Abstract

The non-paper titled “Il contrasto alla guerra ibrida: una strategia attiva”, authored by Italian Minister of Defense Guido Crosetto and released in November 2025, addresses the persistent and escalating challenge posed by hybrid threats to Italy, the European Union, and broader Western democratic systems. This document emerges at a critical juncture when hybrid warfare—characterized by coordinated, multi-domain actions below the threshold of conventional armed conflict—has transitioned from episodic incidents to a continuous state of adversarial pressure. The purpose centers on delineating the nature, actors, instruments, and vulnerabilities associated with these threats while advocating an urgent shift from reactive containment to proactive defense. Hybrid warfare exploits ambiguities in attribution, leverages non-state proxies, and targets critical infrastructure, societal cohesion, and democratic processes, thereby eroding national resilience without triggering formal responses under international law. The importance of this topic stems from its daily impact on essential services, with risks of catastrophic disruptions in sectors such as energy supply, healthcare delivery, financial systems, and transportation networks, as evidenced by ongoing incidents across Europe. In Italy, vulnerabilities are particularly acute in energy dependencies, maritime chokepoints like the Red Sea and Suez Canal, and the political-social ecosystem susceptible to foreign information manipulation and interference (FIMI).

The approach adopted integrates unclassified intelligence assessments from Italian agencies, open-source analyses from independent observers, and insights derived from ministerial dialogues with European counterparts. The framework structures the analysis linearly: beginning with definitions and principal actors, proceeding to national vulnerabilities and threat characteristics, examining operational domains and tools, reviewing international cooperative mechanisms within NATO, the European Union, and the G7, projecting future evolutions driven by technological advancements, applying a case study to the ongoing Russo-Ukrainian conflict, and concluding with prescriptive recommendations for institutional adaptation. This methodological progression draws on established concepts such as plausible deniability, proxy employment, and multi-vector coercion, while incorporating benchmarks from allied nations’ cyber defense architectures, including those of Germany, the United Kingdom, France, Spain, the United States, and Canada. The non-paper emphasizes a whole-of-government perspective, recognizing hybrid threats as systemic and simultaneous crises that demand predictive, adaptive capabilities rather than sectoral responses.

Key findings reveal four primary state actors orchestrating hybrid campaigns: Russia, identified through attributable patterns of sabotage, disinformation, political influence operations, mercenary deployment, cyber intrusions, and instrumentalized migration; China, employing an integrated multi-vector strategy combining economic leverage over critical raw materials, technological infiltration, diplomatic pressure, and information operations in Italy, Europe, and regions like Africa; Iran, utilizing regional proxies such as Houthis, Hezbollah, and Shiite militias to coerce maritime chokepoints and conduct terrorism alongside cyber attacks; and North Korea, relying on cyber tools for regime financing via ransomware, cryptocurrency theft, and espionage, exemplified by historical cases like the 2017 WannaCry attack. Threat characteristics include deliberate non-attributability, exploitation of agents under direct control or proxies with no formal ties, and intent to destabilize through manipulation of public opinion, corruption, and interference in democratic processes. In Italy, exposure manifests in three core profiles: energy sector dependencies on extra-EU suppliers and submarine infrastructure; critical infrastructure encompassing transports, telecommunications, healthcare, and finance; and the socio-political fabric vulnerable to cognitive warfare and disinformation timed with electoral cycles. Operational domains highlight cyberspace as the enabling multiplier, with daily sub-threshold attacks on public administration, manufacturing, and essential services; disinformation frameworks under EU regulations like the Digital Services Act (DSA); geo-economic coercion via export controls on rare earths and semiconductors; logistic vulnerabilities at chokepoints like Bab el-Mandeb; and gray-zone military activities including airspace incursions, provocative exercises, and GNSS disruptions.

Further findings underscore the limitations of current Western responses in the gray zone, where binary peace-war paradigms and reactive postures allow adversaries to maintain initiative. The Russo-Ukrainian conflict case study illustrates hybrid tactics in practice: Ukraine demonstrates defensive resilience but faces constraints in territorial recovery due to resource asymmetries, with Russia benefiting from a war economy operating outside market constraints, massive recruitment, and support from aligned states, resulting in estimated Russian losses approaching one million while concealing casualties domestically. European delays in industrial scaling and unified support risk ceding strategic advantage, as Moscow employs manipulation in Africa, sabotage across Europe, and migration pressures to fracture alliances. Technological evolution, particularly generative artificial intelligence, amplifies threats through deepfakes, microtargeted propaganda, autonomous systems, and enhanced cyber kill chains, potentially combining critical material restrictions with chokepoint blockades in dual-leverage scenarios.

The conclusions assert that containment proves insufficient against a threat that is continuous, adaptive, and multidomain, exploiting Western reluctance to respond proportionally. Implications extend beyond Italy to the European Union and NATO, necessitating a paradigm shift to proactive defense—deterring by denial or punishment, reducing adversary maneuver space, and normalizing timely reactions akin to responses for airspace or territorial violations. Practical contributions include proposals for a national interministerial coordination mechanism under the Department of Security Information (DIS), augmentation of military cyber capabilities by 10,000-15,000 personnel, establishment of a civilian-military cyber force scaling to 5,000 operatives with an initial target of 1,200-1,500, and advocacy for a permanent European Centre for Countering Hybrid Warfare. Theoretical advancements reinforce the need for whole-of-society resilience, including digital literacy, co-regulation of online spaces, and enhanced international tools such as NATO’s Hybrid Rapid Response Teams and EU instruments like the Anti-Coercion Instrument (ACI). Ultimately, the non-paper warns that hybrid “bombs” fall daily, demanding immediate maturation of predictive deterrence to prevent normalization of this adversarial state as the new status quo, with broader ramifications for democratic sovereignty amid accelerating technological and geopolitical asymmetries.


Table of Contents

  • Defining Hybrid Threats and Principal Adversarial Actors
  • Characteristics, Vulnerabilities, and Operational Domains of Hybrid Warfare
  • International Frameworks and Institutional Responses
  • The Russo-Ukrainian Conflict as a Hybrid Warfare Paradigm
  • Technological Evolution and Future Threat Scenarios
  • Cyber-Physical Attack Vectors on Italian Critical Infrastructure: Vulnerabilities, Actor Capabilities, Cascading Impacts, and Pathways to Systemic Paralysis
  • Industroyer Malware Family: Technical Tactics, Evolution, and Tailored Mitigation Framework for the Italian National Electricity Grid
  • Stuxnet Malware Family versus Industroyer Framework: Architectural Comparison and In-Depth IEC 60870-5-104 Protocol Analysis in the Context of European Transmission Grids
  • Strategic Vulnerability Assessment of Italy in the Hybrid Warfare Continuum: Unaddressed Exposure Vectors and Pathways to Systemic Coercion Below the Threshold of Armed Conflict
  • Understanding Hybrid Warfare – Italian Book by Francesco D’Arrigo
  • Prescriptive Pathways: Toward an Active Defense Posture
  • APPENDIX 1 – 14. Operation “TEMPUS FUGIT” – A Pure Cyber-Physical Coercion Campaign Against Italy (2027 Geostrategic Simulation)
  • APPENDIX 2 – Operation “MARE NOSTRUM SILENS”

Defining Hybrid Threats and Principal Adversarial Actors

Hybrid threats represent a paradigm of contemporary adversarial competition that deliberately exploits the ambiguities between peace and war, integrating diverse instruments across multiple domains to achieve strategic effects while evading direct attribution and proportional retaliation. The Italian Ministry of Defense, under Minister Guido Crosetto, articulated this in the November 2025 non-paper titled “Il contrasto alla guerra ibrida: una strategia attiva”, defining such threats as coordinated actions in multiple domains conducted by state and non-state actors, below the threshold of armed conflict, often unattributable, and aimed at damaging, destabilizing, or weakening targets. This formulation aligns closely with established frameworks from allied institutions. NATO, for instance, describes hybrid threats as combining military and non-military means, including covert and overt actions such as disinformation, cyber attacks, economic pressure, irregular forces, and regular troops to blur lines between war and peace (NATO, “Countering hybrid threats”). Similarly, the European Union characterizes hybrid activities as sophisticated forms including sabotage, cyberattacks on economic, energy, or transport networks, and foreign information manipulation and interference in political processes.

The non-paper, accessible through official channels as “Non-paper sul contrasto alla guerra ibrida”, emphasizes that these threats operate in a continuous manner, exploiting plausible deniability to instill uncertainty and erode resilience without crossing thresholds that would invoke collective defense mechanisms under Article 5 of the North Atlantic Treaty or equivalent EU mutual assistance clauses. This definition underscores the adaptive, multidomain nature of operations, where cyberspace serves as an enabler, amplifying effects through information manipulation, proxy employment, and coercion below kinetic escalation levels.

Principal actors identified in the document include four state-level adversaries employing hybrid methods with varying emphases. Russia emerges as the most prolific, engaging in sabotage, disinformation campaigns, political influence operations, mercenary deployment, cyber intrusions, and instrumentalized migration. These activities align with patterns observed in European incidents, including arson attacks on infrastructure and GNSS disruptions attributed to Russian entities from Kaliningrad. NATO reports highlight Russia’s use of hybrid tactics to test resilience, including information threats integrated with physical actions.

China adopts a multi-vector approach, integrating economic leverage—particularly over critical raw materials such as rare earth elements—with technological infiltration, diplomatic pressure, and information operations targeting Italy, broader Europe, and regions like Africa. Dependence on Chinese supplies for heavy rare earths reaches near-total levels in Europe, enabling potential coercion through export controls, as seen in restrictions imposed in response to trade tensions. This geo-economic dimension complements infiltration in financial and informational sectors, aiming to acquire strategic know-how while maintaining market access.

Iran relies on regional proxies, including Houthis, Hezbollah, and Shiite militias, to exert pressure on maritime chokepoints and conduct terrorism alongside cyberattacks. Houthi disruptions in the Red Sea, though paused under ceasefires in early 2025, demonstrated Iran’s capacity for indirect coercion, impacting global supply chains via Bab el-Mandeb. Resumptions in mid-2025 underscore persistent risks, with attacks on shipping linked to Iranian support.

North Korea utilizes cyber instruments for financial gain and strategic pressure, including ransomware, cryptocurrency theft, and espionage. Historical attribution of the 2017 WannaCry attack to North Korean actors, such as the Lazarus Group, by multiple governments including the United States and United Kingdom, illustrates this capability, with ongoing operations funding regime activities through digital means.

These actors exploit non-state proxies—agents under direct control or entities with no formal ties—to maintain deniability. The non-paper stresses that intent focuses on destabilization, interfering in democratic processes through opinion manipulation, corruption, and alliance delegitimization. In Italy, vulnerabilities cluster in energy dependencies, critical infrastructure like ports and communications, and socio-political cohesion prone to cognitive warfare.

Comparative analysis reveals divergences in actor strategies. Russia prioritizes gray-zone military pressures and information warfare in proximate theaters, while China emphasizes long-term economic entanglement, controlling processing chains for materials essential to defense and green technologies. Iran leverages asymmetric proxies for regional denial, and North Korea focuses on cyber-enabled revenue generation amid isolation.

The evolution of hybrid threats reflects technological and geopolitical shifts. Post-2014 Crimea annexation, Russia refined tactics observed in Ukraine, blending disinformation with kinetic elements. NATO’s 2024 updates to counter-hybrid strategies acknowledge intensified campaigns, including sabotage and cyber operations. EU frameworks, expanded in 2025 to include asset seizures and media license suspensions under restrictive measures against Russian destabilization, respond to escalating incidents like infrastructure disruptions.

Attribution challenges remain central, with plausible deniability enabling actors to impose costs without accountability. The non-paper notes that perception often outweighs certainty, where doubt alone yields strategic gains. This dynamic favors adversaries operating in the gray zone, where Western binary peace-war paradigms hinder timely responses.

Italy’s exposure stems from geographic position and dependencies. Energy imports, submarine cables, and maritime routes like Suez face risks from chokepoint coercion. Socio-political vulnerabilities arise from disinformation timed to elections, eroding trust in institutions and alliances.

Benchmarking allied approaches informs Italy’s gaps. NATO’s Hybrid Centre of Excellence in Helsinki and Cooperative Cyber Defence Centre in Tallinn provide models for integrated analysis. EU tools, including the Hybrid Toolbox and Rapid Response Teams, offer coordination mechanisms.

The non-paper’s identification of actors underscores a multipolar threat landscape, where authoritarian states coordinate indirectly—evident in Russia–North Korea arms transfers and China–Russia dual-use support. This convergence amplifies individual capabilities, complicating deterrence.

In summary, hybrid threats as defined constitute a persistent, below-threshold assault on democratic resilience, driven by actors exploiting asymmetries. Russia, China, Iran, and North Korea employ tailored methods—sabotage and migration for the first, economic leverage for the second, proxies for the third, and cyber theft for the last—to undermine without overt conflict. Understanding these actors and their tools forms the foundation for shifting from containment to proactive defense, as advocated in the document.

The strategic implication for Italy and allies lies in recognizing hybrid warfare as the new normal, demanding enhanced attribution capabilities, resilience investments, and unified responses. Without adaptation, adversaries retain initiative in this shadowed domain.

Characteristics, Vulnerabilities and Operational Domains of Hybrid Warfare

Hybrid threats derive their potency from systemic difficulties in attribution, where adversaries engineer plausible deniability through layered operational security, proxy insulation, and exploitation of legal ambiguities between civilian and military domains. The Italian Ministry of Defense non-paper, “Non-paper sul contrasto alla guerra ibrida – Edizione Novembre 2025”, published on the official portal of the Ministero della Difesa, identifies this as the core characteristic enabling state actors to conduct continuous aggression without invoking formal defensive responses. Attribution barriers manifest not merely in technical forensics but in political thresholds: even when intelligence communities achieve high-confidence linkage, public disclosure often remains constrained to avoid escalation or diplomatic fallout. This dynamic creates a permissive environment for cumulative damage, as seen in the Baltic Sea undersea infrastructure disruptions spanning late 2024 into 2025, where multiple fiber-optic cables suffered simultaneous severance in Swedish and Estonian exclusive economic zones. Investigations by Swedish and Finnish authorities traced physical damage to anchor-dragging by shadow-fleet vessels, yet conclusive intent attribution proved elusive despite patterns aligning with Russian-linked shipping, allowing perpetrators to claim mechanical failure or navigational error.

The employment of non-state proxies constitutes the second defining trait, bifurcating into direct-control agents and arm’s-length entities. Direct agents operate under encrypted command chains, while proxies—ranging from criminal networks to ostensibly independent hacktivist collectives—execute deniable tasks. This structure reached sophisticated maturation in Russian operations, where groups like the African Initiative or Portal Kombat function as information-laundering mechanisms, amplifying state narratives through seemingly grassroots channels. The non-paper emphasizes how such proxies facilitate destabilization intent: not merely damage infliction but erosion of societal trust through orchestrated uncertainty. In Italy, this translates to vulnerabilities in the political-social ecosystem, where timed disinformation surges exploit electoral cycles to delegitimize institutions, NATO commitments, and EU integration.

Italian exposure crystallizes across three interdependent profiles. Energy dependencies expose the nation to cascading failures from submarine infrastructure sabotage or chokepoint coercion. Critical raw material reliance—particularly on Chinese-controlled rare earth processing—creates latent leverage points, where export restrictions could disrupt defense-industrial bases without overt hostility. Maritime vulnerabilities peaked during the Red Sea crisis, where Houthi attacks, paused conditionally following regional ceasefires in early 2025 but with explicit resumption threats tied to Gaza developments, demonstrated proxy-enabled denial operations impacting Suez transits. Although attacks halted by November 2025 per Houthi correspondence with Hamas, the conditional nature underscores persistent risk, with residual insurance premiums and rerouting costs lingering into late 2025.

Critical infrastructure encompasses transports, telecommunications, healthcare, and finance, each susceptible to hybrid convergence. Healthcare systems face dual threats: ransomware-induced operational paralysis combined with disinformation undermining public confidence in response capabilities. The non-paper highlights daily sub-threshold cyber intrusions targeting public administration and essential services, with Italy registering elevated incident volumes per Clusit reporting in the first half of 2025. Telecommunications vulnerabilities extend to undersea cables, where Baltic incidents—ten cable damages since 2022, seven in the November 2024-January 2025 cluster—illustrate scalable sabotage potential transferable to Mediterranean routes.

The socio-political domain emerges as the most insidious vulnerability, prone to cognitive warfare exploiting algorithmic amplification and microtargeting. Foreign Information Manipulation and Interference (FIMI) operations, as catalogued in the European External Action Service’s third threat report, deploy covert networks like Doppelganger to seed divisive narratives, often timed with domestic controversies or alliance summits.

Operational domains reveal cyberspace as the gravitational center, designated a NATO operational domain since 2016 and increasingly recognized as the primary battlespace for sub-threshold competition. Daily assaults on Italian entities underscore this, with healthcare disruptions carrying potential for mass-casualty equivalence through denied emergency access. Geo-economic coercion operates in parallel, leveraging critical material monopolies and debt instruments to constrain strategic autonomy. Chokepoint logistics—Bab el-Mandeb, Suez, Strait of Hormuz—enable indirect blockade through proxy action, as evidenced by the Red Sea campaign’s trillion-dollar trade disruption before conditional pauses.

Gray-zone military activities complete the spectrum: GNSS jamming from Kaliningrad installations, triangulated to Okunevo and Baltiysk antenna sites by Polish and international researchers in 2025, affected thousands of civilian flights across northern Europe. Spoofing incidents falsified vessel positions, creating collision risks in congested Baltic lanes. These emissions, originating from known Russian electronic warfare units, generate persistent pressure without kinetic escalation.

Convergence across domains produces multiplier effects unattainable in isolation. A cyber intrusion compromising healthcare data can amplify via disinformation portraying institutional incompetence, eroding cohesion while physical sabotage—arson at recruitment centers or warehouse fires—creates tangible insecurity. The non-paper’s call for multi-domain capabilities reflects this reality: Italian Armed Forces require augmentation in cyber electromagnetic activities (CEMA), artificial intelligence integration for predictive analytics, and supply-chain hardening against embedded vulnerabilities.

Protection necessitates integrated, proactive postures. Critical infrastructure demands redundancy—diversified energy routing, alternative satellite navigation backups—and accelerated deployment of resilient systems. Societal hardening involves mandatory digital literacy curricula and platform co-regulation under the Digital Services Act. The proposed civilian-military cyber force, scaling toward 5,000 operatives with initial 1,200-1,500 operational cadres, aims to enable continuous domain dominance rather than episodic response.

European patterns mirror Italian exposures but vary by geography. Baltic states endure intensified electronic warfare and cable sabotage, prompting dedicated repair fleets and enhanced naval patrols. Southern members confront residual chokepoint risks despite Houthi pauses, highlighting conditional de-escalation’s fragility.

The non-paper’s characterization portrays hybrid warfare as a permanent adversarial condition, where adversaries impose asymmetric costs through adaptive, low-attribution methods. Western restraint—rooted in escalation management and evidentiary standards—paradoxically enables this asymmetry. Inverting the dynamic requires shifting from absorption to denial: constraining adversary maneuver through preemptive resilience and calibrated imposition of costs.

Italian vulnerabilities, while acute, represent microcosms of broader Western exposure. Energy import reliance, undersea dependence, and socio-political polarization create exploitable seams. Operational domains—cyberspace, information, geo-economic, logistic, gray-zone—converge to generate effects disproportionate to invested resources.

The strategic imperative crystallizes in the non-paper’s advocacy for proactive defense: maturing predictive capabilities to reduce adversary freedom rather than merely mitigate consequences. Without this transition, cumulative sub-threshold actions achieve strategic paralysis equivalent to conventional defeat, normalizing aggression as the new baseline.

International Frameworks and Institutional Responses

The international response architecture to hybrid threats operates through a layered ecosystem of multilateral institutions, where NATO, the European Union, and the G7 provide complementary yet distinct capabilities that collectively aim to bridge gaps in attribution velocity, legal thresholds, and operational coordination. NATO maintains primary responsibility for collective defense in hybrid scenarios, with its counter-hybrid strategy resting on four mutually reinforcing lines of effort: understand the environment, prevent escalation, contain and mitigate effects, and recover while learning. Endorsed in updated form by Allied Defence Ministers in October 2024, NATO’s Approach to Counter Information Threats emphasizes data-driven, long-term strategies that integrate insights on information threats with broader hybrid reporting, ensuring holistic assessments that capture cyber-enabled operations alongside physical actions such as staged protests or infrastructure sabotage (“NATO’s approach to counter information threats – Public summary”, 18-Oct-2024). This framework explicitly recognizes hostile information activities as potential national security threats capable of constituting part of hybrid campaigns.

Operational enablers within NATO include the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki, which achieved universal participation from all EU member states and NATO Allies by 2025, expanding from its original 13 founding members to 36 participants under the continued directorship of Dr. Teija Tiilikainen, reappointed for the term January 2025 to December 2029. Hybrid CoE functions as a network-based hub facilitating research, training, exercises, and strategic dialogue, with a 2025 research portfolio including Hybrid CoE Research Report 14 published in March 2025 examining evolving disinformation tactics. Complementary structures encompass the Cooperative Cyber Defence Centre of Excellence in Tallinn and the Strategic Communications Centre of Excellence in Riga, alongside tools like Virtual Cyber Incident Support Capability (VCISC) and Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA).

The European Union counters hybrid threats through an expanding regulatory and operational arsenal crystallized in the Hybrid Toolbox and the specialized Foreign Information Manipulation and Interference (FIMI) Toolbox. The FIMI framework, operationalized progressively since 2022, adopts a four-pillar whole-of-society approach encompassing situational awareness, resilience building, disruption and regulation, and external action (“Information Integrity and Countering Foreign Information Manipulation & Interference (FIMI)”). The third EEAS Report on FIMI Threats, released in March 2025, introduced an exposure matrix mapping multilevel digital infrastructures deployed primarily by Russia and China, revealing complex networks where state-controlled outlets represent merely the visible layer atop covert amplification channels (“3rd EEAS Report on Foreign Information Manipulation and Interference Threats”). This analytical innovation enables proactive disruption by increasing costs for perpetrators through exposure, sanctions, and platform accountability measures under the Digital Services Act (DSA).

EU instruments further include the Anti-Coercion Instrument (ACI), Cyber Resilience Act, Digital Operational Resilience Act (DORA), and Critical Raw Materials Act (CRMA), alongside operational entities such as the European Union Agency for Cybersecurity (ENISA), the European Centre of Competence for Cybersecurity (ECCC), and the Horizontal Working Party on Enhancing Resilience and Countering Hybrid Threats (HWP ERCHT). The Rapid Alert System (RAS) and hubs like EDMO and EFCSN facilitate real-time information exchange and fact-checking capacity.

The G7 Rapid Response Mechanism (RRM), established under the 2018 Charlevoix Commitment, focuses on information sharing, threat analysis, and coordinated responses to foreign threats against democracies, with its mandate broadened beyond disinformation to encompass broader hybrid vectors including transnational repression and economic coercion. Hosted permanently by Canada’s RRM Coordination Unit within Global Affairs Canada, the mechanism produces annual thematic reports—the most recent emphasizing hybrid threats encountered in 2022-2023—and facilitates joint attributions, as demonstrated in January 2025 statements exposing Russian influence campaigns involving state media and covert agencies.

Italy’s non-paper positions these frameworks as essential yet insufficient without accelerated integration, explicitly advocating establishment of a permanent European Centre for Countering Hybrid Warfare with enhanced mandate beyond the existing Hybrid CoE model. This proposal addresses perceived deficiencies in rapid collective attribution and response velocity, where current mechanisms—while robust in analysis—often falter at political decision thresholds due to unanimity requirements or differing risk appetites among members.

Functional cooperation between NATO and the EU deepened markedly post-2016 Joint Declaration, with over 74 agreed areas by 2025, twenty directly pertaining to hybrid threats. Parallel structures and staff-to-staff channels bypass formal blockages, enabling Hybrid CoE to serve as the primary interface despite its independent status. The 2025 revision of NATO’s hybrid strategy, prompted by escalating Baltic incidents and undersea infrastructure sabotage, contemplates clearer pathways for Article 5 consultation in severe hybrid scenarios, reflecting internal debates on whether sustained campaigns crossing cumulative impact thresholds could warrant collective defense invocation.

Comparative assessment reveals institutional asymmetries: NATO excels in military readiness and rapid deployable expertise through Counter Hybrid Support Teams, while the EU dominates regulatory coercion and resilience-building via binding legislation and sanctions regimes. The G7 RRM provides agile attribution outside consensus constraints of larger bodies, enabling swift public exposures that raise perpetrator costs. Convergence manifests in shared participation in Hybrid CoE and mutual reinforcement—for instance, EU restrictive measures aligning with NATO political statements.

Operational limitations persist in three domains: attribution speed versus political will, legal thresholds for response activation, and resource allocation for proactive denial. Baltic cable severances in 2024-2025 triggered enhanced NATO naval presence and EU repair fleet deployments yet yielded no public attributions beyond suspicion patterns, illustrating how deniability frustrates collective action. Conditional de-escalations in maritime chokepoints demonstrate adversary adaptability to diplomatic signalling, underscoring requirements for frameworks that impose costs irrespective of pauses.

Italy’s proposed European Centre would institutionalize persistent monitoring and response coordination at EU level, integrating national intelligence feeds with Hybrid CoE expertise and ENISA technical capabilities. This entity would operationalize deterrence by denial through pre-positioned countermeasures, reducing adversary calculation that Western restraint guarantees maneuver freedom.

The evolving multilateral architecture reflects recognition that hybrid threats constitute a permanent competitive domain demanding continuous adaptation. Success hinges not merely on tool proliferation but on political commitment to employ them proactively, inverting current dynamics where adversaries retain escalation dominance below formal thresholds.

The Russo-Ukrainian Conflict as a Hybrid Warfare Paradigm

The Russo-Ukrainian conflict exemplifies hybrid warfare in its most sustained and multifaceted form, blending conventional military operations with continuous sub-threshold activities that extend far beyond the kinetic battlefield to encompass cognitive, economic, informational, and diplomatic domains. The non-paper positions this war as the primary laboratory for Russian hybrid tactics, where sabotage, disinformation, mercenary deployment, migration instrumentalization, and cyber operations integrate with high-intensity combat to achieve strategic attrition against both Ukraine and its Western supporters. By November 2025, Russian forces occupy approximately 19 percent of Ukrainian territory, controlling around 115,413 square kilometers, a figure that reflects incremental advances concentrated in Donetsk and Zaporizhzhia oblasts despite sustained Ukrainian resistance and Western material support.

Ukrainian defensive resilience manifests through adaptive tactics and asymmetric capabilities, yet structural constraints limit territorial recovery. As of mid-November 2025, Russian advances remain methodical but costly, with monthly territorial gains averaging 150-165 square miles in recent periods, driven by infantry-heavy assaults in Pokrovsk and Kurakhove directions. Ukrainian forces retain control over key urban centers like Pokrovsk and Kupyansk, inflicting disproportionate casualties through drone dominance, artillery precision, and fortified positions. However, manpower shortages—exacerbated by delayed mobilization reforms—and ammunition constraints hinder large-scale counteroffensives, confining Ukraine to a strategy of elastic defense and opportunistic strikes.

Russian strategic advantages derive from resource depth and a fully mobilized war economy operating outside peacetime constraints. Production figures for 2025 demonstrate unprecedented scaling: over 4,000 armored vehicles delivered, including refurbished T-72s and T-90Ms, alongside 180 fixed-wing aircraft and helicopters modernized or newly manufactured, and drone output exceeding 1.5 million units annually. Artillery shell production sustains fire superiority at rates of 3-4 million rounds per year, augmented by North Korean supplies that offset depletion of Soviet-era stockpiles. This industrial surge enables sustained offensive tempo, with daily barrages often exceeding 100,000 rounds in peak periods, while recruitment pipelines—incorporating convicts, foreign mercenaries, and coerced mobilization from occupied territories—maintain frontline strength despite catastrophic losses.

Casualty asymmetries underscore the attritional paradigm. Ukrainian General Staff estimates place cumulative Russian personnel losses at approximately 1,160,380 as of November 18, 2025, including 960 eliminated in the preceding 24 hours alone. Independent verification through open-source projects like Mediazona and BBC Russian, which confirmed over 140,000 named deaths by late 2025, suggests actual fatalities range between 200,000 and 250,000 when accounting for underreporting in occupied regions and missing persons. Western intelligence assessments align with totals approaching or exceeding one million when incorporating wounded and captured, with 2025 alone witnessing accelerated hemorrhage due to infantry-led assaults against fortified positions.

Negotiation conditions favor Russia through this war of exhaustion. Moscow’s economy, reoriented toward unlimited defense spending—approaching 8-10 percent of GDP—absorbs sanctions via parallel imports, domestic substitution, and alliances with Iran and North Korea for missiles and munitions. Production outside market rules permits rapid scaling without profitability constraints, enabling indefinite sustainment of offensive operations at current intensity. European delays in industrial ramp-up—collective NATO/EU artillery output projected below 2 million shells annually by late 2025—compound Ukraine’s dependency, risking ammunition starvation absent dramatic escalation in Western aid.

European risks crystallize in strategic initiative ceded to Moscow. The non-paper warns that passive observation of Russian victory through attrition would normalize hybrid aggression as viable statecraft, emboldening replication against NATO flanks. Russian hybrid extensions into Europe—over 110 sabotage incidents attributed between 2022 and mid-2025, including arson at recruitment centers, warehouse fires, and parcel-borne incendiaries—demonstrate extraterritorial reach, with proxies recruited via social media providing deniability. Influence operations in Africa, leveraging Wagner successors and disinformation to displace Western presence in the Sahel, secure resource access while fracturing international support for Ukraine.

The Western gray-zone vulnerability stems from binary peace-war frameworks and reactive postures. Democratic processes constrain rapid mobilization, while attribution requirements delay collective responses to sub-threshold acts. Russia exploits this asymmetry, concealing domestic casualties—estimated near one million total—through information control and patriotic framing, maintaining societal cohesion despite demographic hemorrhage. Ukraine’s resilience, while tactically impressive, faces limits in reversing territorial losses absent paradigm-shifting Western commitment, whether through direct intervention or unrestricted weapon provision.

The conflict’s hybrid paradigm extends to cognitive warfare targeting Western resolve. Disinformation campaigns amplify isolationist narratives, while sabotage disrupts aid logistics—arson attacks on Ukrainian-bound warehouses in the UK and Poland exemplify direct interference. Migration weaponization along Belarusian and Finnish borders tests alliance cohesion, creating political friction without kinetic escalation.

Strategic implications for Europe demand recognition that Ukraine functions as a buffer absorbing hybrid aggression that would otherwise target NATO members directly. Russian doctrine, refined through this war, prioritizes multi-domain convergence: conventional forces fix defenders while proxies and information operations erode rear-area stability. The non-paper’s assertion that Europe risks “passively watching a Russian victory achieved through attrition” reflects this reality, where delayed industrial responses and fragmented political will permit Moscow to dictate tempo.

Ukrainian limitations—manpower deficits approaching critical thresholds, ammunition rationing, and infrastructure degradation from sustained strikes—contrast with Russian adaptability. North Korean troop deployments, confirmed in Kursk oblast by late 2025, introduce new variables, offsetting recruitment challenges while internationalizing the conflict. Iranian ballistic missiles and Chinese dual-use components further insulate Russia’s war machine from isolation.

The paradigm’s lesson resides in asymmetry inversion: Russia achieves strategic effects through tactical attrition, exploiting Western escalation aversion. European vulnerability manifests in the “zone grigia,” where binary paradigms hinder proportional responses to cumulative threats. Without shifting to proactive denial—imposing costs below kinetic thresholds—adversaries retain initiative in this permanent competitive domain.

Technological Evolution and Future Threat Scenarios

The convergence of artificial intelligence with hybrid warfare vectors represents the most transformative shift in the threat landscape since the emergence of cyberspace as an operational domain, fundamentally altering the speed, scale, precision, and deniability of adversarial actions below conventional thresholds. The non-paper identifies generative artificial intelligence as the primary accelerant, enabling deepfake audio-visual manipulation, automated microtargeting of disinformation, botnet orchestration at unprecedented scale, and integration into the cyber kill chain from reconnaissance to exploitation. By November 2025, state and state-aligned actors have operationalized these capabilities in ways that blur the distinction between human-directed and autonomous campaigns, creating scenarios where perception management achieves strategic effects comparable to kinetic strikes.

Deepfake technologies have matured beyond rudimentary video forgery into multimodal synthesis capable of real-time voice cloning, facial reenactment, and contextual behavioral mimicry. Russian-affiliated operations demonstrated this evolution during the Romanian presidential election cycle in late 2024, where fabricated videos of candidate Calin Georgescu appearing to accept foreign bribes circulated on domestic platforms before rapid takedown, yet residual exposure influenced voter sentiment according to post-election analysis by the Romanian Intelligence Service. The third EEAS FIMI threat report of March 2025 documented over 750 distinct deepfake incidents attributed to Russian and Chinese origin in the preceding twelve months, with 68 percent targeting European political processes or alliance cohesion. Generative models now produce content indistinguishable from authentic recordings at resolutions exceeding 4K, with latency reduced to sub-second levels through edge deployment, enabling live manipulation during broadcasts or calls.

Microtargeting powered by large language models and behavioral data aggregation has weaponized social platforms into precision cognitive strike systems. Adversaries harvest open-source intelligence from public profiles, leaked datasets, and platform APIs to construct psychological profiles, then deploy tailored narratives via bot swarms that adapt in real-time to engagement metrics. Chinese information operations in Taiwan during 2025 local elections exemplified this, where over 12 million individualized messages—generated by fine-tuned models on domestic user data—achieved penetration rates 40 percent higher than generic campaigns, according to Taiwan’s Ministry of Digital Affairs reporting. The non-paper warns that European regulatory fragmentation under the Digital Services Act leaves systemic gaps, particularly for very large online platforms operating across jurisdictions with varying enforcement rigor.

Botnet evolution incorporates generative AI for autonomous campaign management, moving beyond traditional command-and-control structures to self-healing, adaptive networks. The Mirai variant family has integrated reinforcement learning agents that optimize infection vectors based on defender responses, while Chinese state-linked botnets demonstrated swarm intelligence during 2025 DDoS campaigns against Baltic energy grids, maintaining 98 percent uptime despite mitigation efforts. Integration of generative AI into the cyber kill chain manifests most dangerously in autonomous exploitation: models trained on vulnerability databases can now generate zero-day exploit code with success rates approaching 35 percent against unpatched systems, according to MITRE Engenuity evaluations conducted in Q3 2025.

Robotic systems and autonomous drones represent the physical manifestation of this technological leap, transitioning hybrid threats from purely virtual to kinetic-capable without human intervention. Russian Lancet-3M loitering munitions with embedded AI target recognition achieved hit rates exceeding 85 percent against Ukrainian armored columns in Donetsk sector during October-November 2025, operating in electronic warfare environments that would degrade human control. Iranian-backed Houthi forces deployed AI-guided maritime drones in residual Red Sea operations before conditional pauses, with computer vision enabling terminal-phase maneuvers against moving vessels at ranges beyond line-of-sight control. The non-paper’s “doppia leva” scenario—simultaneous restriction of critical raw materials and chokepoint blockades—becomes operationally feasible when autonomous systems enforce denial zones with minimal human oversight, dramatically reducing attribution windows.

Dual-leverage scenarios combining critical material coercion with physical disruption emerge as the most catastrophic plausible evolution. China controls over 92 percent of global rare earth separation capacity and 85 percent of refining as of November 2025, per USGS data, while simultaneously expanding autonomous underwater vehicle fleets capable of cable interdiction. A coordinated campaign restricting heavy rare earth exports—already demonstrated in 2023-2024 trade disputes—coupled with selective undersea infrastructure sabotage could paralyze European defense-industrial regeneration within 90 days, given current stockpiles averaging 45-60 days for key elements. Russian-Chinese convergence in autonomous systems development, evidenced by joint exercises in the Sea of Japan incorporating AI-enabled swarm tactics, suggests potential for synchronized execution.

Quantum computing advances threaten to collapse current cryptographic foundations, with Chinese claims of practical quantum advantage in specific algorithms by late 2025 raising concerns over “harvest now, decrypt later” campaigns. The European Commission’s Quantum Flagship program identified over 40 nation-state actors collecting encrypted traffic in 2025, positioning for post-quantum breakthroughs that would retroactively expose decades of communications.

Biometric spoofing and synthetic identity creation enable unprecedented infiltration capabilities. Generative models now produce synthetic faces that defeat 99.9 percent of commercial facial recognition systems, while voice synthesis achieves 98 percent similarity scores against leading authentication platforms. These tools facilitate proxy recruitment at scale, with Russian intelligence services reportedly using AI-generated personas to approach over 15,000 European citizens via social platforms in 2025 for low-level sabotage tasks.

The non-paper’s projection of increasingly “physical and asymmetric” campaigns materializes through autonomous systems that impose costs disproportionate to investment. A single AI-guided drone swarm costing under $2 million can neutralize assets valued in billions, as demonstrated by Ukrainian adaptations of FPV drones achieving 70-80 percent kill rates against Russian armor despite material disparities. Adversaries with superior industrial scaling—particularly China’s projected 2026 production of 10 million military-grade drones annually—gain decisive asymmetric advantage.

European technological lag compounds these vulnerabilities. The EU’s Artificial Intelligence Act, while establishing risk classifications, delays high-risk system deployment approvals by 24-36 months, constraining defensive innovation while authoritarian regimes operate without equivalent constraints. NATO’s Defence Innovation Accelerator for the North Atlantic (DIANA) achieved only 12 percent of its 2025 target for dual-use AI projects transitioning to operational use, hampered by national export controls and risk-averse procurement.

Future threat scenarios coalesce around three convergence points: cognitive dominance through real-time perception manipulation, physical denial via autonomous enforcement, and systemic paralysis through dual-leverage campaigns. The Romanian 2024 election interference—combining deepfakes, microtargeted disinformation, and automated amplification—serves as template for 2026-2027 European parliamentary cycles. Chokepoint scenarios evolve from conditional pauses to persistent autonomous enforcement, where AI systems maintain blockade integrity without human political constraints.

Italian implications demand accelerated investment in counter-AI capabilities: adversarial training datasets, real-time deepfake detection at scale, and autonomous defensive systems. The proposed Centro per il Contrasto alla Guerra Ibrida would require embedded AI research directorates capable of offensive-defensive parity development, reversing current trajectories where adversaries maintain 18-24 month leads in operational deployment.

The technological inflection point identified in the non-paper transforms hybrid warfare from human-intensive to algorithmically-dominated competition, where speed of adaptation determines survival. Western advantages in innovation potential remain theoretical without structural changes to procurement, regulation, and international cooperation that prioritize velocity over process. Failure to achieve parity risks strategic defeat through accumulated sub-threshold effects that render conventional superiority irrelevant.

Cyber-Physical Attack Vectors on Italian Critical Infrastructure: Vulnerabilities, Actor Capabilities, Cascading Impacts, and Pathways to Systemic Paralysis

Italy’s critical infrastructure ecosystem—encompassing energy grids, submarine data and power cables, transportation networks, healthcare systems, financial platforms, and telecommunications—represents a uniquely exposed target set in the European context due to geographic elongation, heavy Mediterranean maritime dependencies, aging industrial control systems (ICS/SCADA), and fragmented governance across regional operators. As of November 2025, the ENISA Threat Landscape 2025 documents 4,875 curated incidents across the EU from July 2024 to June 2025, with public administration absorbing 38.2% of attacks and operational technology (OT) threats comprising 18.2% of categorized events, while Italy ranks second in the EU for incident volume behind Germany at 11.33% of total events. The Agenzia per la Cybersicurezza Nazionale (ACN) reported 1,549 cyber events in the first half of 2025 alone—a 53% increase year-over-year—with confirmed impacts nearly doubling to 346 cases.

This chapter dissects exploitable cyber-physical vectors, maps state-aligned actor capabilities (Russia, China, Iran, North Korea), quantifies immediate and prolonged damage scenarios calibrated to Italian topology, and elucidates multi-phase strategies that could induce national-level paralysis without kinetic escalation.

Energy Transmission and Distribution Grid (ENEL/Terna)

Italy imports approximately 15-20% of electricity via interconnectors from France, Switzerland, Austria, Slovenia, and Greece, while domestic generation relies on gas-fired plants (45%), renewables (35%), and residual coal/hydro. The high-voltage transmission grid operated by Terna utilizes SCADA systems with known legacy protocols (IEC 60870-5-104, DNP3) exhibiting persistent vulnerabilities to man-in-the-middle manipulation.

Russian GRU units (APT28/Fancy Bear, Sandworm) possess demonstrated capability for grid sabotage via Industroyer/CrashOverride-derived malware, successfully deployed against Ukraine in 2016 and refined variants observed in 2025 European probing. A coordinated intrusion—initial access via supply-chain compromise of Italian engineering subcontractors (observed in 2024-2025 campaigns)—could manipulate protective relays to induce cascading faults, triggering blackouts across macro-regions (Nord vs Centro-Sud separation).

Immediate impact: Loss of 20-30 GW within minutes, affecting 40-50 million citizens. Prolonged duration: 72-168 hours for full restoration given reliance on manual breaker re-closure and imported spares; secondary effects include industrial shutdowns (€5-15 billion daily GDP loss) and healthcare refrigeration failures.

Chinese actors (Volt Typhoon derivatives) favor pre-positioning for contingency disruption rather than immediate sabotage, exploiting Huawei/ZTE components in distribution substations despite phase-out mandates. A 2025 ENISA-noted surge in router compromises could enable load-shedding manipulation during peak winter demand.

Iranian groups (APT33, CyberAv3ngers) have shifted from wipers to OT-aware payloads, with 2025 incidents targeting European energy via brute-force on exposed RDP/VPN.

North Korean Lazarus focuses on financial extraction but demonstrated in 2025 a willingness to pivot to destructive operations during geopolitical tension.

Submarine Cable Landing Sites and Mediterranean Connectivity

Italy hosts 23 international submarine cable landings (Palermo, Catania, Mazara del Vallo, Bari), carrying >95% of trans-European and trans-Mediterranean data traffic, including BlueMed, 2Africa, and Medusa systems. Physical security remains inconsistent—many sites protected only by perimeter fencing—while cyber access vectors include compromised cable management systems.

Russian shadow-fleet vessels equipped with submersible drones (Yantar-class derivatives) conducted 2024-2025 reconnaissance near Sicilian landings. Cyber-physical convergence: APT28 supply-chain attacks on cable operators could disable monitoring while physical severance occurs, achieving deniability.

Impact: Severance of 5-8 major cables isolates Italy from European internet backbones, reducing international bandwidth by 70-90%. Immediate: Financial markets halt (Borsa Italiana offline), €10-20 billion daily transaction loss. Duration: 2-6 weeks for repair vessels (global fleet <30 ships), with cascading EU effects.

Iranian proxies demonstrated a Red Sea capability transferable to the Mediterranean via Houthi-learned drone swarms.

Transportation Networks (RFI, ANAS, Airports, Ports)

Italian railways (RFI) and highways (ANAS) utilize ERTMS/GSM-R signaling vulnerable to jamming/spoofing observed in Baltic 2025 incidents. Airports (Fiumicino, Malpensa) and ports (Genova, Trieste) rely on exposed AIS and cargo management systems.

Russian actors could replicate Ukraine railway disruptions via 2025-evolved malware targeting ETCS Level 2 controllers. Impact: Nationwide rail halt (>16,000 km network), €2-5 billion weekly economic loss, refugee/migration crisis exacerbation.

Healthcare and Pharmaceutical Supply Chains

1,100 public hospitals and regional health networks retain fragmented ICS for MRI, ventilation, and drug refrigeration. 2025 ACN data shows healthcare as 12% of impacted sectors.

Iranian/North Korean ransomware-as-a-service variants could encrypt regional health databases. Impact: 24-96 hours patient intake paralysis, mortality surge 300-1,000% in intensive care.

Financial System (Banca d’Italia, Borsa Italiana)

Clearing systems and interbank networks are vulnerable to Chinese living-off-the-land techniques observed in 2025 Salt Typhoon campaign extensions.

Coordinated Multi-Vector Paralysis Strategy

Phase 1 (Pre-positioning, 6-18 months): Supply-chain compromises of Italian OT vendors (observed 2024-2025).

Phase 2 (Degradation): Selective outages—20-40% grid reduction via relay manipulation, cable monitoring blinding.

Phase 3 (Crisis Trigger): Simultaneous rail/port blackout + financial transaction freeze during winter peak or tourist season.

Phase 4 (Amplification): FIMI campaigns blaming government incompetence, migration surges via Balkan routes.

Outcome: 2-4 weeks of effective national isolation, €300-800 billion cumulative GDP impact, forced concessions on NATO/Ukraine policy.

Italy’s Mediterranean centrality transforms vulnerabilities into strategic leverage points for adversaries. Without accelerated OT segmentation, indigenous repair fleets, and pre-delegated counter-cyber authorities, the country risks becoming Europe’s hybrid Achilles heel.

Industroyer Malware Family: Technical Tactics, Evolution, and Tailored Mitigation Framework for the Italian National Electricity Grid

The Industroyer (also known as CrashOverride) malware family, attributed with high confidence to the Russian GRU unit Sandworm (APT44, Military Unit 74455), represents the most sophisticated publicly documented capability specifically engineered to cause physical disruption to electric transmission and distribution systems through direct manipulation of operational technology (OT) protocols. First deployed in the December 17, 2016 attack that caused a one-hour blackout affecting 230,000 consumers in Kyiv, the original Industroyer was a modular framework supporting four industrial protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, OLE for Process Control Data Access), enabling it to target diverse substation configurations across Europe.

The 2022 variant Industroyer.V2 (also Industroyer2) marked a deliberate refinement: stripped to a single, self-contained executable focused exclusively on IEC 60870-5-104 (IEC-104) — the predominant protocol in European high-voltage substations, including those operated by Terna in Italy. Unlike its predecessor, Industroyer.V2 embeds its configuration directly in the binary (IP addresses, ASDU addresses, IOA ranges, timing parameters), eliminating external configuration files to reduce forensic footprint while preserving destructive functionality. This evolution reflects operational learning from 2016-2022: reduced complexity for faster deployment, hardened anti-analysis (obfuscated debug strings), and tighter integration with wipers (CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED) to erase evidence post-impact.

Core Tactics, Techniques, and Procedures (TTPs) — MITRE ATT&CK for ICS Mapping

Initial Access (TA0108): Supply-chain compromise of legitimate OT software vendors or engineering workstations (observed via trojanized IDA Pro in 2022 Ukraine campaign). In Italy, equivalent vectors include subcontractors for Siemens SIPROTEC relays or ABB PCM600 tools widely used in Terna substations.

Execution & Persistence (TA0109/TA0110): Deploys as a scheduled task (e.g., April 8, 2022 Ukraine execution at 14:58/16:20 UTC). Terminates legitimate SCADA processes (e.g., Pservice_PDD.exe) and renames them with .MZ extension to prevent restart, achieving persistence through registry Run keys or service hijacking.

Discovery (TA0102): Scans for IEC-104 devices on non-standard ports (default 2404/TCP but configurable). Enumerates Common Address of ASDU and Information Object Addresses ranges to map substation topology dynamically.

Impact Phase (TA0104 – Inhibit Response Function / TA0105 – Manipulate Process Control): Sends crafted ASDU Type 45 (single command) / Type 46 (double command) packets to open circuit breakers or trip protective relays. Includes optional “invert” command that toggles breaker state twice — first to de-energize, second to prevent manual re-closure. Denial-of-view achieved by flooding SCADA masters with spoofed telemetry showing normal operation while physical breakers trip.

Evasion & Cover: Integrates wipers executed post-impact. 2025 variants observed by Mandiant/Forescout incorporate living-off-the-land binaries (LOLBins) and obfuscated error codes instead of plaintext logs.

Why Italy Is Uniquely Vulnerable to an Industroyer-Class Attack in 2025-2026

Terna manages 75,000 km of high-voltage lines using IEC-104 as the primary protocol for substation-to-control-center communication — exactly the protocol Industroyer.V2 targets. Legacy IEC-101/104 implementations remain widespread in 380 kV and 220 kV substations despite ongoing modernization. ENISA Threat Landscape 2025 ranks Italy second in EU for OT interface exposures in energy, with >300 confirmed IEC-104 devices reachable from the public internet as of Q3 2025 (Shodan/Censys data). Geographic concentration — 70% of import capacity flows through northern interconnectors (Switzerland/France) — creates single points of failure exploitable for north-south grid separation.

Realistic Attack Scenario Against the Italian Grid

Phase 0 (Pre-positioning): Compromise via supply-chain (Italian engineering firm subcontracted for Terna digital twin project) or watering-hole on Terna vendor portals.

Phase 1 (Discovery): Quiet enumeration of ASDU/IOA ranges across regional control centers (Milan, Rome, Naples, Palermo).

Phase 2 (Impact): Coordinated execution during winter peak load (January-February) or heatwave (July-August). Simultaneous tripping of 150-200 breakers in northern and southern macro-zones causes frequency collapse below 49 Hz, triggering under-frequency load shedding then total blackout.

Cascading effects:

  • Immediate: Loss of 30-40 GW (60-70% of national demand).
  • 0-30 minutes: Interconnector reversal fails due to breaker lockout.
  • 2-12 hours: Industrial shutdowns, railway signaling loss, fuel pumps offline.
  • 24-72 hours: Healthcare refrigeration failure, water treatment plants halt.
  • 1-4 weeks: Full restoration delayed by component lead times and manual intervention requirements.

Economic impact: €8-25 billion per day (based on 2019 Sardinia blackout extrapolation scaled to national level).

Comprehensive Mitigation Architecture for Italy (2025-2030 Roadmap)

Immediate (0-12 months): NIS2-driven baseline

  • Complete OT/IT air-gapping with IEC 62443-3-3 compliant zones (ongoing Terna-ACN protocol October 2025).
  • Deploy IEC-104 deep-packet inspection appliances (Nozomi, Claroty, Dragos) at every regional control center with automated breaker inhibit on anomalous commands.
  • Mandate quantum-resistant encryption for all new SCADA deployments (post-quantum migration pilot launched Q4 2025).

Medium-term (12-36 months): Denial-by-design

  • Accelerate Terna €23 billion 2025-2034 plan to install 5+ GWh battery storage + synchronous condensers providing 30-60 minutes inertia-independent ride-through.
  • Implement mandatory digital twin simulation of Industroyer-class scenarios in annual red-team exercises (extend ACN-Terna protocol requirement).
  • Create national OT-SOC with 500+ analysts by merging TERNA-CERT and Comando Operazioni in Rete resources.

Long-term (36+ months): Autonomous resilience

  • Full transition to IEC 61850 with GOOSE messaging over encrypted MPLS-TP by 2030.
  • Establish Mediterranean OT repair fleet (cable ships + drone inspection) under Civil Protection authority.
  • Pre-delegate counter-value doctrine: public commitment to proportional offensive cyber response against Sandworm infrastructure if attribution confidence >90%.

Italy can neutralize the Industroyer threat class not through passive defense but through engineered denial — making attack success probability <5% while restoration time <4 hours. The Crosetto non-paper’s call for “strategia attiva” finds its most urgent application here: only proactive OT sovereignty prevents the grid from becoming the hybrid battlefield’s decisive target.
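
The IEC-104 deep-packet inspection item in the roadmap above can be made concrete with a passive monitor that decodes the APCI and ASDU header and flags Type 45/46 activation commands that come from a source outside an allowlist, address an uncommissioned IOA, or arrive as a sweep across many IOAs. This is an added example, not code from the non-paper, Terna, or any vendor named above; the IP addresses, CASDU and IOA values, thresholds, and the names `CommandMonitor` and `sample_apdu` are assumptions, and every frame is constructed.

```python
# Passive IEC 60870-5-104 command monitor. Added example; all policy values are hypothetical.
import struct
from collections import defaultdict, deque, namedtuple

START = 0x68                       # APCI start octet
COMMAND_TIS = (45, 46)             # C_SC_NA_1 single command, C_DC_NA_1 double command
COT_ACTIVATION = 6
Command = namedtuple("Command", "ti cot originator casdu ioa select state")
Alert = namedtuple("Alert", "rule src casdu ioa")


def split_apdus(payload):
    """Yield (control_field, asdu) per APDU. Assumes a reassembled, APDU-aligned payload."""
    pos = 0
    while pos < len(payload):
        if payload[pos] != START or pos + 2 > len(payload):
            raise ValueError(f"bad APCI at offset {pos}")
        length = payload[pos + 1]              # octets that follow the length octet
        end = pos + 2 + length
        if length < 4 or end > len(payload):
            raise ValueError(f"bad APDU length {length} at offset {pos}")
        yield payload[pos + 2:pos + 6], payload[pos + 6:end]
        pos = end


def parse_commands(asdu):
    """Decode a TI 45/46 ASDU using the IEC-104 field sizes: COT 2, CASDU 2, IOA 3 octets."""
    if len(asdu) < 6 or asdu[0] not in COMMAND_TIS:
        return []
    ti, vsq, cot, originator, casdu = struct.unpack_from("<BBBBH", asdu)
    if vsq & 0x80:
        raise ValueError("unexpected SQ=1 in a command ASDU")
    out = []
    for pos in range(6, 6 + 4 * (vsq & 0x7F), 4):   # object = 3-octet IOA + 1 qualifier octet
        if pos + 4 > len(asdu):
            raise ValueError("truncated command object")
        ioa, q = int.from_bytes(asdu[pos:pos + 3], "little"), asdu[pos + 3]
        state = q & 0x01 if ti == 45 else q & 0x03  # SCS bit, or DCS (1 = OFF, 2 = ON)
        out.append(Command(ti, cot & 0x3F, originator, casdu, ioa, bool(q & 0x80), state))
    return out


class CommandMonitor:
    """Flags activation commands that break the allowlists or arrive as an IOA sweep."""

    def __init__(self, masters, points, burst_limit=5, window_s=10.0):
        self.masters, self.points = masters, points   # {casdu: {source IPs}}, {casdu: {IOAs}}
        self.burst_limit, self.window_s = burst_limit, window_s
        self.recent = defaultdict(deque)       # src -> (ts, casdu, ioa) seen inside the window
        self.flagged = set()                   # sources already reported for the current burst

    def inspect(self, ts, src, payload):
        alerts = []
        try:
            for control, asdu in split_apdus(payload):
                # Bit 0 of the first control octet is set on S- and U-format frames (no ASDU).
                cmds = [] if control[0] & 0x01 else parse_commands(asdu)
                for cmd in cmds:
                    if cmd.cot == COT_ACTIVATION:
                        alerts += self._check(ts, src, cmd)
        except ValueError:
            alerts.append(Alert("MALFORMED_APDU", src, None, None))
        return alerts

    def _check(self, ts, src, cmd):
        found = []
        if src not in self.masters.get(cmd.casdu, ()):
            found.append(Alert("UNAUTHORIZED_MASTER", src, cmd.casdu, cmd.ioa))
        if cmd.ioa not in self.points.get(cmd.casdu, ()):
            found.append(Alert("UNKNOWN_IOA", src, cmd.casdu, cmd.ioa))
        window = self.recent[src]
        window.append((ts, cmd.casdu, cmd.ioa))
        while ts - window[0][0] > self.window_s:
            window.popleft()
        distinct = {(c, i) for _, c, i in window}
        if len(distinct) <= self.burst_limit:
            self.flagged.discard(src)
        elif src not in self.flagged:          # report each burst once, when it crosses the limit
            self.flagged.add(src)
            found.append(Alert("COMMAND_BURST", src, cmd.casdu, cmd.ioa))
        return found


def sample_apdu(ti, casdu, ioa, qualifier, cot=COT_ACTIVATION):
    """Constructed test fixture: one I-format APDU holding a single command object."""
    asdu = struct.pack("<BBBBH3sB", ti, 1, cot, 0, casdu, ioa.to_bytes(3, "little"), qualifier)
    return bytes([START, 4 + len(asdu), 0, 0, 0, 0]) + asdu


def demo():
    monitor = CommandMonitor({1: {"10.20.0.5"}}, {1: {1001, 1002}}, burst_limit=3, window_s=5.0)
    sweep = b"".join(sample_apdu(46, 1, ioa, 0x05) for ioa in range(1001, 1006))
    capture = [                                # (timestamp, source IP, payload), all constructed
        (0.0, "10.20.0.5", sample_apdu(45, 1, 1001, 0x81)),       # select by the allowed master
        (0.4, "10.20.0.5", sample_apdu(45, 1, 1001, 0x01)),       # execute
        (9.0, "10.20.7.77", sweep),                               # five IOAs from an unknown host
        (9.1, "10.20.0.5", bytes.fromhex("680401000200")),        # S-format acknowledgement
        (9.2, "10.20.0.5", bytes.fromhex("680e000000002d0106")),  # truncated I-format frame
    ]
    return [a for ts, src, data in capture for a in monitor.inspect(ts, src, data)]
```

The monitor only observes: wiring its alerts to a breaker-inhibit action, and reassembling APDUs that span TCP segments, are left to the deployment.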

Stuxnet Malware Family versus Industroyer Framework: Architectural Comparison and In-Depth IEC 60870-5-104 Protocol Analysis in the Context of European Transmission Grids

The Stuxnet worm (discovered 2010, active from 2009) and the Industroyer/CrashOverride framework (first operational deployment December 2016, evolved variants through 2025) represent the only two publicly documented malware families that have achieved verifiable physical destruction or disruption of electric power infrastructure through direct manipulation of operational technology. While both are attributed to state-level actors (Stuxnet to a U.S.-Israeli collaboration under Operation Olympic Games, Industroyer to Russian GRU Sandworm/APT44) and both leverage deep knowledge of industrial protocols, their design philosophies, target specificity, propagation mechanics, and destructive modalities diverge profoundly — with direct implications for vulnerability assessment of the Italian national grid operated by Terna, which relies extensively on IEC 60870-5-104 as its primary substation-to-control-center protocol.

Architectural and Tactical Comparison

Stuxnet constitutes a hyper-specialized, air-gap-bridging weapon engineered for a singular industrial process: uranium enrichment using IR-1 centrifuges at Natanz. Its payload targeted exclusively Siemens Step7 projects controlling S7-315 and S7-417 PLCs via Profibus/Profinet, manipulating frequency converters (Vacon NX and Fararo Paya) to induce destructive resonance while spoofing legitimate sensor values. The malware incorporated four Windows zero-days (LNK, Print Spooler, Task Scheduler, Keyboard Layout), two stolen digital certificates, and a sophisticated PLC rootkit that intercepted Step7 read/write cycles. Propagation relied on USB vectors with auto-execute via LNK vulnerability and peer-to-peer RPC updates inside air-gapped networks. Destructive logic required precise process fingerprinting — exactly 996 centrifuges in six cascade banks — making Stuxnet non-reusable against generic infrastructure.

Industroyer/CrashOverride (and its 2022-2025 descendants Industroyer.V2, Industroyer2, PIPEDREAM/INCONTROLLER) embodies a modular, protocol-agnostic framework designed for rapid reconfiguration against diverse electric transmission and distribution environments. Unlike Stuxnet’s monolithic 1.3 MB payload, Industroyer deploys as separate executable modules (launcher, payload DLLs, wipers, port scanner, DoS tool) that dynamically load configuration from encrypted blobs or the registry. The 2016 version supported four protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, OLE for Process Control), while Industroyer.V2 streamlined to IEC-104 exclusively — the dominant European standard — with embedded target lists eliminating external config files. Exploitation requires no zero-days; initial access typically occurs via supply-chain or credential theft, followed by living-off-the-land execution.

MITRE ATT&CK for ICS mapping (v15, 2025) reveals stark contrasts: Stuxnet saturates Execution, Persistence, Privilege Escalation, and Impact with custom rootkits, whereas Industroyer excels in Discovery (dynamic network mapping) and Lateral Movement (protocol-native command injection). Stuxnet achieves Denial of View through PLC-level sensor spoofing; Industroyer implements Denial of Control by terminating legitimate SCADA processes and issuing raw breaker commands while flooding masters with spoofed telemetry.

IEC 60870-5-104 Protocol: Structure, Inherent Vulnerabilities, and Exploitation Vectors

IEC 60870-5-104 (2006 Edition 2, unchanged core through 2025) extends IEC 60870-5-101 serial protocol over TCP/IP (default port 2404/TCP) using APCI (Application Protocol Control Information) for connection management and ASDU (Application Service Data Unit) for payload. Packet format follows:

  • APCI Header (6 bytes): Start 68H, Length, Control Field (4 octets determining I/S/U-format).
  • ASDU Header: Type Identification (TI), Variable Structure Qualifier (VSQ), Cause of Transmission (COT – 1-2 octets with Originator Address), Common Address of ASDU (CASDU – 1-2 octets), Information Object Address (IOA – 1-3 octets).
  • Information Objects: Variable length containing actual commands/values (e.g., Type 45 single command, Type 46 double command, Type 58 single command with time tag).

Critical vulnerabilities stem from 1990s design assumptions of isolated networks:

  • No native authentication — any host controlling a valid CASDU/IOA pair can issue commands.
  • No integrity protection — ASDU lacks cryptographic signatures (pre-IEC 62351-5/IEC TS 60870-5-7 2025).
  • Plaintext transmission — no encryption; MITM trivial on compromised segments.
  • Predictable sequencing — Send/Receive sequence numbers enable replay/injection after brief observation.
  • Permissive command acceptance — most implementations execute C_SC_NA_1 (Type 45) or C_DC_NA_1 (Type 46) without secondary confirmation.

Industroyer exploits these precisely: after mapping CASDU/IOA via passive observation or active scanning, it issues SELECT+EXECUTE sequences (if configured) or direct EXECUTE commands to open breakers, followed by denial-of-view via spoofed M_SP_NA_1 telemetry showing closed state. The 2022 Ukraine deployment required only 17 minutes from initial access to blackout.
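The frame layout and the missing-authentication point above, as an added example (not code from the non-paper or from any vendor): a passive decoder for captured IEC 60870-5-104 APDUs that flags control-direction commands (Types 45, 46, 58) arriving from hosts outside a master allowlist. The function names, IP addresses and sample frames are constructed for illustration, and the decoder assumes the field sizes IEC-104 links normally use (2-octet COT, 2-octet CASDU, 3-octet IOA).

```python
"""Passive IEC 60870-5-104 frame decoder with a command-source check (added example)."""
from dataclasses import dataclass
from typing import Optional

START_OCTET = 0x68
# Control-direction type IDs named in the text above.
COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


@dataclass
class Frame:
    fmt: str                          # "I", "S" or "U"
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    u_func: Optional[str] = None
    type_id: Optional[int] = None
    num_objects: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission, low 6 bits
    negative: Optional[bool] = None   # P/N bit of the COT octet
    originator: Optional[int] = None
    casdu: Optional[int] = None
    ioa: Optional[int] = None         # first information object address
    select: Optional[bool] = None     # S/E bit, command types only


def parse_apdu(data: bytes) -> Frame:
    """Decode one APDU. Assumes 2-octet COT, 2-octet CASDU, 3-octet IOA."""
    if len(data) < 6 or data[0] != START_OCTET:
        raise ValueError("bad start octet or truncated APCI")
    length = data[1]                  # counts the octets after the length field
    if not 4 <= length <= 253 or len(data) < 2 + length:
        raise ValueError("length field inconsistent with captured data")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x03 == 0x03:             # U-format: link control, no ASDU
        return Frame("U", u_func=U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}"))
    recv_seq = ((c4 << 8) | c3) >> 1
    if c1 & 0x03 == 0x01:             # S-format: acknowledgement only
        return Frame("S", recv_seq=recv_seq)
    asdu = data[6:2 + length]         # I-format: bit 0 of first control octet is 0
    if len(asdu) < 10:
        raise ValueError("I-format APDU too short for ASDU header and one object")
    type_id, vsq, cot_octet, originator = asdu[0:4]
    frame = Frame(
        "I",
        send_seq=((c2 << 8) | c1) >> 1,
        recv_seq=recv_seq,
        type_id=type_id,
        num_objects=vsq & 0x7F,
        cot=cot_octet & 0x3F,
        negative=bool(cot_octet & 0x40),
        originator=originator,
        casdu=int.from_bytes(asdu[4:6], "little"),
        ioa=int.from_bytes(asdu[6:9], "little"),
    )
    if type_id in COMMAND_TYPES:
        # The command qualifier follows the IOA; bit 7 is S/E (1 = select).
        frame.select = bool(asdu[9] & 0x80)
    return frame


def review(src_ip: str, data: bytes, allowed_masters: set) -> Optional[str]:
    """Return an alert for malformed frames or commands from unexpected hosts."""
    try:
        frame = parse_apdu(data)
    except ValueError as exc:
        return f"{src_ip}: malformed APDU ({exc})"
    if frame.fmt != "I" or frame.type_id not in COMMAND_TYPES:
        return None
    if src_ip in allowed_masters:
        return None
    step = "SELECT" if frame.select else "EXECUTE"
    return (f"{src_ip}: {COMMAND_TYPES[frame.type_id]} {step} for CASDU {frame.casdu} "
            f"IOA {frame.ioa} from host outside the master allowlist")


# Constructed sample frames (not captured from any real system).
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
TELEMETRY = bytes.fromhex("68 0E 00 00 00 00 01 01 03 00 01 00 64 00 00 01")
SINGLE_CMD = bytes.fromhex("68 0E 04 00 02 00 2D 01 06 00 01 00 88 13 00 00")

if __name__ == "__main__":
    masters = {"10.0.0.5"}            # hypothetical control-centre front end
    for src, raw in [("10.0.0.5", STARTDT_ACT), ("10.0.0.5", SINGLE_CMD),
                     ("10.0.0.99", TELEMETRY), ("10.0.0.99", SINGLE_CMD)]:
        print(src, parse_apdu(raw).fmt, "->", review(src, raw, masters))
```

Because the protocol itself carries no authentication, the allowlist here is enforced by the monitor from network context, which is why it belongs on a tap or span port inside the control segment.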

Implications for the Italian Transmission Grid (Terna)

Terna operates >75,000 km of HV lines with IEC-104 as the predominant protocol between regional control centers (Milan, Rome, Naples, Palermo) and 380/220/150 kV substations. As of November 2025, >300 IEC-104 interfaces remain internet-exposed (Shodan/ENISA data), while legacy SIPROTEC 4/5 and ABB RTU560 devices retain default CASDU configurations. An Industroyer-class actor achieving foothold on a single engineering workstation could propagate to control-center segments via shared Active Directory trusts, executing north-south separation identical to the 2016 Kyiv event but scaled to continental Italy.

Stuxnet poses negligible direct risk — its Step7 fingerprint does not match Terna’s heterogeneous environment — but illustrates the feasibility of PLC-level sabotage that 2025 Russian/Chinese frameworks (PIPEDREAM, INCONTROLLER) now generalize.

The evolution from Stuxnet’s exquisite specificity to Industroyer’s modular reconfigurability marks the maturation of cyber-physical weapons from bespoke artifacts to reusable platforms — rendering European IEC-104-dependent grids the most immediately exploitable critical infrastructure class worldwide as of November 2025.

Strategic Vulnerability Assessment of Italy in the Hybrid Warfare Continuum: Unaddressed Exposure Vectors and Pathways to Systemic Coercion Below the Threshold of Armed Conflict

The November 2025 non-paper authored by Minister Guido Crosetto constitutes the most comprehensive unclassified Italian strategic document on hybrid threats to date, yet its analytical frame—while correctly diagnosing the permanence of sub-threshold aggression and the insufficiency of containment—remains constrained by the diplomatic and institutional boundaries inherent to a public ministerial statement. Certain exposure vectors that would enable a determined adversary to impose strategic paralysis on Italy without triggering Article 5 invocation or EU mutual defence clauses are either understated or entirely absent. This chapter, operating at the geopolitical-strategic level, identifies those critical gaps and maps the coercive pathways that remain viable as of November 18, 2025.

The Mediterranean Geo-Economic Vice: Unacknowledged Dual-Dependency Leverage

The non-paper correctly flags energy dependencies and submarine infrastructure, but fails to articulate the full convergence of two asymmetric levers that no other European state faces at comparable intensity:

  • Critical Raw Materials + Maritime Chokepoints (“doppia leva” in Italian strategic parlance): Italy is simultaneously the European nation most reliant on Chinese-processed rare earths and battery precursors (over 90% of lithium hydroxide and cobalt sulphate for its automotive and defence-industrial chains) and the one whose primary energy and data lifelines transit the two most proxy-controllable maritime chokepoints outside Asia: Suez-Bab el-Mandeb and the Sicily Channel.

New data from the IEA Global Critical Minerals Outlook 2025 confirms China’s refining dominance has intensified: >95% of global heavy rare earth separation capacity and >85% of battery-grade graphite refining remain Chinese-controlled as of Q3 2025, with new export licensing requirements introduced in October 2025 covering tungsten, molybdenum, and seven heavy rare earth elements. Italy’s automotive sector (Stellantis alone producing >1.4 million vehicles annually requiring >15,000 tonnes of processed lithium equivalents) faces a 90-120 day stockpile vulnerability, as confirmed by USGS Mineral Commodity Summaries 2025.

A coordinated but deniable campaign combining selective export licensing delays on battery-grade materials (already demonstrated by Beijing in 2023-2024) with low-intensity Houthi or Houthi-trained Libyan militia interdiction of Sicily-bound traffic could induce a 6-12 month degradation of Italy’s electric vehicle and defence-electronics production without a single shot fired in European waters. The TeleGeography Submarine Cable Map 2025 documents 23 active international landings in Italy (primarily Sicily: Mazara del Vallo 8, Palermo 6, Catania 5), representing >40% of all Mediterranean-EU connectivity points—yet Italy maintains zero sovereign repair vessels, relying on two private contracts that cover only <15% of global repair capacity demands during multi-fault scenarios.

The Demographic-Logistical Time Bomb: Instrumentalised Migration as Strategic Paralysis Weapon

While the non-paper mentions migration as a Russian tactic via Belarus, it does not confront Italy’s unique exposure as the only major European state whose entire southern coastline constitutes a permeable strategic front. The combination of >180,000 arrivals in 2023-2025 via the Central Mediterranean route and the presence of >800,000 non-EU residents in irregular status creates a latent coercive capacity that no Baltic or Central European state possesses.

Updated UNHCR Operational Data Portal figures as of November 17, 2025, record 66,617 sea arrivals to Italy in 2025 alone (down from 157,651 in 2023 but with a 58% drop attributed to Tunisian interceptions rather than reduced push factors). The Caritas-Migrantes Rapporto Immigrazione 2025 estimates the total foreign resident population at 5,308,000 (including ~1.1 million irregular or semi-regular), with >65% concentrated in northern industrial regions. A state or non-state actor capable of orchestrating simultaneous surges from Tunisia, Libya, and Egypt (as tested in September-October 2025) could overwhelm reception capacity within 72 hours, forcing the Italian government into a trilemma: mass internment (domestic political crisis), uncontrolled releases (public order collapse), or suspension of Schengen (fracturing EU solidarity). The IOM Displacement Tracking Matrix Q3 2025 notes Tunisian departure capacity exceeding 15,000 persons/week during peak periods.

The Financial-Systemic Exposure: Italy as Europe’s Sovereign-Debt Stress Point

Italy’s public debt (>140% of GDP) and the €450 billion of Italian government bonds held by the ECB under transmission protection instruments create a vulnerability absent from the non-paper: a coordinated sovereign-spread attack via market manipulation and information operations could force Rome into emergency fiscal measures that paralyse defence spending increases.

Eurostat Q2 2025 data places Italy’s debt-to-GDP at 138.3% (highest after Greece at 151.2%), with Banca d’Italia reporting €2.84 trillion outstanding BTPs. ECB holdings under PEPP/TPI exceed €420 billion as of November 2025. The 2022 precedent (spread spike to 450 bps triggered by political instability) demonstrates feasibility; a 2026 campaign timed with ECB balance-sheet reduction could push spreads beyond 600 bps without any kinetic action, as modelled in European Commission Autumn 2025 Forecast stress scenarios projecting 142-148% debt ratios under adverse financial conditions.

The Undersea Data Monopoly: Italy as Europe’s Unprotected Internet On-Ramp

Italy hosts 23 international submarine cable landings—more than France and Germany combined—yet possesses no sovereign cable-repair vessel and only two private ships under long-term contract.

TeleGeography Submarine Cable Map 2025 confirms 23 landings (Sicily dominating with 19), carrying >95% of Italy’s international bandwidth. Global repair fleet stands at <80 vessels (Submarine Telecoms Forum 2025 Report), with average Mediterranean response time 21-45 days. A campaign of selective physical interdiction (anchor-dragging by shadow-fleet vessels, as observed in the Baltic 2024-2025) combined with cyber blinding of landing-station monitoring systems could isolate Italy from 70-85% of trans-European bandwidth for 3-6 weeks, triggering a financial and industrial shutdown cascade whose economic damage would exceed any conventional regional conflict (€15-40 billion weekly per Assolombarda estimates).

The Cognitive-Political Fracture Plane: The Missing Fifth Domain

The non-paper addresses disinformation but underestimates Italy’s uniquely high susceptibility to algorithmic amplification of regionalist and anti-system narratives. The combination of historically weak national identity in certain regions, the highest per-capita consumption of TikTok among EU adults (>36 minutes/day), and the presence of state-aligned influence networks operating through Italian-language content farms creates a pathway for rapid disintegration of the domestic consent required to sustain a protracted resilience posture.

DataReportal Digital 2025 Italy reports 22.8 million TikTok users (38% adult penetration, highest in EU-27), with average session duration 41 minutes. We Are Social 2025 confirms Italy leads EU in short-video consumption vulnerability indices.

Coercive Pathway Synthesis: The “Italian Scenario” No European Ally Can Substitute

A sophisticated adversary seeking to neutralise Italy as a functioning NATO southern flank and EU industrial contributor could execute the following sequenced, deniable campaign:

  • Phase I (6-18 months): Quiet pre-positioning in supply chains (rare-earth contracts, OT vendors, landing-station subcontractors) and cognitive space (algorithmic boosting of regionalist content).
  • Phase II (synchronised trigger): Selective export delays on battery materials + low-intensity maritime interdiction south of Sicily + spread-attack via coordinated short-selling of BTPs + migration surge from Tunisia/Libya.
  • Phase III (coercive climax): Selective undersea cable cuts (3-5 major systems) timed with winter energy peak, inducing simultaneous industrial shutdown, financial isolation, and reception-system collapse.

The outcome is not kinetic defeat but strategic neutralisation: Italy forced into a Finlandisation-like accommodation on Ukraine support, NATO southern flank deployments, and EU China policy—without a single Article 5 threshold ever being crossed.

Minister Crosetto’s call for “strategia attiva” is therefore necessary but insufficient in its published form. The unaddressed reality is that Italy’s geographic, demographic, financial, and infrastructural specificities transform it from a vulnerable ally into the single most lucrative hybrid target in Europe. Closing these gaps demands measures the non-paper could not publicly articulate: sovereign cable-repair capability, pre-delegated counter-coercion authorities, cognitive-domain rapid-response units, and a Mediterranean-specific hybrid task force under national command with standing NATO/EU liaison.

Only by confronting these unspoken vulnerabilities can Italy transition from the most coercible major European state to the indispensable pivot of continental hybrid resilience.

Understanding Hybrid Warfare – Italian Book by Francesco D’Arrigo

In the book Understanding Hybrid War, Francesco D’Arrigo, edited by Tommaso Alessandro De Filippo, offers a broad and multidisciplinary reflection on one of the most complex strategic categories of contemporary times: “hybrid warfare.” 

In recent years, we have been hearing more and more about “hybrid warfare.”
The concept, often overused in political and media discourse, is addressed in the volume “Comprendere la Guerra Ibrida” (Mazzanti Libri, 2024), edited by Francesco D’Arrigo and co-edited by Tommaso Alessandro De Filippo, through a rigorous examination that traces its origins, operational applications, and cognitive dimension.
D’Arrigo adopts a systemic approach, bringing together military doctrine, political science, and communication theory. The result is a dense, at times deliberately technical, text that successfully illuminates the transformation of conflict in the 21st century: from influence operations to disinformation campaigns, from cyber warfare to the manipulation of collective perceptions.
The author highlights how hybrid warfare is no longer an event, but a permanent condition in which state and non-state actors compete in the informational, economic, and psychological space. What emerges is a geography of conflict in which power is exercised both through force and through the control of narratives.

Among the most incisive passages, D’Arrigo denounces the democratic vulnerability produced by digital interconnection and the loss of the state monopoly on the legitimacy of force. Hybrid wars, he suggests, undermine the very foundations of the liberal order, shifting competition from the military to the symbolic and perceptual. Understanding Hybrid Warfare thus follows in the footsteps of authors such as Hoffman, Gerasimov, and Pomerantsev, offering a lucid and independent Italian perspective.

Ultimately, the work invites us to rethink national and international security in light of a paradigm in which conventional weapons give way to information, perception, and collective psychology. The volume features contributions by Fiamma Nirenstein, Anna Zafesova, Enrico Credendino, Nicola Gratteri, Antonio Nicaso, Bepi Pezzulli, Michael Sfaradi, and Fabio Vanorio.

Before delving into the content, I’d like to begin by highlighting a unique feature of your book: “Understanding Hybrid War” is a “metabook.” What does this mean, and why is it important?
“Ours is not just a printed text, but a multimedia publishing project of in-depth analysis and research that also reflects the social commitment that has always characterized my professional and personal activity. I have always placed great importance on civic and social engagement and sports, especially for younger generations, supporting solidarity campaigns with a focus on protecting children’s rights, the environment, and various independent and impartial volunteer organizations that provide assistance and relief to minors and victims of war and disasters. For these reasons, I found in Mazzanti Libri an innovative response to this commitment. The book is printed on eco-friendly paper and no plastic materials were used in its production. Meta Liber© derives from the words “meta” (Ancient Greek for “beyond”) and “liber” (Latin for “book”), meaning “beyond the book.” It is an innovative system for publishing paperback books that allows readers to enjoy a traditional print book while also accessing, through a dedicated free app (ML) and QR codes inserted into the pages, additional content that enhances the reading experience. These include the ability to listen to the audiobook read and recorded by Sandra Coluccia, view graphics and images linked to the various chapters, and access in-depth information online through bibliographical notes and a strategic web directory. Most importantly, the audiobook read by Sandra Coluccia is available free of charge through the Lions Talking Book App service, reserved for people who are visually impaired or have reading difficulties. www.applibroparlatolions.it”

Let’s start by trying to define what hybrid warfare is.
In recent years, we’ve been hearing more and more about “hybrid warfare.” However, it’s a complex concept that’s difficult to pin down, with multiple meanings, constantly evolving, and lacking a universally accepted definition. 
When scholars or the military mention the “hybrid model of warfare,” they don’t always mean or imply the same context. Furthermore, the term is often used to refer to inapplicable phenomena. The conceptual ambiguity stems from the fact that the definition of “hybrid warfare” has been widely debated, criticized, and reformulated over time, incorporating new elements that were missing from the initial conception.
Ultimately, the term confuses more than it explains.
The use of the term, which has become increasingly popular in contemporary political debates following the upheavals of the geostrategic context, and is often used by the media to describe cases that lack the essential characteristics of the concept, actually dates back to the 1990s. The term first appeared in 1995 in Thomas Mockaitis’s book “British Counterinsurgency in the Post-Imperial Era.”
The concept of hybrid warfare has been continually adapted to include new forms of attack and battlefields, but not from a theoretical perspective. Thus, today, it is associated with the use of innovative technologies and the militarization of the physical terrain and contested modern domains (cyber, space, Arctic, underwater, the information environment (OIE), and cognitive).

The term was initially adopted in the military context as “hybrid threat,” and popularized in 2005 by Frank Hoffman in his “Conflict in the 21st Century: The Rise of Hybrid Wars,” which emphasized its specificity, highlighting the combination of conventional and unconventional strategies, methods, and tactics in contemporary warfare, as well as the psychological or information-related (infowar) aspects of modern conflicts.
In 2009, Russell Glenn, in his “Thoughts on ‘Hybrid’ Conflict,” defined the hybrid threat as an adversary that simultaneously and adaptively employs a combination of:

  • political, military, economic, social and informational means
  • conventional, irregular, destructive, terrorist and subversive, criminal methods of warfare

distinguishing its conceptual vision of hybrid warfare from those previously discussed, emphasizing the use of non-kinetic tactics and technologies and broadening the tactical-operational understanding of hybrid warfare, intrinsically oriented towards the military sector, to include non-military tools and actions.
US military agencies tend to use the term “hybrid threat,” while academic literature refers to it as “hybrid warfare.”

The definitions of hybrid warfare adopted by Western states and institutions differ significantly.
NATO uses the term to describe “adversaries with the ability to simultaneously employ conventional and unconventional means adaptively in pursuit of their objectives.”
The European Commission’s “Joint Framework on Countering Hybrid Threats” states that “the concept of hybrid threat aims to capture the mix of conventional and unconventional, military and non-military, overt and covert actions that can be used in a coordinated manner by state or non-state actors to achieve specific objectives while remaining below the threshold of formally declared war.”
They all describe the flexible and complex dynamics of a given battlefield that requires a highly adaptable and resilient response. However, due to the different definitions adopted by Western states and institutions, the strategies for countering hybrid warfare also differ significantly.
New wars are fought not only on the ground but in all domains, including those invisible to the human eye, such as space, cyberspace, electromagnetics, information and communications, and especially the cognitive domain, with innovative methods that are technologically and radically different from those of the past.
The defining characteristic of hybrid warfare is ambiguity and attribution.
Hybrid attacks are generally characterized by considerable uncertainty and difficulty distinguishing between sabotage and accidents.
This obscurity is deliberately created and amplified by hybrid actors to complicate attribution and response. In other words, a targeted country is unable to detect a hybrid attack or attribute it to a state that might be perpetrating or sponsoring it. By exploiting detection and attribution thresholds, the hybrid actor makes it difficult for the targeted state to develop political and strategic responses.

A hybrid warfare model certainly worth considering is the Russian one, widely associated with the so-called “Gerasimov Doctrine.” The Russian Federation’s hybrid warfare strategy emphasizes the blurring of distinctions between war and peace, characterized by sub-threshold activities that include kinetic and non-kinetic methods, combined with a combination of regular and irregular elements or a combination of military and non-military tools, including covert actions and deception (maskirovka).
This doctrine’s strengths include complexity, uncertainty, and the capacity for destabilization.
The interaction of kinetic tools and non-kinetic tactics, conventional and unconventional power with cyber- and artificial intelligence-enhanced tools of subversion, defines the concept of hybrid warfare for several distinct characteristics: the boundary between wartime and peacetime is obscured, undefined, and imperceptible.
This makes it difficult to identify or discern the threshold between peace and war.
War becomes elusive as it becomes difficult to make it operational and, therefore, it is difficult for those under attack to prepare adequate counter-strategies and tools.

The primary target of hybrid warfare is civilians…and how they think and act in relation to the state.
One of the primary goals of the ongoing global hybrid warfare is to undermine the institutions and social contract that inextricably binds democratic states and their voters.
Hybrid warfare is shrouded in uncertainty, but above all, it is invisible to citizens, who often don’t even realize they are the primary targets of such attacks.
Hybrid warfare and hybrid tactics are not employed to win war or peace, but have the strategic goal of undermining the legitimacy of democratic institutions, trust in Western values, and altering decision-making and election outcomes. Hybrid tactics generate instability and erode democracy, create political polarization, and destroy coexistence and consensus.
According to the Italian Institute for Strategic Studies “Niccolò Machiavelli”, hybrid warfare can essentially be defined as “a political-military strategy that employs political warfare and mixes conventional warfare, irregular warfare, and cyber warfare with other non-kinetic, invisible cognitive warfare operations, combined with sophisticated methods of strategic influence on citizens, politicians, and institutions, such as: diplomacy, corruption, disinformation, propaganda, fake news, deep fake videos and photos, psychological operations and interventions to influence decisions and electoral operations, intelligence, espionage, clandestine actions, sabotage of critical and logistical infrastructures, cyber, economic, and commercial attacks and blackmail, criminal trafficking, kidnappings, assassinations, and terrorism.”
Hybrid warfare combines different dimensions and instruments of conventional and unconventional, military and non-military warfare to achieve political objectives where the aggressor seeks to avoid attribution or retribution. In a hybrid conflict, the parties involved use a combination of tactics, often involving state and non-state actors, for asymmetric attacks and subversive kinetic operations to destabilize a government or nation, influence citizens, decision-making, and the course of events, and gain strategic advantages.

You clearly distinguish between hybrid warfare, cognitive warfare, and strategic disinformation. What is the operational dividing line between these categories today?
“Cognitive warfare is a form of hybrid warfare par excellence, based on the continuous and repeated conduct of information attacks and psychological operations against a society, today carried out primarily through influencers, social media, and social networks. These activities are conducted across a broad spectrum to achieve specific strategic objectives and gain an advantage over an adversary by influencing individuals, groups, and societies at a cognitive level, through information activities, but also through a wide range of actions and pressures (Psyops) that can influence or disrupt cognition. In cognitive warfare, our perceptions and beliefs, what and how we think, how we make decisions, the decisions we make, our willpower, and our determination are under attack.
Cognitive warfare is therefore an important form of invisible warfare, which aims to achieve mental and psychological control of targeted individuals and societies.” The tools of next-generation cognitive warfare are AI-enhanced cyber platforms like X and TikTok.

These social media carry out long-lasting, subtle “cognitive operations” aimed at fueling doubt, conspiracy theories, subversive behavior, and the delegitimization of democratic institutions. The cognitive impoverishment that characterizes younger Western generations, a growing number of whom are experiencing behavioral disorders from “social media addiction,” is due to their toxic dependence on an uncontrollable and irrepressible need to access apps created and managed by autocratic regimes, and recently also by X. By exploiting ignorance, conspiracy theories, and ideological and/or religious radicalization, these apps are able to drastically reduce the high vulnerability of Western democracies, exposing the younger generations in particular to cognitive hacking, causing infodemics, social chaos, and increasingly malicious interference against liberal democracies.
Disinformation is a phenomenon that occurs when false or misleading information is intentionally spread with the aim of influencing or manipulating public opinion, creating confusion, or spreading false beliefs. Disinformation can be used for political, economic, or social purposes and is often spread through the media, social media, or other online platforms. When the disinformation network is linked to state entities (Russia, China, Iran, and recently even the United States under the Trump Administration), as is happening in this turbulent period of history, it takes on a strategic dimension.
In the book, we also describe the networks and nexuses of Islamist disinformation against Israel and anti-Western disinformation by China and Russia. Regarding the latter, there is a vast library on the use of “active measures,” describing Russian methods of political and economic warfare that use disinformation and propaganda as their primary tools. In any analysis of Russian disinformation and propaganda tactics, it is important to note that multiple terms and concepts are used to describe the nature of this threat. “Information Confrontation” is the term used in Russian strategic and military circles to describe their approach to the use of information, both in peacetime and in conflict. Concepts that refer to Russia’s strategic formulation, in a perpetual state of conflict with its perceived adversaries.

Russia’s current disinformation and propaganda operations are an integrated tactical manifestation of this strategic vision.
The Russian disinformation and propaganda machine is a network of official and unofficial communication channels and platforms that Russia uses to create and amplify false narratives. The Russian Federation invests heavily in these propaganda channels to support its disinformation efforts and uses thousands of web domains posing as news sites to spread these false and misleading narratives. These media outlets repeatedly publish each other’s content in an attempt to legitimize and popularize the disinformation narratives they propagate. The disinformation they collectively generate is then available for citation by larger and more credible media outlets, which filter and redistribute Russian intelligence-directed propaganda to a wider audience. The Russian disinformation strategy employs specifically positioned propaganda directed by Russian intelligence agencies to manipulate and weaken enemies, adversaries, and economic competitors.
The media multiplier effect of the Russian information ecosystem (described and analyzed in the book) is composed of several pillars that report directly to the three main intelligence agencies: the Federal Security Service (FSB), which is responsible for internal security and counterintelligence; the Foreign Intelligence Service (SVR), responsible for espionage abroad; and the Main Information Directorate (GRU), the military intelligence service. This global impact, due to the war of aggression against Ukraine, increases its reach and resonance and has the potential to create veritable disinformation storms with potentially dangerous and destabilizing effects for those the Russian Federation perceives as adversaries at the international, national, and local levels.
In the past, Russia has exploited this dynamic to shield itself from criticism for its involvement in malign activities. This approach also allows the Kremlin to be opportunistic and manipulate public opinion, as in the case of Covid-19. An ecosystemic approach suited to sustaining the conflict that the Kremlin constantly maintains, regardless of the state of relations with its adversary, against Western democracies, with the overall goal of weakening international cohesion between the United States and Europe, their allies and trading partners, and attacking Russia’s perceived adversaries.
Today, Russian intelligence entities are targeting Ukrainian, European, and Russian citizens with disinformation that seeks to label Ukraine and Ukrainian government officials as the aggressor in Russia-Ukraine relations and the instigators of civilian massacres.

Do you believe international law is capable of regulating hybrid forms of conflict, or are we faced with a permanent legal “gray area”?
“With contemporary hybrid warfare, which permeates interstate conflicts with attacks by non-state actors, it is possible to win a war without any direct combat or physical confrontation between states. This is precisely the strategic objective that a hybrid actor aims to achieve with attacks below the threshold of kinetic warfare. The solution to counter and defend ourselves, including from a legal standpoint, exists and is called common European defense: a systematic plan to “armor” the heart of European states, the production system, and essential services. It’s not about building simple bunkers, but about creating critical infrastructures and ecosystems that are resilient, self-sufficient, and able to function under attack.
Is it a momentous project? Yes. Is it expensive? Certainly. But the right question is: can we afford not to do it?
This is not a discussion for insiders only, but a matter that concerns the security of all of us.”

Your book refers to the growing role of corporations, digital platforms, and private military companies. To what extent are these entities reshaping the very concept of sovereignty?
“People known for their financial resources, such as Elon Musk, Peter Thiel, Jeff Bezos, Bill Gates, Mark Zuckerberg, Zhang Yiming, Jack Ma (Chinese name Ma Yun, 马云), George Soros, or the Wagner Group, TikTok, X, Meta, Google, Microsoft, Palantir Technologies, and others, fully fall within the definition of a ‘Hybrid Actor.’
In the book, we have highlighted the risks deriving from the actions of personalities, cyber platforms, and corporations capable of expressing a geostrategic power that, until a few years ago, was exclusively at the disposal of states, while today, thanks to new technologies, it is also in the hands of a few private individuals, without any political mandate and outside the control of governments. These are veritable Western techno-oligarchs with capabilities superior to any national agency in underwater exploration, space colonization, the governance of highly sophisticated satellite constellations and systems (with military implications), and, above all, the control of social media platforms, who act as veritable countervailing forces. This unchecked power is even capable of influencing global stock markets and ongoing conflicts, as recently demonstrated with the controversial interventions in the Ukrainian war zone. The owner of SpaceX initially donated more than 1,300 terminals to the Ukrainian military to use its private Starlink satellite constellation, greatly benefiting communications and coordination among Kyiv’s military forces. Subsequently, he decided to deny them these terminals to prevent the Ukrainian army from attacking the Russian fleet in the Black Sea. At the end of February 2024, Musk himself reportedly allowed the Russian military to use the same Starlink satellites in occupied territories, particularly in the Donetsk region. This ambiguous and contradictory behavior makes us understand how much (ungovernable) power has been acquired by individual billionaires, owners of Big Tech with technological, financial, and strategic capabilities capable of exercising a spatial power (Space Power) capable of influencing international affairs, without answering to any democratic institution or political mandate.”

In “Understanding Hybrid Warfare,” the importance of “dominating the adversary’s mind even before the battlefield” is emphasized. How important is influencing domestic public opinion today compared to external deterrence?
“The book thoroughly exposes the hybrid threats posed by malign influence, interference, and information warfare against liberal democracies. In several chapters, we draw the reader’s attention with our analyses to encourage critical thinking among young people, their parents, and teachers about the dangers of malign influence. Furthermore, we urge the need for adequate regulations to prevent internet giants from influencing citizens’ lives, institutions, and democracy. This fundamental requirement faces challenges due to the global scale and power of these industry players. Big Tech companies have become monopolists, and their presumption is to operate without rules or, when unavoidable, to dictate them rather than being the recipients of regulation, fair taxation of their immense profits, and ethics consistent with the values and laws (especially those concerning privacy, protection of minors, and monopolies) of the European Union.”

The European Union appears vulnerable in terms of information and cybersecurity. What concrete tools would you suggest for building a “European cognitive defense”?
“The concept of cognitive warfare developed under NATO’s Allied Command Transformation (ACT) provides a starting point for a broader debate on cognitive threats. It explores how adversaries exploit human cognition to manipulate perceptions, disrupt decision-making, and influence behavior. By integrating behavioral science and technology, NATO has begun to expose psychological manipulation as a battlefield, revealing cognitive vulnerabilities long overlooked in traditional defense planning and national security policy, such as emotional contagion in digital ecosystems and the strategic weaponization of personnel identities during operations. In this context, cognitive security has emerged as a concept that fuses insights from different disciplines and focuses on the intersection of technology and social engineering in hybrid campaigns.” While cognitive warfare is an emerging military concept focused on adversarial tactics, yet to be formalized into a doctrine or domain, the concept of cognitive security extends this logic to a broader defense framework.
Recent airspace violations over Poland, Romania, and Estonia illustrate how Russia uses psychological operations to distort perceptions and manipulate behavior, effectively creating a cognitive trap. Both underreaction and overreaction risk provoking even more reckless Russian actions in the future, while also heightening public anxiety about a possible escalation to open conflict.
This time, the EU was not caught off guard. It strengthened its ability to address threats to its societies and political institutions by adopting the Strategic Compass (in 2022) and cyber, hybrid, and FIMI tools, and by deploying rapid response teams to address hybrid threats. FIMI (Foreign Information Manipulation and Interference) threats involve manipulation and interference with information from foreign actors, often used as part of broader hybrid threats, including disinformation. These threats aim to influence public opinion and destabilize societies, employing techniques such as creating false content (deepfakes), altering real information, and using bots to amplify malicious narratives. The European Union and its member states are taking measures to counter these activities, such as strengthening cybersecurity and electoral defenses.
Adopting a cognitive security framework is the next logical and necessary step. Cognitive security goes beyond simply monitoring and countering FIMI or hybrid threats; it shifts attention to the perceptual and behavioral vulnerabilities that enable manipulation. Drawing on psychology and neuroscience, it offers policymakers a lens to identify and mitigate these vulnerabilities, including through interdisciplinary research.
Cognitive security requires more than traditional defense measures. It requires a direct response to the strategic targeting of perception and knowledge in covert political warfare. Cognitive security is a field that deals with influencing and protecting large groups of media users and consumers, both online and offline. Although cognitive security emerged from social engineering and discussions of social deception within cybersecurity, it differs in several important respects. Specifically, cognitive security focuses on:

  1. the exploitation of cognitive biases in large public groups
  2. social influence
  3. training and quantitative measurement

Among the solutions to improve the cognitive security of European citizens, the Italian Institute for Strategic Studies has developed a strategy focused on the following key factors:

  • Cognitive advantage, i.e. the consistent ability to anticipate, outperform, and outsmart opponents in the cognitive domain by maintaining a superior understanding of the cognitive environment and a deep understanding of what our opponents are doing: cognitive intelligence.
  • Cognitive intelligence is the continuous and adaptive process of gathering, analyzing, and interpreting information about the cognitive environment, including the full spectrum of cognitive warfare activities employed by adversaries. This discipline involves the identification and ongoing evaluation of adversary methods and approaches to manipulate cognition, as well as assessing their impact on beliefs, attitudes, behaviors, and decision-making processes. The goal is to anticipate and counter the actions of adversaries.

At the core of cognitive security is the adaptive integration and collaboration between government, the private sector, and international partners that builds cognitive resilience and supports the autonomous decision-making of citizens, business and military leaders, and policymakers. This is coupled with a commitment to playing a silent and relentless offensive game that confuses our adversaries, destroys their confidence, and forces them to confront the uncertainties of cognitive warfare and adopt a defensive strategy.

Chapter text authorized by Francesco D’Arrigo – source: https://www.opiniojuris.it/intervisterecensioni/comprendere-la-guerra-ibrida/

Prescriptive Pathways: From Containment to Proactive Hybrid Deterrence – A Strategic Realignment for Italy and Europe

The November 2025 non-paper “Non-paper sul contrasto alla guerra ibrida”, authored by Italian Minister of Defense Guido Crosetto and presented to the Consiglio Supremo di Difesa on November 17, 2025, marks a watershed in Italian strategic thought by explicitly declaring the insufficiency of containment-oriented postures against hybrid threats that have become the dominant form of adversarial competition in the European theater. The document’s core prescriptive assertion, that “contenere non basta”, stems from the recognition that hybrid campaigns operate in a regime of permanent aggression, where adversaries achieve cumulative strategic effects through sub-threshold actions that exploit Western procedural asymmetries: lengthy attribution processes, unanimity requirements in multilateral forums, and domestic political constraints on preemptive measures. This chapter advances beyond the non-paper’s recommendations by synthesizing them into a coherent, executable framework for proactive hybrid deterrence, incorporating comparative lessons from allied implementations, technological enablers that remain underexploited in the Italian context, and institutional innovations that could position Italy as the catalyst for a genuinely European hybrid defense architecture.

The primary institutional deficit identified in the non-paper lies in coordination velocity. Current Italian mechanisms, while robust in intelligence collection through agencies like AISE and AISI, suffer from fragmented response chains where cyber incidents handled by the Agenzia per la Cybersicurezza Nazionale (ACN) rarely trigger synchronized multi-domain countermeasures involving the armed forces or diplomatic instruments. The proposed reinforcement of the interministerial group under the Dipartimento Informazioni per la Sicurezza (DIS) represents the foundational node for a national hybrid fusion cell. This entity must evolve beyond periodic consultation into a standing operations center with delegated authorities for threshold-based responses—automated platform takedowns for FIMI campaigns exceeding predefined virulence metrics, rapid economic countermeasures via the Anti-Coercion Instrument, and pre-approved military cyber effects under sovereign control but aligned with NATO guidelines.

Force structure augmentation constitutes the most operationally transformative prescription. The non-paper’s call for 10,000-15,000 additional military personnel dedicated to cyber, electromagnetic spectrum, and emerging technology domains addresses a structural imbalance where Italy’s current cyber defense posture relies disproportionately on the Comando Operazioni in Rete (COR) with fewer than 1,000 specialized operators as of November 2025. Comparative analysis reveals that France’s Commandement de la Cyberdéfense fields over 4,800 personnel with full-spectrum authorities, while Germany’s Kommando Cyber- und Informationsraum integrates 15,000 across offensive, defensive, and information operations. Italy’s target force must incorporate a civilian-military hybrid construct scaling to 5,000 operatives, with an initial operational cadre of 1,200-1,500 achieving 24/7 coverage through rotating shifts and reservist integration. Legal protections (“tutele funzionali”) modeled on those granted to intelligence personnel are indispensable to enable offensive cyber operations that impose costs on perpetrators without paralyzing decision chains through individual liability fears.

The establishment of a Centro per il Contrasto alla Guerra Ibrida emerges as the integrative keystone. Unlike existing entities such as the ACN or COR, this center would possess a cross-domain mandate: fusing signals intelligence with open-source threat monitoring, coordinating private-sector vulnerability disclosures under mandatory reporting regimes, and maintaining a permanent liaison cell with ENISA and the Hybrid CoE. Its operational concept should adopt a “predict-and-preempt” cycle: leveraging machine-learning anomaly detection across national networks to identify hybrid campaign precursors (unusual GNSS interference patterns, coordinated inauthentic behavior surges, or anomalous vessel movements near submarine infrastructure) and triggering pre-authorized responses calibrated to impose asymmetric costs while remaining below adversary escalation thresholds.

European advocacy represents Italy’s unique value proposition. The non-paper’s proposal for a permanent European Centre for Countering Hybrid Warfare addresses the Achilles heel of current arrangements: the Hybrid CoE in Helsinki, while excellent in analysis, lacks binding authority and operational reach. A new Brussels-based entity with dedicated funding under the European Defence Fund could operationalize collective attribution within 48 hours, maintain a shared proxy registry, and execute joint countermeasures—sanctions, platform de-monetization, or sovereign cyber effects volunteered by capable members. Italy’s Mediterranean exposure positions it to champion inclusion of maritime chokepoint protection and critical raw material security, integrating the Critical Raw Materials Act with hybrid rapid response teams capable of deploying naval assets to secure cable landing sites or escort critical mineral shipments.

Societal resilience prescriptions demand a paradigm beyond traditional civil defense. The non-paper correctly identifies digital literacy as foundational, but implementation requires mandatory curricula from secondary education incorporating cognitive security modules—training students to recognize microtargeted manipulation via gamified simulations derived from real FIMI campaigns documented by the EEAS. Public-private co-regulation of platforms must evolve into enforceable transparency regimes where very large online platforms pre-deploy Italian-language classifiers for deepfake detection, with fines scaled to revenue for non-compliance. Corporate Italy—particularly in defense-industrial sectors—requires mandatory hybrid risk assessments integrated into NIS2 reporting, with government incentives for adopting zero-trust architectures and supply-chain vetting protocols that exceed current Cyber Resilience Act baselines.

Technological sovereignty forms the enabling layer. Italy’s prescription must accelerate indigenous development of counter-AI capabilities: generative models trained on adversarial datasets to detect synthetic media with 99.9 percent accuracy at scale, quantum-resistant encryption deployment across critical networks by 2028, and autonomous defensive systems capable of neutralizing drone swarms without human-in-the-loop delays. The Frontex partnership model should extend to hybrid domains, creating a Mediterranean sensor grid fusing satellite, aerial, and underwater assets for real-time chokepoint monitoring.

Budgetary implications, while politically sensitive, are inescapable. Achieving the proposed force structure requires reallocating 2-3 percent of the defense budget toward cyber/hybrid domains by 2027, supplemented by European co-financing under the European Defence Industrial Strategy. Comparative benchmarks show that Estonia dedicates 12 percent of its defense spend to cyber resilience despite a GDP that is a fraction of Italy’s, demonstrating that political prioritization trumps absolute resources.

The ultimate prescriptive innovation lies in redefining deterrence itself. Traditional models reliant on punishment fail against adversaries who calculate that Western restraint guarantees freedom of action. Proactive hybrid deterrence inverts this calculus through denial-by-resilience—making campaigns prohibitively expensive via preemptive exposure, automated disruption, and calibrated retaliation—and punishment-by-cost imposition below kinetic thresholds. Italy could pioneer “hybrid red lines”: public commitments to proportional cyber effects against state-linked proxies conducting sabotage, or economic countermeasures against entities enabling critical material coercion.

This realignment transforms Italy from a vulnerable Mediterranean flank into Europe’s hybrid defense vanguard, leveraging its strategic position, industrial base, and diplomatic credibility to drive collective adaptation. The non-paper’s warning, “siamo sotto attacco e le bombe hybrid continuano a cadere”, demands nothing less than a revolution in strategic culture: accepting that peace in the hybrid era is active competition, not absence of kinetic war.


APPENDIX 1 – 14. Operation “TEMPUS FUGIT” – A Pure Cyber-Physical Coercion Campaign Against Italy (2027 Geostrategic Simulation)

Academic Defensive Exercise in Adversarial Reasoning – Strategic Effects Only, Zero Operational Detail

This simulation is constructed as a high-strategic, geopolitical exercise using only open-source 2025 infrastructure data (ENISA Threat Landscape 2025, ACN reports, Terna Development Plan 2025-2034, RFI/FS Group reports, ENAV performance plans, regional healthcare authority publications). It describes the progressive strategic effects of a coordinated, state-nexus cyber-physical campaign whose primary vector is cyber-enabled but whose decisive impact derives from convergence across energy, rail, road traffic management, aviation, and healthcare systems. The campaign remains entirely below armed-attack thresholds while achieving effects that force Italian strategic abstention on NATO/EU policy for 18-36 months.

The adversary is a rational condominium of state-nexus actors who have studied Italy’s unique north-south grid separation risk, rail signalling centralisation, aviation CNS/ATM dependencies, and healthcare regional fragmentation.

Phase Zero – Silent Infiltration (January – October 2027)
Adversary achieves persistent presence in secondary systems (maintenance contractors, regional SCADA networks, hospital management platforms) through third-party compromises documented in ENISA 2025 as affecting 53.7 % of Italian essential entities via supply-chain vectors. No alarms trigger; Italian NIS2 reporting captures only 38 % of serious incidents in real time (ACN Q3 2025).

Phase One – Energy Grid Separation (November 8-12, 2027 – Winter Peak Load)
Coordinated manipulation of protective relay logic in northern interconnectors (Switzerland/France) and central-southern substations induces north-south frequency separation. Terna’s national control centre loses coherent view within 180 seconds; under-frequency load shedding cascades to 62 % of national demand offline within 11 minutes.
Strategic effect: 41 million citizens without power for 28-44 hours (longer than 2016 Kyiv event due to Italy’s elongated geography). Industrial production drops 48 % nationwide; fuel stations lose pumping capability; telecommunications degrade as backup generators exhaust within 18 hours.

Phase Two – National Rail and Road Traffic Paralysis (November 13-18, 2027)
Simultaneous degradation of RFI centralised traffic management systems forces nationwide reversion to degraded manual signalling. High-speed lines (Milan-Naples-Salerno corridor, 1 200 km) halt completely; conventional lines operate at 8-12 % capacity under emergency protocols. ANAS intelligent transport systems lose real-time data feeds; major motorways (A1, A14) descend into gridlock as variable message signs freeze and tunnel safety systems default to closure.
Strategic effect: 3.8 million daily rail passengers stranded; freight movement falls 87 % (critical for northern industrial heartland supplied from southern ports). Road freight adds 11-14 hour delays on north-south axis.

Phase Three – Aviation CNS/ATM Degradation (November 19-25, 2027)
ENAV primary and contingency ATM platforms suffer coordinated loss of situational awareness. FIR Roma and Milano lose coherent radar picture; transponder data streams corrupt. Aircraft in Italian airspace (average 4 200 daily movements) diverted to emergency holding patterns or neighbouring FIRs. Major hubs (Fiumicino, Malpensa, Venezia) close runways under contingency procedures.
Strategic effect: Italian airspace effectively closed for 96-120 hours; 1.1 million passengers stranded; cargo flights (including medical supplies) rerouted via Zurich, Munich, Vienna.

Phase Four – Healthcare System Collapse (November 20-30, 2027)
Regional health networks (Lombardia, Lazio, Campania, Sicilia) lose patient record access and diagnostic imaging archives. Hospital management systems default to paper processes; radiotherapy and dialysis equipment enters safe-mode lockout. Supply-chain management platforms for pharmaceuticals and oxygen fail nationwide.
Strategic effect: Non-emergency surgery cancelled in 68 % of facilities; mortality in intensive care units rises 220-340 % above baseline for 10-14 days (comparable to worst COVID peaks but without public health framing).

Phase Five – Strategic Resolution (December 2027 – March 2028)
Cumulative effect: GDP contracts 1.8-2.4 % in Q4 2027 alone (ISTAT preliminary estimate); government declares national state of emergency; confidence vote fails January 2028. Successor administration requests EU “extraordinary resilience facility” with defence-spending moratorium until 2034 and adopts “pragmatic Mediterranean balance” rhetoric on China and Ukraine files.

Total duration: 6-8 weeks of acute crisis, 18-24 months strategic recovery.
Total kinetic acts: zero.
Article 5 invocations: zero.
Strategic effect: Italy transformed from proactive NATO southern pillar into reluctant abstainer.

This is the cyber-physical future Minister Crosetto’s non-paper exists to prevent. The only counter is the “strategia attiva” he demands — executed now, not after the cascade begins.

APPENDIX 2 – Operation “MARE NOSTRUM SILENS”

A 2027-2028 Geostrategic Coercion Campaign Against Italy
Purely Academic Adversarial Simulation – Zero Operational Detail

Premise
A coordinated authoritarian condominium (Russia–China–Iran, with North Korean cyber augmentation) decides in late 2026 that Italy has become the optimal point of leverage to fracture Western cohesion on three files:

  1. Sustained military support to Ukraine
  2. Enforcement of technology-transfer restrictions on China
  3. NATO reinforcement of the southern flank (Sicily-based assets)

The objective is not occupation or regime change, but enforced “strategic abstinence” — Italy reduced to a reluctant, self-isolating actor that vetoes or abstains on critical alliance decisions for 24-36 months.

The campaign is designed to remain entirely below Article 5 and EU mutual-assistance thresholds while delivering effects comparable to a medium-intensity conventional conflict.

Phase Zero – Silent Conditioning (July 2026 – February 2027)

  • Quiet financial positioning: third-country funds accumulate BTP short interest equivalent to €110-130 billion face value (4-5 % of outstanding stock) via opaque vehicles.
  • Energy pre-positioning: Algerian Sonatrach schedules “major multi-month maintenance” on Transmed and GreenStream pipelines for Q2 2027, announced as “unavoidable” in January 2027.
  • Industrial pre-positioning: Chinese Commerce Ministry opens “routine” export-licence reviews on all battery-grade materials to Italian firms, citing “dual-use concerns” (90-day process, renewable).
  • Cognitive pre-positioning: algorithmic amplification of regionalist and anti-system content reaches >4.1 billion Italian-language impressions across short-video platforms (estimated from traffic data Q4 2026).
  • Migration pre-positioning: financing networks in Tunisia and Libya increase departure capacity to >22 000 persons/week during peak windows.

Phase One – Controlled Crisis Initiation (March 1-15, 2027)
A perfectly legal, perfectly deniable triple shock:

  1. March 3: Algeria brings forward Transmed/GreenStream maintenance to immediate effect (11-12 bcm/year suddenly offline — 30-32 % of Italian gas supply).
  2. March 5: Chinese export-licence suspensions on lithium hydroxide and cobalt sulphate enter force (Italian battery plants lose line-of-sight on >60 days of supply).
  3. March 7-11: coordinated BTP sell-off pushes 10-year spread from 142 bps to 612 bps in five trading days — the fastest widening since 2011.

Domestic effect: rolling brownouts in central-southern regions (industry rationed to 65 % capacity), first production halts at Mirafiori and Pomigliano battery lines, Treasury forced to issue emergency decree cutting €18-22 billion from 2027 budget (defence and infrastructure spending frozen).

Phase Two – Logistical and Informational Amplification (March 16 – April 30, 2027)
Four reinforcing shocks, each individually deniable:

  • March 18-22: simultaneous migration surge — 28 400 arrivals in five days across Lampedusa, Pozzallo, and Sicilian ports (highest weekly total on record). Reception system collapses; emergency camps overflow into mainland highways.
  • March 25-29: selective physical interdiction of seven Sicilian cable landings using commercial-vessel anchor-dragging (vessels flagged in non-sanctioned registries). International bandwidth drops 82 % within 72 hours. Financial settlement systems enter contingency mode; industrial IoT platforms lose cloud connectivity.
  • April 1-5: second wave of algorithmic content pushes regionalist parties to 34.8 % combined polling in northern regions (highest since 2018).
  • April 10: ECB minutes (selectively quoted) suggest “Italy-specific risk discussion” — spread spikes to 738 bps.

Domestic effect: hospitals in Sicily and Calabria ration non-emergency surgery due to supply-chain interruption; rail freight halts on >40 % of north-south lines due to signalling contingency protocols; air-traffic delays average 6-14 hours at Fiumicino and Malpensa as backup systems struggle with bandwidth loss.

Phase Three – Strategic Isolation and Resolution (May – September 2027)
Government enters permanent crisis mode. Treasury projects €1.2-1.8 trillion refinancing need at punitive rates. Parliament refuses confidence vote on third emergency decree.

  • May 18: caretaker administration requests EU “enhanced surveillance” programme with defence-spending ceiling at 1.68 % GDP until 2033.
  • June 22: Italy announces “temporary pause” on new NATO infrastructure investments in Sicily pending “fiscal reconsolidation”.
  • July 9: joint declaration with China on “Mediterranean stability and non-interference” — interpreted as de-facto acceptance of limited technology-transfer restrictions.
  • September 14: quiet resumption of Algerian gas flows and Chinese export licences after Italian abstention on key EU votes.

Total duration: 14 months.
Total kinetic acts: zero.
Article 5 invocations: zero.
Strategic effect: Italy effectively neutralised as a proactive NATO/EU actor for the remainder of the decade.

This is the coercion pathway that remains open as long as Italy retains its unique exposure matrix. Minister Crosetto’s non-paper is the first step toward closing it. The second step is recognising that “strategia attiva” must be Mediterranean-specific, debt-aware, migration-absorptive, and financially counter-coercive — or the cascade becomes inevitable.


Copyright of debuglies.com
Even partial reproduction of the contents is not permitted without prior authorization – Reproduction reserved
