Sweden’s Role in Countering Hybrid Threats in the Baltic Sea Region

Justina Budginaite‑Froehly

---

Bottom lines up front

• Despite NATO’s conventional superiority in the Baltic Sea region, the Alliance faces a persistent deterrence gap in the sub‑threshold domain.

• Russia exploits this gap by operating below the threshold of armed conflict, leveraging ambiguity, attribution challenges, and legal constraints.

• Sweden’s civil‑military integration, operational capabilities, and regional alignment position it as a key actor for converting NATO’s geostrategic advantages into effective sub‑threshold deterrence.

Sweden and Finland’s accession to NATO in 2024 has completed the Alliance’s northern arc, effectively transforming the Baltic Sea into what is often described as an “allied lake.” Yet the geostrategic gains of the Alliance have not eliminated the region’s exposure to sub‑threshold aggression, especially against critical infrastructure in the energy, data, communications, and transportation sectors. As Russia continues to probe NATO’s resolve with hostile actions calibrated to stay below the threshold of armed conflict, the core challenge for Sweden—as a Baltic littoral state and a NATO member—and for the Alliance more broadly is to extend deterrence and defense to the sub‑threshold domain. Failing to close this gap risks signaling political hesitation to Russia, which, in turn, might increase the likelihood that hybrid pressure escalates into a conventional conflict.

Geostrategic shifts after recent NATO enlargement

Sweden and Finland’s accession to NATO closed the long‑standing strategic gap in the Baltic Sea region. With nearly the entire northern coastline—from Norway to the Baltic states—now within NATO’s defense perimeter, only Russia’s Gulf of Finland coastline and the Kaliningrad exclave remain outside of the Alliance’s territory. This shift significantly strengthens NATO’s ability to reinforce the Baltic states and secure vital lines of communication in the entire region. Central to this new posture is Sweden’s Gotland island, whose location at the geographic centre of the Baltic Sea gives NATO a decisive position from which to influence regional air and maritime movement and to counter Russia’s anti‑access/area denial (A2/AD) capabilities, preventing the eastern Baltic from being sealed off militarily.

These strategic gains extend westward to the Danish Straits, the critical maritime chokepoints linking the Baltic and North Seas. With Sweden’s accession, NATO now controls both sides of these passages, enhancing the Alliance’s freedom of manoeuvre and safeguarding naval reinforcement routes. This consolidated control simultaneously restricts the operational flexibility of Russia’s Baltic Fleet, reinforcing NATO’s dominance across the broader Baltic maritime space.

Sub‑threshold aggression in the Baltic Sea region

These geostrategic shifts in the Nordic‑Baltic security map favour NATO and were met with an asymmetric response from Russia. Hesitant to use conventional military power against the enlarged Alliance, yet willing to test NATO’s readiness and political cohesion, Russia adapted to operate within the “allied lake” by employing covert hybrid tactics that exploit sub‑threshold seams in NATO’s deterrence and defence posture. Russia’s goal is to relativise and downplay the Alliance’s strategic advantage in the Baltic Sea region. Russia bets that its strategy of persistent sub‑threshold pressure can convince the Nordic‑Baltic societies that NATO is weak, unready, and unwilling to defend its member states, while signalling that Russia can retain the initiative within the so‑called “NATO lake.”

Russia’s hybrid toolkit includes, but is not limited to, sabotage against under‑sea energy, data and telecommunications cables; recurrent airspace violations using military jets, drones and meteorological balloons; and massive disruptions to civilian aviation through Global Positioning System (GPS) jamming and spoofing. These attacks are designed to exploit the densely networked character of the Baltic Sea and its surroundings, where pipelines, cables, liquefied natural gas terminals, ports and airports form an integrated energy, communications, transportation and trade hub.

As the sub‑threshold contest formally unfolds in a peacetime setting where traditional military superiority offers limited deterrent value, NATO’s geostrategic advantages resulting from the recent enlargement do not seamlessly translate into operational leverage against Russia’s hybrid strategy in the Baltic Sea region.

The Alliance has recognised the problem and taken steps to improve information sharing, coordination and situational awareness. This is demonstrated by the recent launch of the Baltic Sentry maritime and Eastern Sentry multi‑domain activities, the creation of a Critical Undersea Infrastructure Network, and the establishment of a Maritime Centre for the Security of Critical Undersea Infrastructure within NATO’s Maritime Command in Northwood, United Kingdom. Despite progress, NATO still lacks a comprehensive sub‑threshold deterrence and defence architecture that would enable swift responses to hybrid attacks and also serve to deter future disruptions.

Challenges with sub‑threshold aggression

Sub‑threshold attacks are designed to blur the lines between peacetime incidents and deliberate hostile actions, complicating the ability of NATO and littoral states to calibrate their responses. It is a combination of structural, legal, political and technical constraints that creates the gray zones that Russia exploits.

Sabotage of critical infrastructure in the Baltic Sea almost always occurs in environments where determining responsibility is slow, uncertain and highly contestable. Underwater pipelines and data cables lie in complex maritime traffic zones where accidental damage can look nearly identical to deliberate interference, making attribution analysis lengthy and often inconclusive. Russia also relies on commercial vessels and proxy actors—mainly from its shadow fleet—to launch hybrid operations, as seen recently in sabotage incidents against under‑sea energy infrastructure, and as suspected in some cases of drone sightings near European airports.

The timing, political context and type of attacks clearly point to Russia as the mastermind behind them. But because Moscow deliberately sustains this activity below the threshold of open conflict, allies lack the definitive evidence and legal grounding required for a conventional collective response. This creates a cycle of operational hesitation in which Western governments know who is responsible but cannot act decisively without risking escalation, undermining international law, or generating political divisions among NATO capitals. This ambiguity is precisely what Russia seeks to exploit.

Much of the critical infrastructure that has been targeted by sabotage includes under‑sea pipelines and cables that lie in international waters or exclusive economic zones (EEZ), where states have limited enforcement authority and ambiguous rights to interdict suspicious vessels. Russia conducts hybrid attacks through civilian‑flagged or dual‑use vessels, exploiting legal regimes that protect freedom of navigation under the United Nations Convention on the Law of the Sea (UNCLOS) and constrain states from boarding or detaining ships without incontrovertible evidence. Despite these legal constraints, Finland has set a significant precedent by boarding the Cook Islands‑flagged tanker Eagle S, which had damaged the Estlink 2 power cable connecting Estonia and Finland. Although this did not directly target Russia as the mastermind behind the attack, it at least had ramifications for the proxies executing its plans.

Furthermore, there is an acute issue with multi‑actor and inter‑agency coordination, which is crucial for countering hybrid threats. In addition to running through several EEZs and international waters, resulting in a single hybrid attack affecting several countries, critical infrastructure is often civilian and privately owned, further expanding the number of actors to consult in the event of an attack. As armed forces, coast guards, intelligence agencies and private operators act under different mandates, gaps emerge in who can respond, when, and under what legal justification.

Finally, there is a significant technological challenge. Russia’s war of aggression against Ukraine has accelerated its ability to combine inexpensive technologies—unmanned systems, electronic‑warfare tools and simple disruptive devices—with covert tactics to generate asymmetric, high‑cost effects for Baltic Sea littoral states. Europe is developing cost‑effective countermeasures, but these capabilities still lack scale and, more importantly, the defence‑industrial and governmental alignment needed to drive rapid operational innovation. Only by testing new technologies early and repeatedly in realistic operating environments can innovators adapt to a fast‑evolving threat landscape and stay ahead of Russian tactics rather than merely reacting to them. At the same time, European critical infrastructure often relies on bespoke, complex systems that are difficult to repair quickly and frequently lack redundancy or standardised backup capabilities, making them especially vulnerable to sabotage.

Sweden’s edge in countering hybrid threats

As NATO adapts to this non‑traditional security environment, Sweden offers several unique advantages that position it at the centre of the Alliance’s hybrid deterrence and defence architecture. While Sweden’s geography provides strategic depth and operational access to allied armed forces that would greatly benefit the Alliance in wartime, it is Sweden’s institutional, societal and technological foundations that give it leverage in shaping an effective allied response to hybrid threats evolving in the gray zone between war and peace.

1. Civil‑military integration. Sweden’s deeply institutionalised model of civil‑military integration, underpinned by its Total Defence concept, offers NATO a framework for improving cross‑sectoral, multi‑actor coordination in response to hybrid threats. Through this concept, Sweden integrates its armed forces, government agencies, civilian infrastructure operators, municipalities, private companies and the population into a single national preparedness system—precisely the type of model NATO now needs for the sub‑threshold domain.

2. Advanced armed forces. The Swedish Navy’s shallow‑water expertise and underwater‑domain‑awareness platforms are uniquely adapted to the Baltic Sea’s complex environment, making Sweden one of NATO’s most capable members for monitoring seabed infrastructure and detecting anomalous maritime activity. Likewise, the Swedish Air Force—equipped with an advanced Gripen fleet, dispersed basing, sophisticated surveillance systems and deep interoperability with other Nordic nations—provides NATO with a regionally integrated situational‑awareness model that can identify anomalies early and shorten the decision window for response.

3. Industrial and research capacity. Sweden’s well‑established defence industry and research ecosystem can give the Alliance a technological advantage in sub‑threshold competition. Innovations in integrated surveillance, unmanned platforms and electronic‑warfare solutions can directly support NATO’s emerging initiatives on seabed security, autonomous systems and contested electromagnetic environments.

4. Regional integration. Sweden participates in the Nordic Defence Cooperation (NORDEFCO), the Joint Expeditionary Force (JEF), the Nordic‑Baltic Eight (NB8) and numerous trilateral and bilateral arrangements with Finland, Norway, Denmark and the Baltic states. These formats enable intelligence sharing, coordinated crisis procedures, surveillance and cross‑border military support, creating a resilient, interoperable and politically agile security ecosystem.

5. Political credibility and strategic culture. Sweden has long prioritised resilience, whole‑of‑society readiness and the defence of critical infrastructure as core pillars of national security. As NATO strives to articulate clearer thresholds for hybrid aggression and improve coordination between civilian and military domains, Sweden can help integrate resilience, societal endurance, infrastructure protection and rapid attribution mechanisms into the Alliance’s broader deterrence and defence model.

Steps forward for Sweden and NATO

As hybrid aggression becomes an increasingly central feature of Russia’s strategy in the Baltic Sea region, Sweden and NATO must adopt a forward‑leaning posture that closes the current gaps between NATO’s geostrategic advantages and its sub‑threshold operational vulnerabilities. The following recommendations outline priorities for Sweden and NATO as they consolidate an effective hybrid deterrence and defence architecture in the Baltic Sea region.

Measures to strengthen the responses to hybrid attacks

1. Increase pressure on Russia’s shadow fleet. Expand the list of sanctioned shadow‑fleet vessels, blocking their access to services and ports; deny passage near critical infrastructure sites and allow inspections of vessels operating under false flags.

2. Create a Nordic‑Baltic inter‑agency hybrid‑attribution cell. Fuse intelligence, maritime surveillance, cyber forensics and private‑sector reporting to shorten the time between an incident and a coordinated response; adopt a flexible attribution principle that permits targeting proxies when the ultimate chain of command cannot be identified promptly.

3. Apply Ukraine’s lessons on operational innovation. Establish testing corridors along the Baltic littoral to accelerate deployment of unmanned systems, counter‑UAS solutions, distributed sensors and electronic‑warfare tools, prioritising modularity, adaptability and cost‑effectiveness.

4. Enhance redundancy and standardisation of critical infrastructure. Advocate for EU‑wide standards, backup systems and a standing capability to conduct urgent repairs after sabotage, reducing downtime and eliminating single points of failure.

5. Expand joint situational‑awareness and incident‑response exercises. Lead recurring exercises focused on cable failures, GPS interference and anomalous vessel activity to improve legal coherence, decision speed and inter‑agency coordination.

Measures to strengthen deterrence against further sub‑threshold aggression

1. Operationalise NATO’s 1.5 percent resilience‑spending pillar. Define qualifying projects, performance metrics and required outcomes to embed sub‑threshold defence into broader NATO capability planning.

2. Support innovation among Baltic‑littoral defence‑tech companies. Streamline procurement and enable rapid field testing of regional solutions, replicating successful Ukrainian models.

3. Impose coordinated consequences on hybrid proxies. Agree on diplomatic expulsions, maritime inspections, targeted sanctions or legal action against entities enabling malign activity.

4. Clarify NATO’s hybrid thresholds. Develop definitions that consider intent, pattern and cumulative destabilisation rather than rigid criteria that Russia could exploit.

5. Deepen integration with Nordic‑Baltic frameworks. Leverage NORDEFCO, JEF and NB8 to build habitual coordination on detection, strategic communications and consequence management, enhancing the credibility of deterrence.

Toward a Nordic‑Baltic sub‑threshold deterrence architecture

The strategic task now facing Sweden and NATO is to convert geostrategic advantage in the Baltic Sea region into operational resilience in the sub‑threshold domain. Hybrid threats will remain Russia’s preferred tool in the region for as long as they continue to produce political hesitation and asymmetric effects. Sweden’s accession to NATO offers an opportunity to close this gap by strengthening rapid‑response mechanisms and shaping a credible, collective deterrence framework for the sub‑threshold domain. By driving operational innovation, improving attribution processes, hardening critical infrastructure and enabling coordinated regional action, Sweden can help ensure that hybrid aggression in the Baltic Sea produces not operational indecision but strategic backlash.

---

About the author

Justina Budginaite‑Froehly is a non‑resident senior fellow with the Atlantic Council’s Europe Center and Transatlantic Security Initiative within the Scowcroft Center for Strategy and Security. Her professional focus is on security and defence‑related issues, including defence‑industrial developments, military mobility and energy security in Europe.

Acknowledgments

This issue brief was made possible by support from the Swedish Ministry of Foreign Affairs. The Atlantic Council maintains a strict intellectual‑independence policy for all its projects and publications. The Council requires all donors to agree to the Council maintaining independent control of the content and conclusions of any products resulting from sponsored projects.