A hack at the Dutch police department. Suspicions of Russian sabotage in the Baltic Sea. Global chaos caused by a faulty software update.These incidents highlight the growing pressure on the digital security of our vital infrastructure. How can we strengthen our digital safeguards? And who bears the responsibility? A conversation with Sjoerd van der Smissen, Partner and Industry Leader for Government & Public Services at Deloitte, and Frank Groenewegen, Partner in Cyber Risk at Deloitte.
Groenewegen: "Vital infrastructure is a collection of processes and services that form the foundation on which Dutch society operates. Think of electricity, internet access, drinking water, and payment systems. It's important to realize that all these elements have both a physical and a digital side, and they have become completely intertwined. Power plants, hubs, and cables are inseparable from software, the internet, and other networks. There are even bridges that can no longer be operated manually."
Van der Smissen: "Because there is still a significant blind spot for many people and organizations. Traditionally, we have been more focused on our physical safety. Simply put: if we are robbed, we call the police. If the sea level rises, Rijkswaterstaat must do something about it. If tanks approach, it’s up to the military. So, for our physical protection, we know who is responsible for what. But on the digital side of infrastructure, that responsibility is far less clear.
Recently, Belgian ports were hacked by a pro-Russian hacker group. This same group was responsible for last year’s cyberattack on the five largest ports in our country. Who is responsible for the protection? We host AMS-IX, one of the largest internet exchange points in the world. The TAT-14 transatlantic internet cable lands in Katwijk. These are all vulnerabilities that need to be well protected."
Groenewegen: "The threats are escalating. Look at the recent suspicions of sabotage on internet cables in the Baltic Sea. These cables connect European countries with each other and the rest of the world. Germany suspects Russia is behind this sabotage, and the incident underlines the fact that critical infrastructure—whether it’s internet cables, energy facilities, or data centers—remains a target in geopolitical tensions. The situation shows that the risk is not hypothetical; physical attacks on digital infrastructure are becoming more likely.”
Van der Smissen: “These developments align with what we already see happening in the North Sea. There, under the sea, lie cables for internet, electricity, and large gas pipelines. The Dutch Military Intelligence and Security Service has found that Russian spy ships have gathered data on wind farms, data cables, and other critical infrastructure. There is a real risk that it will not stop at data collection.
In short, the pressing question is: 'Who protects it?' In this case, Defense has taken on that task. But it remains a thorny issue. Internet cables? They are often owned by American tech companies or international consortia. Power cables from wind farms? Owned by private energy companies. Yet, we all depend on them. These are urgent issues."
Van der Smissen: "Indeed. And the threat is not limited to geopolitical tensions. Last July, a faulty software update from the security company Crowdstrike caused global chaos. Disruptions at airports and in public transport, hospitals had to scale back care services, and disruptions in communication systems of companies and government agencies.
Although this was not a cyberattack, it emphasizes the urgency to strengthen our digital infrastructure. Next time, payment systems, power grids, or water purification could be affected. We need a vision and an approach to our digital risks. We cannot afford to sit back and wait for the next digital breach."
"We can't afford to wait for the next digital breach."
Groenewegen: "Almost all parties are in favor of strengthening cyber capacity and digital knowledge in organizations like intelligence services, defense, and the police. But in practice, there is a lack of cohesion and priority. Our infrastructure is one dynamic public-private whole. Silo thinking does not work.
What we need is a clear allocation of responsibilities and priorities. Everyone—the government, companies, and citizens—must know what is expected of them. This requires leadership that encourages collaboration and looks beyond the short term. There is no lack of plans, but there is a lack of decisiveness.”
Van der Smissen: "It starts with awareness. A useful comparison is sustainability, which has become a major societal focus. Governments, politics, companies, citizens, almost everyone in the Netherlands is now convinced that we must take sustainability seriously. Policies have been formulated, objectives have been set, and in many companies, it is embedded in ESG principles. But the awareness around safety is far from there. A cultural change is needed to make us realize that safety, like sustainability, concerns us all. It’s not just a task for the government, businesses, or citizens—it’s a collective effort."
Groenewegen: "Additionally, we need to invest in long-term solutions. This goes beyond technology; we need the right people and processes to keep our infrastructure safe.”
"Sustainability has become a priority. Digital security needs to follow suit."
Groenewegen: "We cannot avoid it: we must tackle our digital security in a coherent manner. Organizations, systems, citizens, everything is interconnected. If we do not work from an integrated vision, departments, companies, emergency services, and other parties will each go their own way. Then we will get all kinds of isolated solutions. And then we miss the most important point. Then the most vulnerable spots fall out of sight: all those connections and networks between the parties. The in-between space, the cement of our society. Therefore, our protection can only be effective if we centrally manage and tackle it in connection. Physically and digitally, publicly and privately, governments and citizens."
Van der Smissen: "The role of the government is one of the most urgent elements. It needs to be much more clearly defined to assign the right responsibilities to the right places. When does the government take the lead? In which situations is it an executor, like defense? And when is it a supervisor, like the AFM and DNB are for payment traffic? When it comes to the digital safety of our infrastructure, responsibilities are currently unclear in many cases. That really needs to be addressed quickly."
Groenewegen: "Back to the example of those undersea cables . You want to do something about that growing threat. You want to provide effective protection. And if something does happen with them, you must be able to respond immediately. So, agreements will have to be made with the foreign owners of those internet cables. When it comes to the power cables of the wind farms, we cannot expect an energy company to patrol them day and night with guard ships. And even though the navy has taken that on now, structural solutions will have to be found for the future. In short, we will all have to roll up our sleeves in the Netherlands."