The CSIS paper proposing a European Cyber Operations Group, published earlier this month and finally getting the attention it deserves this week as the broader policy community processes it, is ostensibly a policy recommendation: a select group of nations, operating under the European Intervention Initiative or a similar structure, providing a “single unified front” for counter-hybrid warfare cyber operations. It sounds procedural. It’s actually the clearest articulation I’ve seen of the fact that Russia has been running an unconstrained sabotage and cyber campaign against European infrastructure for the better part of three years and Europe has not, to date, figured out how to impose costs that change the calculation. The ECOG proposal isn’t an exciting new idea. It’s a fire alarm. It was written because German authorities counted 321 suspected sabotage cases in Germany alone in 2025. Because Russian hackers targeted Polish critical infrastructure, a Norwegian dam, Danish utilities, and EU institutions, in attacks that the CSIS paper describes as “officially unattributed”, meaning everyone knows who did it and nobody has figured out how to respond in kind. The ECOG is what you propose when the status quo has been failing for long enough that a respected think tank decides to write down exactly how badly.
What’s Actually Happening
On March 12, 2026, CSIS published “Enter Europe’s Cyber Deterrence” — a detailed paper proposing the creation of a European Cyber Operations Group as a structural response to Russia’s hybrid warfare campaign against European infrastructure. The paper’s opening statistical frame should be read slowly: 219 incidents of suspected Russian hybrid warfare in Europe between 2014 and 2025, with nearly half occurring in 2024 alone. German authorities, per German media reporting revealed in February 2026, counted 321 suspected sabotage cases in Germany in 2025. In a single country. In one year. And that number was revealed by German media, not by German official statement — because the official acknowledgement of those incidents as a coordinated Russian campaign would require responses that European governments haven’t agreed on.
The documented incidents in the period include: cyberattacks on Polish critical infrastructure, a Norwegian dam, Danish utilities, and EU institutions (per the CSIS paper, all officially unattributed); drone intrusions over airports and defence facilities in Germany and Finland; GPS spoofing incidents in the Baltics; railway disruption in Germany; cable sabotage in France; Russian shadow fleet vessels using dual-use ships under third-country flags to cut Baltic Sea fibre cables — an operation that GLOBSEC’s analysis describes as specifically designed to “maintain plausible deniability”; and the Zapad-2025 Russian military exercises, which coincided with 570 NATO fighter intercept missions — nearly triple the 2023 figure.
The CSIS paper’s structural diagnosis is the important part. Neither the European Union nor NATO, in its current configuration, “is structurally equipped to deliver the two necessary pillars of European cyber deterrence: (1) strategic operations in wartime and (2) gray zone compellence to counter hybrid warfare activities.” The EU’s cyber operational capability — the EU Cybersecurity Agency ENISA, the CDCC, the SIAC fusion cell — is “starved of funding” and has “not been fully implemented.” NATO’s collective cyber defence rests heavily on US Cyber Command capabilities and US intelligence. And the US, under Trump’s second term, is explicitly recalibrating its European security engagement downward. The European Commission president described critical infrastructure as “the new frontier of warfare.” The EU Commissioner for Home Affairs warned that “there’s a map somewhere in Russia pinpointing hospitals, power plants and water supply as targets.” Both statements are accurate. Neither has produced the operational structure the ECOG paper is proposing.
The CEPA analysis from December 2025 frames the strategic incentive correctly: hybrid operations have “generated political anxiety at minimal cost.” German authorities counted 321 suspected sabotage cases in a single year and nobody agreed on what the proportionate response should be. That’s not a deterrence posture. That’s a free lunch, and the Kremlin has correctly identified it as such.
Recorded Future’s published analysis of Russia’s new generation warfare doctrine describes the operational architecture in terms that every enterprise security team should recognise: three intelligence services with distinct operating profiles — GRU for disruptive high-tempo operations, FSB for long-running access and critical infrastructure focus, SVR for stealthy long-dwell espionage — operating as a portfolio, not a monolith, with “redundancy” that increases overall operational resilience even when inter-agency coordination is imperfect. This is not an improvised campaign. This is doctrine.
The Cyber Layer Nobody Is Writing About
The mainstream coverage of Russian hybrid warfare focuses on kinetic incidents — the drone over the airport, the cable cut, the arson at the defence contractor facility. These are legitimate stories. The underreported cyber layer is the operational integration between the physical sabotage and the digital infrastructure attacks, and what it means for European enterprise security posture specifically during a period of US strategic retrenchment.
The GLOBSEC and ICCT analysis documents 151 Russia-related hybrid incidents since 2022 that include “a mix of cyber and kinetic attacks.” These aren’t parallel tracks. Per the Medium analysis of Russia’s hybrid doctrine, Telegram-timed influence operations are “synchronized with cyber activity,” with “wiper staging aligned with geopolitical events rather than purely technical triggers.” Russia’s hybrid operations are coordinated campaigns where cyber, physical, and information effects are sequenced to compound each other. A cyberattack on a logistics network is more effective when it coincides with an influence operation claiming the attack was the victim’s own negligence. A cable cut is more valuable when it happens alongside GPS spoofing that creates navigation uncertainty in the same geographic area. The CSIS paper’s proposal for ECOG is specifically designed to address this integration at the counter-operations level — but it doesn’t exist yet.
The US withdrawal dimension is the part that most acutely changes the risk calculus for enterprises operating in Europe. CSIS’s paper is explicit: “Europe remains highly dependent on U.S. cyber capabilities, creating strategic risk as U.S. involvement in European security declines.” The Defend Forward doctrine, US Cyber Command’s proactive approach of engaging adversaries in their own networks before they can operate against US and allied systems, has provided a layer of deterrence cover for European infrastructure since 2018. If that cover is being reduced as part of Trump’s broader transactional approach to NATO, the gap that ECOG proposes to fill is not hypothetical. It’s the operational consequence of a policy decision already in progress.
The Recorded Future analysis of Russia’s new generation warfare notes that Putin “likely views the next two years as an opportunity to exploit existing US-NATO tensions.” That assessment was published before the Trump-Xi negotiations that are now openly framing US alliance architecture as tradeable. The combination of confirmed Russian operational tempo, confirmed US strategic retrenchment, and confirmed absence of European counter-hybrid capability is the specific environment in which the ECOG paper was written.
My work on horizontal peace frameworks in Ukraine and on Trump’s NATO posture addresses the structural drift in Western security architecture that the CSIS paper is responding to operationally. The ECOG proposal is the security community acknowledging that the alliance architecture it was built around may not be available in the form it has existed. My research on submarine cable infrastructure protection directly addresses the Baltic Sea cable targeting that Russian shadow fleet operations represent — the cables that carry European enterprise internet traffic are targets in the same campaign that is hitting power grids and airports.
Why It Matters Beyond the Conflict Zone
Here is the enterprise translation, stated without diplomatic softening.
Any organisation operating in Europe, or with significant supply chain exposure to European companies, is operating in an environment where state-sponsored hybrid warfare has produced 321 suspected sabotage cases in Germany in one year, repeated cable cuts across the Baltics, GPS spoofing in Northern Europe, and cyberattacks against critical infrastructure in Poland, Norway, and Denmark. The absence of a coordinated European counter-hybrid capability means those operations carry minimal cost for Russia and have been increasing in frequency and ambition. The GLOBSEC analysis describes a “fourfold increase in sabotage and vandalism operations compared to the previous year.”
The specific vectors that Russian hybrid operations have used against European infrastructure are not hypothetical for enterprise security teams. VPN appliances with unpatched CVEs are a documented FSB intrusion vector — the same class of vulnerability that INC Ransom weaponised against Australian healthcare providers in eighteen months of largely undetected operation. Long-dwell SVR access through compromised supply chains is exactly the technique that produces the kind of persistent access that CISA advisories describe as “difficult to remediate” without complete rebuild. The hybrid campaign hitting European infrastructure is running the same technical playbook against which enterprise defences need to be calibrated.
The disinformation component — documented by EUvsDisinfo, France’s Viginum, and the GLOBSEC analysis as integrating AI-generated fake content, Portal Kombat and Pravda network operations, deepfakes, and LLM-based content corruption — has direct enterprise implications in two ways. First, AI-generated fake regulatory guidance, fake government advisories, and fake security alerts can be used to misdirect incident response. Second, LLM content corruption — documented in the Policy Genome 2026 study — affects AI tools that enterprise organisations use to process news and intelligence feeds. If your threat intelligence pipeline includes AI summarisation of open-source intelligence, its outputs can be manipulated by campaigns that flood the source material with coordinated disinformation.
What Went Wrong
The CSIS paper’s structural diagnosis is the honest answer: Europe has been treating coordinated hybrid warfare attacks as isolated criminal incidents rather than “elements of a coherent Russian doctrine.” That framing is not accidental. It’s a political choice that allows governments to avoid the uncomfortable question of what the appropriate collective response to an acknowledged attack would be, because the answer might require capabilities and commitments that politically fractured European governments are not prepared to authorise. Germany sitting on 321 sabotage incidents without official attribution is not intelligence failure. It’s political management.
The US dependency failure is the second structural problem. Defend Forward, US Cyber Command’s proactive posture, has provided a deterrence layer for European infrastructure that European cyber capabilities have never been resourced to replace. The decision to make that a dependency rather than building the European capability alongside it was a decade-long procurement and political failure. The ECOG paper is proposing to fix that. It should have been proposed and funded ten years ago.
The Fix — Fixer’s Advice
For enterprise security teams operating in Europe, the ECOG proposal tells you something important: the policy community does not expect this threat environment to improve on its current trajectory. The ECOG is a proposal, not a capability. It will take years to build if it gets political momentum. In the meantime, the operating environment is what it is.
Edge device exposure audit:
Russian hybrid operations target VPN appliances, firewalls, and other network edge devices as primary intrusion vectors, specifically via unpatched CVEs in products from vendors including Fortinet, Ivanti, Citrix, and Cisco. Conduct a complete audit of every internet-facing edge device in your European operations: what firmware version is it running, when was it last patched, and is the vendor under active advisory for an unpatched vulnerability? CISA’s Known Exploited Vulnerabilities (KEV) catalog is the minimum baseline for prioritisation; a device whose last patch predates the date a KEV entry for its product was added has been exposed for the entire period the flaw has been known to be exploited. Two caveats a practitioner should build in. Patching does not evict an intruder who is already on the appliance: web shells, added accounts, and modified configurations survive firmware upgrades, so any device that sat unpatched past a KEV due date needs a compromise assessment (vendor integrity checker, configuration diff, outbound-connection review), not just an update. And KEV lists only what CISA has confirmed as exploited, so vendor advisories and the actual running version still have to be checked directly.
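A minimal version of that audit, as an added example for this article (not code from the CSIS paper, CISA, or any vendor): cross-reference a device inventory against KEV entries and classify each device by whether its last patch date predates the KEV listing. SAMPLE_KEV is a constructed subset in the schema of the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the CVE IDs are real KEV entries, but the dates are reproduced from memory, so load the live feed in practice. The inventory, hostnames, patch dates, the vendor/product matching rule, and the status labels are all assumptions.

```python
"""Cross-reference an edge-device inventory against CISA's KEV catalog.

Added example, not from the CSIS paper, CISA, or any vendor tool.
SAMPLE_KEV mimics the live feed's schema (cveID, vendorProject, product,
dateAdded, dueDate); dates here are from memory, so use the live feed.
INVENTORY and the matching rule are constructed assumptions.
"""
import json
from datetime import date

SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
        {"cveID": "CVE-2022-42475", "vendorProject": "Fortinet",
         "product": "FortiOS", "dateAdded": "2022-12-13", "dueDate": "2023-01-03"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2024-04-12", "dueDate": "2024-04-19"},
        {"cveID": "CVE-2023-20198", "vendorProject": "Cisco",
         "product": "IOS XE Web UI", "dateAdded": "2023-10-16", "dueDate": "2023-10-20"},
    ]
}

# Constructed inventory: internet-facing devices with the date their firmware
# was last updated, taken from the CMDB rather than the device's own claim.
INVENTORY = [
    {"host": "vpn-fra-01", "vendor": "Ivanti", "product": "Connect Secure", "last_patched": "2023-11-02"},
    {"host": "fw-waw-01", "vendor": "Fortinet", "product": "FortiOS", "last_patched": "2024-06-15"},
    {"host": "adc-cph-01", "vendor": "Citrix", "product": "NetScaler", "last_patched": "2023-09-01"},
    {"host": "fw-osl-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "last_patched": "2024-04-20"},
    {"host": "rtr-hel-01", "vendor": "Cisco", "product": "IOS XE", "last_patched": "2024-01-05"},
]

SEVERITY = {"OVERDUE": 0, "UNPATCHED_SINCE_KEV": 1, "VERIFY": 2}


def load_kev(text):
    """Parse KEV feed JSON (live download or json.dumps(SAMPLE_KEV)) into its entry list."""
    return json.loads(text)["vulnerabilities"]


def matches(device, entry):
    """Assumed rule: same vendor (case-insensitive) and the device's product
    keyword appears in the KEV product string."""
    return (device["vendor"].lower() == entry["vendorProject"].lower()
            and device["product"].lower() in entry["product"].lower())


def assess(inventory, kev, today):
    """Return one finding per (device, KEV entry) pair, most urgent first.

    A device last patched before the entry's dateAdded cannot carry the fix,
    so it has been exposed for as long as the flaw has been known-exploited.
    A device patched after dateAdded probably carries it, but only the running
    version checked against the vendor advisory proves that.
    """
    today = date.fromisoformat(today)
    findings = []
    for dev in inventory:
        patched = date.fromisoformat(dev["last_patched"])
        for e in kev:
            if not matches(dev, e):
                continue
            added = date.fromisoformat(e["dateAdded"])
            due = date.fromisoformat(e["dueDate"])
            if patched < added:
                status = "OVERDUE" if today > due else "UNPATCHED_SINCE_KEV"
                action = ("patch now, then run a compromise assessment: "
                          "patching does not evict an intruder already on the device")
            else:
                status = "VERIFY"
                action = "patched after KEV listing; confirm running firmware against the vendor advisory"
            findings.append({"host": dev["host"], "cve": e["cveID"], "status": status,
                             "days_since_kev": (today - added).days, "action": action})
    findings.sort(key=lambda f: (SEVERITY[f["status"]], f["host"], f["cve"]))
    return findings


def run_sample(today="2026-03-20"):
    """Assess the constructed inventory against the constructed KEV subset."""
    return assess(INVENTORY, load_kev(json.dumps(SAMPLE_KEV)), today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['status']:<20} {f['host']:<12} {f['cve']:<16} {f['days_since_kev']:>5}d  {f['action']}")
```

In practice the inventory comes from the CMDB or a scanner export and the KEV list from the live feed; the point of the classification is that "patched recently" is not the same as "patched after the exploited flaw became public", and anything in the OVERDUE bucket is a hunt target before it is a patch target.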
OT and operational resilience for European facilities:
If you operate manufacturing, logistics, energy, or any industrial function in Europe, review whether your OT environment has network paths to the internet or to IT networks that haven’t been explicitly scoped and hardened. The Russian hybrid campaign specifically targets operational technology in “defence production facilities, transport corridors, and commercial and defense supply chains,” per the GLOBSEC analysis. That targeting profile applies to NATO defence contractors directly and to any enterprise in the European logistics and manufacturing ecosystem indirectly. OT visibility tooling, protocol-specific detection, and network segmentation review are not optional in this environment.
GPS dependency assessment:
Russian GPS spoofing operations in the Baltics and Northern Europe, documented across multiple incident reports, directly affect any logistics, maritime, or aviation operation that depends on GPS timing and positioning. Review what operations your organisation conducts that would be disrupted by GPS spoofing in the affected geographic regions. For logistics operations specifically, identify alternative positioning and timing references for critical operations, and ensure that GPS disruption scenarios are in your operational contingency planning. Timing dependencies are the ones most often missed: GNSS-disciplined clocks feeding NTP or PTP to data centres, trading systems, and telecom equipment fail in the same spoofing event as the navigation receivers, so include time sources in the review and confirm that your time servers hold over or alarm when the satellite signal becomes inconsistent rather than silently following it.
Supply chain communications security review:
The Russian shadow fleet’s Baltic Sea cable cuts create intermittent disruption to internet traffic routing in Northern Europe. If your European operations depend on connectivity routed through Baltic subsea infrastructure, understand your actual resilience to routing disruptions. Cloud providers route around cable cuts automatically in most cases, but latency spikes, temporary outages, and reduced bandwidth during rerouting are realistic scenarios. Identify which operations require continuous low-latency connectivity and what the operational fallback is.
Disinformation hygiene for threat intelligence:
The documented LLM content corruption and AI-generated fake advisory campaigns require explicit hygiene practices for enterprise threat intelligence workflows. Verify security advisories through official vendor channels and government cybersecurity agency sites directly, not through AI-summarised news feeds. Establish a verification workflow for any security guidance that arrives through non-official channels, including email alerts from third-party aggregators that may themselves be sourcing from compromised feeds. When your SIEM or threat intelligence platform surfaces a new advisory, verify it against the primary source before operationalising the guidance.
Incident response — hybrid campaign awareness:
Update your incident response playbook explicitly to include hybrid warfare campaign scenarios. Specifically: a scenario where a cyber incident coincides with a physical disruption in the same geographic area (which Russia’s operational doctrine synchronises) requires a different initial investigation frame than a standalone cyber incident. Train your SOC team to flag geographic correlation between cyber alerts and physical infrastructure incidents. The playbook should also include a disinformation assessment step — when a major cyber incident occurs, the first wave of social media attribution is frequently deliberately seeded misinformation designed to misdirect responders.
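A concrete form of the geographic-correlation step, as an added example for this article (not a SOC product and not from the CSIS paper): join incoming cyber alerts against a feed of physical incidents by distance and time, switch the investigation frame to "hybrid" when they coincide, and attach the extra playbook steps, including the disinformation check. Every alert and incident below is constructed; the 150 km radius, the 12-hour window, and the site coordinates are assumptions a SOC would tune to its own footprint.

```python
"""Geo-temporal correlation of cyber alerts with physical incidents.

Added example, not a SOC product or anything from the CSIS paper.
All alerts, incidents and coordinates are constructed; the 150 km radius
and 12-hour window are assumed starting points, not doctrine.
"""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed cyber alerts, each tagged with the site's coordinates from the CMDB.
CYBER_ALERTS = [
    {"id": "A1", "time": "2026-03-14T02:10:00", "site": "Warsaw DC",
     "lat": 52.23, "lon": 21.01, "summary": "mass file overwrite on OT historian"},
    {"id": "A2", "time": "2026-03-14T03:05:00", "site": "Gdansk port terminal",
     "lat": 54.35, "lon": 18.65, "summary": "VPN appliance config export from unknown IP"},
    {"id": "A3", "time": "2026-03-10T11:00:00", "site": "Lisbon office",
     "lat": 38.72, "lon": -9.14, "summary": "credential phishing click"},
]

# Constructed physical-incident feed (facility security, national CERT bulletins, NOTAMs).
PHYSICAL_INCIDENTS = [
    {"id": "P1", "time": "2026-03-14T01:40:00", "lat": 54.38, "lon": 18.47,
     "type": "drone intrusion over port area"},
    {"id": "P2", "time": "2026-03-13T22:00:00", "lat": 55.60, "lon": 16.00,
     "type": "subsea cable fault, Baltic"},
    {"id": "P3", "time": "2026-03-14T00:30:00", "lat": 52.17, "lon": 20.97,
     "type": "GNSS interference reported at airport"},
]

# Extra steps attached when an alert lands in the hybrid frame.
PLAYBOOK = {
    "hybrid": [
        "Open the case as a possible coordinated campaign, not an isolated intrusion",
        "Notify physical security and the site lead; share timelines in both directions",
        "Treat early social-media attribution as unverified: log claims, act only on primary-source evidence",
        "Check whether the cyber effect amplifies the physical one (e.g. logistics outage during navigation disruption)",
    ],
    "standalone": [
        "Run the standard incident playbook",
        "Re-run this correlation as new physical-incident reports arrive",
    ],
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def triage(alerts, incidents, max_km=150.0, window_hours=12.0):
    """Map each alert id to its investigation frame and the physical incidents it overlaps.

    An alert is 'hybrid' when at least one physical incident lies within max_km
    of the affected site and within window_hours (before or after) of the alert.
    """
    window = timedelta(hours=window_hours)
    result = {}
    for a in alerts:
        t_a = datetime.fromisoformat(a["time"])
        linked = []
        for p in incidents:
            t_p = datetime.fromisoformat(p["time"])
            close_in_time = abs(t_a - t_p) <= window
            close_in_space = haversine_km(a["lat"], a["lon"], p["lat"], p["lon"]) <= max_km
            if close_in_time and close_in_space:
                linked.append(p["id"])
        frame = "hybrid" if linked else "standalone"
        result[a["id"]] = {"frame": frame, "linked": linked, "steps": PLAYBOOK[frame]}
    return result


def run_sample():
    """Triage the constructed alerts against the constructed incident feed."""
    return triage(CYBER_ALERTS, PHYSICAL_INCIDENTS)


if __name__ == "__main__":
    for alert_id, r in run_sample().items():
        print(f"{alert_id}: {r['frame']:<10} linked={r['linked']}")
        for step in r["steps"]:
            print(f"    - {step}")
```

In the constructed data the Warsaw wiper-style alert lands next to a GNSS-interference report at the airport and the Gdansk VPN alert next to a drone intrusion over the port, so both open in the hybrid frame; the Baltic cable fault is inside the time window for Gdansk but outside the radius, which is exactly the kind of near-miss the analyst should still see when the thresholds are widened. Wire the physical feed from whatever your facility security and national CERT actually publish; the correlation is only as good as the timeliness of that feed.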
Final Call-Out
CSIS published a proposal for a European cyber operations group because Europe doesn’t have one. Germany counted 321 suspected sabotage cases in 2025, Baltic cables were cut repeatedly, critical infrastructure was hit in multiple NATO countries, and the response was a series of PDF advisories and a think tank paper recommending something that should have been built a decade ago. The gap between what the threat environment requires and what currently exists is measurable, documented, and growing. Enterprise security teams operating in Europe are operating in that gap. The fix is not to wait for ECOG to exist. It’s to harden the specific attack surfaces the CSIS paper is describing while the policy community figures out how to impose costs on the people exploiting them.
