Opinion: India’s cyber doctrine has an ambitious vision, but there are implementation challenges

The integration of civilian cybersecurity infrastructure with military operations remains underexplored

Chief of Defence Staff General Anil Chauhan (Express Archives)
First published on: August 11, 2025 at 12:43 PM IST

On August 7 this year, the Chief of Defence Staff of India, General Anil Chauhan, released the Joint Doctrine for Cyberspace Operations. The unveiling of this declassified document represents India’s formal acknowledgement that future warfare will be as much about bytes as bullets. While the doctrine articulates laudable strategic ambitions, its success will ultimately depend on addressing several practical challenges that need to be discussed, explored and harmonised.

The doctrine’s core premise, that cyber threats transcend traditional service boundaries, reflects hard-learned lessons from global conflicts. The 2007 cyber attacks on Estonia, which paralysed the nation’s digital infrastructure, demonstrated how adversaries could achieve strategic objectives without firing a single shot. Similarly, the 2010 Stuxnet attack on Iran’s nuclear facilities showed how cyber operations could achieve kinetic effects, blurring the lines between digital and physical warfare. India’s own experience reinforces this reality. The 2020 Mumbai power grid attack, allegedly linked to Chinese hackers, illustrated how critical infrastructure vulnerabilities could be exploited during military tensions. Nor should one overlook the recent information war waged through digital media and cyber attacks during Operation Sindoor.

The doctrine’s emphasis on “threat-informed planning and real-time intelligence integration” acknowledges cyber warfare’s unique characteristics. Unlike conventional military operations that follow established patterns, cyber attacks can emerge from state actors, criminal networks, or lone hackers with equal destructive potential. The 2017 WannaCry ransomware attack, which affected over 300,000 computers globally within days, exemplifies how rapidly cyber threats can escalate beyond traditional containment strategies.

However, the doctrine’s most ambitious goal — achieving true jointness in cyberspace — faces significant structural obstacles. The Indian military’s historical tendency toward service-specific cultures runs deep. Each service has developed distinct procurement systems, operational protocols, and technological preferences over decades. The Army’s focus on tactical cyber capabilities, the Navy’s emphasis on maritime domain awareness, and the Air Force’s space-cyber integration represent fundamentally different approaches to the same domain.

Consider the ongoing challenges with India’s Defence Cyber Agency, established in 2019. Despite its mandate to coordinate tri-service cyber operations, reports suggest that resource allocation, operational authority, and intelligence sharing remain suboptimal. The doctrine’s success will require overcoming these institutional barriers, which have proven resistant to reform efforts.

The US offers a cautionary tale. Despite establishing Cyber Command in 2009, American forces still struggle with inter-service coordination in cyberspace. The complexity of integrating Army network operations, Navy information warfare, and Air Force cyber capabilities has required constant organizational adjustments. If the world’s most technologically advanced military faces such challenges, India’s path toward cyber jointness will likely be even more complex.

The doctrine’s emphasis on human capital development reveals perhaps its most critical vulnerability. India faces a severe cybersecurity talent shortage, with industry estimates suggesting a deficit of over 10 lakh skilled professionals. Competing with private-sector salaries and working conditions for top cyber talent remains challenging for the military, but not impossible.

This challenge is compounded by the specialised nature of military cyber operations. Unlike traditional military skills that can be developed through established training programs, cyber warfare requires continuous adaptation to evolving threats. The half-life of cybersecurity knowledge is measured in months, not years, requiring unprecedented investment in continuous learning and development.

The doctrine’s call for “indigenous cyber capabilities” also raises practical concerns about India’s technological ecosystem. While initiatives like the more-than-decade-old National Cyber Security Strategy emphasize self-reliance, India’s cybersecurity industry remains heavily dependent on foreign technologies and expertise. Building truly indigenous capabilities would require massive investments in research and development, with uncertain timelines for operational readiness. Many start-ups have no doubt emerged, but most are acquired by deep-pocketed foreign IT giants.

The doctrine’s analysis of international approaches, while informative, may oversimplify complex realities. China’s cyber doctrine, for instance, isn’t just about “comprehensive national power” — it reflects a fundamentally different relationship between state and society. China’s ability to mobilise private sector cyber capabilities through national intelligence laws has no equivalent in India’s democratic framework. Similarly, the Russian model of leveraging “non-state actors” for strategic objectives operates within a governance structure that tolerates criminal cyber activities when they serve state interests. India’s approach to cyber deterrence must account for these fundamental differences in political systems and strategic cultures.

The US model of “persistent engagement” has also faced criticism for its potential to escalate conflicts and blur attribution lines. India’s adoption of similar approaches could complicate its relationships with neighbors and create new vulnerabilities in an already complex regional security environment.

Despite these challenges, the doctrine represents necessary progress in India’s cyber evolution. Its public release serves important strategic communication purposes, signaling serious intent while maintaining operational ambiguity. However, several critical gaps require urgent attention.

First, the doctrine lacks specific timelines and resource commitments for implementation. Without concrete benchmarks, it risks becoming another aspirational document rather than an operational blueprint.

Second, the integration of civilian cybersecurity infrastructure with military operations remains underexplored. Given that most of India’s critical infrastructure operates in the private sector, effective cyber defence requires unprecedented civil-military cooperation.

Finally, the doctrine’s deterrence strategy needs clearer articulation. Unlike nuclear deterrence, cyber deterrence operates in a domain where attribution is often uncertain and escalation dynamics are poorly understood.

Translating doctrinal ambitions into operational capabilities, therefore, will require sustained political commitment, significant resource allocation, and institutional reforms that extend far beyond military structures.

The writer, a defence and cyber security analyst, is former country head of General Dynamics
