Defensive Hybrid Intelligence | Principles



Ethical and legal principles of DHI, for the private sector.


1. All actions undertaken must derive their legitimacy and strategic value from strict adherence to applicable law. All actions must be lawful and defensible. Compliance with domestic and international legal standards is not a constraint, but a strategic advantage.

Defensive Hybrid Intelligence operates within the constitutional, regulatory and human rights frameworks. Adherence to these norms must be interpreted functionally, not restrictively, ensuring that they enhance legitimacy, build institutional resilience, strengthen evidentiary standards, and expand international cooperation.


2. The law is a force multiplier. Legality is a shield, not a constraint. DHI uses legal principles aggressively in defence. This includes:

a. Employing regulatory mechanisms and public-private sector cooperation as protective tools.

b. Engaging courts, regulators, and international bodies to impose cost on adversaries.

Legality empowers defence. It converts law into a strategic defensive weapon, within the constitutional and regulatory frameworks.


3. Defensive responses must remain proportionate. Hybrid threats justify proportionate, evidence based defensive actions.

Proportionality does not mean minimalism. It means that actions must be justified by the threat environment. But it also means that organisations must not self limit through overly cautious interpretations of legal or ethical norms, when facing adversaries who exploit hesitation as a tactical asset.


4. Information disclosure must balance operational necessity with accountability obligations. Governance requires clarity, documentation, auditability and internal accountability. None of this requires operational disclosure to adversaries, competitors, or unaligned stakeholders. This principle prevents entities from being forced into operational exposure that hostile states would never reciprocate.


5. Ethical oversight must be grounded in practical operational realities. We follow ethical and legal norms, but we do not permit ethics to become a vector of hybrid vulnerability. Ethics must strengthen, not weaken, our defence. We reject overly simplistic ethical interpretations that fail to reflect operational realities.

Hybrid adversaries exploit ethics and law as attack surfaces. They file complaints, initiate legal actions, and weaponise due process. Organisations must anticipate such misuse and develop legally sound countermeasures that prevent ethics and law from becoming vectors of hybrid coercion.


6. All activities must safeguard the integrity, chain of custody, and admissibility of digital and intelligence derived evidence. DHI requires the protection of the cognitive environment, including facts, evidence, and signals, on which decision making relies. Organisations must preserve evidentiary chains. This supports internal decision making, but also enables legal and regulatory defence, and attribution efforts.



Structural principles of DHI


1. Build a documentation strategy. Under the guidance of legal counsel, organisations may maintain internal detailed operational records (intelligence, methods, sources, indicators, hybrid intelligence workflows), and external defensible documentation (principles, governance decisions, high level controls).

The internal layer is classified, and never shared outside protected channels. It may contain intelligence collection, fusion, interpretation, methods, indicators, sources, algorithms.

The external layer satisfies regulators, demonstrates compliance, and does not expose operational capabilities. In many jurisdictions, regulators require evidence of preparedness, prevention, detection, response, escalation, monitoring. They do not require disclosure of operational details that would compromise national or corporate security.


2. Build a disclosure policy. Establish that certain security sensitive materials may be withheld or summarised, when full disclosure would compromise operational integrity, induce unacceptable security exposure, or facilitate adversarial exploitation. This mirrors government practice, and is legally defensible in many jurisdictions, when it is documented and proportionate.

Define in the policy what is operationally sensitive information. This includes hybrid intelligence indicators, detection or monitoring methods, fusion methodologies, weak signal correlation criteria, algorithmic verification processes, insider risk methodologies, threat actor attribution logic, geopolitical assessments, and cross domain anomaly maps.

Classifying these in advance prevents litigants from arguing that the designation is tactical, after an incident, to hide the truth.

Implement jurisdictional shielding. Hostile states often attempt to force disclosure through foreign discovery orders, cross border subpoenas, and extraterritorial regulatory actions.

Countermeasures include data localisation, segmented data governance, limiting cross border system access, and explicit contractual prohibitions. This ensures adversaries cannot exploit weaker jurisdictions.

Maintain an evidentiary narrative without revealing methods. In many countries, regulators and courts do not require detailed intelligence sources. They require a coherent narrative, evidence of reasonable decisions, proof of adequate oversight, and documentation of defensive actions.

Show your conclusions and decisions, not your intelligence methods. This mirrors national security intelligence practice.

Courts in many jurisdictions accept tiered documentation systems when justified by security necessity.


3. Use legal privilege.

This is not an effort to hide the truth. It is an effort to protect what is confidential and could be exploited by competitors and adversaries. Legal advice is required at every step of this process.

Many defensive hybrid intelligence activities can be structured under:

a. Attorney client privilege. It protects confidential communications between legal counsel and the client that are made for the purpose of seeking or providing legal advice. It can include, depending on the jurisdiction, written or oral communications, internal investigations directed by legal counsel, requests for legal assessment of risk, exposure, or regulatory duties, and intelligence analysis prepared for counsel. Sensitive hybrid intelligence findings can be channeled through counsel to allow safe legal analysis, and avoid operational exposure.

b. Work product doctrine. It protects materials prepared in anticipation of litigation, including investigative notes, internal memos, hybrid risk assessments, draft reports, and legal strategy documents.

This is broader than attorney client privilege, especially in common law jurisdictions, and it protects analysis and legal strategy from disclosure.

c. Regulatory privilege. In certain sectors (financial services, critical infrastructure, medical, energy), communications with regulators, when properly structured, may be privileged or confidential.

d. Board privilege. Board deliberations, especially in risk, compliance, or crisis management contexts, are shielded in many jurisdictions by corporate privilege, fiduciary deliberation privilege, and statutory confidentiality duties.

Board level privilege protects strategic discussions, hybrid intelligence briefings to directors, governance judgments, and crisis readiness evaluations.


The allegation: “You are hiding the truth.”

Adversaries, including authoritarian states, politically motivated litigants, opportunistic plaintiffs, or corporate rivals, may claim that the organisation is asserting privilege only to hide wrongdoing.

This is a common attack tactic. It can appear in civil suits, shareholder actions, cross border litigation, politically motivated legal proceedings, and foreign state aligned lawfare.

The goal is to pierce privilege and force disclosure of internal methods, hybrid intelligence analyses, vulnerabilities, remediation failures, internal decision logs, and anything useful for coercion or intelligence exploitation.

In many jurisdictions, courts and regulators respect privilege. It is crucial to emphasise that invoking privilege is not evidence of wrongdoing. It is normal legal behaviour, protecting confidential information.

Courts consistently hold that privilege is a fundamental legal right, that it is critical to effective legal advice, and that it cannot be overcome by mere suspicion. Allegations of concealment must be substantiated.

Regulators also recognise privilege, and they expect organisations to structure sensitive investigations under privilege.

You avoid the risk of appearing to hide the truth by structuring privilege correctly, documenting lawfully, and maintaining a clear evidentiary trail.

Use privilege proactively, not reactively. Courts and regulators treat privilege more favourably when it is established from the start, applied consistently, covered in organisational policy, and aligned with legal and compliance obligations.

Separate protected analysis from operational facts. Courts draw a line between facts that are discoverable, and analysis / strategy that is privileged.

We must document facts separately, and we may place intelligence, analysis, assessments, and evaluations under counsel. Facts are not hidden. Interpretation remains protected.

Document good faith. Judges and regulators look for bad faith concealment. You must prove prompt remediation, timely reporting, full cooperation with regulators, good internal governance, audit trails, board oversight, and continuous monitoring.

Do not mix privileged and non privileged content. Mixing destroys privilege.

Privilege can be lost. It may be challenged if the communication was not for legal advice, or it was shared beyond the protected group.

Invoking privilege preserves the organisation’s ability to investigate hybrid threats, and prevents adversarial actors from exploiting disclosure mechanisms to weaken defensive capacity.



Principles that distinguish hybrid threats from cybersecurity and security threats.

The following principles outline the core characteristics that distinguish hybrid threats from cybersecurity and security threats. They capture the complexity, ambiguity, and multidimensional nature of hybrid operations, helping clarify how they evolve, how they exploit vulnerabilities, and why they are difficult to detect, attribute, and counter.


Principle 1. Multi domain convergence.

Hybrid activity cannot be properly understood, assessed, or governed if it is analysed within a single functional or technical silo. In the context of Defensive Hybrid Intelligence, any serious attempt to manage hybrid risks must start with the convergence of several domains of activity, including cyber, human, legal, regulatory, cognitive, informational, algorithmic, and supply chain. This principle reminds boards, senior management, risk, and compliance that these threats are cross domain and deliberately designed to fall between traditional institutional boundaries.

The principle of multi domain convergence rejects the assumption that risks can be effectively governed through domain specific frameworks that treat cyber incidents as purely technical events, regulatory exposure as purely legal, insider behaviour as purely human resources challenges, or disinformation campaigns as merely reputational concerns.

In a hybrid environment, adversaries design campaigns that combine cyber intrusion, legal pressure, media and information manipulation, exploitation of supply chain weaknesses and, increasingly, exploitation or corruption of algorithmic systems. The principle requires that risk assessments, internal control systems, compliance frameworks, and incident response arrangements are capable of integrating signals from all these domains into a single, coherent analytical picture.

Principle 1 is a lens for interpreting the duties of care and oversight. Directors and executive managers are required to establish and maintain adequate risk management and internal control systems. Where hybrid threats are foreseeable, the adequacy of those systems cannot be judged by their performance within individual silos. The question becomes whether the governance framework recognises the convergence of domains, and whether it enables the timely synthesis of information across them.

The principle has implications for how risk and compliance professionals interpret regulatory expectations. Many modern regimes, particularly in financial services, critical infrastructure, data protection, and operational resilience, employ technology neutral language that requires effective risk management, proportionate controls and appropriate governance. These open standards must be interpreted against the factual background of hybrid threats that operate across domains.

Supervisory authorities assessing compliance will not be satisfied with a checklist of domain specific controls. They increasingly look to whether the organisation is capable of recognising a hybrid campaign, and they ask for resilience, not only controls.

Risk and compliance must implement hybrid risk management policies and procedures, and carefully explain the new hybrid environment. For example, human resources and insider risk teams must understand the possibility that behavioural anomalies and targeted pressure on key individuals are part of wider adversarial campaigns that also have technical and legal components.

Where the principle of multi domain convergence has been operationalised, the organisation will be able to demonstrate that its hybrid intelligence and risk management functions were expressly designed to capture cross domain interactions. Where each domain has been treated as self contained, and no structures for cross domain synthesis exist, it may be difficult to argue that the organisation took all reasonable steps to defend against emerging risks.

In an environment where hybrid threats are known to exist, an organisation that entirely ignores convergence and persists in a purely siloed view of risk will fall below the evolving standard of prudence. In this sense, multi domain convergence is both descriptive, in that it reflects the nature of modern hybrid activity, and normative, in that it explains what governance should do in response.


Principle 2. Weak signals.

The principle reflects the reality that hybrid adversarial activity rarely involves a single, unambiguous event that clearly triggers established legal or compliance thresholds. Adversaries deliberately distribute their actions across domains, jurisdictions, and timeframes, in ways designed to ensure that each individual indicator appears inconsequential when examined in isolation.

Organisations must have the ability to recognise hybrid patterns by correlating subtle, low intensity indications that, when fused, reveal a materially different risk profile. This is not an exercise in speculation. It is a response to well documented adversarial strategies that rely on ambiguity, fragmentation, and cumulative escalation.

Principle 2 challenges the traditional compliance model built around fixed triggers, thresholds, and materiality assessments. Classical internal control systems are designed to escalate matters once they reach a predefined level of seriousness, whether in terms of financial exposure, security compromise, or regulatory significance. Hybrid campaigns are crafted to avoid triggering these thresholds.

Isolated unsuccessful login attempts do not constitute a reportable incident. A supplier’s unusual behaviour often does not justify contractual escalation. Small discrepancies in an AI model’s output do not seem material. The principle of weak signal correlation recognises that hybrid adversaries rely on this institutional over reliance on thresholds, and it asks organisations to evaluate such indicators in combination, not in isolation. We will return to this later, under 1. Collection domain.

Under corporate law and regulatory regimes governing financial services, critical infrastructure, and data protection, boards and senior management are required to maintain systems capable of identifying emerging risks. Weak signal correlation defines one of the characteristics of such risks. Patterns become intelligible only when multiple weak signals are considered collectively.

Many laws and regulations, such as those governing operational resilience, cybersecurity, supply chain due diligence, anti money laundering oversight, and data protection, require organisations to maintain effective risk detection mechanisms, and to notify authorities when certain kinds of harm become likely or actual. Weak signal correlation becomes relevant because regulators increasingly evaluate whether organisations should have recognised the significance of early, dispersed indicators.

Defensive Hybrid Intelligence requires that intelligence analysts, risk managers, compliance officers, cybersecurity professionals, and legal teams, have access to a shared mechanism for aggregating, contextualising and interpreting weak indications. This may take the form of an integrated system, cross functional internal forum, shared risk taxonomies, or intelligence fusion cells.

Without such structures, weak signal correlation is difficult, because information becomes trapped within domain silos. It is not that individual functions lack competence. It is the architecture of information flow that prevents them from recognising a hybrid pattern. The principle shapes not only analysis, but institutional design too.

Weak signal correlation also has a direct evidentiary impact in the event of litigation, regulatory enforcement, and internal investigations. In hybrid contexts, the question often becomes what the organisation ought reasonably to have known at a given time. If weak signals were present but were never correlated, the organisation will struggle to justify its inaction.

The existence of documented correlation mechanisms enables the organisation to demonstrate that it took proactive steps to recognise emergent hybrid patterns. This can be relevant in legal proceedings, shareholder litigation, administrative investigations, cross border regulatory inquiries, and criminal negligence cases where the adequacy of risk management systems is evaluated.


Principle 3. Exploiting fragmentation of information, authority and analytical capability across multiple functional silos.

The principle addresses a structural deficiency in many organisations’ governance, risk, and compliance architectures. This is the fragmentation of information, authority and analytical capability across multiple functional silos. Hybrid adversaries deliberately exploit these internal separations. They count on the fact that cyber teams will view an anomaly strictly through a technical lens, that legal departments will interpret a regulatory inquiry solely as an isolated compliance matter, that human resources will treat behavioural indicators merely as personnel issues, and that procurement will consider vendor irregularities only in contractual terms. The principle of cross silo fusion asserts that effective detection, attribution and mitigation of hybrid activity require the active dissolution of analytical barriers between functions, enabling the synthesis of information that, when considered together, reveals materially different risk implications than when examined in isolation.

This principle challenges the classical corporate model in which departments operate autonomously under discrete mandates. Traditional governance structures were developed in an era when risks were more linear, when adversaries engaged in domain specific conduct, and when the legal system asked for controls, not resilience across digital, human, regulatory and supply chain environments.

The principle shapes the interpretation of what constitutes an adequate internal control system under corporate law, regulatory frameworks and sector specific obligations. Laws such as the EU’s Digital Operational Resilience Act (DORA), the NIS 2 Directive, various financial services supervisory regimes, anti money laundering directives, and data protection statutes require organisations to implement effective and proportionate control mechanisms. These regulations generally do not mandate the precise architecture for information sharing across functions. The principle of cross silo fusion provides the normative standard against which the adequacy of such systems can be assessed. In a hybrid threat environment, a governance or compliance program that isolates incident detection, risk management and legal oversight into functionally sealed compartments may fail to meet the reasonable expectations of regulators, courts, and shareholders.

Cross silo fusion counters a well documented cognitive risk, the tendency of domain experts to interpret signals within their professional area of expertise, even when the significance of the signal lies outside that frame.

For example, a cybersecurity analyst may not appreciate the regulatory implications of a technical anomaly. Hybrid adversaries exploit this cognitive segmentation. The principle of cross silo fusion reduces the likelihood that each function misinterprets or downplays signals that would be alarming if considered in aggregate.
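The weak signal correlation of Principle 2 and the cross silo fusion of Principle 3, as an added example that is not part of the original page: four indicators from four functional silos (failed logins, a supplier anomaly, AI output drift, an HR report), each below its own domain threshold, cross the escalation threshold only when fused around a shared subject, and the escalation record keeps factual signal ids apart from the assessment. Domain names, severities, thresholds, the scoring rule and the events are all constructed assumptions.

```python
"""Cross-domain weak signal correlation (added illustration, not DHI code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed per-domain threshold: a domain escalates on its own only when the
# sum of its severities reaches 1.0, i.e. a classic "real" incident.
DOMAIN_THRESHOLD = 1.0
# Assumed fusion rule: escalate when at least three domains touch the same
# subject inside the window and the fused score reaches 0.9.
MIN_DOMAINS = 3
FUSED_THRESHOLD = 0.9
WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Signal:
    sid: str          # event identifier (a fact, discoverable)
    ts: datetime      # when observed
    domain: str       # cyber, supply_chain, ai, hr, legal, ...
    subject: str      # shared entity the signal concerns
    severity: float   # 0..1, strength of the signal in isolation
    note: str         # factual description, no interpretation


@dataclass
class Escalation:
    subject: str
    window_start: datetime
    window_end: datetime
    facts: list = field(default_factory=list)   # signal ids only
    domains: list = field(default_factory=list)
    fused_score: float = 0.0
    assessment: str = ""                        # interpretation, kept apart


def single_domain_alerts(signals):
    """Classic threshold model: each domain judged only on its own score."""
    per_domain = defaultdict(float)
    for s in signals:
        per_domain[s.domain] += s.severity
    return sorted(d for d, v in per_domain.items() if v >= DOMAIN_THRESHOLD)


def fused_score(signals):
    """Strongest signal per domain, weighted up by domain diversity.

    Assumed rule: the more domains converge on one subject, the less
    plausible it is that the signals are unrelated noise.
    """
    strongest = defaultdict(float)
    for s in signals:
        strongest[s.domain] = max(strongest[s.domain], s.severity)
    n = len(strongest)
    return round(sum(strongest.values()) * (1 + 0.25 * (n - 1)), 3)


def correlate(signals, window=WINDOW):
    """Group by subject, slide a time window, fuse across domains."""
    by_subject = defaultdict(list)
    for s in sorted(signals, key=lambda s: s.ts):
        by_subject[s.subject].append(s)

    escalations = []
    for subject, sigs in by_subject.items():
        for i, anchor in enumerate(sigs):
            cluster = [s for s in sigs[i:] if s.ts - anchor.ts <= window]
            domains = sorted({s.domain for s in cluster})
            score = fused_score(cluster)
            if len(domains) >= MIN_DOMAINS and score >= FUSED_THRESHOLD:
                escalations.append(Escalation(
                    subject=subject,
                    window_start=anchor.ts,
                    window_end=cluster[-1].ts,
                    facts=[s.sid for s in cluster],
                    domains=domains,
                    fused_score=score,
                    assessment=(f"{len(domains)} domains converge on {subject} "
                                f"within {window}; fused {score} >= {FUSED_THRESHOLD}"),
                ))
                break  # one escalation per subject is enough for triage
    return escalations


# Constructed sample: every signal is weak on its own.
T0 = datetime(2024, 1, 10, 8, 0)
SAMPLE = [
    Signal("ev-1", T0, "cyber", "treasury-team", 0.3,
           "4 failed logins on 2 accounts, off hours"),
    Signal("ev-2", T0 + timedelta(hours=20), "supply_chain", "treasury-team", 0.3,
           "payment-platform vendor changed bank details"),
    Signal("ev-3", T0 + timedelta(hours=40), "ai", "treasury-team", 0.25,
           "invoice-matching model: 3% drift in approval rate"),
    Signal("ev-4", T0 + timedelta(hours=60), "hr", "treasury-team", 0.3,
           "key approver reports unsolicited contact about role"),
    Signal("ev-5", T0 + timedelta(days=9), "cyber", "marketing", 0.3,
           "2 failed logins"),  # isolated, never clusters
]

if __name__ == "__main__":
    print("single-domain alerts:", single_domain_alerts(SAMPLE))  # []
    for e in correlate(SAMPLE):
        print(e.subject, e.domains, e.facts, e.fused_score)
```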


Principle 4. Cognition is a battlefield.

Hybrid adversaries do not limit themselves to technical, legal, or organisational attacks. They increasingly manipulate the perception, judgment, and decision making processes of individuals and institutions. Defensive Hybrid Intelligence requires that organisations treat cognition as a domain that can be targeted, shaped, or degraded by adversarial activity.

The principle expands the concept of risk management and compliance beyond the traditional protection of assets and processes, and into the protection of the informational and psychological conditions under which decisions are made. It acknowledges that adversaries frequently aim to influence how key actors interpret facts, assign credibility, weigh risks, respond to incidents, and prioritise internal actions. The principle imposes a governance obligation: organisations must anticipate, detect and mitigate adversarial attempts to distort cognition at individual or collective levels.

Cognition becomes a vulnerability because organisations rely on human interpretation in risk management, incident triage, regulatory reporting, board oversight, internal investigations, external disclosures, and strategic decision making. If adversaries can influence or manipulate the cognitive environment, through misinformation, selective disclosures, identity based attacks, deepfakes, targeted pressure on individuals, and a mix of real and fake strategic revelations, they can indirectly shape the organisation’s behaviour.

Attempts to manipulate perception must be recognised and treated with the same seriousness as attempts to compromise data or operational systems.


Principle 5. Persistence.

Hybrid activity unfolds in a persistent, adaptive, low visibility manner. Defensive Hybrid Intelligence asks for defence that is continuous, anticipatory, and capable of maintaining situational awareness across multiple domains at all times. This principle reframes monitoring as a duty that must align with the adversary’s operational tempo, not the organisation’s internal administrative schedule and audits. It elevates continuous monitoring from a technical best practice to a governance requirement grounded in statutory and regulatory expectations concerning operational resilience, timely detection of incidents, and the maintenance of effective internal control systems.

Historically, important parts of the corporate monitoring infrastructure were built around periodic assessments, like quarterly risk reports and annual audits. These periodic structures assume that risks evolve slowly, and that meaningful change can be captured at fixed intervals.

Hybrid threats invalidate that assumption. A hybrid campaign may escalate within hours, and capitalise on the vulnerability of a single employee. Monitoring that is limited to periodic intervals is structurally mismatched to the threat environment. Continuous hybrid monitoring responds to this temporal mismatch by requiring an always on capacity to detect, contextualise and escalate hybrid indicators as they emerge.

Continuous hybrid monitoring is defined as the systematic, ongoing, and technology enabled process designed to detect, assess, and document hybrid threats that may adversely affect an entity’s legal, regulatory, or prudential obligations. It involves real time or near real time collection of multi domain indicators, including cyber telemetry, information environment signals, reputational indicators, supply chain indicators, and geopolitical risk factors.

It includes structured analysis against statutory, regulatory, and supervisory criteria, ensuring that emerging hybrid threats are evaluated through the lens of established compliance duties, including due diligence, operational resilience, governance, and reporting.

Continuous hybrid monitoring is not legally or operationally viable without real time human expertise supporting automated systems. Legally defensible monitoring requires 24x7 human analytical capability, ensuring that threat intelligence is interpreted in real time and contextualised against legal obligations.

Continuous hybrid monitoring establishes a perpetual situational awareness mechanism that allows an organization to fulfil its duty of care, resilience obligations, and risk based supervisory requirements in an environment where hybrid threats evolve across multiple domains and operate 24x7.


Principle 6. Attribution fluidity.

The principle addresses one of the most complex and legally consequential characteristics of hybrid adversarial activity, the deliberate use of ambiguity and proxy structures to prevent clear identification of the responsible actor. Hybrid operations are designed to frustrate the evidentiary, procedural and jurisdictional requirements.

Attribution fluidity challenges traditional assumptions that wrongdoing must be linked to a clearly identifiable actor before legal action can be justified. Hybrid adversaries routinely employ technical proxies, including botnets, compromised infrastructures, anonymisation technologies, rented or compromised resources, and third country infrastructures. They also deploy human proxies, front organisations, manipulated insiders, and shell entities.

They also use regulators and supervisors as legal proxies, through the initiation of regulatory complaints, strategic litigation, or administrative actions, intended to mask the ultimate source and objective of the pressure. Cognitive proxies, including media, synthetic personas, and disinformation channels, can further distort the perception of adversarial intent. These layers of indirection ensure that no single indicator provides a definitive attribution path.

From a compliance perspective, the principle counters the belief that regulatory reporting should be delayed until the identity of the adversary and the facts are confirmed. In practice, many breach notification regimes require organisations to evaluate impact, likelihood of harm, and operational relevance, not the specific identity of the attacker.

If attribution becomes a precondition for notification, organisations will miss statutory deadlines, and expose themselves to liability and regulatory sanctions.

The evidentiary consequences of attribution fluidity are significant. Courts, regulators and investigative bodies increasingly recognise that hybrid campaigns are structured to defeat traditional attribution standards. When assessing whether an organisation acted reasonably, the question is not whether it identified the adversary with forensic certainty, but whether it took reasonable steps under conditions of uncertainty. Organisations are expected to act on incomplete evidence when delay would lead to harm.



LEGAL DISCLAIMER. The information contained herein is provided for general informational, educational, and conceptual purposes only. It does not constitute, and must not be construed as, legal advice, regulatory advice, or any other form of formal advisory service. No legal, regulatory, fiduciary, or professional relationship is created through the use, distribution, or interpretation of this material.

Laws, regulations, supervisory expectations, industry standards, and evidentiary rules vary significantly across jurisdictions and sectors. Applications of the principles, frameworks, and concepts described herein may differ depending on local legal requirements, organisational structures, regulatory mandates, contractual obligations, and sector specific compliance regimes. The material may not be appropriate, sufficient, or applicable to every jurisdiction or circumstance.

Legal entities and professionals must seek independent advice from qualified legal counsel licensed in the relevant jurisdiction before making any decisions, taking any action, or relying on any information contained in this document. No representation or warranty, express or implied, is made regarding the accuracy, completeness, reliability, or suitability of this material for any particular purpose, entity, or situation. We expressly disclaim any and all liability arising from reliance on the content, including but not limited to actions taken or not taken, errors or omissions, or any direct, indirect, incidental, consequential, or punitive damages.

References to regulatory concepts, legal doctrines, or governance practices are presented solely for educational discussion and do not constitute authoritative statements of law. Where examples are provided, they are illustrative in nature and do not describe actual events, individuals, or organisations. By accessing, using, or distributing this material, you acknowledge and agree that you are solely responsible for obtaining appropriate professional advice and for ensuring compliance with all applicable laws and regulations.


George Lekatis


This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.

Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.

Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.