H-Diplo | Robert Jervis International Security Studies Forum
Roundtable Review 16-37
Lennart Maschmeyer. Subversion: From Covert Operations to Cyber Conflict. Oxford University Press, 2024. ISBN: 9780197745861.
9 May 2025 | PDF: https://issforum.org/to/jrt16-37 | Website: rjissf.org | X: @HDiplo
Editor: Diane Labrosse
Commissioning Editor: Rebecca Slayton
Production Editor: Christopher Ball
Pre-Production Copy Editor: Katie A. Ryan
Contents
Introduction by Rebecca Slayton, Cornell University
Review by Richard J. Harknett, University of Cincinnati
Review by Melissa M. Lee, University of Pennsylvania
Introduction by Rebecca Slayton, Cornell University
Subversion is a “menace that spreads in the shadows…it secretly infiltrates an adversary’s society and institutions, manipulating, weakening, and disintegrating them from within” (2). Lennart Maschmeyer’s new book provides a theory of how subversion works, what its limitations are, and how it changes with technology. Maschmeyer frames subversion as an instrument of power that is distinct from warfare or diplomacy; he argues that it reverses structural power by turning a state’s institutions against the state.
In theory, subversion is the perfect weapon since it is inexpensive, low risk, and highly effective. But Maschmeyer argues that in practice it is limited by a subversive trilemma, which is a set of trade-offs between the speed, intensity, and control that an actor can exert over subversion. High speed operations rarely achieve intense effects, and risk discovery and loss of control. Maximizing control over subversive effects means moving slowly and minimizing the intensity of those effects. Achieving intense effects similarly takes time and risks a loss of control.
Maschmeyer further argues that cyber operations are “new tools of subversion” which are also constrained by the trilemma but can achieve fewer strategically significant effects than traditional subversion (2). He outlines five different subversive effects: 1) manipulating public opinion; 2) manipulating government policy; 3) degrading material and economic capabilities; 4) undermining institutional effectiveness; and 5) regime change. Maschmeyer argues that cyber operations, which he defines as the subversion of computers and networks, cannot manipulate government policy or effect regime change because these goals require human intervention. Thus, “cyber operations do not expand the range of outcomes states can achieve short of war, compared to traditional subversion. On the contrary…they further narrow it” (58).
Maschmeyer supports these theoretical arguments by analyzing three subversive campaigns in Eastern Europe: the Soviet Union’s efforts to crush the Prague Spring in the late 1960s and early 1970s, Russia’s efforts to stop Ukraine’s integration with Western Europe after 2013, and finally Russia’s early use of subversive cyber operations to support its war on Ukraine after 2022. In each case, he finds evidence that the subversive operations were limited by a trilemma, though he also notes some successes which suggest the need for further research to understand the circumstances under which subversion can be successful.
Each of the reviewers sees considerable value in the subversive trilemma. They also, in their own way, raise questions about its scope and what kinds of actors, operations, and effects it constrains. Some of these questions stem from Maschmeyer’s empirical focus on subversive campaigns by the Soviet Union and its successor state, Russia. Melissa Lee suggests that more capable actors, such as China, might be more able to overcome the limitations of the trilemma than the Soviet Union or Russia, whose subversive efforts sometimes resemble a “clown show.”
Reviewers also raise questions about the scope of operations that are constrained by the subversive trilemma. Maschmeyer’s book focuses on the use of subversion to achieve “active effects,” and in his conclusion he notes two different uses of subversion—disinformation campaigns, and intelligence collection—that may be more successful than active measures (225-6). Josephine Wolff raises important questions about how well Maschmeyer’s theory can be applied to espionage, where the intensity of effects is often difficult to observe.
Lee suggests that Maschmeyer misses an important opportunity by excluding election interference from his definition and his analysis of cyber operations. She notes that election interference can achieve two strategic effects, policy influence and regime change, which are not possible through “cyber operations” as defined by Maschmeyer, i.e. efforts to subvert the operation of hardware-software systems.
Harknett makes a similar critique, but from a different direction: he rejects Maschmeyer’s definition of cyber operations, which focuses on the manipulation of machines. He argues that cyber operations are sociotechnical, which means that they include the use of computers to shape human and social beliefs and feelings. According to Harknett, since computers can affect how people think and behave, cyber operations can in fact shape government policy and regime change.
Josephine Wolff raises similar questions about the scope of effects that are achievable by subversion, suggesting that Maschmeyer’s focus on “active effects” may blind us to other equally important kinds of effects. For example, Maschmeyer frames the failure of Stuxnet—a worm designed to subversively destroy Iran’s nuclear program—as evidence of the limitations of subversion, but Wolff notes that this limitation may have been “by design…a feature, not a bug, of cyber operations.” Here she highlights important, and perhaps ironic, similarities between Maschmeyer’s theory of subversion and very early writing about “cyberwar.” John Arquilla and David Ronfeldt, perhaps two of the earliest scholars to write about “cyberwar,” were optimistic that cyber operations might be less destructive than traditional war.[1] Maschmeyer similarly hints that “cyber operations offer a way to pursue goals without escalating to use of force,” but he labels this subversion rather than war.
Harknett argues that the book overextends the theory of subversion by treating all cyber conflict as fundamentally subversive. He argues that while cyber operations may be subversive in their mechanism (i.e., they subvert an adversary’s computer systems), their strategic goals are not necessarily subversive. For example, North Korea subverts computerized financial systems for non-subversive purposes, namely, to finance its nuclear weapons and missile development programs.
Maschmeyer responds by acknowledging that the strategic objectives of some cyber operations are not always subversive but maintains that the subversive trilemma is important to understanding the subversive mechanisms by which these objectives are pursued. He also acknowledges that subversion might be more successful in some circumstances than others, and that China’s subversive campaigns are worthy of further study. However, he expects that the subversive trilemma, the set of tensions between speed, intensity, and control, will apply regardless of how successful subversion’s ultimate aims become.
The reviewers also suggest that further research should examine the multi-dimensional dynamics of subversion. Lee also raises important questions about how target states respond to subversive efforts: do they learn? How might such learning affect further attempts at subversion? What kinds of responses do subversive operations engender from their targets? Harknett similarly notes that the loss of secrecy in a cyber operation can sometimes be turned to advantage, as adversaries can observe how their targets respond. Maschmeyer agrees with these reviewers that studying subversion as a multi-directional phenomenon is an important future direction.
Subversion makes an important contribution to theories of power in world politics as well as the rapidly growing field of cyber conflict.[2] As this roundtable demonstrates, Maschmeyer’s book has succeeded in not only presenting an innovative theory of subversion but also spurring a lively debate and suggesting promising directions for further research.
Contributors:
Lennart Maschmeyer is Assistant Professor of Cybersecurity at the Norman Paterson School of International Affairs at Carleton University. His main research focus is the impact of technological change on international and transnational security. Pursuing both theory-building and empirical investigation, he examines how advances in information technologies affect outcomes in security competition, as well as how pathologies in knowledge production shape threat perception and policy. Recent publications include “Subversion, Cyber Operations, and Reverse Structural Power in World Politics,” European Journal of International Relations 29:1 (1 March 2023): 79–103; “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations.” International Security 46: 2 (25 October 2021): 51–90; and “A Tale of Two Cybers – How Threat Reporting by Cybersecurity Firms Systematically Underrepresents Threats to Civil Society,” Journal of Information Technology & Politics 18:1 (2 January 2021): 1–20, (co-authored with Ron Deibert and Jon Lindsay). Lennart also co-chairs the Threat Intel Coalition, a special interest group at the Forum for Incident Response and Security Teams (FIRST) that helps civil society defend itself against cyber attacks.
Rebecca Slayton is an Associate Professor in the Department of Science & Technology Studies and Director of the Judith Reppy Institute for Peace and Conflict Studies. Her research and teaching examine emerging technology, expertise, and risk, with a focus on international security and cooperation since World War II. Slayton’s current book project, Shadowing Cybersecurity, examines the historical institutionalization of cybersecurity expertise.
Richard J. Harknett is Professor and Director of the School of Public and International Affairs and Director of the Center for Cyber Strategy and Policy at the University of Cincinnati, where he also co-directs the Ohio Cyber Range Institute, which serves as a cyber education, workforce, and economic development organization for the state of Ohio. He served as scholar-in-residence at US Cyber Command.
Melissa M. Lee is the Klein Family Presidential Associate Professor of Political Science at the University of Pennsylvania. She studies the international and domestic politics of statebuilding and state development. Lee is the author of Crippling Leviathan: How Foreign Subversion Weakens the State (Cornell University Press, 2020). Her work has received the American Political Science Association’s 2016 Helen Dwight Reid (now Merze Tate) award, APSA’s European Politics and Society Section 2020 Best Article Prize, and Perry World House’s inaugural Emerging Scholar Global Policy Prize. She received her PhD in Political Science from Stanford University. Prior to joining the faculty at Penn, Lee was Assistant Professor of Politics and International Affairs at Princeton University.
Josephine Wolff is an Associate Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University. She has published two books: “You’ll See This Message When It Is Too Late”: The Legal and Economic Aftermath of Cybersecurity Breaches (MIT Press, 2018) and Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (MIT Press, 2022). Her research interests include liability for cybersecurity incidents, government responses to cyberattacks, economics of information security, and mechanisms for cyber risk transfer. She has published academic articles in the Harvard Journal of Law & Technology, Contemporary Security Policy, and the Journal of Management Information Systems, as well as at the Workshop on the Economics of Information Security and USENIX Security. Her writing on cybersecurity has also appeared in the Financial Times, the Wall Street Journal, the New York Times, the Washington Post, The Atlantic, Wired, and Slate.
Review by Richard J. Harknett, University of Cincinnati
Good scholarship can advance thinking as an author intends or it can impact analysis in unintended ways. Lennart Maschmeyer’s Subversion is good scholarship. Maschmeyer offers a theory of subversion which, through its nuanced reasoning and case study-based analysis, will advance intelligence studies’ understanding of this state practice with greater precision and, potentially, guide policy consideration. This was the author’s primary aim, and the book accomplishes it. The author also offers an extension of the theory and seeks to apply it to the study of cyber operations. It is here where the author’s analysis leads this reviewer to think in new, perhaps unintended, ways. While I will briefly touch on the goal accomplished, most of the following analysis focuses on the overextension of the theory and what it does and does not advance in the emerging sub-field of cyber security studies.
Understanding Subversion
Maschmeyer correctly distinguishes subversion from force, coercion, persuasion, and bargaining and makes the case that as a distinct instrument of power it requires its own theory. He constructs a definition, from an intelligence studies context, that subversion is an “indirect and secret mechanism of exploitation and manipulation that allows projecting of power and shifting its balance short of war” (2). It involves “infiltration, exploitation, and manipulation of groups, institutions, and society in the pursuit of three distinct goals: first, to manipulate policy and public opinion; second, to sabotage infrastructure, institutions, and other facilities; and third, to effect regime change from within” (8).
The book’s strength is in bringing a nuanced understanding of how subversion works. According to the author, the efficacy of subversion rests on the limiting nature and limiting interplay between three key variables: the speed at which operations can occur, the intensity of their effect, and the control one has. Given subversion’s reliance on exploitation and manipulation, each variable has limits which states need to overcome in order to achieve effective subversion, and Maschmeyer shows effectively how these three variables create a “trilemma”; that is, that enhancement of one is counteracted by the other two and the pursuit of two of the variables creates a “doubly” limiting effect through the remaining third variable (13). Each of his case studies reveals evidence of this fundamental interplay and thus advances a nuanced understanding of how subversion works. In this manner, the author provides a reasonable explanation for why subversion rarely meets its promise of independent strategic effect but remains an important instrument for state power projection.
A Mis-Extension
The development of new theory is no easy task. Had Subversion satisfied itself with offering its new theory to explain how traditional subversion works and why it may tend to fall short of its promise in actual state practice, the book itself would merit little push-back. The inclusion of new source material across Maschmeyer’s three main case studies elevates the value of the manuscript. The book seeks to additionally examine how technological change might alter the quality of subversion. This, by itself, is a worthy secondary research question, particularly given the growing interest in how cyberspace may impact state relations.
Throughout the book the author at times directs cordial agreement with the work with which I am associated, the development of Cyber Persistence Theory (CPT) and its attendant alignment with the US doctrine of persistent engagement.[3] These areas of agreement include the belief that fundamentally war and coercion are not exclusively strategic, but that other state behavior can achieve shifts in the distribution of power and that cumulative campaigns (rather than episodic operations) are the most likely cyber activity that can advance strategic-level outcomes.[4] Maschmeyer ends with the suggestion, one with which I agree, that a promising line of research would be to examine how traditional subversion can be combined with cyber operations into integrated campaigns.
However, large sections of his examination of cyber operations and their comparison to traditional subversion divert from (rather than challenge directly) the tenets of CPT. It is important to clarify these differences to advance the conversation.
At one level, Cyber Persistence Theory and Maschmeyer’s theory of the subversive trilemma are apples and oranges. CPT seeks to explain how states are approaching national security in and through cyberspace, and why the behavior we are witnessing needs to be understood as potentially strategic in nature.[5] It argues that the cyber strategic environment has its own structurally reinforced logic of initiative persistence, which if accepted, redefines how security is obtained (or lost). CPT posits that this logic is distinctive from that which defines the nuclear strategic environment and the conventional strategic environment.[6] In conventional environments, security is obtained by being capable of fighting and winning war. In the nuclear environment, security rests on avoiding nuclear war, which cannot be achieved through reliance on defense. One plane, one bomb, one city changed that calculus and thus the structural imperative when nuclear weapons are possessed rests on deterrence. Both strategic environments fundamentally involve force and coercion.
My co-authors, Michael Fischerkeller and Emily Goldman, and I argue that the combination of interconnectedness, macro-resilience/micro-vulnerability, and the mutability of information communication technology create a condition of constant contact and, thus, a different core security mechanism from coercion; that is, exploitation, the anticipation of which defines whether a state will be more or less secure. This is the focus on initiative. Given the three elements of the cyber strategic environment, the initiative is always obtainable (and thus logically always something that can be lost). Since security flows from seizing and holding the initiative, everyone in the system has an incentive to pursue it. Thus, the second part of the logic, persistence—if one does not wish to cede their security to someone else, one must persist in seeking initiative. States that seek security in and through the cyber strategic environment have a structural imperative to anticipate the exploitation of cyber-based computing vulnerabilities, which, given their ties to individual-level and societal-wide activities, creates a constant prospect of shifting national sources of power be they economic, political, military, or social.[7]
Maschmeyer’s Trilemma is a theory about how subversion works, not an attempt to offer a grander new definition of security itself as it relates to a new emergent technology. In this regard the authors of CPT are, admittedly, going big to explain why a new set of capabilities, authorities, doctrines, strategies, and activities (operations and campaigns) have emerged and have converged around a different anchoring approach to national security than the logic of deterrence associated with the nuclear strategic environment. While Maschmeyer discusses the US version of persistent engagement, the number of states (for example, the United Kingdom, Netherlands, Japan, Canada) explicitly adopting a proactive anticipatory posture in cyberspace is growing, which aligns with the structural imperative expectations of CPT.[8]
I would submit, therefore, that Maschmeyer’s focus on cyber operations throughout the book is not a direct critique of CPT but rather raises questions about how we understand the tactical and operational levels of cyber activity. This is, however, not how he treats the analysis, which he argues shows that cyber operations are even more constrained and potentially strategically less effective than traditional subversion, which leads to his suggestion that state strategies based on initiative persistence are “prioritizing the lesser threat” (220). This prescriptive assertion does not hold under further scrutiny (and may be extraneous since under the logic of initiative persistence, cyber-enabled subversive operations are part of the strategic mix and thus not dismissed).
While the theory of subversion is developed well in the book, its application to cyber operations requires some reconsideration. First and foremost, Maschmeyer considers cyber operations as exclusively a form of subversion. He argues that since they subvert information computer technology (ICT) by exploiting vulnerabilities and manipulating systems to do things they otherwise are not programmed to do, they must be understood synonymously as subversion. He then applies the logic of the trilemma to conclude they are much more constrained than traditional subversion.
I have several concerns: First, this is too narrow a definition of cyber activity. It applies a tactical level of analysis to a broader category of state activity.[9] Yes, the tactics of cyber operations do involve exploitation of computer vulnerability and manipulation of how the computer system functions, but that tactic does not always and exclusively align with Maschmeyer’s definition of subversion or the core objectives he associates with it. He argues that subversion is indirect and secret; and presents subversion as unidirectional (my term) in that his definition and analysis focus on how one can harm an adversary. There is an inherent bias toward subversion creating “detrimental” harm. Cyber operations are not exclusively focused on harm, they are not exclusively indirect, nor are they always secret. They can position one in a favorable situation; they can create opportunity; and they can enhance other elements of national power.[10]
Many of the cyber operations that are publicly discussed by the United States, for example, are defensive in nature and produce security through anticipation (or the seizing back of initiative). In this sense, CPT aligns with the notion that cyber operations are multidirectional; they are not exclusively about harming the other side (this is a new clarifying categorization spurred by reading Subversion that will require more reasoning and discussion with my co-authors). Hunt Forward Operations, which are all about initiative persistence, involve US cyber operators sitting by invitation on foreign networks and searching for malware and exploits of vulnerabilities. When discovered, they can be countered immediately or can be enclaved, studied to gain intelligence, provide time to build resiliency in US networks, or crowd-sourced for resiliency by making the exploits public (uploads to VirusTotal, for example). Recent law enforcement cyber operations under the US 2023 National Cyber Strategy’s call to limit, frustrate, and disrupt malicious cyber activity have led to state-sponsored large-scale Internet-of-things botnet takedowns as well as major criminal organizations being disrupted.[11] In these instances, the goal of cyber operations is not necessarily to harm the adversary as much as to restore one’s control over one’s own systems, or what unidirectional analysis calls offense or defense. Importantly, the book does not address the defense side of the coin.
This critique also applies to the case-study work in the book involving Russian cyber operations against Ukraine, where the author suggests that the lack of Russian gain is due to the inadequacies of cyber means (the trilemma’s limiting impact); what is not discussed and thus overlooked is that Ukrainian cyber resilience might have played a role over time. It is possibly Ukraine’s ability to seize the initiative away from Russia by persistently engaging over the 2014-2022 period and anticipate enough of Russia’s cyber activity that could be the explanation for why Russian cyber operations have not met expected levels of effectiveness since the war began (which admittedly is beyond the scope of the book).[12]
While Maschmeyer does acknowledge CPT’s focus on cumulative gain and the linking of operations into coherent campaigns and acknowledges that this could “produce significant strategic value,” this does not translate into a recognition that not all cyber operations are subversive in objective (39). North Korean manipulation and exploitation of cyber financial system vulnerabilities to obtain resources to fund their nuclear weapon and missile production in the face of international sanctions are strategic competitive operations that are outside the five types of effects that Maschmeyer associates with subversion.[13]
At the operational level, the book also does not address directly how cyber operations are conducted at times to create unexpected opportunities and allow lateral and horizontal movement through interconnected systems. The reason behind such operations is to ‘live off the land’ to discover and create new opportunities to exploit. When one moves from an episodic operations frame and adopts a campaigning mindset, cyber activity takes on a much wider set of activity than subversion. The tactic of living off the land by using the computer system’s legitimate tools and functions to gain advantage also raises questions about Maschmeyer’s assumption that cyber operations are slow because they take significant time to build tailored code. This core element of the trilemma collapses in the face of evolving cyber techniques and tactics that can easily be absorbed and practiced. The conduct of cyber operations further creates a learning by doing efficiency since the entry and sustainment costs are relatively low given the mutability of the technology and the significant expanse of vulnerabilities.[14]
Cyber is Sociotechnical
In the extension of his theory of subversion to examine cyber operations, the author acknowledges that the link between ICT and human activity is increasing, and thus he notes that exploitation and manipulation are not occurring purely in a technical computer system, but rather across sociotechnical systems in which both social and technical vulnerabilities are embedded. Unfortunately, the analysis that follows almost exclusively examines exploitation as a technical act leading to a conclusion that “cyber operations rely on a subversive mechanism that produces effects through secret exploitation of flaws in computer systems and the way they are used” (48).
This runs counter to the idea that these are “socio” technical. According to reports, US Cyber Command leveraged unauthorized access to the Russian Internet Research Agency (IRA) and made its presence known within the IRA systems. The principal objective was to put Russian operatives on their back foot right before the 2018 US midterm elections. Instead of launching cyber-enabled information campaigns against the US election, Russian operatives had to play defense and hunt for the Americans in their network, assuming surely that the Americans would not engage in an exquisite infiltration just to say hello. They had to assume the Americans may have planted malware or exfiltrated data. Doubt about their operational security techniques added a layer that distracted the Russians from their plans. One might hypothesize that the psychological effect was as important as the technical breach in creating essentially organizational friction within the IRA (without destroying or disabling anything directly according to reports).[15] This operation might align with Maschmeyer’s fourth subversive effect of undermining institutional effectiveness and efficiency, but it is not clandestine or covert and thus has to be understood in a broader context than merely the initial tactical infiltration of the computer system. It is about how people interface with embedded computer processing through organizational adaptation. The United Kingdom’s National Cyber Force’s operational primer released in 2023 emphasizes how a proactive cyber posture can support a doctrine of cognitive effect,[16] which is focused on manipulating the interface of humans in specific organizational roles and responsibilities through their embedded use and connection to computer networks and digital interfaces. 
The core definitions offered in Subversion capture this application of cyber operations, but the author’s attempt to elevate the importance of traditional subversive operations at times in the book underplays or undervalues cyber operations’ influence on people.
This undervaluing becomes pronounced when Maschmeyer introduces a fuller list of five types of subversive effects (an extension of his earlier focus on three main objectives). To support his claim that cyber operations are less effective than traditional subversion, he places significant weight on the assertion that cyber operations are only capable of three of the five effects with two being “beyond their reach” (50). Three counterpropositions suggest the difference is not as significant as this presupposes, neither theoretically nor prescriptively.
First, throughout the book Maschmeyer acknowledges that cyber operations can scale more easily than traditional subversion. A typical human spy infiltration into one room in one building gives that person access to what is in that room. Infiltration into an interconnected computer system can grant access to the room, but also to the other rooms in the building, and to other buildings across a complex and so forth. Interconnectedness creates a qualitatively different exploitation environment than terrestrial-based systems, institutions, and people. Maschmeyer’s suggestion that both subversion and cyber operations can achieve three of five subversion effects (manipulate public opinion, degrade material capabilities and disrupt the economy, and undermine institutional effectiveness and efficiency), is not grounded on an analysis of whether this scaling capacity actually prospectively positions cyber operations to have a greater range of impact (his intensity variable, for example) than subversion. They both may be capable of the effect, but what if cyber operations with lower cost and more speed can scale to bigger effects in each of those categories? Even if one accepts the assertion that Maschmeyer’s two other subversive effects are beyond cyber operations, their qualitative advantage in the other three can make them more attractive prescriptively than traditional subversion. Empirical state behavior seems to suggest that states are at least leaning toward such a conclusion.[17] The three-out-of-five critique is not sufficient without this deeper comparative analysis within each effect.
Second, it is not clear that Maschmeyer’s other two subversive effects are beyond cyber operational reach. Let’s look at each—regime change and manipulating government policy. He asserts that “as long as government is carried out by people rather than computers, cyber operations alone will be incapable of overthrowing” governments (51). This claim does not accord with other arguments presented in the book. Again, Maschmeyer notes that in cyber, we are talking about sociotechnical systems, and yet this conclusion seemingly dismisses the social piece of the system. There is significant evidence that computer interfaces can have neurological and biological impacts on users. The interface itself changes how people think and feel.[18] It can motivate and demotivate. This is especially pertinent in democratic societies, where “regime change” needs to be understood as producing electoral outcomes that may not have otherwise occurred. This happens not through technical manipulation of the vote, but by manipulation of the voter. It also is captured by cyber-enabled divisive information campaigns that seek to amplify factionalization across democratic societies.[19] In the book Maschmeyer equates human agents in a traditional subversion operation to computer code as immaterial “agent” (42). If that holds, there is no single human agent who on their own can overthrow a government. It is thus not clear why he concludes that since code cannot by itself overthrow a government, regime change is beyond the reach of cyber operations, but not beyond the reach of traditional subversion. If that is the measure, then traditional subversion cannot achieve it either. Importantly, if one considers how authoritarian governments reacted to the Arab Spring, they certainly thought cyber activity was an existential threat.
China’s cyber operation efforts are primarily about population control (rather than external subversion) and thus is a form of regime maintenance (another example of the multidirectional utility of cyber operations not considered by the author through a narrow frame of cyber as harmful subversion).[20]
Regarding manipulating government policy, the same counter argument holds. Maschmeyer is too dismissive of cyber operations’ potential by once again focusing only on the technical portion of his sociotechnical system when he asserts that if people and not computers carry out policy, cyber is limited. Additionally, there is no acknowledgement that much policy is moving toward automated processing. For example, it is difficult to buy a house in the United States, where credit ratings impact mortgage approvals and sentencing in the criminal justice system. Such automation opens the door for manipulation that may or may not be seen at the individual level. There is no consideration in the book of how the conduct of cyber operations themselves is undermining and requiring significant adjustments to government policy and strategies (and this is where not recognizing that cyber operations are more than subversion limits the analysis to the point of it being an overextension of the theory itself). The significant shifts states are making in authorities, capabilities, and strategies to adopt proactive cyber postures aligned with initiative persistence, what CPT classifies as a paradigm shift, are directly related to the conduct of cyber operations over the past 10 years and recognition of what is needed for security.[21] Cyber operations are displacing legacy strategies and government policy through their conduct (not their theoretical promise).
Government policy shifts regarding social media platforms again are not the product of subversion but are substantial reactions at the operational level to cyber activity Maschmeyer is interested in studying. TikTok can be classified as a social media platform. It might also be understood as a two-way communication device that advances the interests of the Chinese Communist Party (through narrative shaping and influencing government policy). Proposed and executed government bans of the platform are significant policy shifts brought about by cyber activity (but not subversive activity). Cyber operations at the individual user level may fit the definition of covert or clandestine, but the platform itself and the challenge it presents for governments is certainly neither.
Episodic versus Continuous
Another consideration is that Maschmeyer’s trilemma rests on a bias toward an episodic understanding of the control variable. When applied to traditional subversion, a focus on control of effects ultimately rests on whether an actor can maintain secrecy. Increasing the intensity of effects or the speed at which one tries to deliver them seems at logical tension with control. That argument is convincing. But there is the prospect that cyber activity is not exclusively subversive in its objective but in mechanism as well. The limiting nature of the trilemma is that subverters worry about losing control because loss of control can undermine the entire operation—the spy network is rolled up. Thus, they do self-limit and necessarily must consider limiting intensity and speed.
Empirically, this just does not seem to be the case with a large percentage of cyber operators, who burn through exploits with a good bit of abandon. Discovery does not shut things down and in certain cases, in fact, such discovery prompts reactions by the other side and reveals how the defender operates, which creates the opportunity to exploit elsewhere. This results from both the nature of the technology itself and the structural imperative of persistence. The loss of any single exploit does not match the level of the loss of a human spy. There is not a version 2 that can relatively easily be dropped into the same place and pick up where the compromised spy left. The point in cyber, however, is that actors do not necessarily need to pick up at the exact point to not lose the investment that was made in the discovered exploit because there are so many other holes through which to exploit.
There is a different dynamic that can be considered: loss of control is not the same as grappling over control. States in cyberspace accept that what they are doing is grappling over initiative (shifting control) and loss of control is more likely if they move slowly and without scale (intensity of effect). If control is contested and thus shifting, the self-limiting logic of the trilemma does not apply to cyber operations.[22]
Constructive Rejection
In the end, Maschmeyer’s dual conclusion that “cyber operations do not expand the range of outcomes states can achieve, short of war compared to traditional subversion. On the contrary, these characteristics indicate they further narrow it” is unconvincing (58). It is based on a narrow definition of cyber operations as subversion, rather than understanding that cyber activity is broader, and that while operational or campaign modalities can enable subversion, they are not synonymous with subversion.
In developing this rejection of the conclusion, however, my own thinking (which will require more work and analysis subsequently) advanced on a few fronts thanks to Maschmeyer’s book.
First, Cyber Persistence Theory is a multidirectional explanatory framework. This is not how it has been presented, but this may be a useful categorization. It explains the seeking of initiative and the restoring of initiative (what unidirectional analysis calls offense and defense). While Maschmeyer differentiates subversion from force and coercion, his theory examines how it is used to harm an opponent; it examines one direction. The full range of cyber operations and campaigns involves activity that is much broader and does not always involve undermining the other side. It can produce resilience (defense) and opportunity and be primarily about gain rather than the other side’s loss.
Second, loss of control is a different dynamic, mindset, and objective than grappling over control. In CPT logic, most cyber operations run parallel and past each other in pursuit of initiative and, again in a multidirectional fashion, on any given day can lead to both opponents seizing initiative across different platforms. This is fundamentally different than anchoring success on the avoidance of loss of control. In cyber, control is not assumed to be anything more than fleeting, but importantly losing initiative is something one can recover from so the risk from speed and intensity is not necessarily self-constraining, as the trilemma suggests for traditional subversion. Not only are cyber operations not synonymous with subversion and thus the theory is not fully applicable to understanding security in and through cyberspace, but the unique feature of cyberspace also undermines the inherent logic of the trilemma. There is not the level of countervailing limitation that is found in traditional subversion.
Third, CPT emphasizes the mutability of the technology but can emphasize more how that mutability interacts with actual cyber operations (learn by doing) to produce the capacity to develop capabilities much more rapidly than Maschmeyer assumes. We are seeing that in the Russo-Ukraine war on both sides.[23] So, speed may also be an element that does not translate from the theory of the trilemma due to a self-reinforcing economy of scale effect produced through conducting operations. The emergence of automation also will challenge the trilemma’s applicability further to cyber operations.
Why does this matter? Academic precision is important for the field of cyber security studies to move forward; healthy constructive exchange from different perspectives can serve as an engine for improvement. The theory of Subversive Trilemma is a clear advancement in precision for understanding traditional subversion and its operational level insights can aid in understanding aspects of cyber operations. Applied to cyber operations writ large, however, it requires the adoption of a questionably narrow understanding of cyber activity and ultimately sets aside too much. Sometimes theory can stand on its own. Subversion is a good explanation of traditional subversion and need not overextend to have a positive impact in security studies thinking.
Review by Melissa M. Lee, University of Pennsylvania
In March 2014, “little green men” crossed the border from Russia into Ukraine.[24] Days later, Moscow annexed the Crimean peninsula. The event was a watershed moment. The United States, bogged down in Afghanistan and distracted by the rise of Islamic State, was forced to confront the specter of great power conflict over territory in Europe.
That conflict, Washington and its allies feared, was unfolding in seemingly new ways in Ukraine. A litany of terms proliferated in the media and among practitioners and scholars to describe the form of this conflict: hybrid warfare, grey zone warfare, conflict below the threshold of war, subversion.[25] Though ill-defined, the terms all pointed to the same phenomenon. What Russia was doing in Ukraine before 2022 was not warfare as it is traditionally understood by international relations theorists or military practitioners. For some observers, Russia’s activities against Ukraine heralded a revolution in conflict, a brave new world of technology-assisted instruments of power short of war.[26]
Lennart Maschmeyer’s new book discusses the nature of subversion, how it works, and in what way subversion supposedly changes the nature of conflict. In doing so, it offers a timely and much-needed critical look at the use of subversion that will be invaluable to students, scholars, and practitioners alike.
The provocative central argument of the book is that subversion, which Maschmeyer defines as an indirect, covert, and clandestine instrument of statecraft that turns an adversary’s own capabilities against it (2, 8), fails to live up to its strategic promise. Maschmeyer argues that far from revolutionizing conflict or replacing the use of force, subversion is a nuisance to its targets. It annoys, distracts, degrades, and erodes, but on its own subversion is no substitute for the territory-taking power of kinetic military force. He notes that even cyber conflict, a form of techno-subversion designed for the internet era, does not fulfill its potential.
The most important contribution of Maschmeyer’s work is that it provides the conceptual and theoretical framework that brings together different modalities of subversion into one object of study. Maschmeyer argues that the unifying properties of subversion are its indirect and covert nature: the sponsor turns the adversary’s power and capabilities against it, all while obscuring the identity of the sponsor to prevent attribution and retaliation. Modalities of subversion also share a mechanism of action: the manipulation and exploitation of groups, institutions, and societies. In contrast, military force is direct, overt, and physically destructive.
The importance of this contribution should not be underestimated. Scholars have tended to study forms of subversion in isolation.[27] Having written on proxy conflict as a form of subversion, I count myself in this group.[28] By defining subversion in terms of its key characteristics and its mechanism of action, as opposed to the goals and objectives of that action, it becomes possible to study proxy warfare, cyber conflict, election interference, regime change, and misinformation as variations of the same phenomenon. Even though Maschmeyer focuses on just a handful of these modalities, his work allows scholars to move beyond the confines of a single form of subversion to better understand how states attempt to influence others in the pursuit of their strategic objectives. More importantly, his work improves our ability to understand the historical and evolving landscape of subversion as an instrument of statecraft, and to draw lessons for the theory and practice of international conflict.
The payoff of this approach becomes clear in the chapters that guide the reader through three major cases of subversion, which were selected on the basis of their similarities to each other: the Soviet Union’s use of “traditional” subversion against Czechoslovakia in the 1960s, Russia’s use of both traditional and cyber subversion against Ukraine beginning in 2013, and the evolution of the Russian-Ukrainian conflict beginning with Russia’s full-scale invasion of 2022. Viewed against its historical predecessor, the failure of cyber conflict to bring Ukraine to its knees is less surprising.
It turns out that subversion hardly ever works. The reasons for this poor track record, Maschmeyer argues, are inherent to the nature of subversion. The need to maintain secrecy and work through the adversary’s own capabilities produces a subversive trilemma (13), an inescapable tradeoff between speed, control, and intensity. Achieving strategically valuable effects requires a combination of all three factors, yet increases in one factor come at the cost of decreases in the others. Maschmeyer studies only traditional subversion and cyber warfare, but one can easily see how the analysis extends to misinformation and election interference, which some scholars have argued have had limited or little causal effect on beliefs and outcomes.[29]
But does the analysis extend beyond Russia? This question lurks in the background for much of the book, which confines itself to the study of the Soviet Union and Russia as its successor state. To his credit, Maschmeyer confronts the question head-on in the conclusion, where he argues that Russia is a subverter par excellence. If the most technologically capable and most prolific subverter cannot escape the trilemma, then it is unlikely other subverters will either.
Yet here the argument falls victim to the same trap that Maschmeyer sought to avoid by advancing a unified theory of subversion. It is true that in the cyber domain, Russia is one of the most dominant actors. But the urge to wonder about China’s use of cyber warfare is irresistible. Does China face the same limitations as Russia? Could China, with its superior resources, functioning economy, and different autocratic structure, overcome the trilemma? In one colorful subsection on a botched Russian-backed coup attempt against President Volodymyr Zelenskiy in the months before the full-scale invasion, Maschmeyer writes that “the clowns fail to take over,” which raises the question of whether Russian subversion is, in effect, a clown show (188). Perhaps Russia is exceptionally bad at subverting its adversaries. There are many advantages of the “most similar” method of case selection, but ruling out “Russian incompetence” as an explanation is not one of them.
I also wonder whether the tradeoff between speed, control, and intensity is as inescapable for other modalities of subversion as it is for cyber warfare. As Maschmeyer notes, some subversive operations can cause physical damage while others cannot (32). This suggests that effect intensity may be a function of the mode of subversion in addition to speed and control. For example, distributed denial of service attacks do not destroy hardware in the way that explosives planted on power pylons do. While Maschmeyer argues that this difference in intensity points to the continued relevance of traditional subversion, the book would have benefited from a more sustained discussion about whether the trilemma binds less tightly for some modes of subversion than others.
The omission of a comparison beyond that of cyber conflict is a missed opportunity. One thinks, for example, about Russia’s interference in the 2016 US presidential election. Since the analysis here is constrained to traditional and cyber subversion, others must apply his framework to the case of election interference.
Yet election interference differs in important ways from cyber. Importantly, this modality of subversion can, at least in theory, produce different effects than cyber even while remaining more limited in its reach than traditional subversion. Whereas cyber can manipulate public opinion, degrade material capabilities, and undermine institutional effectiveness, election interference can in theory manipulate public opinion (about the integrity of the election), manipulate government policy (by tilting the election in favor of a particular candidate), or at the extreme, effect regime change. Moreover, election interference is unlikely to be deployed alongside the use of force, which might point to a different constellation of motivations and expectations around its use.
A sign of a compelling book is its ability to open new avenues for research and to raise new questions for scholars to pursue. Maschmeyer’s book does exactly that. One rich line of inquiry would be to explore target state responses to subversion. In multiple places the book points tantalizingly to evidence of learning among the victims of subversion, particularly the cyber variant. Under what conditions do targets learn from subversive attacks? What are the implications for target hardening and a subverter’s ability to carry out similar attacks in the future? A major drawback of cyber warfare is that attackers have only one opportunity to deploy malware; once unleashed and in the wild, the exploit is revealed and the vulnerability hopefully patched. Should we expect similar learning in the case of the other modalities of subversion?
Another avenue of research that is focused on target state responses could examine the proposition that subversive operations are less likely to lead to retaliation or escalation on the part of the victim. While Maschmeyer argues that the failure of subversion to fulfill its promise sometimes forces the subverter to fall back on the use of force, as Russia did in 2022, the book has almost nothing to say about how target states will respond. The existence of the subversive trilemma implies that retaliation and escalation are greater risks than one might expect. A subverter who attempts to move faster is more likely to lose control over the operation, leading to unintended consequences. If those consequences provoke retaliation or escalation, the subverter may find itself worse off than if it had avoided subversion altogether.
That Maschmeyer’s book raises so many questions for future research is a testament to its contributions in bringing order and conceptual rigor to the study of subversion. It will be a valuable resource to any scholar or practitioner who seeks to make sense of conflict short of war in the twenty-first century.
Review by Josephine Wolff, Tufts University
In 1997, looking ahead to the coming decades in an essay enthusiastically titled “Cyberwar Is Coming!,” John Arquilla and David Ronfeldt predicted:
“It is possible to see in cyberwar an approach to conflict that allows for decisive campaigning without a succession of bloody battles.…In the best circumstances, wars may be won by striking at the strategic heart of an opponent’s cyber structures—his systems of knowledge, information, and communications” (44-45).[30]
In the years that followed, as we have seen more examples of cyber capabilities being used in the context of conflicts between states, several scholars have pushed back against the notion that the use of these capabilities constitutes something akin to war[31] or that states have been able to successfully and effectively marshal these capabilities.[32] Lennart Maschmeyer’s thoughtful and incisive book on how computer technology does—and does not—change the nature and effectiveness of state-subversion efforts is a welcome and original addition to this literature, extending our understanding of why cyber operations have not radically transformed or replaced warfare in the ways that Arquilla and Ronfeldt once imagined they might.
Maschmeyer focuses specifically on state-subversion efforts, or operations that entail “identifying vulnerabilities in systems of rules and practices as well as among the participants of such systems and developing means to use those vulnerabilities to gain access and manipulate the system” (21). Couched thus, in the language of exploiting vulnerabilities, it is easy to see the links between subversion and computer hacking, but Maschmeyer is interested in subversion as a tactic more broadly, and includes a lengthy case study on the use of “traditional subversion” (that is, subversion that relies on human agents rather than cyber capabilities) during the Prague Spring in the mid-twentieth century. As his second case, Maschmeyer takes Russia’s use of subversion in Ukraine beginning in 2014 and carrying through its military invasion in 2022, to understand how cyber-enabled subversion differs from earlier, less technically sophisticated methods.
Using these richly drawn cases, which are built on archival documents as well as extensive interviews, Maschmeyer argues that subversion is more useful to states in theory than in practice, and that, somewhat counterintuitively, computer technologies actually render subversion tactics less, rather than more, effective. At the heart of this argument is a “trilemma” that Maschmeyer proposes: a state conducting a subversion operation can optimize for only one or at most two of three necessary characteristics in the operation: speed, intensity, and control. Any subversion effort that is fast and has a major impact, such as a cyberattack like 2017’s NotPetya wiper malware released by Russia, will require the perpetrator to sacrifice a great deal of control. Similarly, subversion tactics that enable a great deal of control, such as Stuxnet, the malware used to sabotage Iranian uranium enrichment facilities, will require more time to develop and have less intense impacts on the target. In some ways, this trilemma makes intuitive sense for cyber operations. After all, being able to control a piece of malware is often understood as being able to determine at a granular level which machines it will either infect or execute itself on. Almost by definition, therefore, a cyber operation with a lot of control will be one which has a smaller impact because its deployment is restricted to a certain set of machines. And often, designing these control and delivery mechanisms to target malware at specific computers requires more time than simply letting malware loose to infect as many servers as possible.
But in Maschmeyer’s analysis, these trade-offs are not specific to cyber-enabled subversion, rather they derive from the very nature of subversion itself and the requirements that it be both “indirect” (i.e., involves subverting an adversary’s systems rather than directly attacking the adversary) and secret. “Exploiting and manipulating adversary systems while staying secret is difficult by itself. Doing so and producing strategically significant effects is exceptionally challenging,” Maschmeyer explains (12). Explaining this trilemma and how it plays out in his case studies is central to his first main argument, namely that subversion is not very useful to states, that it often fails to achieve the desired results, and that when it does governments then often decide to intervene militarily (as they did in both of the case studies in the book).
Perhaps more surprising—and certainly more unusual in the field—is his claim that computer technologies actually render subversion efforts less effective than earlier, traditional tactics. The kernel of this argument is that the greater scale that cyber operations can achieve “is a double-edged sword since greater scale of effects impacts risks of discovery and control loss … obscuring an ongoing compromise in a system requires constant efforts, and the greater its scale, the greater the risk of being found out tends to become” (53). This is an argument that, at least in theory, seems to go against widely accepted ideas about the ways in which cyber capabilities can shift the nature of state-on-state conflict and provide aggressors with the ability to infiltrate and exploit many more targets simultaneously, without needing to put themselves directly in harm’s way. For instance, Michael Warner argues that “with most if not all types of covert actions … the problem has always been one of scale” and that “cyberspace seems to have fixed covert action’s problem of scale.”[33] Richard Harknett and Max Smeets build on this idea, arguing that “what cyber means appear to enable is capacity to piece together more continuously and more seamlessly at significant speed and scope activities that vary in their emphasis.”[34]
But in Maschmeyer’s analysis, cyberspace doesn’t fix the problems of scale, scope, or speed, for subversive actions, rather it compounds the challenges of trying to execute fast, impactful, well controlled operations by exacerbating the trade-offs in his trilemma. What this means in practice becomes more apparent reading the Ukraine case study, where Maschmeyer compares several examples of cyber-enabled subversion (for instance, the 2015 and 2016 blackouts in Ukraine caused by malware) to what he deems to be more traditional forms of subversion, in this case a series of explosions at power pylons that connected Crimea to Ukraine and at an arms depot in Kalynivka. The latter events, he argues, are much more impactful than the former because “both the scope and scale of effects were much higher than in any cyber operations” and also much cheaper and easier for Russia to execute since they “required no more than a few people and no specialized skill” (143). Maschmeyer is persuasive in making the case that blowing up infrastructure is more effective, easier, and cheaper than programming malware to disable it. But his argument seems to rest less on the nature of cyberspace and how it exacerbates the trade-offs in his subversion trilemma and more on how closely the examples of traditional subversion he provides as the basis for this comparison seem to resemble warfare, even though Maschmeyer takes pains to point out that they occurred independent of diplomatic or military efforts. But he acknowledges that blowing up the power pylons in Crimea was a “borderline case of subversion” (142).
This analysis suggests a strong motivation for Russia’s leaders to abandon sophisticated cyber tactics and instead focus their efforts on quick and easy cyber intrusions as well as explosives, which, as Maschmeyer points out, is a lesson the Russian military appeared to learn, eventually, when the Russian cyberwarfare unit Sandworm “abandoned attempts to cause physical effects in favor of lower-intensity but larger-scale effects” (153). In this regard, the case study is an extremely compelling explanation for why Russia has deployed so little sophisticated malware targeting Ukrainian critical infrastructure in recent years. Maschmeyer does a masterful job of probing at the failings of Russian cyber operations and the motivations that guide them in reformulating their strategic use of both cyber and traditional operations in Ukraine.
Certainly, one comes away from the Ukraine case study with the strong sense that the easiest way to cause an extended blackout is to blow up an adversary’s power grid. It is also possible to imagine that using malware to cause a shorter more contained blackout could serve a somewhat different purpose, at least for an adversary less determined to maximize destruction. Maschmeyer considers the possibility that Russia’s malware is intended, at least in part, as a signal or threat to Ukraine or others, but largely dismisses this idea because the intent of the signal seems unclear and any intended threat appears to have been ineffective. Also, “Ukrainian media barely noticed” the 2015 malware-enabled blackout (141).
But for countries that are not looking to maximize the damage of their subversion efforts, such constraints and the associated lack of physical violence and destruction could conceivably be a feature, not a bug, of cyber operations. For instance, Maschmeyer deems Stuxnet’s “strategic value” to be “at best limited” because it only delayed Iran’s nuclear program, rather than shutting it down entirely (10). But might that not have been by design? After all, one of the reasons Arquilla and Ronfeldt added an exclamation point to “Cyberwar is Coming!” was precisely because they hoped that cyber operations might “allow victory to be achieved without the need to maximize the destruction of the enemy.”[35] Perhaps that was a naïve hope, and certainly Maschmeyer’s analysis of the war in Ukraine is a powerful reminder of how many of the predictions about the ways that cyber operations would alter conflict turned out to have been wrong. But he also hints, towards the end of the book, at an argument that seems to echo slightly the hopeful tone of Arquilla and Ronfeldt, writing that “rather than destabilizing world politics by enabling a new dimension of conflict, cyber operations offer a way to pursue goals without escalating to use of force” (214). There are limits to that stabilizing potential, he argues, due to the shortcomings of cyber-enabled subversion, but it would be interesting to understand better which goals he believes can be effectively pursued using cyber operations given the constraints he has identified.
In particular, Maschmeyer deems cyber-espionage to fall out of scope for this project, despite categorizing it as a form of subversion. But he acknowledges that “considering [cyber operations’] limitations in producing the active effects in the findings showed, intelligence collection may actually be their most effective use” (225-226). I found myself curious as to how he would apply his trilemma to the domain of cyber-espionage, where it is not always easy to measure intensity or impacts, and speed and control are perhaps less critical than in the cases that Maschmeyer examines since many cyber-espionage campaigns last for months, if not years, and appear to involve perpetrators casting a wide net with the intention of gathering as much information as possible and sifting through it later on. On the other hand, espionage also shares some characteristics with the operations aimed at active effects that Maschmeyer analyzes: for instance, the likelihood of discovery of espionage campaigns presumably increases with each additional target who is infiltrated, indicating a potential parallel trade-off between intensity and control.
Maschmeyer’s framing and analysis of subversion in general, and cyber-enabled subversion in particular, is a welcome and fascinating contribution to the literature on cyber conflict and its efficacy. In addition to the excellent cases he offers here, this book and the foundational framework it offers for understanding subversion will undoubtedly be a valuable lens through which to assess other types of cyber operations and understand the trade-offs inherent in their design for many years to come.
Response by Lennart Maschmeyer, Carleton University
This book took many years to complete and evolved considerably. It started with a PhD proposal arguing that cyber operations revolutionize power politics and conflict short of war. The more evidence I gathered and connected the dots, however, the less revolutionary cyber conflict appeared. Instead, I realized that I had been looking for answers in the wrong place. Finally, the book ended up at almost precisely the opposite place where it started—namely, showing that the more one looks behind the veil of new technology, the less revolutionary cyber conflict becomes. At the same time, its focus expanded beyond cyber conflict towards a general theory of subversion. As such, I hope it will be useful not only for scholars of cyber conflict, but also for the wider fields of security and intelligence studies.
For the same reason, the prospect of having it picked apart in this roundtable by scholars from those different fields was both exhilarating and daunting. First off, I would like to thank Rebecca Slayton for organizing the roundtable, for gathering such a high caliber group of scholars, and for introducing the book. I am very grateful to these scholars, namely Richard Harknett, Melissa Lee, and Josephine Wolff, for their thorough reviews and insightful suggestions. Their reviews reflect a deep engagement with the book that helps chisel out its contributions vis-à-vis its limitations. Meanwhile, their suggestions have inspired me to think about fascinating new directions in future research, foremost the importance of examining long-term interactions between aggressors and victims. When writing this manuscript I had three main goals: developing a theory of subversion as an instrument of power, establishing the subversive nature of cyber operations, and explaining why technological change has not led to revolutionary change in interstate conflict. The reviews show that the book mostly accomplished these goals, which is immensely gratifying. But the reviewers also highlight important limitations and open questions. Below I address them in detail and consider the implications for future work.
Josephine Wolff’s thoughtful review raises two main questions. First, she points out that the types of goals that cyber operations can achieve short of war, given their limitations, remain unclear. The book focuses on their strategic role and limited strategic value. Specifying the strategic value cyber operations can achieve in the pursuit of which goals under what conditions is, of course, an important next step. The general conclusion I highlight in the book and, in more detail, in an article, is that cyber operations are probably best suited for diffuse erosion campaigns pursuing marginal relative gains over longer periods of time.[36] However, they may also contribute towards more specific goals such as attaining tactical advantages on the battlefield, or strategically disrupting specific parts of an adversary’s infrastructure to facilitate diplomatic or military outcomes. The book develops an argument around enabling conditions that increase the likelihood of subversive success. Combining this analysis with different types of strategic goals (or operational/tactical objectives) will clarify the strategic value of cyber operations. I am grateful for this suggestion for future research.
Second, Wolff asks how the trilemma would apply to (cyber) espionage operations, especially given that intensity or impact of espionage is of a different kind than active-effects operations. This point is especially relevant since the book’s findings suggest that cyber espionage may offer the greatest returns on investment compared to active-effects operations. I have thought about this as well, and an earlier draft of the book that included espionage conceived of intensity in espionage in terms of the sensitivity of information collected as well as its scale (i.e. the amount of data or information). In general, the concept of the trilemma applies to espionage operations as well if adapted along these lines. The strategic impact, of course, depends on what an actor does with the intelligence that is collected this way; as previous research has shown, translating massive espionage to tangible strategic advantages is far harder than is commonly assumed.[37] In any case, I agree that this is an important question that I plan to examine in future work.
Melissa Lee, on the other hand, questioned the theory’s generalizability beyond Russia given that state’s reckless and daring subversive tradecraft, which sometimes leads to botched operations resembling a “clown show.” Consequently, China might be able to overcome the trilemma thanks to its superior economy, talent pool, and bureaucracy. This is a valid point, and a natural limitation of the small-n, qualitative approach I took. Since publishing the book, I have been thinking about this more as well. On the question of whether China may overcome the trilemma, it is important to consider that this is a theory not about absolute limitations, but about relative trade-offs at a given set of circumstances, such as the level of resource endowments or organizational capacity. Given the advantages Lee outlines, China might start at a different baseline, meaning that the speed, intensity, and control over its operations will be relatively greater than for Russian operations. Nonetheless, Chinese operators would face the same types of trade-offs between these variables because they are baked into the mechanism of action itself.
Consequently, while Chinese-sponsored operations may be more carefully run, harder to detect, and larger in scale, they still face the inherent risk of premature discovery, failure, and unintended consequences. These risks in turn limit their effectiveness for the pursuit of strategically vital goals compared to other available means, as in the example of US-China competition discussed further below. Accordingly, signs of the same types of constraints are evident even in operations sponsored by the US, which is the world’s most advanced cyber power. The Stuxnet virus, deployed to sabotage Iran’s nuclear program between 2009 and 2010, illustrates this well. It caused a highly intense effect, physical damage, to a highly sensitive target. Consequently, it took extensive preparations—likely up to five years.[38] And yet, despite all these efforts, it ultimately spread out of control, leading to its premature discovery, which limited the duration of its disruptive impact.[39] Anecdotal evidence thus indicates that the trilemma applies across the field, but systematic evidence is still lacking. Gathering that evidence and testing whether the theory holds beyond Russia is one of my key goals going ahead.
Finally, Lee poses a fascinating question that is raised by the book’s discussion of Ukraine’s growing resilience to cyber warfare as persistent Russian attacks have “trained” its defenders to be more effective and to target country responses to subversion. The book focuses primarily on the actions by the subverter and their individual and cumulative impact. Yet as the Ukraine case shows, the indirect nature of subversion means there is a continuing interaction with the victim. Examining the conditions under which it succeeds or fails, and when the victim correspondingly gets weakened or strengthened, is a question I have started to address in ongoing research as well. One project I am engaged in examines how and why exposure to cyber operations seems to cause significant psychological effects even if the operations themselves produce little tangible impact. Lee’s point, combined with Richard Harknett’s similar suggestion on the “multidirectionality” of cyber conflict, has further motivated me to analyze these interactions between sponsors and victims over time. Evidently, the relation between the cumulative effects of long-term subversion and the resulting societal erosion is not as straightforward as it might seem. In some circumstances, the Ukraine case suggests, it may have the opposite effect: building resilience. Examining the relevant conditions and long-term interaction between subverters and victims is a fascinating new research direction these reviews have pointed me towards, for which I am very grateful.
This point leads to Richard Harknett’s detailed feedback, which raises new questions for the theory and helped sharpen its contours. Harknett offers three main lines of criticism: the scope of the theory, the scope of its claims, and the impact of change. His primary critique is that applying the theory of subversion to cyber conflict overextends it. The reason, Harknett argues, is too-narrow a definition of cyber operations (as active interference in adversary affairs to the detriment of the victim). If the definition is too narrow, however, it is not clear where the overextension is. The book is upfront about its focus on active effects cyber operations, which are often termed “offensive cyber operations” (10).
These are not the only type of cyber operations, but they do form the core of cyber conflict. Accordingly, prevailing expectations about a transformation in conflict are mostly based on the novel opportunities for projecting power that these operations enable. One of the book’s main contributions is placing this space of competition within its historical and strategic context. It shows that cyber operations are not unique or sui generis phenomena, as often assumed, but a manifestation of subversion—a phenomenon that has long been part of power politics. In short, the book clearly defines its scope conditions, and the predictions generated from the theory as well as the empirical analysis are well within these scope conditions.
Conversely, addressing the additional topics Harknett suggests would overextend the theory. There are, without doubt, additional types of cyber operations that pursue a wider set of goals. The foremost is espionage, but also state-sponsored crime (the North Korea example), or counterintelligence (his “Hunt Forward” examples). The existence of additional types of operations does not contradict the core of the theory: namely that exploiting computer systems to manipulate them towards producing unintended outcomes means subverting them, and that this mechanism involves a set of inherent trade-offs. Accordingly, Harknett is right in arguing that not all cyber operations pursue subversive objectives. Yet the theory is about the mechanism, not the objectives. The objective of an operation is irrelevant for these trade-offs to apply. Whether it aims to sabotage military capabilities or display a warning to a hacker, so long as the operation produces that effect by exploiting and manipulating computer systems, its mechanism of action is subversion, with all of the benefits and pitfalls involved.
In this context, Harknett’s example of the US Cyber Command operation against the Internet Research Agency is illustrative. The operation signaled US presence in the adversary network with the implication of being able to disrupt the latter in order to coerce the target. To achieve that effect, it had to blow its cover—but, as Harknett underlines, the exploitation of the target system was secret. That is the crux, namely that a clandestine approach was necessary to get to the point where an effect can be produced. This need for secrecy produces the constraints of the trilemma, even if actors may choose to go public afterwards. The book discusses these changes in secrecy requirements over the lifecycle of an operation in detail (52).
Consequently, by focusing on the core mechanism of projecting power in cyber conflict, the book offers a theory of cyber power and its limits in the context of interstate conflict and competition. The latter are zero-sum games where one side’s gain is the other side’s loss, hence the focus on detrimental outcomes. Harknett is right that some operations may not have the immediate objective of harming their victim, but rather seek opportunities or enhance other elements of national power. In other words, cyber operations are a means to a larger end: to gain an advantage over the adversary, which is to one’s gain and to the adversary’s detriment.
Nonetheless, Harknett is right that the theory and evidence do not discuss some types of cyber operations, such as active defense. That is true, but the book is clear about its scope. I chose parsimony over completeness in order to explain the role and limits of offensive cyber operations as well as possible, rather than describing all facets of conflict at a more general level. The theory then produces a clear set of falsifiable predictions to test against alternate explanations, which hold up well against the extensive evidence from Ukraine. Harknett correctly identifies one key alternate explanation for why the strategic impact of Russian cyber warfare against Ukraine has been so limited: Ukraine’s resilience and its causes. As discussed already, however, the book does engage with this explanation—concluding that the most tangible cumulative effect of Russian cyber aggression may have been the “training” of Ukrainian defenders and thus improving the country’s resilience (205). Still, examining these interactions between sponsors and victims is a fascinating topic and I am grateful for the additional push to move in this direction.
The second line of criticism in Harknett’s review concerns the scope of claims, focusing specifically on the strategic limitations of cyber operations. The book outlines five distinct subversive effects, and argues cyber operations can only independently reproduce three, limiting their strategic scope. In contrast, Harknett suggests that the scale advantage of cyber operations within these three effect types may outweigh their overall limited scope. I agree that is possible. Accordingly, I have tested it not only in the book itself, but also in an extensive study of the effectiveness of social media disinformation campaigns compared to traditional media.[40] Importantly, the current state of evidence on the impact (vis-à-vis the objectives) of cyber-enabled subversion does not support that conclusion. In some special cases, such as North Korea’s cybercrime sprees, there is clear evidence of an advantage. Yet in many other operations, such as those examined in the book, there is not. In short, the question requires more empirical work.
Similarly, Harknett contends that cyber operations in combination with influence operations can produce regime change in democratic societies by altering electoral outcomes. While influence operations fall outside the scope of the book, I agree that this is possible in theory. The findings of my research on the efficacy of social media influence operations vis-à-vis those pushed via traditional media challenge this conclusion, however. They also align with a growing body of evidence demonstrating the limited effectiveness of social media influence operations.[41] Meanwhile, the book conceives of regime change in the wider sense, namely operations and campaigns that target both democratic and authoritarian regimes with the goal of overthrowing them either via internal or external coups. Those typically require a physical interaction, hence cyber operations alone would not cut it.
Finally, Harknett’s challenge concerning the role of control is intriguing. Rather than a means to an end, which is a requirement to produce an effect in a cyber operation as in my theory, Harknett suggests that control itself may be the end of cyber competition. In this view, actors are grappling over control, and the costs of losing control over individual systems and associated systems are worth the benefit of an overall advantage in this competition for control. Consequently, Harknett suggests, actors may burn through exploits with abandon. Yet this begs the question of what political outcome the actors involved aim to achieve with this control. If it is control for control’s sake, we would have the cyber equivalent of Hermann Hesse’s “Glass Bead Game,” a competition of exquisite complexity pursued by an exalted elite that is isolated from the rest of society and without any real-world impact.[42] Clearly that is not the case envisioned in Harknett’s review.
Hence, it is crucial to consider the scenarios in which control over adversary systems would be a useful end in itself. The most obvious answer is rival states which expect eventual confrontation, such as the US and China today. In this scenario, control over adversary networks provides opportunities to manipulate them if escalation happens and to gain an advantage. Even if individual operations fail and are discovered, burning the costs of exploitation, they are offset by these expected future gains enabled by the larger campaign.
These future gains, on the other hand, lead right back to the trade-offs of the trilemma. The greater the potential gains, the more challenging exploitation will tend to be. While some actors do burn through exploits, not all exploits are created equal. Some exploits in outdated and badly coded software are easy to find and sometimes cheap as dirt. Exploits in some popular software, on the other hand, are extremely challenging to discover, correspondingly scarce, and fetch as much as 8 million US on the black market.[43] In short, actor behavior may vary, but will invariably face trade-offs between intensity, speed, and control. The more intense the effect pursued, the rarer the exploit will tend to be, and the more challenging techniques for manipulation are likely to be.
Meanwhile, as Harknett underlines, adversary intrusions are discovered all the time. That also means, however, that if maintaining control over adversary systems is integral to an actor’s attainment of important strategic goals, not only the costs, but also the risks involved will tend to be very high. Consider the US-China example. Recent reporting shows that China had exploited vulnerabilities in US critical infrastructure for pre-positioning in an eventual confrontation.[44] Those vulnerabilities will now be gone, and its access lost. Perhaps China can regain control in some systems through other means. Yet these recent discoveries underline the risks of pinning strategically important goals to this control. The lower an actor wants the risk of control loss to be, especially in a decisive moment such as a military confrontation, the more resources (such as time) it will need to expend in order to rely on this capability with reasonable confidence. In some scenarios, these costs will likely outweigh the expected benefits. These trade-offs then link back to the core argument of the book, namely the need to look beyond technological properties and the opportunities they afford towards cyber operations as one among many means of achieving strategic goals. They have both advantages and disadvantages compared to the alternatives. Whether cyber operations are the most effective means to achieve a given goal varies depending on the latter’s scope and importance.
The final challenge of Harknett’s review concerns the impact of learning and technological change. As he highlights, increasing automation in policy and the overall spread of Information Communication Technologies expand the attack surface for cyber operations. Meanwhile, actors learn and improve their performance. These are both valid points. As already alluded to above, however, the trilemma is not about absolute limitations but rather relative tradeoffs under the same circumstances. Hence, learning across time shifts the baseline of the trilemma in terms of what level of speed, intensity, and control is achievable by an actor at a given moment. Defenders of course learn as well, which negates some or sometimes all of these advantages. Russian hacking groups have greatly increased the frequency and speed of their disruptive operations against Ukraine. Yet, as chapter five shows, Russian cyber operations since the full-scale invasion have not achieved corresponding increases in intensity and strategic impact. Similarly, Russia’s 2023 power-grid sabotage operation that Harknett raises built on years of preparation and it is uncertain whether it actually caused an outage because its effect was minuscule compared to the damage caused by missile barrages.[45]
The same applies to technological change, which I address in the book’s conclusion. Ongoing digitalization continues to expand the scope and scale of the effects that cyber operations can produce. I was surprised that none of the reviewers highlights a key disruptive development in this context: the rise of (generative) AI. Among all expected changes, this innovation has the greatest potential impact on cyber conflict by enabling the automation of exploitation. Looking ahead, it might also bring us ubiquitous autonomous weapons systems that could be targeted by hostile cyber operations. Still, such operations will not be without tradeoffs. Even in a future world of ubiquitous AI and embedded systems, cyber operations will probably offer a wealth of strategic gains in theory but will not always deliver in practice. Identifying the trade-offs involved and the strategic implications is crucial to separate possible from probable outcomes and the consequences for conflict and competition. Two of my current research projects examine how ongoing and future innovation in AI and Automation may or may not change the nature of cyber conflict and conflict at large.
To conclude, these reviews confirm the strength of the book’s theory and findings but also identify important open questions that deserve further study. I am grateful for these suggestions and the new research direction they open. Subversion is not only here to stay, but poised to grow in importance as geopolitical competition heats up. In this context, the suggestion to examine aggressor-victim interactions in particular opens a promising new research area. Meanwhile, the findings of this book also offer reasons for confidence in the face of rising autocratic aggression. Throughout the Cold War, liberal democracy has been more resilient against subversive threats than many expected. Liberal democracy can again prevail despite new technological opportunities if its leaders focus on the strengths of this system, and emphasize the shortcomings of authoritarian regimes as well as of their subversive efforts. Vigilance is necessary, of course. However, it is important to consider that overvaluing the effectiveness of adversary campaigns risks playing into their hands by creating the perception of strength. This perception may be sufficient to erode confidence and cohesion in democratic systems even if the subversive efforts alone fall short of causing tangible impacts. As Ukraine’s example shows us, calling out the failures and shortcomings of adversary campaigns offers a simple yet effective counterstrategy.
[1] John Arquilla and David Ronfeldt, “Cyberwar is Coming!” Comparative Strategy 12:2 (1993):141-165.
[2] A full review of this literature is beyond the scope of this forum, but for reviews, see David A. Baldwin, Power and International Relations: A Conceptual Approach (Princeton University Press, 2016); Steven Lukes, Power: A Radical View, 2nd ed. (Palgrave MacMillan, 2004). See also Hans J. Morgenthau, Politics Among Nations: The Struggle for Power and Peace (Knopf, 1948); Robert A. Dahl, “The Concept of Power,” Behavioral Science 2:3 (1957): 201-215; Susan Strange, States and Markets (Pinter, 1988); Joseph S. Nye, Jr., “Soft Power,” Foreign Policy 80 (Autumn 1990): 153-171.
[3] Michael Fischerkeller, Emily Goldman, and Richard Harknett, Cyber Persistence: Redefining National Security in Cyberspace (Oxford University Press, 2022); Fischerkeller, Goldman, Harknett, “Persistent Engagement in Cyberspace is a Strategic Imperative,” The National Interest (July 6, 2022): https://nationalinterest.org/blog/techland-when-great-power-competition-meets-digital-world/persistent-engagement-cyberspace.
[4] Harknett and Max Smeets, “Cyber Campaigns and Strategic Outcomes: The Other Means,” Journal of Strategic Studies (Spring 2020):1-34.
[5] Harknett and Fischerkeller, “The Strategic Nature of the Digital Age,” The Brown Journal of World Affairs (Fall/Winter 2023): 7-21.
[6] Mark Grzegorzewski, “Book Review: Cyber Persistence Theory,” Cyber Defense Review 8:3 (Fall 2023): 161-166.
[7] Fischerkeller and Harknett, “Cyber Persistence, the Intelligence Contest and Strategic Outcomes,” in Robert Chesney and Max Smeets, eds., Deter, Disrupt, Deceive: Assessing Cyber Conflict as an Intelligence Contest (Georgetown University Press, 2023): 109-133.
[8] Harknett, “America’s Allies are Shifting: Cyberspace is about Persistence, Not Deterrence,” Cyberscoop (October 2, 2024). https://cyberscoop.com/cybersecurity-deterrence-persistence-richard-harknett-dod-strategy/.
[9] Michael Warner, “The Character of Strategic Cyberspace Competition and the Role of Ideology,” in Chesney and Smeets, eds., Deter, Disrupt, Deceive: 43-59.
[10] Ben Buchanan, The Hacker and the State (Harvard University Press, 2020); Max Smeets, Ransom War (Oxford University Press, 2025).
[11] White House, US National Cybersecurity Strategy (March 2023); US Department of Justice, “Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers,” Press Release (September 18, 2024).
[12] Fischerkeller, Goldman, and Harknett, “Cyber Persistence Theory in the Russo-Ukrainian War,” A Book Binder Essay, Binding Hook (November 7, 2023): https://bindinghook.com/articles-book-binder/cyber-persistence-theory-in-the-russo-ukrainian-war/.
[13] Fischerkeller, Goldman, and Harknett, “Cyber Persistence Theory,” 65-68.
[14] Jelena Vicic and Gregory Winger, “What the Defense Department’s Cyber Strategy Says About Cyber Conflict,” Lawfare (October 19, 2023). https://www.lawfaremedia.org/article/what-the-defense-department-s-cyber-strategy-says-about-cyber-conflict.
[15] Virpratap Singh, “Anticipating Trump’s Influence on Cyber Command,” IISS (December 13, 2024), https://www.iiss.org/cyber-power-matrix/anticipating-trumps-influence-on-us-cyber-command/; Ben Buchanan, “What to Make of Cyber Command’s Operation Against the Internet Research Agency,” Lawfare (February 28, 2019), https://www.lawfaremedia.org/article/what-make-cyber-commands-operation-against-internet-research-agency.
[16] Harknett, Fischerkeller, and Goldman, “UK National Cyber Force, Responsible Cyber Power and Cyber Persistence Theory,” Lawfare (April 4, 2023). https://www.lawfareblog.com/uk-national-cyber-force-responsible-cyber-power-and-cyber-persistence-theory.
[17] Fischerkeller, Goldman, and Harknett, “Cyber Persistence Theory,” 58-86; Numerous official government cyber strategies published in 2023 rest on this assumption, including White House, National Cybersecurity Strategy (March 2023), United Kingdom, Responsible Cyber Power in Practice (March 2023), and The Netherlands Ministry of Foreign Affairs, International Cyber Strategy (October 2023); Christian Vasquez, “FBI has conducted more than 30 disruption operations in 2024,” Cyberscoop (October 30, 2024). https://cyberscoop.com/fbi-ransomware-disruption-infrastructure-cybertalks/
[18] Martin Korte, “The Impact of the Digital Revolution on Human Brain and Behavior: Where Do We Stand?” Dialogues in Clinical Neuroscience 22:2 (2020): 101-111.
[19] Jelena Vicic and Harknett, “Identification-Imitation-Amplification: Understanding Divisive Influence Campaigns through Cyberspace,” Intelligence and National Security (Winter 2024): 1-18.
[20] “When the Internet is not the Internet,” Internet Society (December 1, 2023). https://www.internetsociety.org/resources/internet-fragmentation/the-chinese-firewall/; Stephen Feldstein, “Government Internet Shutdowns Are Changing. How Should Citizens and Democracies Respond,” Carnegie Endowment for International Peace (March 2022): 1-56.
[21] Fischerkeller, Goldman, and Harknett, “Cyber Persistence Theory,” 1-8; Harknett, “America’s Allies Are Shifting.”
[22] Michael Warner, “The Character of Cyber Conflict,” Texas National Security Review (September 17, 2020): https://tnsr.org/roundtable/policy-roundtable-cyber-conflict-as-an-intelligence-contest/; Harknett and Fischerkeller, “Initiative Persistence as the Central Approach for US Cyber Strategy,” Kybernao 1 (July 2021): 1-29.
[23] Dan Black, “Russia ushers in a new era of cyber-physical attack,” Binding Hook (November 14, 2023): https://bindinghook.com/articles-hooked-on-trends/russia-ushers-in-a-new-era-of-cyber-physical-attack/; Fischerkeller, Goldman, and Harknett, “Cyber Persistence Theory in the Russo-Ukrainian War.”
[24] Vitaly Shevchenko, “‘Little Green Men’ or ‘Russian Invaders’?” The BBC, 11 March 2014, https://www.bbc.com/news/world-europe-26532154.
[25] The Economist, “What is Hybrid War, and is Russia Waging it in Ukraine?” The Economist 22 February 2022, https://www.economist.com/the-economist-explains/2022/02/22/what-is-hybrid-war-and-is-russia-waging-it-in-ukraine; Arsalan Bilal, “Hybrid Warfare – New Threats, Complexity, and “Trust” as the Antidote,” NATO Review, 30 November 2021, https://www.chathamhouse.org/2020/12/countering-threats-below-threshold-war; Barnett S. Koven, “Responding to Gray Zone Conflict: Countering Russia in Donbas and Beyond,” Small Wars Journal, 7 June 2021, https://smallwarsjournal.com/jrnl/art/responding-gray-zone-conflict-countering-russia-donbas-and-beyond; Melissa M. Lee, Crippling Leviathan: How Foreign Subversion Weakens the State (Cornell University Press, 2020).
[26] NATO, “Countering Hybrid Threats,” https://www.nato.int/cps/en/natohq/topics_156338.htm; Sam Jones, “Ukraine: Russia’s New Art of War,” The Financial Times, 28 August 2014, https://www.ft.com/content/ea5e82fa-2e0c-11e4-b760-00144feabdc0.
[27] Dov H. Levin, Meddling in the Ballot Box: The Causes and Effects of Partisan Electoral Interventions (Oxford University Press, 2020); Lindsey A. O’Rourke, Covert Regime Change: America’s Secret Cold War, Cornell Studies in Security Affairs (Cornell University Press, 2018); Jon R. Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22:3 (2013): 365-404. DOI: https://doi.org/10.1080/09636412.2013.816122.
[28] Lee, Crippling Leviathan.
[29] Gregory Eady, Tom Pashkalis, Jan Zilinsky, Richard Bonneau, Jonathan Nagler, and Joshua A. Tucker, “Exposure to the Russian Internet Research Agency Foreign Influence Campaign on Twitter in the 2016 US Election and its Relationship to Attitudes and Voting Behavior,” Nature Communications 14:62 (2023). DOI: https://doi.org/10.1038/s41467-022-35576-9; Andrew M. Guess, Dominique Lockett, Benjamin Lyons, Jacob M. Montgomery, Brendan Nyhan, Jason Reifler, “‘Fake News’ May Have Limited Effects Beyond Increasing Beliefs in False Claims,” The Harvard Kennedy School (HKS) Misinformation Review (January 2020), https://misinforeview.hks.harvard.edu/article/fake-news-limited-effects-on-political-participation/.
[30] John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” in Arquilla and Ronfeldt, eds., Athena’s Camp: Preparing for Conflict in the Information Age. (RAND Corporation, 1997), 44-45; https://www.rand.org/pubs/monograph_reports/MR880.html.
[31] Thomas Rid, Cyber War Will Not Take Place (Oxford University Press, 2013).
[32] Max Smeets, No Shortcuts: Why States Struggle to Develop a Military Cyber-Force (Oxford University Press, 2022).
[33] Michael Warner, “A Matter of Trust: Covert Action Reconsidered,” Studies in Intelligence 63: 4 (2019): 33-41; 38.
[34] Richard J. Harknett and Max Smeets, “Cyber Campaigns and Strategic Outcomes,” Journal of Strategic Studies 45: 4 (2022): 534-567, here 542–43.
[35] Arquilla and Ronfeldt, “Cyberwar Is Coming!”
[36] Lennart Maschmeyer, “A New and Better Quiet Option? Strategies of Subversion and Cyber Conflict,” Journal of Strategic Studies 46:3 (16 April, 2023): 570–94, https://doi.org/10.1080/01402390.2022.2104253.
[37] Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron, eds., China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain (Oxford University Press, 2015); Andrea Gilli and Mauro Gilli, “Why China Has Not Caught Up Yet: Military-Technological Superiority and the Limits of Imitation, Reverse Engineering, and Cyber Espionage,” International Security 43:3 (1 February, 2019): 141–89, https://doi.org/10.1162/isec_a_00337.
[38] Geoff McDonald et al., “Stuxnet 0.5: The Missing Link” (Symantec, 26 February, 2013), https://web.archive.org/web/20150112172930/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf.
[39] Nate Anderson, “Confirmed: US and Israel Created Stuxnet, Lost Control of It,” Ars Technica, 1 June, 2012, http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/.
[40] Lennart Maschmeyer et al., “Donetsk Don’t Tell–‘Hybrid War’ in Ukraine and the Limits of Social Media Influence Operations,” Journal of Information Technology & Politics 22:1 (2025): 49-65, https://doi.org/10.1080/19331681.2023.2211969.
[41] Ceren Budak et al., “Misunderstanding the Harms of Online Misinformation,” Nature 630: 8015 (June 2024): 45–53, https://doi.org/10.1038/s41586-024-07417-w.
[42] Hermann Hesse, The Glass Bead Game: Magister Ludi, trans. Richard Winston and Clara Winston, Vintage Classics (Vintage Books, 2000).
[43] Ryan Morrison, “Apple Zero Day Vulnerability for Sale with €8m Price Tag,” Tech Monitor (blog), 25 August, 2022, https://www.techmonitor.ai/technology/cybersecurity/apple-zero-day-vulnerability-android.
[44] FBI, “Wray: Chinese Government Poses ‘Broad and Unrelenting’ Threat to U.S. Critical Infrastructure,” Story, Federal Bureau of Investigation, 18 April, 2024, https://www.fbi.gov/news/stories/chinese-government-poses-broad-and-unrelenting-threat-to-u-s-critical-infrastructure-fbi-director-says.
[45] Lennart Maschmeyer, “Cyber Conflict and Subversion in the Russia-Ukraine War,” Lawfare (blog), 11 June, 2024, https://www.lawfaremedia.org/article/cyber-conflict-in-the-russia-ukraine-war.