Cyberspace is arguably the next battlefield for strategic adversaries, with offensive cyber operations (OCOs) potentially playing a decisive role in future India-Pakistan crises. The May 2025 crisis revealed the early signs of this emerging domain. These episodes underscore that cyber capabilities, once peripheral, are now edging closer to the core of strategic competition in South Asia. It is important to explore the implications of OCOs through three key questions: how might OCOs factor into a potential future crisis? To what extent do both sides understand each other’s cyber capabilities? And finally, what risks do these operations carry and what measures can mitigate escalation risks? By examining states’ cyber capabilities, assessing the implications of OCOs in the conventional and nuclear domains, and analyzing their impact on escalation, this piece argues that OCOs introduce a layer of strategic ambiguity and misperception that could destabilize deterrence in South Asia, unless India and Pakistan develop clearer doctrines, stronger defenses, and shared understandings.
Offensive Cyber Operations in a Future India-Pakistan Crisis
OCOs can be employed in several ways in a future India-Pakistan crisis. The May 2025 confrontation already saw limited attempts at probing cyber defenses by groups sympathetic to each state, with reports of disruptions to civilian websites and financial networks. While these incidents fell short of sophisticated operations, they hint at how OCOs could evolve into decisive tools of coercion and chaos in future crises. The disruption of military communication systems is a key way to utilize OCOs. Considering that a smooth flow of information is necessary for command and control, coordination of forces, and execution of military operations, any interruption in communication could lead to confusion and may cause mission failure. OCOs against cyber elements in nuclear command, control, and communication (NC3) systems could potentially lead to unauthorized access, manipulation of data, and, in an extreme-case scenario, the incapacitation of critical communication links.
OCOs against early-warning systems (EWS) can exploit vulnerabilities in the hardware, software, and communication networks. Examples of these OCOs include spoofing or data injection, where false data injected into the system simulates a non-existent threat, such as a missile launch; jamming or corrupting signals between detection systems and command centers to prevent reliable communication; hacking the algorithms that process and analyze the incoming data to spoil the threat assessments; and overloading the EWS network in a distributed denial-of-service (DDoS) attack. Because South Asia’s geography makes crises time-compressed, radars are vital for early warning. OCOs can degrade radar systems, preventing aircraft or missile detection through data corruption or system disabling. Additionally, as India and Pakistan enhance satellite-based EWS components, OCOs targeting ground stations can prevent timely assessment of adversary movements.
Capabilities and Constraints: Mutual Perceptions
Despite the promise of OCOs, there is a gap between the perceived and actual cyber capabilities of both India and Pakistan. India emphasizes its tech sector and OCO capabilities to position itself as a digital power. Pakistan plays up its cyber defense and offensive potential to maintain deterrence against India’s conventional military advantage. This positioning implies that there is ambiguity about the actual capabilities, which in turn leads domestic audiences in both states to overestimate their countries’ cyber prowess. This serves the political purposes of the national security elite in both countries without developing advanced cyber weapons in earnest. However, this does not imply that both countries have not invested in developing their cyber capabilities. India has reportedly established dedicated cyber units within its military and intelligence agencies and integrated cyber warfare into its broader military strategy. Pakistan established the Army Cyber Command, incorporating a Cyber Division and an Army Centre of Emerging Technologies in 2022, but there is not much publicly available information regarding its role and scope.
The use of OCOs in military crises is a new phenomenon globally and in South Asia. Few cases of overt operations exist (e.g., Russian cyber activities in Ukraine), and these do not translate to South Asian security dynamics. OCOs were absent during the Kargil Crisis and were not employed during the 2019 Pulwama-Balakot crisis. Neither state has launched sophisticated cyber-attacks against the other, nor have the few state-linked attacks caused significant damage. Past cyber-attacks mostly involved basic techniques, such as defacing a website. The absence of historical precedent makes it difficult to predict the dynamics and consequences of OCOs. There is no established playbook on how either state would employ OCOs or respond to the adversary’s OCOs. Conversely, even though past cyber-attacks fall below the threshold of what might be considered a sophisticated OCO, a continual level of this activity could cause disruption without triggering a kinetic response, and can have strategic implications. Low-intensity yet persistent cyber activities can introduce uncertainty,[1] erode trust,[2] and may even shift decision-making thresholds.[3] Even if these cyber-attacks are individually nondestructive, their cumulative impact could gradually create a destabilizing environment, leading to disproportionate responses to minor escalations. The May 2025 crisis illustrated this dynamic: mis- and disinformation campaigns, amplified by hackers sympathetic to each state as well as the spread of fake or out-of-context photos and videos, added fuel to an already tense situation.[4]
The cyber landscape is rapidly evolving, necessitating continuous adaptation. India and Pakistan would have to invest in technological advancements and develop a comprehensive understanding of their own doctrinal integration and posturing, as well as the tactics and strategies of the adversary. This requires strategic thinking, intelligence gathering, analysis, and collaboration among various stakeholders, including government agencies, the military, private sector entities, and academic institutions. Military commanders in both states have given statements about cyberwar and cyber-attacks. While India released a Joint Doctrine for Cyberspace Operations in 2024, Pakistan has not declared a cyber doctrine or explained how its cyber strategy aligns with its warfighting plans. Pakistan’s newly released National Artificial Intelligence Policy indicates the country is integrating emerging technologies into defense and governance, but its emphasis remains on capacity building and civilian applications rather than operational doctrine.[5] Both states face organizational challenges, such as the integration of OCOs into their battle strategies and coordination between their civilian and military cyber agencies.
Escalation Dynamics
The impact of OCOs on escalation dynamics can be analyzed in several ways. During a crisis, standalone cyber-attacks could be interpreted as a precursor to kinetic operations. Traditional warfighting doctrines emphasize weakening the enemy’s capabilities before launching offensives. If electronic warfare tactics were employed for this in the past, OCOs could serve this purpose in modern battlefields. India and Pakistan could interpret a cyber-attack as the start of a larger military operation and may accidentally initiate warfighting. This misinterpretation and the resulting overcompensation could likely manifest in South Asia, as neither country has experience of integrating cyber-attacks into broader strategic concepts. An unprecedented event, coupled with the overblown fear of destruction caused by cyber warfare, may push decisionmakers to act preemptively.[6]
During an armed conflict, OCOs can impact escalation dynamics by causing disruption and destruction beyond kinetic operations. OCOs targeting NC3 systems, if successful, can create a perception of vulnerability. Panicked decisionmakers in a time-compressed environment might overreact and order a nuclear strike. This “use-it-or-lose-it” manifestation is in itself an extreme worst-case scenario where several things have to go wrong and the right conditions have to be present (in terms of the personalities of the decisionmakers, confidence in the resilience of the NC3 systems, scale of disruption, etc.). A more plausible scenario is that OCOs disrupt the coordination and operational readiness of military forces. For Pakistan, conventional asymmetry against India could increase the perception of vulnerability and create a sense of urgency to regain the initiative. One way to stop India from exploiting Pakistan’s weakened position could be shifting from a defensive to an offensive posture quickly, in either the conventional or nuclear domain, depending on the disruption and destruction caused by India’s OCOs.

The effect of OCOs on escalation dynamics in an India-Pakistan crisis can also manifest in cyber-physical systems. Cyber-physical systems integrate information and communication technologies (ICTs) with physical processes and are susceptible to cyber-attacks, which can disrupt both communication and operational capabilities. Cyber-attacks against unmanned combat aerial vehicles can disrupt the communication link with the command-and-control center and result in operational failure. This could impact military warfighting strategy and battlefield outcomes, potentially causing either country to lose strategic advantage against the adversary.
Escalatory Potential of OCOs in the Nuclear Context
Whether OCOs can result in accidental or unauthorized nuclear launches in South Asia depends on several factors: the escalation level of the crisis and readiness of the nuclear arsenal (whether the missiles are deployed or not), intelligence and surveillance conducted against the adversary’s NC3 systems in the preceding years, collusion of an insider during a crisis situation, and the vulnerabilities existing in the NC3 and early warning systems. Neither India nor Pakistan currently deploys nuclear weapons in peacetime. The exception, however, is sea-launched missiles, which would eventually be deployed at all times—peace or crisis—in the future if they are not already deployed.[7]
A key question, however, is whether accidental or unauthorized nuclear strikes are in the interest of either India or Pakistan. Why would either country risk a nuclear strike because of its OCO against the NC3? Is the annihilation of millions of people because of the nuclear strike caused by the OCO in the interests of either country? Does this strengthen deterrence, or permanently establish military superiority over an adversary? These are key considerations that indicate that neither Pakistan nor India would risk nuclear annihilation to launch OCOs against NC3 systems.
Managing and Mitigating Escalation Risks
Because cyber operations remain uncharted territory in South Asia, India and Pakistan should prioritize deep strategic thinking to understand their impact on escalation dynamics. This requires investing in technological defenses while acknowledging that confirmation biases, asymmetries, and psychological effects may shape crisis responses.
One priority is securing communication channels in NC3 and military systems. Cryptography, quantum key distribution (QKD) systems, diverse communication technologies (e.g., shortwave communication and mobile ad-hoc networks (MANETs)), and secure communication protocols, such as the Secure Communication Interoperability Protocol (SCIP), are some technical solutions to address cybersecurity challenges. Enhanced cybersecurity infrastructure would protect these critical assets and reduce the incentive for the adversary (or adversaries) to launch OCOs. Strengthening cyber defenses can prevent crises from climbing a dangerous escalatory ladder.
Deeper strategic thinking is required in India and Pakistan to assess cyber deterrence strategies and response options during a crisis. The potential value of OCOs must be weighed against their risks, recognizing that strategic costs may outweigh tactical benefits. They need to clearly communicate their cyber deterrence posture in relation to nuclear deterrence through policy statements or public doctrinal declarations to reduce uncertainty and enhance mutual understanding. Such strategic clarity would strengthen internal preparedness and deter adversaries by signaling a credible commitment to respond appropriately in the cyber domain or engage in cross-domain retaliation.
Finally, India and Pakistan need to work together to develop norms and rules of engagement in cyberspace. Pakistan has already taken a step by sharing its national interpretation of the application of international law to cyberspace and ICTs.[8] Both states would benefit from building on such national positions to craft shared understandings and reduce the risk of miscalculations. Additionally, there are some ambiguities in the use of the Law of Armed Conflict in the context of OCOs, which means that existing legal frameworks are insufficient to clearly define the thresholds of acceptable cyber behavior, or that more clarity is needed on how states interpret existing international law and legal principles in their cyber conduct. Therefore, both states must develop agreed-upon thresholds for cyber-attacks and establish red lines to reduce the risks of misinterpretation and unintended escalation. For example, both states could agree to avoid targeting each other’s NC3 systems with OCOs. The scope of the existing non-attack agreement could be broadened to include cyber-attacks on nuclear facilities and NC3 systems, or both states could negotiate a new regional agreement.
Conclusion
The May 2025 crisis offered only a glimpse of how cyber-enabled operations could complicate decision-making, but it underscored that the risks of misperception and unintended escalation are real. The use of OCOs in a future crisis will remain fraught with uncertainty, and the strategic costs could easily outweigh any perceived tactical benefit. For India and Pakistan, the challenge ahead is whether to pursue cyber tools as instruments of coercion or prioritize resilience, restraint, and norm-building; the latter offers the best chance of avoiding destabilization in South Asia’s already fragile deterrence environment.
Views expressed are the author’s own and do not necessarily reflect the positions of South Asian Voices, the Stimson Center, or our supporters.
[1] A minor cyber intrusion or disruption can create doubts about the reliability and security of critical systems. For example, military commanders might begin to question the integrity of their data and communication channels if their communication networks experience repeated, small-scale cyber interferences. The implication of this uncertainty is that decision-makers may adopt preemptive measures.
[2] Continuous, low-level cyber-attacks can raise suspicions that the adversary’s intentions are more aggressive than they appear. This erosion of trust has the potential to destabilize the existing balance of power.
[3] A high frequency of minor cyber disruptions can decrease decisionmakers’ tolerance for uncertainty. This implies that states may decide to respond by taking actions that are more aggressive than an individual situation warrants or take measures that may escalate a crisis situation.
[4] These episodes show that persistent low-level cyber activity magnifies mistrust and distorts decision-making. The looming specter is no longer a dramatic “Cyber Pearl Harbor” but the steady, cumulative effects of ongoing cyber campaigns that raise the questions of when persistent harassment and disruption cross an intolerable threshold.
[5] While it signals the intent to modernize, it does not yet provide doctrinal clarity or strategic guidance that would shape Pakistan’s approach to cyber warfare in a crisis.
[6] In theory, OCOs against EWS (e.g., radar networks or satellite communication infrastructure) appear to be a logical move. In reality, they could be interpreted as attempts to blind defensive capabilities before a kinetic strike and result in overcompensation by the military leadership, leading to not only destruction, but also more confusion.
[7] Considering that neither state has exhibited sophisticated OCOs in a past crisis, an OCO against the adversary’s NC3 would require sufficient groundwork for identification and exploitation of the vulnerabilities of ICT systems. This groundwork would involve preparatory efforts such as finding and utilizing insider assistance to obtain critical technical and operational details, intelligence on the nuclear supply chain as well as sensors, control systems, and embedded software in the NC3 systems, and information about mimicking a legitimate-looking authorization. This is a herculean task, which implies that the probability of such an OCO against the adversary’s NC3 is low at present.
[8] While this enhances transparency, bilateral convergence on thresholds, red lines, and agreed restraints remains absent.
***
Image 1: jaydeep_ via Wikimedia Commons