The Aakhya Weekly #172 | The Digital Revolution India Wanted—And the Cyber Chaos It Didn’t
In Focus: Rising Cyber Threats in a Rapidly Digitising India
India today stands at a pivotal moment in its digital journey. Over the past decade, the country has witnessed explosive growth across the cyber ecosystem—an expansion that has reshaped everything from governance to banking to daily life. With the government’s ambitious Viksit Bharat 2047 vision placing artificial intelligence and digital infrastructure at the heart of national progress, India is clearly betting on a technologically empowered future. But rapid technological acceleration always brings an unavoidable question: Are we truly prepared to confront the darker side of this transformation? Because while the country’s digital leap has unlocked opportunities, jobs, and unprecedented access to public services, it has also opened the floodgates to a whole new generation of cyber threats.
A Rapidly Expanding Digital Landscape—and Its Consequences
The rise in cybercrime is not an unfortunate side-effect but a structural consequence of the speed at which India has digitised. As millions of new users came online and as critical infrastructure shifted to digital platforms, India unwittingly created a vast and vulnerable attack surface. Cybercrime today is no longer limited to opportunistic phishing scams or low-grade hacking attempts; it now spans sophisticated ransomware networks, AI-generated deepfake extortion, large-scale data breaches, and calculated attempts to compromise national security. And this reality raises a difficult but necessary question: Can India protect the digital architecture it is working so hard to build?
Lessons from Recent Cyberattacks
A good place to begin answering this is by looking at the cyberattacks India has already faced in the past few years.
Targeted APT Campaigns from Pakistan
One of the most concerning episodes involved Pakistan-based Advanced Persistent Threat (APT) groups, which have emerged as persistent actors targeting the Indian government and strategic sectors. In 2024, Pakistani cyber operatives deployed malware into aerospace, defence, and governmental networks using carefully crafted phishing emails. While only a few hundred attempts were successful, these were not random breaches; they targeted critical systems in banking, healthcare, and public services.
The 2025 DRDO Malware Attempt
This trend continued into 2025. In January, Pakistan-backed groups sent malware-laden PDF attachments to Defence Research and Development Organisation (DRDO) researchers. The exfiltration attempts were detected early, but the incident revealed something more troubling: even highly secured research spaces remain vulnerable and are increasingly becoming prime targets.
Breaches in State E-Governance Portals
At the same time, attacks on state e-governance portals across 2024 resulted in the exposure of over 2.5 million citizen records, including Aadhaar-linked information. Many of these websites lacked even basic HTTPS encryption. Outdated plugins and weak administrative credentials, issues that should have been addressed long ago, provided easy entry points for cybercriminals.
Geopolitical Adversaries and Critical Infrastructure Risks
China has also remained an active and persistent threat. Chinese cyber actors have repeatedly attempted to infiltrate critical infrastructure systems, especially the energy grid. Efforts to tamper with power systems in Ladakh and other regions revealed deep vulnerabilities in SCADA and OT networks, systems never originally designed with cybersecurity in mind. Pakistan-linked APT groups have probed these same networks, exploiting default configurations and unpatched devices. These intrusions are not impulsive hacking attempts; they are deliberate strategies aimed at undermining national stability.
The Cybercrime Reality for Citizens
While state-sponsored attacks draw headlines, the more pervasive danger lies in the everyday cybercrime that affects ordinary citizens. The notion that regular people are largely insulated from cyber threats has collapsed under overwhelming evidence. According to the Ministry of Home Affairs and the Indian Cyber Crime Coordination Centre (I4C), India registered more than 36 lakh cyber-fraud complaints in 2024. The financial fallout was staggering, with losses approaching ₹22,845 crore.
One of the most alarming developments was the surge of the so-called “digital arrest” scam. Using video calls, spoofed phone numbers, and AI-generated voices, scammers impersonated law enforcement officials to coerce victims into paying large sums under fabricated allegations. These scams were dangerous not only for their technical sophistication but also for the psychological accuracy with which they weaponised fear and authority.
Evaluating India’s Legal and Institutional Readiness
Given the escalating threat landscape, the natural question is whether India’s legal and institutional framework is capable of keeping pace. The Information Technology Act, 2000, continues to form the backbone of the country’s cyber laws, addressing offences ranging from hacking to identity theft. More recently, the Digital Personal Data Protection Act (DPDP) 2023 has sought to strengthen data governance and breach management protocols. Sector-specific regulations—such as SEBI’s Cyber Security and Cyber Resilience Framework—have pushed financial institutions to adopt stronger governance structures, secure interfaces, and more resilient supply chains.
The release of the CERT-In Comprehensive Cyber Security Audit Policy Guidelines in July 2025 marked an important step forward. These guidelines expanded regulatory oversight into emerging domains such as blockchain vulnerabilities and artificial intelligence systems, while also requiring more thorough organisational risk assessments. CERT-In also introduced the Cyber Crisis Management Plan (CCMP), a framework for all government bodies to counter cyber attacks and cyber terrorism through improved recovery and enhanced resilience.
CERT-In’s frequent advisories on ransomware and deepfakes complement the IT Act’s provisions on privacy violations and harmful content. Citizen reporting infrastructure has also improved. The National Cybercrime Reporting Portal, supported by I4C, has created a unified system for lodging cybercrime complaints—an essential development in a country where reporting was previously fragmented across jurisdictions.
Persistent Gaps and the Need for Structural Reform
Despite these improvements, several gaps remain entrenched. A significant challenge is that cybercrime evolves faster than regulation, with policymakers playing catch-up. Many policies emerge only after substantial damage has already taken place, making the regulatory response feel reactive rather than proactive. The surge in AI-driven scams, escalating fraud cases, and continued targeting of critical infrastructure all demonstrate a system that struggles to keep pace with the threat environment.
Another structural concern is the low level of cybersecurity maturity among Indian institutions. The Cisco 2025 Cybersecurity Readiness Index shows that only about 7% of Indian organisations have reached a “Mature” readiness level—an improvement from 4% in 2024, but still inadequate for an economy undergoing rapid digitisation. Human capital shortages compound this challenge. India faces a deficit of trained cybersecurity professionals, cyber-forensic experts, specialised police units, and judicial officers familiar with digital evidence. Without strengthening this ecosystem, even well-crafted laws cannot be effectively enforced. Adding to this is India’s growing exposure on the global cyber stage. CloudSEK’s Threat Landscape Report ranking India as the second most targeted nation worldwide underscores how quickly the threat surface is expanding as the country’s digital footprint grows.
The Road Ahead: Securing India’s Digital Future
India’s cybersecurity policies—though increasingly comprehensive—still lag behind the sophistication and frequency of cyber threats. Bridging this gap will require more than updated legislation or periodic audits. What is needed is sustained long-term investment in cybersecurity education, enhanced digital infrastructure, intelligence-led threat hunting, and collaboration across government, industry, and international partners. India has built a vast new digital frontier for itself. The question now is whether it can build defences robust enough to safeguard it.
Top Stories of the Week
India Approves ₹7,172 Crore Investment for 17 ECMS Projects
In a major push to deepen its electronics manufacturing ecosystem, the Government of India has approved 17 new projects under the Electronics Component Manufacturing Scheme (ECMS), involving an investment of ₹ 7,172 crore. These projects are expected to generate a cumulative production worth ₹ 65,111 crore and create around 11,808 direct jobs.
The manufacturing units will span nine states and union territories, including Karnataka, Maharashtra, Tamil Nadu, Jammu & Kashmir, Uttar Pradesh, Gujarat, Madhya Pradesh, Andhra Pradesh, and Goa. Key components to be produced include multi-layer printed circuit boards (PCBs), optical transceivers (SFP), camera modules, connectors, oscillators, and high-end enclosures, marking the first time some of these, like quartz crystal components and optical transceivers, will be manufactured in India.
Electronics & IT Minister Ashwini Vaishnaw said that strengthening domestic design capabilities and ensuring high quality (six-sigma standards) remain non-negotiable for India’s long-term electronics ambitions. Separately, India’s first energy-efficient edge-platform-on-chip, ARKA-GKT1, has been announced. Developed jointly by Cyient Semiconductors and Azimuth AI, it targets applications such as smart utilities, industrial IoT, and high-efficiency power systems. The scheme also includes plans for a new skilling framework that will focus on providing hands-on manufacturing experience to youth from Tier-2 and Tier-3 cities, integrating local talent into the electronics ecosystem.
Mandatory IMEI Registration: A Step Towards Safer Networks
The Department of Telecommunications (DoT) has issued a stern warning to manufacturers, importers, and resellers regarding mandatory IMEI registration for all mobile phones sold in India. This directive, aimed at bolstering national security and curbing mobile theft, mandates the registration of both Indian and imported handsets with the Indian Counterfeited Device Restriction portal before sale. The move is a crucial step in ensuring that only legitimate devices operate within the country’s telecommunications networks.
Non-compliance carries severe penalties under the Indian Telegraph Act, 1885, and the Indian Wireless Telegraphy Act, 1933, including fines and imprisonment. The DoT emphasises that any tampering with IMEI numbers is a criminal offence, reinforcing the government’s commitment to creating a secure mobile ecosystem. This initiative not only deters illicit activities but also provides consumers with assurance regarding the authenticity of their mobile devices, safeguarding them from counterfeit products.
A Few Good Reads
Shashi Tharoor says the Global South is redefining climate action, urging COP30 to recognise its role as an active co-creator of solutions.
Yogendra Yadav argues that both the celebrators and critics of the Bihar verdict miss the deeper political shifts reshaping voter priorities.
Rohini Nilekani calls for community-rooted mental health action to transform India’s wellness landscape.
Soumya Swaminathan highlights how India’s point-of-care TB diagnostics are reshaping global eradication efforts.
A.M. Saleem Beg argues that NH-701A is a test of India’s environmental governance in the fragile Himalayan terrain.
The digital arrest scam section really hits home. My uncle actualy fell for one of these calls last month where someone pretended to be from the police and demanded money over a video cal. The fact that scammers are now using AI-generated voices makes it even scarier becuse most people still trust authority figures. What's troubling is that even tech-savvy folks can get tricked when the fear factor kicks in. More public awarenes campaigns are desperately needed here.
Informative