India is a major cyber actor with extensive digital infrastructure, especially in urban areas. While the cybersecurity policy framework is fairly developed, India has faced many significant cyberattacks. Additionally, internet freedom in the country has been repressed through shutdowns and surveillance. India’s unclear orientation to international internet governance makes India a “swing state” in international cybersecurity matters (Maurer & Morgus, 2014).
Internet Landscape
India’s internet landscape has improved due to the Digital India Initiative (Digital India, n.d.), however, there is a disparity between the access of urban and rural communities and high-risk factors for users. As of September 2024, there are 918.19 million internet users in India. 131.86% of the urban population is connected to the internet compared to only 58.48% of the rural population (Telecom Regulatory Authority of India, 2025). There are several public and private sector initiatives in India that are attempting to improve internet access such as the prime minister’s Wi-Fi Access Network Interface (PM-WANI) and a multi-stakeholder collaboration to drive innovation in 6G technology (Department of Telecommunications, n.d.; Dixit, 2023).
The most visited websites in India were Google, YouTube, and social media (Tambe, 2024). The frequent use of social media platforms and YouTube suggests that the risk of disinformation is high if users do not check the accuracy of the information they are exposed to through these platforms. India scored 50 out of 100 on the Freedom on the Net report and has led global internet shutdowns since 2018 (Access Now, 2023; Freedom House, 2024). The Software Freedom Law Center’s Internet Shutdown Tracker reported 96 internet shutdowns in 2023, and 60 in 2024, and 6 so far in 2025 (Software Freedom Law Center India, n.d.). India surveilled activists and journalists with Pegasus spyware from the NSO Group and NetWire spyware in 2019 (Amnesty International, 2020; Chishti, 2019). The Indian government denied purchasing Pegasus spyware even though the NSO group says it allows only government agencies to use Pegasus to combat terrorism and other crimes (Masih & Slater, 2019; Paliwal, 2019). In March 2023, the Financial Times reported that the Indian government was seeking spyware that rivaled the Pegasus software (Srivastava and Wiggins, 2023). Surveillance of communications is legal under the Telegraph Act of 1885 and the Information Technology Act of 2000 (Indian Telegraph Act, 1885; The Information Technology Act, 2000). A new Telecommunications Act was passed in 2023 which retains the right of the government to surveil communications in the interest of national security (The Telecommunications Act, 2023).
Domestic Cybersecurity Policy
India is vulnerable to cyberattacks and faces many significant cyber threats every year. Geopolitical tensions in the region continue to increase, making the country more vulnerable. There are three major entities that are responsible for cybersecurity in India – the Computer Emergency Response Team, the National Critical Information Infrastructure Protection Centre, and the National Cyber Coordination Centre (CERT-In, n.d.; National Critical Information Infrastructure Protection Centre, n.d.; Press Trust of India, 2017). A majority of the cyberattacks on India are carried out by Chinese or Pakistani actors, and around 83% of Indian organizations face cyber threats every year (Sharma, 2024). According to a study done by CISCO, only 24% of Indian organizations are prepared to face cyberattacks (CISCO, 2023). India released a National Cyber Security Policy in 2013, which is seen as ineffective (Sharma, 2024). Data protection in India used to be governed by different sector-specific law, however, in 2023 the landmark Digital Personal Data Protection Act was passed in 2023 and covers all forms of personal data (Burman, 2023; Digital Personal Data Protection Act, 2023).
International Cybersecurity Policy
The Indian government claims that it uses a multi-stakeholder approach to cybersecurity; however, India is typically is seen as a “swing state” because of its variable approaches to internet governance in international venues (Maurer & Morgus, 2014; Ministry of Electronics and Information Technology, n.d.). India focuses on criminalizing cybercrime and allies with countries that use an internet sovereignty approach such as China and Russia (United Nations Office on Drugs and Crime, n.d.a.). It was not a part of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) until 2017, but was involved in the United Nations Open-ended Working Group on Cybersecurity (OEWG) and officially endorsed the report despite having mixed feelings about it (United Nations Digital Library, 2021; United Nations Office for Disarmament Affairs, n.d.). India did not support the French and Egyptian led Programme of Action (PoA) which aimed to reconcile the UN GGE and the OEWG while creating a permanent UN body to consider the use of ICTs by countries. Instead, India chose to join the OEWG 2021-2025 along with China, Cuba, Indonesia, Russia, and South Africa (Ittelson, 2021).
India is involved with the United Nations Internet Governance Forum, which is a multi-stakeholder platform, and has a domestic chapter known as the India Internet Governance Forum (India Internet Governance Forum, n.d.). India is also involved in the United Nations Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes which aimed to draft a comprehensive convention that governs cybercrime (Aryan, 2024). India made many proposals for this treaty, including a 24/7 global communication link to combat phishing and data-oriented jurisdiction which will enable countries to have more control over the data of their citizens regardless of where it is stored (Aryan, 2024; NT, 2023). The United Nations Convention against Cybercrime was officially adopted in December 2024 by the General Assembly (United Nations Office on Drugs and Crime, n.d.b.).
India is not a party to the Budapest Convention on Cybercrime for reasons that remain unclear, but concerns were voiced about India not participating in the drafting of this treaty (Seger, 2016). More than 60 Indian civil society organizations, businesses, and NGOs are involved with the Paris Call for Trust and Security in Cyberspace, but the government is not (Frank, 2019). India is in involved in the regional security dialogue of the Quadrilateral Security Agreement (Quad) with the US, Japan, and Australia (The White House, 2023). Additionally, ICANN launched its grant program in India in 2024 (Business Wire India, 2024).
India has extensive offensive cyber-capabilities and has four known major Advanced Persistent Threat (APT) groups. These groups are known as Dropping Elephant, Viceroy Tiger, and Dark Basin (Vijayan, 2020). Dropping Elephant was identified by Kaspersky in 2016, CrowdStrike reported on Viceroy Tiger in 2013, and Dark Basin was discovered by Citizen Lab in 2020 (Gorobets, 2016; Meyers, 2013; Scott-Railton et al., 2020). Dropping Elephant (also known as Patchwork and Monsoon) targets mainly government agencies in China, Viceroy Tiger focuses on diplomatic and security organizations in Pakistan, and Dark Basin has reportedly targeted journalists worldwide as well as certain advocacy groups based in the United States (CrowdStrike, n.d.; Gorobets, 2016; Scott-Railton et al., 2020). Additionally, SideWinder is believed to be of Indian origin and has targeted multiple government agencies in many nations, notably Pakistan and Afghanistan (The Hindu Bureau, 2023).
Sources
Access Now. (2023). Five years in a row: India is 2022’s biggest internet shutdowns offender. https://www.accessnow.org/press-release/keepiton-internet-shutdowns-2022-india/
Amnesty International. (2020). India: Human Rights Defenders Targeted by a Coordinated Spyware Operation. https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/
Aryan, A. (2024, February 22). India proposes 24×7 global communication link to curb cybercrimes. The Economic Times. https://economictimes.indiatimes.com/tech/technology/india-proposes-round-the-clock-global-communication-link-to-curb-cybercrimes/articleshow/107891624.cms
Burman, A. (2023). Understanding India’s New Data Protection Law. Carnegie Endowment for International Peace India. https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law
Business Wire India. Icann brings its grant program to India. (n.d.). https://www.businesswireindia.com/icann-brings-its-grant-program-to-india-88317.html
CERT-In. (n.d.). Welcome to CERT-In. https://www.cert-in.org.in/s2cMainServlet?pageid=PUBWEL01
Chishti, S. (2019). WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists. https://indianexpress.com/article/india/whatsapp-confirms-israeli-spyware-used-snoop-on-indian-journalists-activists-pegasus-facebook-6095296/
CISCO. (2023). 2023 Cybersecurity Readiness Index. https://www.cisco.com/c/m/en_us/products/security/cybersecurity-reports/cybersecurity-readiness-index.html
CrowdStrike. (n.d.). Viceroy Tiger. https://www.crowdstrike.com/adversaries/viceroy-tiger/
Department of Telecommunications. (n.d.). Pm-wani central registry. https://pmwani.gov.in/wani/
Digital India. Program Pillars. (n.d.) https://www.digitalindia.gov.in/programme-pillars/
Diplo. What’s new with cybersecurity negotiations? UN Cyber OEWG Final Report analysis. (2021, March 19). https://www.diplomacy.edu/blog/whats-new-cybersecurity-negotiations-un-cyber-oewg-final-report-analysis/
Dixit, P. (2023). Centre launches Bharat 6G Alliance as India acquires 200 patents relating to 6G. Business Today. https://www.businesstoday.in/technology/news/story/centre-launches-bharat-6g-alliance-as-india-acquires-200-patents-relating-to-6g-388053-2023-07-04
Frank, J. (2019). Paris call: Growing consensus on cyberspace. Microsoft On the Issues. https://blogs.microsoft.com/on-the-issues/2019/11/12/paris-call-consensus-cyberspace/
Freedom House. (2023). Freedom on the Net 2024 Country Report: India. https://freedomhouse.org/country/india/freedom-net/2024
Gorobets, O. (2016). Dropping Elephant: Inelegant Espionage. https://www.kaspersky.com/blog/dropping-elephant/15149/
India Internet Governance Forum. IIGF’23 to be held in New Delhi tomorrow. (n.d.). https://pib.gov.in/pib.gov.in/Pressreleaseshare.aspx?PRID=1982217
Indian Telegraph Act. (1885). https://dot.gov.in/sites/default/files/Indian%20Telegraph%20Act%201885.pdf?download=1
Ittelson, P. (2021). What’s new with cybersecurity negotiations? UN Cyber OEWG Final Report analysis. Diplo. https://www.diplomacy.edu/blog/whats-new-cybersecurity-negotiations-un-cyber-oewg-final-report-analysis/
Masih, N., Slater, J., (2021). The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others. The Washington Post. https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/
Maurer, T., & Morgus, R. (2014). Tipping the Scale: An Analysis of Global Swing States in the Internet Governance Debate. https://www.cigionline.org/publications/tipping-scale-analysis-global-swing-states-internet-governance-debate/
Ministry of Electronics and Information Technology. Internet governance. (n.d.). https://www.meity.gov.in/content/internet-proliferation-governance/
National Critical Information Infrastructure Protection Centre. (n.d.). https://nciipc.gov.in/index.html
NT, S. (2023, May 25). India’s focus areas in its proposals at the UN Cybercrime Convention. MediaNama. https://www.medianama.com/2023/05/223-indias-focus-areas-un-cybercrime-convention/
Paliwal, A., (2019). Government denies purchasing Pegasus spyware from NSO Group. India Today. https://www.indiatoday.in/india/story/government-pegasus-spyware-nso-group-1614951-2019-11-01
Press Trust of India. (2017). First phase of National Cyber Coordination Centre made operational, says PP Chaudhary. Firstpost. https://www.firstpost.com/tech/news-analysis/first-phase-of-national-cyber-coordination-centre-made-operational-says-pp-chaudhary-3914699.html
Scott-Railton, J., Hulcoop, A., Razzak, B. A., Marczak, B., Anstis, S., & Deibert, R. (2020). Dark basin: Uncovering a massive hack-for-hire operation (Citizen Lab Research Report No. 128). University of Toronto. https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/
Seger, A. (2016). India and the Budapest Convention: why not? Digital Debates, 42–49. https://www.orfonline.org/public/uploads/posts/pdf/20230503130101.pdf
Sharma, S. (2024). Securing India’s Digital Future: Cybersecurity Urgency and Opportunities. https://thediplomat.com/2024/01/securing-indias-digital-future-cybersecurity-urgency-and-opportunities/
Software Freedom Law Center India. (n.d.). India’s Internet Shutdowns. Internet Shutdowns Tracker. https://internetshutdowns.in/
Srivastava, M., Wiggins, K. (2023). India Hunts for Spyware That Rivals Controversial Pegasus System. Financial Times. https://www.ft.com/content/7674d7b7-8b9b-4c15-9047-a6a495c6b9c9.
Tambe, N. (2024). Top website statistics and trends. Forbes Advisor INDIA. https://www.forbes.com/advisor/in/business/software/website-statistics/
Telecom Regulatory Authority of India. (2025). The Indian Telecom Services Performance Indicators July–September, 2024. https://trai.gov.in/sites/default/files/2025-01/QPIR_01012025_0.pdf
TeleGeography (n.d.a.). Internet Exchange Map. https://www.internetexchangemap.com/
TeleGeography. (n.d.b.). Submarine Cable Map. https://www.submarinecablemap.com/country/india
The Digital Personal Data Protection Act. (2023). https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
The Hindi Bureau. (2023). India-linked APT group carried out phishing attacks against government organisations in Asia, say analysts. The Hindu. https://www.thehindu.com/sci-tech/technology/india-linked-apt-group-carried-out-phishing-attacks-against-government-organisations-in-asia-say-analysts/article66516032.ece
The Information Technology Act. (2000). https://www.meity.gov.in/static/uploads/2024/03/ITbill_2000.pdf
The Telecommunications Act. (2023). https://dot.gov.in/sites/default/files/Telecommunications%20Act%202023_1.pdf?download=1
The White House. Quad joint statement on cooperation to promote responsible cyber habits. (2023). https://www.whitehouse.gov/briefing-room/statements-releases/2023/02/07/quad-joint-statement-on-cooperation-to-promote-responsible-cyber-habits/
United Nations Digital Library. (2021). Compendium of statements in explanation of position on the final report. https://digitallibrary.un.org/record/3950223
United Nations Office for Disarmament Affairs. Group of governmental experts. (n.d.). https://disarmament.unoda.org/group-of-governmental-experts/
United Nations Office on Drugs and Crime. Ad hoc committee. (n.d.a.) www.unodc.org/unodc/en/cybercrime/ad_hoc_committee/home
United Nations Office on Drugs and Crime. (n.d.b.). United nations convention against cybercrime. United Nations Office on Drugs and Crime. www.unodc.org/unodc/en/cybercrime/convention/home.html
Venkat, R. (2023). India cabinet approves $11 billion revival plan for state-owned BSNL. Reuters. https://www.reuters.com/business/media-telecom/india-cabinet-approves-11-bln-revival-package-telecom-firm-bsnl-cnbc-tv-18-2023-06-07/
Vijayan, J. (2020). India’s Cybercrime and APT Operations on the Rise. https://www.darkreading.com/threat-intelligence/india-s-cybercrime-and-apt-operations-on-the-rise
