On August 7, 2025, India’s Chief of Defence Staff, General Anil Chauhan, released the Joint Doctrine for Cyberspace Operations, marking a significant step in acknowledging the central role of cyber capabilities in future warfare. The doctrine underscores that modern conflicts will be shaped as much by digital attacks as by conventional weaponry.
Strategic Vision and Global Lessons
The doctrine’s central premise is that cyber threats cross traditional service boundaries, demanding integrated responses from the Army, Navy, and Air Force. It draws from key international incidents, including: the 2007 cyber assault on Estonia, the 2010 Stuxnet attack on Iran’s nuclear facilities, and the 2017 WannaCry ransomware outbreak, to illustrate the strategic potential of cyber operations.
Data Protection and DPDP Act Readiness: Hundreds of Senior Leaders Sign Up for CDPO Program
India’s own experiences reinforce this assessment. The 2020 cyber intrusion into Mumbai’s power grid, allegedly linked to Chinese actors, exposed vulnerabilities in critical infrastructure during heightened border tensions. More recently, Operation Sindoor combined digital media influence campaigns with targeted cyber intrusions, further blurring lines between information warfare and network attacks.
The doctrine calls for “threat-informed planning” and “real-time intelligence integration,” recognizing the diverse origins of cyber threats, from state adversaries to criminal networks and individual hackers.
Operational Barriers and Capability Gaps
While the doctrine sets out an ambitious vision of “jointness” in cyberspace, longstanding structural and cultural challenges within the armed forces present obstacles. The Defence Cyber Agency, created in 2019 to coordinate tri-service cyber operations, has faced persistent issues with resource distribution, operational authority, and intelligence sharing. International experience suggests these hurdles are formidable. The United States Cyber Command, despite being established in 2009, continues to refine coordination among its services. For India, similar integration will require sustained institutional reforms.
A shortage of skilled cybersecurity professionals further complicates implementation. Industry estimates indicate a shortfall exceeding one million experts, with the private sector able to offer more competitive pay and working conditions. Military cyber operations also demand specialised, constantly updated expertise, making talent retention a persistent challenge.
The doctrine’s goal of building “indigenous cyber capabilities” confronts technological realities. Despite government initiatives toward self-reliance, India’s cybersecurity industry remains dependent on foreign hardware, software, and expertise. While domestic start-ups have emerged, many are acquired by global technology firms before scaling.
Additionally, the document offers limited details on civil-military integration, despite most critical infrastructure in India being privately operated. Without stronger public-private cooperation and clearer deterrence strategies, experts warn the doctrine risks becoming aspirational rather than operational.