Intelligence Wars: Sabotage in the Shadows of Conflict

Sabotage has suddenly gained a high profile in international dialogue about conflict. This occurs most obviously in the context of an evolving “gray zone conflict” with Russia linked to sabotage in European States (see here, here, and here). However, sabotage is also an integral part of hostilities more often assessed through a Large Scale Conventional Operations (LSCO) lens, as demonstrated in: Operation Spider’s Web, the Ukrainian drone attack on Russian strategic bombers; resistance group attacks on railways (see here) and airfields in Russia (see here); and Israel’s Operation Rising Lion carried out against Iran’s air defences, leadership, and nuclear capacity.

While sabotage is part of armed conflict, a particular challenge arises because it has not been comprehensively defined or subjected to significant legal analysis. Sabotage is part of the legal ambiguity existing for contemporary intelligence wars (see here and here). A recent Royal United Servies Institute analysis of Russian activities recommends the adoption of “a shared operational definition of sabotage across EU and NATO states that captures both physical and symbolic acts, including arson, parcel bombs, reconnaissance, couriering and politically motivated vandalism.”

This post assesses sabotage in terms of existing definitional deficiencies, its historical background, the wide scope of such activity, issues of accountability for such action, and ends with a proposed legal definition applicable during armed conflict.

Definitional Ambiguity

Sabotage has not completely escaped definitional scrutiny as can be seen in John Tramazzo’s very helpful 2023 Articles of War post, Sabotage and Law: Meaning and Misunderstanding, in which he indicated it “should be understood to mean clandestine, hostile acts, typically (but not exclusively) performed behind enemy lines and with the intent to harm the enemy’s war effort.” What remains to be discussed is the full range of actions that might fall within such a broad definition, and what limits there may be in using such terminology.

A particular definitional challenge is that in treaty terms sabotage is only referred to in Articles 5 and 68 of Geneva Convention IV on Civilians (GC IV). As the 1958 Pictet Commentary on GC IV noted, compared to spies, “Sabotage is harder to define, as no definition of it is given in any text in international law” (p. 57). References to sabotage and saboteurs in various International Committee of the Red Cross (ICRC) commentaries and military manuals have focused on causing damage and destruction. As the most recent 2025 ICRC GC IV Commentary indicates, “Saboteurs are generally understood to be persons who are acting clandestinely or under false pretences behind enemy lines to commit acts of destruction or damage against objects and materiel belonging to the enemy” (para. 1106).

A focus on physical destruction can also be seen in military manuals such as the Canadian manual entitled Law of Armed Conflict at the Tactical and Operational Level, which states, “Sabotage consists of acts of destruction committed by persons operating behind the lines of an adverse party. … Saboteurs are persons operating behind the lines of an adverse party to commit acts of destruction” (§ 610.1).

In contrast, dictionary definitions indicate sabotage has a much broader scope, with the Cambridge English Dictionary extending it to preventing the success of a plan or action, such as by sabotaging a ceasefire. Similarly, the Oxford English Dictionary includes disrupting “the economic or military resources of an enemy,” while the Merriam-Webster Dictionary states it involves “the destructive or obstructive action carried on by a civilian or enemy agent to hinder a nation’s war effort.”

Hints of such a broader application are found in GC IV and the ICRC commentaries, although the GC IV Commentary to Article 68 might be interpreted  to be more restrictive. Article 68 states that an occupier may “impose the death penalty on a protected person only in cases where the person is guilty of espionage, of serious acts of sabotage against the military installations of the occupying power or of intentional offences which have caused the death of one or more persons.” The 2025 GC IV Commentary indicates, “The destruction of an air base or a line of communication of strategic importance constitutes a serious act of sabotage” and that seriousness was referred to “in light of the tendency of belligerents to interpret ‘sabotage’ very broadly” (para. 3862).

Confusingly it goes on to state “individual acts, such as work stoppage or refusal to obey orders while carrying out an imposed task, cannot be punished as acts of sabotage, despite any damage they may cause.” This ICRC reference to sabotage in a general context is inconsistent with the limited scope of Article 68, which only addresses the imposition of the death penalty for serious acts of sabotage against military installations. It does not refer to sabotage against non-military assets or less serious acts. As will be discussed, sabotage has historically encompassed a substantially wider range of action. Such acts remain a significant threat to an occupying power. Further, Article 64 of GC IV specifically provides that existing penal laws of the occupied territory continue in force unless repealed or suspended by the occupying power. The penal laws of many jurisdictions criminalize such lesser acts as sabotage. Those laws could be relied on by the occupying authorities to address the threat.

In addition, the 2020 GC III Commentary concerning prisoners of war states that, in addition to causing damage and destruction, sabotage includes “killing and kidnapping of the enemy” (para. 990). This raises questions of whether such action must be connected to the destruction or damage of property or can be the sole purpose of the operation. Is sabotage so broad that it includes what is now commonly referred to as “targeted killing”?

Historical Background: More Than Destruction and Damage

As John Tramazzo highlights, sabotage was historically associated with industrial disputes where workers acted to attain “improved working conditions and increased wages.” Sabotage has been called “malicious mischief” and as noted in the Foreword to the Second World War era Special Operations Executive (SOE) Group B Sabotage Training Handbook sabotage was used to “describe poor quality work undertaken by unskilled labourers and people who deliberately destroyed property or obstructed the normal operations of machinery.” In a domestic industrial context, sabotage included more than destruction, extending to various forms of obstruction. This approach is consistent with both the dictionary definitions of the sabotage and the offence of sabotage under domestic law of various States. For example, see the Canadian Criminal Code, § 52; the United States Code, 18 U.S. Code Chap. 105, Part I, §§ 2151-2156; and United Kingdom National Security Act, § 12 for various references to impairing, impeding, interference, obstruction etc., in addition to causing physical damage.

That sabotage during conflict includes far more than damage or destruction is evident in how it was referred to during the Second World War, immediately before its inclusion in the 1949 GC IV. The British SOE and the American Organization of Strategic Services (OSS) were established specifically to conduct and facilitate sabotage. It was divided into two categories: active sabotage involving damage and destruction to enemy infrastructure and material; and its simple or passive counterpart that focused on more obstructive activity. This was evident in various Second World War doctrine manuals, such as: the OSS Simple Sabotage Manual and Special Operations Field Manual; the SOE Group B Sabotage Training Handbook, and How to Become a Spy used at Canada’s Camp X; and other books reflecting such practice (e.g. see Ferdinand Otto Miksche’s 1950, Secret Forces, and H. Von Dach’s 1965, Total Resistance: Swiss Army Guide to Guerrilla Warfare and Underground Operations).

Passive or simple sabotage could involve non-cooperative civilians in occupied territory, working slower, misdirecting material, re-directing convoy and rail traffic, delaying deliveries, and neglecting maintenance on equipment. It could also involve actions resembling peacetime labour disputes. These more passive acts were preferred, in part because occupying authorities could potentially retaliate should the saboteurs undertake more active, and thus more destructive, sabotage. Perhaps one of the most famous examples of such low-level sabotage was the alteration of road signs, re-direction of units, and acts otherwise creating panic carried out by Otto Skorzeny’s German troops. Clad in American uniforms, these troops successfully infiltrate behind enemy lines during the 1944 Battle of the Bulge.

Second World War sabotage doctrine also extended to attacks on “key personnel, staffs, sentries, outposts, bridge and other guards,” the “liquidation or physical harassment of political and administrative leaders,” and “physical attacks on collaborationists” (OSS Special Operations Field Manual, paras. 31(a) and (c) at p.13). The 1942 British SOE operation to kill SS General Reinhard Heydrich, and the 1944 sinking of a rail ferry by Norwegian saboteurs that killed four Germans and 14 Norwegians are two examples of such action, showing that sabotage covered an exceptionally broad range of activity at the time it was incorporated into GC IV.

The Scope of Sabotage

Within the term sabotage then, what limits exist? A recent analysis suggests that being faced with “the somewhat murky and contentious term Russian hybrid operations” means sabotage “is best used in the traditional sense: to refer to attacks or incidents that cause physical damage to, or the destruction of military (and, increasingly, civil) infrastructure and equipment.” In this regard, “calling out physical sabotage—separate from propaganda, cyber-attacks and other “gray zone” activities—would help draw a line in the sand and mitigate effective sabotage.” Although closer to the ICRC interpretation, this approach does not account for sabotage having traditionally encompassed action that is significantly broader in scope. Any meaningful definition of sabotage must refer to targeting resources, production, personnel, materiel, infrastructure, systems or information not only belonging to enemy forces, but also used to support the war effort, as well as encompass action that does not result in damage or destruction.

In a contemporary context, cyber induced sabotage must be considered. Just as the internet and the use of social media has drastically changed how spies are recruited, so have cyber operations significantly affected sabotage. This was clearly demonstrated in the Stuxnet attack against Iran discovered in 2010. Acknowledging cyber sabotage also helps avoid the debate about whether data constitutes a military object for the purposes of an attack (see Tallin Manual 2.0 paras. 6 and 7, at p. 437). A definition of sabotage that includes cyber operations emphasizes the effects of attacks that impede or impair the war effort, rather than whether data is an object.

The fact that all sides in any hostilities are likely to engage in sabotage impacts how broadly it is defined. While much of the contemporary debate is focused on Russian-linked sabotage, European and supporting States are also likely to carry out sabotage operations, should hostilities increase to a recognized armed conflict. Resistance to actual and potential Russian aggression under the concept of “total defence” relied on by Ukraine, as well as the Baltic and Nordic States, is reflected in the Resistance Operating Concept. This contemporary doctrine refers to the use of “passive resistance” involving acts of minor sabotage that do not involve damage or destruction.

There are limits on what constitutes sabotage. Perhaps the most significant limit is that it invariably involves operations carried out in secrecy and usually behind enemy lines. In contrast to spies who secretly collect intelligence, saboteurs and the sabotage they engage in, represent the action arm of shadow warfare. Sabotage operations are usually covert but may also be carried out under false pretences or even conducted clandestinely. Exceptionally, work stoppages or re-direction of convoys might even be carried out openly. However, conventional operations openly involving attacks that degrade the enemy war effort would not ordinarily be called sabotage.

An interpretational limit on sabotage has been identified by Joshua Rovner, Rory Cormac, and Lennart Maschmeyer in their September 2025 article, Sand in the Gears: Sabotage in World Politics. These authors suggest that the strategic logic of sabotage differs from other covert activity because it is focused on “weaponizing friction inside a system.” Subversion is generative and manipulates behaviour, while sabotage differs because it is degenerative seeking to degrade or disrupt the information ecosystem.

How broadly sabotage is viewed may also be limited by the application of other legal and policy frameworks for assessing the conduct of hostilities. Sabotage has historically included covert killing. However, the adoption of the targeting precautions in Article 57 of 1977 Additional Protocol I (AP I), along with greater attention being paid specifically to “targeted killing” in the post- 9/11 security environment, are likely to result from a practical perspective in such killing being assessed as either a lawful attack, or one constituting assassination rather than as sabotage.

Accountability and Contemporary Application

Sabotage is not prohibited by international law. What the definition of sabotage lacks is the overt authorization for espionage found in Article 24 of the 1907 Hague Land Warfare Regulations. While a distinct activity, the secret collection of information about a target through spying can be the precursor of an act of sabotage. Both actions can be carried out by persons having or feigning civilian status or wearing an enemy uniform.

However, sabotage differs from espionage in that it operates more as an umbrella term for “covert action” involving undercover operations directed at the enemy. The clandestine collection of intelligence by members of the armed forces wearing their nations’ uniform is not considered to be espionage. Sabotage more broadly encompasses acts covertly carried out by persons who qualify for lawful belligerency (e.g. members of the armed forces and organized resistance movements). Unlike with unprivileged belligerents, the principle of combat immunity shields saboteurs who are lawful belligerents from penal consequences.

While both spying and sabotage can involve treachery, not all such perfidious activity is prohibited by humanitarian law. First, if an act of sabotage does not result in death or injury it would not fall within the perfidy prohibitions established in Article 23(b) of the Hague Regulations, or Article 37(1) of AP I. Secondly, as discussed in an earlier post, like espionage, sabotage may involve a degree of treachery, but it would not necessarily be considered a war crime if it is not the proximate cause or is considered too remote from any resulting death or injury.

The suggestion in Tallin Manual 2.0 that the rule against perfidy is “violated even though substantial time has passed since the initiating perfidious act” (rule 122, para. 6) is far too limiting. Such an approach does not reflect the impact on interpretations of humanitarian law caused by the involvement of the Allies in such activity in the Second World War. Those activities heavily influenced the development of the concept of unprivileged belligerency where saboteurs would not be considered war criminals but rather would, like spies, remain subject to domestic criminal prosecution of a capturing State.

Sabotage remains a feature of armed conflict in the 21st century. Ultimately, consideration of whether acts of sabotage, such as during Operation Spider’s Web, Operation Rising Lion, the 2024 Israeli pager/walkie talkie attack on Hezbollah, the killing of Russian Generals in Moscow (see here, here, and here), or the three attacks on the Kerch bridge (see here, here, and here) transgress international law requires a nuanced consideration of perfidy. That means a realistic assessment of proximate cause and remoteness, as well as a clear understanding of the history and continuing widespread State participation in such operations occurring in the shadows.

Conclusion: A Definition of Sabotage

Sabotage is a legally ill-defined but integral part of warfare, whether conducted as part of LSCOs or during insurgencies. It includes more than the damage or destruction of objects and material. Sabotage requires a sufficiently broad definition that reflects the complexity of such operations and the full scope of action taken against an enemy. The following proposed definition reflects its history, includes less serious action taken to impede or impair the enemy war effort, and accounts for the use of new technology such as cyber.

The destruction, damage, obstruction, or impairment of the effectiveness of the resources, production, personnel, materiel, infrastructure, systems or information belonging to enemy forces, or used to support the war effort that is ordinarily carried out covertly, clandestinely, or under false pretences.

Such sabotage occurs regularly in the shadows of modern conflict. As a European intelligence official stated, “Political leaders are increasingly asking intelligence agencies not only to collect information but also to affect the situation on the ground. It’s increasingly important to have a special-forces unit inside your intelligence agency.” This reality will not diminish.

***

Ken Watkin served for 33 years in the Canadian Forces, including four years (2006-2010) as the Judge Advocate General.

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense. 

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Authorship does not indicate affiliation with Articles of War, the Lieber Institute, or the United States Military Academy West Point.

Photo credit: National Police of Ukraine