War Below the Threshold
War Below the Threshold: Gerasimov's New Generation Warfare, Unrestricted Warfare, and the Critical Infrastructure Attack as Strategic Instrument
Executive Summary
On 27 February 2013, General Valery Gerasimov, Chief of the General Staff of the Russian Federation Armed Forces, published an article in the Voyenno-Promyshlennyy Kurier arguing that the rules of war had fundamentally changed — that non-military means of achieving political and strategic objectives had in many cases exceeded the power of military force. In 1999, PLA Senior Colonels Qiao Liang and Wang Xiangsui published Unrestricted Warfare, arguing that modern conflict must use all means available — financial markets, computer networks, media, and critical infrastructure — without restriction by the domain boundaries that previous military thinking had observed.
Both documents pre-date by years the attacks now being conducted against European critical infrastructure. The Baltic cable sabotage campaign of 2023-2024, Volt Typhoon's confirmed pre-positioning in Western CNI, the HSE ransomware attack, and the County Mayo water utility attack are not random incidents — they are the operational expression of strategic frameworks that named critical infrastructure as the primary attack domain more than two decades before the first cable was dragged.
This paper presents both doctrinal frameworks precisely and honestly — including the academic debate about whether the Gerasimov Doctrine exists as a distinct Russian doctrine, which is a debate that practitioners must understand. It then maps each framework to the confirmed European CNI attack record and derives the CNI protection implications that follow from treating these frameworks as the design basis for defensive investment.
1. A Note on the Title — Why This Paper Is Not Called 'The Landscape of Hybrid Threats'
The phrase 'hybrid threats' has become one of the most widely used and least analytically precise terms in the contemporary security lexicon. It is used to mean everything from Russian disinformation campaigns to North Korean cyberattacks to Chinese economic coercion to Iranian proxy militia operations. Its breadth is its weakness: a concept that encompasses everything explains nothing.
This paper uses a different analytical frame — not the category label 'hybrid threats' but the specific doctrinal texts that describe the strategic logic behind the operations we are actually observing. The Gerasimov article and the Qiao Liang-Wang Xiangsui book are primary source documents with named authors, publication dates, and specific analytical arguments. They can be read, quoted, contested, and updated as circumstances change. 'Hybrid threats' is a policy label. It is not an analytical framework.
The title 'War Below the Threshold' captures the operational characteristic that is common to every CNI attack documented in this paper series and every operation described by both doctrinal frameworks: they are conducted below the threshold of Article 5 of the North Atlantic Treaty and Article 42.7 of the EU Treaty — the collective defence thresholds that would trigger a formal military response from the target state's allies. The threshold is not incidental to the strategy — it is the strategy. The entire operational logic of New Generation Warfare and Unrestricted Warfare is to achieve strategic effects that would normally require armed conflict, without crossing the legal and political thresholds that trigger the adversary's full-spectrum response.
ON TERMINOLOGY — HYBRID, GREY ZONE, SUB-THRESHOLD, NEW GENERATION: These terms describe the same operational space with different emphases. 'Hybrid warfare' (NATO usage) emphasises the combination of military and non-military instruments. 'Grey zone' (US DOD usage) emphasises the ambiguity between peace and war. 'Sub-threshold' (EU/ECFR usage) emphasises the legal threshold that is deliberately not crossed. 'New Generation Warfare' (Russian military science usage) emphasises the conceptual evolution from previous doctrine. This paper uses 'sub-threshold warfare' as the governing term because it most precisely describes the characteristic that is operationally significant for CNI protection: the adversary is conducting warfare while deliberately maintaining a legal and political status below that which would trigger the target's defence alliance.
2. Gerasimov's 2013 Article — What It Actually Says
The 'Gerasimov Doctrine' is one of the most cited and least read documents in contemporary Western security discourse. Mark Galeotti, the analyst who coined the term 'Gerasimov Doctrine' in a 2013 blog post for In Moscow's Shadows, later publicly regretted it — describing the label as analytically misleading in a 2018 Foreign Policy article titled 'I'm Sorry for Creating the Gerasimov Doctrine.' Understanding what Gerasimov's article actually says, and what it does not say, is prerequisite to using it analytically.
2.1 The Primary Source — Precise Citation
The document is: Gerasimov, Valery. 'Tsennost' nauki v predvidenii' (The Value of Science is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying out Combat Operations). Voyenno-Promyshlennyy Kurier (Military-Industrial Courier). 27 February 2013. Reprinted and translated into English by Robert Coalson: Military Review, Vol. 96, No. 1 (January-February 2016), pp. 23-29. Published by the US Army Combined Arms Center, Fort Leavenworth, Kansas.
The article was a reprint of Gerasimov's speech to the Academy of Military Science in January 2013 — his first major public address as the newly appointed Chief of the General Staff. It is an academic-military analysis piece, not a policy document or operational planning directive. It was published in a weekly military trade newspaper with a specialist readership, not in an official doctrinal publication of the Russian Armed Forces.
2.2 The Core Arguments — Directly from the Text
Gerasimov makes five analytically significant arguments in the article:
Argument 1 — The rules of war have changed: Gerasimov writes that 'the very rules of war have changed. The role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.' This is not a prescription for Russian strategy — it is an observation about the direction of modern conflict that Gerasimov attributes primarily to Western operations in the post-Cold War period, using the Arab Spring and the Western interventions in Yugoslavia and Iraq as examples. Gerasimov explicitly frames these as American innovations that Russia must understand and respond to, not as Russian innovations that Russia is implementing.
Argument 2 — The 4:1 ratio of non-military to military means: Gerasimov argues that modern conflict increasingly relies on a ratio of approximately four non-military measures for every one military measure. Non-military means include: political and diplomatic pressure; economic instruments (sanctions, trade restrictions, investment restrictions); information operations (disinformation, propaganda, narrative warfare); cyber operations; support for proxy forces and fifth columns; and covert intelligence operations. Military force is the last resort and the minority component — but it remains present and credible as the backstop that gives the non-military measures their coercive power.
Argument 3 — Simultaneous operations across all domains: Modern conflict, in Gerasimov's analysis, is conducted simultaneously across all physical environments and the information space. There is no longer a sequential 'first diplomacy, then economic pressure, then military force' — modern adversaries operate all instruments simultaneously, creating a cumulative pressure that no single domain defence can address. This argument directly anticipates the Volt Typhoon model: pre-positioned network access (cyber domain), SCADA documentation collection (intelligence domain), shadow fleet maritime sabotage (physical domain), and diplomatic pressure — all simultaneous, all below the threshold.
Argument 4 — The 'colour revolution' as the template: Gerasimov uses the Arab Spring uprisings and what Russian military analysts call 'colour revolutions' as the primary template for understanding how non-military means can achieve strategic effects equivalent to armed conflict. A population made economically desperate, informationally confused, and politically polarised does not need to be militarily defeated — it defeats itself. This argument has direct CNI implications: a population that has lost power, water, and digital connectivity is undergoing the same destabilisation process that Gerasimov describes as the objective of sub-threshold warfare.
Argument 5 — The importance of the preparatory phase: Gerasimov emphasises that in modern warfare, the preparatory phase — intelligence collection, network penetration, pre-positioning of forces and capabilities, establishment of influence networks — is as strategically significant as the kinetic phase. The preparatory phase can last years. It is conducted covertly, below any threshold that would trigger a defensive response. The kinetic or disruptive phase, when it comes, is brief, simultaneous, and draws on the intelligence and infrastructure established in the preparatory phase. This argument is Volt Typhoon's operational model, stated twelve years before CISA AA24-038A confirmed that the PRC was implementing it.
THE ACADEMIC DEBATE — DOES THE GERASIMOV DOCTRINE EXIST?: Mark Galeotti's 2018 retraction of the term, and subsequent analysis by Charles Bartles, Michael Kofman, and Roger McDermott, argue that Gerasimov was describing American and Western doctrine rather than prescribing Russian doctrine — and that the 'Gerasimov Doctrine' label has misled Western analysts into seeing a coherent Russian sub-threshold strategy where there is actually a more fragmented and reactive set of operations. This debate is analytically important and the practitioners in this paper's audience should engage with it directly. The honest assessment: Galeotti and Kofman are probably correct that 'Gerasimov Doctrine' is a Western analytical construct rather than a genuine Russian doctrinal statement. But the operational pattern the construct describes — sub-threshold CNI attacks combined with information operations, economic pressure, and covert network pre-positioning — is documentably real regardless of its doctrinal provenance. Source: Galeotti, M. 'I'm Sorry for Creating the Gerasimov Doctrine.' Foreign Policy. 5 March 2018.
Source: Gerasimov, V. (2013) 'The Value of Science is in the Foresight.' Voyenno-Promyshlennyy Kurier. 27 February 2013. English translation: Military Review, Vol. 96, No. 1. January-February 2016. pp. 23-29. US Army Combined Arms Center. Galeotti, M. (2018) 'I'm Sorry for Creating the Gerasimov Doctrine.' Foreign Policy. 5 March 2018. Bartles, C. (2016) 'Getting Gerasimov Right.' Military Review. January-February 2016. pp. 30-38.
3. Unrestricted Warfare — The Chinese Doctrinal Framework
Qiao Liang and Wang Xiangsui's 1999 book Unrestricted Warfare (超限战, Chao Xian Zhan — literally 'Warfare Beyond All Boundaries') is, unlike the Gerasimov article, an unambiguously prescriptive doctrinal text. It was published by the People's Liberation Army Literature and Arts Publishing House in Beijing in February 1999, making it an official PLA publication, not an academic analysis piece. Qiao Liang held the rank of Major General in the PLA Air Force at the time of publication. The book is a deliberate strategic prescription for how China should fight and win against an adversary — specifically the United States — that is conventionally superior.
3.1 The Primary Source — Precise Citation
Qiao Liang (乔良) and Wang Xiangsui (王湘穗). Chao Xian Zhan (超限战). Beijing: PLA Literature and Arts Publishing House. February 1999. English translation: Unrestricted Warfare. Translated by the Foreign Broadcast Information Service (FBIS), Central Intelligence Agency. 2000. Multiple subsequent commercial translations. The FBIS translation is the US government's official translation and the version cited in academic and policy literature.
3.2 The Core Arguments — Directly from the Text
Qiao and Wang make three analytically significant arguments that are directly relevant to the CNI protection question:
Argument 1 — Remove all domain restrictions from warfare: The book's central prescription is that warfare in the 21st century must transcend all the restrictions that the 20th century placed on it: the restriction to military forces and weapons, the restriction to defined geographic theatres, the restriction to declared states of war, and the restriction to combatant targets. Qiao and Wang write that 'future war means using all means, including armed force or non-armed force, military and non-military, and lethal and non-lethal means to compel the enemy to accept one's interests.' The phrase 'all means' is the book's analytical engine — it removes every limiting assumption from strategic planning.
Argument 2 — Critical infrastructure as a legitimate and primary attack domain: Qiao and Wang specifically identify critical infrastructure as a primary attack target in the Unrestricted Warfare framework. Chapter 4, 'The War God's Face Has Become Indistinct,' lists the following as legitimate warfare instruments that a conventional-military-inferior adversary should use against a superior adversary: financial market attacks ('securities war'), computer network attacks ('network war'), media control ('media war'), and attacks on infrastructure systems. They write: 'From the deliberate choices of timing and location of attacks on key sections of infrastructure systems such as power grids, traffic systems, financial systems and computer networks to the use of economic measures... victory can be obtained without armed conflict.' This was published in 1999 — eight years before the Aurora vulnerability was demonstrated, twenty-four years before Volt Typhoon was confirmed to be mapping Western power grid infrastructure.
Argument 3 — Asymmetric cost imposition as the strategic objective: The book's strategic logic is rooted in asymmetry: China cannot match US conventional military capability, so the objective is not to defeat the US military in a conventional engagement but to impose costs — economic, political, social — that make the strategic objective (primarily Taiwan) too expensive to pursue. Infrastructure attacks serve this logic directly: they impose costs on the adversary's economy and social cohesion that are disproportionate to the cost of the attack. This is the cost asymmetry principle documented in the Critical Infrastructure Vulnerabilities paper — Colonial Pipeline's USD 4.4M ransom attack imposed USD 700M-1B in cascade economic costs. Qiao and Wang describe this asymmetric cost imposition as the defining strategic advantage of the Unrestricted Warfare approach.
Unrestricted Warfare anticipated the drone threat, the cyber-physical convergence, the use of financial instruments as warfare tools, and the targeting of civilian infrastructure as a primary military objective — all of which have been confirmed operationally in the two and a half decades since its publication. This is not because Qiao and Wang had perfect foresight. It is because they were thinking rigorously about how a conventionally inferior adversary with a long-term strategic horizon and no inhibitions about attacking civilian infrastructure would approach the problem of defeating a conventionally superior adversary.
THE CONVERGENCE — GERASIMOV AND QIAO LIANG READ THE SAME PROBLEM: Gerasimov and Qiao Liang-Wang Xiangsui are not describing the same strategy — they are describing different national strategies for achieving strategic objectives without triggering a full conventional military response. But they converge on the same operational conclusion: critical infrastructure is the primary target domain in sub-threshold warfare, because its disruption achieves the social, economic, and political effects that kinetic military operations would otherwise require. This convergence is the analytical foundation of this paper. If two strategically opposed major powers — Russia and China — independently arrive at the same conclusion about where to attack, that conclusion is well-founded. The CNI defence investment programme is not a response to one country's doctrine. It is a response to a strategic logic that has been independently validated by both.
Source: Qiao Liang and Wang Xiangsui. Unrestricted Warfare. PLA Literature and Arts Publishing House. Beijing. February 1999. FBIS English translation. CIA. 2000. Available through US Government Publishing Office. Qiao Liang. 'Unrestricted Warfare: A Threat Assessment.' PLA Air Force. 1999.
4. The Operational Record — Doctrine Mapped to Documented Incidents
The following mapping connects each major CNI incident documented in this paper series to the specific doctrinal argument in Gerasimov's article or Unrestricted Warfare that anticipated it. The purpose is not to prove that each incident was directly planned using these texts — it is to demonstrate that the strategic logic they describe is being executed, whether or not the specific texts were consulted.
4.1 Volt Typhoon — Gerasimov's Preparatory Phase in Operational Form
The confirmed facts: CISA Advisory AA24-038A (February 2024), co-signed by the NSA, FBI, and Five Eyes intelligence partners, confirmed that a PRC state-sponsored threat actor designated Volt Typhoon had achieved persistent access to US critical infrastructure networks — including energy, water, transportation, and communications — with confirmed dwell times of at least five years. The actor had exfiltrated SCADA relay documentation, network topology maps, and switchgear configuration data — the intelligence product required to develop a target-specific ICS attack tool comparable to Sandworm's Industroyer2. The stated assessment: Volt Typhoon was pre-positioning for activation in a Taiwan conflict scenario, not conducting espionage for intelligence collection.
The Gerasimov mapping: This operation is the precise operational implementation of Gerasimov's Argument 5 — the preparatory phase as strategic action. CISA AA24-038A describes exactly what Gerasimov predicted: years of covert network penetration, intelligence collection, and capability pre-positioning, conducted below any threshold that would trigger a defensive military response, preparing for a kinetic or disruptive phase that has not yet occurred. The preparatory phase is not reconnaissance in the conventional military sense — it is the creation of an operational capability to activate simultaneous disruption of multiple CNI sectors across multiple countries at a geopolitically defined moment.
The Unrestricted Warfare mapping: Volt Typhoon's documentation of Western power grid relay configurations is the operational preparation described in Unrestricted Warfare Chapter 4 — 'network war' as the instrument that makes 'winning without armed conflict' achievable. If the PLA Air Force can activate simultaneous circuit breaker operations across multiple Western power grids at the moment of a Taiwan military contingency, the adversary's political will to intervene is tested against the prospect of domestic blackouts. Qiao and Wang described this logic in 1999. CISA confirmed its operational preparation in 2024.
Source: CISA/NSA/FBI/Five Eyes. Advisory AA24-038A: People's Republic of China State-Sponsored Cyber Actor Living off the Land. February 2024.
4.2 The Baltic Cable Sabotage Campaign — Below-Threshold Physical Action
The campaign pattern: Nord Stream pipeline destruction (September 2022); Balticconnector pipeline and telecommunications cables (October 2023); BCS East-West Interlink and Arelion cable (November 2024); EstLink-2 power interconnector (December 2024). Six incidents across 28 months targeting European energy and communications infrastructure in the Baltic Sea. All conducted in international waters. No successful criminal attribution in any jurisdiction. No Article 5 NATO collective defence invocation. No armed military response from any affected state.
The Gerasimov mapping: This campaign is the direct operational expression of Gerasimov's core argument: non-military means achieving strategic effects equivalent to those that would otherwise require armed conflict, conducted below the threshold that triggers collective defence. The destruction of Nord Stream imposed EUR 1.2 billion in asset losses on European energy infrastructure and materially altered European energy supply security — a strategic effect of the first order. No military force was used. No armed response was possible under international law because no armed force had been used. The campaign achieves strategic effect while maintaining the legal and political status of peacetime operations.
The Unrestricted Warfare mapping: The shadow fleet operational model — commercial vessels with opaque ownership structures conducting infrastructure attacks in international waters — is the physical expression of Unrestricted Warfare's prescription to remove domain restrictions. These are not naval vessels. They are not military actors. They are registered in third-country flags of convenience, crewed by nationals without direct state connections, operating in international shipping lanes. The attack is conducted below every legal and military threshold simultaneously: not an act of war, not a military operation, not attributable to a state actor within the standards of international law. Qiao and Wang described this model as the operational ideal — maximum strategic effect with minimum attribution risk.
Source: Finnish Border Guard. Eagle S Seizure Statement. December 2024. NATO. Baltic Maritime Surveillance Assessment 2024.
4.3 The HSE Ransomware Attack — Tier 3 Actor, Tier 1 Strategic Effect
The incident: Conti ransomware deployed against the Health Service Executive on 14 May 2021, following eight weeks of undetected dwell. Approximately 80,000 devices encrypted. National health service operations disrupted for weeks. EUR 100 million-plus confirmed recovery cost. Source: HSE Board Report, December 2021.
The analytical point: The HSE attack was not a sub-threshold warfare operation — Conti is a criminal ransomware group, not a state actor, and the attack was financially motivated. It is included in this mapping for a different analytical purpose: it demonstrates that the attack surface identified by both Gerasimov and Qiao Liang — critical infrastructure systems with inadequate cyber defences, connected to the public internet, with long dwell-time vulnerability — is real, accessible, and consequential. A Tier 3 criminal actor with commodity tools achieved the social, economic, and political disruption that both doctrinal frameworks describe as the objective of sub-threshold warfare. If a criminal actor can achieve this accidentally, a state actor with the preparatory investment described in CISA AA24-038A can achieve it deliberately.
The sub-threshold implication: The HSE attack's EUR 100 million-plus consequence with no criminal attribution, no state accountability, and no policy response beyond IT modernisation is the model that sub-threshold warfare operationalises. Both Gerasimov and Qiao Liang argue that the optimal attack is one where the adversary cannot attribute, cannot respond, and cannot prevent recurrence without bearing costs that exceed the cost of the original attack. The HSE case validated this model operationally, at national scale, in a NATO and EU member state.
4.4 County Mayo Water — Tier 2 State Actor, Zero Cost, National Exposure
The incident: IRGC-affiliated Cyber Av3ngers disabled the Erris water scheme pump in December 2023 using a Shodan query, a browser, and the Unitronics factory default password. 180 households lost water for two days. NCSC-IE national audit confirmed Ireland had no pre-existing complete inventory of internet-exposed OT equipment.
The Unrestricted Warfare mapping: Qiao and Wang explicitly describe attacks on water, power, and transport infrastructure as legitimate warfare instruments. The County Mayo attack achieved exactly what they prescribe: disruption of civilian life, demonstration of infrastructure vulnerability, and exposure of national defensive capability gaps — all at zero cost to the attacker. The operational cost asymmetry — zero investment, national audit response, 180 households disrupted — is the precise strategic logic of Unrestricted Warfare applied at its most basic level.
The national exposure significance: The NCSC-IE post-attack audit's finding that Ireland had no pre-existing national OT device inventory is the most strategically significant intelligence the County Mayo attack produced — not for the Irish government but for any adversary assessing Irish CNI vulnerability. The audit demonstrated that Ireland did not know what was exposed. An adversary applying the Gerasimov preparatory phase logic now knows that the preparatory phase for Ireland requires only a Shodan search.
THE DOCTRINE IN THE ATTACK RECORD: Every CNI incident in this paper series maps to one or both doctrinal frameworks. This is not selection bias — it is because both frameworks were derived from the same strategic logic: that civilian infrastructure is the primary attack domain for adversaries who wish to achieve strategic effects without triggering the collective defence thresholds that would produce a symmetric military response. The incidents confirm the frameworks. The frameworks explain the incidents. Together they establish the design basis for CNI protection investment.
5. The Threat Actors — Three State Approaches to Sub-Threshold CNI Attack
Gerasimov's article and Unrestricted Warfare each describe the generic logic of sub-threshold warfare. The specific implementation varies significantly by state actor. Understanding the distinct approaches of Russia, China, and Iran is prerequisite to calibrating the defensive investment for any specific CNI sector.
5.1 Russia — Physical Sabotage Combined with Cyber Pre-Positioning
Russia's sub-threshold CNI strategy as documented in the 2022-2025 period combines two operational tracks that are rarely discussed together in Western security analysis: the physical sabotage track (Nord Stream, Balticconnector, Baltic cables, EstLink-2, GRU proxy recruitment of domestic European nationals for arson and logistics attacks documented in Poland, Lithuania, and Germany) and the cyber pre-positioning track (Sandworm's Industroyer series against Ukrainian energy, Volt Typhoon-parallel Russian operations against European grid SCADA documented in ENISA annual reports).
The operational logic of running both tracks simultaneously is coherent with Gerasimov's Argument 3 — simultaneous operations across all domains. Physical sabotage in the maritime domain is conducted by one operational element while cyber pre-positioning in the network domain is conducted by a completely separate operational element. Neither track is in an operational relationship with the other — they are independent instruments of the same strategic objective, creating redundant pathways to the same effect. If the cyber track is detected and disrupted, the physical track retains its capability. If the physical track is attributed and internationally sanctioned, the cyber track continues. This is the resilience logic of multi-domain sub-threshold operations.
The GRU proxy recruitment model. Polish ABW (Internal Security Agency) and Lithuanian VSD (State Security Department) dismantled GRU-linked networks in 2023-2024 that were recruiting local nationals via encrypted messaging applications to conduct physical reconnaissance and sabotage of logistics infrastructure. Payment: cryptocurrency, EUR 500-2,000 per task. The recruited individuals had no Russian intelligence connections, no military background, and no knowledge of their GRU handlers' identities. Attribution to Russia required signals intelligence and network analysis by the national security services — it is not attributable through any publicly verifiable standard. This is Gerasimov's proxy forces and fifth column argument in operational form.
Source: Polish ABW Annual Report 2024. Lithuanian VSD Annual Report 2023. Finnish Border Guard Eagle S Statement December 2024.
5.2 China — Long-Term Pre-Positioning Without Activation
China's documented sub-threshold CNI strategy, as confirmed in CISA AA24-038A, is the purest operational expression of the Unrestricted Warfare preparatory logic: years of patient network penetration, intelligence collection, and capability development, with no activation of disruptive effects. Volt Typhoon's confirmed five-year dwell times with zero operational disruption — no ransomware deployed, no circuit breakers opened, no data deleted — confirm that the objective is pre-positioning for future use, not immediate disruption.
The intelligence product of Volt Typhoon's operations — SCADA relay documentation, network topology maps, switchgear configurations — is exactly the input required to develop target-specific ICS attack tools. Sandworm's Industroyer2 had victim-specific relay addresses hardcoded in its binary. Those addresses came from prior intelligence collection of the type that Volt Typhoon is confirmed to be conducting in Western infrastructure. The intelligence-to-effects chain is: Volt Typhoon collects the topology data; Chinese ICS tool developers use it to build a target-specific activation capability; a geopolitical trigger releases the capability simultaneously across multiple networks.
The geopolitical trigger is not speculative — CISA AA24-038A states it explicitly: Volt Typhoon's pre-positioning is assessed as preparation for activation in a Taiwan conflict scenario. The activation would seek to impose CNI disruption costs on the United States and its allies that compete with the political will to intervene militarily in the Taiwan Strait. This is Qiao and Wang's central argument from 1999, stated as the current operational assessment of the US intelligence community in 2024.
5.3 Iran — Opportunistic IRGC-Directed Hacktivist Campaigns
Iran's sub-threshold CNI strategy, as demonstrated by the County Mayo attack and the broader Cyber Av3ngers campaign of December 2023, differs from both the Russian and Chinese models in one critical dimension: it is opportunistic and vendor-targeted rather than strategically pre-positioned and geographically targeted. The Cyber Av3ngers campaign targeted Unitronics-manufactured equipment regardless of geographic location or strategic significance because the attack vector — default credentials on internet-accessible PLCs — was available across a global target set, and because Unitronics is an Israeli company. Irish water infrastructure appeared in the target set not because Ireland is a strategic adversary of Iran but because an Irish utility was running Unitronics equipment with default credentials.
The strategic implication of opportunistic CNI targeting for defensive investment is different from the strategic implication of pre-positioned adversary access. Against Russian and Chinese pre-positioning, the defensive priority is detection of long-term persistent access — behavioural baselining, OT-specific monitoring, and zero-standing-access vendor management. Against Iranian opportunistic targeting, the defensive priority is elimination of the attack surface — default credential change, internet disconnection of OT devices, and patch management for disclosed high-CVSS vulnerabilities. Both defensive priorities are necessary. Neither is sufficient without the other.
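The attack-surface elimination priority described above can be turned into a ranked work queue for an OT asset inventory. The following is an added example written for this paper, not code from the paper or from any utility or vendor it mentions: it scores each device in a constructed inventory against the three controls named in the text (default credential change, internet disconnection of OT devices, patching of high-CVSS vulnerabilities) and weights the combination of public exposure plus default credentials highest, since that is the opportunistic attacker's path of least resistance. The inventory fields, the scoring weights and the sample assets are assumptions for illustration.

```python
"""Attack-surface triage for an OT asset inventory.

Added example, not from the paper: scores each device in a constructed
inventory against the attack-surface controls named in the text and returns
a ranked remediation list. Field names and weights are assumptions.
"""
from dataclasses import dataclass, field

HIGH_CVSS = 7.0  # CVSS v3 "High" severity starts at 7.0


@dataclass(frozen=True)
class OTDevice:
    asset_id: str
    device_type: str           # e.g. "PLC", "HMI", "RTU"
    internet_exposed: bool     # reachable from the public internet
    default_credentials: bool  # still using the vendor-shipped password
    highest_open_cvss: float   # highest CVSS score among unpatched CVEs
    serves_population: int     # households (or patients) depending on the service


@dataclass
class Finding:
    asset_id: str
    score: int
    actions: list = field(default_factory=list)


def assess(device: OTDevice) -> Finding:
    """Score one device. Each missing control adds risk; the combination of
    internet exposure and default credentials is weighted above the sum of
    its parts because it is exploitable with no tooling beyond a browser."""
    actions = []
    score = 0
    if device.internet_exposed:
        score += 3
        actions.append("remove public internet reachability (VPN or jump host only)")
    if device.default_credentials:
        score += 3
        actions.append("replace vendor default credentials")
    if device.internet_exposed and device.default_credentials:
        score += 4  # the County Mayo pattern: exposed and still on defaults
    if device.highest_open_cvss >= HIGH_CVSS:
        score += 2
        actions.append(f"patch or mitigate open CVE (CVSS {device.highest_open_cvss})")
    # Consequence modifier: a larger served population ranks higher at equal exposure
    if device.serves_population >= 10000:
        score += 1
    return Finding(device.asset_id, score, actions)


def prioritise(inventory):
    """Return findings sorted highest-risk first; devices with no missing
    controls are omitted so the list is an actionable work queue."""
    findings = [assess(d) for d in inventory]
    findings = [f for f in findings if f.actions]
    return sorted(findings, key=lambda f: (-f.score, f.asset_id))


# Constructed sample inventory (not real assets)
SAMPLE_INVENTORY = [
    OTDevice("pump-01", "PLC", True, True, 0.0, 180),
    OTDevice("hmi-02", "HMI", False, True, 5.3, 180),
    OTDevice("rtu-03", "RTU", True, False, 9.8, 12000),
    OTDevice("plc-04", "PLC", False, False, 4.0, 12000),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_INVENTORY):
        print(f.asset_id, f.score, "; ".join(f.actions))
```

Run against the sample inventory, the exposed PLC on default credentials ranks first even though it serves the smallest population, which is the point the paper makes about opportunistic, vendor-targeted campaigns: the attacker selects by exposure, not by strategic value. The device with no missing controls is dropped from the queue rather than shown with a score of zero.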
6. The CNI Protection Implications — What the Doctrine Tells the Defender
The analytical framework of sub-threshold warfare has specific implications for how CNI protection investment should be prioritised, sequenced, and governed. The following implications follow directly from the doctrinal analysis rather than from generic security engineering principles.
6.1 The Preparatory Phase Is Already Underway
Gerasimov's Argument 5 and Qiao and Wang's core prescription both emphasise that the preparatory phase — intelligence collection, network penetration, capability pre-positioning — is conducted years before any activation of disruptive effects. CISA AA24-038A confirms five-year dwell times. The HSE attack had an eight-week preparatory dwell. The implication for CNI protection is that the question is not 'has the preparatory phase started?' but 'what has already been accessed during a preparatory phase that we may not yet have detected?'
This reframes the defensive investment priority. The OT network monitoring platforms (Claroty, Nozomi, Dragos), the behavioural baselining programme, and the zero-standing-access vendor management architecture are not preparation for a future threat — they are the detection mechanism for a preparatory operation that statistical probability and the CISA assessment suggest is already underway in the highest-value Western CNI networks.
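The two defensive lenses set out in Section 5.3 (attack-surface elimination against opportunistic targeting) and Section 6.1 (detection of pre-positioned access: zero-standing-access vendor management, behavioural baselining, dwell estimation) can be made concrete. The following is an added worked example, not code from the paper or from any of the products it names; the device inventory, the vendor remote-access sessions, the approved access windows, the CVSS threshold and the 30-day baseline period are all constructed assumptions for illustration.

```python
"""Added example: the two defensive lenses of Sections 5.3 and 6.1 applied to a
constructed OT inventory and a constructed vendor remote-access log. Not from the
paper; all names, thresholds and data are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class OtDevice:
    name: str
    default_credentials: bool   # vendor default password still in place
    internet_exposed: bool      # reachable from the public internet
    unpatched_cvss: list        # CVSS base scores of disclosed, unpatched vulns


def hygiene_findings(devices, cvss_threshold=9.0):
    """Attack-surface lens (5.3): the conditions an opportunistic, vendor-targeted
    campaign needs. Returns {device: [issue, ...]} for devices with any issue."""
    findings = {}
    for d in devices:
        issues = []
        if d.default_credentials:
            issues.append("default-credentials")
        if d.internet_exposed:
            issues.append("internet-exposed")
        if any(score >= cvss_threshold for score in d.unpatched_cvss):
            issues.append("unpatched-high-cvss")
        if issues:
            findings[d.name] = issues
    return findings


@dataclass
class RemoteSession:
    account: str
    start: datetime
    source: str    # source address of the remote session


@dataclass
class AccessWindow:
    account: str
    start: datetime
    end: datetime


def standing_access_violations(sessions, windows):
    """Zero-standing-access lens (6.1): every vendor session must fall inside an
    approved, time-bound window; anything outside one is standing access."""
    violations = []
    for s in sessions:
        covered = any(w.account == s.account and w.start <= s.start <= w.end
                      for w in windows)
        if not covered:
            violations.append((s.account, s.start.isoformat()))
    return violations


def unbaselined_sources(sessions, baseline_days=30):
    """Behavioural-baselining lens (6.1): for each account, sources that appear
    after its baseline period (first N days of activity) but never during it."""
    by_account = {}
    for s in sorted(sessions, key=lambda s: s.start):
        by_account.setdefault(s.account, []).append(s)
    flagged = []
    for account, sess in by_account.items():
        cutoff = sess[0].start + timedelta(days=baseline_days)
        baseline = {s.source for s in sess if s.start <= cutoff}
        for s in sess:
            if s.start > cutoff and s.source not in baseline:
                flagged.append((account, s.source, s.start.isoformat()))
    return flagged


def minimum_dwell_days(sessions, account):
    """Lower bound on dwell: first to latest observed session for the account.
    The true dwell is longer if earlier access was never logged."""
    starts = [s.start for s in sessions if s.account == account]
    return (max(starts) - min(starts)).days if starts else 0


# Constructed sample data (not real assets, addresses, vendors or incidents).
DEVICES = [
    OtDevice("pump-plc-01", default_credentials=True, internet_exposed=True, unpatched_cvss=[9.8]),
    OtDevice("substation-rtu-03", default_credentials=False, internet_exposed=False, unpatched_cvss=[7.5]),
    OtDevice("water-hmi-02", default_credentials=False, internet_exposed=True, unpatched_cvss=[]),
]
WINDOWS = [AccessWindow("vendor-svc", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 18, 0))]
SESSIONS = [
    RemoteSession("vendor-svc", datetime(2024, 1, 10, 9, 15), "10.0.5.20"),     # inside approved window
    RemoteSession("vendor-svc", datetime(2024, 3, 2, 2, 40), "10.0.5.20"),      # no window: standing access
    RemoteSession("vendor-svc", datetime(2024, 11, 15, 3, 10), "203.0.113.7"),  # no window, new source
]

if __name__ == "__main__":
    print(hygiene_findings(DEVICES))
    print(standing_access_violations(SESSIONS, WINDOWS))
    print(unbaselined_sources(SESSIONS))
    print(minimum_dwell_days(SESSIONS, "vendor-svc"))
```

The point of running both lenses over the same estate is the paper's own: the hygiene findings close the door an opportunistic campaign walks through, while the session checks answer the Section 6.1 question of what may already have been accessed. In the constructed data the same vendor account that was inside an approved window in January is still active in November from a source never seen during its baseline, a pattern that patching and credential changes alone would never surface.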
6.2 The Threshold Design Means Kinetic Response Is Not Available
Both doctrinal frameworks are designed around the threshold problem — achieving strategic effects without crossing the legal and political threshold that triggers the adversary's conventional military response. The Baltic cable campaign's attribution to Russia has been assessed by multiple European intelligence services and yet produced no Article 5 NATO invocation and no armed response, because the standard of proof required for collective self-defence under international law has not been met in any attributable public forum. This is not a failure of political will — it is the operational success of the below-threshold design.
The implication for CNI protection is that the kinetic response option is structurally unavailable. The defence of critical infrastructure in the sub-threshold warfare environment must be entirely defensive and resilience-based — the hardened facility, the OT network architecture, the detection system, the backup power, the spare transformer programme. There is no offensive deterrence component that a CNI operator can deploy. The investment decision is between protecting the asset and bearing the consequence of the asset's loss. Against a sub-threshold adversary, those are the only two options.
6.3 Simultaneity Is the Strategic Design — Point Defences Are Insufficient
Both doctrines emphasise simultaneous multi-domain operations as the mechanism that overwhelms the adversary's response capacity. A defender who can respond to one attack at a time — dispatching engineers to the County Mayo pump station, rerouting grid capacity around the Metcalf substations, managing the HSE restoration programme — is operating well against sequential attacks. A defender facing simultaneous attacks on multiple nodes across multiple sectors is facing the strategic design of both doctrinal frameworks.
This implies that CNI protection at the national level requires a national-level coordinated response architecture — not just hardened individual facilities. NCSC-IE's national OT audit following County Mayo was the first exercise of national-level OT inventory capability in Ireland. The CER Directive's Article 12 requirement for critical entity identification and Article 17 requirement for national resilience strategies provide the legal framework for this national architecture. The doctrine tells us that the defensive architecture must match the attack architecture's design: if the attack is designed to be simultaneous and multi-domain, the defence must be coordinated and multi-sector.
6.4 The Information Domain Is a CNI Attack Vector — Not Just a Consequence
Both doctrines identify information operations as a primary instrument of sub-threshold warfare — not as a supporting element but as an independent attack vector that produces effects equivalent to physical infrastructure disruption. A population that believes its water supply is contaminated — regardless of whether it is — will not drink the water. A population that believes its power grid is compromised — regardless of whether it is — will lose confidence in the institutions responsible for protecting it. The information effect of a CNI attack is often larger than the physical effect.
The October 2022 Sandworm attack against Ukrainian energy infrastructure combined physical circuit breaker operations with a simultaneous information campaign designed to maximise public panic. The psychological effect of knowing that an adversary can disable your heating in winter is part of the strategic objective, not a side effect of it. This implies that CNI protection communications — the public messaging following any CNI security event — are a component of the defensive response, not an administrative afterthought. An organisation that can rapidly and accurately communicate the status and expected restoration timeline of a disrupted service defeats the information dimension of the attack, regardless of how the physical dimension is resolved.
THE PRACTITIONER'S CONCLUSION FROM THE DOCTRINE: Gerasimov describes a war that has already started and that the adversary is winning by not calling it a war. Qiao and Wang describe an adversary who has removed all the restrictions that the defender has internalised. The CNI protection response to both frameworks is the same: treat the current period as the preparatory phase of an adversary operation, implement the detection architecture that identifies pre-positioned access, harden the assets whose loss would produce the strategic effects both doctrines describe as the objective, and build the national coordination architecture that can manage simultaneous multi-sector disruption. The luxury of assuming that sub-threshold warfare is a future threat was not available after Balticconnector in 2023. It certainly is not available after EstLink-2 in December 2024.
7. Conclusion
The phrase 'hybrid threats' has served its purpose as an awareness-raising label. It has brought sub-threshold warfare into mainstream security discourse and onto the agendas of political leaders who would not otherwise engage with it. But it has reached the limits of its analytical utility. It describes a category without explaining the logic; it points at a phenomenon without explaining why the phenomenon exists; and it generates a defensive response that is broadly calibrated to a general threat environment rather than specifically calibrated to the strategic frameworks that are driving the operations we are actually observing.
Gerasimov's 2013 article and Qiao Liang and Wang Xiangsui's 1999 book are analytically more useful precisely because they explain the strategic logic. They answer not just 'what is happening' but 'why is this happening and where will it happen next.' The answer, in both cases, is: critical infrastructure, because its disruption achieves the social, economic, and political effects that conventional military operations would otherwise require, at a fraction of the cost, below every threshold that would trigger the adversary's full-spectrum response.
Every incident documented in this paper series — Metcalf, County Mayo, HSE, Colonial Pipeline, the Baltic cables, Volt Typhoon — is an expression of this logic. The defences this paper series specifies — OT network segmentation, behavioural detection, HVM for public spaces, substation hardening, the counter-UAS detection architecture — are the correct responses to that logic. They are not responses to 'hybrid threats' in the abstract. They are engineered defences against a strategic framework that named critical infrastructure as the primary attack domain in 1999 and has been operationally validating that assessment continuously since 2013.
References and Primary Sources
Gerasimov, V. (2013) 'Tsennost' nauki v predvidenii' (The Value of Science is in the Foresight). Voyenno-Promyshlennyy Kurier (Military-Industrial Courier). 27 February 2013. English translation by Robert Coalson: Military Review, Vol. 96, No. 1, January-February 2016, pp. 23-29. US Army Combined Arms Center. Fort Leavenworth, Kansas.
Qiao Liang and Wang Xiangsui. Chao Xian Zhan (Unrestricted Warfare). PLA Literature and Arts Publishing House. Beijing. February 1999. FBIS English translation: Unrestricted Warfare. Foreign Broadcast Information Service, Central Intelligence Agency. 2000.
Galeotti, M. (2018) 'I'm Sorry for Creating the Gerasimov Doctrine.' Foreign Policy. 5 March 2018.
Galeotti, M. (2013) "The 'Gerasimov Doctrine' and Russian Non-Linear War." In Moscow's Shadows. 6 July 2013.
Bartles, C. (2016) 'Getting Gerasimov Right.' Military Review. January-February 2016. pp. 30-38.
Kofman, M. (2016) 'Fixing NATO Deterrence in the East or: How I Learned to Stop Worrying and Love NATO's Crushing Defeat by Russia.' War on the Rocks. 12 May 2016.
CISA, NSA, FBI, Five Eyes. Advisory AA24-038A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. February 2024. [Volt Typhoon confirmation.]
HSE. Conti Cyberattack on the HSE: A Report from the Board. December 2021.
CISA. Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs. December 2023.
Finnish Transport and Communications Agency (Traficom). Balticconnector Investigation Summary Report. 2024.
Finnish Border Guard. Statement on Eagle S Seizure. December 2024.
Polish Internal Security Agency (ABW). Annual Report 2024.
Lithuanian State Security Department (VSD). Annual Report 2023.
ESET Research. Industroyer2: Industroyer Reloaded. April 2022.
NATO. Comprehensive Assessment of Hybrid Threats 2024. NATO HQ. Brussels. 2024.
European External Action Service (EEAS). EEAS Annual Report on Disinformation and Foreign Information Manipulation 2024. EEAS. Brussels. 2024.
EU Hybrid Fusion Cell. Hybrid Threats Quarterly Review 2024. EEAS. Brussels. 2024.
Fridman, O. (2019) 'On the Gerasimov Doctrine: Why the West Fails to Beat Russia to the Punch.' PRISM, Vol. 8, No. 2. National Defense University Press. Washington DC.
McDermott, R. (2013) 'Gerasimov's New Model of Warfare — or the West's New Model of Gerasimov?' Eurasia Daily Monitor. Jamestown Foundation. March 2013.
European Union. NIS2 Directive: Directive (EU) 2022/2555. December 2022.
European Union. CER Directive: Directive (EU) 2022/2557. December 2022. Transposed: S.I. 559/2024.