India’s National Load Dispatch Centre monitors the country’s electricity grid. | Grid Controller of India Limited.
India's rise as a great power in the 21st Century, will be built or undermined in the digital domain, as much as on any conventional battlefield. The nations that will define the geopolitical order of the coming decades will be those that secured their digital ecosystems, built sovereign technological capabilities, and cultivated societies resilient enough to function and fight under sustained digital pressure. This article is a strategic assessment for apex decision-makers, policymakers and national stakeholders.
The Strategic Reality
Strategic competition and persistent hostile activities have already permeated India’s digital domain
Technology, digital infrastructure, and data now lie at the heart of global power struggles. India is facing a major strategic challenge, having built one of the world's most ambitious digital public infrastructures, including Aadhaar, Unified Payments Interface (UPI), DigiLocker, FASTag, the Ayushman Bharat Digital Mission (ABDM), GSTN, and a growing 5G network. At the same time, these advances have also created a large, mostly hidden attack surface that adversaries can exploit.
This is not simply a future risk but an ever-present reality. India's power grids have already been probed, and financial systems have been targeted. MIT's military communication architectures have also been tested for vulnerability. Its citizens, meanwhile, have been subjected to large-scale disinformation campaigns. The digital front is active, severely contested and increasingly consequential today.
What sets this moment apart from previous periods of technological disruption is the convergence of four accelerating forces. These include the extraordinary scale of India's digital exposure; the rapidly expanding capabilities of adversarial states, particularly the deepening Sino-Pakistani technological nexus; the democratisation of offensive cyber tools using AI and open-source frameworks; and the inadequacy of current governance, procurement, and industrial structures to respond at the required pace.
Future conflicts may not begin with artillery. Instead, they could begin, and perhaps even end with coordinated attacks on payment systems, power grids, and waves of automated disinformation. Such attacks could unfold simultaneously, with no clear source.
For India's political and military leadership, policymakers at the Centre and in every state, industry leaders, security and law enforcement institutions, and over one billion internet users, the message from the strategic environment is increasingly clear: the digital domain is now a primary theatre of national security. Those who govern, protect and inhabit this domain will need to act with the promptness and clarity that such a reality demands.
Understanding the Threat: How Cyber Attacks Manifest in the Indian Ecosystem
Critical Infrastructure as a Strategic Target
The most consequential category of cyber threat targets the systems that hold modern India together. Today, power grids, railway networks, air traffic management, banking clearing systems, port logistics, hospital networks and satellite ground stations are far more than just conveniences. Together, they form the nation's nervous system.
The documented intrusions into India's power infrastructure, some linked to hostile state actors, offer a glimpse of what a coordinated, large-scale cyber campaign might look like. A simultaneous multi-sector disruption affecting power, telecommunications and financial clearing across four to five major urban centres would involve far more than inconvenience. It could severely disrupt emergency services, freeze economic activity, disrupt military logistics and generate cascading crises that existing governance structures may struggle to manage simultaneously.
India’s rapidly expanding Internet of Things (IoT) ecosystem of smart meters connected to industrial systems and autonomous sensors, all embedded in critical infrastructure, further widens this vulnerability. Many of these devices still operate on legacy software that lacks uniform security standards and are manufactured within global supply-chains that may not have been fully audited.
Financial and Economic Disruption
With India’s UPI processing over 20 billion transactions monthly, making it the world’s largest real-time payments system by volume, a targeted disruption of UPI's backbone or a cascading failure triggered by a compromised National Payments Corporation of India (NPCI) infrastructure would have consequences extending well beyond financial inconvenience. It would strike at the foundational trust architecture of the Indian economy. The erosion of public confidence, capital flight and political instability could follow with significant speed.
Beyond payment systems, India's growing dependence on cloud infrastructure, much of it hosted on servers outside national jurisdiction, creates a strategic vulnerability that deserves far greater policy attention.
Data sovereignty is not just a legal concept. It has become an operational imperative during geopolitical crises when foreign jurisdictions may restrict, withhold or exploit access to critical national data.
Cognitive Warfare and the Battle for Indian Minds
One of the most difficult challenges of cyber threats facing India today is cognitive warfare. The systematic use of AI-generated deepfakes, coordinated disinformation, algorithmic amplification and targeted propaganda to manipulate public perception, inflame communal tensions, distort electoral processes and erode confidence in national institutions.
In a country as diverse and connected as India, where over 500 million citizens are active social media users and communal sensitivities can be weaponised rapidly, cognitive warfare is not just a nuisance. It has become a powerful tool for destabilisation.
Adversarial actors have already demonstrated the capacity to engineer viral disinformation campaigns targeting India's internal cohesion. The scale and sophistication of these operations are likely to increase with the continued advancement of generative AI.
Supply-Chain Compromise and Hardware Vulnerabilities
India's dependence on imported electronics, telecommunications equipment, semiconductor systems, and application software creates a structural vulnerability that cannot be resolved by software security alone. Hardware backdoors, compromised firmware, supply-chain infiltration and embedded malicious code represent threat vectors against which traditional perimeter cybersecurity defences are often ineffective.
These risks are particularly acute in network and cloud infrastructure, where equipment from vendors with opaque ownership structures and potential state-linked obligations creates persistent intelligence and disruption risks. Across India's expanding 5G network, smart city deployments, defence communication systems, and government digital infrastructure, the integrity and long-term security of software, alongside hardware, must become a non-negotiable strategic concern. The application and data centre ecosystem also requires full accountability and visibility, with API interfaces needing real-time monitoring for vulnerabilities.
Strategic competition is increasingly unfolding below the threshold of conventional war through cyber operations, economic coercion, disinformation campaigns, supply-chain manipulation and technological dependencies.
The Adversarial Landscape: Pakistan's Capabilities and the China Dimension
Pakistan: A Persistent and Evolving Cyber Threat
Pakistan's cyber capabilities have historically relied on and operated a combination of state-directed actors, military intelligence-linked groups, and non-state proxies. Groups attributed by international cybersecurity researchers to Pakistani state-backed threat actors such as APT36, also known as Transparent Tribe, have demonstrated sustained, systematic operations targeting Indian defence establishments, government institutions, diplomatic networks, universities, and energy sector organisations.
Pakistan's documented cyber playbook against India includes spear phishing campaigns against defence and government personnel, deployment of remote access trojans (RATs) to establish persistent presence within sensitive networks, targeting of Indian mobile platforms to gather geolocation and communications intelligence and cognitive warfare operations exploiting India's communal and regional fault lines.
While Pakistan's indigenous technical capabilities remain more limited than those of major state cyber powers, this assessment must be qualified by two strategic considerations. First, Pakistani intelligence has demonstrated a consistent willingness to deploy advanced commercial and proxy capabilities to compensate for indigenous limitations. Second, and more significantly, Pakistan's cyber capabilities cannot be assessed in isolation from its strategic partnership with China.
The China-Pakistan Cyber Nexus: A Strategic Force Multiplier
The deepening technological alignment between China and Pakistan has become one of the most consequential and underappreciated dimensions of India's strategic cyber threat environment. It extends beyond arms transfers or diplomatic alignment. It encompasses technology transfer, cyber capability sharing, network infrastructure integration, AI system development, satellite intelligence cooperation, and the embedding of Chinese technical expertise within Pakistan's military and intelligence digital infrastructure.
China's advancements across the full spectrum of digital warfare technologies, offensive cyber capabilities, quantum communications research, AI-driven autonomous systems, electronic warfare integration, satellite intelligence architectures, and deepfake generation platforms are all being progressively transferred, adapted, and operationalised within the Pakistani strategic establishment.
Independent threat intelligence firms have documented extensive cyber operations with footprints tracing to Chinese state-linked actors. The Galwan Valley crisis of 2020 was accompanied by a reported escalation in Chinese cyber activity targeting Indian financial institutions, power infrastructure, defence networks, and government systems. Chinese state-linked groups, notably those associated with APT41, have demonstrated advanced persistent threat capabilities that include long-term network infiltration, patient intelligence collection, and the prepositioning of disruptive capabilities within critical infrastructure for potential future activation.
The China-Pakistan digital nexus does not merely double India's adversarial cyber challenge. One where sophisticated state-level capability, regional intelligence access, and aligned strategic motivation converge against Indian interests.
The strategic implications are sobering. India faces not a bilateral cyber contest but a technologically reinforced adversarial ecosystem in which Chinese technical sophistication, Pakistani regional intelligence, and shared strategic objectives combine to create capabilities and persistence that neither adversary could sustain independently. India's strategic planning, capability development, and policy frameworks must explicitly account for this convergence.
The Policy Imperative: What India Must Build, Change, and Accelerate
National Cyber Command: Unity of Effort at the Apex
India's current cybersecurity governance architecture, while evolving, remains characterised by fragmentation. The National Security Council Secretariat (NSCS), through the office of the National Cyber Security Coordinator (NCSC), provides apex-level coordination but the Defence Cyber Agency (DCyA), Service Cyber Organisations, CERT-In, NCIIPC, NTRO, state police cyber cells, RBI’s financial cyber frameworks and sector regulators continue to function with inadequate coordination mechanisms. This architecture was designed for a period of lower threat intensity. It is insufficient for the strategic environment India now faces.
What India requires at the apex is an empowered, unified National Cyber Command with statutory provisions, a dedicated intelligence fusion capability, a real-time coordination architecture spanning military and civilian domains, and the mandate to defend as well as deter in the digital domain.
Moreover, this is not a matter of bureaucratic reorganisation. It is a strategic requirement for coherent national action in a domain where outcomes are determined by speed, effective integration, and above all, decisiveness.

Former Chief of Defence Staff of India, General Anil Chauhan at a military cyber defence exercise. | Press Information Bureau.
Digital Sovereignty: Building India's Own Ecosystem
India's strategic vulnerability in the digital domain is structurally inseparable from its dependence on foreign hardware, software platforms, cloud infrastructure, and telecommunications equipment. Reducing this dependence should not be viewed as technological nationalism. It is strategic logic. A nation that cannot guarantee the integrity of its communications in a crisis, that stores its citizens' most sensitive data on servers beyond its sovereign control, and that deploys critical infrastructure running on hardware with uncertain credentials has accepted a permanent structural vulnerability that no software security solution can fully remediate.
The priorities for building sovereign digital capability must include:
Technology Agnostic Policies and Procurement Reform
India's strategic technology policies, procurement frameworks, and regulatory structures must be explicitly designed to be technology-agnostic, vendor-neutral, and future-adaptive. The pace of technological evolution in the cyber domain renders rigid, technology-specific frameworks obsolete almost before they are implemented. Governance structures built around specific platforms, vendors, or technological paradigms create strategic rigidity and commercial binding that undermine security without compromising.
Procurement philosophy for technology must shift from lowest-cost commodity acquisition to strategic capability acquisition, evaluated based on security architecture, supply chain integrity, sovereign control provisions, technology transfer obligations, and long-term support independence. The Defence Acquisition Procedure under revision must cater for this or be supplemented by an equivalent framework for critical civilian digital infrastructure that applies analogous strategic scrutiny.
Regulatory frameworks governing telecommunications, data centres, cloud services, apps, APIs, and digital platforms must be built around results-oriented security requirements rather than specific technical prescriptions, enabling them to remain relevant through successive generations of technological change. Specifications must meet global benchmarks but be made in India and evaluated and certified by Indian labs.
Accelerating R&D: India Cannot Afford Decades-Long Innovation Cycles
The speed of capability development in cyber and digital warfare technologies has compressed strategic lead times from years to months. India's traditional research and development timelines, characterised by long gestation periods, sequential funding cycles, and inadequate industry-academia-defence integration, are structurally misaligned with this operational tempo.
India must create rapid cycle innovation mechanisms within its defence and national security R&D ecosystem. This requires:
Legislation for the Cyber Age: Laws That Govern, Not Constrain
India's legal framework remains fragmented and, in several respects, incomplete in the face of the strategic threat environment. The Information Technology Act, despite amendments, was not designed to govern the full spectrum of modern cyber conflict, cognitive warfare, or supply chain security obligations. The Digital Personal Data Protection Act 2023 represents important progress on data governance, and CERT-In's 2022 directions on incident reporting strengthened operational frameworks. However, significant legislative gaps remain regarding state-sponsored cyber operations and response mechanisms, as well as critical infrastructure liability.
Comprehensive, forward-looking cyber legislation must address:
Roles and Responsibilities: A Nation-Wide Response Architecture
The Central Government: Setting Standards and Enabling Capability
At the Centre, the imperative is to translate strategic intent into operational architecture not merely by issuing advisories and policies but by creating the institutional machinery, funding mechanisms, legal frameworks and inter-agency coordination structures that enable coherent national action.
Cybersecurity needs to be treated as a national security priority at the highest political and institutional levels rather than as a secondary domain delegated entirely to the technology ministry. The NSCS’ digital security mandate must be operationalised with the same seriousness of purpose applied to conventional military preparedness.
State Governments: The Critical Last Mile
State governments are simultaneously among India's most significant digital infrastructure operators and among its most attractive cyber-vulnerable ecosystems. State-managed power distribution networks, police communication systems, land records databases, health information systems and citizen service platforms constitute a vast array of potentially exploitable entry points into India's national digital ecosystem.
State Cyber Security Operations Centres, aligned with the national framework but operationally responsive to state requirements, are not optional features. They are operational necessities. State governments must be empowered with funding, technical assistance, and standardised frameworks to build genuine cyber resilience across their digital infrastructure. The Centre-State relationship in cybersecurity must evolve from a directive model to a collaborative partnership for capability-building.
Industry: Security as a Strategic Obligation
India's private sector, which owns and operates the overwhelming majority of the nation's critical digital infrastructure, bears a strategic responsibility that extends beyond commercial risk management. Banks, telecommunications providers, logistics networks, power distribution companies, healthcare systems and digital platform operators are not merely businesses. They are components of national critical infrastructure whose failure in a coordinated cyberattack would generate consequences indistinguishable from an attack on state systems.
Industry must internalise security by design principles across all digital products and services, invest in operational technology security with the same rigour applied to information technology, participate actively in national threat intelligence sharing frameworks, enforce supply-chain security standards and support the development of indigenous cybersecurity capabilities through procurement preference, investment, and technology collaboration with Indian developers. India possesses some of the finest cybersecurity talent and technical competence in the world and Indian industry must leverage it.
Law Enforcement: Capability for the Digital Crime Environment
India's law enforcement architecture, from state police cyber cells to the National Investigation Agency (NIA) and Central Bureau of Investigation (CBI) technology crime units, requires systematic capability enhancement calibrated to the sophistication of the threat environment. This encompasses advanced digital forensics capabilities across state and central agencies; AI-assisted threat detection and network monitoring systems; structured coordination mechanisms that enable rapid joint operations across jurisdictional boundaries; dedicated capacity for investigating and attributing state-sponsored cyber intrusions; and international law enforcement partnerships for coordinated responses to transnational cyber threats.
The cybercrime investigation capability gap between India's major metropolitan centres and its smaller cities, towns, and rural areas represents both a law-enforcement vulnerability and a national-security risk. Equalising this distribution of capabilities must be treated as a national priority.
Citizens: The Nation's First Line of Digital Defence
In the cyber domain, India's over one billion internet users are not merely passive beneficiaries of government-provided security. They are simultaneously the most numerous potential victims and the most important line of active national defence. Citizens who can recognise phishing attempts, verify information before sharing it, protect personal data, identify deepfakes, and practise basic digital hygiene constitute a formidable collective security asset.
National digital literacy programmes must be elevated from the status of government schemes to a strategic national priority on par with physical fitness or civil defence preparedness. Schools, employers, community organisations, and the media all have roles to play in building a digitally resilient citizen. The Cyber Swachhta Kendra model offers a foundation. What is needed is a programme of genuinely national scale, continuity, and strategic purpose.

Server infrastructure inside a modern data centre. | Economic Times.
The Choice Before India
India stands at a strategic inflexion point in the digital domain. The transformation of cyber operations from peripheral inconveniences to central instruments of strategic competition has outpaced the adaptation of governance structures, industrial capabilities, and public consciousness. The adversarial ecosystem arrayed against Indian interests, characterised increasingly by the convergence of Chinese technological capability and Pakistani strategic motivation, is not static. It is expanding, accelerating, and deepening its penetration into India's digital landscape.
The window for resolute action is open, but it will not remain so indefinitely. With every passing year without the establishment of a coherent national cybersecurity architecture, adversaries deepen their mapping of India's critical systems. Every procurement cycle that prioritises cost over supply chain integrity embeds another potential vector of compromise into India's infrastructure. Every month of delay in building sovereign digital industrial capability is another month of structural vulnerability that no software patch can remediate.
The strategic choices before India are not primarily technical. They are choices of national will, institutional priority, and resource allocation. Building a digitally sovereign and cyber-resilient India requires investment at a scale commensurate with the threat, governance reform at a pace commensurate with the adversary's speed of adaptation and a national consciousness that recognises the digital domain not as a sphere of commercial opportunity alone, but as a theatre of strategic contest where India's sovereignty, prosperity, and democratic resilience are actively at stake.
India's rise as a great power in the 21st Century, will be built or undermined in the digital domain, as much as on any conventional battlefield. The nations that will define the geopolitical order of the coming decades will be those that secured their digital ecosystems, built sovereign technological capabilities, and cultivated societies resilient enough to function and fight under sustained digital pressure.
A secure digital India is not merely a technology project. It is the foundational infrastructure of sovereignty itself.
The foundation architecture of India's digital future, trusted, sovereign, resilient, and strategically independent, must be built now, with the promptness that a clear and present strategic challenge demands. The decision rests with those who hold the levers of national power, industry leadership, and institutional authority. The responsibility rests with all of us.
In this rapidly evolving geopolitical environment, India’s digital ecosystem is no longer merely an engine of economic growth. It is a significant national asset operating within an increasingly contested global technological order.
[The article is exclusive to NatStrat. The views expressed by the author(s) are personal and do not necessarily reflect the views of the organisation.]
References
Note on References: All threat intelligence citations draw from publicly available reports by accredited cybersecurity research firms. Attribution of cyber operations to state actors reflects the assessments of these independent researchers and does not constitute official attribution by the Government of India. Statistical figures are drawn from the most recent available data as of the date of publication; readers are advised to verify current figures against live NPCI, TRAI, and MeitY data sources.
A. Threat Intelligence and Adversarial Landscape
B. Digital Infrastructure and Statistical Data
C. Frameworks: Policy, Legislative, and Governance
D. Strategic and Academic Literature