Is India Ready for the Next Wave of Digital Threats?

Introduction

India is currently witnessing rapid digitisation in all aspects. As per the 79th National Sample Survey conducted in 2022-23, more than 85% of individuals above the age of 15 can use smartphones, whereas 59.8% of individuals can use the internet. Even in the rural areas, the percentage of individuals who can use the internet is above 50%. A stunning 99.7% of individuals in India, including 99.5% in rural areas, are users of 4G or 5G technology. More than 30% of the rural and 50% of the urban population can perform online banking transactions. With 80% of overall retail payments across the country, India’s indigenous digital payment system, UPI, has seen tremendous growth in terms of both volume and value over time. UPI transactions in volume went from 4.21 billion in October 2021 to 16.58 billion in October 2024. In value, the transactions went from Rs 7.71 lakh crores in October 2021 to Rs 23.49 lakh crores in October 2024. Aadhaar has helped digitise many of India’s public services. According to UIDAI, Aadhaar is widely used to avail public services, with overall coverage at 92.7%, and 99.9% coverage amongst adults. However, the system is vulnerable to cyber threats. Additionally, the increased usage of internet services, including the rampant use of Artificial Intelligence (AI) tools, is going to further add to the problems in the digital world.

Considering the vastness of the digital landscape in India, cyber threats and attacks are only going to increase in both volume and intensity. With an average of 761 cyber threat detections per minute, India has emerged as the country second most affected by cyber attacks in the world. In 2024 alone, phishing attacks on India’s financial sector increased by 175%. According to the Cost of Data Breach Report, the cost of a data breach in India was USD 1.22 million in 2023. The cost increased by more than 10% – to USD 1.36 million in 2024.

Cyber threats and attacks don’t just target individuals, but also government entities, to cause maximum damage. The damage, most often, is not only in hampered operations or stolen identities. There is a huge financial cost attached to such cyber attacks. As the onboarding of India’s day-to-day activities on the digital landscape proliferates, the threats are also maturing and attacking strategic infrastructure points (public services, industry, etc.). In such times, it is important to assess India’s readiness for cyber threats from the national security perspective. As the scale and complexity of attacks evolve, so must the country’s cybersecurity architecture – through updated policies, and greater investment in digital resilience. The question is not whether India will be targeted, but whether it is prepared to respond swiftly, smartly, and securely.

Current Cybersecurity Framework: Present Setup

Institutional Setup

India’s cybersecurity infrastructure rests on a multi-agency institutional setup, which, notwithstanding the good intent, suffers from conflicts in coordination and overlapping jurisdictions. The CERT-In (Indian Computer Emergency Response Team), established under the Ministry of Electronics and Information Technology (MeitY) in 2004, is the nodal agency that responds to all incidents of cybercrime in India and issues advisories on possible threats. As per its annual report for 2023, CERT-In handled more than 15 lakh incidents in the year 2023 – including phishing, distributed denial of service (DDoS) attacks, ransomware attacks, data breaches, etc.

Source: Organisation Governance of Cyber Space in India (R. Reghunadhan, E. Dilipraj)

While the CERT-In is responsible for all non-critical systems, the NCIIPC (National Critical Information Infrastructure Protection Centre) is responsible for the protection of the Critical Information Infrastructure (CII). Established in 2014 under the Information Technology Act 2000, one of the major duties of the NCIIPC is to protect and reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats. The NCIIPC looks after critical sectors such as energy, banking, transportation, e-governance, and Information and Communication Technology (ICT).

The PMO took into consideration the issue of real-time collection of threat intelligence and coordination to protect CII from cyberattacks, and set up the National Cyber Coordination Centre (NCCC) in 2017. The NCCC primarily functions to aid the government agencies working in the sphere of national security. In contrast, the Indian Cyber Crime Coordination Centre (I4C), which was set up by the Ministry of Home Affairs in 2020, focuses mainly on cybercrimes that affect citizens, like online fraud, cyberbullying, and child exploitation, to name a few. The I4C acts as an aid for law enforcement machinery by providing investigation tools and operating the cybercrime portal. A distinction between the NCCC and the I4C with regard to their area of work can be drawn by understanding that the NCCC is engaged in surveillance and strategic threat response, whilst the I4C is engaged in crime prevention, reporting, and enforcement support. Although these factors may distinguish the two bodies, in reality, they complement each other. Recently the government brought the I4C under the Prevention of Money Laundering Act (PMLA) 2002. With the growing financial cyber frauds, this move will help detect the money trail and identify the culprits of cyber frauds.

Legal and Policy Framework

The laws that govern the sphere of cybersecurity in India are the Information Technology Act 2000 and the Bharatiya Sakshya Adhiniyam 2023. The IT Act of 2000, amended in 2008, has provisions for hacking, identity theft and other cybercrimes under Section 66. Section 66(F) provides for punishment for cyber terrorism. Section 69 allows for the government to monitor, intercept or decrypt information needed for national security. However, since the Act was brought in before the AI era, it does not have any coverage for AI-driven threats such as deepfakes, unethical usage of AI, etc. Even the penalty for such crimes cannot be considered proportionate for today’s scale of cybercrimes. 

Keeping in tune with the evolving cybercrimes, the Bharatiya Sakshya Adhiniyam 2023 which replaced the Indian Evidence Act 1872, recognises electronic and digital records as admissible evidence. However, it does not provide for prevention or regulation of cyber threats. While these laws serve the purpose, they are not adequate to keep up with the more complex changes in cyberspace with the advent of AI. 

India had brought in the National Cyber Security Policy 2013 with the aim to protect information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities, and minimize damage from cyber incidents. However, the NCSP only provides general guidelines and has no enforceable standards for security agencies or private players. This policy was relevant for the then-prevailing cyber security scenario, but needs a lot of tweaking if it is to be made workable in the present scenario.

The recently enacted Digital Personal Data Protection Act, 2023 mandates the data fiduciaries to implement safeguards mainly with regards to individual users. However, this law doesn’t bring into picture the threat response mechanisms or national cybersecurity responsibilities as it deals mostly with individual users and their data privacy.

In 2022, the Government of India formulated the National Cyber Security Strategy (NCSS) to address the issue of national cyberspace security. In 2023, the then National Cyber Security Coordinator Lt Gen Rajesh Pant (Retd) said that the strategy was in the final stages of approval, and would be released for the public soon. However, as of April 2025, the strategy has still not been released by the government for public comments. The country’s cyber security is still governed by the National Cyber Security Policy of 2013. With the advent of AI, the cyber world has seen magnificent changes that need to be considered in the policy. The government needs to take urgent steps to ensure that the NCSS is in accordance with the times, is futuristic enough to keep up with the ever-changing cyber world, and is implemented soon.

International Collaborations

In 2020, India and Israel signed an MoU for operational collaboration on cyber security. The MoU lays down the framework for dialogue, cooperation in capacity building, mutual exchange of best practices in the field and facilitates regular exchanges. Amongst other things, both countries under this agreement will watch for cyber incidents in their respective cyberspace, support each other in prevention measures, exchange of information in order to prevent serious attacks, and explore opportunities to collaborate on research development on cybersecurity.

In January 2025, India and the US signed an MoU to enhance cybercrime investigations in both countries. Both countries are significantly affected by cybercrime, which has direct links with terrorism and extremist violence, terror financing, human trafficking, drug trafficking, etc. This MoU will allow both India and the US to improve cooperation and training regarding the use of cyber threat intelligence and digital forensics in criminal investigations.

Nature of Emerging Threats

As discussed earlier, the ever-evolving cyberspace has also brought with it cyber threats that are more sophisticated and efficient. The evolving nature of cyber warfare poses a great threat to national security. In 2022, in an attempt to hack into the critical infrastructure, likely state-sponsored Chinese hackers targeted India’s power grids in the UT of Ladakh. Coming after the Doklam standoff in 2017 and the clashes in the Galwan Valley in 2020, these cyber-attacks could be seen as compromising national sovereignty. Moreover, Chinese cyberattacks are also well-known for the purposes of production data collection.

In May 2024, Pakistani hackers allegedly targeted India’s defence and aerospace sectors. More recently, post-Pahalgam terror attacks, Pakistani hacker groups launched and claimed responsibility for a series of cyberattacks on Indian websites, which were quickly foiled by the Indian agencies. However, these repeated attempts from Pakistan and China signal towards a shift in warfare strategies. It shouldn’t come as a surprise if cyber warfare is used by these countries as a line of first attack. India needs to further strengthen its cyber warfare capabilities as an essential aspect of national security.

Similarly, cyberattacks are made on the critical infrastructure of the country for multiple reasons: a) for want of money; or b) to disrupt the system and cause chaos. In 2022, AIIMS Delhi was hit by a ransomware attack, and the attackers apparently demanded Rs 200 crore in cryptocurrency. The attack targeted sensitive and confidential data, and caused the AIIMS server to be down for six days. The cost of such attacks is not just monetary, but also patients’ wellbeing. In the same year, data of 30 million Indian Railway Catering and Tourism Corporation (IRCTC) users was leaked for sale on the dark web. Such attacks serve as a wake-up call for the government to remove vulnerabilities from the CII systems, and update the security mechanism.

Another type of attack – the supply chain attack – was a big concern for the banking and finance industry in India. The supply chain attack is a cyberattack where hackers target a third-party provider or a software vendor to inject malicious code in legitimate applications. In 2017, more than 3 million debit cards in India were compromised. It was found that hackers had injected malware in the Hitachi network, which was used by many banks that operate in India to outsource their ATM transaction processing. This highlights how even one compromised entity can snowball into impacting financial services, making people lose their money. It underscores the urgent need for stronger regulatory oversight and mandatory cybersecurity audits of third-party providers in critical sectors. As we push for digital inclusion and financial integration through services like UPI, ensuring the cyber-resilience of the entire supply chain—not just frontline institutions—must become a policy priority.

With the advent of AI, the attacks have become more dangerous. Attackers now use AI for data mining to imitate trusted features of cyberspace or to target weak points in the system, and launch undetectable attacks. These AI-driven tools are much faster and more complex than traditional cybersecurity tools can keep up with. As per the Digital Threat Report 2024, “emergence of the malicious Large Language Models (LLMs), such as WormGPT and FraudGPT, has lowered the barrier to entry for sophisticated cyber-attacks, enabling less skilled actors to craft convincing phishing emails, generate malware, and exploit vulnerabilities”. A study suggested that in 2023, AI was 31% less effective than humans. However, in March 2025, AI was found to be 24% more effective than humans. This is indicative enough of how evolved the cyberattacks driven by AI would be. Another study reported that there was an approximately 60% increase in global phishing attacks, with a significant role played by generative AI-driven schemes such as voice phishing and deepfake phishing.

For example, it was recently revealed that AI models like ChatGPT can generate fake Aadhaar and PAN cards. This can turn into a serious security threat. Government and security agencies should adopt AI-driven technology for detection of synthetic alterations and inconsistencies in the documents. According to a report, there was a 704% increase in face swaps – a form of deepfake attack – to bypass identity verification in 2023. The World Economic Forum recommended use of Digital Identity Wallets to combat such frauds. With systems like DigiLocker, India has been ahead of time when it comes to digital identity wallets. Further strengthening DigiLocker’s security will be key to keeping it a trusted shield against AI-driven identity fraud. As AI accelerates cybercrime, India must urgently rethink its cybersecurity framework on all fronts, shifting from reactive, tool-based defences to anticipatory, AI-augmented security systems that can detect, learn, and evolve just as rapidly as the threats themselves. 

Addressing Gaps to Move Forward

Policy Delays

As mentioned earlier, the draft of the National Cyber Security Strategy introduced in 2020 and drafted in 2022, has not been released. In today’s era of constantly evolving cyberattacks, such a long delay in the implementation of cyber security strategies can prove to be detrimental for a country’s cyberspace. Not having the policy updated from 2013 can also cause fragmentation of responsibilities, where several ministries and agencies work in silos, sometimes with overlaps, which may result in loopholes or incoherent implementation.

The government should urgently release the draft and invite stakeholders for suggestions and deliberations, so that a comprehensive and future-ready NCSS is implemented at the earliest. Special emphasis should be placed on the CIIs such as energy, transportation, finance and defence sectors that are increasingly vulnerable to both state-sponsored and AI-driven cyber threats.

Lack of Centralised Authority

As discussed earlier, India has many agencies that look after different aspects of cyber security in the country. All these agencies work under different ministries such as the PMO, MeitY, MHA, etc. For example, CERT-In looks after non-critical attacks, whereas NCIIPC takes care of the security of CII infrastructure. The NCCC is for real-time threat intelligence and coordination to protect CII from cyberattacks, while I4C targets cybercrime affecting citizens.

While it is clear which agency takes care of which aspect of cybersecurity, how they interact with each other is not clearly known yet. Additionally, India does not have a unified cyber command – a nodal agency under the aegis of which all agencies would work, like the Cybersecurity and Infrastructure Security Agency (CISA) of the USA or the National Cyber Security Centre (NCSC) of the UK. Such an agency would unify efforts across ministries, public institutions, and private sectors, avoiding duplication and enhancing coordination during cyber incidents.

Capacity and Training

India has an ever-flourishing IT industry that includes many tech giants operating from India with a large Indian workforce. However, this has not translated into a strong cybersecurity workforce for the country. Due to the increased incidents of cyberattacks, there is huge demand for cybersecurity experts across the world. However, according to the World Economic Forum, 67% of organisations reported a moderate-to-critical skills gap in cybersecurity. As for India, a study estimated that India would need over 1.5 million cybersecurity professionals to bridge the skills gap. Almost 40 thousand job vacancies for cybersecurity professionals remained unfilled due to talent shortages in May 2023.

To address this issue, the government needs to take multipronged measures. The government should continue to push programs in collaboration with private organisations such as NASSCOM, which provides various cybersecurity courses and certifications. The government should also introduce fellowships in this domain to attract more technology-savvy people towards cybersecurity.

There is also a need to introduce subjects like cybersecurity in schools, so that children are familiar with the domain before they are faced with the decision to make career choices. Taking a leaf out of China’s cybersecurity skilling initiatives, the government should establish cybersecurity schools with future-ready curricula to prepare a workforce. China runs multiple hacking competitions every year. The Indian government should encourage such ethical hacking competitions to improve competitiveness of the cybersecurity workforce and its aspirants through NITI Aayog. The Atal Innovation Mission (AIM) can launch a program focused on cybersecurity innovation and capacity building. Under this vertical, AIM could conduct career orientation programs in schools and colleges, organise national level hackathons, and offer industry-aligned certificate courses in collaboration with academia and private players. 

Citizen Cyber Hygiene

In India, only 38% of households and approximately 40% of individuals are digitally literate. However, the mobile phone penetration in the country is said to be between 70 and 80%. This data indicates that there is a significant population that has access to the technology, but is not well versed with its operations and functions. This makes them vulnerable to potential cyberattacks. Government and civil society organisations should come together to organise campaigns to educate the masses about digital literacy, phishing education, and fraud prevention.

Conclusion

Aided by initiatives such as Digital India, UPI and Aadhaar, India is seeing a rapid growth in its digital landscape. These platforms have revolutionised delivery of public services, financial inclusion and governance. However, this surge in digital adoption has also exposed the country to unprecedented levels of cyber vulnerability. From critical infrastructure and financial services to everyday digital interactions, the threats have become more frequent, more complex, and increasingly AI-driven.

From state-sponsored cyberattacks by the neighbouring countries to attacks on critical infrastructure such as the one on AIIMS, it is crystal clear that India needs to match up to the sophistication and efficiency with which the attacks are conducted. Without a comprehensive, cross-sectoral cybersecurity framework, the country’s digital backbone remains at risk. The government should take urgent steps to finalise and implement the National Cyber Security Strategy. There is a need for sector-specific guidelines to safeguard the critical infrastructure. The policies for cyber security should have mandatory minimum security standards for the banking, healthcare and energy sectors, which deal with crucial information and data.

All the policies and initiatives will only work if we have a competent workforce in the field of cyber security. The young population of the country should be leveraged by equipping them with advanced knowledge and education in cybersecurity, introducing internships and fellowships to train them better, and guiding them towards better career opportunities. Encouraging young professionals to pursue and excel in this critical field is essential to safeguard the digital ambitions of the nation.

To conclude, India has made significant progress in building its digital ecosystem. These advances have laid a strong foundation, but the evolving nature of digital threats—especially those powered by AI—demands a continuous upgrade of both strategy and preparedness. While there are gaps in policy implementation, capacity building, and public-private coordination, India has also shown agility in responding to cyber incidents and investing in critical infrastructure. With timely execution of the National Cyber Security Strategy, stronger citizen awareness, and a skilled cybersecurity workforce, India is well-positioned to not only face but lead in securing the next phase of global digital transformation.


Varada Marathe

Research Associate, SPRF India
