
Editor’s Note: This essay is part of a series entitled “Cybersecurity Threats, Law, and Norms: Priorities for South Asia,” a collaboration between the Stimson Center Cyber and South Asia programs.
The recent India-Pakistan crisis in May illustrated how cyber and artificial intelligence are being integrated into military combat in the subcontinent, a significant development for South Asia’s fragile strategic stability. Along with an exchange of drone strikes, conventional missile firings, and aerial dogfights, the skirmish continued in the information domain, with Pakistani media reporting that the country’s military cyber wing disrupted a communications network in India, predominantly affecting power distribution lines and government websites. Meanwhile, hackers sympathetic to the Indian government leaked compromised data from Pakistan’s taxation authority and targeted other digital infrastructure.
The active incorporation of cyber operations in this recent crisis, at least as acknowledged in public media reporting on both sides, is a departure from the past. It also raises serious concerns about the challenge of attribution on the subcontinent.
Assigning responsibility for cyber operations comes with political, legal, and technical challenges. First, in hostile India-Pakistan ties, there is limited space to entertain an ill-substantiated or inaccurate attribution, as it risks escalation or creates domestic pressure for retaliation. Second, public attribution may be limited by the lack of well-established national frameworks for doing so. Neither India nor Pakistan currently has an official public attribution policy, making it difficult to assess their evidentiary standards and the validity of their threat intelligence. Limited official documentation of procedures for incident response and forensic capacity suggests caution with regard to the credibility of public attribution. Third, in cyber geopolitics, public attribution is a strategic choice made by decisionmakers on a case-by-case basis. Cyber operations work best when clandestine, and thus attribution is often intentionally restricted to avoid exposing technical capability. This is likely why Pakistan and India have generally approached official public attribution for cyber operations with caution in the past.
The deployment of cyber-attacks complementary to kinetic operations along with unverifiable and potentially premature public attribution could set a dangerous precedent for a strategic environment as hostile and fragile as South Asia.
Thus, in the absence of credible attribution tools and mechanisms, Islamabad and New Delhi would have to firmly resolve to adhere to responsible state behavior in cyberspace by doing the following: 1) establishing a cyber hotline to ensure communication channels are open, 2) supporting the applicability of international law to cyberspace, and 3) committing to non-proliferation of intrusive cyber technologies to non-state Advanced Persistent Threat (APT) groups to conduct cyber operations on their behalf.[1] More broadly for each, institutionalizing their attribution process would ensure transparency and reassurance.
India and Pakistan’s Cyber Doctrines
Even apart from its prominent role in the recent India-Pakistan crisis, cybersecurity has found a significant place in both countries’ national security postures in recent years. In 2019, the then Indian Minister of State for Defence confirmed the development of a defense cyber agency to handle cyber threats in a military context, as well as budgetary allocations for cyber operations. In 2021, India’s former National Security Advisor acknowledged New Delhi’s capability to conduct “cyber sabotage and cyber warfare.” And in 2024, the Indian Ministry of Defence announced a joint doctrine for cyberspace operations, shifting away from the country’s previous policy of strategic ambiguity on the use of cyber in the warfare domain and integrating both defensive and offensive capabilities.[2]
While Pakistan does not have a pronounced cyber doctrine, Islamabad’s national security posture reflects the necessity of integrating cyber capabilities with military operations. Inaugurating the Army’s Cyber Division in 2018, the then Chief of Army Staff articulated that “firepower and cyber have emerged as the mainstay of future war.” Pakistan has also invested in cyber capacity, as the 2021 National Cybersecurity Policy reiterates, to protect national critical infrastructure as well as government information systems.
These policy documents underline that India and Pakistan recognize the importance of investing in cyber capability to uphold their national interests. The next section explores how each state potentially uses these capabilities for strategic gain.
Cyber Capability and Operations
Countries are increasingly employing state capabilities to conduct cyber operations to achieve strategic objectives such as intelligence gathering; Pakistan and India are no different. Over the past few years, each state is alleged to have engaged in malicious and covert cyber activities such as hacking official websites, conducting coordinated phishing campaigns, and cyber espionage. This is done either through state capability or threat actors backed by the state. Publicly available information suggests that APT 36—also known as Transparent Tribe and SideCopy—is a Pakistan-linked APT group, alleged to have conducted cyber espionage particularly in India and Afghanistan. Likewise, APT groups such as Sidewinder and Patchwork are thought to be Indian state-backed threat actors, conducting cyber operations in Pakistan and elsewhere.
While there is limited information publicly available regarding the cyber operations conducted by each side, some sources do point to state acquiescence or support. A report by a Canadian firm revealed that in 2021, the Indian government had allegedly conducted cyber surveillance on Pakistan’s political leaders using the Israeli Pegasus software. India-based hacking groups reportedly continued to target Pakistani government entities in the following years aiming to infiltrate systems and access computer controls.
Similarly, media reports claimed that Pakistan-based hackers had deployed malware against Indian government and defense sectors, attempting to gain access to sensitive information. In 2019, the cyber-attack on India’s nuclear facility, the Kudankulam Nuclear Power Plant, was thought by some analysts to have been perpetrated by Pakistan, though there was no public attribution. The technical attribution by cybersecurity firms pointed to a North Korean state-sponsored entity, the Lazarus Group. This complex picture of the potential use of proxies points to the challenge of attribution in an India-Pakistan context.

The Attribution Challenge
Attribution in cyberspace is the process of identifying and assigning responsibility to threat actors behind the cyber operation or malicious activity. However, attribution is rarely straightforward because, unlike physical crimes, cyber actors can hide behind the anonymity of the internet or impersonate other computers. Threat actors can also remain in the system undetected, silently stealing information through stolen passwords or impersonation.
In terms of technical challenges, the sophistication of an operation, which depends on the actor’s capability, can also make it difficult to trace the activity back to an actor. For instance, during the India-Pakistan crisis in May, the Indian cyber agency Maharashtra Cyber reported a significant surge in cyber-attacks originating from Pakistan as well as from countries like Indonesia, Morocco, and Bangladesh. Routing an operation through a third country is a common and deliberate tactic for obscuring the perpetrator’s identity and origin, since a source IP address is usually the first piece of evidence examined. A well-known global example is the 2018 Olympic Destroyer cyberattack in South Korea, in which Russian threat actors used sophisticated tactics to conceal their identity, deflecting blame toward North Korea and China. Thus, even if one actor appears to be responsible, someone else may be behind the keyboard.
Moreover, technical attribution requires advanced threat intelligence capability, without which attribution can be erroneous and can fall for a “false flag.” For example, the Russian state-linked cyber group Turla recently and allegedly attempted to access data exfiltrated from Indian military networks. Threat intelligence from Microsoft and Lumen’s Black Lotus Labs indicates that Turla compromised the network of the Pakistan-based group SideCopy to spy on the Indian networks. This created a false impression, shifting the blame toward Pakistan. This reiterates that the use of sophisticated techniques in an operation, combined with a lack of advanced forensic analysis capability, can obscure a threat actor’s identity and make attribution a challenge. Even advanced nations struggle to maintain the requisite forensic capacity, so relatively newer cyber entrants like India and Pakistan will have to invest more effort in this space.
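The two preceding paragraphs argue that a source IP address is weak evidence and that infrastructure tied to one group can be hijacked by another. The following is an added illustration, not code from the essay or from any vendor named in it: a toy evidence-weighting model of the kind an analyst might use to keep attribution honest. Evidence classes carry weights that are assumptions for illustration (easily spoofed classes such as source-IP geolocation score low), an indicator whose infrastructure is known to have been compromised by a third party is discounted, and a conclusion only reaches high confidence when several independent evidence classes agree. The actor labels (Country-X, Group-S, Group-T) and the scenarios are constructed.

```python
"""Toy attribution-confidence model (added illustration, not from the essay).

Weights, thresholds and actor labels are assumptions for demonstration only.
"""
from dataclasses import dataclass

# Assumed weights: lower for evidence that is cheap to forge or relay.
CLASS_WEIGHT = {
    "source_ip_geolocation": 0.5,   # trivially masked via hosts in a third country
    "infrastructure_overlap": 1.5,  # domains/IPs previously tied to a group
    "tooling_overlap": 2.0,         # malware family, code reuse, build artefacts
    "ttp_overlap": 2.0,             # tradecraft and targeting pattern
    "victimology": 1.0,             # who was hit, consistent with a group's history
}

# Discount applied when the infrastructure behind an indicator is known to have
# been hijacked by another actor (the Turla/SideCopy pattern described above).
COMPROMISED_INFRA_FACTOR = 0.25


@dataclass
class Indicator:
    evidence_class: str
    points_to: str                 # candidate actor the indicator suggests
    compromised_infra: bool = False


def score_candidates(indicators):
    """Sum weighted evidence per candidate; track independent evidence classes."""
    scores, classes = {}, {}
    for ind in indicators:
        weight = CLASS_WEIGHT[ind.evidence_class]
        if ind.compromised_infra:
            weight *= COMPROMISED_INFRA_FACTOR
        scores[ind.points_to] = scores.get(ind.points_to, 0.0) + weight
        classes.setdefault(ind.points_to, set()).add(ind.evidence_class)
    return scores, classes


def assess(indicators):
    """Return (leading candidate, confidence level) for a set of indicators.

    High confidence needs a dominant share of the evidence AND at least three
    independent evidence classes; a single class, however loud, stays low.
    """
    scores, classes = score_candidates(indicators)
    if not scores:
        return ("unattributed", "none")
    leader = max(scores, key=scores.get)
    share = scores[leader] / sum(scores.values())
    independent = len(classes[leader])
    if share >= 0.7 and independent >= 3:
        return (leader, "high")
    if share >= 0.55 and independent >= 2:
        return (leader, "moderate")
    return (leader, "low")


# Constructed scenario 1: only source IPs, all geolocating to one country.
IP_ONLY = [Indicator("source_ip_geolocation", "Country-X") for _ in range(3)]

# Constructed scenario 2: infrastructure, tooling and tradecraft all agree.
CONSISTENT_OVERLAP = [
    Indicator("infrastructure_overlap", "Group-S"),
    Indicator("tooling_overlap", "Group-S"),
    Indicator("ttp_overlap", "Group-S"),
]


def hijacked_scenario(flag_compromise):
    """Constructed scenario 3: infrastructure and victims point to Group-S,
    but the malware points to Group-T. With flag_compromise=True the analyst
    knows Group-S's infrastructure was hijacked, and the picture changes."""
    return [
        Indicator("infrastructure_overlap", "Group-S", compromised_infra=flag_compromise),
        Indicator("victimology", "Group-S"),
        Indicator("tooling_overlap", "Group-T"),
    ]


if __name__ == "__main__":
    print("ip only        :", assess(IP_ONLY))
    print("consistent     :", assess(CONSISTENT_OVERLAP))
    print("hijack unknown :", assess(hijacked_scenario(False)))
    print("hijack known   :", assess(hijacked_scenario(True)))
```

Running the scenarios shows the essay's point in numbers: three consistent source IPs still yield only low confidence; three agreeing evidence classes yield high confidence; and in the hijacked case the leading candidate flips from Group-S to Group-T once the compromise is known, while confidence drops to low because the remaining evidence for Group-T comes from a single class.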
The key legal challenge India and Pakistan face regarding attribution is the lack of a transparent and credible attribution framework. Unlike some countries, India and Pakistan do not have a formal attribution policy, making it difficult for independent analysts to assess the validity of their institutional processes. In practice, the process involves a loose network of agencies coordinating technical and intelligence findings, raising concerns about the lack of consistent and verifiable evidentiary standards. It was in highlighting some of these challenges that Pakistan’s 2023 position on the applicability of international law in cyberspace emphasized cross-border coordination and global cooperation to ensure substantiated attribution. A lack of consistent evidentiary standards complicates attribution and can leave such efforts open to criticism as politically motivated, making it critical for India and Pakistan to address this lacuna.
This leads to the political challenge of attribution. The United States and Five Eyes allies often attribute cyber-attacks when they need to reinforce international pressure on political adversaries or justify policy shifts. New Delhi and Islamabad have approached attribution rather cautiously. Though there are multiple reasons for this, the obvious one is to avoid jumping the gun and pointing to an adversary, which may create a particularly dangerous scenario of escalation.
Redefining Crises and Stability in South Asia
Attribution uncertainty creates costs for stability in South Asia and risks escalation in a future India-Pakistan crisis. Both countries share a hostile past and a tense strategic environment, leaving limited room for misunderstanding and miscalculation. A misattributed cyber operation, especially on or near critical nuclear infrastructure, could be destabilizing, tarnishing trust on both sides and instilling doubt. Misperceptions about the intent of a cyber operation could lead to retaliatory action, especially if it is interpreted as a deliberate act of aggression. Pakistan’s 2021 Cyber Security Policy explicitly states that a cyberattack on critical infrastructure would be regarded as an act of aggression and met with an appropriate response.
Another predicament is the question of a proportionate response to an offensive cyber intrusion conducted by a state or state-linked threat actors without clear attribution. This is a conundrum faced by states globally, not just India and Pakistan. Determining what constitutes a proportionate response in cyberspace currently lies at the discretion of the state. Some countries have included the principle of proportionality in formal statements explaining how they interpret international law as applying to their conduct in cyberspace. In its 2023 statement, Pakistan acknowledges proportionality as applying in the context of conflict and international humanitarian law, but does not otherwise present views on response. India has not yet published a national statement. Such norms and behavior are either unaddressed or awaiting legal applicability in international frameworks. For the complicated security environment of South Asia, the integration of cyber capability without legal clarity is thus worrisome. In times of active conflict, cyber operations, including information and influence operations, can create a fog of war for decisionmakers and undermine the process of crisis management. Persistent cyber intrusions could further erode trust and undo the confidence-building measures (CBMs) already in place between India and Pakistan. Given that nuclear CBMs between India and Pakistan are already tenuous, a potential cyber-attack or even a data breach could be misperceived as altering the balance of power.
Policy Recommendations
To ensure that cyber does not introduce yet another element of uncertainty and that the precarious balance of power is maintained on the subcontinent, policymakers in India and Pakistan should:
Establish a cyber hotline: Cyber operations can perpetuate misperception and misunderstanding, especially given attribution challenges. Rapid communication during a cyber crisis is therefore critical. Both countries could exchange doctrines, ensure technical cooperation, and maintain a contact directory for use in a crisis. Cyber CBMs, including hotlines and dedicated focal points for exchange, can also enhance a sense of predictability.
Support the applicability of international law to cyberspace: While there is consensus across the board that international law applies to cyberspace, states are still discussing how core legal principles and existing commitments, such as the non-use of force, proportionality, sovereignty, and due diligence, apply to cyberspace. Islamabad and New Delhi are advised to actively adhere to international and bilateral negotiations, such as the UN’s recently launched Global Mechanism on ICTs, successor to the Open-ended Working Group on security of and in the use of information and communications technologies. Pakistan published its national position paper in 2023 outlining the applicability of international law. India could follow suit, to maintain accountability and transparency.
Commit to restraining proliferation of offensive intrusion capabilities: To dodge attribution and accountability, states often employ non-state APT groups to conduct cyber operations on their behalf. This results in the proliferation of sophisticated intrusive cyber technologies and capabilities to non-state threat actors who are not bound by the rules and norms of state responsibility. Cyber operations through non-state APT actors help maintain plausible deniability. India and Pakistan should refrain from transferring capabilities to non-state APT groups in order to ensure responsible state behavior and maintain stability.
Institutionalize attribution: To ensure responsible state behavior, both India and Pakistan should consider improving their attribution process. Institutionalizing the process and detailing their evidentiary standards to substantiate the findings will build confidence in their intelligence and threat assessments. Publishing a national attribution policy would explain the objectives behind disclosing a breach or attack, beyond merely aiming for political scoring. Further, both states could also benefit from investing in legal and technical capacity-building for attribution, including in collaboration with private entities and multilateral partnerships.
As their decades-long hostilities spill over into cyberspace, there is likely a higher probability of cyber operations increasing in an India-Pakistan context. Realizing the serious implications of cyber threats to strategic stability, Pakistan and India are advised to seriously engage in the measures above that would reduce misperception, increase accountability and transparency, and indicate their commitments to the norms and practices of international law and responsible state behavior during conflict and peace time.
Views expressed are the author’s own and do not necessarily reflect the positions of South Asian Voices, the Stimson Center, or our supporters.
[1] Advanced Persistent Threat (APT) groups are state-sponsored threat actors who are well-funded and conduct long-term cyber operations against their victims, i.e., political adversaries. States use APT groups for various objectives such as cyber espionage, influence operations, and critical information theft.
[2] The difference between offensive and defensive cyber capabilities is the purpose they are used for. Defensive capabilities, as the name suggests, are used for building resilience. The aim is to build capacity to protect and respond, minimizing risks and mitigating cyber threats. Offensive capabilities are used to deny, disrupt, and degrade or destroy the adversary’s systems or networks for military or strategic purposes. However, the nature of cyberspace makes it difficult to neatly distinguish between offensive and defensive actions; some activities, like those carried out by security researchers for the purpose of testing for vulnerabilities, could be viewed as an offensive action.