Intelligence Culture and Counterintelligence Effectiveness: Explaining Western European Responses to Russian Hybrid Threats
By Captain Drew S. Switzer, U.S. Air Force

Editor’s Note: Captain Switzer’s thesis won the 2025 FAO Association Award for Excellence in International Affairs at the U.S. Naval Postgraduate School. The thesis is quite long. We are publishing this edited version without research notes. To see the complete thesis with all research material, please contact editor@faoa.org. The Journal is pleased to bring you this outstanding scholarship.
Disclaimer: The views expressed in this paper are those of the author and do not reflect the official policy or position of the U.S. Government, the Department of Defense, Department of State, or the Naval Postgraduate School.
Defining Hybrid Warfare and Hybrid Threats
Scholars agree that the terms “hybrid threat” and “hybrid warfare” are generally used to describe a range of tactics employed simultaneously to project power and influence while emphasizing threats and actions that remain below the threshold of outright war. According to Gregory Treverton, the U.S. government tends to think of hybrid threats as a wide range of tools adversaries use to target societies, not just militaries. According to Jed Willard, quoting Professor Alina Polyakova of the Brookings Institute, Russia, China, and Iran have all been known to employ hybrid warfare tactics in their military strategies, which have included many of the same tools identified by Treverton. They also argue that Russia has openly accused the U.S. of waging a hybrid war against it via support for the Color Revolutions. Russian leaders believe this culminated in support to the 2013 Euromaidan Revolt, the Ukrainian public’s response to President Viktor Yanukovych’s rejection of Ukraine’s association with the EU, which directly led to Yanukovych fleeing Ukraine and Russia’s 2014 annexation of Crimea.
European security and defense alliances also agree that hybrid threats span a spectrum of tools and methods that primarily aim to avoid open conflict. According to Patrick Cullen, the EU does not explicitly define “hybrid warfare,” but it does provide a robust description of what it considers hybrid threats. In quoting the 2016 EU Joint Framework, Cullen notes that the EU categorizes hybrid threats as a strategic blend of coercive and subversive activities, combining conventional and unconventional methods—such as disinformation, economic pressure, and proxy actors—to exploit vulnerabilities and generate ambiguity. The Joint Framework also notes that these tactics may be coordinated “by state or non-state actors to achieve specific objectives while remaining below the threshold of formally declared warfare.” In contrast to the EU’s conceptual framework, NATO concisely defines hybrid threats as “a type of threat that combines conventional, irregular and asymmetric activities in time and space.” Together, the EU and NATO definitions reflect a shared transatlantic understanding that hybrid threats are multifaceted, deliberately ambiguous, and designed to challenge traditional notions of conflict and response.
Hybrid Russian Intelligence Behavior and Tactics
Scholars have argued that Russian intelligence and security services were vital in conducting covert subversion, sabotage, and cyber campaigns within the Donbas that led to and paved the way for Russia’s 2022 invasion of Ukraine. Such works generally posit that Russia’s 2014 annexation of Crimea was just the beginning of a decade-long frozen conflict, of which the 2022 invasion was an escalatory part. In that eight-year period (2014-2022), Russian intelligence was continuously working to covertly undermine the Ukrainian government in an effort not to garner significant international attention and retaliation. One study notes that, in many cases, Russian intelligence intentionally sought to blur the lines of attribution and the jurisdictional boundaries of Ukrainian security services by employing criminal networks and Ukrainian citizens as cutouts to conduct their operational acts.
While Russia seeks to sustain a global intelligence posture, its war in Ukraine has redirected much of its collection capacity toward operational and tactical priorities, limiting resources for broader strategic efforts. Yet, as Riehle notes, Russian intelligence services are resilient, adaptive, and likely to recover from recent disruptions to reassert their presence beyond the Ukrainian theater. Overall, these works highlight the increasing will of the Russian state to weaponize its intelligence services outside its immediate sphere of influence as part of a broader strategy to destabilize its adversaries, sow discord, and expand its geopolitical influence.
Counterintelligence Definition and Scope
For simplicity and relevance, this thesis adopts the definition provided by the NATO Standardization Office (NSO). The NSO defines counterintelligence (listed in their database as “counter-intelligence”) as “those activities concerned with identifying and counteracting the threat to security posed by hostile intelligence services or organizations or by individuals engaged in espionage, sabotage, subversion or terrorism.” This standardized definition provides a consistent framework for analysis and aligns the thesis with an authoritative multinational reference point.
Counterintelligence Doctrine and Evolution
Various scholarly works have been published that address the evolution of counterintelligence doctrine and strategy, particularly in western nations. Philip Davies and Toby Steward argue that western counterintelligence remains underprepared for the evolving hybrid warfare model employed by Russia in Ukraine between 2014 and 2024. They attribute this shortfall to a conflated understanding of counterintelligence targets, exemplified by the NATO and UK TESSOC framework, which bundles terrorism, espionage, sabotage, subversion, and organized crime under one conceptual umbrella. According to Davies and Steward, this model—shaped by years of counterterrorism and counterinsurgency focus—overemphasizes human threat counterintelligence at the expense of a multidisciplinary approach that includes technical intelligence threats such as imagery, geospatial, signals, and open-source collection. This doctrinal gap, they contend, has left western counterintelligence services ill-equipped to confront the full spectrum of threats posed by peer adversaries like Russia. This conclusion thus necessitates that western nations identify their systemic shortcomings in an attempt to evolve their counterintelligence services to contend with the contemporary Russian threat.
While not specifically targeted at the intelligence community, Sean Monaghan argues that, to effectively combat hybrid threats, defense organizations must adopt adaptive strategies capable of detecting, deterring, and responding to ambiguous activity below the threshold of war. He emphasizes the importance of intergovernmental coordination and allied cooperation, noting that these threats exploit gaps between peace and war, requiring a whole-of-government approach. Drawing on Frank Hoffman’s critique of traditional force planning, Monaghan further asserts that contemporary defense policy must move beyond the outdated binary of counterinsurgency versus conventional warfare and develop capabilities suited to the complexity of hybrid threats in the gray zone.
The Counterintelligence Response to Russian Hybrid Threats
Since Russia’s invasion of Ukraine in February 2022, a myriad of works have been published that analyze the response of Ukrainian security services to the evolving conflict. Several of those studies focus particularly on the Security Service of Ukraine (SBU). Peter Schrijver’s research on the SBU analyzes how the agency strategically used social media—particularly Telegram—between February 2022 and October 2023 to engage domestic and international audiences. Through qualitative thematic analysis, he found that the SBU’s open dissemination of intelligence, including intercepts and counterespionage successes, played a key role in building public resilience, discrediting Russian narratives, and signaling operational transparency. A broader comparative study further positions this practice within a larger trend of “mediatisation,” where intelligence services in Ukraine, Israel, and the UK use social media not only to inform and mobilize, but to justify actions and assert narrative control during wartime. This approach marked a significant departure from traditional intelligence secrecy, reflecting a broader shift towards open, public-facing communication strategies in the realm of information warfare. In a study on the SBU’s counterintelligence response to Russian operations in Ukraine (2014–2024), Davies argues that the western counterintelligence model—shaped by two decades of counterterrorism and counterinsurgency—was poorly suited to respond to the strategic peer-level threat posed by Russia, and that this doctrinal mismatch substantially limited the effectiveness of the SBU’s response, contributing to escalation. Overall, these analyses suggest that traditional counterintelligence methods may be less effective against Russia’s hybrid intelligence operations, while newer approaches like public attribution show greater promise.
Intelligence Culture and Hybrid Threats
Over the last two decades, intelligence culture has been a topic of increasing interest to the academic community. According to Davies, intelligence culture is central to understanding the nuanced differences between national intelligence systems. He argues that intelligence culture is a critical explanatory factor in why some intelligence agencies experience failure, even when their structures or resources appear comparable to those of more successful counterparts. In a separate article, Davies also emphasizes that the variation in national and institutional definitions of intelligence, and the resulting consequences of those definitions, are critical for understanding the variation in intelligence performance and outcomes across nations. Davies’ ideas are supported by de Graaff and Nyce, who, in referencing European intelligence cultures, argue that a nation’s intelligence culture is shaped by its unique history and environment, and may diverge significantly from neighboring countries despite shared linguistic, geographic, or regional characteristics. Furthermore, de Graaff and Nyce also note that while the academic community has emphasized a variety of other factors contributing to differences in intelligence responses and efficiency—such as national regime type, definitional variances, and bureaucratic processes and structures—systematic comparisons of national intelligence cultures have been somewhat neglected.
Germany: Response to the 2015 Bundestag Hack
This chapter examines the counterintelligence response to a Russian cyberattack on the German Bundestag which occurred in 2015. After providing a historical background and an overview of the events that transpired during the days-long hacking operation, the chapter explores the response by Germany’s primary counterintelligence service, the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution, BfV) as well as supporting services such as the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI) and the Bundesnachrichtendienst (Federal Intelligence Service, BND). This review also includes an analysis of how the counterintelligence response affected the broader state response to Russia’s attack. Next, the chapter investigates Germany’s intelligence culture using key elements from Chiru’s model. Finally, the chapter concludes by drawing comparisons between Germany’s intelligence culture and its response to Russia’s hybrid operation targeting the Bundestag. Overall, the analysis reveals that Germany’s intelligence culture—plagued by historical hesitation and a lack of public trust—produced a slow and decentralized response to Russia’s hybrid operation. This suboptimal counterintelligence response ultimately led to a delayed and unsatisfying state retaliation against the Russian state.
The Netherlands: Response to the 2018 OPCW Headquarters Cyberattack
This chapter investigates the Dutch response to an attempted Russian cyberattack targeting the Headquarters for the Organization for the Prohibition of Chemical Weapons (OPCW) located in The Hague, Netherlands in 2018. After providing a brief history of Dutch intelligence and reviewing the events surrounding the attack, the chapter analyzes the response of the Dutch military intelligence and security service, the Militaire Inlichtingen- en Veiligheidsdienst (Military Intelligence and Security Service, MIVD). The review shows that, with the assistance of their civilian counterpart, the Algemene Inlichtingen- en Veiligheidsdienst (General Intelligence and Security Service, AIVD) and international partners, the MIVD successfully disrupted the Russian plot before it was able to cause any damage. The chapter then conducts an analysis of Dutch intelligence culture using the same methodology as Chapter II. Finally, the analysis and conclusion sections discuss key elements of Dutch intelligence culture that enabled successful counterintelligence intervention in 2018 as well as provide a brief overview of the Netherlands’ trials with Russian hybrid threats since the OPCW operation.
Comparative Analysis and Conclusion
The purpose of this research was to determine to what extent discrepancies in national intelligence cultures across Western Europe affect national capacities to leverage counterintelligence in response to Russian hybrid threats and how counterintelligence strategies and tactics might adapt to better combat Russian hybrid threats.
Comparative Findings
To enable a comparative analysis between the case studies, this section adopts the same cultural assessment framework used in the previous two chapters. Each subsection examines how the cultural elements of one nation align or diverge from the other, while also considering how those elements shaped the respective counterintelligence responses. The cumulative findings of this analysis then inform the evaluation of the hypotheses in the following section.
Historical Experience
When comparing the evolution of the Dutch and German intelligence apparatuses throughout the 20th century, it becomes clear that historical experience profoundly shaped each nation’s intelligence culture entering the 21st century. Prior to WWII, the Netherlands maintained only a weak intelligence presence, largely a product of its longstanding desire for neutrality in European affairs. This institutional fragility was exposed by the Venlo incident and further compounded by the near-total absence of Dutch intelligence activity during the Nazi occupation. After the war, however, these failures, combined with the imperative to root out lingering fascist and communist influences, prompted the Dutch government to build an entirely new intelligence culture. The resulting system emphasized robust domestic intelligence over foreign influence operations, balancing security effectiveness with democratic oversight. Though the Netherlands experimented with multiple institutional models—establishing and later abandoning a foreign intelligence arm, reorganizing military intelligence branches, and transforming the BNV into the BVD—their services steadily adapted to meet national security needs. This incremental progress, combined with a domestic-centric intelligence and security system, carried into the 21st century, giving Dutch intelligence culture sustained momentum rooted in counterintelligence work as it confronted the challenges of hybrid warfare.
By contrast, the German intelligence community emerged from WWII burdened not only by the legacy of the Nazi regime but also by the need to reconstruct its apparatus twice over. The Cold War division produced two starkly different models: one grounded in democratic principles in the West, the other in authoritarian control in the East. West German services struggled to establish credibility and effectiveness, undermining both their public legitimacy and national security role. While deliberate efforts ensured that Stasi practices would not contaminate the institutions of reunified Germany, the psychological impact of East German and Soviet surveillance on the population could not be easily erased. If the Dutch began rebuilding from ground level after 1945, Germany was digging its way out of a pit by the late 20th century. This difficult trajectory left German intelligence culture on the defensive entering the 21st century, with deep public skepticism toward domestic security services—a posture that would continue to affect its ability to respond decisively to Russia’s hybrid threats.
While these two nations clearly had diverging historical influences on their respective intelligence cultures, it is difficult to tie this history directly to the counterintelligence responses observed in the 2010s. Certainly these historical factors influenced other aspects of each nation’s intelligence culture, as will be discussed in the subsequent sections; however, the historical element does not directly tie in to the observed counterintelligence responses of either nation. That said, examining each nation’s history with respect to intelligence and security is important for understanding the context in which the other cultural elements were cultivated. Taken together, the historical element provides an overall context of each nation’s intelligence culture that influenced counterintelligence responses to Russia’s hybrid threats.
Institutional Structure & Legal Framework
The institutional structures and oversight mechanisms of Germany and the Netherlands share important commonalities, but their differences are far more consequential for countering hybrid threats. Both nations maintain distinct civil and military intelligence services, enforce strict separation between police and intelligence work, and operate under robust democratic oversight regimes. These features, broadly consistent with other Western democracies, reflect adherence to contemporary norms and help ensure accountability. Where the two diverge is in the degree of centralization and integration. The Netherlands, with only two primary services that combine foreign and domestic missions, has developed a relatively centralized structure that facilitates close cooperation through shared resources and units such as the JSCU. Germany, by contrast, must coordinate across multiple services with overlapping jurisdictions—compounded by the presence of sixteen autonomous state-level LfVs—making timely deconfliction and coordination inherently more challenging. Thus, while both systems embody democratic safeguards, the Dutch model has the potential to offer greater agility and coherence in mounting counterintelligence responses.
These structural differences are reflected in how each nation responded to similar cyber-based hybrid operations. In Germany, the multi-agency approach to the Russian cyberattack appeared fragmented. While scholars have often criticized the fractured nature of Germany’s domestic intelligence apparatus, this case suggests that the involvement of external cybersecurity entities was the complicating factor in this counterintelligence response. By first permitting MPs to outsource their cybersecurity and then prioritizing a response from the BSI over the BfV—even though the BfV had initially detected the anomalies—German authorities created a layered response that hindered the flow of information. This diffusion of responsibility delayed a counterintelligence-driven intervention, which likely reduced the overall effectiveness of the response. The Netherlands, by contrast, mounted a response that was clearly led by the MIVD, even while external partners contributed. Although details of interagency coordination have not been publicized, the key distinction was that a counterintelligence service assumed primary responsibility for addressing the hybrid threat. This leadership role ensured coherence in the response and contributed to its favorable outcome. Overall, the respective structures of each nation’s intelligence services seem to have played a substantial role in the ensuing response.
Public Perception & Transparency
One area in which Germany and the Netherlands differ markedly is in the realm of public trust. In Germany, the legacy of totalitarian regimes was compounded by a series of public failures in the early 21st century regarding extremism and foreign influence, creating a serious public relations problem for the intelligence community. Coupled with the still-present public memory of the Stasi-era system in East Germany, these factors had a clear negative impact on trust in the intelligence and security services, as reflected in polling data around the time of the Bundestag hack. In contrast, the Dutch public entered the 21st century with a more neutral attitude toward its intelligence and security services, which quickly shifted into a call for more robust security intervention when terrorist attacks threatened national security. While this increased fear of violent non-state threats may not have directly translated into greater trust, it was at least sufficient to outweigh public skepticism, allowing Dutch intelligence to leverage this sentiment to implement stronger security measures and increase operational efficiency. It is likely these advantages gave the Dutch an edge when it came to transitioning from a terrorism-focused intelligence environment to one focused on combating state-backed hybrid threats.
The differences in national public perception also significantly shaped the counterintelligence responses in each of the examined case studies. In Germany, the most visible manifestation of this effect was skepticism about involving domestic intelligence services in the response to the Bundestag cyberattack. While some public doubt is common in any nation, the negative image of the BfV and BND led members of parliament to actively resist counterintelligence involvement, fearing the services might exploit their access to undermine governance. Although the agencies were eventually allowed to intervene, their effectiveness was clearly hampered by the delay. Public perception also appears to have influenced counterintelligence indirectly through its impact on efficiency and resources. In the Dutch case, the MIVD was able to detect and disrupt Russian operations within three days—drawing on support from an analyst from a European partner service, conducting robust surveillance, and securing rapid approval to act from the ministers of defense, interior, and foreign affairs. This level of efficiency was enabled by the enhanced resources and authorities granted to the services in the 21st century, most notably through the Wiv, which had passed just the year before. Together, these elements showcase the importance of positive public perception with regard to counterintelligence intervention.
External Orientation & Strategic Threat Perception
In terms of strategic threat perception and relations with Russia, Germany and the Netherlands remained largely comparable through the early years of the 21st century. Following the end of the Cold War, both nations gradually deepened ties with the Russian Federation, developing strong economic links through investment and trade. Similarly, both sought to distance themselves from the Putin regime after Russia’s aggression in Ukraine in early 2014. During this period, each also redirected security attention toward terrorism, adjusting their intelligence and security apparatuses to confront this emerging threat. Yet two key factors set the nations apart in their counterintelligence responses. First, unlike Germany, the Netherlands did not actively scale back its counterintelligence departments after the Cold War. While both prioritized counterterrorism, Germany’s perception that Russia and other state intelligence agencies posed little danger led to a gradual drawdown in counterespionage, diminishing manpower, resources, and institutional experience. The second major difference was in their shifting attitudes toward Russia. For the Netherlands, the downing of Malaysian Airlines Flight MH-17 over Ukraine triggered a rapid and profound shift, driven by public outrage over the deaths of nearly 200 Dutch citizens. Germany, by contrast, experienced no single event that provoked such a dramatic change in its geopolitical outlook. While Germany’s attitude toward Russia was undoubtedly shifting due to the Ukraine conflict, the Netherlands clearly had a more drastic shift in threat perception because it was directly affected by the conflict. Accordingly, the strategic outlook and threat perception in each country appear to have shaped the trajectory of their counterintelligence services.
Despite clear differences in the geopolitical positions of the Netherlands and Germany prior to their respective encounters with Russian hybrid operations, it is difficult to draw a direct comparison in terms of how these events shaped counterintelligence responses. In a recent study, de Graaff—who had exclusive access to restricted MIVD records—observes that around 2016, MIVD agents began closely tracking Russia’s close-access cyber operations, previously employed by the GRU in targeting the World Anti-Doping Agency. As a result, the names of Morenets and Sebriakov were placed on a Schiphol Airport watch list, ultimately triggering the MIVD’s counterintelligence response when the GRU operatives arrived in the Netherlands in 2018. One could argue this proactive measure reflected a renewed geopolitical focus on Russian intelligence threats to the Netherlands; however, the available evidence does not fully substantiate that conclusion. Similarly, one might suggest that Germany’s gradual drawdown of its counterespionage division hindered the BfV’s response to the Bundestag hack. Yet sources indicate the delay was due less to a lack of capacity and more to skepticism among MPs and an institutional design that prioritized the BSI’s role over counterintelligence. In fact, evidence suggests the BfV was the first to detect the intrusion before referring the case to the BSI—implying that the domestic intelligence agency may have been prepared to respond had it been authorized to do so. In sum, while strategic threat perception and geopolitical context likely contributed to broader intelligence cultures that were more or less conducive to countering Russian hybrid threats, it remains inconclusive whether these factors directly shaped the counterintelligence responses in each case study.
Implications and Policy Recommendations
The results of this analysis point to several recommendations for policies that should be implemented to strengthen counterintelligence abilities to combat hybrid threats. The first is that states should consider adopting a centralized institutional structure for their intelligence communities. Based on the case studies in this research, it seems that consolidated intelligence and security structures create better defined lanes for dealing with opaque threats, in turn yielding a more efficient response. In the case where more agencies were involved, each with their own small piece of the response, the overall response was less efficient and took more time to gradually bring on each individual service, causing unnecessary delays. One way to avoid this complexity would be to create intelligence services that integrate multiple different intelligence missions into one agency. For instance, a service that integrates civil foreign intelligence, domestic intelligence, counterintelligence, and cybersecurity would have many of the resources needed to identify and counter most hybrid threats, thereby allowing it to respond to threats without cumbersome coordination. Such a structure could cut down response times and streamline information flows to decision makers in a crisis.
Another key recommendation is for states to focus on building and maintaining a high degree of public trust in order to increase operational effectiveness. As noted by Matei and Halladay, in democratic nations intelligence accountability and effectiveness are at two opposite ends of a never-ending balancing act—constant attention must be given to accountability and public relations to ensure intelligence services can operate efficiently and, in most cases, with a high degree of secrecy. This sentiment is supported by the present research. Resources such as bulk SIGINT collection authority, integration with police forces, and increased use of cyber and artificial intelligence tools are all useful in combating hybrid threats but may also require citizens to sacrifice some of their civil liberties. Nations that prioritize security may be more willing to do so but must also genuinely believe their security services have their best interests in mind and will not abuse the resources provided to them. As demonstrated in the Dutch case study, one way to bolster this relationship is for counterintelligence services to continue leveraging the strategic release of intelligence relating to foreign hybrid operations. In doing so, agencies can showcase their successes to the public while also sharing information that can prove useful in degrading further hostile acts. Intelligence communities that can strike an ideal balance may very likely bolster their counterintelligence effectiveness.
This research also supports the recommendations made by other scholars that the field of counterintelligence needs to evolve its tactics to the contemporary demands of hybrid warfare. Although counterintelligence was at the forefront of the Cold War intelligence game and later adapted to focus on the tactical demands of the GWOT, the mix of state and non-state sponsored operations that threaten western nations demands new approaches. Many of these threats are executed in the cyber realm, such as the cases examined in this research, and are therefore out of the public eye despite their ability to harm various portions of public and private sectors. Perhaps this new environment means that intelligence on hybrid actors needs to be shared with a larger audience than solely state channels. As demonstrated by the Dutch, sharing information publicly, an out-of-the-norm tactic for counterintelligence services, has the benefit of triggering whole-of-society responses. While such a tactic may not be appropriate in every case, policymakers should consider the benefits of sharing information with a wider audience when addressing hybrid threats.
Final Thoughts
This research has shown that national intelligence cultures significantly affect counterintelligence responses to Russian hybrid threats in Western Europe. While additional research should be conducted to validate these findings, the implications for national and collective security are substantial. As the West continues to be victimized by the hybrid campaigns of Russia and other hybrid actors, counterintelligence will become an increasingly vital element of national security. As this research shows, there are differences in the readiness and posture of Western counterintelligence services which affect their ability to identify and neutralize hybrid threats. This variance needs to be considered in the future development of collective defense, as those nations with poor responses will become weak points for the collective. Therefore, it is vital that policymakers and security officials at all levels find ways to bolster counterintelligence effectiveness, for this branch of intelligence and security is likely to be on the frontlines of future strategic conflicts for years to come.
About the Author:
Captain Drew S. Switzer has been an active duty officer and Special Agent for the U.S. Air Force’s Office of Special Investigations since 2018. Throughout his career, he has worked numerous investigations and operations pertaining to AFOSI’s federal law enforcement and counterintelligence missions. In the course of this work, Drew has completed several overseas tours, to include several in Europe and the Middle East. In 2025, he completed a Master of Arts degree in Security Studies at the Naval Postgraduate School and received two awards for his research into the role of western counterintelligence in an age of hybrid warfare. Drew is also the author of a chapter on the role of intelligence in combating hybrid threats in a Routledge-published multi-author book entitled Intelligence and Technology: Trends, Challenges, and Choices.

