Maintaining the UK's Intelligence Edge in the Grey Zone

The most immediate threat to UK national security in 2026 is unlikely to take the form of a conventional military attack by Russia against the British homeland or a European NATO ally. Instead, the UK – like a growing number of European states – faces a more insidious challenge: the gradual erosion of its resilience through a sustained campaign of sabotage, malign interference and provocation.

Much of this activity appears to be directed or enabled by the Kremlin, though typically carried out through proxies and other deniable channels. These operations, subtle and dispersed across multiple domains, are designed to discredit European governments, probe for weaknesses in their defences, drain resources and reduce capacity for coherent, timely response.

Maintaining a decision-making advantage amid this intensifying grey zone competition requires not only having access to a wider array of intelligence sources, but also new ways of interpreting them. Traditional threat assessments – grounded in detailed knowledge of state military capabilities, extremist ideologies and clear indicators of intent – are no longer sufficient. Analysts now need frameworks and tools capable of tracing opaque influence networks, mapping disinformation flows and understanding how economic, societal and technological pressures interact to produce strategic effect.

Grey Zone Disruption is Defining European Security

A direct, conventional war between Russia and NATO cannot be ruled out in the coming years, even if neither side currently seeks one. Moscow sees itself as engaged in a long-term competition with NATO, and is determined to restore its former great power status. It appears to view its war in Ukraine through this strategic lens and a Russian victory there would probably embolden further attempts to expand its influence and territorial control.

In October, Germany’s top military commander cautioned that Russia could be capable of mounting a large-scale assault against NATO by 2029 should its military rearmament continue unchecked. His comments echoed assessments by other European defence leaders. In July, for instance, Finland’s Chief of Defence Command told an audience at RUSI that the number of Russian soldiers behind Finland’s shared border would rise to 80,000 when the war in Ukraine ends. These warnings come as the United States – traditionally the guarantor of European security – shows increasingly signs of reluctance to maintain that role and is reducing its military presence on the continent.

Such scenarios deserve attention but are unlikely in the near term, not least because Moscow remains deeply committed to the war in Ukraine – a conflict that shows little sign of ending soon. President Putin seems disinterested in a negotiated peace short of Ukrainian capitulation, at least according to the UK’s most senior intelligence officer. By contrast, the Kremlin’s evolving campaign of hybrid and grey zone operations across Europe is almost certain to remain a persistent – and increasingly complex – challenge for regional security in 2026 and beyond.

Russia’s Campaign of Grey Zone Activity is Intensifying

Russia is waging an assertive campaign of sabotage, disinformation, cyberattacks and military provocation across Europe. As of early October, suspected Russian hybrid warfare activity in European states during 2025 surpassed the total number of incidents for all of 2024 – according to data compiled by Dragonfly. In total, several hundred disruptive incidents have occurred across Europe since 2014 which the London-based geopolitical intelligence firm suspects are linked to Moscow.

These disruptive actions range from severing undersea power cables in the Baltic Sea and placing incendiary devices on air freight, to attempts to manipulate democratic processes and inflame societal divisions. Strikingly, around 90% of these incidents have taken place since Russia’s full-scale invasion of Ukraine in 2022, with 2024 seeing a sixfold rise compared with the previous year. Moscow’s brazenness is also increasing. Drone swarms over Poland and airspace incursions involving Estonia, Romania, Denmark and Norway in September 2025 brought Russia and NATO closer to direct confrontation than at any time since the Cold War.

The UK is not exempt and remains among the most frequently targeted states along with the Baltic countries, Finland, Germany, Norway and Poland. Over the past year alone, suspected Russia-linked activity in the UK has included arson attacks at properties connected to Prime Minister Keir Starmer, attempts by ‘Russian diplomats’ to enter a restricted area of Parliament and the use of Telegram channels with Russian links to encourage Londoners to commit violent attacks on mosques.

On 19 November, UK Defence Secretary John Healey warned that a Russian spy ship was close to UK waters near Shetland, having entered them earlier in the month. A Royal Air Force surveillance aircraft, which had been tracking the ship’s movements, was reportedly targeted by lasers. Just a few days prior to this incident, the head of the Security Service, the UK’s domestic intelligence agency also known as MI5, delivered the agency’s annual threat assessment noting a 35% increase over the past year in the number of individuals under investigation for involvement in state-linked activity. Many of these cases are likely connected to Russia, which the government has accused of conducting daily cyberattacks against the UK.

NATO’s head of cyber operations warned in early December that the Kremlin could have assisted ransomware groups in launching costly attacks on British companies. Among the possible victims is British retailer Marks & Spencer, whose profits for the first half of the year reportedly fell by 99 percent after an April cyber-attack.

Yet the Kremlin’s tactics appear carefully calibrated. They likely aim to identify and chip away at weak spots in European defences, shape political and informational conditions to Russia’s advantage, signal that enforcing sanctions against Moscow carries costs and divert attention and resources away from Ukraine – all while staying below the threshold that Moscow judges would trigger a direct NATO response.

Where Traditional Intelligence Falters

Traditional approaches to intelligence risk being outpaced by the dynamics of grey zone competition. Hybrid operations exploit the structural limitations of target states’ national security apparatus. The UK’s intelligence community, for example, was built for a different era – one where hostile action was easier to attribute, operational theatres clearly defined and superiority in human, signals or geospatial intelligence usually ensured advanced situational awareness. In the grey zone, none of these assumptions consistently hold. Attribution is obscured, lines between domestic and foreign, civilian and military, peace and war are blurred and indicators of escalation emerge incrementally across disparate domains, often going unnoticed.

By acting through proxies, private companies or online influencers and between legal jurisdictions, states like Russia can ensure that investigations result in ambiguity rather than prosecution, enabling plausible deniability. A disinformation campaign tied to a marketing firm abroad, a cyberattack attributed to patriotic hackers, or sabotage carried out by commercial contractors all fall into this grey space – leaving governments hesitant to call out or respond.

This challenge is compounded by the movement of hostile activity into private digital spaces, encrypted messaging services and commercial data environments that often sit beyond the routine reach of state intelligence collection. Advantages enjoyed by Western intelligence agencies, once derived from signals and imagery intelligence, now rely on partnerships with technology firms and the ability to mine and fuse vast quantities of open-source information at speed.

Grey zone threats also exacerbate longstanding analytical dilemmas. Intelligence analysts tracking state-linked grey zone activity must increasingly make high-impact judgments based on fragmentary, time-lagged or circumstantial information that is intentionally ambiguous, misleading and politically charged. Meanwhile, the sheer volume of fast-moving potentially relevant open-source material – much of which can be low quality and deliberately manipulative – threatens to overwhelm analyst workflows built for closed, classified intelligence streams.

Towards Decision Advantage in the Grey Zone

Hybrid activity has long been part of Moscow’s playbook. Today, the Kremlin is again using it as a low-risk, high-impact way to exert economic and psychological pressure on Europe – and there is little sign this pressure will ease. If anything, Russia is likely to pursue even more imaginative forms of disruption.

The UK government has already taken steps to strengthen resilience. Through Operation Nordic Warden, the UK is leading Joint Expeditionary Force efforts to track threats to undersea infrastructure and has tightened obligations on critical infrastructure providers to bolster cyber defences.

For the UK intelligence assessment community, however, improving its ability to understand and anticipate grey zone activity – whether from Russia or other hostile states – must now be a priority. This requires investing in analytical methods that reveal patterns and relationships, not simply cataloguing incidents. Techniques such as complex network analysis, potentially once confined to specialist teams working on proscribed terrorist groups, should become mainstream for analysts focused on less conventional threats closer to home.

These approaches must be matched with better access to advanced software, data-analytics and machine-learning tools able to turn large volumes of diverse data into actionable insight. Developing stronger capacity for systems thinking would enhance sense-making in the grey zone, enabling analysts to decipher how economic dependencies, technological vulnerabilities and societal pressures interact – and how adversaries can exploit these intersections to create strategic effect.

Genuine cross-domain intelligence fusion is equally essential. Integrating open-source, technical and human intelligence in systematic ways would improve detection of coercion or proxy activity across sectors. Achieving this requires strong leadership and clear standards for data collection, integration and analytic interoperability.

Operational agility must accompany methodological innovation. Grey zone activity moves faster than traditional intelligence reporting cycles can absorb. Continuous, collaborative sense-making, enabled by shared datasets and models and secure analytic environments, can shorten the distance between observation and action. Yet greater agility demands blending established tradecraft with interdisciplinary expertise: data science to interrogate digital ecosystems, behavioural science to analyse influence operations and narrative analysis to understand how information shapes public perceptions.

Achieving this level of reform does not require merging the UK’s three main intelligence collection agencies – a proposal some former intelligence chiefs have supposedly favoured. Instead, the key to giving decision-makers the intelligence edge needed to confront grey zone threats lies in enabling even closer cooperation between them, across the wider UK intelligence community and with allies.

Embedding these capabilities will require sustainable investment, clear priorities and leadership willing to drive organisational change. To stay ahead of adversaries whose grey zone tactics are becoming faster, more adaptive and more disruptive, the UK must make intelligence innovation and cross-domain integration central national security priorities, not optional extras.

© RUSI, 2025.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.