Cyber war without a strategy

  The critical infrastructure was targeted in May 2025, when the Power Grid Corporation of India, which operates the national electricity transmission system, experienced a DDoS (distributed denial of service) attack that disrupted online customer services  for over 30 minutes. 

  Similar cyber attacks on the Kudankulam Nuclear Power Plant occurred in 2019, with agencies later linking it to North Korea. “The size of these cyber attacks is very large. It comes in millions,” said Dr Rajkumar Upadhyay, chief executive officer,  Centre for Development of Telematics (C-DOT). “All the sectors are under attack, including power, telecom, banking, and critical infrastructure.” 

Upadhyay pointed out that cyber threats today are no longer limited to human-led intrusions. “Earlier, people used to attack. Now AI is attacking. AI finds out everything in your network.”

  This evolving threat environment has forced Indian agencies to focus not just on blocking attacks, but on detecting hostile activity much earlier in the chain. According to Upadhyay, cyber operations often begin long before visible damage occurs.  “Which port is open, which window is open — Trinetra detects that before the actual attack happens.” 

  Trinetra is India’s indigenous cyber monitoring system developed by C-DOT, positioned as an early warning layer rather than a defensive shield. “It looks at the entire traffic and generates alerts on where the attack is coming from and why it is coming,” Upadhyay said. He was clear about its limits: “Trinetra does not mitigate attacks. It only tells you where the attack is coming from. Mitigation is the responsibility of the respective organisations.” 

While detection capabilities are improving, senior military cyber experts caution that cyber conflict is fundamentally different from conventional warfare and often invisible to the public. Explaining how this domain actually functions, Major General P K Mallick (retired), who has extensive experience in signals and cyber-related operations, said cyber warfare must be understood as a layered activity rather than a single act of attack.

  “Cyber operations have three parts — offensive cyber operations, defensive cyber operations and cyber exploitation, which sits in between,” Mallick said. Cyber exploitation involves quietly entering an adversary’s systems and remaining undetected, collecting intelligence and mapping networks over time. “When the time comes, you simply change the intention. What was espionage becomes destruction.”

  This preparatory phase, Mallick emphasised, is what makes cyber conflict fundamentally different from conventional warfare. “Overnight cyber offence is not possible. You have to be inside the system much before the conflict begins.” 

  Mallick argued that resilience, not prevention, is the real measure of preparedness. “The most important word in cyber security is resilience. Attacks will happen. The question is how fast you isolate, recover, restore, and identify the source.” 

  However, basic cyber hygiene still makes a major difference. “If you have proper backups, ransomware attacks lose their power. That is why large organisations regularly shut systems at night — to take massive backups.” 

  Cyber operations have also become evident as nation-states are also involved in such attacks with military contingencies. Commander Vivek Yadav (retired),  director (IT and cybersecurity) in the defence ministry, said, “During recent military contingencies, including Operation Sindoor, cyber intrusions were not isolated events but coordinated nation-state attacks involving actors beyond the immediate adversaries.”

  He added that India’s response combined defence and disruption. “India not only adopted a defensive cyber posture to protect critical and classified data but also disrupted hostile command-and-control (C2) servers attempting to breach Indian networks.”

  Yadav explained that government systems are designed with a different philosophy from commercial networks. “Unlike the private sector’s ‘fail-safe’ approach, government and defence systems are designed to ‘fail-secure’, prioritising data integrity over uninterrupted operations,” he said. 

  Dr Sameer Patil, director, Centre for Security, Strategy and Technology at the Observer Research Foundation, argued that India’s biggest vulnerability in cyber is not technical capacity but the absence of a guiding framework. “The real problem is that India still does not have a national cybersecurity strategy.  

We have a joint doctrine for cyber operations, but there is no clarity on who should do what, especially on the offensive side,” he said. 

  Patil noted that while India’s armed forces have adopted a joint cyber doctrine, the lack of a national strategy has left critical questions of authority, coordination, and intent unresolved, particularly when cyber operations extend beyond purely military targets.  

He pointed out that institutional separation complicates coordination. “Cyberspace cannot really be bifurcated. The civilian and military domains overlap, but our structures still treat them separately, and that is where the ambiguity comes from. The bone of contention remains: Who should really be in charge of cyberspace — civilian agencies or the military?”

  Patil warned that India’s rapidly expanding digital economy has created new vulnerabilities that are not being addressed in a coordinated manner beyond military and government networks. “Digital payment systems are clearly critical infrastructure, but there is no visible coordination between institutions like the Reserve Bank of India and defence cyber agencies for their protection,” he said. Patil noted that while platforms such as Unified Payments Interface have transformed financial inclusion, their scale also makes them attractive to hostile actors, requiring closer integration between civilian regulators, security agencies and cyber defence personnel.

  The severe capacity constraints also limit India’s ability to respond to sustained cyber pressure.

  “The sheer scale of cyber threats means we simply do not have enough trained manpower, whether in law enforcement or cyber security,” he said, adding that this shortage is even more pronounced within the armed forces. “The kind of cyber and electronic warfare talent currently available within the armed forces is simply inadequate for the threat landscape we face.” 

He pointed to global examples that India needs to rethink its approach to talent integration. “Countries like Singapore and the  UK have found innovative ways to integrate private-sector cyber talent into national security and India needs to think along similar lines.” He added that most visible responses so far have been reactive. “Most of what we have seen are reactionary cyber responses rather than pre-emptive cyber operations, and that stems from the absence of a clear strategy.”  

The scale of recent attacks illustrates the pressure on existing systems. “During Operation Sindoor, India faced nearly 1.5 million cyber attacks in just three weeks: the same number CERT-In handled in the entire year of 2023,” Patil noted. At the same time, he acknowledged defensive success. “Despite the scale of attacks, India has not suffered a cyber incident that disrupted or degraded critical infrastructure, and credit is due to the security agencies for that.”

  Upadhyay warned that cyber vulnerabilities can quickly translate into systemic collapse if communications fail. “Cyber security is as strong as its weakest link. This war will not be fought only by soldiers. If communication fails, banking, health, power — everything will collapse.” He argued that dependence on foreign cyber tools remains a major risk. “You buy a firewall, but you don’t know whether the policy inside it is correct. You install an agent on your system, and that agent keeps communicating outside the country. Your data is being protected, but it is also being taken away.” 

  According to him, the policy solution is clear. “The biggest policy change required is complete indigenisation of cybersecurity. At least in government systems, there should be fully indigenous solutions.”  

Mallick echoed this concern, pointing to deeper structural weaknesses. “Most of our cyber defence today depends on foreign companies. If a foreign company detects a serious attack, do you really think they won’t inform their own government?” He added that “indigenisation of cyber software and hardware is the only way forward”.

  Looking ahead, both experts flagged emerging threats tied to quantum computing. “Countries are storing encrypted data today so that it can be decrypted later when quantum computers arrive,” Upadhyay warned. “China is doing this already — store now, harvest later.”

  Despite these challenges, India’s talent pool remains a strategic advantage. Experts said that the contrast is not about the absence of talent in the country, but the inability of state institutions to effectively employ them at scale.

  “There is no shortage of cyber talent in India. Our talent is among the best in the world,” Upadhyay said, though he added that the problem lies in uneven understanding of cyber risks and the lack of institutional priority across sectors. 

While agencies have shown sustained efforts to withstand such attacks and protect the country from cyber threats, the future needs a clear strategy, coordination and ownership. 

  The absence of a national cyber framework continues to leave critical questions unresolved.