making it clear whether those actions are intended to cause harm or not. On such grounds, a vast range of antisocial state behaviours could be interpreted as state threats; if a state pumps effluent into a sea shared with a near neighbour, this might cause major health problems for the population of the neighbour, but it might seem odd to see this as a state threat rather than just antisocial behaviour.

Other problematic situations arise when considering the effects of time and changing intent. All of the definitions appear to be founded on a presumption that the state “act” is either one thing, or another – hostile or otherwise. But apparently positive or mutually beneficial state interactions such as the provision of aid, investment, technology transfers and so on also have the potential to be used by the providing state to undermine or manipulate the recipient, whether that is part of their original intention or not. It might seem sensible therefore to also include interactions which have the potential to damage a state at some point as prima facie state threats. But to do so would then mean that decades’ worth of positive interstate interactions, many benevolent or motivated by a desire for mutual benefit, would need to be seen as potential preludes to future blackmail. Such reasoning seems paranoid in the extreme. At the same time, if such actions were totally excluded from the scope of state threats, it would potentially exclude areas of genuine future risk.

Further dimensions to the problem of intent arise from the role of non-state actors in hostile activity. An OCG or terrorist network might act on behalf of a state on occasion, but such groups are also likely to have their own interests and agendas that are damaging to other states, but unaligned with the needs or interests of their sometime state partner. It seems obvious that those actions undertaken on behalf of a state should be included as state threats, but sifting out the state-linked behaviours of a non-state actor from the non-state-linked ones is much easier to propose than accomplish. From the outside, other states will only see the non-state actors’ actions, and not necessarily whether they arise as the result of a relationship with a state actor. Given how murky the nexus between state and non-state actors is, therefore, it might seem prudent to view the actions of all non-state actors with known state links as state threats; however, to do so would be far from parsimonious, in light of the scale of terrorist and criminal activity in the world, and would again risk making the term state threats so broad as to be meaningless.

2.1. Clarifying the definition

The simplest answer to these difficulties is to understand state threats very narrowly or broadly, either excluding or including all problematic categories. However, both approaches have significant weaknesses; the former risks ignoring many relevant hostile behaviours and actors, and the latter risks creating a vast and undifferentiated spectrum of hostile activities that may, or may not, be state related. Consequently, some pragmatism is required to find an understanding of the term that does not dilute its meaning too far and provides a workable scope for investigation. In the probably apocryphal words attributed to Albert Einstein, “Things should be made as simple as possible, but no simpler”.

The centre of gravity of governments’ thinking is that state threats are largely covert activities. But how to parse “acceptable” and “unacceptable” forms of overt statecraft? The acceptability of various overt activities under international law or custom is open to wide interpretation, even when states agree on the letter of the law or usual pattern of practice. However, it is feasible at least to exclude some types of overt hostile behaviour from the scope of state threats. Firstly, some forms of overt hostile action are explicitly allowed under international law in response to other states’ hostile and illegal actions, such as forcing international waterways to assert the freedom of the seas if a blockade is attempted, for example. Secondly, some forms of overt action, while not explicitly endorsed by international law, are similar to those used by the international community through the UN, such as economic and financial sanctions. This leaves overt hostile activities that are explicitly banned (wars of aggression, for example), and a zone of activities – various forms of coercive diplomacy, most notably – that are neither explicitly endorsed nor prohibited by international law and practice. Sifting the acceptable from the unacceptable within this zone is a difficult matter, touching on both ethics and taste. However, some potential rules of thumb might establish whether a state’s overt behaviour could be deemed less acceptable as peacetime conduct, especially when used in conjunction with covert hostile acts. These are behaviours that, in effect, go against the intended spirit of the rules, if not their precise letter, including:

  • Extreme behaviours that push acceptable forms of statecraft to the very edge of international practice, such as the use of physical threats in diplomacy.

  • Subversive behaviours that distort, infringe or manipulate rules and norms with antisocial behaviours, such as seeking to redraw international boundaries without consent, or using international tools and institutions in dishonest or misleading ways.

If there are rough arbiters of the line between “acceptable” and “unacceptable” behaviour, it is probably through the pragmatic application of these criteria, imprecise though they may be. If overt acts are intended to cheat, twist or subvert existing international rules and norms, they are likely to go beyond the boundaries of “rough” statecraft into the realm of state threats.

On questions of intention and responsibility, common experience suggests that while sins of omission, negligence or inattention can be unhelpful, damaging or even dangerous, they are rarely treated as threats. A doctor whose mistakes lead to the death of a patient can be accused of negligence, or manslaughter, but not murder. Intention needs to play a role. At the same time, the consequences of normal inter-state behaviour that might later be misused or abused cannot be treated as immediate threats as such, without good evidence to suggest that they are intended otherwise. Again, common experience suggests that a dependency created or exacerbated by acts of generosity or mutually beneficial cooperation only really becomes a threat when used as such by one partner or other.

Using this principle as a guide, therefore, it is also defensible to exclude damaging state behaviours where there is no clear intention to cause harm to other states, with the following caveat. Both categories of behaviour – negligence and the intentional creation of dependencies – might have the potential to become state threats at some point, if channelled, shaped or twisted to cause specific harm. They might therefore be conceived as “potential state threats” or forms of “dual use” statecraft.

Following the same logic, to be seen as state threats, the acts of non-state actors cannot be treated as either state or non-state threats wholesale. Intermediate criteria need to be applied, both around intent and evidence of operational engagement. Where non-state actors undertake illegal acts of no or limited political significance, or acts clearly motivated by self-interest or group agendas, and even where non-state actors have relationships with state actors, these are not obviously state threats. To be so, there would need to be evidence of a relationship or operational entanglement with state actors, and reasonable grounds to believe that the non-state actors’ actions were being undertaken as a result of that engagement. This suggests that although non-state actors might undertake a hostile act they assess to be in the interest of a state, it should only be treated as a state threat if the act happens with demonstrable engagement or encouragement by a state actor. If the alternative interpretation were taken, states would be hostage to the actions of any group or individual that declared they were an instrument of that state’s interests, regardless of the views or actions of that state itself.

Using the principles developed above, we might therefore flesh out the previously ambiguous aspects in our definition of state threats in the following ways:

  1. Severity – state threats are hostile acts that fall short of the internationally defined nature of war, and/or distort and subvert peacetime international rules and norms.

  2. Source – state threats are initiated or encouraged by a state actor, and executed by a state or non-state actor for that state’s purposes.

  3. Character – state threats are underhand and undermining (covert, deceptive, corrupt, illegal, coercive or threatening) or abuse accepted rules and norms to achieve hostile ends.

  4. Intention and effect – state threats cause intentional and politically motivated damage to another state’s (or other states’) interests and assets.

As readers will surmise, this definition is still a working model to which boundary cases will cause challenges. Nevertheless, it is a useful framework for analysis, and aligns with the underlying sense of the concept of state threats as expressed in various Western policies.

2.2. Hybrid threats

A cognate term to state threats used by NATO and the EU is that of “hybrid threats”. The European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), a joint initiative of the two aforementioned international organisations, based in Helsinki, defines hybrid threats as actions “conducted by state or non-state actors, whose goal is to undermine or harm a target by combining overt and covert military and non-military means”. As will be obvious, the concepts of state and hybrid threats overlap, but they are not identical. In practice, hybrid threats are more concerned with the combination of threat methods than the identity of the perpetrating actor, which can be a state or non-state actor, including the latter acting on their own behalf. As a result, while it is possible to say some state threats might also be hybrid threats (for example, a state using combined means of hostile activity), this does not have to be the case, as a state threat could involve using a single method in a purely conventional way.

2.3. Literature review

Paradoxically, the literature on state threats is both limited and extremely full. Although there is no field of “state threat studies”, there are several streams of relevant research in political science, history and military studies. The most significant is work on the concept of “hybrid war”, sometimes rendered as hybrid “warfare”, “conflict” or “threats”. The volume and breadth of the material in the field is massive and continues to grow, in part encouraged by various national-level debates among military and strategic scholars about the meaning of the phrase and its practical content.

Although most often associated with Russian military thinkers, the hybrid idea first emerged in a contemporary setting in 1999 in Unrestricted Warfare, a book written by two colonels in the Chinese People’s Liberation Army (PLA). In the book, Qiao Liang and Wang Xiangsui argued that the US’s overwhelming conventional military victory over Iraq in 1991 indicated that the US’s opponents would need to break rules and leverage vulnerabilities to defeat it in the future. In practice, this meant that China and others must use “all means, including armed force or non-armed force, military and non-military, and lethal and non-lethal means to compel the enemy to accept one’s interest”.

An analogous stream of thought emerged in the US in the following decade, initiated by US Marine colonel and scholar Frank Hoffman, who coined the term “hybrid war” in a 2007 article. As with Liang and Xiangsui, Hoffman argued that the use of blended tactics, exemplified by Islamist terrorist group Hezbollah, was becoming a major characteristic of fighting involving both state and non-state actors. The term was later picked up in Russian military discussions (in Russian as gibridnaya voina), but framed as a type of political warfare used by the US. In the Russian version, the US was seen using social media and civil society groups to foment “colour revolutions”, non-violent protest movements against authoritarian regimes in the former Soviet Union (USSR) and the Middle East. Despite pointing to the supposed American origin of this meaning, however, Russian military thinkers, including leading Russian general Valery Gerasimov, took the notion of hybridity as something they themselves should apply and improve upon in the future, mixing military methods with economic action, information campaigns and political subversion. Indeed, the subsequent Russian attack on Ukraine in 2014, which resulted in the annexation of Crimea, was seen initially by many Western observers as an exemplar of Russian hybrid warfare, combining as it did low-level military action, sabotage, cyber attacks, disinformation, simulated protests and criminal-led violence to destabilise the government in Kyiv.

Obviously, then, there have been variations in the meaning of hybridity in different national discussions. For Chinese thinkers, hybridity has a tone of “anything goes”, in an all-encompassing state-against-state struggle for global dominance; for US thinkers, it indicates using various means in a distinctly military context; for Russian thinkers, the term points towards the use of non-military tools in combination with limited military means, to avoid a larger conflict while also making up for material deficiencies. However, despite these differences, there are common threads. At its core, as Kilcullen notes, the essence of much of the current discussion lies in the “addition and combination” of a variety of methods and tools, “bringing into play the maximum range of categories of conflict and combining them in novel ways”. In short, combination is the key.

Kilcullen’s reference to novelty also highlights another concept allied to that of hybrid war: weaponisation. Russia expert Mark Galeotti describes the “weaponisation wave” as “the notion of items and concepts not usually connected with conflict” being used as ways of demonstrating hostility, such as enabling criminality, or exploiting pre-existing economic and social vulnerabilities. However, as with other terms used in this field, although close in spirit to hybrid war, weaponisation is not identical to it; it is conceivable that a novel or unusual method could be used on its own and not in combination with other methods. Furthermore, hybridity does not require novelty, but can also involve the mixing of well-worn methods and tools.

A further related area is research on “grey zone” or “liminal” warfare or conflict. Although overlapping with other concepts, it too has distinct characteristics. While hybrid war and weaponisation focus on the combination or novelty of means, respectively, grey zone and liminal conflict emphasise the use of ambiguous methods to achieve political ends, seeking to damage a target without detection or attribution, thus making a robust response less likely. Unsurprisingly, therefore, the field of study is less focused on conventional military conflict, which the proponents of grey zone activity usually wish to avert, and more on the world of counter-insurgency and paramilitary action. This increasing interest in the study of the grey zone has dovetailed too with a revival of interest in the field of Western intelligence studies in the concept of covert action, defined from a US perspective by intelligence expert Loch Johnson as “clandestine intervention in the affairs of other nations for the purpose of advancing the global interests of the United States”. Grey zone activity and covert action have much in common, with a shared focus on the use of less easily detectable and attributable methods to achieve political ends; however, while it is difficult to draw a clear boundary between the two, covert action is more clearly within the purview of intelligence agencies than militaries, and less likely to involve identifiably military activity.

Recent studies of covert activity have looked at the increasing use of such methods by Russia, China and several other countries, while also asking questions about their practical and ethical validity as tools of statecraft for Western states. While work such as Cormac’s provides a survey of the covert realm as a whole, other scholars have produced notable country-specific studies, especially on the activities of Russian agencies and those of China. The growth of malign influence operations has been a major theme of much recent work on China, leading to several studies of Chinese intelligence penetration of Canada, Australia and South-East Asian countries.

Scholars have also looked at the concepts of hybrid war, grey zone conflict and covert action through the lenses of various domains, most notably cyberspace. Over the past three decades, a series of interpretative waves have rippled through cyber security studies: initially, in the 1990s, the so-called “revolution in military affairs” focused attention on the role of computers in improving militaries’ war-fighting capabilities. Then, from the late 1990s into the 2000s, as the internet became a growing reality across all aspects of life, scholars became more concerned about the role of cyber as a novel and devastating theatre of war. From the 2010s onwards, and in the absence of “cybergeddon”, the discussion moved on to the less melodramatic role cyber could play as an enabler of existing types of covert activity, such as espionage, sabotage or subversion. The debate has become even more nuanced in recent years, with experts debating whether cyber activity is a form of “intelligence conflict”, defined by cyber experts Robert Chesney and Max Smeets as statecraft pursued by the means and methods traditionally associated with intelligence agencies; or, as other cyber experts such as Michael Fischerkeller and associates prefer, a realm of “persistent engagement”, with attackers and defenders pursuing something akin to a virtual wrestling match, “deliberately calibrated to remain below the threshold that would elicit an armed response, seeking instead to produce cumulative gains over time”. Several authors have also highlighted how difficult clandestine and covert actions are in the cyber domain, constrained as they are by the same kinds of practical and political constraints that limit all forms of state action. 
Lennart Maschmeyer, another cyber expert, has highlighted how activity in the cyber domain faces the same “operational trilemma” as subversion, with the three requirements needed to generate a secret and indirect effect – speed, intensity and control – impossible to maintain at the same time.

What this changing pattern of cyber research points towards, and what is relevant to the wider issue of state threats, is a recent critical change in tone. While much of the initial work on all these subjects stressed their novelty and importance, recent thinking has taken a more interrogative attitude. Several studies, such as the work of political scientist Thomas Rid, have raised questions about the strategic effectiveness and impact of various types of covert and clandestine actions, especially cyber attacks and information operations. Taking a similarly sceptical perspective, military historian Sir Lawrence Freedman has noted that the central issue “with all new developments” has been whether they “get a decisive result in a conflict or just [provide] another means of engaging in a dispute without necessarily being able to bring it to a conclusion” – a question about which he himself has doubts.

In contrast, several other contemporary scholars have suggested reframing the question of effectiveness using criteria other than damage caused or political change triggered. Political scientist Austin Carson, for example, has emphasised that covert action should be seen not only as a means of achieving tangible results, but also of communicating intent and will – “signaling” – to both opponent states and allies alike.

2.4. Conclusion

At the close of the section, it is clear that the question of how to define the area of hostile state activities has proved difficult for policymakers and researchers alike. Very little seems to fit neatly within pre-existing conceptual boundaries; even after careful exploration and analysis, some ambiguity cannot be avoided. However, we are probably in a less uncertain place now than Judge Stewart, forced purely to rely on gut instinct to define state threats. State threats do have coherence as a concept, as hostile actions by states and their partners with political intent to harm other states. They are executed outside or on the edge of international law and practice, and can either be covert, lightly disguised or in some cases overt.

Without being labelled as “state threats research”, moreover, there is much in the world of academia and policy research that helps us understand the nature of the issue. Despite the heavy skew of much of the literature towards military affairs in near-war scenarios, the study of hybrid warfare and grey zone and liminal conflicts has helped demonstrate various styles of activities – combinative, innovative or ambiguous – that can be just as relevant to peacetime activities of intelligence agencies. Indeed, the current turn in the literature towards a focus on covert action, intelligence contests and persistent engagement shows just this.

3. The state threats “moment”?

Of course, as has been stated from the outset, state threats are far from being a new phenomenon. States have undermined their rivals using covert and clandestine means since antiquity. Discussing contemporary cyber attacks, political scientist Thomas Rid has remarked that despite their apparent novel methods, they are simply “sophisticated versions of three activities that are as old as human conflict itself: sabotage, espionage, and subversion”. Despite the end of the Cold War, states that were then apparently friendly continued to undertake hostile acts against one another throughout the 1990s and the early 21st century. China was caught seeking to influence Bill Clinton’s presidential campaign through secret donations, 20 years before Russian interference in the 2016 US presidential election, while Russian operatives assassinated Putin critic Alexander Litvinenko in London in November 2006, only six years into the rule of Vladimir Putin. Hybrid or grey zone methods are far from new either. “Any notion that only in the late twentieth century fluid, state, non-state or para-state actors were mixing conventional and unconventional forces and methods as well as espionage, sabotage, criminality, propaganda and subversion is patently untrue”, writes Galeotti. Continuity, more than change, seems to be the rule, so an obvious question arises: why are state threats so important now?

In the national security sphere, it is rare for any type of threat to disappear completely; there is indeed a traceable line of ongoing state threats activity from the end of the Cold War through to today. However, the available evidence does suggest that state threats have grown both in absolute and relative terms in recent years. In the first instance, the volume, range and daring of hostile acts appear to have grown, although it has taken Western governments time to see this. Major shocks – such as Russia’s annexation of Crimea in 2014 and the full-scale invasion of Ukraine in February – have been needed to force fundamental re-evaluations of long-lasting policy paradigms. In the second, state threats have begun to pose a comparatively greater challenge to Western national security than the previous main threat of international Islamist terrorism, which, while far from disappearing, has become less focused and lethal than in the wake of the attacks on the US on 11 September 2001.

3.1. An upward trend

There is currently no state threats database on all qualifying hostile state acts comparable to the Global Terrorism Database, which seeks to list all terrorist activities on a global scale. However, relevant, open source, quantitative proxy data on rising state hostile activities is available, especially from the cyber sphere. The Modern War Institute at West Point’s Dyadic Cyber Incident Dataset (DCID), which collates state-to-state cyber operations, has shown an upward if erratic trend in such operations over the first two decades of the 21st century. Figure 1 shows that trend according to its data sets 1.5, and the more recently updated 2.0, which runs to 2020.

Figure 1: Frequency of state-versus-state cyber incidents over time (2000-20).

The DCID indicates that there are four leading perpetrators of cyber attacks (China, Russia, Iran and North Korea, in that order), which together are responsible for 82% of all attacks over the 20-year period. Data from the Council on Foreign Relations Cyber Operations Tracker also indicates that 77% of incidents in its dataset (starting in 2005) were initiated by one of these four countries. Separate work on disinformation by the Oxford Internet Institute has also demonstrated the growing role of government-linked cyber actors in online information operations, with the number of national governments involved rising from 70 to 81 countries between 2019 and 2020. Of these, the countries with the greatest capacities include Russia, China and Iran, and in the Western world, the US, UK, Australia and Ukraine. Other major regional players include: Egypt, Israel, Iraq, Saudi Arabia and the UAE in the Middle East; India, Pakistan, Myanmar, Vietnam and the Philippines in the Asia-Pacific region; and Venezuela in South America.

Qualitative assessments of a wider range of activities by intelligence agencies in various European and Five Eyes countries indicate a similar picture too, with Russia, China and Iran mentioned most consistently as the main troublemakers. Of these, Western governments see China and Russia as the most concerning states, although the style and magnitude of the threat they pose varies. UK and US intelligence officials have compared Russian hostility to bursts of bad weather, whereas Chinese hostile behaviours have been described as being more pervasive and difficult to detect, somewhat like climate change. Most Western states also see North Korea as a threat, but primarily because of its cyber activities.

Along with an apparently increasing volume of hostile acts, moreover, observers have noted a rising tempo and ambition in the actions of perpetrators. The most notable player, across numerous fields, has been Russia. According to the assessment of Jakub Kalensky, deputy director of Hybrid Influence at the Hybrid CoE, who was interviewed for this project, “Russian information operations were in a relative hiatus in the 2010s”, but they “escalated massively following the Euromaidan Revolution [in Ukraine] in November 2013, and never stopped”. Russian activities have also become more geographically ambitious, spreading beyond the former Soviet states of Russia’s near abroad to the wider European continent and North America. Russia expert Keir Giles has reflected that, “since 2014, Moscow has become increasingly willing to reach into Western countries and do direct harm, through sabotage, murders and assassinations, undisguised electronic warfare, false-flag cyber attacks and more”.

China too has apparently accelerated the pace of its hostile activities. Christopher Wray, the director of the US Federal Bureau of Investigation (FBI), stated in 2020 that the agency was investigating over 2,500 China-linked cases, over half of all the agency’s live counter-intelligence cases. Wray also stated that the FBI had seen a 1,300% increase in Chinese economic espionage over the previous decade. Nicholas Eftimiades, a retired senior government official, China specialist and senior fellow at the Atlantic Council, who maintains a database of Chinese espionage and covert activity reports, has also identified a significant increase in activity in the past two decades, along with an improvement in Chinese tradecraft since 2016. With greater scale and capability has come greater ambition too, with renewed Chinese efforts at electoral subversion and malign political influence in the US and among its allies, such as Canada, Australia, the UK, France, Germany and Italy.

Although most hostile activity is initiated and managed solo by one state, there are also some indications of collaboration on hostile acts. Since the Covid-19 pandemic, there have been increasing indications of Chinese and Russian state-linked social media accounts working together on disinformation. Regimes friendly to Russia and Iran, such as Venezuela under the presidencies of Hugo Chavez and Nicolás Maduro, have also allegedly been involved in a variety of hostile acts, including overseas electoral interference, transnational repression of dissent and illicit narcotics trafficking with terrorist groups. One of the most blatantly hostile of Russia’s associates has been the regime of President Alexander Lukashenko in Belarus; among other activities, Belarus has encouraged illegal migration across its borders into Poland, and in May 2021 conducted an act of air piracy, forcing a Ryanair flight to land in Minsk to detain a Belarusian dissident, Roman Protasevich, and his partner.

Beyond the main revisionist states and their associates, moreover, are middle powers, loosely defined as states that sit below global powers such as the US, China and Russia in terms of political, economic or military power and influence. Middle powers exist both in the developed and developing worlds, but most of those in the developed world are tied into Western economic and security structures. There is certainly a history of Western or Western-aligned middle powers using covert and clandestine acts, not least the UK. However, constrained as they are by a variety of liberal democratic checks and balances, and largely tied into Western security arrangements, they do not appear to be major contemporary users of hostile action.

Certainly, many emerging middle powers have used covert and clandestine measures against their rivals for some time, and any Western ignorance of their activities seems more likely to result from a lack of past scholarly interest, than their absence in fact. However, the evidence of recent years is that several emerging middle powers have been using covert tools as forms of statecraft with growing regularity. Probably the most active has been Turkiye, under the leadership of President Recep Tayyip Erdoğan, which the German government rates as being as problematic for internal German affairs as Russia, China and Iran. Turkiye has been accused, in particular, of using violence against critics overseas, especially Kurdish independence activists and those linked to the religious Gülen movement, which mounted an unsuccessful coup attempt against President Erdoğan in July 2016.

Saudi Arabia has also been highly active in the covert world, most infamously with the murder of dissident journalist Jamal Khashoggi in Saudi Arabia’s Turkish embassy in October 2018. But Saudi Arabia also has a record of offensive cyber operations, online disinformation campaigns and political interference overseas; in this, it is also joined by other Middle Eastern powers such as the UAE and Qatar. Cyber expert Ben Buchanan writes that in recent years, the UAE and Qatar have become engaged in a relentless online battle of “tit for tat hack-and-leak operations”, with each seeking to embarrass the other politically with accusations of support for Islamist extremist terrorism.

Middle powers in other regions have also increasingly used hostile acts against bordering states and rivals. In South Asia, long-time rivals India and Pakistan have been engaged in a covert (and sometimes overt) battle for dominance in the region, which has included cross-border support for terrorism and assassinations, and has more recently spilled into the realm of cyber operations and online disinformation. Both countries have also begun to reach further afield, moreover, allegedly meddling in Canadian elections; and in the case of India, mounting a campaign of assassinations against Sikh separatist leaders living in North America. Despite the underlying domestic and regional causes of this behaviour, it appears that some middle powers are increasingly willing to play them out on the global stage.

3.2. Changing perceptions

The growing evidence of state-led hostile acts has played a central role in the greater recognition of the importance of the issue, but it has not been the only reason behind the shift. In fact, there has been something of a lag between the evidence of rising state threats and Western governments’ reactions.

The most important barrier to accepting the evidence of growing state threats has been the belief that the era of globalisation had fundamentally changed the nature of international politics. After the end of the Cold War, some Western political scientists argued that global economic integration was leading to political liberalisation, and from there, to a period of settled democratic peace. Russia was increasingly perceived as a “normal country”, transitioning from authoritarianism to a liberal, free market democracy. China too, despite retaining a communist regime, was seen in a similar way: as an authoritarian state that was inching towards freedom by way of liberal economics. President Bill Clinton in March 2000 welcomed the prospect of China’s accession to the World Trade Organization, holding out the vision of a state transformed by prosperity; “the more China liberalizes its economy, the more fully it will liberate the potential of the people”, he promised, “and when individuals have the power not just to dream, but to realize their dreams, they will demand a greater say”.

Only a small number of states, such as Iran and North Korea, were seen as holdouts against this new world, and occasional tensions with Russia and China were simply discounted as bumps in the road; historian John Lough has shown how this dynamic played out between Germany and Russia in the 1990s and the early 21st century, with Berlin moving to ignore Russia’s democratic backsliding and abuse of human rights out of a combination of historic guilt, idealism and economic self-interest. The years up to 2014 were, Lough concludes, ones of wishful thinking about Russia, where Western governments were willing to ignore an “increasing divergence between the Russia they wished to see and the Russia they were dealing with”. Western countries turned an even more forgiving eye on Chinese domestic repression and aggressive diplomacy, motivated by a desire to buy cheap Chinese goods and export to Chinese markets, especially major European trading countries such as Germany. For Western leaders, profit could afford to come before principle, because the expected future outcomes of lasting peace and prosperity would outweigh any immediate strategic or ethical concerns.

An accumulation of evidence about aggressive Russian and Chinese behaviours, both overt and covert, slowly started to erode these attitudes over the first decade of the 21st century, but it took a series of decisive and shocking events to undermine the previous Western view. For Russia, key inflection points were its annexation of Crimea in 2014 and the full-scale invasion of Ukraine in February 2022, which led to Russia’s increasing isolation from its Western partners, and escalating economic and financial sanctions. With these dramatic events, it became ever more difficult for Western governments to re-interpret Russian actions in a forgivable light.

For China, the shift has been slower and more guarded. The US and other Western countries have become increasingly concerned about how China’s integration into the global economy has allowed it to penetrate Western businesses, CNI, and scientific and technological research. They have also struggled to downplay the more bellicose, nationalistic and anti-Western rhetoric of President Xi Jinping since his rise to power in 2012‒13, and to ignore Chinese domestic repression, or intimidation of regional neighbours including Taiwan and the Philippines. But while there have been fewer dramatic “wake-up calls” than with Russia, China has increasingly raised doubts in Western governments about its trustworthiness and intentions since the Covid-19 pandemic. China’s unwillingness to cooperate with an international enquiry into the origins of the pandemic brought substantial Western criticism, as has its ongoing public support for Russia since the full-scale invasion of Ukraine, and the public revelation of its extensive espionage and malign influence operations in European and anglophone countries. While the US and its allies have tried to retain varying degrees of engagement with China in the face of these difficulties, Western officials and observers have become increasingly anxious about China’s ultimate intentions, as well as the role it might play in leading an anti-Western axis that also includes Russia, Iran and North Korea.

3.3. The changing face of terrorism

Threats do not arise in a vacuum, however. For a threat to gain salience depends on its relative position vis-à-vis other potential challenges. One of the additional factors that explains the growing salience of state threats now has been the comparative change in the profile of terrorism, which has been one of the West’s primary national security concerns of the past two decades. After the spectacular shocks of 9/11, Western national security strategies squarely focused on tackling the Islamist extremist threat: firstly, Al-Qaeda and its regional affiliates; then from the mid-2010s, as Al-Qaeda’s operational effectiveness declined, IS, which dominated large swathes of Syria and Iraq for several years, and mounted dramatic attacks in Europe, such as in November 2015 in Paris.

However, in the past five years the character of the threat from Islamist extremism has changed, if not disappeared. Al-Qaeda, IS and their affiliates remain important actors in the Sahel, the Horn of Africa, Afghanistan and the Federally Administered Tribal Areas of Pakistan. Indeed, recent cases have indicated that IS affiliate Islamic State-Khorasan Province has the capability to mount major operations, launching a successful attack on a Moscow concert hall in March 2024, and planning one on a Taylor Swift concert in Vienna in August 2024, that was prevented by the concert’s cancellation. However, in recent years, Islamist extremist groups and networks have not demonstrated an operational capability within or against Western states comparable to that seen in the early 2000s or mid-2010s. On the contrary, most recent attacks have been limited to lone-actor or small-cell operations of relatively low lethality, partly contained by Western intelligence agencies’ successful surveillance and disruption efforts over the past decade. Moreover, even though Western states have become more anxious about the threat from right-wing terrorists, the extreme right has not been able to mount major domestic campaigns comparable to past Islamist extremist operations, and has largely remained limited to self-financed attacks conducted by lone actors. In this context of a reduced or at least modulated terrorist threat, Western governments have enjoyed greater policy space in which to focus on threats from other states.

3.4. Vulnerabilities and capabilities

A further aspect to answering the question “Why now?” is a changing perception of Western vulnerabilities. At the height of the international terrorist threat, experts emphasised how vulnerable open Western societies were to terrorism, and how increasingly easy it was for terrorists to cause disproportionate damage with new technologies such as end-to-end encryption, commercial drones and 3D printing.

These vulnerabilities have not gone away with the relative decline of the terrorist challenge. Security experts continue to argue that the open character of Western countries makes them a perfect target, because key aspects of security are outsourced to the private sector; much CNI sits in private hands, for example, where the drive to keep down costs and maximise profits can reduce security and resilience measures to tick-box compliance rather than active risk management.

The risks are arguably greater now, moreover, because state actors have significantly greater resources than terrorists, and many more avenues to cause trouble given Western economic dependencies. Russia, China and other countries with authoritarian or autocratic systems have developed deeply embedded links into Western financial systems, economies and societies. Some of these, such as China’s investments in major ports, are highly strategic and vulnerable to abuse. The experience of the pandemic and the economic effects of the 2022 Russian invasion of Ukraine have made it apparent how vulnerable supply chains and energy and communications infrastructures are to disruption, and Western policymakers and analysts are thus clearly worried about the extent to which hostile state actors might exploit these in the future. In interview, Ragnar Ingibergsson, a former senior analyst of economic hybrid threats at Hybrid CoE, commented, “liberal societies are at risk by their very nature” because “their fundamental ethos is openness”. Facing well-resourced and implacable adversaries that are willing to abuse this openness, he noted, such societies are “at an immediate disadvantage”.

3.5. Conclusion

The current challenge of state threats seems to echo past periods of intense interstate competition that many assumed had passed with the end of the Cold War. This might lead scholars who take a critical perspective on security and international relations to wonder whether state threats are an empirical reality, or another instance of the rhetorical “securitisation” or inflation of pre-existing policy issues.

However, even a basic survey demonstrates that there are genuine grounds for concern about the growth of hostile state activities. There is a “there” there; the current prominence of state threats is not just the result of national security establishments and analytic communities creating a new problem or casting around for a new threat to tackle for a lack of alternatives. Changing perceptions of the relative intensity of terrorism have helped create policy space to address state threats, but they have not created the issue in itself. Indeed, the rising importance of state threats has created resource problems for Western intelligence agencies, which have an ongoing responsibility to keep terrorism in check. State threats are not a problem of choice.

From another critical perspective, it might also be asked whether we can truly say state threats are growing, especially when it is clear that governments have not been focusing on the issue for some time. After all, we do not know what we do not know. Nevertheless, where we have data series over time ‒ for example, in the field of state-linked cyber activity ‒ there does appear to have been an increase in state threats over the past two decades. It would be counterintuitive to discount this evidence, even if we accept that the gradient of rise has not necessarily been steep or steady.

Finally, while accepting there are continuities between past and present state threats, the character of the current situation differs from the past three decades in many ways. The growing range and ambition of hostile state activity, much of it now technologically enabled, goes far beyond what was experienced in the 1990s and the early years of the 21st century. It also goes beyond the obvious analogue of the Cold War era, both in terms of the range of state actors involved and the environment in which the activity is taking place. Simply stating that state threats will “always be with us” fails to recognise that the phenomenon, like any other social activity – war, education, travel and so on – can take on a radically different scale and character over time, despite retaining its most fundamental qualities.

4. State threats in practice

The previous section sought to understand the reasons why state threats are an issue of concern now; this section seeks to provide a map or anatomy of state threats in practice. Rising volumes of cyber attacks and disinformation efforts have been noted as two indicators of increased state-on-state hostility; but these two areas of activity, while important, are far from being the only ones.

An attractive way to map out the current scope of state threats would be through a quantitative study. However, given the current patchy state of the quantitative data landscape, this would be a vast undertaking that is well beyond the scope of this project. This section thus seeks to provide a qualitative outline of the key areas of hostile activity, looking at the methods or vectors of hostile action, and highlighting the common targets and purposes behind attacks. To the extent possible for mostly secret activities, the section looks at the mechanics behind hostile acts, from points of initiation to operational execution.

4.1. Overt measures

Most overt hostile acts are undertaken by state actors with the explicit intention of intimidating other states, often to follow a line of action they otherwise would not. The most basic form is abuse of diplomacy, turning diplomatic channels into a means of delivering threats, rather than a means of dialogue. China, for example, has become infamous for its “wolf warrior diplomacy”, which combines performative public anger and threats of vague consequences when a state goes against China’s will. For example, Gui Congyou, the Chinese ambassador to Sweden, in November 2019 expressed his government’s anger at the awarding of a major writing prize to Hong Kongese-Swedish dissident Gui Minhai: “We treat our friends with fine wine, but for our enemies we got shotguns”, he told a Swedish journalist.

Alongside gangster-style diplomacy, some states have become ready users of what Galeotti has described as “heavy-metal diplomacy”, such as launching aggressive military exercises or tests, or shadowing or harassing other states’ military or civilian vehicles, especially at sea or in the air. These actions go well beyond the bounds of commonly agreed military practice, and can lead to direct incursions into other states’ sovereign territory. Russian aircraft and naval vessels regularly violate Western countries’ airspace and domestic waters, and in recent years Russia has taken to jamming the satellite-based global positioning system in both the Baltic Sea and Black Sea regions, causing major problems for civilian aircraft. Russia has also attempted the surreptitious movement of border markers, termed “borderisation” by those who have suffered it on land in Georgia. Russia tried this technique again in May 2024, this time testing the maritime borders of Estonia by removing floating markers in the Narva river.

Although the Russians are among the most prolific users of heavy metal diplomacy, they are far from being alone. China’s Maritime Militia – technically part of the PLA, but often using civilian resources – has harassed its neighbours’ military and civilian vessels in the disputed waters of the South and East China Seas, while also building new “islets” to provide justification for the subtle shifting of international maritime boundaries. Other states have gone as far as acts of near piracy, such as Belarus’s forced landing of a civilian aircraft in May 2021 or Iran’s boarding of Western commercial vessels in the Persian Gulf in 2019, including the seizure of the Stena Impero, a ship with Swedish owners, registered in the UK, as it was passing through the Straits of Hormuz.

In combination with the tools of diplomatic and military menace, several states have also used economic and financial coercion, applied indirectly through business and commercial interests. Russian state-owned oil and gas firms have continuously used access to vital energy supplies to coerce and cajole the governments of former countries of the Soviet Union and eastern European states in the past three decades. China, meanwhile, has become adept at manipulating Western companies’ access to the Chinese market for political purposes, with a technique known as yi shang bi zheng (“using business to pressure government”). For example, Chinese officials encouraged Börje Ekholm, chief executive of Swedish telecommunications giant Ericsson, a firm with significant Chinese interests, to lobby the Swedish government in 2020 to drop a proposed public sector ban on Chinese technology firm Huawei. China has also made widespread strategic investments in the communications and logistical infrastructures of European, African, Middle Eastern and Asian countries, making them economically dependent on Beijing’s continued goodwill.

A further openly used tactic, though more a signal of displeasure than a direct act of coercion, is withdrawal from important international agreements. A recent example is the withdrawal of Russian and Chinese support for the effective implementation of UN sanctions on North Korea, especially the failure to extend the mandate of the UN Panel of Experts in March 2024. Further examples also include pointed negligence in areas of previous international cooperation, such as tackling international organised crime. Since the start of the full-scale invasion of Ukraine in 2022, for example, Russia has made it easier to import counterfeit Western luxury goods and in February 2024 withdrew from the Criminal Law Convention on Corruption, a Council of Europe initiative dedicated to criminalising corrupt practices. Belarus has taken a similar course, legalising piracy of audio-visual content and software in January 2023.

On the flip side of these acts of overt coercion, there have been attempts to build constituencies of political and public support in states likely to oppose revisionist agendas. For obvious reasons of simplicity and efficiency of effort, such attempts typically begin with a process of cultivating elites, seeking to create personal bonds and relationships that can be leveraged at a later date. Extending the meaning of a term that comes originally from development literature about the control of resources and power by domestic elites, observers have described this process as a form of external “elite capture”.

Both Russia and China have worked hard to build close and open relationships with sympathetic Western politicians, business leaders, journalists and cultural figures. The Russian approach has been particularly brazen, with several Western leaders offered directorships in Russian companies and other benefits in return for support for Russia. In Germany, this process has been described as “Schroederisation”, which Galeotti characterises as “the individual-by-individual corruption of another country’s politics in a wholly legal (if ethically problematic) way”. The name, of course, comes from the example of former German chancellor Gerhard Schroeder, who developed a lucrative working relationship with Russian gas producer Gazprom after leaving office in 2005, and has remained one of President Putin’s most vocal Western supporters ever since. Schroeder has not been the only one to take Putin’s rouble, moreover, and other European politicians, such as former foreign minister of Austria Karin Kneissl, and former prime minister of France François Fillon, have also taken positions with Russian firms after leaving office.

The Chinese Communist Party (CCP) has followed a similar path to Russia, if not quite so shamelessly. In the words of China expert Elizabeth Economy, China’s aim has been to penetrate “societies and economies … to shape international actors’ political and economic choices in much the same way as it does with domestic actors”. China has a well-developed method for achieving this. According to Stokes and Hsiao, experts on the PLA, Chinese agencies will identify friends to be supported, enemies to be suppressed and those in the middle to be won over. As other China experts highlight, the Chinese seek to do this at both national and local levels of governance in targeted states. The issue is explored further in a discussion of malign influence below (section 4.6.3).

But Russia and China have also sought to build open relationships with communities and groups on the fringes of power and influence. This process of what might be described as “popular capture” takes place more commonly through connections to overseas ethnic and cultural minorities. Russia, for one, has sought to exploit the dispersal of Russian speakers throughout the countries of the former USSR and eastern Europe, with initiatives such as Russki Mir (“Russian World”), which encourages Russian speakers or descendants of Russians living outside Russia’s borders to see themselves as a distinct community of “compatriots”, with allegiance to the motherland. These efforts to shape a separate identity for citizens of other countries can also be underpinned by material benefits, such as the provision of pensions and passports, as was the case in South Ossetia and Abkhazia in 2007. Georgians described this process as “passportisation”, to go along with the aforementioned process of borderisation. China has also built strong relationships with its diaspora communities throughout the world, using state-backed media and direct engagement between party bodies such as the United Front Work Department (UFWD), and Chinese-heritage business and academic communities. Under the current leadership of the CCP, expatriates and members of the diaspora community are expected to act as unofficial Chinese ambassadors to their host countries ‒ in the words of President Xi, to “tell the China story well”. The implied expectation is that there will be problems for them if they do not.

Other groups that Russia, in particular, looks to are those on the political extremes, especially when elite capture has proved difficult to achieve. Elements within the Putin regime have built close connections with parties of both the far right and the far left in Europe, most notably those of Marine Le Pen in France, Alice Weidel and Sahra Wagenknecht in Germany, and Matteo Salvini in Italy. Le Pen’s party, then named the Front National, received a loan of €9.4 million from a Russian bank in 2014, while more recently, the Prague-based Voice of Europe media outlet was allegedly used to channel cash to representatives of the far right in Europe. Russia has also provided platforms for foreign radicals and populists on state-connected TV channels, such as Russia Today, as well as promoting narratives likely to appeal to disaffected political constituencies in foreign countries.

A further method currently in use is the overt suppression of anti-regime dissent overseas, often described as “transnational repression”. One of its most widely used techniques is the abuse of legitimate legal processes to target dissent and criticism, one aspect of a wider phenomenon also known as “lawfare”, a term coined in a military context by former US air force general Charles Dunlap to mean “the use of law as a weapon of war”. A common tactic is the abuse of Red Notices, which require the 195 member agencies of the Interpol international police network to issue warrants for arrest against those named. These notices are intended to prevent suspected criminals escaping justice, but some states have misused them to harass domestic dissidents based overseas, often spuriously labelling them as terrorists. China, for example, has used the tool to try to extradite dissidents such as Dolkun Isa, the president of the World Uyghur Congress, while Russia has sought to detain not only its own dissidents, but also foreign critics such as British-US financier Sir Bill Browder.

China and Russia have also used their own domestic legal systems to target dual-nationality dissidents with charges of espionage or political offences, as seen in the ongoing case against Chinese-Australian writer Yang Hengjun and that of recently released Russian-British journalist Vladimir Kara-Murza. A further aspect of lawfare used by Russia has been to bring civil cases in foreign courts that target journalists writing about the Russian regime, referred to as Strategic Litigation Against Public Participation (SLAPP). Chinese diplomats have also mixed a wolf warrior approach into their attempts at transnational repression within foreign civil societies, making coercive threats against Western universities that have sought to exercise their academic freedom by offering platforms to critics of Chinese policy, such as pro-Tibetan or pro-Uyghur activists, especially when those universities have enjoyed significant financial and research links with Chinese institutions.

The key point to recall about these overt measures (summarised in Table 2) is their wider contextual relationship to other more covert forms of state threats. Most importantly, they play a role in creating and shaping environments in which it is easier for states to use nefarious activities if they choose to do so. Cases in point are elite and popular capture, which can easily slide from what appear to be open and legitimate relationships to hidden corruption. As China expert Alex Joske suggests, the Chinese approach of “making friends and watching what happens” is effectively a form of grooming, where the Chinese “friend” creates a credit balance of favours done, such as providing political access and business opportunities, which can then be drawn upon later. The exploitation of expatriates and members of diaspora communities as unofficial ambassadors in their host or home countries also fosters groups of what might later become operatives available for espionage, sabotage or subversive activities. While Xi looks to overseas Chinese to tell the country’s story, he has also said he expects them to be its “eyes and ears” as well.

Table 2: Summary of overt methods.

4.2. Covert and clandestine measures

Strictly speaking, the terms “clandestine” and “covert” – though often used interchangeably – have different meanings. In clandestine acts, the intention is to hide both the actor and the action. In covert acts, the aim is to hide only the actor, making deniability the key requirement. However, for ease of use, this paper will use both words interchangeably.

As an aside, it should be noted that some intelligence scholars now question how appropriate the word covert really is for the activities being described. Cormac and Aldrich have highlighted that much contemporary covert activity is conducted with such flagrance that the perpetrators almost seem to be begging to be identified. In such cases, “implausibly deniable” acts might reflect a lack of professionalism, but could also be intended to send “a message” to the target or potential targets. While accepting the principle behind the point, however, this paper will continue to use the word covert, noting that in some instances levels of cover are light to the point of being diaphanous.

For simplicity, the following sections look at the evidence on contemporary covert and clandestine activity within the framework of the well-known categories noted in the discussion of definitions in section 2. They are:

  1. Espionage ‒ the secret collection of sensitive materials held by others.

  2. Intimidation ‒ against people, whether individually or in groups.

  3. Sabotage – the intentional damage or destruction of assets or processes, including preparation for sabotage, or an intentional action to take advantage of target vulnerabilities for future exploitation.

  4. Subversion – covert attempts to shape the overall political environment within another state in a way favourable to the perpetrator.

  5. Malign influence – covert attempts to influence the views and decisions of targeted elites in a way favourable to the perpetrator.

  6. Sponsoring internal opponents – covert attempts to support groups that actively oppose or challenge a targeted state using disruptive or violent means.

  7. Orchestrating regime change – covert attempts to interfere directly in electoral processes or overthrow a targeted government by other means.

The meaning of these terms is fairly well understood, but there is a certain amount of fuzziness in how various scholars and practitioners define them. For example, the term subversion has been applied extremely broadly by some to describe all “indirect and secret” state actions in the space between diplomacy and war, or “external interference in a nation’s affairs to overthrow the existing order … on terms favourable to the aggressor”. Other studies – including this paper – see subversion more narrowly, as covert exploitation of the information environment of another state, to induce political effects favourable to the perpetrator. Although it is important to be clear about terms, there is always a risk of “good faith” misunderstandings about the meanings of such ambiguous words.

A further aspect of this issue is that even when terms are clearly defined, different categories are closely coupled to, overlap with or slide into one another. Espionage, for example, is not deemed a covert activity by scholars of the field. However, it is the principal foundation of all forms of (successful) covert action. If one does not know the whereabouts of a target, they cannot be intimidated. If one does not already know the layout of a sensitive building, installation, computer system and so on, it is difficult to do targeted damage. If one does not understand the political environment, political structures or internal divisions within a state, it is difficult to manipulate its affairs.

Furthermore, it is arguable that some forms of covert action can have dual or even multiple levels of effect. Revelations of successful espionage, intimidation of dissidents or media figures, or acts of sabotage against a given state can send negative and thus subversive messages about the capacity of that state to cope with such hostile activity, and might influence the views and morale of its decision-makers. Covert activities can also be used in concert (subversion and malign influence are natural bedfellows); and other types of action, if successful, can provide opportunities to undertake new operations. Civil disturbances encouraged from abroad can provide useful grist for further subversive information operations; and lessons and intelligence derived from an act of sabotage can be used to prepare new operations, or be provided to domestic groups with anti-state agendas and a willingness to use violent means. The possibilities are numerous.

4.3. Espionage

Of all the dark arts, espionage is probably the most comprehensible and acceptable in Western eyes. Arguably, the ubiquity of spying throughout history and between countries of all types – including those of the West – makes it an odd bedfellow among other hostile activities listed. When China stole officials’ personnel data from over 22 million records in the US government’s Office of Personnel Management (OPM) in 2015, General Michael Hayden, former head of the National Security Agency (NSA) and CIA, remarked that what China had done was perfectly legitimate. Furthermore, he said he would have even ordered a similar hack himself if it were against China. The US government was also initially outraged at the hack of an update to business software company SolarWinds’ Orion supply chain management system by Russia’s Foreign Intelligence Service (SVR) in 2020, fearing it to be a potential act of sabotage. But after careful assessment, both the US government and outside observers concluded it was a less concerning case of espionage.

Just because espionage is familiar to the West, however, does not necessarily mean it sits within the bounds of legitimate statecraft; legal scholars have noted how the paucity of international law on peacetime espionage makes the activity difficult to classify as “legal”. Nonetheless, despite limited guidance in written and case law, most scholars see peacetime spying as permissible where it helps states understand the behaviour of other governments and provides early warning of potential attempts to break international law. The emphasis here, then, is on the legality of spying on reasonable grounds of security, suggesting that principles of necessity and proportionality apply. It is because of this divide between broadly acceptable espionage – undertaken for purposes of diplomacy, security and maintaining peace – and less justifiable espionage – undertaken for gain, as a prelude to mischief-making or even just for the sake of it – that much of the behaviour of the leading revisionist states is so problematic.

Both the magnitude and range of contemporary spying by China and Russia seem high by historic standards. Ken McCallum, director general of MI5, has described China’s espionage campaign as “epic”. As the OPM hack indicates, much of this explosion of activity comes from the development of cyber hacking, which enables the collection of bulk data on a vast scale, and for its own sake; according to intelligence historian Calder Walton, China follows a “collect and store now, decrypt later” strategy. It is notable that the largest proportion of what are described as cyber operations are not disruptive attacks as such, but data collection through cyber means; the DCID database indicates, for example, that 61% of the state-backed cyber attacks registered were primarily data thefts, rather than acts of sabotage. Data mining of social media has also provided a vast reserve of openly accessible personal information that is relatively easy for states to collect. US agencies have been concerned, for example, that China has been scraping sites such as LinkedIn to collect data and cultivate contacts, and using platforms such as TikTok to surveil US military staff in US bases across the globe.

A significant amount of this cyber-enabled espionage has been devoted to gathering information on traditional and ‒ to Western eyes ‒ legitimate targets, such as the military, intelligence agencies, government departments, legislatures, and other organs of governance and politics. The Russian Military Intelligence Service (GU, more commonly known by its historic title, GRU) is believed to have been especially prolific in this regard. One of the GRU’s units, known within the cyber community as Advanced Persistent Threat (APT) 28, or more colloquially as “Fancy Bear”, has undertaken many major politically focused espionage hacks, including an attack on the German Reichstag in May 2015 that stole 16 gigabytes of data from 14 elected representatives, including then-chancellor Angela Merkel, and the notorious penetration of the Democratic National Committee (DNC)’s systems in the US in 2016.

However, the aperture of anti-Western cyber espionage has widened much further in recent years too, encompassing targets in non-state or government-related areas. US officials have taken particular issue with what they claim to be China’s theft of a huge chunk of US intellectual property (IP); according to the US Intellectual Property Commission, IP thefts cost the US between US$225 billion and US$600 billion annually, with China the primary perpetrator. In a further step beyond espionage norms, China has also sought to collect data on private citizens of target countries, not only through open source intelligence on social media, but through hacks of a variety of businesses and civil society institutions. For example, China was believed to have covertly acquired confidential credit data on over 150 million US citizens from credit agency Equifax in 2017. Cyber industry reports also suggest that Chinese APTs have targeted Indian law enforcement, media and the country’s national identity database. Despite China’s apparent primary focus on collecting information, moreover, it is becoming increasingly unclear whether certain hacks, especially recent penetrations of Western CNI, are not so much acts of espionage as intentional pre-positioning for future offensive operations.

The growing importance of cyber tools in espionage should not detract, however, from the ongoing value of what intelligence professionals term “human intelligence” (HUMINT) to these states. China, Russia and others have continued to exploit human sources within government, military and political circles. Cameron Ortis, formerly of the Royal Canadian Mounted Police, was sentenced in February 2024 to 14 years in prison for leaking intelligence material to a transnational money-laundering network with links to Hezbollah and various OCGs. Court documents published after his conviction also indicated that Ortis had been suspected of planning to pass intelligence to Chinese officials. Other recent cases have included Peter Debbins, an officer in the US Army’s Special Forces, who was convicted of providing material to Russian intelligence in 2021; and “Thomas H”, a Bundeswehr (armed forces) officer involved in German military procurement, who had also allegedly worked with the Russians.

Russia has also continued its aggressive development of a network of overseas individuals ‒ known as “illegals” ‒ providing a cadre of clandestine operatives to supplement declared operatives under diplomatic cover, which have declined in numbers due to recent expulsions by Western governments. A noted trend has been the deployment of Russian nationals under deep cover as Latin Americans, cases of which have recently emerged in a variety of European countries, including Norway and Slovenia. A prominent US case in this vein has been that of Sergey Vladimirovich Cherkasov, aka Viktor Muller Ferreira, a GRU operative who studied at Johns Hopkins University in the US and Trinity College in Ireland posing as a Brazilian citizen. After completing his education, he secured a job at the International Criminal Court in the Hague, but as the result of an investigation by the General Intelligence and Security Service (AIVD), he was arrested by Brazilian authorities and sentenced to 15 years in prison for document fraud, a sentence later reduced to five years. He was also indicted in the US in March 2023 for several criminal activities, including acting as an unregistered agent of a foreign power. However, Brazilian courts refused a US extradition request, and the authorities have stated that Cherkasov will eventually be extradited to Russia, where he is sought on charges of drugs smuggling.

Russia has also sought to work through trusted non-Russian operatives, the outstanding recent example of which is Austrian citizen Jan Marsalek. Marsalek, who worked as chief operating officer of German payments services provider Wirecard, fled to Russia in 2020, after he was alleged to be implicated in a massive fraud at the company. Subsequent media reporting based on intelligence sources suggested that Marsalek had been a GRU operative since the early 2010s, and had been used by Russia to try to infiltrate Austria’s domestic intelligence agency, the Office for the Protection of the Constitution and Counterterrorism (BVT), and the Austrian political elite. It also emerged in early 2024 that Marsalek had allegedly undertaken a variety of other tasks for the GRU, including running a network of Bulgarian nationals conducting intelligence activities in the UK, a group which was disrupted by arrests in September 2023.

China has also used human sources to collect intelligence on traditional targets; various recent scandals have emerged in European countries regarding the penetration of leading politicians’ staff by Chinese operatives. China has been adept too at developing contacts under the cover of ostensibly innocent overt influence efforts, especially through Chinese diaspora communities with political links. HUMINT has also played an important role in commercial and academic collection, especially copyright infringement and IP theft, leading to multiple lawsuits against Chinese businesses brought by Western technology firms, including Cisco, Fujitsu, Motorola, T-Mobile and Quintel, and bio-medical giants such as Monsanto. Programmes such as China’s “Thousand Talents Plan” have further proved especially useful ways to cultivate and then exploit Western researchers in leading-edge areas of scientific and technological research. Perhaps the most well-known of these cases was Charles Lieber, a Harvard chemist who was arrested in January 2020, and later convicted of lying to US investigators about his Chinese links, and for failing to declare payments of over US$1 million from Chinese institutions.

As discussed later, China also takes a “whole-of-society approach” to collection, with Chinese businesspeople, workers, academics, researchers and students all required to collect commercial, scientific and technological material when based overseas or working with foreign partners. According to FBI investigations in 2020, Chinese researchers apparently unaffiliated to the Chinese state, who had visas to work in the US, were in fact linked to the PLA and tasked to collect material on medical research and software development. In the wake of six people being arrested in the summer of 2020, more than 1,000 Chinese researchers unexpectedly left the US.

Before moving on from espionage, it is important to state that the US and several of its allies are also major spying nations. Agencies such as the CIA, MI6 (the UK’s Secret Intelligence Service) and Israel’s Mossad have impressive HUMINT capabilities and coverage, while the NSA and GCHQ are the world leaders in the collection of electronic communications, known as signals intelligence (SIGINT). As past breaches have indicated, US and UK technical collection capabilities are highly advanced, and critics have raised legitimate questions about how appropriately and legitimately these have been deployed against allies, enemies and domestic targets alike. Critics have noted how Western agencies have also shown an unhelpful habit of repeating past mistakes and excesses. Moreover, while the US and most of its allies generally eschew commercial and non-security related espionage, this is not the case for every Western country or ally.

Nonetheless, this does not “make them all the same”, or create a direct moral or legal equivalence between Western and revisionist states. While the outcomes have been far from perfect, Western governments have increasingly sought to place the activities of their intelligence agencies on a legal footing, creating checks and balances on their operations, and various forms of institutional oversight, such as the UK’s Investigatory Powers Tribunal. In addition, several Western legislatures have shown a willingness to investigate and address alleged lapses of their own agencies, as happened in the US in the 1970s, and more recently, in the US Senate investigation of the alleged involvement of CIA operatives in the torture of Al-Qaeda suspects. In comparison, the agencies of authoritarian states rarely appear to be held publicly accountable for breaching the laws and norms of overseas espionage; when they are criticised, it is more often for corruption or poor performance. While Western agencies are far from being beyond reproach, there is more evidence of them seeking to work within defined legal and ethical frameworks than there is of their opponents doing the same.

4.4. Intimidation

Alongside the explosion in espionage, there has also been a massive rise in governments’ use of intimidatory tactics against their critics and opponents located overseas. Much of this activity comes from revisionist authoritarian regimes such as China, and to a lesser extent Russia and Iran, but has also emerged from autocratic middle powers in Central Asia and the Middle East, and even democratic states such as Turkiye. As noted in the previous section on overt measures, some of this transnational repression has been out in the open, but much has been covert too, and violent. Historically, the intelligence agencies of the USSR referred to such activities as part of a wider range of ostrye meropriyatii (“sharp measures”) for just this reason.

It is legitimate to ask whether attacks on critics based overseas are state threats when they are not necessarily intended as attacks on the states hosting the targeted critics. However, the tools and methods used – often violent – not only put the people and assets of the host state at risk, but also abuse the states’ sovereignty and interests. That these acts are undertaken both knowingly and intentionally means they fall squarely within the definition of state threats.

4.4.1. Surveillance and harassment

Intimidatory tactics fall along a spectrum of threats, with surveillance as its least threatening expression. At its most basic, this can be physical surveillance, carried out by state operatives, partners or proxies overseas; a recent example is the creation of “unofficial Chinese police stations” in various Western states that host Chinese diaspora communities. But there are limitations on the levels of access that surveillance teams can get to targeted individuals overseas and cyber tools have therefore become increasingly useful for monitoring at a distance. China, in particular, has taken advantage of technological developments. As early as 2009, Operation Aurora, undertaken by a group linked to the PLA, hacked Google, Microsoft and 32 other firms to spy on the email accounts of Chinese dissidents. Throughout the Covid-19 pandemic, moreover, Chinese agencies used social media apps such as WeChat and TikTok, and online conferencing platforms such as Zoom, to maintain coverage of interactions between those living in China and members of the diaspora. In one instance, a member of Zoom’s China-based research and development team was required to work with the Chinese Ministry of State Security (MSS) and Ministry of Public Security to identify and close meetings in the US that China deemed subversive.

Unsurprisingly, it has been a small step from surveillance to more direct forms of harassment by Chinese agencies, again enabled by technological developments such as voice over internet protocol calls, social media and instant messaging services. Chinese officials have used channels such as WeChat to contact, threaten and intimidate Uyghur and Tibetan expatriates living in Western countries, either directly, or more powerfully through family members still living in China. This technique, known as coercion-by-proxy, is commonly used to gain compliance from anti-regime individuals and groups based overseas. For example, Abdujelil Emet, a Uyghur dissident living in Germany, was phoned by his sister in Xinjiang, who begged him to stop his activism. The menacing consequences for Emet’s family of his failure to comply were also made clear. China is not the only user of the technique, moreover. Iran has used coercion to try to control its diaspora and North Korea has held hostage family members of its own workers sent overseas to generate income. Other states, such as Vietnam, Egypt, UAE, Oman and Turkiye are also alleged to have used the method to blackmail and punish journalists, students, academics, workers and critics living overseas, using vulnerable family members as targets. Coercion-by-proxy also has the potential to be used in more active ways too, with state agencies applying leverage on the home-based families of those living overseas to undertake covert and clandestine activities on the state’s behalf.

4.4.2. Kidnapping

More direct interference in the freedoms of critics living overseas can follow, including the kidnapping of the most important targets. Again, this is an area in which China has been particularly active, conducting numerous operations against exiled former CCP officials the Xi regime alleges to be corrupt. Xi launched Operation Foxhunt (2014), then Operation Skynet (2015), to identify, locate, capture and repatriate such individuals – voluntarily or otherwise. Chinese operatives have carried out such operations worldwide, both where extradition treaties do – and do not – exist. Walton estimates that over eight years of activity, Chinese authorities targeted more than 9,000 Chinese nationals through these programmes. Despite the trumpeted focus on corruption, however, China has also used similar techniques to target political dissidents and critics. For example, Hong Kong bookseller and Swedish citizen Gui Minhai was kidnapped from Thailand in 2015, before later being put on trial in China and convicted for his involvement in a historic fatal car accident.

4.4.3. Physical attacks and assassinations

At the far end of the spectrum of intimidation are physical attacks and assassinations. Here, the Putin regime has had a high international profile, seemingly less disposed to kidnapping its targets than to killing them. Two of the most notorious cases in the past 20 years have happened in the UK. Alexander Litvinenko, a former Russian Federal Security Service (FSB) officer and Putin critic living in London, died after being poisoned by two former FSB officers with polonium 210, a highly radioactive isotope, in November 2016. Former GRU officer Sergei Skripal and his daughter Yulia, who lived in Salisbury, were targeted by two serving GRU officers with the nerve agent Novichok in March 2018. While the Skripals survived, three members of the public were also poisoned, with one later dying. According to Walton, investigative reporting has linked Russian agencies and their partners to many other deaths in the UK.

Russia has allegedly undertaken such activities in other European countries too, notably against exiled Chechen rebel leaders. Zelimkhan Khangoshvili, a Chechen who fought for the Georgian military during the 2008 Russo-Georgian war, was murdered in Berlin in summer 2019 by hitman Vadim Krasikov. Krasikov was captured and received a life sentence in 2021, but was returned to Russia in a prisoner swap in August 2024. President Putin’s spokesperson subsequently admitted that Krasikov was an FSB employee. Russia may also have begun targeting defectors from the Russian war effort against Ukraine. Maksim Kuzminov, a Russian helicopter pilot who defected to Ukraine in August 2023, was found shot to death by unknown assailants in Spain in February 2024. Although no official allegations were made, media reports suggested that both Spanish and Ukrainian intelligence agencies believed Russian intelligence to be culpable.

While it remains the most notable example, Russia is not the only user of sharp measures against dissidents based overseas. Within the core group of revisionist states, both Iran and North Korea have sought to assassinate regime critics. According to figures provided by the UK’s Metropolitan Police in February 2023, the police and MI5 foiled 15 plots by Iran to abduct or kill dissidents based in the UK in the preceding two years. Moreover, the UK sanctioned several members of Iranian Revolutionary Guard Corps (IRGC) Unit 840 in January 2024 for their involvement in ongoing plots against Iranian journalists based in the UK. North Korea too has a history of using violence against overseas exiles. The most recent – and probably the most bizarre – was the murder of Kim Jong Un’s exiled older half-brother, Kim Jong Nam, in Kuala Lumpur International Airport in February 2017. The elder Kim was grabbed by two female assailants, one Vietnamese and one Indonesian, who smothered him with a cloth infused with a liquid that turned out to be VX nerve agent. The women later claimed that they had been led to believe that the attack was a harmless prank by a small group of men – likely to have been North Korean intelligence officers – who paid them a small amount of cash in return.

As noted, middle powers have also used harsh repressive techniques overseas. The murder of Saudi journalist Jamal Khashoggi in the Saudi embassy in Istanbul in October 2018, allegedly on the orders of Crown Prince Mohammed Bin Salman, has become a cause célèbre of transnational repression. Turkiye too has become notorious for targeting dissidents and domestic enemies overseas; Turkish intelligence is alleged, for example, to have been behind the shooting of Sakine Cansız, a member of Kurdish terrorist group the Kurdistan Workers’ Party (PKK), in Paris in 2013. In Africa, the government of President Paul Kagame in Rwanda is alleged to have been behind the murders of a succession of dissidents and political opponents, including Patrick Karegeya, Rwanda’s former head of intelligence, in a South African hotel in 2013. While Kagame denied involvement in the murder, he has stated he wished Rwanda had done it. In South Asia, India’s intelligence agency, the Research and Analysis Wing, is alleged to have conducted a string of assassinations of Islamist militants living in Pakistan between 2020 and 2023. According to US and Canadian officials, India was also behind the murder of Sikh separatist Hardeep Singh Nijjar in Vancouver in June 2023, as well as a series of plots in North America against other Sikh activists.

4.4.4. Beyond dissidents

Most repressive operations target governments’ domestic opponents overseas. However, there have been examples of China, Iran and Russia also targeting foreign nationals to create political leverage with Western governments. The most common overt technique is the arrest of dual nationals who work, study or visit those states, usually on espionage charges; a recent case is that of US-British and Irish national Paul Whelan, who was convicted of spying in Moscow in June 2020. Russia also almost routinely harasses critical foreign journalists, with a favoured technique being “doxxing”, which involves publishing an individual’s personal information online. In Putin’s Trolls, Finnish journalist Jessikka Aro provides a distressing account of how her investigation into Russian disinformation led her to be targeted with threatening texts and emails, online abuse, character assassination and even false allegations of criminality. Such techniques can also cross into the realm of “live trolling”, in the phrase of another Finnish journalist, Laura Halminen, with critics, their families and associates targeted with graffiti outside their homes, damage to their property and assets, and break-ins where the intruders leave intimidatory “calling cards” such as unflushed toilets and rearranged domestic items.

There is, moreover, a growing body of evidence that Russia has targeted Western politicians and officials with the same techniques it uses against dissidents and critics. Admittedly, some of this has been open and performative. Russia announced an arrest warrant – unlikely ever to be actioned – against Estonian Prime Minister Kaja Kallas in February 2024 for “desecration of historical memory”. However, for more junior officials, Russian behaviour has had much sharper edges. Western diplomats based in Moscow are regularly subject to harassment, including threats to their children and the poisoning of domestic pets. Military personnel posted to various Baltic states as part of NATO deployments have also been targeted and threatened, while Russian-backed media outlets have made allegations of child rape against US officers visiting Ukraine.

More worryingly, a small number of physical attacks against foreign nationals and officials have been planned or actually taken place. Iran has attacked US, Israeli and Saudi diplomats and officials overseas, and North Korea has previously mounted three assassination attempts against presidents of the Republic of Korea (South Korea) in 1968, 1974 and 1983. Russia has been more circumspect in this regard, although there are allegations that it has taken extreme measures against significant foreign nationals that have supported the Ukrainian military. Bulgarian businessman Emilian Gebrev, a supplier of arms to Ukraine, was targeted with Novichok in 2015; and media reports in July 2024 suggested that Russian intelligence had plotted to assassinate Armin Papperger, head of Germany’s leading arms manufacturer Rheinmetall. It was also reported in March 2023 that the Wagner Group, Russia’s leading PMC, had issued a US$15 million bounty on Italy’s Minister of Defence Guido Crosetto, after he blamed the group for an increase in illegal migration across the Mediterranean Sea.

It is also possible that Russia has physically targeted some Western diplomats simply for doing their jobs. Since 2017, a growing number of US and Canadian diplomats posted in Cuba, China, Austria and elsewhere, as well as officials within the US itself, have suffered from highly correlated combinations of symptoms that include severe dizziness, migraines, earaches and vertigo – so-called “Havana syndrome”. While there is no clear chain of evidence to link these incidents to Russia, past research by the US National Academies of Sciences, Engineering, and Medicine has suggested that the symptoms are consistent with the use of directed microwave energy pulses, an area in which the USSR is known to have conducted weapons research. While far from being conclusive, a recent joint investigation by Der Spiegel, The Insider and 60 Minutes, broadcast in March 2024, further provided a range of circumstantial evidence that supported the conclusion Havana syndrome was indeed the result of Russian military intelligence activities against Western diplomats and officials.

4.4.5. Terrorism

Violence can be covertly used to intimidate governments and wider societies, as well as groups and individuals: in effect, as state terrorism. The sponsorship of terrorist groups can also help generate an atmosphere of political instability in a targeted state, as discussed below (section 4.8). These different uses are not mutually exclusive.

Unsurprisingly, given terrorism’s negative reputation, its direct use by states is unusual, if not unknown, and convincing examples tend to be more historic than contemporary; North Korean intelligence officers are widely believed to have been behind the bombing of Korean Air Flight 858 in November 1987, and operatives of the regime of Muammar Qadhafi in Libya were accused of being behind the destruction of Pan Am Flight 103 over Lockerbie, Scotland, in December 1988. However, some state-conducted terrorist acts still appear to continue. In recent years, the IRGC has allegedly been involved in planning attacks against Western, Israeli and Sunni Arab targets in Africa. Following the UAE’s normalisation of relations with Israel in 2020-21, the IRGC allegedly planned attacks against UAE diplomatic missions and staff, including a terrorist attack in the Ethiopian capital Addis Ababa. However, even Iranian state involvement in active terrorism is more often indirect, undertaken through non-state actors. The IRGC works closely with Islamist groups such as Hezbollah in Lebanon, Hamas and Islamic Jihad in the Occupied Palestinian Territories, Shia militias in Iraq, and the Houthis in Yemen, acting as a consistent financial enabler of operational activities. Of these, Hezbollah has been the most important, with Iran acting as the group’s primary external financier over the long term, providing the bulk of its funding each year. With Israel’s successive military strikes on the infrastructures of these groups since October 2023, their financial dependency on Iran is likely to have increased.

Nonetheless, current evidence does not suggest that Iran has exploited these relationships to mount major terrorist attacks against Western targets, either in the region or in Western countries themselves, in recent years. Indeed, Iran’s involvement with Hezbollah is as intertwined with its sanctions evasion and illicit money-making efforts as terrorism proper. Iran’s associate state in Venezuela also has links to Hezbollah, as did the now defunct regime of Bashar Al-Assad in Syria until its overthrow in December 2024. But here too, evidence suggests that these states’ associations with terrorists have been more linked to commercial and illegal endeavours than terrorism.

Among the other main revisionist states, their relations with terrorist groups are much less apparent than Iran’s, although Russia remains a state of potential interest. Moscow is alleged to have developed operational connections with Hezbollah after deploying forces to Syria in 2015, and to have helped the Taliban sell oil prior to its return to power in Afghanistan in 2021, also offering bounties to Taliban fighters to kill US soldiers. Russian intelligence also appears to have developed links to far-right paramilitary groups in Eastern Europe, and martial arts clubs that follow the systema discipline used by Russian Spetsnaz special forces. Some of these groups are believed to have members who are also officers in local law enforcement agencies and militaries.

It is possible, moreover, that these relationships might have been exploited to stimulate terrorist acts; for instance, Russian intelligence officers are alleged to have tasked the extreme right-wing Russian Imperial Movement to arrange a letter bomb campaign against Spanish Prime Minister Pedro Sánchez and US diplomats in 2022-23. There are further indications that Russia has started to build links with left-leaning terrorist groups too; recent media reports have suggested that a Lithuanian diplomat working for Russia sought to contact an Irish republican terrorist through an Irish member of the European Parliament (MEP) in November 2021, for reasons unknown.

There is undoubtedly some continuity between modern Russia’s interest in terrorist groups, and the ambiguous past relationships of the USSR and Warsaw Pact countries with European leftists and Palestinian nationalists during the Cold War. Nonetheless, evidence of modern Russian state sponsorship of terrorist attacks against Western targets seems limited. Although Russia’s ties to violent non-state actors in the West do appear to be growing, they have not been operationalised as yet.

In contrast, China and North Korea have shown little recent interest in working with terrorists to commit hostile acts; and while India has asserted that China has supported the Maoist Naxalite insurgency against the Indian state in the east of the country since the 1960s, evidence for this claim is thin. But if most revisionist states do not appear eager to sponsor terrorist acts, some middle powers have consistently dabbled in the practice. Elements within Pakistan’s Inter-Services Intelligence agency (ISI) have for decades provided operational support and direction to several Kashmiri Islamist extremist groups that have targeted India, such as Jaish-e-Mohammed, Harakat-ul-Jihad-al-Islami, and Lashkar-e-Taiba, the last group being the perpetrators of the attacks in Mumbai in November 2008. Other middle powers, such as Saudi Arabia and Qatar, have also provided passive environments in which Islamist extremist groups have been able to raise funds and organise operations. But again, these relationships do not necessarily equate to the actual use of terrorism as a tool of state policy. Turkiye has also been accused of financing and tasking terrorist groups and militias; however, it does not appear to exploit these relationships to launch “classic” terrorist attacks, more often using them to target individual enemies of the Turkish government overseas.

4.5. Sabotage

People are not the only targets, of course. A recent wave of arson against buildings and infrastructure across Europe highlights a revived interest in the use of sabotage – the attempt to destroy, damage or disrupt physical assets and systems for political purposes – as a hostile tactic. However, while physical acts of sabotage continue, it is again notable how the development of technology, and the increasing vulnerability of socially complex open societies, have provided new avenues for hostile activity that create damage in less tangible ways.

4.5.1. Physical sabotage

During the 2010s, the peacetime use of physical sabotage went through a relative lull, although there were a handful of examples such as probable Iranian attacks on Saudi oil tankers and several Russia-linked hostile actions in eastern Europe. For example, the GRU unit later believed to have been behind the Salisbury poisonings allegedly blew up an ammunition depot in Bulgaria in November 2011; the depot contained artillery destined for Georgia, which had recently fought a brief war with Russia. The same unit was also alleged to have been behind explosions at a Czech ammunition depot housing weaponry destined for Ukraine in October and December 2014.

However, as noted above, the volume and cadence of acts of sabotage in Europe appear to have grown in recent years, especially since February 2022. Arson against companies providing supplies for Ukraine has continued, to be sure, with attacks and attempted attacks in the UK, Germany, Eastern Europe, Scandinavia and the Baltic region. But Russia has also now shifted towards attacking a wider range of European targets that have no apparent links to the war in Ukraine, including retail outlets such as Warsaw’s largest shopping centre Marywilska 44, which was destroyed by a massive fire in May 2024. In November, Polish officials also publicly linked Russia to a series of mysterious parcel explosions and fires on flights used by courier companies in Europe; and at the end of December, Finnish authorities said they were investigating the potential sabotage of a sea-bed electricity cable between Finland and Estonia by a Russia-linked tanker.

Russia may also have been laying the groundwork for more dramatic acts of sabotage in the future. Russian companies and citizens have been buying real estate near strategic ports and military installations in Finland for nearly a decade, possibly as platforms for spying and/or sabotage. Kilcullen has also asserted that, for several years, suspected GRU officers have been “collecting intelligence, conducting reconnaissance, and preparing guerrilla cells and sabotage networks to be activated in the event of conflict” in Scandinavian countries. Russian sabotage preparations might also have spread further afield than Russia’s near neighbours. Irish police arrested suspected Russian intelligence personnel in 2020, who were found mapping fibre-optic cable landing points linking Ireland to under-sea communication cables in the Atlantic Ocean. Western militaries and agencies have also collected intelligence indicating that Russian trawlers and research vehicles have been used to conduct reconnaissance on undersea communications cables in the Baltic and North Seas, intelligence which Russia may now be putting to use. Although China has so far been much less active than Russia in this area, it too appears to have been making similar preparations to target undersea communications cables, with civilian vessels being used to survey strategic areas in the contested waters of the South and East China Seas. The potential involvement of a China-flagged vessel in the disruption of telecommunications cables in the Baltic Sea in November 2024 suggests that it may now be willing to take more aggressive action in this regard, and not only in its own interests, but also in those of other revisionist states. However, with the Chinese authorities unwilling to fully cooperate in Swedish authorities’ investigation of the case, it is unclear whether the damage caused was an accident, an intentional Chinese act, or one sponsored by Russia, using a Chinese commercial vessel as cover.

4.5.2. Cyber effects

While physical sabotage continues, however, the growing weapon of choice in the field of sabotage is what has variously been described as “cyber effects”, “offensive cyber” or “cybotage” operations. According to cyber expert Daniel Moore, operations are of one of two types: an event-based attack, usually targeted and time limited; or a clandestine intrusion to establish a presence within a system, which might eventually culminate in an attack.

When attacks occur, they can take a number of forms, using a spectrum of weapons that go from cheap and simple, right through to the highly sophisticated; as Rid describes, they range from the equivalent of digital “paintball pistols”, through “to specific but high-potential weaponry” that is more akin to “fire-and-forget” missiles. In terms of ascending sophistication, the most common types of attacks include:

  1. Denial of service, or distributed denial of service (DDOS), attacks, which bombard a targeted internet site with communications traffic, disrupting its ability to function.

  2. Ransomware attacks, where software is used to encrypt the data of a system and prevent user access unless a ransom is paid.

  3. Wiper attacks, where software is used to wipe the data in the target system permanently.

  4. Manipulation attacks, where malware is introduced into a system to control, disrupt or damage: (a) its cyber assets and infrastructure, such as supervisory control and data acquisition (SCADA) systems, which control technological and industrial processes; and/or (b) connected physical assets such as factories, energy and water supplies, and transport systems.

Techniques overlap significantly. Smeets notes that the basic methods used to intrude into systems for attacks are the same as those for cyber espionage, making it difficult to determine the purpose of a penetration without more detailed intelligence. In the end, all intrusions, whether intended to collect and observe, or to damage and destroy, need to find points of vulnerability by which an intruder can enter. These “backdoors” include human users’ susceptibility to fraudulent emails to elicit sensitive information or system access, known as “phishing” attacks, or so-called “social engineering”, where hackers use deceptive communication techniques to gain access to systems by building trust with legitimate system users. More worrisome, though, are “zero-day exploits”, software vulnerabilities that are unknown to systems’ owners, which can be used to enter and manipulate systems.

Russian state-backed APTs have been prolific users of a range of these types of cyber weapons, with a significant proportion of their efforts targeted at Ukraine and other former Soviet states in the Baltic region and the Caucasus. Prior to February 2022, one of the most disruptive Russian operations was the NotPetya attack in 2017, when Russian hackers used a wiper programme disguised as ransomware to disrupt Ukrainian infrastructure, businesses, financial institutions and government departments. The attack was so effective – and virulent – that it spread to many international businesses, including several Russian firms.

Russia has not limited itself to attacking near neighbours, however, and boasts a long history of targeting the US and other Western countries. An FBI investigation in the 1990s, Moonlight Maze, revealed a long-term Russian intrusion into US government and military systems. More recently, Russia has begun to exploit its intrusions in the West to cause significant disruption. Russian attacks on the railway systems of Germany, Czechia and several other eastern European countries in early 2024 caused problems for ticketing and signalling systems, raising the risk of a major rail accident. Evidence has also mounted suggesting that Russia has been preparing for more dangerous attacks in the future. The US Department of Justice (DoJ) indicted four Russian officials, including four FSB officers, in March 2022 for undertaking penetrations of US energy infrastructure, including a nuclear power station in Kansas.

While lacking the resources of Russia, Iran has found cyber effects operations particularly useful as a tool of hostile activity, with a significant proportion of attacks directed at local rivals. Saudi Arabia has been a key target. For example, Iran is believed to have conducted a wiper attack in August 2012 against Saudi oil company Aramco, which affected data on 35,000 computers involved in production, shipping and contracts. Known as the Shamoon attack, after the name on the folder into which the malicious code was loaded, it was followed by further similar attacks in 2016 and 2018 against Western oil companies operating in Saudi Arabia. Unsurprisingly, Israel has also been a major target for Iran’s cyber exploits, for example, with attempts to disrupt Israeli water supplies in May 2020. But Iran has roved further afield too, targeting major US banks with DDOS attacks in 2012 and 2013, attempting to penetrate the SCADA systems of a dam in New York in 2013, and conducting a wiper attack on the Sands Casino, owned by US businessman and Israel supporter Sheldon Adelson, in February 2014.

While not strictly cybotage, North Korea has also used cyber methods to conduct an ongoing cybercrime campaign to steal and extort currency from businesses, financial institutions and other organisations around the globe, using similar tools and techniques as those deployed in offensive cyber operations. Early North Korean efforts focused on stealing fiat currencies, most notably the partially successful theft of just under US$1 billion from Bangladesh Bank’s account with the Federal Reserve Bank of New York in February 2016. This attack became known as the Lazarus Heist, after the nickname of the North Korean APT thought responsible for the exploit, the Lazarus Group. Over the past eight years, however, North Korea has primarily focused on stealing crypto- rather than fiat currencies. According to figures collected by cyber threat intelligence firm Chainalysis, North Korea’s total cryptocurrency haul between 2016 and 2023 was likely to have been over US$4 billion. Some of North Korea’s attacks – given their scale and disruptiveness – were also in effect forms of sabotage as well as criminality. The Lazarus Group exploited a vulnerability in Microsoft’s Windows operating system in May 2017, releasing the WannaCry ransomware “worm”, which self-replicated across machines without any direction, temporarily crippling hundreds of thousands of computers in over 150 countries.

Alongside some of its more idiosyncratic tactics, moreover, North Korea has also used cyber weapons for more straightforward offensive cyber operations against its local rival South Korea. North Korean hackers penetrated a South Korean nuclear power station in December 2014, apparently both to steal information and also to cause public alarm about potential sabotage. More recent forays have seen North Korea deploy malicious code in the systems of South Korean financial institutions, media and defence companies.

For the most part, China’s approach to cyber effects operations has been more cautious than other revisionist states. Political scientist Ron Deibert has argued that Chinese measures in cyberspace have been largely defensive and internally focused, prioritising the creation of the “Great Firewall of China” to prevent Chinese audiences seeing subversive foreign content. In line with Deibert, Lyu Jinghua, an expert on Chinese cyber strategy, has noted that despite an initial interest in cyber effects in the 2000s, Chinese military and intelligence agencies pivoted away from offensive operations after 2010 because of what they perceived to be a poor cost-benefit ratio – a lot of effort for little material gain.

That said, other analysts note that China has shown greater willingness to undertake cyber effects operations since 2020. Taiwan has been subject to a heavy barrage of attacks; Taiwanese officials stated in July 2021 that they faced 30 million cyber attacks every month, with about half originating from China. China has also begun to step up activity against its larger regional rivals. Cybersecurity firm Recorded Future reported in February 2021 that a Chinese-state linked actor known as RedEcho had penetrated India’s power grid management structure and placed malicious code within it.

China has also targeted the US. Hackers linked to the MSS undertook a massive penetration of Microsoft Exchange email server software in January 2021; while initially an act of espionage, China “propped the doors open” for other malicious state and non-state actors to take advantage of the vulnerability, according to Rachel Noble, the head of the Australian Signals Directorate. This was an unprecedented act, she said, arguing that China had “crossed a line” by aiding and abetting criminals. Since then, cybersecurity firms have noted that Chinese APTs have increasingly moved away from their previously core activity of espionage to deploying malicious code in Western infrastructure systems including energy, utilities and transportation. In December 2023, Brandon Wales, executive director of the US Department of Homeland Security’s CISA, noted increasing numbers of Chinese attempts “to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict”, which was “a significant change from Chinese cyber activity from seven to 10 years ago”. In February 2024, moreover, a group of US agencies and departments including the FBI, NSA and CISA issued an advisory highlighting the activities of the China state-sponsored cyber group known as Volt Typhoon, which they warned was undertaking activities against parts of US CNI that were “not consistent with traditional cyber espionage or intelligence gathering operations” and intended to create “disruptive effects in the event of potential geopolitical tensions and/or military conflicts”.

Despite the foregoing discussion, it is important to close this section by stressing that not all cyber effects operations come from revisionist states. Indeed, many middle powers and Western states are highly active in various areas of the cyber sphere. Currently the most active and capable cyber attacker apart from the revisionist powers is the US, which in conjunction with Israel, was behind one of the most celebrated and supposedly successful cyber attacks of the past 20 years, the Stuxnet attack of 2009 against the Iranian nuclear programme. Members of NATO, the EU, Five Eyes and bilateral allies of the US such as South Korea, Japan and the Philippines have also been identified as perpetrators of offensive cyber operations. Although Western cyber effects operations are more likely to be undertaken within tight legal and ethical frameworks than those of many authoritarian states, it is vital to recognise that they exist.

4.5.3. Weaponising vulnerabilities

A further form of sabotage is the weaponisation of a targeted state’s vulnerabilities. This is most apparent in current efforts by some states to create a systemic overload of Western economies and welfare systems; if DDOS attacks seek to disrupt systems through volume of traffic, systemic overload operations seek to target another state’s political and economic systems by amplifying existing social and economic challenges. The most widely recognised form of systemic overload at present is the enabling of illegal migration, which, as noted previously, can be both an overt and covert state threat. President Erdoğan, President Lukashenko and former leader of Libya Muammar Qadhafi have all threatened European countries with what Qadhafi described as “a human flood”.

In practice, however, the opening of the floodgates is typically managed in a semi-overt or semi-covert way. Russia has used loopholes in border regulations with its Scandinavian and Baltic neighbours to increase cross-border movements, such as providing bikes to asylum seekers who would be unable to cross the border on foot. Russian PMC the Wagner Group has also been accused by the Italian government of enabling the Mediterranean crossings of illegal migrants in retaliation for Italy’s support for Ukraine. Belarus is also alleged to have provided migrants with wire-cutters to break through border fences, and has created commercial structures and incentives to support migration from the Middle East to Europe via Belarus. Belarusian authorities might have also enabled OCGs’ human-trafficking activities. One of the notable additional effects of these activities – besides systemic overload – has been to provide further material for anti-Western states to use in subversive information operations (see section 4.6). Not only can state actors create real crises in their targets’ systems with such methods, they also have the potential to create crises of confidence in their targets’ capacity to cope.

The case of weaponised migration further highlights the important role that crime plays in other forms of current systemic overload. The closeness of some criminal hacking groups to state agencies has led observers to ask whether large-scale fraud and ransomware attacks are not simply permitted by state actors, but actively encouraged. For example, around three-quarters of ransomware attacks in 2021 came from Russian groups, many of which were – intriguingly – located in the same Moscow building as Russia’s Ministry of Digital Development, Signals and Mass Communications. Conti, one of Russia’s most prolific ransomware groups, provided further indications of the nature of the cybercrime-state agency relationship in early 2022, by declaring its allegiance to the Russian state.

Other forms of criminality are also potentially significant tools for weaponisation. The relationship between states such as Iran, North Korea, Venezuela and the now defunct Assad regime in Syria and the trade in illicit narcotics has been partly noted already. In these cases, state involvement is probably driven more by profit than focused malice, although it seems unlikely any of these states are worried if their activities have a negative effect on their regional opponents or Western countries.

A more challenging question is the extent to which China might be using the trade in opiate precursors between Asia and the Americas to stoke the epidemic of addictions to highly addictive synthetic opiates such as fentanyl in North America. In the US, politicians have accused China of supporting precursor production for just this purpose. However, it is difficult to demonstrate direct Chinese state sponsorship of the precursor trade with high confidence. Even if some Chinese law enforcement negligence is witting and directed, the growth of the trade has also been enabled by other factors that challenge Chinese society, such as institutional incompetence, limited resources and corruption. Framing fentanyl as a weapon used by China to corrupt the US might make for good headlines, but as yet, evidence to support the contention remains thin.

Alongside more obvious efforts to weaponise social and economic challenges, there is also the question of the extent to which the revisionist states – in particular, China – might seek to weaponise Western economic dependencies. As noted in section 3.4, long-term globalisation has led many Western economies to sustain their prosperity by relying heavily on Chinese goods, services and markets. Furthermore, the pandemic has shown that Western economies are extremely sensitive to shocks to international supply chains between East Asia and the rest of the world, with fragile, just-in-time logistical processes quickly snarled up. Chinese investment, technology and firms have, moreover, become highly integrated into the global and Western economies, with Chinese companies owning and constructing major ports, and providing communications infrastructure to support the rollout of 5G in many countries. The Belt and Road Initiative and Digital Silk Road have thus helped China become an economic senior partner to many states, giving it a level of access into other countries’ systems and infrastructures that rivals even that of the US.

This would not be a concern to Western governments, of course, if Chinese intentions were completely benign. But analysts have pointed out that for many Western economies, a lot now rests on China’s good graces and Beijing has significant potential power to cause economic disruption if it wishes. China also has a level of integration into global digital systems that could allow it to extend its domestic surveillance state well beyond its borders, thus bolstering other authoritarian regimes and extending China’s own SIGINT capability.

To be sure, and as countries such as Australia have already discovered, China is willing to exploit economic dependencies to exert overt pressure. Other cases also show China covertly taking advantage of its involvement in technology projects; media reports have alleged that China used its direct access to computer systems it built at the headquarters of the African Union to collect the organisation’s data surreptitiously between 2012 and 2017. Nonetheless, at present there appears to be relatively little public evidence of coercion or abuse occurring. Sensitive government intelligence might tell a different story, but as yet, it remains untold. Moreover, the evidence of China using its involvement in telecommunications projects to extend its global spying capability or to bolster digital authoritarianism appears relatively limited, at least for now. While therefore accepting the premise that China has the potential to abuse the economic and technological vulnerabilities of the West, there is limited evidence it is doing so ‒ on a large scale, at least.

4.6. Subversion

As noted in section 4.2, subversion has been one of the most difficult areas of covert action to conceptualise. However, for the purposes of this paper, it comprises the covert manipulation of the information environment for the political purposes of the perpetrator. The primary targets of subversion are the information-consuming public – whether conceived as a whole, or targeted segments within it.

First level aims of subversion can include changing views, radicalising opinion, and stimulating or exacerbating disagreements. Second level aims can be to prompt actions, whether that be in public protest, or at the ballot box. In its current manifestations, subversion relies heavily on the use of communications platforms such as social media to reach a wider audience than possible in the past through print and broadcast media.

Being less visible in its effects than sabotage, the scale and potential growth of subversive activity is difficult to measure. However, despite its low visibility, subversion has become a major preoccupation of Western governments, especially in the wake of Russia’s extensive use of social media and “hack and dump” operations of sensitive information in the 2016 US presidential election. Several Western countries are thus now seeking either to identify past information operations against their political or electoral processes, or to close loopholes to prevent such interference in the future; Canada, for example, is currently undertaking an extensive public inquiry into cases of potential interference in the recent past.

The exploitation and distribution of information is central to subversion, and terms such as “information warfare” or “information operations” are regularly used to describe such activity. But as Lawrence Freedman has noted, these terms have “two different but easily confused meanings”; the first refers to warfare “designed to disable systems dependent upon flows of information”, whereas the second – more germane in this discussion – refers “to attempts to influence perceptions by affecting the content of information”. According to Sir David Omand, the former Director of GCHQ, that content can be divided into three classes:

  • Disinformation – intentionally created false information deployed to mislead.

  • Misinformation – disinformation that is innocently recycled.

  • Malinformation – true information never intended for release, but stolen and revealed publicly.

All three types of subversive information can be used in multiple ways, including promoting or opposing a particular perspective, aggravating disagreements or simply causing confusion. Subversive information can also come via various channels, as security scholar Andreas Krieg describes: a common starting point is for an “expert” or supposedly trusted source in academia and research, media or culture to introduce suspect information – whether knowingly or not – into public discourse; the information may then be taken up by other experts, reported or discussed through some form of media outlet, and from there recycled and discussed further.

The bare bones of the process are not much different now than they were 100 years ago, but in their reach and speed information operations have been dramatically amplified and accelerated by the development of new media, new communications technologies and widening online engagement. The pool of genuine experts and journalists looking for comments has grown, providing many more opportunities for information to feed into the media ecosystem. The online world has also provided cover for the activities of fake experts and journalists, simulated think-tanks, government-organised non-governmental organisations (NGOs) and media outlets. Social media accounts can be operated en masse by “troll factories” of real individuals, as well as automated bots, all of whom can be used to seed and orchestrate messages or divisive information. Even though examples of “coordinated inauthentic behaviour” – the manipulation of public debate through the use of networked disinformation assets – can be detected and quashed by social media firms, the take-down process can be slow, allowing operators of inauthentic networks to take evasive action. Quite apart from the behaviour of bad actors, moreover, social media and instant messaging have substantially expanded the ability of information consumers to share and recycle information, whether out of amusement, shock or disgust, thus enabling the bad actors to increase the speed at which subversive information circulates without any effort on their own part.

Together, these methods have generated what Krieg has called “weaponized narratives”, based on simulacra of reality, which are increasingly difficult for mainstream media outlets, public figures or the public to identify. Left to try to assess information for themselves, their investigations and discussions help further launder that information through the wider media “echo chamber”, enhancing the subversive effect.

As in so many other areas, Russia has led the way in subversive information. The original Soviet term for such operations was aktivnye meropriyatiya (“active measures”), although Russian intelligence now uses the term meropriyatiya sodeistviya (“support measures”) instead. Either way, the essence of the practice is the same: “to weaken the targeted adversary”, and, as Soviet defector Vasiliy Mitrokhin described, “to create conditions favourable” to Soviet foreign policy. Active measures are seen as closely linked to refleksivnoe upravlenie (“reflexive control”), another concept with a history going back to early Soviet strategic thinkers, which describes an effort to make targets act against their own interests, without realising they are doing so.

Russia has used a variety of actors and channels to undertake information operations. Overt media outlets for foreign audiences, such as Russia Today, RIA Novosti, Sputnik and their regional affiliates, provide a platform for Russia-friendly “experts”, while overseas groups and influencers – both witting and unwitting – spread Russia-friendly messages on social and mainstream media in other states. Under the surface, troll farms such as Lakhta Internet Research ‒ originally named the Internet Research Agency, set up by now-deceased commercial caterer and co-founder of the Wagner Group Yevgeniy Prigozhin in the mid-2010s ‒ use both human trolls and automated social media advertising campaigns to promote and recycle messages on behalf of the Russian state.

Russia uses this machinery to promote key themes, which include its supposed role as the primary opponent of fascism in the second world war, its alleged victimisation by the US and an expanding NATO, and the corruption and ineffectiveness of the EU. Current variations on these themes also include efforts to undermine the reputation of the government of Ukraine, Western support for Kyiv and sanctions against Russia. Russian campaigns in Europe, North America and developing countries have also touched upon anti-colonial and anti-liberal themes, presenting Western countries as predatory and decadent outsiders, in contrast to a traditionalist and conservative Russia that supports developing nations’ independence and sovereignty. A recent Russia-funded disinformation campaign in Africa, highlighted by the US Department of State in February 2024, spread rumours that the US had created dengue fever, a mosquito-borne disease which has taken many African lives, and that the US was using Africans as guinea pigs in their efforts to create a vaccine.

Russia has also used information operations during foreign election campaigns to promote the interests of one candidate or side over another. The best known of these are the hacks of the DNC in 2016, collecting over 50,000 emails and documents, which were subsequently posted on a supposed whistleblowing website, DCLeaks, which was in fact a GRU front. The release of the documents was clearly intended to undermine the presidential campaign of Hillary Clinton. Russia also used a hack-and-dump operation of private material to target the 2017 election campaign of French President Emmanuel Macron, and has used other subversive information tactics to disrupt various US elections since 2016, including the US 2020 presidential election. Several analysts further assess that Russia has used similar techniques to exacerbate social divisions in other Western states during other public votes, such as the independence referendum in Scotland in 2014, the Brexit Referendum in the UK in 2016, the illegal Catalan independence referendum in Spain in 2017, and the NATO entry referendum in Montenegro in 2018.

Russia has, moreover, exploited opportunities to encourage social strife outside of elections. It is believed to have been behind a “false flag” operation in France in 2015, when a group claiming to support IS hacked into the TV5 Monde network and promoted Islamist extremist narratives. Russian operatives were also likely to be responsible for the so-called “Lisa Affair” in January 2016, when Russian information operations networks, abetted by public figures such as Russian Minister of Foreign Affairs Sergei Lavrov, disseminated false stories about the abduction of “Lisa”, a Russian-German girl living in Berlin, who was said to have been kidnapped and molested by three “Southern” men. Russia has continued to exploit racist, Islamophobic and antisemitic narratives in Europe too, using the Hamas attack against Israel on 7 October 2023 as an opportunity to set European Muslim and Jewish communities against one another with public provocations. Over the past decade, Russia has also promoted divisive racial, religious and ideological narratives across North America, targeting issues such as gun rights, abortion and the Black Lives Matter movement.

A variation of this Russian approach has been the use of “street-level” provocations, which seek to stimulate disagreements and public clashes. During the 2016 US election, Russian operatives operating online encouraged demonstrations both for and against the different presidential candidates in the same locations, to cause trouble. More recently, French officials are reported to believe that Russian intelligence was behind a Moldovan couple who are alleged to have painted Star of David symbols across the suburbs of Paris in October and November 2023, following the start of the Gaza conflict. The images of the stars were then picked up by a Russian disinformation network and recycled online to exacerbate tensions between Jewish and Muslim communities. An additional technique in the Russian subversive repertoire has been to try to sow general confusion. This technique, described by analysts Christopher Paul and Miriam Matthews as the “firehose of falsehoods”, shows no attempt to create, support or undermine any distinct narrative, but simply to shower online audiences with multiple contradictory versions of reality. Unlike the targeting of social wedge issues intended to create rancour, the firehose technique is designed instead to create such levels of uncertainty about the truth that the audience is too disoriented to react. One of the most prolific Russian firehose campaigns came during the Covid-19 pandemic, with the propagation of multiple differing stories about the origins of the virus, the efficacy of various medical treatments and emerging vaccines, and the policies and performances of various national governments.

In contrast to Russia, China’s information operations have tended to promote a positive image of China and the CCP, rather than seeking to undermine opponents, exploit divisions or generate chaos. According to China specialist Anne-Marie Brady, China’s information operations have focused on two main audiences – diaspora Chinese and foreigners – among which it seeks to raise China’s profile as an effective state and benevolent force, and undermine and marginalise anti-CCP opinions. The main exception to this nuanced approach has been the targeting of pro-independence and pro-US narratives in Taiwan. According to analysis conducted by the Taiwanese think-tank IORG (now Taiwan Information Environment Research Center), Chinese-language media and social media content between 2021 and 2023 exhibited 84 types of anti-US narratives, including claims of poisonous US pork imports into Taiwan, and the secret harvesting of Taiwanese blood by the US to make a bioweapon to attack China. During the Taiwanese presidential election of January 2024, there were also indications that a state-linked Chinese cyber group known as “Spamouflage” was behind an AI-generated video showing Taiwanese news anchors making false allegations about the outgoing president, which Microsoft Threat Intelligence assessed to be the first known case of state-backed AI disinformation in an election.

Although China remains more cautious than Russia, observers have noted something of a pivot in Chinese information operations since the start of the pandemic in 2020, with a turn towards harder-edged campaigns intended for wider audiences. China followed Russia’s lead in spreading disinformation about the origins of the Covid-19 virus, suggesting that it had emanated from a US biological warfare facility, and pushed a narrative that Western governments had failed to handle the crisis as effectively as China. According to US civil society group the Alliance for Securing Democracy, Chinese government-linked Twitter accounts posted around 90,000 tweets spreading disinformation on Covid-19 in the months of April and May 2020 alone, while in June 2020, Twitter closed 170,000 accounts it assessed were part of a coordinated Chinese disinformation campaign.

Other research suggests that more divisive Chinese information operations have not been limited to Covid-19. The Centre for Information Resilience, a UK think-tank, in August 2021 revealed the existence of a network of false social media profiles across multiple platforms, which were not only promoting Chinese pandemic narratives, but were spreading disinformation on US gun laws and racial issues. Reflecting on this and other evidence, China expert Bethany Allen has suggested that Chinese information operations are increasingly amplifying other states’ anti-Western narratives, “demonstrating growing convergence between their ideologies and information strategies”.

Iran has also developed its own information operations, with overt and covert dimensions, mixing self-promotion, transnational repression and attempts to stir up trouble within opponent states such as Israel, Saudi Arabia, the UAE and the US. During periods of tension in the Middle East, Iran has tended to expand these efforts, as recently demonstrated when social media accounts linked to the regime seeded and recycled multiple fake images of the Iranian drone and missile attack on Israel on 13 April 2024. Iran has also sought to use disinformation to interfere in overseas elections, sending fake emails to US voters claiming to be from far-right group the Proud Boys, which threatened to harm the recipients if they did not vote for presidential candidate Donald Trump, as well as recycling Trump campaign claims of electoral fraud.

North Korea seems to be less active in subversive information than the other main revisionist states, but middle powers such as Egypt, Saudi Arabia and the UAE have become major online players, targeting local rivals and various religious and political movements they deem to be internal threats. As noted in the discussion of cyber effects, the UAE and Qatar have become deeply engaged in what Buchanan calls an ongoing battle of “tit for tat hack-and-leak operations”, each country seeking to embarrass the other politically with accusations of support for Islamist extremist terrorism. In the Balkans, under the leadership of Aleksandar Vučić, Serbia has sought to use disinformation to promote his political ends, enabling a media ecosystem that recycles Russian and Chinese talking points. In South Asia, India and Pakistan have long been engaged in a covert battle that has now spilled into the realm of online disinformation about each other’s governments and military operations. Indian intelligence has also used social media posts, channelled through a fake civil society group called The Disinfo Lab, to target US-based critics of the government of Prime Minister Narendra Modi. Several Western governments are also active in the information space, seeking to rebut, rather than propagate, disinformation. France has taken on Russian propaganda in sub-Saharan Africa, but its efforts have on occasion backfired when they have been revealed to have been using the same kind of fake social media accounts as the Russians themselves.

4.7. Malign influence

Where subversion tends to be broad-brush, malign influence focuses on individuals and groups of political, economic, social or cultural significance. As noted in section 4.1, there has been evidence of Russia and China openly attempting to “Schroederise” Western elites, but this is likely to be only one element in these states’ overall efforts.

Probably the most sophisticated exponent of malign influence is China. The activity of Chinese diaspora groups with links to the UFWD and other elements within the CCP has been widely used to provide cover for intelligence operatives claiming to be business leaders, journalists, students and academics, allowing them to operate throughout Europe, North America and the Asia-Pacific region. A major case, revealed in December 2020, was the targeting of Eric Swalwell, a member of the US House of Representatives, who developed a close relationship with Chinese national Christine Fang in the early 2010s. Fang, whom US authorities suspected of being an undercover MSS operative, lived in California as a student, where she became involved in politics and began to meet and befriend local politicians, Swalwell among them. Media coverage of the story led to unsuccessful Republican attempts to remove Swalwell from the House Permanent Select Committee on Intelligence, even though he had ended his relations with Fang after receiving a briefing from the CIA in 2015.

Other cases have emerged beyond the US. In November 2017, Sam Dastyari, an Australian senator, was revealed to have taken a sympathetic stance towards Chinese territorial claims in the South and East China Seas, in contradiction to the policy of his own Labor Party. Media stories also alleged that Dastyari had developed a close financial relationship with Chinese billionaire Huang Xiangmo, who was himself alleged to have ties to the CCP. Dastyari subsequently resigned from the Senate. In January 2022, MI5 alleged to Sir Lindsay Hoyle, the speaker of the UK House of Commons, that Christine Lee, a solicitor active in the UK’s Chinese diaspora, with links to numerous British politicians, was a witting asset of the UFWD, and had sought to influence members of Parliament through donations. That same month, Canada’s Privy Council Office reported that the Chinese consulate in Toronto had made clandestine transfers to 11 candidates and 13 campaign staff, seeking to influence the federal election of 2019.

Russia has also sought to exert covert influence, working through the same kinds of civil society fronts, businesses, experts and professionals as China. A recently reported example is Pravfond, a Russian government-backed foreign aid body staffed by former SVR officers, which has been active in online propaganda and the legal defence of Russian nationals linked to illegal state activities. As Russia expert Catherine Belton notes, many Russian front groups have budgets that “were always murky”, and according to one of her sources, likely to be connected to Russian intelligence. Russian dirty money has also played a central role in channelling malign influence through commercial avenues. Russia’s dominance in European hydrocarbons has provided the means by which it can influence corrupt local elites on the continent, using local intermediary businesses – partly state owned, partly private – not only to supply oil or gas, but also to distribute secret funds to friendly politicians, political groups and businesspeople. As outlined in recent SOC ACE research, examples are numerous, and include well-documented cases such as the funnelling of Russian state cash to the pro-Russian presidential campaign of Prime Minister Victor Yanukovych in Ukraine in 2004, disbursed through a Ukrainian intermediary of Russian energy giant Gazprom. Russia has also exploited similar techniques beyond its near abroad; for example, developing but never implementing a scheme in 2018 to sell discounted Russian diesel to an Italian firm, which would then be sold at full price, with the difference donated to Italian radical right party Lega Nord.

Russia has found other covert channels by which to influence potentially sympathetic politicians across Europe. Media reports of successive allegations of suspicious payments to pro-Russian European politicians and parties have included recent scandals over payments to MEPs, which are allegedly linked to Kremlin efforts to shift the balance of political opinion on the war in Ukraine among European political circles. These types of funds rarely come directly from official Russian sources, of course, passing through many different types of intermediaries: politically sympathetic Russian oligarchs; Russian banks and businesses, such as First Czech Russia bank, which provided a loan to Marine Le Pen in 2014; third-country nationals, such as the Swiss lawyers allegedly used to distribute funds in Czech politics; or extreme Russian groups, such as the Russian Imperial Movement, which has provided funding for the Scandinavian far right. Other avenues of influence Russia has exploited include offers of benefits in kind, and illegal or unethical commercial opportunities. Russia has organised “fact-finding” visits to occupied locations in Crimea and eastern Ukraine for German, Italian, Austrian and Czech politicians, where they have been offered sanctioned business opportunities, presumably in return for political favours.

In contrast to China and Russia, both Iran and North Korea have shown limited appetite or capacity to mount high-level malign influence operations. However, other states have tried. Among the revisionist states’ closest associates, Venezuela has sought to influence political battles in neighbouring countries and even further afield, providing funds for the populist Five Star Movement in Italy in 2010. Recent court cases in the US have also revealed allegations of middle powers such as Egypt, Turkiye and the UAE illegally providing funds to political representatives and campaigns in the hope of promoting their interests.

4.8. Sponsoring internal opponents

States can also go beyond covert attempts to influence opinion, taking steps to covertly support internal actors that undermine the stability of a targeted state. What this can amount to covers a broad spectrum, from material support for civil protests to prolonged military campaigns by insurgent groups (an area where there can be significant crossover with sponsoring terrorist groups, as noted in section 4.4.5). Such forms of direct covert support or intervention have a long history; both the US and USSR used them during the Cold War to create problems for their opponents, especially in the developing world.

In recent years, Russia has been the most active stirrer of domestic chaos, especially among its near neighbours, paying for protesters and provocateurs in former Soviet states such as Moldova. It has also actively meddled in the developing world, providing financial and material support for the Taliban insurgency in Afghanistan prior to the group’s victory in 2021, as discussed previously. However, Russia has been more circumspect in applying similar techniques in the West. Certainly, it has been suspected of supporting discontent in several Western countries over the past decade, such as the “gilets jaunes” (“yellow vests”) movement in France in 2018, and protests in the US in 2016, but its attempts to instigate direct protests and social unrest as a form of disruption have been limited.

Iran has also sought to support protests in neighbouring states; following Israel’s military response to Hamas’s attack on Israel in October 2023, Iranian operatives reportedly encouraged pro-Hamas protests in Israel’s pro-Western neighbour, Jordan. Evidence of similar efforts has emerged in the US and Europe, too; in October 2023, The Times reported that the UK police and MI5 believed Iranian operatives were not only encouraging pro-Hamas demonstrations in London, but were also deploying operatives within the crowds. In July 2024, US Director of National Intelligence Avril Haines stated that Iran had encouraged, and in some cases even paid for, pro-Hamas protests against the US. Again, however, Iran’s actions have tended to be limited to generating and supporting protests rather than intense civil strife. Its actions have been carefully calibrated.

Unlike Russia and Iran, China has been much less likely to provide material support for internal opposition groups overseas, partly out of its general preference for stability. Indeed, Beijing seems more interested in strengthening the hands of partner governments against dissenters and rebels than sponsoring disorder.

Beyond the revisionist states, however, there are a range of examples of middle powers covertly supporting armed groups, apparently to undermine the stability of their local opponents. The alleged support of Pakistan’s ISI for Islamist extremist groups’ attacks on India has been mentioned (section 4.4.5). Pakistani officials have also asserted that India has provided support for extremist and irredentist groups in its own unsettled and contested provinces of Baluchistan and Kashmir. In South America, Venezuela and Colombia have accused each other of harbouring and supporting insurgents, criminals and terrorists who mount cross-border attacks; while in Africa, the UN has highlighted alleged support for the M23 rebel group by Rwanda and Uganda in the ongoing conflict in the Democratic Republic of the Congo. Although it might be argued that these examples of covert proxy support do not touch the West, they are common in the developing world, and are almost certainly in need of greater understanding as a result.

4.9. Sponsoring regime change

A final area of covert state activity is involvement in efforts to alter a targeted state’s political arrangements, whether by non-violent means such as vote-rigging, or by sponsoring coups d’état. Russia has the clearest track record in this area, particularly among its near neighbours, allegedly supporting a failed coup against pro-NATO leader of Montenegro Milo Đukanović in 2016. The plot involved pro-Russian locals, a former senior Serbian soldier, Russian funding and operational support from two GRU officers. Russia has also recently been accused of seeking to buy votes in the 2024 presidential election in Moldova, using criminal groups as intermediaries. Russia appears to have a willingness to meddle directly in the developing world too; senior US military officers have raised the possibility that the Wagner Group played an influential role in stimulating successive military revolts in the so-called “coup belt” of the Sahel and the Horn of Africa in recent years.

However, Russia appears to have limits to how far it will intervene in the West itself, at least for now. Here, Russia has focused on using subversion and malign influence, but has been unwilling to seek to “fix” elections. It is notable that while Russian operatives hacked into US voter databases in 2016, there is no evidence that they sought to tamper with voter rolls. That said, of course, it is also possible this was an act intended to send a message to the US that Russia had the capability to undertake more direct political interference in the future.

Other recent examples of attempted regime change by revisionist states are more difficult to identify. China has shown little willingness to topple governments it does not like, although it might have had a hand in approving the Zimbabwean Defence Forces’ removal of Zimbabwean leader Robert Mugabe in November 2017. There are also only a few credible recent examples of middle powers seeking to bring about regime change in rival states. A recent case is the alleged attempt by Jordan’s Crown Prince Hamza to overthrow his brother, King Abdullah, in April 2021, which some believed also involved Saudi Arabia. Nonetheless, credible cases are rare, perhaps indicating that direct attempts to change other states’ political arrangements, rather than influencing or destabilising them, are deemed among the most high-risk and possibly difficult of state threats to accomplish.

4.10. Conclusion

As this section demonstrates, the range of current state threats is extremely broad, running from overt bullying behaviour through to attempts at covert regime change. As summarised in Table 3, many overt and covert activities are in some ways mirror images or extensions of one another, in areas such as influence and subversion. However, while the visible use of coercion against governments is an important part of the modern phenomenon of state threats, it is clear from the survey that the centre of gravity of states’ activities, and the area which offers the widest range of options, is in the covert and clandestine sphere. As the next section explores, this has made state threats primarily the province of the most secretive of state actors and their partners in the commercial, criminal and extremist demi-mondes.

Table 3: Comparison of overt and covert/clandestine measures by class of action.

5. Executing state threats

Understanding how state threats are initiated and executed is an obvious problem. In democratic societies, details can eventually become public, but in authoritarian states, the challenge is much greater, given their very obvious lack of transparency. A certain amount of educated speculation is necessary.

From the outside, all political leaders wish to present the image of a well-organised state apparatus, with themselves and their colleagues in complete control; however, all states, of all types, are heirs to basic problems that make translating policy into action more difficult than might first appear. Unfortunately, however, because of fundamental psychological distortions, outside observers can often forget this, leading governments to overestimate the coherence and coordination of their opponents’ behaviours, a pattern international relations scholar Robert Jervis has documented extensively. This is a particularly common problem for democratic governments looking at authoritarian states, where the tendency is to see a single lead actor and a single will. All actions are viewed through the lens of an image of supreme control. But as political scientist Barbara Geddes and colleagues have shown, decision-making in dictatorships can be as incoherent as, or even more incoherent than, in democracies, with members of authoritarian regimes competing to maintain position and gain favour with the leadership; “for most purposes dictatorships should not be analyzed as unitary actors”, they conclude. Caution and discernment should therefore be close companions when exploring how state threats originate and are operationalised.

5.1. Initiating hostile acts

A cautious approach to the claims of authoritarian efficiency should not, however, lead immediately to the assumption that these states operate in complete chaos. Authoritarian leaders have varying degrees of control over foreign and security policies, with the level depending on the extent to which the regime is dominated by its leader or “personalised” around them, the effectiveness and character of the military and bureaucracy, the existence and strength of non-state sources of power, and the relationship between formal and informal powers. Hostile activities might therefore emerge from several different sources in an authoritarian state, including the state’s leadership, individual government departments or agencies, freelancing officials, or individuals, groups or networks within or close to the regime, depending on its character and composition. Ian Kershaw, a historian of Nazi Germany, has used the ideas of Max Weber to show how Adolf Hitler’s regime developed a hybrid policymaking model, with the leader’s rhetoric setting the overall direction of the regime, and those below and around him seeking to “work towards” realising Hitler’s expectations and objectives, as a Nazi functionary described it. It is useful to keep this interpretation in mind when considering how hostile state activities emerge in modern authoritarian states.

Among the core contemporary revisionist states, the regime whose decision-making has been most exhaustively explored is that of Russia under President Putin. As Russian security scholar Andrew Monaghan observes, experts on Russia have offered a range of interpretations of how Putin’s sistema (“system of governance”) operates, from those who see a strong hand directing from above, through to those who see something akin to lightly managed chaos. Nonetheless, while examples of both interpretations can be found, the regime does not appear to behave totally consistently.

In part, much of the initiation of state-linked hostile acts is bureaucratised. Russia’s intelligence agencies have the main responsibility for covert and clandestine activity, and as organs of state, they follow broad strategic objectives set out by the Kremlin, with varying degrees of activism, creativity, autonomy and competitiveness. Very often, this process works with little need for direct Kremlin approval. As Kevin Riehle, a long-time scholar of Russian intelligence, commented in interview, “Putin only wants to provide strategic guidance, or to intervene if things go wrong; the less he has to do that, the happier he is.”

However, as Monaghan writes, there is “a wealth of evidence” that the formal state is “often dysfunctional in practice”. This leads to what international relations scholar David Lewis has described as Russia’s “dual system”, with a state bureaucracy undertaking business as best it can, supplemented by “a parallel system of governance, known as ruchnoe upravlenie (‘manual control’)”. In situations of manual control, members of the presidential administration look for ad hoc solutions to meet policy objectives or rectify failures, working “through unofficial ‘curators’ to ensure effective implementation of decisions”. Galeotti describes these curators as “an adhocracy” of “political entrepreneurs” in business, the media, politics, or from the worlds of intelligence and organised crime. When the formal state fails, or cannot meet a need, the “adhocrats” step in to offer their services; an exemplar was Yevgeniy Prigozhin.

General strategic requirements or specific requests come to the adhocrats, but they can have wide latitude in shaping the ultimate nature of the objective itself. Writing with Balkans expert Tena Prelec, Lewis has shown how, in past Russian attempts to pressure Moldova, “overall strategy” came from the Kremlin, but there was also “input from other actors” and actual implementation of hostile acts relied “heavily on parastate actors and local elites”. These implementers were “not simply pawns of the Kremlin”, but actors in their own right.

Members of the adhocracy have even greater autonomy in how they pursue regime objectives, with or without direction. In his study of Russia’s relations with the European far right, Shekhovtsov has shown that the Kremlin, rather than directing the development of contacts, allowed a permissive environment in which Russian political, business and cultural figures could build ties with like-minded individuals and groups overseas, which might then have political value at a later date. In riskier matters such as assassinations, Russia also seems to have maintained a significant tolerance for adhocrats taking matters into their own hands. As Riehle commented in interview:

assassinations not sponsored by the Russian state are likely the work of strong business elites who kill to remove competition or an obstacle. However, those assassinations may also be in the interests of the state, because when a person is an obstacle to a pro-Russian corporation, he or she is also an obstacle to the state. Non-state assassinations sometimes also align with state interests.

Russia’s mixed system of decision-making and operationalisation is in some ways mirrored in Iran, although its system seems more centrifugal and disordered. “Iran’s theocratic regime has been eager to present itself as a well-organised state, following the orders of the Supreme Leader”, remarked Ali Ansari, a historian of Iran at the University of St Andrews, interviewed for this project: “The reality is much less impressive.” Indeed, as scholars of Iranian grand strategy Thierry Balzacq and Wendy Ramadan-Alban note, this well-crafted image of top-down control obscures “the reality of cross-institutional factionalism across the regime”. While the Supreme Leader is the most significant overall player within the state, he is not all powerful. His role is to make occasional specific commands, provide strategic guidance and adjudicate between different factions.

As a consequence, Ansari suggested, the regime operates more like “a collection of non-state actors” than a coherent state, where even non-Iranian non-state partners such as Hezbollah cooperate and compete within a diffuse political ecosystem. This suggests that the origins of specific acts of Iranian hostile activity will lie in the multiple decisions of institutions, factions and networks throughout the regime. Of the factions within the regime, the IRGC is probably the most powerful because of its close links to the supreme leader, extensive military and intelligence capabilities, and commercial empire. However, the IRGC too is hobbled to an extent by internal factionalisation, suggesting that its activities should not be seen as any more coordinated than the wider state.

In comparison with Russia and Iran, China has had a historic reputation for having a more heavily bureaucratic decision-making structure, with a collective leadership transmitting directions down through state and CCP structures. However, the reality has never been this clear-cut. There has long been tension between state and party structures, and a tendency for new party-linked groups and bodies to proliferate; prior to the arrival of President Xi, outside observers emphasised how the rapid growth of Chinese foreign policy actors had led to an increasingly fragmented Chinese approach to the outside world. As China expert Rush Doshi notes, a loosening of controls in the 2000s did indeed allow such outward-facing actors more autonomy, within limits. While agencies’ priorities have been set and are monitored at a senior level, the agencies themselves have operational autonomy in how they are achieved. There is also some evidence of state officials following their own paths, although this is more often in pursuit of personal gain than personal agendas; official corruption and entrepreneurialism have long thrived in the Chinese state, with officials and diplomats seeking to channel illicit funds out of China through a burgeoning underground banking network.

The Chinese model of a largely consistent bureaucracy, tinged with some diversity and irregularity, appears to have continued under Xi. However, there has been a definite attempt to tighten central control, with Xi taking a ruthless approach to perceived failure and corruption, and ensuring his own acolytes take senior positions. The goals and character of the regime have also increasingly mirrored the nationalistic and authoritarian temperament of Xi, with officials required to cleave to the ideas contained in what China scholars Steve Tsang and Olivia Cheung describe as “Xi Thought”. Although Xi could hardly be in complete control of the vast Chinese state and the CCP, his increasingly dominant position suggests that China’s hostile activities are likely to closely reflect his preferences.

Finally, North Korea is the opaquest regime of the core revisionist group. Since its creation in 1948, North Korea has been run as a hereditary dictatorship under the Kim dynasty. Kim Jong Un, its leader since December 2011, is the grandson of the regime’s founder, Kim Il Sung. Under the country’s suryong (“leader”) system, Kim Jong Un enjoys ultimate power. But, as with other authoritarian states, it is not always clear what this means in practice. Certainly, the Kim family has “the ultimate authority in North Korea”, remarked Aaron Arnold, a former UN Panel of Experts member, in interview: “This is a criminal state, run like a mafia family”. Former UK ambassador to North Korea Alastair Morgan also noted during interview that “there is a strong ‘vertical of power’ in Pyongyang, and Kim takes a very close interest in strategic matters”. In practice, this means that for the most important and riskiest decisions, such as missile launches, state assassinations and so on, the initiative or final say will probably sit with Kim. However, as with the other regimes discussed, North Korea’s leadership cannot have complete control of day-to-day activities. For most hostile activities – the cybercrime campaign, for example – relevant departments of the state are likely to manage their execution to support Kim’s objectives. While this provides some small flexibility for initiative, this is largely tempered by the knowledge of the potentially fatal consequences of making mistakes or misleading the leadership.

5.2. Executing hostile acts

Once initiated, the implementation of hostile acts can be a complex process involving both state and non-state actors. Intelligence officers are often central, whether as project managers or executors of the hostile act; their status will usually be obfuscated with various forms of official (diplomatic) and non-official cover. To increase deniability, state actors also effectively hire or work with a wide range of non-state actors. Although non-state actors involved in hostile acts are often described as state proxies – actors under the direct control or direction of the state in question – the word should be applied with caution. The relationships between state and non-state actors can be complex, and in many cases, it is more appropriate to consider the non-state actor as a partner or collaborator, rather than just a hired hand.

As noted in section 2, the involvement of non-state actors poses a problem of responsibility: which of non-state actors’ behaviours should be treated as state threats, and which should not? Observers can of course look for evidence of a recognised chain of command or operational relationship between a state and non-state actor, and an indication that a form of tasking or plan has been agreed between the two. But in the covert world, finding the evidence to show this convincingly is a high bar that is unlikely to be met. Perhaps the most that can be hoped for is to collect enough material to: (a) identify a probable relationship between a state and non-state actor; and (b) find consistency and alignment between the state actor’s objectives and the apparent objectives of the non-state actor’s conduct. Even then, the line is difficult to draw clearly, as it is perfectly possible for non-state actors to act in ways apparently consistent with a state’s objectives without any direction or encouragement whatsoever. Indeed, as episodes in the history of US covert action show – for example, US intelligence’s collaboration with hyper-active Cuban anti-regime groups during the Cuban Missile Crisis – the tail can threaten to wag the dog. Researchers therefore need to take a careful approach that weighs evidence on a case-by-case basis.

5.2.1. State operatives

The state operatives most intimately involved in implementing hostile activity are (military or civilian) intelligence officers. The number and responsibilities of intelligence agencies differ from state to state. In Russia, there are three major agencies: military intelligence, the GU (formerly, and still colloquially known as, the GRU); foreign intelligence, the SVR; and the security agency, FSB. Of these three, the GRU is the most engaged in sabotage and subversion overseas; its Unit 29155 is thought to have been responsible for some of the most high-profile hostile actions in the West, such as the attempted assassination of Sergei Skripal in 2018 and the destruction of a munitions depot in Czechia in 2014. The SVR is more focused on foreign espionage and the FSB on domestic concerns, although both have undertaken more kinetic and intrusive hostile acts overseas. In China, the major intelligence agencies are the MSS and the three intelligence departments of the PLA. These departments are charged with technical surveillance, HUMINT and subversion, and malign influence operations. In addition, a recent espionage case in the UK involving Chinese-heritage and non-Chinese individuals suggests that the agencies of China’s Special Administrative Region of Hong Kong are also now running overseas operations against Western targets. In Iran, the IRGC and the Ministry of Intelligence and Security (MOIS) are the main overseas intelligence operators; while in North Korea, covert and clandestine activities are managed by the Reconnaissance General Bureau (RGB), also known as Unit 586, which was created in 2009.

Despite the dominance of intelligence agencies as the main official operators behind hostile activity, other official agencies can be involved too. In China, a wide range of state and CCP bodies also play an important role in espionage, disinformation and malign influence operations. The most significant Chinese organisation is the UFWD of the Central Committee of the CCP, which is charged with managing relations with the Chinese diaspora, co-opting foreigners and suppressing overseas criticism of China. As China experts have noted, the UFWD operates much like an intelligence agency overseas, often working under diplomatic cover at Chinese embassies, alongside MSS or PLA representatives. As Allen describes, “party cadres who hold an official position in the United Front Work Department may ‘double-hat’ … [holding] publicly undisclosed positions in the department”. A further important political agency is the International Liaison Department in the Political Work Department of the Central Military Commission, which also seeks to influence the policies and behaviours of other countries’ defence and foreign policies.

In addition to these more dedicated agencies, Russia, China, Iran and North Korea all have significant state-owned or linked industries that are used to provide cover for state operatives or to undertake hostile activities in their own right. In China, state-owned enterprises have close ties to the MSS and are legally obliged by Chinese law to cooperate with Chinese intelligence agencies. In North Korea, the regime has used state trading companies to produce heroin and methamphetamine; counterfeit US currency, cigarettes and pharmaceuticals; evade sanctions; and launder illicit funds. Russian state-owned media has also acted on behalf of the Russian intelligence services; in one remarkable example, Russian journalists ostensibly reporting on the poisoning of Putin critic and opposition leader Alexei Navalny in March 2021 were alleged to have conducted covert reconnaissance on the security of the Berlin hospital where he was being treated.

5.2.2. Non-state operatives

Alongside official operatives, the variety of non-state actors involved in operationalising hostile acts is extremely diverse, ranging across the legitimate private sector, civil society, criminal organisations and even terrorist groups. As noted above, relationships with non-state actors are far from uniform. Many non-state actors can be partners of, or contractors to, state or even other non-state actors, rather than direct surrogates or proxies. Indeed, even for those that most closely fit the concept of a proxy, a variety of influences can be in play, including the non-state actor’s own agenda or self-perceived interests.

Oligarchs and tycoons

The peculiar character of the post-Soviet regimes that have evolved since the end of the Cold War has highlighted the role of “oligarchs”: business leaders who have amassed great wealth through ownership of former state-owned companies, and who as a result have wielded significant economic and political influence.

Russian oligarchs had significant independent power in the 1990s, but with the ascendancy of Putin, their autonomy was constrained. The regime now appears to expect them to act as custodians of Russian national wealth and, when required, as arms of the state. Oleg Deripaska, a metals tycoon close to the Putin regime, told journalist Catherine Belton in 2007, “I don’t separate myself from the state. I have no other interests”. Russian oligarchs and their businesses can thus often act as deniable state partners, especially when exercising both overt and malign influence through economic and financial means. For example, Konstantin Malofeev, a successful investment banker and conservative ideologue, has played a significant role in creating channels through which far-right groups across Europe and North America have built closer relations with the Kremlin.

The importance of oligarchs is not just limited to Russia and the post-Soviet world, however. Chinese and Chinese-heritage tycoons based in Hong Kong and Macao have acted on behalf of the Chinese state and CCP overseas; as Hamilton and Ohlberg remark, for these individuals, “loyalty to the Party is a condition of doing business”. For example, Canada’s Operation Sidewinder, an investigation conducted by the Royal Canadian Mounted Police and the Canadian Security Intelligence Service in the 1990s, revealed extensive cooperation between Chinese tycoons, OCGs (“Triads”) and Chinese intelligence officers in money laundering and political influence operations in Vancouver, a model which Canadian investigative journalists and academics have suggested continues in use. It is a pattern with parallels in other countries too, including Australia; the resignation of Senator Dastyari in 2017, mentioned above, was in part triggered by revelations of his financial relationship with Huang Xiangmo, a UFWD-linked Chinese real estate tycoon keen to promote Chinese political interests in Australia.

Businesses and contractors

Businesses – the organisations as much as their owners and managers – have also long played a role in covert activities, and were a key element of “arm’s-length” operations by the USSR in the Cold War. Involved businesses can be legitimate commercial concerns with no roots in the secret world, but have owners or senior leaders willing to allow the organisation to be used as cover for intelligence operations. Other firms can be legitimate front companies, businesses secretly set up by agencies themselves to conduct both genuine commercial and covert activities; meanwhile, shell companies, which do no commercial activity at all and have obscured ownership structures, can be used to provide cover for covert or illicit activities, and create a commercial grounding for the movement of operational funds.

During periods of prolonged international isolation, both North Korea and Iran have become sophisticated users of front and shell companies in order to procure and sell illicit goods, evade sanctions and launder funds; they have developed sophisticated networks through intermediaries based in major trading and financial centres such as Hong Kong, Singapore and the UAE. Studies of North Korean sanctions evasion have found, for example, that many of its overseas operations were conducted with the help of foreign individuals and foreign front companies, including some with Chinese links. Further recent research suggests that since the start of the war in Ukraine, Russia has also been learning to use such tactics.

In China too, private businesses play a role in covert activities, especially with regard to collecting commercial intelligence. Under the Counter-Espionage Law of 2014, all private organisations and individuals are required to provide information to the state on request, and since the introduction of the National Intelligence Law of 2017, they have also been required to “assist and cooperate with the state intelligence work”. According to Murray Scot Tanner, an expert on Chinese law enforcement, these laws have shifted the burden of responsibility for collecting and sharing sensitive information from the public to the private sector, creating “affirmative legal responsibilities for Chinese and, in some cases, foreign citizens, companies, or organizations operating in China to provide access, cooperation, or support for Beijing’s intelligence-gathering activities”.

While some of these activities are likely to have no contractual underpinnings, in other cases, businesses have provided covert services commercially – and with a legal paper trail. Activities that require technical expertise, such as online surveillance, cyber espionage, cybotage and online disinformation, can be difficult for less well-resourced state agencies to sustain without external expertise. According to US indictments issued in March 2016, for example, Iran has used legitimate Iranian IT companies to undertake hacking operations. Many middle powers – especially in the Middle East – have also called on contractor services, looking internationally to firms staffed with former military, intelligence and law enforcement professionals, sometimes from Western countries. Notable examples include the UAE’s use of DarkMatter Group, a company composed of former NSA members, to monitor dissidents and critics; or the Archimedes Group, an Israeli business that Facebook found to be conducting information operations on its platform for suspected parties in Latin America, Africa and South-East Asia. This group of non-state actors also appears to be growing quickly. The Oxford Internet Institute found that the number of private cyber firms offering services to governments nearly doubled between 2019 and 2020, from 25 to 48, indicating a strong upward trend.

Private military companies/contractors

A contractor type of increasing significance is the PMC. The deployment of PMCs became a regular feature of the Western military occupations of developing countries such as Afghanistan and Iraq in the 1990s and the first two decades of the 21st century. Over that period, the growth and use of such firms spread globally.

Russia has been a major development hub for PMCs, despite their being illegal under Russian law. At the core of the Russian sector has been a network of companies commonly referred to as the Wagner Group, set up from 2014 onwards under the stewardship of Yevgeny Prigozhin, but subsequently subsumed into wider state operations since his death in August 2023. The Wagner Group has acted as the “long arm” of intervention for Russia in conflicts in the Middle East, North Africa and sub-Saharan Africa, supporting authoritarian leaders, conducting criminal activities and enabling Russian sanctions evasion efforts. Wagner has also played an active role in anti-Western disinformation efforts in Africa; in October 2019, Facebook announced that it had closed a disinformation operation across eight African countries that Wagner had coordinated. Emerging evidence also suggests that Wagner has become a covert operator in the West too. Two UK nationals were arrested in April 2024 for an act of arson on a Ukraine-linked business that Wagner is alleged to have commissioned.

Russia is not the only state to have allowed or enabled the creation of PMCs, moreover, although evidence of others’ involvement in covert activities is less obvious. The Chinese state has used major Chinese PMCs such as China Security & Protection Group, the Shandong Huawei Security Group and Genghis Security Services to provide security for the Belt and Road Initiative, and these PMCs also have close links to the Chinese military and intelligence.

Civil society and lobby groups

As several of the subversion cases previously discussed indicate, both Russia and China have used civil society groups such as think-tanks and NGOs to promote disinformation or channel malign influence. Giles has outlined, for example, how Russia has used sympathetic non-Russian nationals to set up front organisations that “can at first sight appear genuine and home-grown”, but which are in fact mouthpieces for Moscow. In addition, he notes, Russia has used sympathetic but “unwitting accomplices” in politics, the media and culture – infamously described as useful idiots by Vladimir Lenin – to recycle Russian narratives. It is here that carefully cultivated relationships with extreme and radical voices in Western countries have paid long-term dividends.

Chinese agencies are also prolific in their use of front civil society organisations. According to Hamilton and Ohlberg, the UFWD and its web of linked organisations have accelerated their activities since 2010, following CCP guidance to “build ethnic Chinese-based political organisations, make political donations, support ethnic Chinese politicians, and deploy votes to swing close-run elections”. MSS officers have also used externally focused think-tanks and fora such as the China International Culture Exchange Center, the China Reform Forum and the China Institute for Innovation & Development Strategy as covers to cultivate relationships with elite political, business and cultural leaders overseas, working through local diaspora groups. The aims of such organisations have been to gather intelligence about elite thinking in targeted societies, and push soothing narratives of China’s “peaceful rise”, an idea associated with Zheng Bijian, a senior adviser to the Chinese government. China has also used institutional links with Western universities as cover for covert activity. While intended to teach Chinese languages and share Chinese culture, Chinese state-supported Confucius Institutes have been used by the UFWD for intimidation and subversion on campuses, especially where there are significant Chinese student intakes.

The Western lobbying industry has also proved a useful tool for covert malign influence. In several Western countries, the US and Australia for example, there are legal requirements for lobbyists acting on behalf of foreign governments to register their activities. However, over the past decade there have been several well-known instances of entrepreneurial lobbyists going beyond legal bounds to act as covert influencers. The investigation by former FBI director Robert Mueller into Russian interference in the 2016 US presidential election led to the indictment and subsequent guilty plea of US lobbyist Paul Manafort for acting as an unregistered agent of the pro-Putin Yanukovych regime of Ukraine. Manafort was also connected to pro-Putin oligarchs and a Russian intelligence officer, according to the US Senate Select Committee on Intelligence’s investigation of Russian interference in the US political system. More recently, Gal Luft, a dual US-Israeli citizen, became a fugitive following his indictment in the US for alleged violations of the US Foreign Agents Registration Act and other alleged criminal acts. Luft – the joint head of a Maryland-based think-tank – was alleged to have acted as an unregistered agent of the Chinese government, and to have played the role of intermediary in an Iranian sanctions violation scheme. After absconding from bail following his arrest in Cyprus in 2023, Luft was re-arrested by Cypriot authorities in September 2024.

Populations and diasporas

As the cases of Manafort and Luft suggest, private individuals can play a valuable role as operatives, which goes beyond the world of high politics. As noted previously, China requires by law that private individuals as well as businesses cooperate actively with Chinese intelligence services. Chinese citizens’ covert and clandestine responsibilities continue to expand, moreover; in September 2021, Chinese citizens were required to provide their government with vulnerabilities they had identified in software, to help build a stockpile for state use. China has also used its so-called “fifty-cent army” ‒ a cadre of supposedly private citizens, often in fact government employees, who are paid by the Chinese government to spread propaganda and disinformation online ‒ to support internet trolling in the state’s campaigns against dissent and anti-CCP narratives. Estimates suggest that these individuals produce around 450 million social media comments a year, although much of this activity is purely for domestic audiences.

States are also looking to their diasporas for active support. Despite the narrow specifications of China’s Nationality Law, President Xi has stated that those of Chinese heritage are as subject to the Chinese state as Chinese nationals, commenting that “no matter where you are, you must always put the fatherland and the [Chinese] people in your heart … [and] be a defender and evangelist of patriotism”. This suggests that Xi expects those living overseas – while not subject to Chinese law – to cooperate with the Chinese state and CCP. Russia too has an expansive view of its Russki mir, which has percolated through to the exploitation of individuals of Russian heritage for covert activities. A recent example comes from the arrest of two German-Russian men by German police in April 2024; the men are alleged to have been planning acts of sabotage on behalf of Russia against industrial and military sites supplying the Ukrainian war effort. Other countries are also reported to be seeking to intimidate and interfere with diaspora communities. Mike Burgess, the head of the Australian Security Intelligence Organisation, stated in August 2024 that “at least three or four” countries were attempting to interfere in Australia’s political system, and that some of the perpetrators were also Australian “friends”.

Organised crime and criminal gangs

States such as Russia and China are thus increasingly using an “all of society” approach to execute state threats, showing little concern about creating a clear dividing line between civilian and non-civilian activities. These states show a similar lack of qualms in their relations with criminal actors. According to interviews with several serving senior law enforcement officials in European jurisdictions, criminal involvement in covert state-linked activity has apparently risen over the past two decades, although the precise scale, scope and character of state-criminal relations remain opaque. As Magda Long, a scholar of covert influence operations, commented in interview, the nature of the state-crime nexus varies from state to state. In some instances, such as Russia, state agencies have a “much closer and integrated relationship with transnational criminal networks, some of which almost act as quasi state entities”. In other cases, “the relationships are more at arm’s length and are used episodically rather than consistently”.

From a European perspective therefore, Russia is the obvious exemplar of a robust state-crime nexus. The consensus of Russia experts is that Putin came to a modus vivendi with Russian and post-Soviet OCGs early in his tenure as President, promising a similar arrangement to the one offered to the oligarchs ‒ an arrangement Galeotti describes as, in effect, “a new social contract”, where the OCGs would be free to work within agreed boundaries, acting on behalf of the state as required. Over the decades, this compact has led to numerous interactions and tightening operational bonds, described by UK intelligence agencies to the UK Parliament’s Intelligence and Security Committee in 2020 as a “very muddy nexus between business and corruption and state power in Russia” and a “symbiotic relationship between the Russian state and organised crime”.

Russian state officials and intelligence agencies have tasked OCGs and other serious criminals in numerous ways, ranging from undertaking low-level espionage activities, such as couriering messages and conducting surveillance, to providing more sophisticated services, such as arms trafficking. In a case from June 2010, suspected Russian intelligence officer Christopher Metsos (also known as Pavel Kapustin) absconded while on bail in Cyprus following the issue of a US arrest warrant on charges of acting as an unregistered foreign agent and conspiring to launder money. According to Galeotti, US counter-intelligence officers suspected Metsos had managed to escape with the help of Russian people traffickers. Professional criminals have also been connected to several potential state-sponsored assassinations against anti-Russian Chechen and North Caucasian leaders in Austria and Turkiye, and have facilitated increased flows of illegal migration across Russian and Belarusian borders into Scandinavia, the Baltic region and Eastern Europe.

Since the start of the full-scale invasion of Ukraine, media reporting based on intelligence sources suggests that Russian intelligence agencies have sought OCGs’ help in increasing the agencies’ operational revenues, encouraging the OCGs to expand their operations in tobacco and other forms of smuggling to help the state. UK authorities have also claimed that Russian OCGs and money launderers disrupted by arrests in December 2024 were not only involved in laundering the proceeds of crime, but also provided funds for Russian intelligence operations. Recent arrests of suspected saboteurs in Poland in May 2024, some with criminal backgrounds, further suggest that Russian intelligence has been looking to criminal groups to support a wider range of hostile acts. In many of these activities, the criminals appear to originate from Russia or post-Soviet countries, but the Russian regime also appears to have worked with criminals from Balkan countries such as Bulgaria.

By contrast, China’s historic relationship with OCGs has focused on maintaining order at home. In the 1980s, China’s paramount leader Deng Xiaoping reportedly reached an accommodation with the Triads in Hong Kong to ensure stability during the territory’s handover from the UK in 1997, with cooperation continuing after the transition. There have been further allegations that Triad-led gangs were deployed to attack pro-democracy protesters in Hong Kong in 2014. Chinese OCGs also appear to have been involved in covert state-sponsored activities further afield, as pathfinders for Chinese operational activity in more hostile environments. Recent investigative journalism has further suggested that Chinese OCGs in Italy and Spain were involved in setting up secret Chinese police stations, and played the role of local enforcers on behalf of the Chinese state. Other recent reporting has suggested that China has ignored the operations of criminal groups in numerous special economic zones across South-East Asia, on the understanding that the criminals avoid the homeland and promote Chinese interests overseas. Although China has increased anti-organised crime cooperation with other countries in the region, Chinese law enforcement has used what Southeast Asia expert Zachary Abuza describes as a “selective” approach, tackling only the OCGs which do not follow “the rules” as a form of coercion; Abuza notes that this is colloquially known as “kill[ing] the chicken to scare the monkeys”.

Elements of the Iranian regime are also alleged to have associations with organised crime, despite the regime’s theocratic basis. IRGC leaders have been linked to trafficking heroin from Afghanistan, as well as drug-trafficking schemes involving Hezbollah, the former Assad regime and Venezuela. However, the extent to which such involvements are institutional IRGC policy is uncertain; these relationships could just as easily be the result of corrupt relationships between individual commanders and OCGs. That said, there is considerable evidence to indicate that Iranian agencies do have operational relationships with OCGs beyond narcotics, especially in “hard” operational environments such as the UK and the US. In a number of cases that emerged in 2023 and 2024, authorities revealed that Iranian intelligence had worked with criminals to target Iranian dissidents and journalists living in the West. Such plots included an attempt to kill Masih Alinejad, an Iranian-US journalist, revealed in January 2023, which intriguingly involved an eastern European crime group, rather than one with more obvious Middle Eastern links. Iran is also alleged to have used OCGs to attack Israeli targets in Europe. According to statements from both the Mossad and the Swedish Security Service (SÄPO) in May 2024, the Kurdish crime group Foxtrot, which was based in Sweden, was responsible for a grenade attack on the Israeli embassy in Stockholm in January 2024, conducted at Iran’s request. Like Russia, it seems, Iran has become increasingly willing to use criminal operatives for more dangerous hostile acts.

North Korea too has cultivated long-term relationships with various OCGs, including the Triads, Japanese yakuza and Russian mafia, mainly to distribute illicit goods and launder the funds generated. However, these relationships are most intimately connected to illicit revenue generation for state financing purposes, as opposed to other covert and clandestine state activities.

Besides the four main revisionist states, there are examples of several others cultivating relationships with OCGs, whether as a means of generating income or to maintain domestic peace. Venezuela and Syria under the Assad regime are two obvious examples of states that have enabled organised criminal narcotics trafficking to benefit themselves. There are also instances of middle powers passively ignoring criminal activities that support the illicit activities of states such as Russia and Iran. The UAE, for one, has been accused by the US of taking a lax approach to tackling Russian sanctions evasion in its midst. There are also cases of middle powers apparently using criminals to undertake covert acts. Turkish intelligence has allegedly drawn on criminal networks to mount assassinations of dissidents living in European countries. The US has also recently claimed that India used an intermediary to hire a professional hitman to murder Sikh activist Gurpatwant Singh Pannun in the US in November 2023. However, in comparison to Russia or Iran, middle powers’ levels of engagement with criminality to mount hostile acts appear limited, for now at least.

Cyber-criminals

A growing aspect of modern criminality is cybercrime. But although there are significant overlaps between new and old, the distinctive activities of cyber-criminals in the realm of state threats deserve special attention. As with other non-state actors, state actors’ relations with cyber-criminals exist on a spectrum. Cyber expert Tim Maurer has identified three types:

  • Delegated relationships, where state actors specifically direct cybercrime groups to undertake hostile acts.

  • Orchestrated relationships, where state actors guide and incentivise cybercrime groups to undertake certain acts voluntarily.

  • Sanctioned relationships, where state actors create a permissive atmosphere for cybercrime groups to commit criminal acts that are not against the interests of the sanctioning state.

Useful though these categories are, however, identifying unambiguous real-world examples for each with the evidence available is difficult, if not impossible; on the whole, the best that might be achieved is ascertaining some form of state-cybercrime nexus based on some identified operational links, the cyber groups’ patterns of behaviour, and choices of target. It is not an exact science.

Of the core revisionist states, Russia seems to have the widest range of relationships with cyber-criminals. Some early examples have been at the extreme end of delegated relationships, with agencies recruiting criminal hackers and giving them intelligence officer status. In the mid-2000s, allegedly in return for avoiding prosecution on fraud charges, the FSB recruited Dmitry Dokuchayev, a prolific Russian hacker who operated under the online handle “Forb”, as an officer in its cyber function. Dokuchayev, who was also subject to charges of cybercrime in the US, was convicted of treason in April 2019 for leaking Russian government documents to the US. Such arrangements led to a peculiar situation where one part of the intelligence infrastructure used criminals to hack for the state, while other parts investigated them doing it.

More often, however, Russian agency relationships with cyber gangs appear to have fallen more into the categories of orchestrated or sanctioned relationships. In some instances, available detail suggests careful choreography between the state and criminals. Drawing on law enforcement sources, a New York Times investigation in 2017 suggested that Evgeniy Bogachev, an alleged Russian cyber-criminal subject to US sanctions, coordinated his activities with the FSB, allowing the security agency to collect intelligence in systems he had penetrated for criminal purposes. Other evidence suggests some form of protective or enabling relationship between Russian agencies and Russian cyber-criminals. Most commonly, Russian cyber-criminals have provided support for state activity, in return for state agencies permitting cyber-criminal groups to undertake criminality overseas, especially against states perceived to be hostile to Russia, a relationship type cyber experts Michael McLaughlin and William Holstein compare to the English state issuing letters of marque to naval privateers in the Elizabethan era. Cyber journalist Raphael Satter notes, for example, that:

some ransomware groups write it into their code that they do not deploy against machines that run Russian on their keyboards … [which] gives you some idea of what may be some informal deals being struck between the state or elements of the state and cyber criminal groups.

However, the cyber sphere remains a fluid realm, and the connections between Russian agencies and cybercrime might well have become closer in recent years as a result of the war in Ukraine. The war has had an apparently radicalising effect on some Russian cybercrime groups, leading them to align more closely with the Russian state. An exemplar is the leading ransomware group, Conti, which declared its allegiance to the Russian state in early 2022. A massive breach of the group’s data by a Ukrainian hacker revealed how this relationship had developed, with the group’s online conversations and files indicating ongoing contact with Russian state agencies over time.

The Russian approach is mirrored to a degree by the Iranian model, although the Iranians operate on a far smaller scale. As Moore notes, while having official cyber capabilities in the MOIS and IRGC, Iran is highly dependent on outsourcing to provide capacity. Past cases of Iran state-linked hacking have involved apparently legitimate Iranian businesses. It seems that Iran also draws on a wide range of other non-state actors – academics, activists and criminals – to supplement its state resources and, in Moore’s words, “to generate an image of capacity it does not have”.

In contrast to Russia and Iran, China’s cyber operations appear to fall more closely under the control of the MSS and the Strategic Support Force of the PLA. But, according to cyber intelligence firm Mandiant, there is additional evidence that some Chinese “state” hackers also act as hybrids, hacking targets selected by the Chinese government during office hours, then pursuing other personal interests for pleasure and profit in the evening. Intriguingly, APT17, believed to be run by the Jinan bureau of the MSS, uses the same cyber tradecraft as APT41, which sells its skills for hire.

The MSS and the PLA have also sought to gather commercial and defence-related intelligence using cyber groups with limited connections to the state, as well as cultivating a network of what are often described as “patriotic hackers”, which they occasionally direct to attack targets on an ad hoc basis. Nonetheless, while China’s relations with cyber-criminals appear to still be more carefully managed than those of Russia, there have been recent indications of growing collaboration. For example, when Chinese state hackers penetrated the Microsoft Exchange servers in March 2021, it appears they deliberately left an exposed vulnerability, which cyber-criminals took advantage of to steal data for illicit use. This suggests an intimate choreography between state agencies and hackers.

Like China, North Korea also relies primarily on state cyber groups. These are part of the RGB, which recruits young people with relevant aptitudes trained from an early age specifically to work in cyber. In this tightly controlled society, there is less space in which an indigenous cyber underground can develop, and thus more limited non-state cyber resources for the North Korean state to draw upon; indeed, reporting suggests that private North Korean hackers are more likely operating in opposition to the state than for it. Within Pyongyang’s state-developed cyber cadre, however, there is evidence that state groups, like those in China, do conduct their own criminal activities, or are given the latitude to do so. North Korean cyber groups have also worked with foreign cyber-criminals to improve their tooling. Research by Alex O’Neill, who has studied North Korean cyber operations at the Harvard Kennedy School, suggests that North Korean state actors have used Russian language sites on the dark web to contact Russian groups and commission them to develop malware on their behalf. If North Korea does not use cyber-criminals to undertake hostile acts, therefore, it is more than happy to work with them in furtherance of its own activities.

Terrorists and militias

The final type of relevant non-state actors are those with political and religious agendas, and a willingness to use violence to pursue them: terrorists and militias. State-sponsored terrorism was noted in section 4 as a potential vector for hostile activity, whether as a form of direct attack and intimidation, or as a more general way to generate political instability in a targeted state. It naturally follows, then, that politically violent groups might play a role in undertaking them. The most clear-cut case is Iran, which has worked with Hezbollah, Hamas and others to mount attacks in the Middle East, and to a lesser extent beyond.

This said, however, and as noted previously, widespread contemporary state use of violent groups for covert violent purposes is mixed at best; there is little to suggest their widespread use by Russia, while Iran’s relations with an array of terrorist groups and militias seem to focus as much on commercial, criminal and other types of collaboration, as on hostile activity (see 4.4.5 ‒ Terrorism). Iranian connections with its self-described Axis of Resistance are complex, moreover, and, as historian Rouzbeh Parsi notes, more often amount to a partnership than a proxy arrangement. This is most evident in the case of Lebanese Hezbollah, which, despite its heavy financial dependence on Iran, retains wide operational autonomy, and works jointly with the IRGC and other Iranian partners in enterprises such as creating illicit revenue from sanctioned oil sales. But Hezbollah is not unique. Yemen expert Baraa Shiban observed in interview that although the relationship between Iran and the Houthis of Yemen is often presented as one of sponsor and proxy, it is much more complicated in reality. While the Houthis’ religious sensibilities have affinities with the Shia Islam of the Iranian regime, they are not identical. Moreover, the Houthi leadership does not see itself as Iran’s proxy, but as an ally “with shared enemies, in particular Saudi Arabia”. As Shiban commented, “they have a common interest in reducing Saudi Arabian influence and keeping the West out of the region”. While these groups have taken leading roles in conducting attacks against Iran’s regional enemies, therefore, it is far too simplistic to suppose that they do so purely at Iran’s behest.

5.3. Conclusion

Drawing the threads together, it is apparent that although some observers frame the current geopolitical situation as “Cold War II”, the current growth in clandestine and covert activities is not the monochrome spy game many imagine the original Cold War to have been. State actors or those close to them remain the key point of origin for the initiation of state threats, and even when adhocrats like Prigozhin act without clear orders, they are acting on a perceived state need, or with what they believe to be the probable approval of the political elite. Freelancing is thus undertaken in the context of a shared sense of overall state objectives. State operatives also continue to be key players in executing state threats. Intelligence officers ‒ declared and undeclared, military and civilian ‒ are ubiquitous. But the variety of types of non-state actors also involved in hostile acts, either as partners or proxies, has grown in range and nature. The players in the covert world are as diverse as they have ever been, and among them, some (organised and cyber-criminals) have become especially important because of their unique skills, reach and access.

6. Analysing state threats

The previous two sections provide something like a map of the current landscape of state threats, although, much like pre-Mercator cartography, it remains more conceptual than precisely physical. In the absence of detailed quantitative data, it is difficult to provide a confident analysis of the salience of a particular threat type, or threat actor, or how different elements within the landscape relate to one another. In short, it is not possible to assess the volumes, patterns and relationships within the data with the kind of accuracy that would satisfy a social scientist. Nevertheless, the conceptual map does suggest some initial observations and hypotheses about the state threats phenomenon as a whole, as well as the patterns of behaviour of specific countries, which could be tested with more data-driven rigour at a future point.

6.1. Prevalence of threat vectors

A natural starting point is to measure the prevalence of various types of threat vectors. We currently lack the hard quantitative data to do this, but even if (or when) such data can be compiled, the results of any “count” will need to be handled carefully. Due to the differing characters of types of hostile acts, some are much easier to count than others. Some hostile actions, which might best be seen as events, are by their nature more straightforward, because they are time limited and more likely to register in the media or public consciousness. This could include an overt military incursion, an assassination or a coup. Other types of hostile actions might be better understood as processes, containing a pattern of activities, probably happening at a lower register, possibly over a longer duration, such as espionage, subversion or malign influence campaigns. These are much less easy to discern and log. At this point, therefore, we have to recognise that we do not know what we do not know, and accept that any judgements of relative prevalence for different types of state threats remain impressionistic.

Based on the nature of open source reporting, driven as it tends to be by the discrete, episodic and sensational, it would be easy to conclude that there are many more event-style than process-style hostile actions. However, what hard data are available suggest that the reality could well be the other way around. For example, the DCID shows that 61% of all state-linked hostile cyber activities in the database relate to espionage, not cyber effects operations.

If processes dominate over events across the state threats landscape, there could be several reasons for this. Process activities such as espionage are “business as usual” for intelligence agencies; they are more likely to be part of an agency’s routinised processes. They are also likely to be less resource intensive, lower risk and open to at least partial “industrialisation”, especially where technology can be used. By contrast, event-style actions typically require more planning, resources and risk management, and are more kinetic, dangerous and reputationally risky. In addition, event-style actions are harder to routinise, as they are also potentially dictated by external schedules, such as the movements of a targeted dissident or electoral cycles, or the irruption of unexpected events a state might seek to take advantage of.

What of overall trends in volume between different types of hostile activity? As set out in section 2, one of the reasons why governments are discussing state threats now is the evidence that the volume of threats is rising. Openly available information seems to bear this out. Among these threat vectors, the scale of Chinese commercial espionage conducted both through cyber techniques and human collection continues to stand out as a cause of great concern to Western agencies; Anne Keast-Butler, the head of GCHQ, described it as an “epoch-defining challenge” in May 2024. However, other types of hostile activities besides Chinese commercial espionage are also becoming more salient, especially since the start of Russia’s full-scale invasion of Ukraine in 2022. They include:

  • Open coercion ‒ Heavy metal diplomacy and border incursions of various types appear to be on the rise in both Europe and Asia, seen, for example, in Russia’s jamming of the global positioning system in widening areas of eastern Europe, and Chinese vessels’ regular clashes at sea with those of the Philippines.

  • Sabotage ‒ There has been a marked rise in Russia-organised or -inspired physical sabotage in European countries, usually targeting supply chains supporting the Ukrainian war effort. China has shown increasing willingness to undertake cyber operations that show indications of preparation for future acts of cybotage.

  • Malign influence ‒ A growing number of cases of espionage and linked covert influence operations by both Russia and China were reported in European and Five Eyes states in 2023 and 2024. The intensity of the reporting probably reflects the fruition of investigations by Western agencies against long-term operations by Russia and China, suggesting that these efforts at malign influence are not emerging as such, but reflect a longer-term trend; however, the coincidence of recent reported cases remains notable.

Beyond questions of proportion, scale and trend are those of relationship and pattern; in other words, are certain types of hostile activity commonly used together, and if so, what are the most salient correlations?

As noted in section 4, there is a certain fuzziness around different types of clandestine and covert action, with blurred lines and potential for multiple parallel effects that can intimidate, cause physical damage, and influence perceptions, opinions and even policy. From the evidence of the previous sections, there is a clear nexus between dramatic hostile actions, and the subsequent deployment of subversive information techniques. Border incidents, military near misses, assassinations, sabotage operations and stimulated migration flows have all been used to shape misleading narratives that lay the blame on others, or make spurious claims of Western ineptitude, hypocrisy or deceit. In the case of the attempted assassination of Sergei Skripal in 2018, Russian officials made various spurious and contradictory counter-claims, suggesting the poisoning itself was a Western hoax or that the toxin used was made in the West. These allegations were then recycled through the Russian online disinformation ecosystem, and partly as a result, reported further in the West.

As Kilcullen notes, different types of hostile actions can also be used in combination for potential strategic effect, or as part of an escalatory ladder; he identifies two styles of approach in the liminal/grey-zone space: “horizontal escalation”, which increases the intensity of hostile action within initial boundaries, and “vertical escalation”, which expands across geographies and different styles of attack, creating what he describes as a “bandwidth” problem for an opponent. Russia has produced several multi-pronged campaigns of horizontal escalation against former Soviet republics since 2000. One of the earliest examples was a campaign against Estonia in April 2007, where a local government decision in Estonia to move a Soviet war memorial triggered a succession of online disinformation, cyber attacks against Estonian institutions, riots by Russian speakers, physical attacks on the Estonian ambassador in Moscow, and the severing of rail links between Estonia and Russia. Georgia and Ukraine were also subjected to similar campaigns in the run-up to, and alongside, direct Russian military action in 2008, 2014 and 2022.

In a similar vein, Russia has also learned to switch between different techniques, depending on the levels of success achieved. An example comes from Russian malign influence operations in Europe, where attempts to Schroederise political and business elites did not lead to the hoped-for pro-Russian pivot in European foreign policy. Consequently, Russia switched its efforts towards cultivating figures on the political fringes in the West, as a form of leverage against the mainstream political elites it had largely failed to capture.

While less well practised in escalatory choreography than Russia, China has also combined hostile measures on occasion. Taiwan has been the main target, most recently before the Taiwanese presidential election in January 2024. The Chinese campaign included a crescendo of verbal threats, cyber attacks, disinformation campaigns and naval drills off the coast of the island. China has also used combined hostile actions against states that have challenged it politically. Australia’s demand for an enquiry into the origins of the Covid-19 pandemic in April 2020 led China to impose heavy tariffs and other trade restrictions. At the same time, however, Australia was also subject to a series of unattributed cyber attacks on the public and private sectors, which the Australian government assessed to have been executed by a “sophisticated state-based cyber actor”. External observers took this to mean a Chinese APT.

6.2. Initiation and execution of threats

The absence of reliable information on the inner workings of many regimes makes it especially difficult to assess whether there is a correlation between initiating actors and specific types of hostile acts. However, some reasonable probabilities emerge from the evidence. Firstly, in most cases, it seems probable that the initiator of a hostile act will be a state actor of some sort, whether a senior leader, official or intelligence officer. While states such as Russia allow wide latitude for entrepreneurialism favourable to the state’s strategic objectives, this only goes so far; initiating hostile activity on a state’s behalf is not a right that appears open to all. Secondly, it seems likely that lower-risk process activities such as standard disinformation campaigns or ongoing espionage – the business-as-usual elements of the covert world – are initiated by less senior figures, on a more routine basis, but may also offer scope for adhocrats and entrepreneurs to offer their services. Finally, it also seems probable that higher-risk event-type actions, such as high-profile assassinations, or focused combined campaigns of activities, are initiated, or at the very least greenlit, by more senior officials and political leaders. Overall, the pattern is likely to be that the more routine and less risky the hostile activity, the wider the range of potential initiators at different levels of authority there are likely to be, with the converse being the case for episodic and higher-risk acts. This hypothesis is set out visually in Figure 2.

Figure 2: Risk, periodicity and potential authority required. Note: Q=Quadrant

In Q1, activities that are more routine and higher risk are likely to be treated as basic business by intelligence agencies, but might be higher risk depending on the nature of the target; in these instances, activities are most likely to be initiated by agencies on their own authority, with occasional requests for external sign-off. In Q2, activities are both high risk and rare, and likely to require higher levels of sponsorship within a state. In Q3, actions are both low risk and relatively routine, and are likely to be undertaken without any high-level involvement. Activities in Q4 – low risk and episodic – may paradoxically require higher levels of sign-off simply because of their relative rarity.

This is an admittedly broad-brush approach to the question of the relationship between operation types and sign-off levels, but we have more to go on with regard to potential correlations between the types of operatives used and types of operations. Figure 3 gives a conceptual visual representation of the patterns in the evidence reviewed for this project.

Figure 3: Involvement of actor type in relation to types of hostile action.

While there are no fixed rules, it is clear that state operatives are most likely to be involved in the broadest range of hostile activities. It also seems more likely that they will be tasked to undertake activities that involve higher risks, and/or where significant resources are required, such as high-profile assassinations, physical sabotage or sophisticated cyber effects operations. As noted, Russia’s GRU Unit 29155 is thought to have played a central role in violent hostile acts across Europe over many years. However, state agencies do not have a monopoly on kinetic or disruptive activities. PMCs, OCGs and cyber-criminals have played important auxiliary roles in acts of violent intimidation, sabotage and destabilisation. Both Russia and Iran have used criminals to assassinate lower-profile opponents overseas, rather than deploy state operatives.

In contrast, revisionist states appear to use legitimate and/or civilian non-state actors for actions that are less likely to be risky or violent. China, with its “whole-of-society approach” to intelligence, has also encouraged legitimate actors in civil society to conduct lower-risk activities, such as passive intelligence collection. Revisionist states will also use legitimate businesses as contractors to support and enable some non-physical hostile activities such as basic cybotage and disinformation.

A range of factors probably influence the relationship between the risk of a given hostile activity and the type of actor used. Some activities will ideally require high levels of skill and professionalism. State actors initiating hostile acts are thus unlikely to outsource activities of great significance – a high-profile assassination, for instance – to actors over which they have limited control, or in whom they have limited confidence. In contrast, other hostile activities, such as pushing online disinformation, are much lower risk and thus easier to leave to non-state actors. However, pragmatic operational requirements will also be important, especially when non-state actors have niche expertise or geographic access that state actors do not. Some non-state actors also offer a better option for deniability ‒ a particular benefit of working with OCGs or terrorists, who will be expected to be involved in illicit activities anyway.

6.3. The place of cyber

If states are showing a propensity to outsource a variety of hostile activities to non-state actors, there is also ample evidence of states increasingly using cyber tools as a way to act at a distance and improve deniability. The development of the cyber sphere has allowed states to access a far wider range of secret, sensitive and open source data than ever before, with the potential to access systemic vulnerabilities in any institution’s computer-based systems that are linked to the internet.

However, it is important to note that although cyber has massively expanded the scope and range of espionage, sabotage and subversion, it has not removed the need for human operatives. Cyber espionage and effects operations often rely on human operatives finding initial vulnerabilities in targeted institutions. Disinformation campaigns on social media, moreover, while routinely amplified using automated bots, still need humans to identify and deploy narratives in the first instance. Many other types of hostile acts also entail physical actions – breaking into a building, stealing assets, physical intimidation, assassination, or influencing an individual in face-to-face discussion – which cannot be done, or done well, via a computer. Humans are thus far from redundant in the world of state threats; in reality, cyber has supplemented and augmented the capabilities and reach of human operatives, rather than made them obsolete.

6.4. Gaps and constraints

As is apparent, the current range of state threats is vast. But it is not necessarily as wide as it might be, as historic experience from the Cold War suggests. There are also options that have been used in the past, but which are not being deployed now, or imaginative new possibilities that have yet to be explored. Table 4 provides a range of possible examples.

Table 4: Types of hostile actions not currently observed.

The relative absence of these types of measures from the current stable of methods used reflects various constraints. Some, such as kinetic cyber effects operations, might be technically difficult to achieve. Other constraints might relate to state actors’ own ethical or political limits, or an assessment that these types of acts are likely to trigger reciprocal action, escalation or unintended consequences. The US government reportedly considered taking funds from the personal accounts of Serbian president Slobodan Milošević in the 1990s, in retaliation for his genocidal policies in Kosovo, but decided against this course of action out of fear it might lead to reciprocal action against Western leaders. The absence of terrorism as a tool of hostile state activity probably reflects the stigma attached to it since 9/11, and the ubiquity of the problem across the globe; states are probably less likely to enable violent acts of terrorists if they too face a terrorist threat that could be encouraged and aided from outside. Indeed, it is one of the areas of security where the US, Russia and China saw common interests and cooperated in the early 21st century.

Another apparent lacuna in the contemporary state threats landscape is an absence of collaboration between the main users of hostile acts against common opponents. Since the full-scale Russian invasion of Ukraine, media reporting has documented an increasing number of areas where Iran, North Korea and Russia, and to a lesser extent China, have expanded cooperation. Both Iran and North Korea have provided Russia with materiel such as drones and artillery shells, despite a variety of relevant UN and Western sanctions; China, meanwhile, has strengthened its political and economic ties with both Russia and Iran.

In comparison, there are fewer indications that these states are collaborating extensively in the covert realm, although some areas of cooperation do seem to have begun to develop. One is cyber operations and capabilities; North Korea has used operatives based in China to conduct cyber activities in the past, and as previously noted, has worked with Russian OCGs to develop its malware capabilities. Russia is also reported to have been helping to develop Iran’s cyber weapons. A further area of evolving cooperation is disinformation, where Chinese, Russian and Iranian state-linked social media have consistently recycled and repeated one another’s anti-Western narratives, with a significant convergence during the Covid-19 pandemic. Analysts have seen a confluence of approaches between these actors in recent years; Microsoft’s Threat Analysis Center suggested in November 2023 there was a real risk that China, Iran and Russia would work together to influence the US 2024 presidential race.

The reasons behind these states’ limited levels of covert joint working are not wholly surprising, however. Regardless of their closeness, there are obvious sensitivities around covert and clandestine operations; no state can be confident that shared intelligence and capabilities might not be passed on surreptitiously to another party, or potentially used against them at some future date if the relationship sours. In addition, beyond their shared opposition to US hegemony and a dislike of the Western rules-based approach to international affairs, these states also have many well-established reasons not to trust one another. Although China and Russia are partners, they still have differing interests; one leading China expert, who wished to remain anonymous, explained in interview, “while China prefers stability, Russia has made a habit of stirring up chaos”. And while Russia, China, Iran and North Korea are broadly speaking authoritarian states, the ideologies they espouse are distinct and united only by a common dislike of the West. As Middle East expert Alex Vatanka notes of Iran:

an Islamist regime that claims to be carrying out Allah’s wishes on earth … counts among its treasured foreign partners an atheist China and a Russia led by a self-declared champion of Christianity. It is not a common set of values that brings them together, but rather the desire to preserve their own power and limit their sense of isolation.

6.5. Country-level analysis

The many overlapping commonalities in the patterns of behaviour of the core revisionist states make it possible to talk in general terms about their patterns of hostile activity. But despite the similarities and overlaps, the four main countries of interest have their own particularities and emphases in their approaches. Colin Gray, a British-US scholar of strategic studies, referred to the divergent “strategic cultures” of national militaries, shaped by history, broader culture, the political system and a wide set of geopolitical conditions. To an extent, distinctive national patterns have also emerged in the state threats landscape, despite the many similarities between the four countries’ methods.

6.5.1. Russia

Russia is by far the most daring and energetic of states in the realm of state threats, conducting what Galeotti has described as “an aggressive geopolitical campaign to assert its claims to great-power status and also undermine Western capacities to constrain it”. The campaign has several pronounced characteristics, which, while not uniform, are consistent and recurrent:

  • Russia is aggressive, action oriented and kinetic ‒ Russia’s willingness to use violence and threats against critics and enemies overseas seems to far exceed the boundaries of most other states, both overtly, through heavy metal diplomacy, and economic and diplomatic threats, and covertly too. It is currently deeply involved in acts of physical sabotage across Europe, and is highly active in cyber effects operations, described by cyber expert Moore as “arguably the most prolific government deployer of event-based capabilities”.

  • Russia is deeply rooted in traditional espionage ‒ Espionage remains of core importance to Russia, and it continues to target Western military and political intelligence, collected through both human and technical sources. The Council on Foreign Relations database on government-sponsored cyber incidents attributes 193 incidents to a Russian government-affiliated threat actor, of which 139 were espionage; of those, 91 were directed at government or military collection targets. Russia also collects economic intelligence relevant to core Russian industries such as hydrocarbons, foreign views of Russia and investigations into Russia-related incidents such as the shooting down of Malaysian Airlines Flight MH17 over Ukraine in July 2014, or the potential use of chemical weapons by the regime of Bashar al-Assad in Syria in 2017. Russia also sees espionage as a foundation of and fundamental precursor to covert action. As Riehle notes, in all the “widely publicized cases of covert election meddling … Russia’s intelligence collection preceded covert action”.

  • Russia exploits hybrid, grey-zone and weaponisation techniques, but not for their own sake ‒ Russia has been adept at mixing various techniques to collect intelligence. Cyber collection has been combined with well-worn human methods of tradecraft, with agencies recruiting foreign sources in traditional ways. The use of money as a lure has become increasingly important, as Russian operatives have leveraged the flows of illicit cash that have become available since the fall of the USSR. As one former State Security Committee (KGB) officer explained to Catherine Belton, “[in] black-cash operations Russia has developed a weapon more powerful than anything it has ever possessed before”. In covert activities such as intimidation, sabotage and subversion, Russia has also demonstrated a willingness to supplement traditional means with a variety of other methods, “choosing from a buffet of belligerence and deploying them in different combinations to suit specific situations”, according to Giles.

  • Russia uses both state and non-state actors as operatives, but state relationships with non-state actors are more pragmatic than programmatic ‒ Russia uses a wide range of actors to execute hostile activities; indeed, it is arguably the state which uses the widest spectrum of different types of “operatives”. Nonetheless, this should not detract from the preeminent role Russian intelligence agencies continue to play, or suggest that non-state actors are necessarily the preferred operatives. As Riehle noted in interview, “the decision to use a criminal over an intelligence officer for a particular activity such as assassination will be contextual, rather than bureaucratic”. Such a decision will depend on multiple factors and considerations, including, but not limited to, the importance of the operation, the risks entailed, and the available resources and levels of access to the target.

  • Russia is often untargeted and attritional ‒ Russia’s approach to hostile activity is biased towards the use of volume and attrition in attack, rather than precision strikes. Kalensky explained during interview that in the disinformation space, Russia usually seeks to “overwhelm the resistance of targets by sheer volume and velocity of information flow”. In a separate interview, cyber expert Jason Kikta observed a similar pattern in how Russian cyber effects operations are conducted, with agencies and other operators using a “throw everything at it” approach, leading to “high volumes of indiscriminate and random activity” in the cyber realm.

  • Russia can be flexible ‒ Despite a willingness to keep up long-term and attritional campaigns, Russia will also switch tactics, depending on results. Until the annexation of Crimea, Russia followed what Lough has described as a “dual strategy of … charming and pressurising”, with Russia retaining close ties with Western political and business elites, minimising active measures against the West, while applying aggressive measures against the states of the former USSR and Warsaw Pact countries. However, this pivoted in response to hostile Western reactions to the annexation, with Russia turning away from engagement with what are known in Germany as “Putin-Verstehers” (“Putin empathisers”) – mainstream political figures who had shown Putin the benefit of the doubt in the past – towards the radical political fringes of right and left.

  • Russia is resourceful and exploitative ‒ Russia has also shown itself willing to use the opportunities afforded by successful covert actions to open up new fronts or use successes as a springboard for further adventitious activity. The state-encouraged migration crisis on the Russian and Belarusian borders has been a useful means not only to pressure Western societies and welfare systems, but also to generate material to support information operations that aggravate anti-immigrant sentiment in European countries, and to provide opportunities to insert intelligence assets into refugee flows that can later be used for espionage, sabotage and subversion. Mandiant has also noted how the GRU will often use espionage operations as platforms from which to undertake cyber effects operations, showing no real adherence to a strict categorisation of activities.

  • Russia tends to escalate rather than back down ‒ This willingness to switch approaches also points to a comfort with escalation. The most blatant example is the progressive intensification of Russian activity against Ukraine since 2000, which culminated in a full-scale conventional war. Owen et al. observe of several eastern European cases that when “Putin’s Russia is unable to attain foreign policy goals through corruption … it might well do so via force later on”. Russia now seems increasingly open to escalation against Western targets too. As Giles describes, since 2014, Russia has become “more and more willing to reach into Western countries and do direct harm, through sabotage, murders and assassinations, undisguised electronic warfare, false-flag cyber-attacks and more”.

  • Russia is tolerant of risks ‒ Russia seems much more willing to act despite the high risk of failure and public discovery, and will skirt the line between overt and covert action, often behaving in ways that provide an easy trail leading back to its operatives. While some experts simply explain this as poor tradecraft, others believe that the recklessness is part of the point of the action. For example, even though the operation to kill Sergei Skripal failed and its operatives were publicly identified, it sent a message to enemies of the Russian state. As Cormac writes: “you cannot escape the past; we can come for you; you can never relax”.

  • Russia’s methods are ethically and legally questionable ‒ Russia appears more willing to breach the norms of legality, ethics and proportionality typical of Western states. In both the Skripal case, and the assassination of Alexander Litvinenko, Russian operatives used weapons-grade chemical and radiological materials, which not only promised a horrific death for the targets, but risked the lives of innocent bystanders; indeed, in the Skripal case, the only individual to die was UK national Dawn Sturgess, who had no connection to the Skripals.

  • Russia is as interested in psychological as physical effects ‒ In addition to Russia’s interest in tangible outcomes to clandestine and covert action, it also shows a pronounced interest in creating intangible psychological effects on its targets, especially by using information operations. Russia’s widespread involvement in online disinformation, hacking and leaking operations, and other forms of political electoral interference shows a consistent assumption on the part of Russia that shaping the psychological landscapes of opponents or targets is extremely valuable and important.

Russia’s style and method of approach towards hostile activity might therefore be summed up as committed and adaptive. The underlying spirit of Russian hostile activity is a persistent attempt to wrong-foot opponents by acting outside expectations and norms. Much like Keyser Söze, the shadowy villain of the film The Usual Suspects, Russia’s modus operandi is to try to appear willing “to do what the other guy wouldn’t”. However, the image of sinister brilliance Russia seeks to project is not always matched by its performance; Russia can also be wasteful, messy, reckless and pointlessly transgressive (see section 8).

6.5.2. China

While China does not completely eschew the kind of aggressive moves exhibited by Russia, it prefers to resort to them only when necessary, what Economy terms China’s “Iron Fist in a Velvet Glove” approach. As Allen notes, China places great value on using tools and policies that appear to bring positive benefits to a target state, but which, in her words, also have a “dual function” if needed for more malign purposes. As a result, the characteristics and contours of China’s activities seem relatively less threatening than Russia’s, calibrated to avoid direct confrontations with the US and other Western powers.

  • China is heavily focused on commercial and knowledge-focused espionage ‒ Espionage has become increasingly important to the Chinese effort to secure economic, commercial and technological secrets that help it to catch up with, and surpass, US economic and military power. According to Eftiamides’s figures on recent Chinese intelligence activities, China’s major espionage efforts have focused on commercial, scientific and educational targets in California’s Silicon Valley, New England, Florida and Texas, whose areas of expertise correlate closely with the technological priorities of China’s “Made in China 2025” industrial policy. Only 25% of China’s espionage or covert action operations have therefore been against traditional political and military targets. This knowledge-focused espionage is occurring on a grand scale, even collecting data that have no immediate use or are inaccessible due to encryption.

  • China makes substantial if not exclusive use of cyber tools in espionage ‒ A significant proportion of China’s espionage effort is conducted through cyber incursions. But even so, the human element remains important, and China continues to use classic techniques to recruit human sources, or to run undercover operations. Social media has played a vital role in China’s efforts to identify and cultivate potential new sources, but this is only a starting point, and also relies on human relationship building and face-to-face interaction to bear fruit. As Eftiamides describes, much Chinese espionage is thus in fact “HUMINT enabled cyber espionage”, rather than pure cyber espionage.

  • China takes a whole-of-society approach, but state and party agencies are central to its efforts ‒ The breadth of China’s espionage efforts has demonstrated the role all Chinese individuals, businesses and organisations have in intelligence collection. Indeed, Chinese national laws mandate that all Chinese businesses and nationals work with intelligence agencies, both at home and abroad. This has led some to propose a “1,000 grains of sand” theory of Chinese intelligence collection, which as China expert Joske describes, is based on a vision of China sending “a stream of tourists to the beach in broad daylight, each picking up a single grain”, which can be “analysed and aggregated to form a brilliant picture” back in Beijing. However, Joske argues that this is probably something of an overstatement, as MSS and PLA officers, embedded in all sectors of Chinese society, remain China’s core operatives. It also appears that, although China maintains relations with non-state actors such as commercial contractors, “patriotic” Triads and cyber-criminals, they lack the range and magnitude of those in Russia; for example, most of China’s identified hacking groups are affiliated with either the MSS or the PLA.

  • China is focused on building its own image and reputation ‒ Economy argues that China sees the wide acceptance of its narratives and perspectives as a key tool in its campaign for global pre-eminence; but while China wishes primarily to promote a positive image of itself, it is eager to silence its critics too. As Mao Zedong stated, a strong reputation, enhanced through “united front work”, was one of the CCP’s “magic weapons” alongside the armed struggle to defeat its enemies. China has therefore used less obtrusive techniques of subversion than Russia, seeking to push the narrative of China’s peaceful rise as a way to anaesthetise and numb Western governments, rather than exploit social divisions to cause confusion and chaos. However, it has cracked down hard on negative counter-narratives. Accordingly, China’s harshest intimidatory, disruptive and subversive measures are directed at domestic dissidents and Taiwan.

  • China takes a twin-track approach to regional and global opponents ‒ China takes an aggressive stance towards local opponents such as Taiwan. According to Taiwanese government figures, the island faces 30 million cyber attacks a month, half of which come from China. By contrast, much of China’s overt hostility towards the West has a performative feel, based on a combination of harsh rhetoric and the primary use of economics as a tool of coercion, such as trade bans on some Australian exports in 2020, the last of which was lifted in March 2024. China’s favoured approach to getting what it wants from Western countries is to weaponise access to the Chinese market, with the threat of its loss used to put pressure on Western business interests, and from there, governments. As Allen comments, “companies and countries around the world increasingly see … [China] as vital to their prosperity,” a perception China then uses “to incentivize adherence to its most fundamental geopolitical objectives”. In more obviously combative spheres of operation, China has proved equally cautious. It has mostly sidestepped major physical sabotage or cyber effects operations, and was “notable by its absence”, according to Cormac, in external efforts to meddle in the 2020 US presidential election. China has become more aggressive in the disinformation and cyber effects spheres since the Covid-19 pandemic, but it is not yet clear this amounts to a permanent switch in behaviour.

  • China takes an indirect, “guerrilla” approach to its operations ‒ Following the guerrilla thinking of the Mao era, China often tests rivals by using multiple small probes which, as Kilcullen describes, pose “a bandwidth challenge … by expanding the spectrum of competition beyond … [a] rival’s capacity to cope”. Where resistance is weak, China will press its advantage; where resistance is strong, China will step back and bide its time or switch approach ‒ there is no timetable per se, and methods and routes of travel can vary, although the intended objective will remain the same. China will also seek out unguarded vulnerabilities, a technique known as nongcun baowei chengshi or “using the local to surround the center”. Malign influence operations, such as that which allegedly targeted Eric Swalwell, will often focus on those at an early stage of their career, operating in local rather than national politics, exploiting their naiveté and obscurity, and laying the groundwork for more valuable exploitation if the target reaches the national stage at some future point.

Where Russia is free-wheeling and confrontational, therefore, China exhibits greater discipline, control and risk aversion. If China can achieve its aims by apparently fair rather than foul means, it will do so. As the previously quoted anonymous China expert noted in interview, China sees itself as “a stabiliser, not a disrupter”. China has “a passion for stability and order”, and although willing to accept a certain amount of chaos if it causes problems for the US, views too much as a danger to its own political interests. Nonetheless, China does not shy away from tough measures or underhand behaviour, and it has become expert in manoeuvring around Western institutional defences, rather than attacking them directly. Alluding to the writings of Chinese military strategist Sun Tzu, Eftiamides explained in interview that the Chinese approach was conceived as being like “running water, flowing into the vulnerabilities and openings left by opponents”.

6.5.3. Iran

Since the 1979 revolution, the Iranian regime has also followed an indirect strategy in confronting its opponents. Examples of overt hostility towards the US and Western states have tended to be acts of performative defiance; for example, mistreating dual nationals such as British-Iranian teacher Nazanin Zaghari-Ratcliffe, imprisoned in Tehran between 2017 and 2022, or shadowing and occasionally boarding Western oil tankers in the Persian Gulf. In the covert sphere, Iran has been more aggressive, and has made great use of cyber tools to support espionage, disinformation campaigns and disruption. However, as Moore notes, underlying Iranian caution means that cyber operations are more likely to focus on soft targets in the private sector or civil society, where the aim is to “exact a cost from otherwise capable adversaries by targeting their population directly”. Nonetheless, while recognising that some of Iran’s cyber operations lack professionalism, Moore also argues that for a country of its size and resources, it “can punch above its weight”.

Iran’s other hostile activities are conducted against local rivals such as Israel and Saudi Arabia; when acts are undertaken against Western states, these are more likely to take place in “neutral” regions such as Latin America or Africa, and involve partners such as Hezbollah. In such circumstances, moreover, Iranian agencies, especially the IRGC, play the role of orchestrator and enabler of non-state actors’ attacks on Western interests, rather than being a direct participant. Working with non-state actors is a critical and largely intentional element in Iran’s approach, including not only terrorist groups and militias, but other legitimate and illicit actors. As noted previously, the IRGC has contracted commercial providers for online disinformation cyber operations, and used OCGs to target dissidents in Europe for assassination.

6.5.4. North Korea

North Korea was responsible for many hostile overt and covert acts in the last century, including the attempted assassinations of South Korean presidents in 1968 and 1983, and terrorist bombings, such as the attack on Korean Air Flight 858 in November 1987. However, this kind of outrageous violence, if not completely absent from the regime’s current repertoire, is a less common aspect of its behaviour now, although it continues to mete out retribution against defectors’ families. To the extent that North Korea has pursued covert campaigns of espionage, physical sabotage, cyber effects operations and disinformation, activities have largely targeted South Korea. Alex O’Neill remarked, in an interview that took place while he was conducting research at Harvard University, “South Korea remains the North’s greatest target, in every sense, and to a lesser extent Japan and the United States”. Nonetheless, despite Pyongyang’s undoubted hatred for the South, many of its attacks have an air of comedic desperation, as exemplified by the spate of rubbish-filled balloons dispatched across the border in 2024.

In the wider world, North Korea’s antisocial behaviour is overwhelmingly concerned with generating much-needed funds to support the state. Cybercrime, described by Kim Jong Un as “an all-purpose sword”, is the most important of these by far, leaving few countries untouched; even supposed “friends” such as Russia have been targeted. North Korea also has a history of collaborating with OCGs in illicit money-making, but in the past three decades, many of these associations have narrowed as the North Korean state has reduced its direct involvement in the distribution of illicit goods such as drugs.

6.6. Conclusion

Comparing volumes and trends for various types of state threats is currently hard to achieve with any precision. However, while accepting these difficulties of comparison, some discernible and logical patterns do emerge, suggesting both continuity and innovation, and a measured view of what the growing wave of state threats means in practice. Event-style actions, while attracting more attention, are often riskier and require greater preparation. They are thus much less common than process-style activities; probably the most significant boom in activity has been in business-as-usual covert activities such as espionage and online disinformation campaigns, both of which can be magnified in effect by combining human operatives and cyber tools. It is also important to note that however reckless states can be, there continue to be apparent constraints on certain types of action, mostly around the use of lethal violence on a mass scale.

Moreover, although non-state actors are becoming more important to the execution of state threats, state actors remain at the core of the phenomenon, whether providing concrete orders, setting requirements or providing a “vibe” about what types of behaviour are expected or would be welcomed. It also remains the case that state operatives provide the operational backbone that ensures the execution of state threats. Others, especially criminals and PMCs, are certainly involved in a wide range of hostile activities, but they appear to be most often used where there is a call for niche skills or access, or where violence is required.

These general patterns accepted, significant national variations in modus operandi are also apparent. Russia has a much greater risk appetite than nearly any other state, followed by Iran and North Korea. China is more circumspect and cautious by comparison. Although there is a large common playbook of hostile activities, each state makes its own choices about which techniques to apply, framed by contextual factors such as resources and capabilities, but also by its underlying motives and objectives. The next section thus moves on to ask the question of why these states are using hostile actions as tools of policy.

7. Explaining state threats

Explaining the growth in contemporary state threats has two aspects. The first is motivational, a question of asking why certain states are behaving in a hostile manner. The second is practical, considering why states are expressing this hostility through sub-threshold, covert acts, rather than using more traditional means, such as diplomacy or even war.

7.1. Explaining hostility

Understanding the cause of interstate antagonism has remained one of the most fundamental questions in international relations. Those of a realist persuasion see state hostility in terms of threats, interests and hard power calculations, while those with a more liberal perspective see conflict arising from clashes of values and ideologies, compounded by an absence of shared institutional structures and economic relationships. Views within both broad schools of interpretation are numerous, however, and scholars of one school or the other can take very different approaches to the same issue. Unfortunately, there is no way to do justice to all realist and liberal interpretations of state antagonism here, let alone choose which one provides the most satisfying explanations. However, they do remind us that power and values are important potential causal factors in states’ behaviours, both of which need to be taken into account when understanding the growth of state threats.

In comparison to international relations, military scholarship has taken a more functional view of recent developments, showing how the process of military evolution – both technological and doctrinal – has helped shape how states behave in the current international environment, with much of the recent debate focusing on the role of technology. Many cyber security scholars argue that the rise of relatively accessible cyber weapons has been a great leveller between states, enabling even small states to take aggressive action at a low cost. They argue that states are becoming more hostile in the cyber sphere because they have the means to be so. In addition to these thematic perspectives, country-focused studies in domestic political science and history have also looked to understand the behaviour of particular states through their individual governance structures, histories, cultures and other distinctive factors. Although such interpretations usually accept the reality and influence of broader global trends, they naturally emphasise the primacy of domestic sources of international behaviour. This perspective implies that waves or patterns of international behaviour – such as greater interstate hostility – are more likely to be the result of the coincidental alignment of several states’ separate political trajectories, rather than a single global phenomenon.

As this brief survey suggests, each style of interpretation has some intuitive strength. Power balances and calculations are fundamental to states’ understanding of their national security; a regime’s world-view and mindset will naturally tinge how it sees and thus reacts to the outside world; access to cheap offensive weapons makes it easier to take an aggressive path; and a state’s history and culture are bound to shape its fears, hopes and ambitions. However, none of these approaches alone is sufficient to explain the current state of international politics, and each has its problems. Realists often fail to give due attention to the role leaders’ personalities and regime ideologies play in framing power calculations; it is hard to believe that the second world war would have happened as it did without the peculiar perspectives of Hitler and the Nazi Party. Conversely, liberal scholars can also go awry by not taking power realities into account, or by applying too doctrinaire a view of the effect that regime type has on state behaviour. Despite the claims of some liberal democratic peace theorists, not all authoritarian states are aggressive.

The explanations of strategic thinkers, who see increasing hostility as a natural result of the increasing effectiveness of offensive over defensive power, are similarly incomplete. They can show how new weapons and techniques enable states to be more hostile, but not why they might be more hostile; there is, after all, no requirement to use new weapons. As Smeets has shown, for example, a growing number of states have developed offensive cyber capabilities, which they have then only used in limited ways. Finally, country-focused historians and political scientists, while correctly emphasising the importance of national peculiarities in shaping state behaviour, can miss or downplay the effects of common interests, ideas and political predicaments shared by states at any given time. States following similar patterns of behaviour are not likely to be identical in motives and objectives, but any set of obvious “family resemblances”, in the phrase of philosopher Ludwig Wittgenstein, is unlikely to be wholly down to random chance.

7.1.1. A pragmatic approach

These various strengths and weaknesses thus need to be taken into account. Yes, power and power balances matter; systems and ideas matter; weapons and tools matter; history and culture matter. But state decision-making is far from monocausal or static; the dynamic interactions between power, interests, ideas, memory and much else besides shape state behaviour. As a consequence, this paper takes a pragmatic approach that draws on these schools of thought, but is not necessarily slavishly attached to them. Initially, it looks towards the fundamental mismatch between how major authoritarian states such as Russia and China, and the Western world, believe the international system should operate. It further explores how this difference has come to matter more as economic, political and military power balances have shifted against the Western world. Rising powers have expected to see a West that is more willing to make concessions, but their expectations have often been disappointed. After surveying the broader international environment, the section moves on to the distinctive situations of the main revisionist states. While they have a great deal in common – their dislike of Western global leadership in particular – a variety of influences mould their behaviour, such as the character of political leaders, regime ideology, economic strength and so on.

Before proceeding, it is important to note that what follows is not intended as an apologia for certain states’ activities, or as a critique of Western policy. Its aims are to understand and explain, rather than justify. While some of the roots of current interstate hostility are genuinely defensive from those states’ perspectives, it does not necessarily follow that this is reasonable or that their responses are justifiable. Moreover, the states in question clearly have their own revisionist agendas, which contradict much of their public rhetoric about the importance of sovereignty and international respect. While they might wish to paint themselves as victims, this is an incomplete view at best and a highly misleading one at worst.

7.1.2. A clash of world-views

The broad context for the current situation is a profound difference in visions for the international system. Since the end of the Cold War, the US and other Western countries have promoted liberal democratic values and free markets (often called the Washington Consensus), a rules-based approach to international order, and an increasingly interventionist position on the international community’s right to control the spread of weapons of mass destruction (WMD), and to police domestic human rights, known as the Responsibility to Protect. This Western vision has long been a challenge for North Korea and Iran, whose attempts to follow idiosyncratic ideological paths and develop WMD and ballistic delivery systems – despite their international commitments – have put them at odds with most of the rest of the world, leading to international sanctions in both cases.

However, despite a less obviously adversarial stance in the 1990s and 2000s, neither Russia nor China has been enamoured of the Western version of the international order. In fact, they have rejected many Western precepts and held to a traditional theory of international relations that stresses the inviolability of state sovereignty and the duty of non-interference in other states’ affairs. Both the Russian and Chinese governments have also expressed a preference for what they see as a stable and ordered world, managed by the great powers, a group in which they include themselves, rather than one where the US and its allies pursue the creation of an ideal international community of their own design. Although neither leading revisionist state seems to have a desire to export its model in detail, both Russia and China have shown support and encouragement for authoritarian regimes in the developing world. If they do not wish to promote authoritarianism per se, they have been eager to make the world a safe place for it to flourish.

However, while both Russia and China use noble rhetoric about the UN and present themselves as defenders of state sovereignty, their vision of world order is also deeply rooted in self-interest. Both countries’ views on sovereign equality and non-interference are qualified by a belief that great powers are different from other states: because of their status, they have the right to be consulted on all major global issues by their peers, and they have a special dispensation to pursue their interests in their respective regional spheres of influence. Despite the arguments of realists such as US political scientist John Mearsheimer that in some way revisionist state behaviours are being caused by ill-advised Western pressure, these states do have an expansive international agenda of change, independent of Western policy, and one which would not disappear if the US and the West more broadly took a different stance.

This difference in world-view between the West and revisionist states would of course remain theoretical and academic if there were no arenas in which they might actively conflict. However, over the past two decades, there have been multiple opportunities for friction to occur and increase. At its mildest, the Russians and Chinese have become aggravated at playing an inferior role to the US on the international stage, a position neither country, as self-understood great powers, believes is appropriate. US domination of international institutions such as the UN, the International Monetary Fund and the World Bank, has led many emerging powers to rail against a closed system designed for what they argue are Western interests alone. Both Russia and China have also opposed the Western use of force without UN Security Council approval ‒ first to defend human rights in Kosovo in 1999, then to tackle WMD proliferation in Iraq in 2003 – seeing the interventions as an affront to their right to be consulted and acts of hypocrisy by states that claim to support a rules-based order.

More dangerously, the leading revisionist states have increasingly taken issue with the growth of Western alliances such as NATO, and most intensely in those regions they consider to be part of their spheres of influence. Not only do China and Russia see the development of multilateral alliances as inappropriate Western meddling in regions that do not concern them, they see them as potential challenges to Russia and China’s territorial integrity and regime stability. The revolts of the Arab Spring and the so-called “colour revolutions” in the states of the former USSR have caused particular anxieties, due to an inchoate fear that such revolts could be used by the West as grounds for providing material support to opposition groups, or justifying military intervention and regime change, as occurred in Libya in 2011.

Some in the West see such fears as ludicrously paranoid, or even as disingenuous excuses for bad behaviour. Nonetheless, whether reasonable or otherwise, these fears are not completely without foundation in countries that historically have been vulnerable to invasion and bouts of political upheaval, as China, Iran and Russia all have been. At the same time, however, even if it is possible to empathise with these fears of the West and Western influence, they do not provide a good justification for the revisionist states’ desires to apply double standards to state sovereignty in their own spheres of influence. Nor, moreover, do they help us understand why hostile attitudes have translated into increasingly hostile behaviour towards the West in the past decade or so.

7.1.3. Changing power balances

Clearly, the leading revisionist states have felt emboldened in recent years to take their own path, regardless of the views of governments in the West, and sometimes in active opposition to it. While this might in part reflect the accumulation of annoyances, disagreements and perceived slights of the past two decades, it is unlikely these would be sufficient to justify taking on the West without any reasonable hope of success.

This rising level of confidence has come from somewhere, therefore, and is most probably connected to changes in global power balances, both concrete and perceptual. In the past two decades, global shares of economic strength have shifted dramatically from the US and its allies towards China and emerging economies represented by partnerships such as the Brazil, Russia, India, China, South Africa (BRICS) group. According to some estimates, the BRICS countries’ share of global gross domestic product (GDP) passed that of the Group of Seven (G7) major Western economies (Canada, France, Germany, Italy, Japan, the UK and the US) around 2020, with the BRICS representing 35.43% of world income in 2024, compared with the G7’s 29.64%. Historian Paul Kennedy argued in the 1980s that political and military strength, as well as the desire to use it, tend to follow in the wake of growing economic might, and this relationship seems to have held true in the current age. With their growing relative strength, states such as China and Russia have been increasingly emboldened to act on their disagreements with the West. As US analyst Thomas Wright has written, Russia, China and similarly minded states only “tolerated the liberal order when they were relatively weak”. However, the shifting balance of power has offered them the opportunity to pursue their interests, and both to defy and to assail the West in a way that was impossible or quixotic before.

It also seems likely that this power shift has triggered something like a bandwagon effect among the revisionist powers and possibly beyond; as one power appears more willing to challenge the current US-led international order without existential consequences, the more willing others become to emulate it. In just this vein, China expert Shogo Suzuki has argued that in recent years, the international system has witnessed the development of a subculture of states that reject Western norms, which he describes collectively as a “delinquent gang”. As revisionist states have become more powerful, their perspectives and behaviour have become validated in their own eyes and those of other states. As a result, any stigma that might have previously attached to perceived “bad” international behaviour has begun to dissipate. This is an accelerant not only for the revisionist states themselves, but for others who might follow their lead, enlarging the gang of delinquents further still. As Julien Bastrup-Birk, a RUSI associate fellow and former UK official, suggested in interview, “if the major powers like China start changing the rules of the game, others will follow their lead, resulting in a further erosion of the Westphalian model”.

But an increased willingness to take a stand against the West has not just arisen from growing non-Western strength, but also an increasing perception that the West itself is in dramatic decline, a view held even within Western countries themselves. The global financial crisis of 2007-08 highlighted the weaknesses of the Western economic model, while the military and political failures of the interventions in Afghanistan and Iraq suggested that the US and its allies could no longer impose their will on other states as they had done in the past. With the US and its partners seeming like “paper tigers”, moreover, many non-Western states have begun to feel less fearful about acting against Western expectations, and less optimistic about receiving US support in the event of outside aggression. In the words of Ivan Krastev, a political scientist, such states “are determined to be at the table and not on the menu”. The moral and ethical reputations of the US and other Western powers were also tarnished by perceived claims of hypocrisy and deceit over the origins of the war in Iraq, as well as subsequent scandals about the use of torture, spying on allies and domestic surveillance. As US political scientist Alexander Cooley argued, to many in the developing world, the West appeared not only to be failing materially, but morally, putting it in “normative retreat” for the first time in decades.

7.2. Choosing state threats

Historically, revisionist states have often turned to the use of diplomacy to assert their dominance over declining powers in changing geopolitical environments. Indeed, China has made considerable efforts to reshape existing international institutions along more palatable lines, while creating parallel multilateral structures that it dominates. However, the application of military means has also been common. Russia and China have made massive investments in their militaries in recent decades, as they have sought to create conventional and nuclear forces capable of challenging US military pre-eminence. Russia has, moreover, used its forces against non-NATO states in its near abroad too; first against Georgia in 2008, and then against Ukraine from 2014 onwards, and on a much grander scale since 2022.

However, neither Russia nor China has so far sought to use its military forces in direct military confrontations with Western states. Iran and North Korea have also been circumspect about the levels of military force they have deployed, against powerful regional opponents such as Israel, as much as against Western countries.

The reasons behind the decision to use state threats rather than diplomatic or military means have been subject to a growing debate in the fields of international relations and intelligence studies. Looking at the use of covert action in the context of foreign wars, political scientists Austin Carson and Keren Yarhi-Milo have suggested that one attraction of such a type of intervention is to send a “signal” of carefully calibrated commitment and engagement to both friend and foe alike. Other political scientists have taken alternative perspectives. Looking at historic cases of US regime change, Lindsey O’Rourke has suggested that the decision to use covert rather than overt means has been driven by a variety of tactical and strategic concerns, especially controlling costs and limiting consequences. Also analysing US involvement in regime change, Michael Poznansky has proposed that the choice of covert means has been guided by a desire to conform to the appearance of international law, by not overtly breaching the principle of non-intervention.

Some care is required to avoid assuming that these findings immediately explain the contemporary use of hostile state actions, however, drawing as they do on the past actions of the US rather than authoritarian states, and focusing on particular types of hostile actions, rather than hostile action as a whole. Nonetheless, they do provide useful indications as to why states choose to use hostile acts as a form of state policy, especially when it comes to demonstrating that they “remain in the game”, while seeking to minimise disruption and reputational damage.

Indeed, this balance between feasibility and risk – doing what is materially possible within the bounds of the politically sustainable – is probably at the core of why the revisionist states are using state threats. As Venezuelan journalist Moisés Naím notes, following the ideas of management scholar Ian MacMillan, state decisions about strategy and tactics are largely based on: (a) the range of tools available to the state; and (b) the scope and constraints of their given situation. In the cases of Iran and North Korea, neither can start a conflict with a regional opponent, particularly one tied to the US, and expect to win outright, or without unpleasant and possibly existential consequences. As their response to Iran’s aerial attacks on Israel in April and October 2024 indicates, the US and its allies would come to the aid of Israel in the event of a direct Iranian attack. This would also be the case if North Korea attacked South Korea, a country with which the US has a bilateral defence treaty and close military cooperation.

At the same time, even Russia or China would be taking a great risk to use its military in a direct confrontation with the US or one of its allies. Certainly, both have substantial militaries, but Russia has struggled to subdue a much smaller power in Ukraine, and China has not deployed the PLA in a major conflict since the war against Vietnam in 1979. Although there has been a shift in overall geopolitical power dynamics, therefore, the US and its allies have maintained a level of military dominance that has dissuaded others from seeking to challenge them directly, at least for the time being.

How best to express strength and hostility then, if not through military force? Kilcullen suggests that the obvious step, and the one taken by the revisionist states, is to apply “a suite of ‘offset strategies’ to sidestep … [Western] conventional power”. In other words, state threats. Firstly, these covert actions – sabotage, subversion and so on – can seem relatively cheap options in comparison to a military operation. Secondly, if they succeed, they offer the potential to create a large effect for a small investment. Thirdly, they are easier to abandon if they go wrong and deniable even if they succeed. Driven by operational realities and practicalities, Bastrup-Birk described in interview how the use of such “deniable proxy levers of influence, alongside indirect forms of warfare and power projection” could be seen as “the logic of the wise”, with the revisionist states choosing “to play to their strengths and not those of their opponents”.

None of the aforementioned benefits are assured of course. As intelligence scholars point out, operations can metastasise out of control, have unintended consequences or cause severe reputational damage. “Plausible deniability” is, as Cormac and Aldrich argue, often an unconvincing concept in practice. Nonetheless, covert acts do at least provide the benefit of causing particular difficulties to Western states, which struggle to assess their seriousness and calibrate an effective response within a credible timescale. Like naughty children seeking to annoy a neighbour by ringing their doorbell and then running away, the revisionist states can use these methods in relative comfort, confident as they can be that they will not provoke a response ‒ or, at least, a response that is likely to bother them.

7.3. State case studies

If there are significant similarities in motivation across the revisionist states, there are also variations between them. While this paper cannot provide an exhaustive review of each state, it aims to provide a balanced summary of relevant issues, recognising the sensitivities involved. Some states may have unpalatable motivations and questionable world-views from a Western perspective, but that does not immediately imply they are not sincerely held. There is no reason to suppose that all states will react to a given international environment the way Western states do; as Omand has written, we need to avoid “mirror imaging” and “transferred judgement” when assessing the causes behind the behaviours of other international actors. We should not assume or presume that our potential opponents will, or should, feel and think as we do.

7.3.1. Russia

Of the two largest revisionist states, Russia’s adversarial attitude is the most pronounced and durable. Indeed, President Putin has been making deeply critical comments about US and Western policy since his Munich Security Conference speech in February 2007 from 2022. Putin’s real intentions are a puzzle that has long absorbed Western academic and policy circles, not unlike the “Kremlinology” of the Cold War. Unsurprisingly, wide divergences of opinion remain, as described in the four “versions” of Putin below:

  1. Russian nationalist or imperialist ‒ While those holding this view note that Putin’s behaviour has become more hostile over time, they suggest that the changes are less dramatic than some would portray them, and that his motivations and aims have been driven by nationalism and are largely consistent. Such observers see Putin as nostalgic for the USSR and/or Russian empire, typical of the Soviet security class from which he came, and a leader who would like to revive Russian power.

  2. Victim of the West ‒ Others see Putin starting his office on good terms with the West, only pivoting to hostility around his return to the presidency in 2012 in response to Western behaviour. The reasons given for this pivot vary. Some cite NATO’s expansion up to Russia’s borders; others, supposed covert US support for domestic protests after Putin’s re-election in March 2012.

  3. Failed moderniser ‒ Another camp also sees a change in Putin’s behaviour over time, with him coming to office as an economic moderniser, then shifting back to an approach mired in corruption and authoritarianism. In this version, Putin’s increasing hostility towards the West has partly been a distraction for his own population from his own failure. As Russia analyst Lilia Shevtsova describes, hostility has been a psychological trick, offering the Russian people a reminder of “what it feels like to be a great power”.

  4. Compulsive tactician ‒ Finally, several observers have questioned whether Putin has any guiding principles or strategic objectives. In this version, Putin is constantly calculating tactical margins, and taking action to achieve short-term gain, depending on the circumstances. This suggests that Russia’s behaviour on the international stage simply reflects Putin’s day-to-day power calculations, rather than long-term goals.

Comparing these interpretations, it is clear that a primary issue is whether Putin has core beliefs. Overall, Putin’s public statements and behaviours over the past 20 years suggest that he does, and that they sit broadly within the discernible traditions of Soviet and Russian imperial thinking, as suggested by the first school of interpretation. Putin, and the cadre of intelligence and military securocrats from which he emerged (the siloviki), share what Russia expert David Lewis has described as a common “mental map that interprets the reality … not a clearly articulated belief system, but a set of shared understandings of contested concepts among a group of political actors”. Another Russia expert, Brian Taylor, has labelled it the “Code of Putinism”, combining a shared body of “habits, emotions, and ideas” on which Russia’s behaviour is based. Within the boundaries of this code, several beliefs and policy corollaries are central:

  • Russia is a global power ‒ Russia is seen as a natural great power with interests across the world. In this, it is among a small group including the US and China. Smaller powers should therefore be deferential towards Russia, and peer states should pay due attention and respect to its views. Russia should thus enjoy a leading position in international institutions such as the UN.

  • Russia has natural spheres of influence ‒ Russia scholar Ruth Deyermond notes that Russia operates a double standard, arguing on the one hand for non-intervention in its own affairs, while on the other, positioning itself as the grand arbiter of affairs within its regional spheres of influence. For the Putin regime, Russia has unchallengeable strategic interests in the states of the former USSR, eastern and northern Europe, and even the Arctic. Of these, the former Soviet states are the most important, some parts of which – eastern Ukraine being the key example – are seen as being part of historic Russia, which should be returned to the homeland. Russia also sees its vital interests as cultural, as well as geographic, viewing itself as a guardian of Russian culture and honour across the world, giving it both the duty and the right to intervene to protect and promote the interests of Russian nationals and speakers, and to defend the honour of Russian culture and history.

  • Russia is under threat, from within and without ‒ Riehle notes that the regime, so heavily staffed with siloviki, is deeply entrenched in “the chekist mindset”, which goes back to the original Soviet secret police, the Cheka. According to the chekist view, Russia’s geographic integrity and political stability are under constant threat from outside powers – especially Western democracies – and internal dissidents acting as their agents. As a result, the Russian state “is constantly looking for, and sometimes fabricating, a connection between domestic threats and foreign enemies”, to fulfil its psychological expectation of threat.

These beliefs did not appear suddenly in 2012; there are traces of them in Putin’s public pronouncements going back to the first two terms of his presidency. Putin saw the hand of unnamed foreign powers in terrorist atrocities such as the Beslan school siege in 2004, for example, and he was actively bemoaning the end of the USSR in 2005. His angry speech about Western international behaviour to the Munich Security Conference in 2007 has already been noted.

However, in his early years in power, Putin was more cautious about translating hostile attitudes into hostile activities. Despite his deep-seated suspicions of the US, Putin at first judged that he was more likely to meet his goals through cooperation than confrontation. Sergei Pugachev, an oligarch, explained to Belton that Putin’s apparent friendliness was pragmatic and not undertaken “out of any sense of generosity, but because Putin expected something in return”. He did not receive these rewards, however, and over time, his resentments grew as Western policies increasingly cut across Russia’s perceived interests. The geographic expansion of NATO into the post-Soviet space, and US criticism of human rights abuses in Russia not only angered Putin, but stoked his paranoia. Putin and his associates became increasingly convinced that the colour revolutions in Georgia, Ukraine and other post-Soviet republics, as well as protests in Russia in 2012 following Putin’s re-election as president, were Western interventions intended to overthrow his regime and break up Russia. A further aspect of the antagonism, moreover, was hurt pride. Western encroachment into Russia’s perceived sphere of influence was taken as a major slight by Putin, as was Russia’s diminution on the world stage. Putin was reportedly particularly riled by President Obama’s comments in December 2016, when Obama dismissed the threat from Russia, describing it as a “smaller … weaker country” about which the US had little need to be anxious.

Putin’s perceptions that Russia was being thwarted and scoffed at by the US and its allies – reasonable and rational or not – laid the ground for a policy that was increasingly hostile and more in tune with the basic presumptions of his world-view. With little to be gained from trying to negotiate with the West, the alternative was to disrupt and challenge it in the hopes of creating a strategic dividend favourable to Russian interests. Russia became better positioned to do this, moreover, as the century wore on, as the period of economic collapse at the end of the 20th century was replaced by an economic boom and burgeoning government revenues based on the massive growth in its export trade in hydrocarbons; from 1999 to 2008, Russia’s GDP grew by 94% and its GDP per capita doubled. This meant that Putin not only felt Russia had to take a stand against the West, but also that Russia had growing means to do so.

Of all the revisionist powers, Russia has thus been the most willing to risk direct military confrontation with the West, especially in Ukraine. Nonetheless, it has sought to skirt the edges of military conflict, most probably because it is aware, even after years of military investment, of how poorly placed it would be to fight NATO directly. As a result, it has made a virtue of necessity, opting for what Galeotti has described as a form of “guerrilla geopolitics”, where covert means are used to attack the West from the inside, exploit weaknesses, encourage divisions and force the West to fight itself, rather than Russia. In doing so, it has also drawn upon the strengths of a long Soviet and Russian covert tradition, which takes a permissive view of the acceptable boundaries of peacetime hostility, and emphasises the use of daring, improvisation and a willingness to exploit opponents’ response thresholds to make up for material weaknesses. The hyperactivity of this campaign in part also reflects a historic penchant in Russian agencies for “action for action’s sake”, along with high levels of inter-agency competition. As Riehle notes, the Russian services “have a tradition of rivalry, partially due to intentional overlaps in their missions”. This level of competition is likely to have increased with the growing number of non-state actors available to undertake hostile activities.

7.3.2. China

China’s engagement with the US and its allies was presented by the majority of China experts during the 1990s and 2000s as part of a “peaceful rise” to global power. According to this argument, China was rising in global importance through internal development and cooperation with the West, rather than conquest and confrontation. Although some Western observers of China still give credence to this narrative, an increasing number now perceive China as increasingly aggressive, and willing to challenge the US at global level. However, despite a growing consensus in this regard, there is a wide spectrum of opinion on why the change in the character of its behaviour has occurred. The three most common interpretations of this shift are outlined below:

  1. The grand plan ‒ Holders of this view tend to see the apparent rise in Chinese hostility towards the West as part of a long-term Chinese plan. According to these analysts, China has sought to lull the West into a false sense of security by focusing on friendly economic and political engagement, before then switching to direct confrontation once US power has been overtaken; one book along these lines has the title The Hundred Year Plan.

  2. The unavoidable crisis ‒ In a less conspiratorial take than the “grand plan”, this interpretation tends to see China’s growing antagonism towards the West as a natural consequence of the clashes that occur between rising and declining powers, especially when they struggle to find ways to accommodate one another and have differing views of how the world should work. While accepting that China has long assumed its ascent would naturally lead to dominance, this interpretation does not necessarily cast China’s conduct in an especially nefarious light, but rather as a function of power political realities.

  3. The Xi pivot ‒ Another group of scholars sees the critical factor in the intensification of Chinese hostility towards the outside world as a reflection of the character and views of President Xi, who became general secretary of the CCP in 2012, and president of China in 2013, and subsequently one of the most powerful Chinese leaders since Mao. These scholars note that Xi has pushed China’s formerly bureaucratic authoritarianism towards a more personalised model, while taking a more repressive tone at home, and a more nationalistic and aggressive one overseas. In this, they believe, Xi is very different from his more conciliatory immediate predecessors, Jiang Zemin and Hu Jintao.

Of all three versions, the idea of the “grand plan” is the one most open to question. The proposition that the Chinese leadership set and then followed a long-term plan over many decades, changes of leader, and throughout major historical vicissitudes such as the Great Leap Forward and the Cultural Revolution, is hard to accept. Likewise, the idea that there is something “natural” about current levels of Chinese antagonism towards the West seems too deterministic; as China expert T.V. Paul has noted, confrontations between rising and declining powers are likely but not inevitable, and peaceful accommodations, though rare, do occur. Finally, it seems unreasonable to place all the responsibility for Chinese aggressiveness on the shoulders of Xi, especially as the regime continues to exhibit many bureaucratic aspects. China is not quite a one-man show yet.

But these different perspectives do provide some useful insights. Chinese leaders have indeed long seen the West as a potential threat that needs to be addressed, regardless of outwardly friendly relations. Despite several decades of apparent amity after US President Richard Nixon’s opening to China in 1972, China’s political world-view has been grounded in the idea that it suffered a so-called “century of humiliation” between the 1840s and 1940s, when Western countries actively meddled in China in pursuit of their own interests. More recently, the CCP has feared the influence of the Western democratic model ‒ celebrated, for example, by the pro-democracy protests in Tiananmen Square in 1989 ‒ as a threat to its position leading Chinese society. The party has also feared Western military force, exemplified by the accidental NATO bombing of the Chinese embassy in Belgrade in 1999, as a risk to its physical security and territorial integrity.

Moreover, while the CCP has not necessarily had a “plan” for world domination as such, its policies have been based on the expectation that China would eventually be the preeminent global power, reflecting the natural superiority of Chinese civilisation. According to China expert Wang Gungwu, for China, countries are “all alike but equal” but at the same time, all “inferior to China”. Even Chinese leaders who are relatively well-disposed towards the West have been honest behind closed doors about the need to take a gradualist approach to China’s ascent, noting, as Deng Xiaoping said, that China must “hide its strength and bide its time”.

Kilcullen has noted that China did indeed take a “twin-track” approach throughout the 1990s, which emphasised the idea of peaceful cooperation, “while simultaneously pursuing military modernisation and vigorously defending China’s national security interests and socialist ideology against Western encroachment”. As part of this first track, China stressed the role of global structures such as the UN, the importance of sovereignty and non-interference, and showed “no missionary impulse to promote authoritarianism”, according to China expert Andrew Nathan; in fact, Beijing preferred a “regime-neutral” approach that sought “good relations with whoever is in power, regardless of regime character”, as long as this was mutually beneficial. However, at the same time, China also claimed an exclusive sphere of influence among its near neighbours and demanded respect on the international stage. As China scholar Martin Jacques observed in the years before Xi’s rise, China’s foreign policy remained “tinged with the thinking of the tributary system”, pointing back to the era when China’s neighbours paid material tribute to its emperor.

The intensification of Chinese hostility towards the West has thus been likely to some degree, considering the country’s trajectory and the expectations of the CCP over the past 40 years. However, more recent influences have played their part too. Much as Russia’s hydrocarbon boom enabled the Putin regime to start to push back against the West with greater confidence, the astonishing growth in the Chinese economy in the past 30 years has undoubtedly helped China to do the same. As Jacques pointed out over a decade ago, an increasingly powerful China was unlikely to “always adjust to and adopt Western cultural norms” as a consequence. Even during the eras of Jiang and Hu, China had begun to push back against Western criticism of its human rights record. China was also beginning to take a more aggressive stance on maritime border disputes in the South China Sea, presenting the UN Secretary General, Ban Ki-moon, with a submission in May 2009 claiming “undisputable sovereignty” within what it called the Nine Dash Line. Nonetheless, despite these structural influences, it is unlikely that any other Chinese leader would have calibrated their approach as aggressively as Xi. While he cannot be held responsible for the entire pattern of Chinese behaviour, his views have almost certainly shaped and sharpened the conduct of Chinese policy over the past decade.

Ostensibly, much of Xi’s stated vision of a “China dream” has focused on economic growth, science and technological development. Programmes such as Made in China 2025, which focus on manufacturing growth and technological innovation, look towards what Xi has described as a “modern socialist country” by the 100-year anniversary of the Chinese Revolution in 1949. Many external policies have also appeared primarily economic and collaborative, with the country promoting the development of international trading infrastructure and financial investment through the Belt and Road Initiative and the Asian Infrastructure Investment Bank. As Xi told the CCP National Congress in October 2017: “The Chinese nation … has stood up, grown rich, and become strong. It will move toward center stage and make greater contributions for mankind”. Xi also told the congress that China wished to see “the construction of the common destiny of mankind”.

But while much of Xi’s language has sounded benevolent, the vision he presents also has hard edges. Xi has encouraged the use of both fair means and foul in China’s campaign of economic development; the country’s massive commercial espionage campaign, while predating his leadership, has grown under it. A survey of Chinese espionage cases in the US between 2000 and 2022, conducted by US think-tank the Center for Strategic and International Studies, indicates a rising trend over the past two decades, but with its sharpest growth between 2015 and 2020. At the same time, while seeking Western know-how, Xi has also sought to make China a more closed society. In a paper known as “Document No. 9”, circulated in April 2013 and subsequently leaked, the CCP’s Central Committee listed “false ideological trends” coming from the West which had to be combatted, including liberal democracy, universal values, civil society and Western-style journalism. After a period of relative openness to discussion, the CCP under Xi began to close down the small avenues that were available to question the system.

In the wider world, Xi’s warm words have also largely translated into a reality that is, in the words of Tsang and Cheung, “self-centred, hierarchical, illiberal, and coercive”. The term “common destiny” has roots in the traditional Chinese idea of tianxia (meaning “all under heaven”), which places China at the centre of the international order, as benevolent guide and judge over all. Xi’s vision thus places China at the top of a global pyramid of power, within which other states will accede to China’s wishes simply because of its self-evident correctness. Because the Chinese leadership under Xi believes itself to be benevolent and wise, it has concluded that China’s interests must be the same as those of every other state. Thus, while a common destiny is intended to operate through the traditional UN-based system, the Chinese leadership assumes that it will operate exactly in accord with Chinese requirements. Any attempts to stand against China are thus likely to be perceived to be wrong-headed and in need of correction.

Under Xi, China has thus taken a stronger line on dictating – and not just promoting – China’s role as an arbiter of all China-linked affairs on a global scale. Not only does Xi see China as having ultimate authority over all ethnic Chinese outside China, regardless of nationality, but he also sees it as having the fundamental right to control how it is perceived and treated. As Allen notes, China increasingly assumes that “criticizing Chinese government behavior is always a violation of China’s sovereignty and, thus, a form of meddling in its domestic affairs”. Moreover, while the pre-Xi CCP seemed uninterested in promoting “socialism with Chinese Characteristics”, especially to established democracies, the past decade has seen a more energetic promotion of a Chinese model of governance in the developing world, based on technological surveillance and social control. Former UK diplomat and China expert Charles Parton noted in interview that China “does not aspire to be the world’s policeman. But being the world’s secret policeman … well, that is another matter”.

China’s long-term preoccupation with making itself the world’s leading economic, political and military power, combined with its increasing paranoia about regime stability, helps explain its heavy focus on commercial espionage, repression of dissent and elite malign influence operations. If Russia seems determined to create a chaotic atmosphere in which it can achieve its goals, China prefers to keep the current international system intact and inheritable, even if it foresees major renovations to its workings. For a state whose fundamental requirement is order, disruptive behaviours such as assassinations, physical sabotage and cybotage are likely to be viewed as counterproductive.

This preoccupation China has with inheriting, rather than wrecking, the international system also partly explains why the Chinese leadership has so far not resorted to military means. The likely economic damage to China from an open conflict with the US and other Western states would almost certainly undermine China’s economic growth, which has been one of the fundamental priorities of the CCP for four decades. Its alternative has therefore been to develop a wide-ranging “grand strategy” that has sought to promote its agenda by a range of means ‒ including covert and clandestine methods ‒ that test its opponents, rather than challenge them in one specific domain or another.

This palette-based approach, in which state threats play a part, enables China to pursue its goals without putting its economic ascent at risk. Furthermore, this exploits the vulnerabilities of the many European and Asian countries that have an interest in maintaining economically beneficial relationships with Beijing, and are therefore likely to have a higher tolerance for potential Chinese aggressiveness. Much like the junior partner in a coercive domestic relationship, these China-dependent Western countries seem willing to put up with a certain amount of bad behaviour, for fear of a greater loss if they fight back.

China’s use of covert and clandestine means does not just reflect pragmatism, however; it also neatly dovetails with much of China’s tradition of strategic thinking. Going back to Sun Tzu’s The Art of War, and echoed in Mao’s writings on guerrilla warfare, Chinese military thought stresses a cautious, incremental and roundabout approach to achieving victory in a confrontation, minimising costs, and encouraging opposing nations to undermine themselves from within – a technique known as wu wei. This indirect approach was re-stated in modern form in Liang and Xiangsui’s Unrestricted Warfare, which, while not a state-endorsed strategy, reflected the natural contours of historic Chinese strategic discourse. It also went on to shape China’s official “Three Warfares” strategy of 2003, which highlighted psychology, public opinion and legality as central battlegrounds in war. China has thus long been comfortable with using state threats as a tool of policy, both for pragmatic and cultural reasons.

7.3.3. Iran

The Iranian regime has taken a largely confrontational position towards the West since the 1979 revolution, when the theocratic Shia movement of Ayatollah Ruhollah Khomeini overthrew the Western-backed regime of Shah Reza Pahlavi. Although there have been some brief and shallow periods of détente – notably with the signing of a nuclear deal in 2015 – the overall tenor of the relationship has been negative. Western observers see a variety of reasons for this:

  • Iran as a revolutionary power ‒ Among some Western analysts, Iran is still seen as a regime driven by the same religious zealotry and idealism that overthrew the shah four decades ago. Its behaviour towards the outside world is thus interpreted as a continuation of its revolutionary aims: to extend Shia influence in the Muslim world, destabilise its monarchical Sunni neighbours in the Persian Gulf, destroy Israel and eject Western powers from the region. Like Jacobin France and Soviet Russia, Iran seeks to reshape the region around it in its own image.

  • Iran as an anxious theocracy ‒ Other Iran watchers take a more circumspect view. While accepting the revolutionary foundations of the regime, they see contemporary Iran’s hostility towards the West as less intense or sincere than it first appears; the regime’s aggressive behaviour is carefully calibrated, and intended to demonstrate Iran’s anti-Western bona fides and regional leadership to groups such as Hezbollah and Hamas, rather than to export the revolution. According to this view, modern Iran has evolved into what Parsi describes as more of “a status quo power” than a revolutionary champion, operating according to the dictates of “defensive realism” rather than ideological zealotry.

  • Iran as a resister of interference ‒ A further view explains Iranian behaviour as a largely natural response to outside pressure from the West, which has sought to manipulate Iranian governments throughout history. This narrative points towards the West’s decades-long support for the shah’s repressive regime; covert interventions in Iranian politics, such as the US and UK-backed overthrow of the prime minister, Mohammed Mossadegh, in 1953; and Western support for Iran’s regional enemies as powerful explanations of Iranian conduct.

All the interpretations bring some insights, but caution is required in too readily accepting Iran’s behaviour as purely defiant self-defence. It is true the West has interfered in Iran’s domestic politics in the past; just as with the siloviki in Russia, the Iranian regime genuinely sees itself as besieged by hostile outsiders that it fears will encourage internal dissent. However, this is far from a complete picture. Hostile actions against Western interests began very early in the regime’s existence, as the taking of US and Canadian diplomats as hostages in 1979 indicates.

The regime’s expansive regional agenda is also apparent. It is difficult to frame Supreme Leader Ayatollah Ali Khamenei’s stated aim to create a “new Islamic civilization”, his call for the destruction of Israel – “a cancerous tumour” – or his support for the activities of terrorist groups and militias beyond Iranian borders purely as rejoinders to external victimisation.

Basic hostility towards the West – and especially the US – thus remains a fundamental part of the Iranian regime’s world-view, as does the long-term aim to see Iranian (and Shia) power and influence increase in the region, geopolitical conditions permitting. But this ideological vision is not well-favoured by the constraints the regime faces in terms of lack of resources and a contentious regional environment. In line with those observers who see it as a troubled state, caught between vaunting rhetoric and problematic reality, Iran’s hostile activities suggest a regime that has a genuine desire to cause harm, but a pragmatic desire to avoid the consequences. Iran’s current approach is thus chiefly disruptive, and its activities are targeted more at its neighbours than at the West. “The regime knows that it needs to deliver on its rhetoric, but it also knows that there are limits,” commented Ali Ansari during interview. “Their attacks on its enemies have mostly been more performative than truly damaging as a result.”

This performative character has been shaped largely by pragmatic and understandable strategic choices. Despite Iran’s large population and hydrocarbon reserves, the regime understands itself to be an economic and military minnow compared with Russia and China, a position weakened further by the impact of Western sanctions. Iran knows it is in no position to challenge the West head on, and this is what has made jang-e narm (“soft war”) or jang-e gheir-e kelasik (“non-classic war”), as described in Iranian military doctrine, so appealing. Such acts exhibit bravado at minimum cost to Iran, and in the words of Parsi, “stave off potential enemies on their home turf”.

However, the regime’s approach is also constrained by more embarrassing internal realities. Despite the monolithic image it seeks to present, the regime is riven by factionalism, cynicism and corruption; Ansari commented that “there are very few true believers left in the regime, and in most cases, people are looking after themselves”. The regime has, moreover, faced substantial evidence of its own unpopularity with the Iranian people in recent years. The persecution of dissidents such as Mahsa Amini, a young woman who died in police custody in September 2022 after being arrested for violating rules on wearing a headscarf, led to serious protests, magnified by economic distress, which the regime initially struggled to contain. It seems likely therefore that the leaders of the regime are aware of its fragility and the new instability that becoming embroiled in an open conflict might bring.

7.3.4. North Korea

Like Iran’s, North Korea’s hostility towards the West is largely ideological, inherent and long term, and goes back to the regime’s attempt to overrun its southern neighbour in 1950, which was thwarted by the US and its allies under a UN mandate. Led by an idiosyncratic hereditary communist regime under the Kim family, Pyongyang has pursued a path it describes as juche (“self-sufficiency”), although at various times it has looked to China and the USSR (and latterly Russia) for support. What has given North Korea’s attitude towards the West a particular sharpness, though, has been its opposition to the US’s role as the ongoing protector of its neighbour, South Korea. North Korea has continued to rail against the US for interfering in the affairs of the peninsula, and has continually claimed that the US intends to overthrow the Kim regime. Whether the North Korean leadership believes this or not, it has used US involvement as the justification for pursuing, and achieving, a nuclear and ballistic missile capability, for which it has been sanctioned by the UN Security Council.

To an even greater extent than Iran, however, North Korea is relatively weak by standard measures of national power, apart from its stock of WMD and the size of its conventional armed forces, which are among the largest in the world. Its economy is a particular problem; following the loss of the USSR as an economic sponsor after the Cold War, nearly two decades of UN sanctions and the effects of the Covid-19 pandemic, the country has a very small economy by international standards, with its nominal GDP a tiny fraction of South Korea’s. Despite tight state control and surveillance of the general population, the stability of the regime is also perennially in doubt.

Consequently, what primarily guides the regime’s present activities is its instinct for self-preservation, which explains its campaigns to generate hard currency through crime, particularly its extensive cyber exploits. As noted previously, these activities are mainly intended to generate funds to bolster the regime, rather than to attack the West per se. North Korean cyber activities have targeted many states, including those of widely differing political stances. Expediency trumps any sense of principle for the Kim regime. Nevertheless, even if North Korea’s current conduct is not primarily intended to attack the West, Pyongyang is content when its activities damage its enemies, seeing this as a positive collateral effect. Notwithstanding recent statements about abandoning reunification efforts, moreover, the regime’s rhetoric indicates an ongoing intention to disrupt its neighbour, with Kim threatening in October 2024 to destroy the South with nuclear weapons “if provoked”. Furthermore, it is probable that the regime would take a more proactively hostile stance towards the West if it felt more secure. James Byrne, a senior associate fellow at RUSI and an expert in North Korean sanctions evasion, interviewed for this project, suggested parallels with Abraham Maslow’s hierarchy of needs, where individuals only move on to higher-order goals after securing their basic needs. As Byrne reflected, “Pyongyang is at the lowest level of ‘the hierarchy of aggression’ now – it needs to worry about survival first and foremost – but if it were to become economically stronger, perhaps with Russian and Chinese support, that could easily become more aggressive still.”

7.4. Conclusion

This section has sought to explain, hopefully with some nuance, both rising international tensions and states’ increasing resort to covert means to conduct policy. While it might be tempting to frame the current situation purely as a return to Cold War behaviours, with the authoritarian states of Russia and China attacking liberal democracies, the reality is much more complicated. Clashes of world-view, shifting economic power balances and the individual cases of the countries in question have to be taken into account. Like its atmospheric equivalent, geopolitical climate change has emerged as the result of the interactions within a complex international system, which are hard to reduce and explain with simple formulae.

This febrile situation has thankfully not yet led to a major military conflict, but this is not something that can be relied on forever. The use of covert and clandestine means largely reflects states’ current cost-benefit calculations, and the ongoing disparities in power between the leading revisionist states and the US and its allies. Naturally enough, the revisionist states are fearful of the costs of any direct conflict; acting below the threshold of war remains the pragmatic choice. But this could change with revised power calculations, or if these states begin to conclude that covert means are not an effective way to attain their goals. This suggests that, as we move towards considering the future pattern of state threats, we must assess how effective they have proved so far.

8. State threats’ effectiveness

The study of policy “success” is a developing field, which has sought to apply social scientific and econometric methods of evaluation to various aspects of public policy, primarily in the domestic arena. Concepts of success vary, but broadly fall into three categories:

  • process success, which considers criteria such as the breadth of support for a policy, or its sustainability;

  • programmatic success, which considers whether a policy has been implemented effectively and efficiently, and delivered intended outcomes; and

  • political success, which looks at whether a policy adds to the reputation and credibility of the enacting government.

Trying to apply any of these heuristics to the messy world of state threats, especially in light of the secrecy in which they are planned and sometimes executed, will be a major challenge. Their use by authoritarian regimes, which tend not to provide extensive and auditable trails of data, adds a further layer of obfuscation. Methodologically, it is hard to see how quantitative measures might be credibly applied, and even a qualitative assessment would struggle with confounding factors; the correlation of a hostile action and a desired outcome does not necessarily mean that the former has caused the latter.

Accepting these limitations, this section takes a relatively modest and impressionistic approach, assessing available qualitative evidence against a criterion of programmatic success: to what extent do hostile actions result in desired outcomes for the perpetrating state? This focus on policy aims and intended outcomes is largely driven by the needs of a diverse audience – it is the “type” of policy success that has the widest purchase in common usage – and a preference for economy in the length of an already long paper. Its primacy does not imply that the other two categories of success are irrelevant to state threats; in fact, they are potentially important factors to consider when addressing the question of why hostile acts might persist when programmatic success proves elusive. However, these other categories will play a secondary role here, based on a hope that future research will be able to take a more broad-based and multi-dimensional approach to evaluation.

8.1. Three levels of programmatic outcome

State policies in the international arena are usually undertaken with the objective of having an impact on the target, and/or bringing a benefit to the threat actor. As we have seen in previous sections, in the case of state threats, impacts are likely to be focused either on attempting to degrade, damage, disrupt, destroy or purloin another state’s (or state’s citizens’, residents’ and organisations’) capabilities, capacities and assets (both physical and non-physical); or on manipulating that state’s attitudes, behaviours and policies in a way that is conducive to the interests of the threat actor.

These impacts should theoretically be seen at different levels, from micro- to macro-level. To borrow terms from military science, these levels might be described as:

  • Tactical ‒ the level of an individual engagement or act.

  • Operational ‒ the level of a discrete operation or a campaign combining individual engagements.

  • Strategic ‒ the level of an overall goal or state policy objective.

A potential matrix for understanding how these desired impacts might be seen at the different levels is outlined in the table below, using intimidatory hostile acts such as an assassination as an example.

Table 5: Potential impacts of intimidatory hostile acts.

At a tactical level, for example, the assassination of a critic living overseas might be intended to remove a single critical voice; at an operational level, to create a leadership vacuum among dissidents and a chilling effect on regime criticism and outside support; and at a strategic level, to strengthen the regime by removing alternative leaders, and creating an atmosphere where outside states are dissuaded or unable to challenge the threat actor’s behaviour. A similar approach could be taken to the other categories of state threat, but for the sake of brevity, and an expectation that the point of this exercise is relatively clear, a tabular explanation for each area of hostile activity is not outlined here.

8.2. Assessing effectiveness

It is clearly a simpler task to assess the effectiveness of hostile acts at the tactical level rather than the (higher) operational or strategic levels. For example, an assassination succeeds or fails, but does it subdue dissidents or make a regime safer? This is more difficult to assess. There are no obvious metrics; even in a qualitative analysis, many variables have to be considered. It is wrong to assume, moreover, that the tactical success of an act will translate into success at the higher levels. Positive operational and strategic outcomes can happen for reasons unrelated to tactical success; indeed, there is also a long military history of positive tactical and operational outcomes not necessarily leading to strategic success: the Pyrrhic victory is an ancient concept.

When assessing the effectiveness of state threats, therefore, it is important to be cautious about the level of confidence we place in our judgements. At operational and strategic levels, it is probably more realistic to note the correlation between the expected likely effects of an activity and the outcomes achieved, then to consider whether and how those activities could have contributed to the outcome. It will be difficult to say with certainty that x caused y. Nonetheless, based on the evidence used for this paper, some general preliminary judgements are feasible.

8.2.1. Overt coercion

Of the state threats considered, probably the least effective category at an operational or a strategic level is overt coercion. In fact, bellicose rhetoric and sabre-rattling seem more likely to damage a state’s reputation, draw attention to its other antisocial behaviours and increase international resistance to its activities. North Korea has been an exemplar of this kind of obstreperous attitude towards the outside world for decades; it has not helped it to accrue either economic benefits or international political capital, except perhaps with other revisionist states such as Russia and China. China’s wolf warrior diplomacy has also generated a negative international response; and Russian threats and open military bullying of previously neutral countries such as Finland and Sweden have almost certainly moved them closer to the West, as their recent accession to NATO suggests. Although overt threats are relatively cheap to deliver, they can often behave more like boomerangs than javelins.

8.2.2. Espionage

The oldest and most consistent stream of clandestine activity is espionage. Assessing its effectiveness is obviously challenging given the sensitivity around the collection, analysis and exploitation of the raw product. Intelligence histories indicate that it can take many years to make even a tentative assessment of whether a country’s collection or disruption efforts have proved fruitful; credible work on the UK’s intelligence performance in Northern Ireland during the period known as the Troubles has only appeared in recent years, for example. It is therefore hard to come to a judgement on the success of the general espionage efforts of the core revisionist states based on the current public record. Neither Iran nor North Korea have the resources to conduct significant overseas collection operations and it seems unlikely they have scored major successes. For Russia, the picture is likely to be mixed, given the volume and range of its intelligence collection activities. It has probably enjoyed tactical successes of which we are unaware, alongside more public operational embarrassments, with spy rings rolled up across North America and Europe in recent years, and hundreds of Russian intelligence officers expelled from Western countries since February 2022.

The one undoubted example of success at all levels is China’s commercial, scientific and technological campaign, which has exploited the vulnerabilities and weaknesses of the Western private sector and civil society. The US IP Commission has identified China as the “world’s principal IP infringer”. As previously noted, China’s efforts are likely to have helped in its attempt to overtake the US as the world’s leading economy, although there are no reliable estimates of how much of a difference they have made. Either way, however, they have probably caused a significant drain on the US economy. According to Eftimiades, based on US intelligence estimates and other official US, EU and Canadian figures, the cost to the US of Beijing’s spying is US$320 billion annually. In the words of General Keith Alexander, former head of US Cyber Command, China’s commercial espionage spree has probably been “the single greatest transfer of wealth in history”.

8.2.3. Intimidation

Intimidatory methods such as harassment and assassination also have mixed results. At a tactical level, they can remove or repress problematic individuals, but even so, they are not always successful, however “professional” the operatives might be – see the case of Sergei Skripal, for example – and they can also succeed in ways that draw negative attention to the perpetrator, as in the cases of Alexander Litvinenko and Kim Jong Nam, both of whom were killed using exotic methods that indicated the likely involvement of a state actor.

At an operational level, intimidatory methods can instil fear, suppress dissent and communicate a state’s intent, capability and daring, even if caught or detected. Nonetheless, these effects are often short term and can become counterproductive. Attempts to quash criticism and dissidence can have an emboldening rather than a repressive effect, as if turning up the heat under a pressure cooker; the Iranian regime found just this with the Iranian public’s angry response to the death of female protester Mahsa Amini in custody in 2022.

Strategically, moreover, the regular use of such techniques can become addictive and extremely damaging, as states become increasingly associated with their use. Russia’s use of assassination, for example, has certainly removed irritants to the regime, but at the cost of focusing international attention on its brutality. The deployment of intimidatory techniques on a larger scale has also generated counterproductive results for other states. For example, a leaked MOIS document in 2019 indicated that the IRGC’s support for Shia militias in Iraq had alienated the country’s Sunni communities because of the militias’ indiscriminate violence and wanton destruction of property. Intimidatory measures brought short-term security but long-term dangers for the Iranian presence in Iraq.

8.2.4. Physical sabotage

As with assassination, the use of kinetic attacks against physical assets can have short-term tactical benefits. However, they are unlikely to have long-term operational or strategic impacts on the targeted asset, especially in developed states that have the resilience to maintain services, and the resources and expertise to rebuild, as Poland’s efforts to maintain normal commercial activity following the Marywilska 44 shopping centre fire suggest. Where physical sabotage can have a more pernicious effect is in countries that are less capable of responding, especially if the acts of sabotage are sustained over a prolonged period and the targeted state’s resources stretched as a result. Even in more developed states, there is a risk, though difficult to assess, that successive acts of sabotage might have an attritional effect on the population’s psychological resilience. How much of an effect systemic overload techniques such as state-enabled illegal migration are having is also a moot question. Certainly, any additional crime stimulated by the activity of ill-intentioned states will generate costs in terms of law enforcement, border control and social welfare rolls. However, at present there is little to indicate the material level of these efforts has moved so far above the normal baseline as to have had a critical effect on Western public sector service delivery. Thus far, such acts appear to have been irritants rather than major threats.

8.2.5. Cyber effects

In fairness, the dangers of physical sabotage have caused Western policymakers lower levels of anxiety in recent years than those that might arise from acts of cybotage. The former US secretary of defense, Leon Panetta, is remembered for his famous warning of a “cyber Pearl Harbor”, where an unexpected cyber attack would have existentially threatening consequences for the US. But if some of the more panicked expectations about cyber effects operations have largely dissipated, evidence continues to suggest they have the potential to cause significant tactical and even operational effects. Several supporters of the efficacy of cyber attacks have pointed to the impact of the US-Israeli Stuxnet attack on Iran’s nuclear centrifuges in 2009-10, which was reported at the time to have pushed back the Iranian nuclear programme by three to five years. Others have also highlighted the Iranian Shamoon attack against the Saudi oil industry in the early 2010s, as well as a succession of Russian attacks on the Baltic states, Georgia and Ukraine in the past two decades. These attacks caused a period of initially severe disruption, with financial costs in some instances running into many millions of US dollars. North Korea’s massive cyber theft and extortion campaign has also been a great success on every level, providing the regime with much needed illicit funding to help avoid weapons procurement counter-measures and other sanctions. Indeed, estimates suggest that North Korea generates around half of its annual state income from crypto theft.

Nonetheless, some proportionality needs to temper these judgements. Even the much-vaunted Stuxnet campaign is now assessed to have had a less dramatic effect on the Iranian nuclear programme than originally surmised. Iran’s own successive actions against the Saudi oil industry also appear to have been relatively superficial in effect, failing to compromise the SCADA networks that controlled the physical systems controlling oil production. Furthermore, despite the proclaimed potential of cyber effects operations, most do not appear even to seek to have a strategic impact. In fact, data from DCID 2.0 suggest that only around 11% of cyber operations (including both espionage and effects) appear to have been aimed at degrading systems, with 28% intended to cause basic disruption. The remainder – the majority – were forms of espionage. DCID 2.0 data also show that the relative severity of cyber attacks over time did not change, with the greatest proportions in the middle range and none in the most severe range of “7-10”.

Other statistics show a similarly mixed picture. While the recovery time from ransomware attacks in the US seems to be rising over time (currently taking 24 days on average), other recovery times vary depending on attack type and the victim’s capabilities. According to a UK government survey carried out over 2022 and 2023, more than 80% of UK businesses and charities were able to restore operations within 24 hours after they had faced their worst attack. Other measures are more optimistic still. Economic costs of cyber attacks seem to have declined in recent years. Research by former cyber executive Tom Johansmeyer in 2024 found that around 92% of total economic losses from cyber attacks had come before 2009. These figures suggest that, as Freedman argues, cyber attacks have been “damaging more than crippling”, and “routine and ubiquitous”, rather than episodic and unexpected. Even in wartime, cyber effects operations have proved manageable. Jason Kikta noted in interview that “even 72 hours of sustained Russian cyber attacks were not enough to overcome Ukraine in February 2022”. As the recent Ukrainian experience suggests, the public and private sectors and governments are much more willing and able to soak up and handle such attacks than might have initially been expected. Like the much-feared strategic bombers of the second world war, cyber attackers are always likely to get through, but now, as then, they face resilient targets.

8.2.6. Weaponisation operations

Weaponisation operations are, by their nature, potentially quite diverse in type, so arriving at a general assessment about their success or otherwise is impossible. They are also few in number, or at least seem so at present, so there is a limited pool of examples from which to draw, the most obvious being the weaponisation of migration. In this instance, the tactical aims of the perpetrating state appear to be to create overwhelming pressure on the health and welfare systems of the targeted state, and to exacerbate its social divisions, amplified by information operations. At a strategic level, the hope appears to be to gain some political dividend from the targeted state, whether in terms of policy concessions, or from its distraction and being over-stretched. In the case of recent Russian and Belarusian efforts, Western officials believe that the increased flow of migrants across eastern European, Baltic and Scandinavian borders was intended to stir social divisions, enable radical and extreme voices on the left and right – often favourable to Russia – and thus undercut European support for Ukraine.

Considering the relative recency of these events, it is too early to come to a firm conclusion about their effects, but so far, no European health or welfare system seems to have collapsed as a result of these inflows or for other reasons. Certainly, negative material about migration has played a major role in online narratives in Europe, especially in Eastern European countries such as Poland. However, the level and character of the impact of this kind of material is far from clear-cut. Yes, there does appear to be a rough correlation between perceived migrant flows and rising support for anti-migrant (and pro-Russian) parties such as the Alternative für Deutschland in Germany; however, past research has suggested that rising immigrant flows do not create a general political backlash, but rather energise pre-existing anti-immigrant sentiments in limited segments of the public as the issue gains public salience. The same research also indicates that the constituency for such material is likely to be declining in Europe.

Moreover, while inflows appear to have generated harsher policy responses towards cross-border migration flows from mainstream parties, this has not necessarily been accompanied by a change in political attitudes towards Russia’s war against Ukraine. Finland’s government, for example, brought in tight new border measures in July 2024 with widespread political support, while remaining resolute in its support for NATO and Ukraine. Indeed, Finnish Prime Minister Petteri Orpo stated that the action had only been necessary because of Russia’s weaponisation of migration, and explained that the measures were intended to send a “message” that Finland would protect its security. Although it cannot be assumed that every European country will respond in the same way as Finland, its example provides reasonable evidence to suggest that weaponisation – of migration at least – has not yet achieved its aims, and has in some ways proved counterproductive to Russia’s cause.

8.2.7. Subversion

A level of Western anxiety similar to that seen around weaponisation and cyber effects operations has also shaped assessments of the effectiveness of modern information operations. After the UK Brexit referendum and US presidential election in 2016, there was extensive media speculation about the size of the role that targeted information operations by external state actors had played in narrow and unexpected results. Various news outlets re-stated figures suggesting that 126 million US citizens had been exposed to Russian disinformation through Facebook, while the former US director of national intelligence, James Clapper, declared his belief that the Russian intervention had been a decisive element in the presidential campaign. The effect was also amplified by mainstream Western media, which turned the fear of Russian disinformation into a major public narrative. As Kilcullen has remarked, the GRU must have been “surprised and gratified at the extraordinary return on their modest investment” as the operation became self-sustaining with the Western media’s propensity to discuss the issue.

Since 2016, however, a more ambiguous body of evidence on the impact of information operations has emerged, suggesting less dramatic effects than were originally supposed. To take the 2016 US presidential election ‒ the cause célèbre of disinformation ‒ as an example, while the products of Russian efforts on Facebook in 2016 were seen by millions, only about 37% saw them before they cast their ballots. Moreover, as Rid notes, it was not clear to what extent the 37% had merely clicked through rather than engaged with or internalised the material, or how they reacted when they did engage.

Information operations have also had potentially counterproductive effects. Looking sceptically at Russia’s efforts, Galeotti has observed that “Russia may have a megaphone, but this just means that when its message is laughable or offensive it can alienate more people at once”. China has been similarly ridiculed for the low quality of its more aggressive current disinformation efforts. A recent Chinese government-backed disinformation campaign that has targeted US audiences, known as “Spamouflage”, triggered sceptical responses from Western observers. According to Jack Stubbs, an executive at social media analysis company Graphika, Spamouflage’s approach has been “like throwing spaghetti at the wall”, although as Stubbs notes, “they are throwing a lot of spaghetti”.

But criticisms of “threat hype” by Rid and others do not mean that information operations are totally without effect. As Rid himself acknowledges, it is more that these effects will be less certain or dramatic than promised in government “after-action reviews and project memos”. Rid quotes Kate Starbird, an online influence researcher, who observed that “measuring the actual impact of trolling and online influence campaigns is probably impossible. But the difficulty of measuring impact doesn’t mean that there isn’t meaningful impact”.

Indeed, there is a prima facie case that high-volume, high-velocity information operations can help shape beliefs and patterns of behaviour. Krieg cites research showing that repeated exposure to information increases familiarity and ease of processing, regardless of the information’s veracity. Also, in a growing number of instances the weight of evidence suggests that disinformation has contributed to discernible effects ‒ both short and long term ‒ in the “real” world. Braw notes the role that social media played in triggering the storming of the US Capitol on 6 January 2021, where disinformation about the outcome of the 2020 presidential election contributed to extensive damage and loss of life. Giles has also highlighted the probable effect of Russian disinformation about Western Covid-19 vaccines on public health among Russian speakers. Latvian government data indicated in 2021 that 80% of the country’s hospitalised Covid-19 patients were Russian speakers, despite making up only 25% of the Latvian population overall. This incredible discrepancy could have many causes, but it is reasonable to suppose that Russian speakers were exposed to misleading sources of information that non-Russian speakers were not.

The key issue then is what factors might make information operations more or less successful. Nicholas Yap, a disinformation expert at the Atlantic Council think-tank, noted that current social scientific research suggests that disinformation has a more discernible effect when targeting marginalised social groups, although the level of that effect is far from certain, and is likely to depend on a variety of criteria such as the quality of the disinformation material used and the wider political context in which it appears. Indeed, as Yap also notes, a great deal depends on the nature of an information consumer’s pre-existing beliefs and thinking patterns; if a message chimes with a consumer’s prejudices, then it is more likely to be quickly embraced. As he observed in interview, “The vast majority of disinformation is probably consumed within a pre-existing echo chamber and reflects existing views and prejudices”. This suggests that information operations are more likely to be effective in an already divisive social environment, prodding existing wounds, rather than creating fresh damage.

A further issue is the media environment into which disinformation narratives are introduced. Much depends on how the media and political class of the targeted society choose to handle disinformation narratives, and the fact that disinformation operations are taking place. Olga Belogolova and fellow disinformation experts have recently argued that while it is important for opinion-shapers to recognise that information operations can have an effect, there are risks of “amplifying not only the original falsehood, but also an even more corrosive and polarizing narrative – that American politicians are remote controlled, and that US citizens don’t have agency”. Giving too much weight and power to disinformation narratives can distract politicians from tackling real issues that might underlie the disinformation story, make those behind disinformation campaigns look more powerful than they are and undermine confidence in the political system that has been targeted. In short, if the opinion-shapers of Western societies hype and mishandle disinformation, they will help do the perpetrators’ work for them.

8.2.8. Malign influence

The effectiveness of influence operations is also unclear. On one hand, researchers have noted the persistent efforts by Russia and China to penetrate the political and business elites of European and anglophone countries, with some apparent success. Hamilton and Ohlberg have stated that in the UK, Chinese “influence networks … [have] passed the point of no return” and that efforts by the UK “to extricate itself from Beijing’s orbit … [will] probably fail”.

Yet, while influence operations have undoubtedly had some political effect in blunting Western responses to hostile acts, it is not clear they have achieved their aims decisively. Russian efforts to secure German compliance with its wishes, through both overt means and malign influence, alleviated Germany’s concern about Russian conduct in the 2010s. Nonetheless, following the annexation of Crimea in 2014, German attitudes began to change. This shift was given further impetus by Russia’s full-scale invasion of Ukraine in February 2022, leading Chancellor Olaf Scholz to suggest that the country’s foreign policy was undergoing a Zeitenwende (“historic turning point”).

In contrast, developments in Western relationships with China appear to be less clear-cut. Many Western countries, especially those in Europe and the Asia-Pacific region, are caught between a desire to support Taiwan, human rights and democracy, and a wish to retain valuable Chinese economic ties. But even so, Western governments have shown growing concern about Chinese state-linked covert activities – especially cyber espionage ‒ leading to a general cooling of relations, if not the kind of breach that has occurred with Russia. In addition, many Western countries have begun to take action to improve their economic security, especially in relation to technologies such as advanced microchips and communications infrastructure such as 5G. While no Western country seems keen to disengage completely from a relationship with China, a process of strategic “de-risking” is under way across many Western countries, which is at variance with the intended aims of Chinese influence campaigns.

8.2.9. Sponsoring internal conflicts and regime change

There are relatively few contemporary cases of states fostering internal opposition against opponents – and likewise of attempts to encourage, enable or enact covert regime change ‒ on which to base a credible judgement about the effectiveness of such actions. However, two sets of broad observations emerge from the material available.

Firstly, developing countries seem to be the most attractive and conducive environment for direct covert political interference. The revisionist powers that have supported violent opposition groups, in particular Iran and Russia, have largely done so in unstable areas such as the Sahel, the Middle East and South Asia. Here, they have had some success in creating instability and promoting their interests. In the case of Russia’s support for the Taliban, the Russians even provided aid to an internal group that achieved power, although scholars do not identify that aid as being one of the enabling factors that led to the Taliban’s success in 2021. However, while meddling in less settled regions might be easier than in more stable areas, it does not bring guaranteed benefits. As Iran’s support for Hamas and Hezbollah has shown, being closely linked to terrorists, insurgents and militias can be detrimental to a state’s reputation when those groups are shown to be weaker than they might have first appeared. Iran’s support did little to prevent either group from being militarily humbled by Israel in 2023 and 2024, and Iran’s reputation as a regional force to be reckoned with has undoubtedly suffered as a result.

Secondly, in relation to developed countries, revisionist states appear much less likely to become closely linked to violent opposition groups, and to the extent that they do, their associations seem more focused on generating public protests than fomenting major civil disturbances. The internal instability caused by these efforts seems marginal at best, and the value they bring seems primarily to be in feeding subversive narratives. Russia, of course, also appears to have attempted to topple a government and fix elections in the Balkan states of Montenegro in 2016 and Moldova in 2024. However, neither of these attempts succeeded; on the contrary, both seem to have been counterproductive, with Montenegro joining NATO in June 2017, and the Moldovan leadership reaffirming ties with the alliance after Russian interference in the country’s elections in October and November 2024. Despite the relative susceptibility of both countries to direct Russian interference, neither succumbed, raising doubts about how useful direct covert involvement in the politics of settled Western liberal democracies can be.

8.3. Cumulative effectiveness

This brief review suggests that individual state threats have uncertain and at best mixed effects. However, this still leaves open the possibility of combined measures having a cumulative impact over time. We might therefore firstly ask if the hostile activities of revisionist states have made Western countries weaker. Certainly, the West is going through a challenging period both politically and economically. Many Western commentators, as well as Western public opinion, see a crisis of confidence in democracy and the free market economy. Nonetheless, even if this is an accurate description of the current situation – and some would see it as an overstatement – the causes of the West’s current problems are likely to be complex. It is possible that state threats campaigns have contributed to them, but it seems unlikely they are the sole, or even primary cause; in fact, the contemporary debate on supposed Western decline tends to look closer to home for the culprits, such as political and cultural polarisation, democratic inertia and lack of economic dynamism.

Secondly, we should also ask whether revisionist states’ attempts to re-orient the intentions of their targets have had a discernible effect. Some might suggest that Russian interference in US politics has had some success in creating political chaos, but this is debatable. The US has faced significant and widening political divisions for several decades. These divisions were not created by Russia, even if the Putin regime has sought to take advantage of them. Beyond the US, moreover, attempts to weaken Western resistance seem either not to have worked or to have had the opposite effect. Looking at Russia, that most prolific user of state threats, Cormac observes that for all its noise and activity, Russia has “seemingly failed to induce meaningful policy change” in the West.

8.4. Explaining ineffectiveness

Accepting the possibility that the effects of state threats might not yet have emerged, it appears that they have had a relatively limited impact on their targets at the strategic level, at least so far. China’s commercial espionage campaign and North Korea’s cybercrime spree appear to be the only clear successes, with most other hostile activities having limited, partial or short-term effects and plenty of unwanted consequences. They are largely policy failures by rational standards. Why, then, are they generating such poor results? As with most policy failures, from the mundane to the exotic, there are likely to be several reasons:

  • Uncertain logic behind operations ‒ For most state threats activity, there is limited theory or evidence to demonstrate conclusively that they will or should have the expected effect. Some types of acts do sometimes roughly correlate with desired effects – disinformation, for example ‒ but the evidence is never clear-cut. As Freedman notes about coercive activities in general, they rely on a model of human psychology and response that has yet to be consistently validated. People can be cowed by coercion, but then in other circumstances, can be motivated and energised to respond.

  • Practical difficulties in mounting operations ‒ Covert activities might be relatively low cost and less involved than military operations, but they are not necessarily easy to do well. Many covert and clandestine operations involve complex tasks in contested and dangerous environments, and bring considerable risks to human and technical assets. Extensive planning and preparation are necessary to achieve even the most basic operational elements, problems which quickly become amplified in combined or ongoing campaigns. And even an impressive plan can be derailed by unforeseen events and unknowns. As former CIA analyst Mark Lowenthal has remarked, “if overt means of producing a similar outcome are available, they are almost certainly preferable” to the covert option.

  • Trade-offs inherent in secret activity ‒ As noted previously, Maschmeyer has highlighted how intractable the challenges of secret action can be, arguing that a “subversive trilemma” obtains that leads to trade-offs between operational speed (conceived of as the time required to go from the start of an operation to an effect); the intensity of desired effects, in terms of scope and scale; and the level of control over the effects generated. According to Maschmeyer’s analysis, actors operating under secrecy cannot achieve speed, intensity and control all at once, with any gain in one area leading naturally to a decline in performance in the other two. For example, an operation which prioritises speed will enjoy limited preparation, and is thus likely to have a less powerful effect and be less well managed. As a result, the outcomes generated will probably be short of expectations, and limit the operation’s “strategic value in practice”.

  • Limited quantity and quality of tools, skills and resources ‒ However coherent a plan, it can easily go awry for want of sufficient resources and capable operatives. Resources vary across the revisionist states; the Russian and Chinese agencies should in theory be well resourced due to the size of their economies, North Korea and Iran relatively less so. But as North Korea’s RGB is the generator of the state’s cyber funding, it seems likely to be generously resourced and potentially self-funding. Moreover, the IRGC has prospered through deep engagement in the Iranian economy and the sale of hydrocarbons. Competency is another matter and Russia, in particular, has faced multiple failures. Riehle observes that Russian operations:

have been revealed publicly time after time since 2010, including foreign arrests of illegals, Russian arrests of officers for fraud and robbery, the attribution of dozens of Russian computer-based operations, the exposure of an unmistakably Russian hand behind assassinations and government manipulation, the arrests and expulsions of large numbers of officers under diplomatic cover, and continuing defections from the ranks of Russian services.

Chinese agencies have seemed to be less accident prone, excelling in some areas ‒ cyber espionage, for example ‒ and have generally improved their tradecraft over time; yet, they have continued to struggle with long-term or complex operations, and more aggressive disinformation campaigns. Iran’s operatives have also been variable performers. Cormac notes that their social media disinformation campaigns have been “rudimentary and somewhat sloppy in their tradecraft”, if also “loud, provocative and divisive”. Among the undeniably “world-class” state operatives are the cyber teams behind North Korea’s criminal campaigns, who demonstrate remarkable sophistication and growing expertise.

  • High resilience of targets ‒ During the STT workshops in 2023, the consensus among participants was that the UK and partners enjoyed a relatively high level of resilience to state threats, arising from relative wealth, a history of social stability and cohesion, and the benefits brought by pre-existing measures to tackle challenges such as terrorism, general cyber threats and serious organised crime. As grey-zone-aggression expert Elizabeth Braw has explored, resilience has been nurtured in recent years, as many Western countries have taken additional measures to strengthen their position by restricting foreign investments where there are national security risks, reviewing and stress testing electoral systems, and improving online literacy and hygiene skills. Braw has also noted that several states, such as the US, the UK and Australia, have used punitive tools to deter, catch and punish state-backed hostile actors by, for example, tightening criminal law on espionage and foreign interference, using financial sanctions, indictments and prosecutions, and what she describes as the “naming and shaming” of states, leaders and operatives believed to be behind hostile activities.

Overall, therefore, states face major challenges in executing hostile activities in a way that offers the genuine promise of having a valuable impact. These factors affect all areas of state threats activity to varying degrees, but a case study that shows all these problems in stark relief is in cyber effects operations.

8.5. Cyber effects

Cyber security experts continue to debate what value cyber effects operations generate. Many doubt their coercive capacity, given their covert nature ‒ how can one be coerced by someone who is difficult to identify? – or their capacity to inflict significant damage in one blow. Separately, others have now focused on how intrinsically difficult cyber effects operations are to execute, rather than their potentially devastating effects. Maschmeyer has applied his “subversive trilemma” to cyber, and found that the same operational trade-offs and tensions emerge in the field as they do in other areas of secret activity: “consequently, in most circumstances, cyber operations fall short of their strategic promise and provide, at best, limited strategic utility”, he states.

In a similar vein, Smeets has analysed the wide number of variables offensive cyber needs to get right, from having access to the human expertise, system vulnerabilities and appropriate cyber weapons, to having the necessary technical and institutional infrastructures in place, which only the largest or most developed of countries will have. As he further notes, cyber talent is limited, cyber vulnerabilities are hard to find, and the most readily available cyber techniques, such as DDOS attacks, are fairly low impact. The most impressive cyber operations require a combination of rare ingredients not easily available to most states.

Russia and China are relatively well positioned in having access to the raw essentials needed for cyber espionage and effects operations, enjoying relatively educated populations and significant financial resources by sheer dint of economic size. Iran and North Korea, by contrast, have many of the right people and knowledge, but more limited resources, although it seems clear that North Korea at least has prioritised investment in cyber. Resource issues aside, all the revisionist states – even the two most powerful – have also faced problems in execution, some of which have been self-inflicted. Russian agencies, for example, combine both expertise and resources with a capacity for duplication of effort and in-fighting. It appears that both the GRU and FSB ran parallel and uncoordinated hacks of the DNC in 2016, “apparently unaware of each other’s operations”, according to Riehle. “The cyber teams of the KGB successor agencies operate within siloed institutions that are well-known for their infighting. The GRU, who are known for their high risk tolerance, can also be poor at operational security”, O’Neill noted in interview. The Chinese agencies have been a little less hapless in this regard, and Western cyber experts have discerned an improvement in their performance over the past decade. Their teams have “become more sophisticated and flexible”, and “more adept at living off the land” within targeted systems, according to cyber expert Jamie Collier, interviewed for this project. Nonetheless, as Collier also noted, Chinese hackers are far from perfect, and continue to make sloppy mistakes during their intrusions.

Further problems are added by the tendency of several of these states – Russia and Iran, in particular – to outsource cyber activities. Quite apart from generating obvious anxieties around control, operational security and competence, relationships with non-state partners in the cyber realm have also had some unfortunate unintended consequences, as the case of Dmitry Dokuchayev (section 5.2.2) indicates.

Despite their relative lack of legal and ethical checks and balances in comparison to Western states, moreover, the revisionists have also faced a number of other potential constraints. The most potent is the risk of escalation that cyber effects operations bring. In the words of Arquilla, using the most powerful tools in peacetime risks turning “a profitable cool war hot”. Then there are unintended consequences; initiating an attack could cause collateral damage to untargeted states or even the attacker themselves. Finally, there is the possibility of losing strategic advantage; to deploy a sophisticated weapon in peacetime risks revealing the capability to others who might then copy or develop a defence for it, or highlight a previously unknown vulnerability in a targeted system, prompting remedial action to improve resilience. An impressive cyber weapon is thus, as Arquilla states, “a wasting asset”: if it is not used it is pointless, and if it is, it soon becomes obsolete.

The revisionists also face a relatively hard target in Western countries. Major targets are likely to be much better defended and protected than low-value alternatives; and, in general, rising cyber awareness in the West has led to a slow rise in overall levels of cyber security, making sophisticated hacking gradually harder to achieve. Buchanan argues that the US has a significant “home-field advantage” because of the core role of its private enterprises in providing “the modern digital ecosystem”. Gavin Wilde, a senior fellow at the Carnegie Endowment for International Peace, noted in interview that James Clapper had been right when he had declared the US to be “the biggest kid on the cyber block”. Other Western states are less powerful, he suggested, but even though “the UK and France are smaller, they still have advanced cyber security capabilities which are going to give any attacker pause”. The West is thus not without its defences.

8.6. Understanding persistence

Considering the challenges of execution and the patchiness of the results achieved, it seems puzzling that states continue to use hostile actions as a tool of policy: what is the point if they continue to have a negligible strategic effect? Assuming there are programmatic aims behind state threat-type actions, it might be that those perpetrating them only have tactical or short-term goals in the first place. They might be intended to create what Kilcullen has called “a temporary window of opportunity”, in which they can carve out small gains or distract attention from other actions.

If states are seeking strategic gains, they might also be willing to wait for them. One might call this the “compound interest” approach to hostile action, where time and multiple small investments have a long-term cumulative effect. As Rid notes when discussing the thinking behind Russian active measures, their aim is to work “slowly, subtly, like ice melting”. Similar thinking guides the proponents of cyber persistence theory, including Fischerkeller and Harknett, who see individual covert acts in cyberspace less as one-off faits accomplis, but as multiple actions in a broader campaign that will bring “cumulative gains to serve desired strategic effects … over time and space”. From this point of view, Buchanan notes, the cyber attacker is “like a boxer who wins on points rather than with a knockout blow”.

A further possibility might be that perpetrator states are applying a gambler’s mentality, seeing hostile actions as bets that might one day pay off with a big win. Discussing Russian cyber activities in interview, Gavin Wilde commented that while Russia recognises that much of what it does is “a crap shoot”, it continues because it wants to “keep its hand in the game”. As the Provisional IRA stated after its unsuccessful attempt to kill the British prime minister Margaret Thatcher in Brighton in 1986, they only had to be lucky once, whereas she had to be lucky every time.

Despite previously concluding that state threats have not had much impact so far, therefore, we need to entertain the possibility that, as Chinese Communist leader Zhou Enlai reportedly said ‒ probably apocryphally ‒ when asked about the effects of the French Revolution, “it is too soon to tell”. It is possible that revisionist states hope that the long-term cumulative effect of state threats will be more powerful than they have been until now. Constant attrition can potentially exhaust a defender’s will to resist over time. Indeed, research on complex adaptive systems indicates that the path towards dramatic change can be slow and gradual, then brief and dramatic. One of the most persistent anxieties several experts interviewed for this project voiced was that, over time, subversive activities would gradually undermine liberal democratic societies’ self-belief and trust in governments to deliver public goods. While the existential decline of a Western polity encouraged by outside forces seems highly unlikely, the possibility of some unforeseen negative outcome cannot be excluded.

8.7. Other measures of “success”

At the start of section 8, other measures of success apart from the programmatic ones used within the field of policy evaluation were noted. The concept of process success, which is informed by a liberal democratic desire to ensure a policy is well made and enjoys appropriate political support, is not a measure that dovetails neatly with the reality of state threats when executed by authoritarian regimes. However, it is possible that a sustained pattern of hostile activities against external opponents might help integrate and satisfy the coalitions of groups, constituencies and actors upon which the regime depends, especially if parts of that coalition are actively involved in the development and execution of hostile actions, and benefit from them. Although this remains a speculative hypothesis, it is possible that the heavy engagement of non-state actors in state threats activity not only reflects operational needs and realities, but also an attempt to tie those actors more closely to the regime.

A more credible assessment criterion for state threats than process success is political success, which is focused on what effect a policy has on the reputation of governments and leaders. Within a domestic context, and especially where regimes are dependent on nationalistic or aggressive constituencies for support, overt and lightly covert activities against opponents might help generate popularity and plaudits for a regime. It can also send a useful “signal” to those constituencies who wish to see aggressive actions against opponent states that would be dangerous to satisfy if more conventional, military measures were taken. Indeed, the concept of “signalling” also has potential explanatory value at international level. The work of Carson and Yarhi-Milo on the utility of covert military action as a form of communication by states, their opponents and allies has already been mentioned (section 7.2). It could be argued, using their framework, that hostile actions achieve political success because they send messages of resolve and commitment, strengthening a government’s international reputation.

However, as other scholars have pointed out, the evidence that governments are actually using covert actions to send signals is limited and therefore it seems somewhat presumptive to treat signalling as a potential measure of success. A more powerful criticism still is that covert signalling is hardly a reliable form of communication. Carson and Yarhi-Milo themselves admit that covert military actions do not always send the right message; rather than making the government behind them look strong, they can make them look weak instead. They highlight several contexts in which this might occur, including when a government looks “unconstrained” from the outside. An apparently strong government, or one seeking to promote an image of strength, but which is only willing to use covert measures to signal resolve, might generate cognitive dissonance among its target audiences, leading those audiences to conclude that the government “talks big and acts small”. It is possible, for example, that Iran’s relatively feeble responses to Israel’s military actions in 2024 have had just this effect both on the Israeli government and Iran’s erstwhile allies in the Axis of Resistance, leaving Tehran with the unhappy dilemma of whether to escalate boldly or step back from confrontation. If covert action is indeed intended to send messages of robustness and commitment, it is a risky way of doing so.

8.8. Negative motivations

Finally, we also need to entertain the possibility that one of the reasons some states keep using state threats is not that they lead to any form of “success” as understood from a Western perspective, but that they meet some other motivation or need. Discussing Russia, Giles has argued that while “it’s often tempting to call Russian actions irrational”, it is probable that “Russia is operating to entirely different rules and priorities than Western liberal democracies”. One possible negative aim is to create enough friction to prevent one’s opponent from following their own preferred policy. Moore notes of offensive cyber operations, for instance, that they can be seen less as an “independent means of securing battlefield goals” than as an “offset capability”, which prevents an opponent from achieving “their own goals”. In other words, they are simply “spoilers”.

Other motives could be even less rational. States might see hostile acts as a way to gain attention and importance; Giles judges this to be an important Russian motive, noting how “entering discussions” with the US about alleged misdemeanours is exactly what Russia wants. “If Moscow cannot achieve recognition as a first-rank partner,” he remarks, “the next best option appears to be recognition as a first-rank enemy”. A further possibility is the desire, not unlike medieval or early modern states and their leaders, to generate a negative reputation that sends the impression of being a dangerous state that is not to be trifled with. As Riehle noted of the Russian intelligence services during interview, this is probably one reason why they do not seem to care about getting caught: “they enjoy the reputational effects of being seen as reckless and dangerous”.

Alternatively, states can often feel an urge to “do something” in circumstances where other actions are either impractical or dangerous; the UK formed the Special Operations Executive in 1940 to conduct small-scale covert attacks on mainland Europe, partly out of a lack of other immediate military options after the fall of France. In some cases, as Magda Long noted in interview, the ongoing use of hostile acts can become institutionalised, especially where a state has a long history of covert activity and a structure to support it: “the mindsets and structures that motivate and enable covert activity are deeply embedded in states like Russia and Iran”, she noted. Moreover, the more these states carry out such activities, the more they are likely to feel the need to keep doing so. In a separate interview, Rory Cormac, professor of international relations at the University of Nottingham, commented that Russian electoral interference would probably keep recurring for similar reasons: “They have been doing this for such a long time that it’s become almost normalised. You can well imagine the logic ‒ ‘If the West thinks we’re coming, they might misread our resolve or intentions if we don’t show up’”.

8.9. A paradoxical challenge

The current situation surrounding state threats is thus in many ways paradoxical. On one hand, the volume, range and pace of hostile activity appear to be growing rapidly; on the other, the actual damage done seems relatively limited, so far at least. If governments are to develop appropriate policy responses, therefore, they need to take a clear-eyed view of both the absolute and the relative dangers state threats pose. In issues of national security, there is always a risk of either greatly over- or under-estimating the nature of threats, based on over-generalisations from historical examples.

In terms of the absolute danger that state threats pose, there are good grounds for not overreacting. Western governments should avoid seeing the revisionist states as “ten feet tall and bullet proof”, as Riehle warns Westerners are often prone to do with regards to Russian intelligence. Russia, the most aggressive state, has many economic and social problems, and is mired in a difficult conventional war in Ukraine, a conflict that has probably put pressure on the intelligence resources needed for Russia’s wider campaign of covert acts. Iran and North Korea, despite their regional aspirations, are economically poor; while dangerous to those they live closest to, they currently appear to lack great operational reach. China, while the most populous and wealthy of the four, is by far the most cautious and circumspect, and the least eager to gain a negative reputation.

At the same time, governments need to take a measured approach to the effects of state threats. The scale of material and psychological damage that acts of physical sabotage, cybotage or various forms of subversion inflict on Western states seems relatively limited in comparison to the sometimes lurid and apocalyptic visions doomsayers paint. So far, the centre has held, and – overall – Western societies have proved resilient. Much like the legendary response of London during the Blitz, it seems that modern democracies have been able to “take it”. Governments thus need to maintain perspective about the threat generated by state actors vis-à-vis non-state actors. Certainly, state actors and their partners are likely to be more dangerous than criminals or terrorist groups, due to their scale and the resources available to them. However, here too the level of lethal threat seems more theoretical than actual. Although the current wave of Russian hostile acts across Europe has generated disruption and physical damage, it has not yet posed the same threat to life as, say, an IS-instigated attack on a major pop concert. Certain constraints and limitations seem to remain in place for state actors that do not necessarily obtain for non-state actors.

Governments also need to consider the scale of the threat non-state actors pose in acting on behalf of states, in comparison to the threat they generate in their own self-interest and on their own behalf. Some OCGs and cyber-criminals work for governments some of the time, but most do not. The Global Initiative against Transnational Organized Crime (GI-TOC)’s dataset on assassinations from 2019 to 2020 indicates that only 5% of cases were clearly linked to a state actor. And with regard to disinformation, Nicholas Yap also commented that most was likely to come from commercial actors who were seeking to “create noise and attract attention, rather than shape the political landscape. Not everything is a Russian bot”. In some instances, the most dangerous activity might not even come from criminals, or humans, at all; in an infamous presentation in 2017, titled “The Squirrels are Winning”, US cyber security researcher Cris Thomas provided evidence to suggest that squirrels were much more dangerous to the integrity of the US power grid than hackers had so far proved to be, whether non-state or state backed.

But this call for perspective should not lead state threats to be discounted or treated as a joke. The scale of the current problem might be greater than conceived due to the many unknowns around the covert world. Cyber experts note that the challenge of attributing cyber attacks to particular actors is more of a delicate art than a robust science; one interviewee, who worked at a senior level in commercial cyber security, reflected it was possible that a higher proportion of hostile cyber activities involved sophisticated state actors than was currently assumed: “They have the resources and expertise to develop ways to hide their hands”. This could also be the case with other types of state threat. For example, although the GI-TOC database on assassinations shows only a small proportion of cases involving state actors, in 63% of cases the perpetrator and their objective were unknown, leaving open the possibility of greater state involvement than had been currently identified. Separately, in the field of political finance, Magnus Öhman, a senior political finance adviser at the International Foundation for Electoral Systems, commented in interview that it was “very difficult” to assess the amount or provenance of foreign money shaping political environments, because “funds can be legitimately funnelled through various intermediate steps to a domestic donor before the final payment is made”. The complexity and fluidity of the financial system provides a level of opacity quite as helpful as any more intentional attempts at camouflage.

There is, moreover, much we do not know about the effects of state threats. As has been highlighted already, they might have the potential to have unforeseen corrosive effects on polities, economies and societies over time. There is also a chance – remote though it might seem – that a hostile action or campaign might somehow “get lucky”, bringing about an unexpected fait accompli due to a rare alignment of favourable circumstances. Few US intelligence analysts considered it possible that a terrorist group such as Al-Qaeda would have been able to mount attacks successfully within the US on the scale achieved in September 2001. In addition, it is feasible that operations that have had a limited impact up to now might provide the foundation for ones with greater impact in a different context. As Kikta noted in interview, current espionage operations, or preparations for sabotage, cybotage or subversion, could become an “enabler of offensive action in the early stages of a future conflict”.

8.10. Conclusion

At the close of the section, therefore, we are in an ambiguous situation. Western governments face a problem in state threats that is real and growing, but not necessarily existential. At the same time, it is a problem about which much is unknown; some of its effects might be invisible at present, or will not be obvious until a later date. There are thus some loose parallels with the early debate about the effects of climate change, or the start of the Covid-19 pandemic in 2020, where imponderables and lack of data left considerable room for uncertainty about how bad the problems were. Considering that this ambiguity prompted many governments to take a precautionary approach in both cases, such a response might also be equally appropriate in how governments handle state threats.

This is all the more justified because of the potential for state threats to become more severe over time. Of the revisionist states and their associates, the most powerful – China – is currently the least active. Even in the cases of Russia, Iran and North Korea, certain constraints on action appear to be in place. If these states’ patterns of behaviour were to change, however, or revisionist associates and middle powers began copying these behaviours more widely, the scale of the problem state threats posed would increase. Other developments too, such as expanding technological capabilities, could create opportunities for more dangerous and potentially deniable activity. These possibilities indicate the need to look finally towards the underlying influences that will shape the future landscape of state threats.

9. State threat futures

Intelligence analysts commonly see predictive analysis as a treacherous activity. If essential to their work, it is the one area in which they are likely to make the most noticeable mistakes, being either too cautious in order to avoid ridicule, or too foolhardy in order to grab readers’ attention. This section does not seek to make many hard predictions, therefore, but rather to look at general trends in the medium term and sketch out some possible scenarios.

Considering its relatively modest ambition, moreover, the section takes a thematic approach to the question of state threats’ evolution, using as a framework for analysis the three components intelligence professionals typically view as the core elements of threat assessment: intent, capability and opportunity. Based on current trends in these three components, it seems likely that the environment for Western countries will at best stay the same, but more likely worsen. Those states currently using state threats against Western countries show little sign of a change of intent; in the cases of China and Russia, their capabilities remain formidable. One area for optimism is Western countries’ efforts to reduce their vulnerabilities to state threats, but even so, Western governments will still need to build defences urgently since the storm has the potential to grow quickly. More problematic, moreover, will be the growing use of state threats by middle powers, against their regional rivals and beyond. Not only would this probably presage an increasingly fractious international arena, but a more dangerous one too, especially for those many developing countries that are particularly vulnerable to outside interference and influence.

9.1. Intent

The basic clash of world-views between the revisionist and Western states that is shaping the current crisis seems unlikely to change soon. As successive summits between Presidents Xi and Putin have indicated since 2022, the leaders see the balance of economic, political and military force vis-à-vis the US and its allies moving in their favour. Neither Russia nor China shows any sign of standing back from its revisionist stance and diplomatic relations remain warm. In response, Western states have continued to support the idea of a rules-based international order, showing limited willingness to make major concessions to revisionist demands. The one partial exception to this was during the first Trump presidency, from 2017 to 2021, but President Trump’s rhetoric did not lead to material or permanent changes in the position of the US as the leader of the Western world. Whether this could change during the second Trump presidency is difficult to know; Trump is an unpredictable figure, but his track record has suggested a gap between the extremity of some of his threats and the reality of what he does. Overall, the fundamental standoff looks likely to persist.

9.1.1. Russia

Tensions will most obviously continue with Russia. Few Russia experts see Russian hostility towards Western countries changing while Putin remains in power. Catherine Belton, the author of Putin’s People, commented in interview that “the war in Ukraine has really allowed the Putin regime to be fully itself. Now, it can make its revisionist agenda unambiguous and clear-cut. There is no need to hide it any more”. As Russian journalist Andrei Kolesnikov has also remarked of Putin, “maybe he was always brutal, but now he has decided to be brutal freely, openly and without restrictions”. In the pithy words of Keir Giles during interview, “the brakes are now off”.

The brakes are also likely to remain off even under any likely successor, moreover. Putin’s geopolitical world-view, which sees Russia in an existential battle with the West, is deeply entrenched and widely shared among the Russian political elite. The elite appears willing to pay a high price for this view, moreover, including the loss of coveted commercial interests in the West, even if that forces Russia into greater dependency on an increasingly powerful China, as both Belton and Giles noted in separate interviews. However, as Belton added, the elites hope that “the ultimate weakening of the West caused by Russian disruption will allow [them] to win back their positions of commercial strength in the future”. Even among Putin’s critics, his nationalist world-view resonates, if not his methods; Ukrainians had mixed views of Putin critic Alexei Navalny before his death in early 2024, noting his past comments about the importance of Crimea to Russia, and the historic closeness of Russia and Ukraine.

Strategic, structural and psychological factors are also likely to keep Russia on its present course. The Putin regime has now crawled so far out on the branch that it will be difficult for it to crawl back without loss of face, and serious economic and social consequences. The Russian economy is increasingly designed for war, and directed towards trade and cooperation with non-Western states. Russian society has developed what Kolesnikov has described as a psychology of “mass mobilisation” and a “sense of permanent war”. Much as during the Cold War, the Russian public even before 2022 had been encouraged to see any privation as the result of nefarious Western actions, supported by traitors at home. Fears for the survival of “Fortress Russia” have thus driven an acceptance, expectation and even appetite for greater repression at home, and more aggressive behaviour abroad.

Russia also continues to see Western actions and responses through a dark lens. When Russia takes an aggressive action (which it describes to itself as defensive), the West will criticise or respond to that action. Moscow then sees this as an additional affront and a justification for further hostile activity. The confrontation thus becomes a self-perpetuating spiral.

Even Western attempts to break the spiral with some concessions – which have been described over the past two decades as “resets” – fail, because of Russia’s instinct to keep taking advantage of its interlocutors. Russia expert James Sherr has joked that “if you finally conclude a written agreement with them to stop parking their car on your lawn, don’t be surprised if they park their truck there instead”. Short of a revolution that results in a definitively post-Putinist regime, or a complete collapse of Western resolve, it is therefore difficult to see how the current high levels of hostility dissipate.

Some Russia observers and Western policymakers are now more worried, in fact, that this hostility will escalate further into a direct military conflict with NATO. Whether war occurs or not, however, it seems likely that Russia will maintain and probably increase the tempo of its hostile activities against the US and Europe, especially those focused on undermining Western support for Ukraine and targeting dissidence and dissent. Russia sees little downside from active measures. As Wilde commented in interview, “If you have the resources to do something that might help your cause, and no one is really trying to stop you, why would you do otherwise?”

If Russia still wishes to avoid a military confrontation with the West, and even if it does not, hostile acts thus remain an attractive option. The question is the extent to which Russia will now increase the intensity of its hostile actions and repertoire of techniques. So far, the indications are concerning; Russia is becoming more willing to use kinetic action against physical targets, and to use cyber effects to generate disruption of European CNI. Thomas Haldenwang of Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), stated in May 2024 that his agency assessed “the risk of state-controlled acts of sabotage to be significantly increased”, with “a high potential for damage”. While some constraints on directly targeting European civilians probably remain, Russia is increasingly taking action that might cause significant damage and wider loss of life.

9.1.2. China

Under Xi, China sees the tide of history moving in its direction, which Xi elliptically describes as “great changes unseen in a century”. From his and the CCP’s perspective, this invariably means, over time, Chinese sovereignty over Taiwan, revised boundaries in the South and East China Seas, regional hegemony in the Asia-Pacific region and acceptance of China’s global pre-eminence. Although Tsang and Cheung reflect that China has no interest in being a “global policeman”, it does have an interest in the rest of the world complying with its views.

China expects this to happen naturally due to its rise and the US’s relative decline. Xi has told Putin that “time and momentum are on our side”. However, China’s behaviour up to now indicates that it is also willing to give history a helping hand occasionally. China’s problem is that the US and its allies do not necessarily see matters in the same way, and are unlikely to gently concede to Beijing’s economic hegemony or welcome its ongoing support for Russia. Frictions seem inevitable, the only question being how intense they will be.

Much depends on Xi. If he were to leave power, there could be some room for a softening of the Chinese position. But the underlying geopolitical dynamics of the world, combined with China’s rising expectations, suggest that the same structural factors enabling the current levels of tension would remain. In addition, any likely successor to Xi will come from the ranks of a CCP that Xi has actively shaped in his own image. Allegiance to “Xi thought” has become a guiding influence in the regime, growing in importance alongside the largely consensus-based bureaucratic approach that operated in the 1990s and 2000s. If and when Xi were to depart, leadership elements that want a less assertive international posture might emerge, but they are unlikely to be in a strong position in any battle for succession in the near future.

With Xi, or a Xi-like successor in position, the overall pattern of tensions with the West thus seems likely to remain broadly the same. Despite the running sore of Taiwanese self-government and the increasing heat of Chinese rhetoric, Beijing has so far refrained from taking drastic military actions to resolve the issue. More broadly, China continues to prefer stability over chaos. Part of this is a habit of political culture, but also reflects its perceived long-term interests; as the former UK ambassador to North Korea, Alastair Morgan, put it in a research interview, “if it can help it, China prefers not to smash up a system it would like to inherit”. Even under Xi, China has shown itself minded to take a gentler approach than Russia in pursuit of long-term strategic interests.

According to Charles Parton, the overall Chinese approach might be described as Bismarckian, after the 19th-century Prussian and German chancellor who pursued the long-term goal of German unity, while being flexible about the manner and timing of its attainment. China seems unlikely to ape Russia, therefore, but it is probable that its current range and depth of hostile activities will continue. Commercial espionage is central to China’s drive towards economic, political, and military pre-eminence, and little will constrain this – even warnings from the West. As President Obama found after a summit with Xi in September 2015, a Chinese promise to reduce commercial cyber espionage was soon discarded. China also remains highly focused on using subversive techniques to reshape the world in its own interests. Ragnar Ingibergsson observed in interview that “the CCP will play the ambiguities of the current system, stretch its boundaries, cheat and so on, to create new and more favourable precedents.” The strategy is “to change the character of the playing field and the rules of the game. That is how it intends to win”.

There is also a possibility – if not necessarily a likelihood – that China will increase the range and intensity of its hostile activities against Western countries. This could arise as a natural function of Beijing’s desire to translate its latent power into coercive political capital, especially if Western powers are resistant. China sees itself as the natural leader of the world; if it feels unbound by past constraints, it could decide to impose its own order upon the world.

Of course, China’s preference for avoiding unnecessary conflict suggests that hostile acts will mostly follow rather than precede perceived outside provocations. The most significant provocation in Chinese eyes would be support for Taiwan or another South-East Asian country against Chinese coercive action. However, China has already shown itself to be easily roused to anger by much less. China has also become increasingly paranoid about potential US penetration, with domestic espionage prosecutions escalating in recent years. As more aspects of Chinese domestic policy are “securitised”, Economy observes, “virtually any issue can now be labelled a threat to Chinese sovereignty or social stability”.

If China does undertake more hostile activities against Western states, however, they are likely to be carefully calibrated escalations, not wild swipes. Bold acts of assassination or large-scale physical sabotage seem unlikely, although China’s behaviour in the South and East China Seas suggests that it could use non-state actors such as its civilian fleet to take disruptive action against Western supply lines and communications. A more likely venue for escalating Chinese hostility against Western countries is cyberspace. Allen notes that China’s concept of “internet sovereignty” has stretched well beyond its borders in recent years, making itself the self-appointed arbiter of China-related online discussion, regardless of location. This could translate into even more aggressive attempts to use cyber tools to quell overseas dissent and criticism, stir up domestic troubles for opponents or undertake more ambitious cyber effects operations.

9.1.3. Iran

For Iran, the standoff between its theocratic regime and the West is likely to remain much as it has done since 1979, with the key question being how intense that standoff will be. The death of the president, Ebrahim Raisi, in a helicopter crash in May 2024, followed by the election of reformist candidate Masoud Pezeshkian as his replacement in July, has led some to hope for an easing of tension, something which President Pezeshkian has encouraged. However, despite the removal of one of the most hardline figures in the regime in Raisi, there are few signs of a softening of Iran’s posture towards the West. Much of the power over external policy lies in the hands of Ayatollah Khamenei, who is both highly conservative and strongly aligned with the IRGC. There are, moreover, few reformists in contention to replace Khamenei when he dies. Experts assess the most probable successor to be Khamenei’s son, Mojtaba, whose associations with conservative elements in the regime suggest continuity rather than change. Even if a reformist successor were to emerge, however, they too would face strong structural constraints that would make it difficult for the regime to change its current trajectory even if it wished to. Since February 2022, Iran has become increasingly enmeshed in a political, economic and military relationship with Russia, which presupposes a hostile position towards the West. Since October 2023, Iran has also become trapped in relationships with groups such as Hamas and Hezbollah, making its confrontation with Israel and its Western allies hard to avoid without appearing weak. Tehran, Ali Ansari commented in interview, “has become trapped in a dynamic where it must demonstrate resistance to Israel, the Gulf states and the West, and assert its regional dominance – even when doing so is not really in its interests to do so”.

State threats are thus likely to remain an appealing approach to Iran, due to limited resources, and a fundamental desire to avoid provoking a war with the US and its allies. The intensity and scope of these activities might increase, however, if Iran felt emboldened by Russian support, or if regional conflict in the Middle East escalated, and the US and its allies were to provide extensive support to Israel. In such circumstances, Iran could use its existing relationships with terrorist partners to target Western interests beyond North America and Europe, in regions such as Latin America and Africa. Iran could also expand its overseas campaign of intimidation against Iranian dissidents or even Western officials, perhaps using OCGs to undertake these tasks. If validated, media reports in September 2024 of an Iranian plot to assassinate President Trump could also suggest a growing appetite in the Iranian regime to escalate tensions and take increasingly provocative actions.

9.1.4. North Korea

A dynamic like the one shaping Iranian behaviour also affects North Korea. As James Byrne noted during interview, “the basic ethos of the Kim regime is antithetical to the West. It’s been like that for generations, and most likely always will be”. The pattern of history suggests that this is unlikely to change under Kim Jong Un’s eventual successor; indeed, hopes of reform from this Swiss-educated leader following his own rise were quickly dashed. Certainly, the regime has sought opportunities to negotiate with the US over its nuclear status, as demonstrated by talks during Trump’s first term. However, those discussions ran aground in 2019 over differing expectations about what could be achieved, especially on sanctions relief. This seems unlikely to shift even following Trump’s re-election in November 2024; without the prospect of a deal with the US, North Korea has little incentive other than to move closer to Russia and China and take an adversarial stance towards the West.

Pyongyang is thus unlikely to see a good reason to curb its basic hostility to the US and its allies. Byrne noted that North Korea has few legal or moral qualms about undertaking extreme and hostile acts; it has “no ethical or moral compass we would recognise. They have few limits. They kill on a whim”. Fear of provoking the West is thus likely to have less purchase in Pyongyang than Tehran, given its possession of WMD and geographic proximity to China. What has limited and constrained North Korea so far, Byrne concludes, is not so much a lack of intent, but a lack of resources; “it’s been hard for them to do anything other than focus on issues of survival over recent decades”, he notes, “but there can be little doubt that the more secure they feel, the more aggressive a stance they will take”. Morgan judged that the recent shifting alignments of Russia and China following the full-scale invasion of Ukraine would also have increased North Korea’s risk appetite. “North Korea sees the situation in Ukraine and its consequences as an epochal opportunity, which it can exploit for its own ends”, he notes: “They will not want to waste it.”

What this means in practice is difficult to know. Some analysts assess that North Korea is potentially preparing for a “bolt from the blue” military attack against the South. While possible, however, it seems unlikely, especially without Chinese and Russian support. What seems more probable is an intensification of what has gone before – more overt sabre-rattling, missile launches and possibly even further nuclear tests. In the covert world, North Korea’s cybercrime exploits and other criminal activities to procure and fund weapons proliferation will continue, as will cyber espionage, cyber effects operations, and online disinformation, especially against South Korea, Japan and the US. Current performative acts such as dropping rubbish-filled balloons over South Korea will also persist. There is a risk, moreover, that in the event of a period of heightened tension such apparently clownish exploits might escalate into more dangerous actions, such as using toxic waste instead of rubbish.

9.2. Capabilities

Military thinkers see capability as the ability to have a desired effect, tangibly translating human capital, technical knowledge and appropriate kit into a successful outcome. The most basic elements of military capability are seen as coming from a country’s economic strength and population size. Size matters less in the world of covert action, of course; Israel, for example, has developed a reputation for mounting sophisticated covert operations, despite being a country of less than 10 million people. Nonetheless, while small states can have a major impact, larger, richer and more advanced states continue to have an advantage. Size does not assure success, but it helps.

9.2.1. Russia

Russia is one of the world’s largest advanced economies, and usually sits within or just outside the global top ten ranking for national income. Despite facing a raft of sanctions on its military, technology and revenue-generating hydrocarbon industries, moreover, Russia’s economy has continued to grow since the start of its full-scale invasion of Ukraine in 2022. The International Monetary Fund expects it to grow the fastest among the advanced economies in 2024. Its state intelligence agencies continue to be robustly funded, and despite some criticisms of their early performance in Ukraine in 2022, recent research suggests they have managed to regroup and improve their performance. Even if Russia were to lose the war in Ukraine, moreover, it would retain its covert capabilities and ability to mount hostile operations beyond its borders.

But Russia should not be over-estimated, either. Despite the surface positives, the country is highly dependent on exporting natural resources and is in steep demographic decline. Russia has a falling number of technologically educated young people, which will drain the cyber capabilities of the Russian agencies over time. More immediately, Russia is also facing a serious drain on its available resources due to the war; in the cyber sphere, for example, conducting offensive operations, espionage, pre-positioning and information operations targeting Ukraine has probably made it more difficult to spare state resources for operations further afield.

More aggressive counter-espionage activities by Western agencies have also limited Russian access to targeted areas, with a growing number of expulsions and prosecutions denuding Russian intelligence networks in Five Eyes and European countries. Numerous Russian officers operating under legal cover in embassies and consulates have been expelled from Western states since 2014, and there has been a recent spate of arrests of Russian illegals in Europe and elsewhere.

In response to these challenges, and as noted previously, Russia has increasingly turned to a variety of non-state actors, on which it has relied to supplement or act on behalf of the state. PMCs have become especially important overseas; as Magda Long noted in interview, “Russia is becoming especially dependent on quasi-state [agencies] like Wagner when it comes to ‘out of area’ activities in places such as sub-Saharan Africa.” Closer to home, the Russian state continues to maintain close links to the realms of organised and cybercrime, and shows signs of using OCGs more often, and for a wider range of covert activities. Prelec has noted that since the start of the full-scale invasion of Ukraine, there has been “an unambiguous trend” towards the politicisation of cybercrime groups. More generally, there has been an increasing “weaponisation of the Russian shadow empire” in Eastern Europe, through illegal trafficking, counterfeiting and money laundering, according to a UK official interviewed for this project. The spread of Russia’s criminal relationships is not just linguistically driven, moreover, and has extended to OCGs in eastern and central European countries such as Bulgaria. But while these additional “secret” and “not-so-secret” armies of non-state actors in some ways enhance Russia’s capabilities and ability to access targets overseas, they are not an unambiguously positive asset. As noted in the previous section, working with non-state actors brings myriad problems around performance and control, which are likely to exacerbate the difficulties already inherent in conducting covert activity.

9.2.2. China

China currently faces several domestic challenges, such as declining demographics, weak consumption, a stagnant property market and receding foreign direct investment. Corruption and favouritism also remain problems, despite Xi’s anti-corruption drive, and there is growing evidence that the Chinese bureaucracy has become less efficient and more risk averse under Xi. Nonetheless, of the four main revisionist states, China is by far the strongest economically, politically and militarily. The size of China’s economy remains on an upward trajectory and there are no indications this is likely to collapse soon. The country also boasts one of the largest security and intelligence apparatuses in the world, which Western intelligence officials estimate to number around 600,000 people.

Consequently, China is, and is likely to remain, well-resourced and in a position to conduct covert and clandestine activities, with large and increasingly professional intelligence agencies, and impressive cyber capabilities. Supplemental to these, the state also has access to a vast range of legitimate and illegitimate non-state actors to act as auxiliaries to enable Chinese state power throughout the world. As Parton observed in interview:

the Chinese state and party have potential global reach, well beyond official networks. The Chinese diaspora is vast [and] increasingly influential and much of it has no choice but to cooperate with the CCP, given relatives and other ties back in China.

Around 60 million people of Chinese heritage live outside China, which, Allen notes, is a figure roughly the same size as the population of Italy. Patriotic Chinese OCGs provide further auxiliary power, with a presence in many Western countries. Although these have largely not been seen through a state threats lens so far, they have substantial capacity to act on behalf of Chinese interests. Taken together, these informal networks have the potential to operate, in Parton’s words, “as a huge informal ecosystem through which the CCP can attain its goals”, although the willingness of these networks to cooperate should not be taken for granted. “Elements of the Chinese diaspora are subject to pressure, but they are not innately disloyal to their home countries”, he observed.

9.2.3. Iran and North Korea

Iran and North Korea are both much smaller than China and Russia, and correspondingly weaker when it comes to their covert capabilities. As discussed in previous sections, both have been subject to a range of withering UN and Western sanctions for several decades, and the regimes of both are fragile. Issues of succession continue to plague both regimes, while economic difficulties undermine regime stability. In interview, Ansari described Iran as “a failed state waiting to happen”, a descriptor that could easily be applied to North Korea too.

This has translated into relatively less wide-ranging covert capabilities in comparison to the larger revisionist states, a fundamental that will not change. This said, however, for states that have been treated as pariahs by much of the international community for many decades, both also enjoy valuable assets. North Korea’s world-class cyber capability shows no signs of decline. Iran has well-resourced and professional intelligence agencies, which have the facility to operate through a robust diplomatic network, and diaspora communities in Europe and North America. Iran also has relations with non-state actors on which it can draw, although Israeli military efforts in 2024 against Hamas, Hezbollah and the Houthis are likely to have undermined these pro-Iranian groups’ capabilities severely, at least in the short term.

The recent shift in geopolitical tectonics gives further grounds to believe that both countries will at the very least be able to sustain their capabilities and possibly even expand them. Their burgeoning relationships with Russia and China have certainly provided new hope for economic aid and opportunities to grow without access to the Western financial system. As Byrne noted of North Korea, “Now that Russia and China have opened the gates, it will stay poor, but it will be less of a scavenger.”

9.2.4. The role of partnerships

The extent to which Iran and North Korea will be able to look to China and Russia to bolster their covert capabilities raises the broader question of the impact of a growing partnership between the four states collectively. In a strategic sense, the current dynamic favours closer ties and cooperation; all four share common concerns about the fragility of their regimes, and a desire to pursue national agendas contrary to the Western concept of the rules-based order. Despite their obvious differences in ideology and outlook, Iran, Russia, China and North Korea sit together in what Tobias Borck, previously RUSI senior research fellow for Middle East Security Studies, described in interview as “the same revisionist pot”, united in their shared dislike of the US and its rules-based international order, and at least somewhat willing to look past each other’s conflicting interests. The anonymous China expert interviewed for this project argued that the cornerstone relationship between the two most significant powers, Russia and China, was unlikely to fall apart any time soon. “While there is much that divides them, their shared dislike of the status quo is much stronger”, the expert observed.

These shared interests have already translated into growing levels of general cooperation between the core revisionists; cross-pollination of tradecraft has begun to take place in the fields of cyber operations, disinformation and sanctions evasion. As relationships develop further, it is possible that growing cooperation between the states will spill over into more covert activities, providing a force multiplier for the capabilities of individual states. Nevertheless, some limits are likely to remain because of the sensitivity of the methods used in covert acts. It is not yet apparent that any such boundaries have been reached; the more difficult the environment, the more likely it seems that states will be willing to cooperate in sensitive areas. It seems probable therefore that the revisionist states will inch forward with the pooling of knowledge, and possibly some direct operational collaboration, especially if they perceive the potential benefits of success to outweigh the risks. While any such joint working arrangements will be difficult to manage, it is not beyond the realms of imagination.

9.2.5. Emergent technologies

A further dimension in the capability question is the potential for technological innovation to enhance state capabilities, much in the way that cyber has already done. The use of drones in conflict zones such as Ukraine has shown how new technology can enhance states’ military capabilities, allowing cheaper and potentially more deniable means of attack, which have the potential to be used in peacetime too.

The most significant area of development, however, has been the emergence over the past decade of the variety of computational tools that come under the umbrella of AI. Among the most widely discussed AI tools of the moment are: machine learning, which applies flexible algorithms to large amounts of data to learn patterns and then apply them to new data; generative AI, which uses deep learning models to create new textual, visual and sound content; and agentic AI, which features autonomous agents that can complete complex multi-stage tasks without human guidance.

Smeets suggests that AI tools have significant potential to upgrade states’ cyber espionage and effects capabilities in various ways, by improving the speed and accuracy of “fuzzer” programs, used by hackers to identify vulnerabilities in systems; enhancing social engineering with adaptable agents capable of tailoring their approach to humans; and creating versions of malware that are able to mimic legitimate software, avoid detection and propagate at speed across networks. He also suggests that generative AI will potentially enable bad actors to create and distribute disinformation of better quality and at higher speeds and volume than at present. In 2024, a year of many elections, this last “use case” was of particular concern, as observers expressed fears that electoral processes might be subverted by “deepfake” news stories based on manipulated images and voices.

AI is in detectable current use, moreover. Microsoft has reported that Russia, China, Iran and North Korea have been experimenting with AI large language models to support their cyber espionage and effects operations. Separately, technology firm OpenAI has claimed that Russia, China and Iran have used generative AI in disinformation operations, crafting fake comments and articles in various languages, generating names and bios for social media accounts, as well as applying it to more technical tasks such as debugging code. Both the Chinese and Iranian governments allegedly used AI-generated disinformation content during the US presidential election in 2020. In a further recent case, an unknown actor used AI-generated material to produce a fake audio recording of Michal Šimečka, the leader of the centrist Progressive Slovakia party, planning to rig the election. The clip was posted on Facebook just before voting started in the Slovakian general election in September 2023, which Šimečka lost. It is not clear to what extent the recording affected the result.

Despite legitimate concerns about the impact of AI, however, fears need to be tempered with evidence. In terms of its negative impact so far, whether in the fields of cyber espionage, effects or subversion, there is some evidence to warrant a sceptical view of the scale of the danger AI poses. Despite the promise of generative AI, for example, leading models still produce weird “hallucinatory” content, which undermines the technology’s overall credibility. AI is not just a weapon for bad actors, moreover, and as Smeets highlights, it can be used defensively too, detecting and patching vulnerabilities through autonomous mechanisms, and watching for, and reacting to, hostile actions.

With a technology of the undoubted power of AI, therefore, experts and non-experts alike need to chart a path between hysteria and complacency, recognising both AI’s potential and constraints. For instance, research has found that even while deepfakes are hard to produce, “cheapfakes”, created with easily accessible software, are very easy to generate and seem to be just as effective at bamboozling those exposed to them as the more sophisticated alternative. On the other hand, AI as it is now is not necessarily as it will be in three, five or ten years’ time. The potential for rapid improvements and the discovery of new offensive use cases cannot be ruled out or ignored, but Freedman’s warnings about over-reacting to the dangers of new technology always need to be kept in mind.

A similarly balanced approach is also appropriate in another area of technology that has caused much recent excitement: quantum computing. According to its supporters, quantum computers will use quantum bits (or qubits) to store more data possibilities than the binary bits of classical computing, thus massively increasing processing power and computational speed. Such computers would theoretically have vast potential, especially in supporting scientific and medical research. From the perspective of state threats, moreover, they would also have the power to crack existing methods of encryption in days or hours, expanding the possibilities of cyber espionage. No secret would be safe. Nonetheless, caution is required in this instance, just as much as with AI, and in fact, probably more so. Despite advances in recent years, even the promoters of quantum computing admit that the powerful platforms they envisage have not yet been fully realised. Expert surveys suggest that it will be the late 2030s before a quantum computer will be able to crack current encryption standards, and firms such as IBM are already confident that “quantum-safe” or “post-quantum” cryptography that relies on complex “lattice” mathematical problems will be effective. This does not mean, of course, that quantum computing cannot or will not have a decisive effect on cyber espionage, but we are not at that point yet, and we have both the time and means to hand to mitigate the risk.

9.3. Opportunities

The final element of the threat calculation is the quantity and quality of opportunities a potential hostile actor enjoys. Viewed from the perspective of potential targets, opportunities might alternatively be described as vulnerabilities. As discussed in the previous section, Western societies have shown considerable resilience so far, and many governments have begun to take further measures to reduce vulnerabilities or strengthen their defences; however, as Ingibergsson noted, open societies “provide a wide ‘attack surface’, that can be instrumentalised to cause pain”. Western governments’ efforts have reduced some opportunities for their opponents, but have far from “bullet-proofed” the West.

A key question is how far contemporary resilience efforts can go in open societies. For physical or tangible targets subject to the threat of damage – data and information, critical national infrastructures, cyber infrastructure, borders and even people – there is significant scope and precedent for action, as indicated by concerted efforts to protect key targets from terrorism in the past two decades. Governments’ increasing focus on investigating and disrupting hostile acts by state actors, as well as reinforcing public and private cyber security, and the protections around economic infrastructure indicate these vulnerabilities can be reduced.

However, there is still a great deal to do. The gap between the rhetoric of resilience and the patchy reality is perhaps most obvious in cyber security. Despite years of government exhortation, new laws and regulations, the creation of new institutions and numerous highly publicised breaches, much of the private sector remains vulnerable, using cheaper legacy systems or new platforms that do not have security built in as standard. This is a major problem when it comes to protecting CNI, much of which lies in private hands in Western states. In the US, for example, 85% of CNI is privately owned.

Challenges in the domestic arena are multiplied for the international economy. Global trade, travel, finance and communications infrastructures are open to disruption by unexpected events, such as pandemics, extreme weather and volcanic eruptions, but also human attacks, as the sabotage of the Nord Stream pipelines in the Baltic Sea demonstrated in September 2022. Many of these infrastructures are extremely vulnerable. A recent Cityforum report on resilience noted how difficult it is to protect or monitor assets such as submarine communications cables; by way of example, the report noted that around 9,000 km of submarine infrastructure on which the EU depends were “in inhospitable and remote parts of the oceans”. Such infrastructures are typically not the clear responsibility of a single government or international organisation, and there are no common rules for assigning responsibility for acts of sabotage.

If protecting tangible targets has posed difficulties for open societies, then less concrete or visible problems such as subversion have been even more problematic. Western politics, framed as they are around regular elections, have a preference for tackling easily identifiable and relatively short-term challenges, and have a tendency to privilege political and economic freedom over security concerns. In fairness, several Western governments have begun to address issues of democratic resilience, with a significant amount of energy going into the generational challenge of building information resilience in schools and other institutions. But they have still found it difficult to find an acceptable balance between freedom and security, especially in relation to regulation of social media. There is a basic presumption in the West that, all other things being equal, freedom should come first. Indeed, there are credible and reasonable grounds for this to be the case if open societies do not wish to become like the closed alternatives with which they disagree.

In comparison to the effort to counter disinformation, however, efforts to tackle malign influence and interference among elites are much less advanced. Why this might be is a matter for speculation. Some optimists might see few problems and thus little need for a sustained effort; pessimists might perceive something deeper and less open to treatment. Pessimists might also see profound risks in tackling such issues openly, because of the potential to increase societal distrust of leaders and democratic institutions. The more cynical might also note how the self-interested concerns of a country’s political class might lead them to quash initiatives that reveal their party’s unsavoury connections or undercut sources of funding. There are multiple reasons not to look, and not to act; it seems unlikely that many Western governments will, without sustained media, civil society or public pressure.

9.4. Linking capabilities and opportunities

To what extent will the revisionist states be able to use their capabilities to take advantage of the available opportunities? For Iran and North Korea, the balance probably lies in the West’s favour, as neither enjoys great physical access to Western countries, making it difficult, if not impossible, to undertake significant levels of human espionage, hostile intimidation, physical sabotage or malign influence. However, both have effective cyber capabilities and despite Western efforts, new opportunities to exploit Western cyber vulnerabilities continue to appear. Recent reporting has shown several examples of US firms unwittingly hiring North Koreans online because of the difficulty they face in hiring science, technology, engineering and mathematics graduates in their home markets. Iran also has a wide range of relationships with non-state actors in Europe and beyond, with direct access to key Western economic interests in the Middle East, especially major shipping lanes in the Persian Gulf and the Arabian Sea, and through partners such as the Houthis, to the Red Sea and the Gulf of Aden.

As noted above, Russian access to Western vulnerabilities is less impressive now than it was six years ago, following the degradation of its HUMINT network in response to its aggressive acts. However, Russian economic and financial interests, including those of its oligarchical class, are still deeply embedded across Europe, despite the sanctions blitz of the past two years. As Belton noted in interview, “one of the big differences we face now from the Cold War is how deeply integrated Russian interests are in our economies, financial systems and political systems”. Russia also continues to have access to Western states through links to OCGs and diaspora communities; to Western interests in the developing world through PMCs; and to Western infrastructure using drones, sea trawlers and other forms of technology that have the potential to be turned into tools of disruption. Moreover, it is possible that Russia has already put in place potential operations where direct access is no longer necessary. As Estonian analyst Kadri Liik has observed, Russia creates “openings and opportunities for causing disruption at a later date”, then “puts them on hold like a beer in the fridge, just in case”.

Of the four core revisionist states, China has the best access to the widest range of Western states. Certainly, Western governments in Five Eyes countries and European states are showing more awareness of Chinese commercial espionage, cyber operations and potentially pernicious political influence and economic penetration. Some have also taken targeted action to reduce China’s role in critical communications technology and national infrastructure. But these initiatives have been more muted than those against Russia, not least because of China’s much greater economic and political heft. In anglophone and European countries, with businesses eager to access large Chinese markets, and domestic consumers keen on Chinese manufactured goods, the appetite to treat exposure to China as a national security interest is more limited. In the EU, in particular, there has been a clear attempt by President Macron and Chancellor Scholz to walk a narrow path on China that seeks to make Western concerns known, while maintaining good political and economic relations. While 19th century Western policy was founded on the need for a Chinese “open door” to Western economic interests, the 21st century equivalent now rests on China having an open door to Western economies.

Consequently, governments have made greater efforts to improve Western security against Russian compared with Chinese interference. China’s diplomatic network has not been subject to major expulsions, and Chinese students and workers travelling overseas have enlarged the already significant global Chinese diaspora. China also continues to enjoy economic interests in the logistical infrastructure and ports of Europe, Africa, the Middle East and the Asia-Pacific region. China thus has multiple ways by which it might act against Western states, both overtly and covertly, and directly and remotely.

9.5. Proliferation risks

Finally, beyond the activities of the four core revisionist states, there is a growing risk of state-on-state hostile acts proliferating in various regions across the world. Figure 4 highlights jurisdictions mentioned in this paper that have used one or more different types of hostile acts against or within other states.

Figure 4: States linked to hostile activities.

The most obvious category of states of concern are the revisionist states’ closest associates, such as Belarus and Venezuela, which will potentially see greater scope to cause mischief for local rivals and opponents. However, they are not necessarily the most significant risks, as in most instances, their capabilities and opportunities are relatively limited, putting them more in the category of Iran and North Korea than China and Russia.

Of greater concern are the powerful middle powers that do not currently feature on, or only sit near the fringes of, the list of the “usual suspects”. As we have seen, several states such as the UAE and Saudi Arabia are already conducting hostile activities against dissidents overseas, and targeting local rivals with online disinformation and cyber effects operations. These states – often authoritarian or with autocratic tendencies – have similar concerns to the core revisionists about regime stability, and in some cases harbour ambitions to project power and influence across their regions. Considering the febrile geopolitical environment, they face both temptations and imperatives to use and expand their covert hostile activities. This will be even more the case if the leading exploiters of such methods, such as Putin, are perceived as not only getting away with such behaviour, but thriving as a result. Journalist Gideon Rachman observes that the repressive techniques of “strong man” leaders like Putin have become the role models for aspiring autocrats. It is not unlikely that they might seek to emulate them in the international arena too.

There is a further risk that Western or Western-oriented powers might do the same. As much as a decade ago, political scientist Alexander Cooley noted that some “backsliding democracies” were “beginning to imitate … [authoritarian] practices” at home. More recently, Rachman and others have highlighted how even in established democracies, strong man leaders ‒ Erdoğan in Turkiye, Viktor Orbán in Hungary, Modi in India and Benjamin Netanyahu in Israel – have increasingly come to the fore. Such leaders show “contempt for the rule of law” and international norms, as well as a tendency to vilify enemies, both foreign and domestic. Although more constrained by the checks and balances of liberal democracy and the niceties of relationships with the US and others, such states are also exhibiting greater defiance and bravado on the world stage, as India’s apparent willingness to carry out assassinations on North American territory suggests.

For both non-aligned and Western-oriented middle powers, the imperative to follow a more aggressive foreign policy is partly a response to geopolitical reality. With the waning of the US as global policeman – a process that seems likely to continue ‒ such states have a pragmatic need to look after their own interests in “tough neighbourhoods” – an argument that Israel has used for many years. Jodi Vittori, an expert in corruption and state fragility interviewed for this project, observed that it was “a weak assumption to think that states which have historically looked to the US for security will always do so in the future”. Discussing the example of the UAE, Vittori commented, “it is a perfect example of the irrelevance of old assumptions. The UAE’s behaviour reflects its beliefs that not only can it not rely on the US, but it may not think it needs to any more”.

As the core revisionist states have already found, the least risky means of pursuing repressive and aggressive policy goals are state threats, and it is likely that middle powers will follow this pattern. Such methods are well-suited to the needs of smaller powers because, as Naim notes, “[such] advantages and techniques … wear down, impede, undermine, sabotage, and outflank the megaplayers in ways that [they], for all of their vast resources, find themselves ill-equipped and ill-prepared to resist”. Such methods are also becoming increasingly acceptable as tools of statecraft. For example, assassination – once largely eschewed by most states – has become something of a “macho” badge of honour, even for a democracy such as Israel. Cormac reflects on how the use of such tools has become something of a vicious cycle: “states get away with killing because other states get away with killing. As more leaders … go unpunished for using poison or suffocation to despatch enemies, the taboo against killing erodes”. The question then becomes, if everyone else is doing it, why aren’t we?

9.6. Future scenarios

Overall, the best-case scenario for state threats and hostile acts is that they remain at their current levels; more likely, however, seems to be a middle-case scenario of an increasing intensity and range of hostile actions, among a wider range of states. The worst-case scenario is that the growing use of state threats will trigger open military conflict, although cases of covert activities having that effect in the past are difficult to find.

Russia, Iran and North Korea, already highly antagonistic towards the West, will seek an increasing variety of ways to challenge and disrupt the US and its allies. The most difficult country to assess is China. While taking a gradually more aggressive stance in several spheres, and cultivating close diplomatic and economic ties with Russia and Iran, China has been nuanced in its approach. This nuance seems unlikely to be discarded unless military conflict ensues in the South or East China Seas, but the trends of recent years suggest that China will increasingly use its resources in an underhand and hostile way.

How might the middle-case scenario play out? Firstly, states already using hostile acts will probably seek to improve the operational quality and impact of their current activities, as well as increasing the intensity of activities within their current domains of operation. This could lead to several outcomes:

  • More assassination attempts and attacks on dissidents and foreign nationals, either through a greater use of non-state actors, or deniable means such as attack drones, and exotic weapons such as poisons or the microwave technology that some believe is being used to cause Havana syndrome.

  • More ambitious efforts at sabotage and cyber effects operations directly against Western states, using both pre-positioned explosives and computer malware, or ad hoc physical attacks by non-state actors working for financial or political incentives, along the lines of lone-actor/small cell models common to contemporary Islamist extremism. Developments might include attacks on ground-based infrastructure such as pipelines, communications cables and transport links. More sophisticated state-led attacks might include efforts to disrupt aerial or space traffic through “accidents” resulting from reckless behaviour.

  • More attempts to overburden Western social and economic systems, actively weaponising the operations of OCGs to create chaos and undermine trust in government institutions. OCGs could continue to profit illegally from their core trades such as trafficking drugs, people and weapons, and varieties of theft and fraud and so on, while states with links to such groups could seek to encourage and enable them to increase the scope and intensity of their efforts, specifically as a form of weapon.

  • More aggressive electoral interference, such as attempts to tamper with voter rolls, disrupt electronic voting systems or manipulate social media on the day of an election to affect turnout or even rig votes. As Jessica Garland, director of policy and research at the UK Electoral Reform Society, suggested during interview, the combination of means of interference now available to state and non-state actors made it “a real possibility, a real danger, that a failed election might bring the legitimacy of a democratic system into doubt”.

Revisionist states will also probably deploy hostile behaviours in a wider range of domains and geographies, responding to targets’ attempts to build their resilience. “Even when a country manages to plug its vulnerability in one area, aggressors can move to a different area or new type of aggression,” writes Braw. “From food supplies to mental health provision, stockpiles of petroleum to media literacy classes … there is a very real truth to this concern that in the modern age pretty much everything can be weaponised”, Galeotti has also observed. Identifying what forms such novel modes of aggression might take is as much a test of the imagination as one of scholarship; as former market trader Nassim Nicholas Taleb famously concluded, true “Black Swan events”, unforeseen or unexpected events with major consequences, are, by definition, not predictable.

Perhaps an initial step therefore is to look to the types of hostile activity that have so far been judged as beyond the boundaries of current acceptability. These could include state-sponsored terrorism. Iran already has connections with terrorist groups, and although Hezbollah suffered heavy damage from Israeli attacks in the autumn of 2024, it has retained an extensive international network in Europe and Latin America. Russia and North Korea also have a history, if not a contemporary record, of links to several terrorist groups. Depending on the development of the threat environment, sponsorship of anti-Western terrorist attacks might be revived.

A further risk is the revival of what Galeotti has called “economic guerrilla warfare”, which has traditionally involved distributing counterfeit money to degrade currencies, or stimulating strikes to cause domestic disruption. In the heavily financialised modern economy, this approach could be applied in several novel ways. One possibility would be to target the individual finances of dissidents or foreign officials. This is not an outlandish prospect: as mentioned, the US considered using it against President Milošević’s bank accounts during the Kosovo war. Another option would be for a hostile state to offload its investments in, for example, a target state’s debt, to destabilise the target state’s economy. Former US Treasury secretary Hank Paulson described how, during the global financial crisis, Chinese officials informed him that Russia had suggested dumping US mortgage debt to destabilise the US economy, an idea which the Chinese said they had rejected. A further possibility, enabled by the growing importance of technology in financial markets, would be to use cyber techniques to tamper with trading algorithms to trigger flash crashes, or distribute disinformation on social media to generate financial panic and bank runs. Considering the complexity and integration of international markets, the options are numerous.

9.7. Conclusion

We thus face the prospect of a messy, confusing and dangerous world that is difficult to understand and navigate. Within such a world, Krieg suggests, conflict “exists on a continuum with no clear beginning or no clear end”. As Galeotti describes, “we are heading into an age when everyone may be in at least some kind of a state of ‘war’ with everyone else, all the time, and it is just a matter of degree”.

With geopolitical tensions and risk tolerances rising, therefore, states are likely to employ increasingly risky measures. Not only will Western states be increasingly targeted by revisionist states such as Russia and China, but they will also need to survive in an international environment where previously accepted norms of behaviour, far from being universally followed, decline even further in influence. Western states will not only be the targets of hostile action but will also probably suffer collateral damage from acts not directly targeting them. Beyond the West, state-on-state hostile activity is also likely to increase if current trends continue. It will undoubtedly be a more dangerous global environment than the one Western countries currently face.

How much more dangerous is hard to predict. Novel types of threat will probably emerge, but they are unlikely to be any more the apocalyptic wonder weapon than cyber was originally feared to be. New technologies will bring more offensive potential, but also new tools for defence. A range of constraints on hostile acts, even if looser than before, will also probably remain. Complex operations will continue to be difficult to mount and unexpected events will continue to get in their way. While revisionist states are likely to push the thresholds of risk further, they will probably still avoid actions they believe will trigger a war ‒ unless, of course, it becomes their intention to do so.

An increasingly unwelcoming global situation does not therefore imply apocalypse, but it does suggest an environment as tense as – and much more complex than – the Cold War. How well-prepared Western governments are to cope with this is an open question. Current resilience efforts are likely to help, but so far, these have been intended to make good on past deficiencies, to meet the threat as it is and not as it has the potential to become. Although there is no immediate cause for panic, governments need to consider what more they can do to prepare their societies for an even more tumultuous geopolitical landscape.

10. Conclusion

Looking ahead, Western governments should not be overconfident about the strength of their current position or the adequacy of their current level of response. The corrosive effects caused by persistent hostile activity may indeed begin to show over time, and if the intensity and impact of hostile activity increases, current levels of Western resilience, and the efforts to improve it, may not be enough. As those preparing flood defences in a period of climate change have found, relying on past crises as a measure of likely future dangers is a risky course of action. Records have a bad habit of being broken.

10.1. Policy issues

As stated at the outset, this paper is not intended to provide an assessment of current or potential policy responses to the state threats issue. Such an assessment would be extensive and cannot be done justice here. However, both the findings of the STT workshops and the research behind this paper suggest a number of policy areas that require further consideration:

  • Understanding the real scope and character of the threat ‒ It is easy to see state threats in simplistic ways: on one hand, as a return to the Manichean conflicts of the second world war and the Cold War, with the West opposing an authoritarian alliance willing to use hostile acts. There is more than a little truth in this interpretation; Western states are indeed subject to sustained hostile action. However, this situation is part of a wider environmental change in power balances and international norms, where “delinquents” such as Russia and Iran are enlarging the scope for bad behaviour among states more widely. Both elements of the problem need to be addressed in a joined-up way.

  • The mutability and variety of hostile activities – As we have seen, state threats have various morphologies, with patterns of usage that can vary over time and between states. Any effective policy response thus needs to: (a) be historically grounded; (b) be shaped by current intelligence; and (c) anticipate that patterns and sources of hostile behaviour can and will change. In some areas, Western countries are well-placed to do this because of the high competence of their intelligence agencies, but as several expert interviewees remarked, these agencies have also been woefully under-resourced in linguistic and cultural expertise, especially on Asian societies such as China. Care will also be needed to avoid focusing on novelty alone. Older challenges, such as human-managed espionage, remain just as important as ever and will deserve proper attention.

  • The scope of vulnerabilities and dependencies ‒ Open societies present significant attack surfaces for aggressive states. Considering the trend towards weaponising unconventional means, it is in a government’s interests to understand the full spectrum of the country’s vulnerabilities, even if those vulnerabilities cannot all be addressed at once. At the same time, governments need to understand the full range of their political, economic and social dependencies on other states, assessing their potential for exploitation, and prioritising them accordingly. In theory, a large part of responding to state threats will involve the target-hardening of concrete processes, networks and assets, and people, all of which are comparatively easy to map and measure. However, governments will also need to address the more intangible aspects of democratic and societal resilience, which have often been seen as too hard to tackle.

  • Understanding the unhelpfulness of the Western “peace/war” dichotomy ‒ Western countries have so far largely categorised how they deal with the problem of state threats in legalistic ways, separating out the behaviours of “peace” and “war” into distinct spheres, and following that same logic in shaping policy. If this continues, Western countries are likely to remain limited and unimaginative in their responses, and will continue to encourage other states to undertake hostile acts that will not be met in an effective way. If this is to be the approach – one based largely on resilience, rather than on either (a) deterring such behaviour or (b) seeking to uphold existing international norms – then it needs to be explicitly recognised that Western countries are forgoing opportunities to react or proactively shape the environment.

Governments will also need to consider how best to organise their responses – the how and the who ‒ giving particular attention to the cross-domain character of state threats and in some instances, such as China, the broader grand strategies of which they will need to be a part. Beyond the US, most Western states – including the UK – have not thought in grand strategic terms for many decades, for various – understandable – reasons. With the nature of the threat as it appears to be, however, this might need to change.

As part of this change, it will be all the more important for governments to develop coherent risk assessments of the state threats they face, and integrated strategies across all sectors. Governments will need to develop a “single point of view” on state threats, and effective leadership and coordination mechanisms to guide and oversee strategic implementation, necessitating closer cooperation between agencies and government departments dealing with different dimensions of the same threat, such as law enforcement and intelligence agencies tackling the activity of state-linked OCGs.

Given that so much of the contemporary threat targets the “soft underbellies” of open societies, governments will also need to consider how the public, private and third sectors of society cooperate. Cooperative action will need to be considered across borders too, and how best to manage any multilateral efforts, whether through existing arrangements (such as NATO, Five Eyes, the G7 or EU), their augmentation or dedicated alternative mechanisms.

One of the key questions governments will have to address, moreover, is how to balance their policy responses between strictly defensive, responsive and offensive measures. In most cases at present, states are following a state-agnostic resilience model, avoiding tit-for-tat or direct responses or active engagement with hostile actors. The one exception is perhaps in cyberspace, where “persistent engagement” with attackers and offensive operations are now in vogue, at least as subjects of scholarly discussion.

Considering the nature of the threat landscape, however, it seems unlikely that this approach will affect the calculations of states that show deeply entrenched hostility towards the West. Western governments will therefore need to consider whether they are willing not only to protect themselves, but perhaps react or even escalate in response. How they might do so is a major discussion in its own right, from using covert efforts to sabotage and undermine hostile acts in process, to more offensive measures to disrupt targets of value to the hostile state. Western states need to think hard about how to change aggressors’ “return on investment” calculations, not only by reducing the impact of hostile state behaviours, but also by imposing costs upon them that might change their decision-making processes.

Across the spectrum of measures taken, Western governments will need to calibrate how far they are willing to go. Full-spectrum resilience could place demands on open societies that they have not faced for over three decades or even longer. Efforts to identify and root out past and continuing subversion and malign influence, like Robert Mueller’s special counsel investigation of Russian interference in the US presidential election of 2016, could have a negative effect on already low public trust in public institutions. There will also be natural and appropriate concerns about the risks of heavy-handed legislation or regulation affecting fundamental freedoms, whether political, social or economic. The cost of upgrading the resilience of existing systems, structures and processes, or better yet building in resilience “by design”, would need to be explicitly accepted by governments, the private sector and the public; checks and balances to protect civil liberties on intrusive legislation, such as legislative renewals and sunset clauses, would need to be considered.

There would be external risks too; more offensive measures could trigger escalatory responses and unintended consequences. The disruption of the personal finances of a hostile political leader would certainly pose the risk of reciprocation, and potentially erode the integrity of the international financial system. Quite apart from triggering a hostile response, moreover, such behaviours would have a potentially degrading effect on the West’s idea of itself, its standards and its wider reputation. Most Western governments continue to agree with former US secretary of state and national security advisor Henry Kissinger’s judgement that “we need an intelligence community that, in certain complicated situations, can defend … national interests in the gray area where military operations are not suitable and diplomacy cannot operate”. But contemporary policymakers are wary too of reverting to some of the excessive behaviour of US intelligence agencies during the Cold War, which had such damaging domestic and international effects on the US government’s reputation. Western states take pride in their liberal heritage, and understand themselves to be acting to high standards. While far from completely innocent, most cleave close to this line, eschewing the full spectrum of hostile activities other states might use; when covert activities are applied, they are usually circumscribed within legal and ethical bounds intended to maintain proportionality. Were legal and ethical tolerances to change dramatically, and the consequences of these changes to become public, it could have dramatic and negative effects on public trust in the institutions of government. It would, in addition, pose wider risks to the reputation of Western states as upholders of international standards, feeding Russian and Chinese narratives about “Western hypocrisy”, and further undermining the integrity and stability of the rules-based order the West supports.

10.2. Research agenda

Such policy changes will not occur without a broad evidence base, however; further research should also play an important role in supporting the development of relevant policy responses. Notwithstanding this paper, more needs to be done to identify and, if possible, quantify the patterns and morphologies of state threats by source, type and method. There is a strong case for partnerships between government, academia and policy research to pool their knowledge to develop a more sharply defined and potentially quantitative picture of the threat, with possible projects including:

  • An independent state threats database to capture trends over time.

  • A detailed evaluation of state threats’ effectiveness through a wider range of available criteria and heuristics.

  • An evidence review/horizon scan of emerging and future threats, and trends in weaponisation.

  • A stocktake of Western countries’ key vulnerabilities to, and dependencies on, hostile, potentially hostile and non-aligned states.

In addition, governments need to develop a better understanding of the range of responses that are being deployed ‒ and might yet be deployed ‒ by states to tackle a variety of hostile threats. This could include evidence reviews and assessments of:

  • Multilateral and state strategies and policies.

  • Approaches towards the “intangible” challenges of political and social resilience.

  • Historic policy approaches to analogous domestic challenges (such as the Cold War or the threat from international terrorism post-9/11).

  • The role and risks of potential models of “forward defence” or “offence”, in keeping with Western norms and standards that could be applied alongside a resilience-based approach.

  • The potential to weaponise Western areas of strength, such as economics, trade and finance, or even intelligence collection.

This paper further demonstrates that the challenge of state threats needs to be looked at in a broader context than simply “the West versus the rest”. Geopolitical climate change is affecting the behaviour and normative standards of a wide range of states, including important non-aligned middle powers. This development thus deserves further dedicated review, both from the perspective of the scale, scope and character of these powers’ use of hostile activity, and also in consideration of anti-proliferation techniques that might be used to discourage its spread. Although not as pressing a challenge as that posed by the four core revisionist states, middle powers pose a future risk better addressed now rather than later.


Matthew Redhead is a researcher and writer on financial crime and national security topics, and an independent risk consultant to the FinTech and RegTech sectors. He is also a regular contributor to Jane’s Intelligence Review on serious organised crime, financial crime, terrorism and intelligence. He has extensive experience in financial services, having trained as a “front office” banker for HSBC in the 1990s, and worked for seven years in various senior roles in that same bank’s financial crime risk function, leaving as Global Head of Strategic Intelligence in April 2018. He has also served as a government official at the MoD, and on secondment at the Office of Security and Counter-Terrorism (OSCT) at the Home Office. He has considerable experience working in several fields of management consultancy for PwC and Matrix Knowledge Group.
