Securing Europe’s future

How deterrence is evolving in the digital age

An interview with Pieter Cobelens, former director of the Dutch military intelligence and security service

Military and intelligence services have a long history of knowledge-exchange with civilian industries in both war and peace, and seldom more so than in an age when digital systems are creating both vast opportunities and great threats.

In common with nation states, civilian critical infrastructure organizations such as electricity systems operators and public healthcare services must protect and defend their digital infrastructure from cyber-attacks. Deterrence is a key pillar of effective strategies to achieve these aims. 

The stakes are high, according to former Dutch military intelligence and security chief Major-General Pieter Cobelens. “Militarily, failure of deterrence leads to war. Traditionally, deterrence means making enemies understand that the cost of attacking would be unbearable and that their target has the will to act,” he said. “That still holds in the digital environment, with IT and operational technologies adding two more layers to be defended. In the military arena, ‘Star Wars’ is here: we’re fighting hybrid wars involving not only bombs but cyber systems and OT.” 

NightWatch 2025 – building resilience in an era of disruption (Photo: DNV Cyber)

Redefining deterrence

Deterrence in cybersecurity should mean enemies knowing that if they attack, they will fail, and if they breach, the system will recover faster than they can exploit it, according to Cobelens.

Cobelens highlights that deterrence today is about capability, resilience, and accountability. Tanks still matter, but it is now also about satellite communication, software, supply chains, identity, access, and encryption. This all depends on trust and requires the verification of digital identities within organizations and throughout their supply chains.

He draws analogies between military defence deterrence and vigilance and what civilian critical infrastructure organizations need to do to fend off criminal gangs, hostile nations, and other malicious cyber-attackers.

“Too many companies buy firewalls and think they are then safe. Meanwhile, the adversary enters through a contractor, a stolen password, and by manipulating employees,” he observed. “For 80% of new employees, there's no background check before they start work. So, I always say that security isn’t a product, it's discipline and culture.”  


Leadership and training

Leadership plays a critical role in defining, creating, and maintaining the right cybersecurity culture and discipline, according to Cobelens. “Strong leadership is important for creating a good team, which is vital in cybersecurity and for solving problems in a cyber crisis.”

When asking company boards who is in charge of cybersecurity, he is often told it is the Chief Financial Officer, who can call on a department of cybersecurity if something goes wrong. He also frequently finds that CIOs or CISOs do not have the same voting rights on executive teams.

“In both situations, you see that cybersecurity is not really part of management. That's wrong. It should be completely integrated into the organization’s way of managing,” he urged.

Who or what has access to what?

Cobelens places heavy emphasis on Identity and Access Management (IAM) and Identity Governance and Administration (IGA) – specifically, passwords, multi-factor authentication, and ensuring that both military and civil critical infrastructure organizations can trust people who have access to IT and OT.

When asked if small countries should base defence on having weapons like long-range missiles, he replied: “That’s starting at the wrong side of the escalation ladder. The most important things are the simple ones – passwords. Also, the vast majority of business leaders I lecture to have no idea what [Europe’s] NIS2 regulation is, when they should be practising it already.”  

UNDERSTANDING IAM AND IGA

Identity and Access Management (IAM) helps ensure that the right individuals access the right resources at the right time. It includes tools and policies for managing digital identities and controlling user access. Under IAM there are three sub-domains: IGA (Identity Governance and Administration), CIAM (Customer Identity and Access Management) and PAM (Privileged Access Management). In this whitepaper we focus on IGA.

Identity Governance and Administration (IGA) is a subset of IAM focused on compliance and oversight. It adds governance features like access reviews, role management, and policy enforcement to enhance security and meet regulatory requirements.

Source: Who or What has Access to What? DNV, 2025

Knowing your suppliers

Just half of professionals working in critical infrastructure are confident that their organization has full visibility of the cybersecurity vulnerabilities that their supply chain exposes their businesses to, according to recent DNV Cyber research.

One example of what can go wrong is the 2021 cyber-attack in which managed service providers and their clients were hit by a ransomware attack by a Russian-speaking private ransomware-as-a-service group.

The attack exploited a vulnerability allowing the hackers to bypass authentication in remote monitoring and management software developed by a US-based IT company. On gaining access, the hackers spread a malicious payload throughout hosts managed by the software. 

More than 1,000 companies were affected. They included Norwegian financial software developer Visma, which manages systems for a Swedish supermarket chain and consequently had to shut hundreds of stores for several days, leaving some communities with none.

Gauging success in deterrence

In the complex and shifting cyber threat landscape, what then would ‘success’ for European critical infrastructure look like in 2030?

Cobelens replied: “First and foremost, vital services stay online during crisis. Second, Europe speaks and acts as one secure bloc. Third, adversaries believe the strength of our deterrence and calculate that Europe is united, resilient, and too costly to challenge. Last but not least, we have strong national foundations supporting strong European cyber defence.”

Heightened threats looming over the next 18 months add a sense of urgency to achieving these goals, he suggested: “Europe’s biggest risks in this period will be energy infrastructure and grids, subsea cables and data routes. You have to recognize our cloud and satellite dependency, including commercial systems. Then there is quantum computing breaking today's encryption, but there are already cybersecurity solutions for this, and we should apply them before it's too late. Insider manipulation and bio-digital identity risk are increasingly important because we use more and more bio-digital capability.”

Systematic cybersecurity capability counts

Returning to a military example to make a broader point of relevance to critical infrastructure organizations, Cobelens cited the game-changing nature of highly automated drone and cyber swarms in the Russo-Ukraine war, in which drone capabilities are changing in weeks and sometimes days.

“When it comes to cyber-attacks, we're in a world of systematic capability contests. Make no mistake, adversaries are fully mobilized: we can’t afford strategic hesitation,” he warned.

Major-General Pieter Cobelens was a keynote speaker at NightWatch 2025, DNV Cyber’s industrial cybersecurity conference for Europe’s leading cybersecurity experts, national security stakeholders and critical infrastructure operators.


1/15/2026 8:02:00 AM
