On August 7 this year, the Chief of Defence Staff of India released the Joint Doctrine for Cyberspace Operations.
- The unveiling of this declassified document represents India’s formal acknowledgement that future warfare will be as much about bytes as bullets. 
 
About Joint Doctrine For Cyberspace Operations
- Core Objective: The doctrine’s primary aim is to achieve cyber immunity for India. 
- It recognises that in future warfare, data will be as vital as bullets in conventional conflict.
 
 
- Key Understanding in Cyber Warfare: Unlike traditional warfare, cyber warfare has no fixed boundaries. 
- In cyber warfare, a nation’s capacity and capability define the boundaries of its defence.
 
 
- Strategic Emphasis: The doctrine places strong emphasis on threat-informed planning to counter evolving cyber risks.
- It prioritises the integration of real-time intelligence to strengthen national defence.
 
- A major objective is to achieve true jointness among the Army, Navy, and Air Force to bridge operational gaps in tackling cyber threats.
 
 
- National Security Perspective: The doctrine strategically recognises cyberspace as a critical domain for national security.
 
- Lessons from Past Incidents: The 2007 cyber attacks on Estonia demonstrated how digital infrastructure can be paralysed.
- The 2010 Stuxnet attack on Iran’s nuclear facilities showed that cyber attacks can cause physical, kinetic effects.
 
- The 2020 Mumbai power grid attack, allegedly linked to Chinese hackers, highlighted vulnerabilities in India’s critical infrastructure.
 
 
- Information Warfare Challenges: The spread of misinformation during Operation Sindoor underscored the need for stronger countermeasures in the information domain.
 
Challenges in Implementation of the Doctrine
- Difficulty in Attacker Attribution: In cyber warfare, it is incredibly challenging to identify the source of an attack. 
- It could be a state actor, a criminal network, or even a lone hacker. 
 
- Traditional response mechanisms are difficult to apply when the attacker is unknown. 
- For instance, the 2017 WannaCry ransomware attack demonstrated how over 300,000 computers could be globally paralysed without clear attribution.
 
 
 
- Lack of Tri-Service Integration:
- The Army, Navy, and Air Force have historically operated in separate domains, each with distinct focus areas—regional tactics, maritime domain awareness, and space/cyber integration, respectively.
 
- Separate procurement systems, distinct operational protocols, and varied technological preferences among the services hinder unified action.
 
- Previous attempts, such as establishing the Defence Cyber Agency in 2019, have struggled with resource allocation, operational authority, and effective intelligence sharing, failing to achieve desired outcomes.
 
 
- Continuous Updation: There is a conceptual misunderstanding that cyber integration is a one-time effort. 
- Cyberspace demands continuous organisational adjustment to keep pace with rapidly evolving technologies like Artificial Intelligence and Machine Learning.
 
- Even the advanced US military, with its Cyber Command established in 2009, faces struggles with inter-service coordination, indicating the complexity of this challenge.
 
 
- Severe Human Capital Shortage: India faces a critical deficit of skilled cybersecurity professionals, with an estimated requirement for 1 million experts that current supply cannot meet. 
- Military cyber operations demand specialised skills beyond general cybersecurity expertise, requiring personnel to continuously adapt to technological advancements. 
 
- The half-life of cybersecurity knowledge is measured in months, not years, necessitating unprecedented investment in continuous learning. 
 
- The military also finds it challenging to compete with private sector salaries and work conditions for top cyber talent.
 
 
- Confidentiality Issues: A significant portion of India’s critical infrastructure, including power and transportation networks, is managed by the private sector. 
- While integrating civilian expertise and private entities into military cyber operations is essential for strengthening national defence, it also presents complexities, particularly in maintaining confidentiality. 
 
 
- Dependence on Foreign Technologies: Despite the National Cyber Security Strategy aiming for self-reliance in cybersecurity for over a decade, India remains heavily dependent on foreign technologies for tools and systems. 
- Even Indian cybersecurity startups often rely on major funding from foreign IT companies, further perpetuating this dependence. 
 
- Building truly indigenous capabilities requires massive investments in research and development with uncertain timelines for operational readiness.
 
 
- Limited Applicability of Foreign Models:
- China’s comprehensive national power model is incompatible with India’s democratic values and the significant role of its private sector. 
- China’s ability to mobilise private sector cyber capabilities through national intelligence laws has no equivalent in India’s democratic framework.
 
 
- Russia’s model, which reportedly utilises non-state actors or criminals for national defence, raises ethical issues that conflict with India’s governance principles, as it tolerates criminal cyber activities when they serve state interests.
 
- The US model of ‘persistent engagement’, involving continuous monitoring and expansion of cyber expertise against neighbours, is impractical for the conflict-prone South Asian subcontinent. 
- This approach could escalate regional hostilities and complicate relationships with neighbours, creating new vulnerabilities.
 
 
 
- Ambiguity in the Doctrine: The current doctrine lacks clear timelines for implementation, specific resource commitments, and a detailed operational blueprint. 
 
- Cyber Deterrence Complexities: Unlike nuclear deterrence, where the physical presence and potential damage are calculable, cyber deterrence is complicated by the anonymity of attackers and the unpredictable nature of potential damage. 
- The doctrine’s deterrence strategy requires clearer articulation.
 
 
Way Forward
- Eliminate Institutional Barriers: India needs to actively address and bridge the existing gaps in decision-making, resource allocation, and procurement processes within the tri-services to foster genuine integration.
 
- Embrace Continuous Adaptation: Cyber security requires constant organisational adjustment to keep pace with rapid technological advancements and evolving threats.
 
- Invest Heavily in Human Capital Development: Implement robust and continuous training programmes to develop specialised cybersecurity professionals, effectively addressing the severe talent shortage.
 
- Strengthen Civil-Military and Private Sector Collaboration: Establish clear mechanisms for effectively integrating civilian expertise and private sector entities into national cyber defence, ensuring critical infrastructure protection while safeguarding sensitive information.
 
- Prioritise Indigenisation through Robust R&D: Significantly increase investment in research and development to cultivate indigenous capabilities in cybersecurity technologies. 
- This will reduce reliance on foreign systems and enhance national self-reliance.
 
 
- Refine the Doctrine with Clarity: The doctrine must be refined to include precise timeframes, specific resource commitments, and a detailed operational blueprint for its implementation.
 
Conclusion
India’s Cyber Doctrine represents a strategic and essential step in acknowledging the complexities of modern warfare and the critical imperative of cyber security. 
- Translating doctrinal ambitions into operational capabilities, therefore, will require sustained political commitment, significant resource allocation, and institutional reforms that extend far beyond military structures.