Rapid digital modernization across a large and heterogenous demographic has provided unique economic, social, and developmental opportunities for South Asia. At the same time, this digitization has also birthed a vast array of cyber threats that South Asia’s legal, institutional and policy architecture needs to adapt to relatively quickly.
By examining cyber resilience in South Asia’s two largest digital economies, this essay attempts to take stock of the threats, opportunities, and mitigation measures in India and Pakistan’s civilian cyber and digital ecosystems. A cyber resilience assessment not only considers whether an individual entity is able to respond to a cyber-attack in the short run but also whether these attacks can be resisted and mitigated in the long and medium-term through a broader systemic approach.
The first part of this essay surveys the threats and risks in India and Pakistan’s cyber architecture in a civilian context (that is outside the scope of armed conflict during “peace time”) and the second part of the essay explains the measures that have been taken to counter these risks and evaluates their efficacy.
Cyber Risks and Vulnerabilities
The nature of cyber threats faced by South Asian countries does not differ significantly from those faced by countries in other parts of the world, including developed nations. That said, the scale and impact of these risks in the majority world vary significantly for three reasons.
First, the developed world digitized first and faced an array of cyber threats in the past decade. While facing these threats, their state institutions and the private sector put in place a range of institutional mechanisms that made life more difficult for potential threat actors. Attracted by the nascency of the digital ecosystem and its governance in the majority world, threat actors are now turning their attention to countries where state capacity to counter cyber threats and public awareness for cyber hygiene is still playing catch-up. Second, the sheer scale of the online population in South Asia makes countering cyber threats a significant challenge. India by itself is expected to have 900 million individuals using the internet in 2025, three times the population of the United States, which increases the potential volume and variety of incidents significantly. Third, South Asia is a geopolitically contested region. The fractures in India-Pakistan relations writ large have led to tit-for-tat cyber-attacks conducted by state-supported non-governmental actors on both sides, including as recently as the crisis in May.
“The sheer scale of the online population in South Asia makes countering cyber threats a significant challenge. India by itself is expected to have 900 million individuals using the internet in 2025, three times the population of the United States, which increases the potential volume and variety of incidents significantly.”
The vulnerabilities in India and Pakistan’s cybersecurity architecture include both technical glitches in the hardware or application layer of these systems as well as a lack of human capability or awareness about cybersecurity. This includes low awareness among users as well as individuals managing key cyber systems. Further, while India has a burgeoning domestic cyber security industry providing cyber security solutions and services to enterprises, Pakistan still needs to grow its cyber talent and presently relies on foreign providers. In the words of one analyst, “Without significant local investment in cybersecurity skills, Pakistan’s reliance on foreign technology makes it exposed to external pressures and potential geopolitical influence.”
Cyber threats faced by both countries can be broadly classified into three types:
(1) Attacks on critical infrastructure: Cyber threats to critical infrastructure can stymie the daily functioning of healthcare, financial, or power systems with devastating socio-economic impacts on society today, especially in developing countries. Indian critical infrastructure has been subjected to a larger number of attacks than Pakistan’s, allegedly from China-based attackers. Significant cyber incidents include an attack on the Kundankulam nuclear reactor’s administrative network in 2019, disruption of the IT network of the All India Institute of Medical Sciences in 2022 and a cyber-attack enabled outage of Mumbai’s electricity grid in 2021. All these attacks involved the technically sophisticated positioning of malware into hardware devices and not human error of any form. Pakistan’s electricity grid has also been disrupted a few times with some reports suggesting the involvement of malware placed by India-based threat actors.
(2) Cybercrime: Vulnerable populations in both countries have frequently been subjected to online fraud and harassment. A 2023 study by Visa revealed the pervasive nature of online fraud in Pakistan, including online phishing, online shopping scams and investment scams. This vulnerability stems largely from a lack of human awareness, including among users who broadly know of such scams. The Global Anti-Scam Alliance suggests that Pakistan lost a massive 4.6 percent of its GDP to digital fraud in 2024.
While losses to cyber fraud are estimated to amount to a more moderate 0.7 percent of GDP in India, recent cases of Indian citizens being targeted by scam compounds in Southeast Asia have raised significant concern. Studies also suggest that actors now have greater access to sophisticated tools like artificial intelligence that enables the personalization of phishing attacks using data harvested from social media and other sources. Such incidents have not only detrimental economic impacts but reduce the trust and confidence that users repose in digital systems writ large.
(3) Surveillance: Increasing digital penetration has led to growing surveillance and monitoring of online communications by the governments of both countries. The Indian government has been accused of deploying the Pegasus spyware against journalists, human rights defenders, and opposition figures to conduct electronic surveillance. Journalists in Pakistan equally fear the state gaze in their electronic surveillance, which impacts both their personal and professional lives. Such surveillance leads to a “chilling effect” on speech in both public and private spaces, thus restricting the exercise of free expression online.
Resilience against Cyber Threats
Given the proliferation of risks in the cyber domain, both India and Pakistan have taken several steps to proactively counter and mitigate them. A few are enumerated below:
National Cybersecurity Strategies: As recently as 2021, Pakistan published a National Cyber Security Policy that makes a number of institutional and operational recommendations. The policy centralizes cybersecurity governance through a Cyber Governance Policy Committee and introduces mandatory security standards and risk management processes for critical infrastructure. It also encourages multi-stakeholder collaboration between government, industry, and academia through the Cyber Patriot program, which encourages the public reporting of vulnerabilities.
Across the border, India’s first National Cyber Security Policy was published in 2013 and put forward a number of high-level objectives such as early-warning systems, assurance frameworks, and public-private cooperation. This policy has not been updated since. A process to publish an updated national cybersecurity strategy had commenced in 2020 but the final version is yet to be published for publicly undisclosed reasons. While the 2013 policy identifies some reasoned and well-thought-out objectives, it is outdated given the range of threats and opportunities brought on by emerging technologies like artificial intelligence.
National interpretation of international law: Unlike Pakistan, which published a detailed statement in 2023 outlining how specific provisions of international law apply to cyberspace, India has not yet taken a stance on this issue. While India has actively participated at UN cyber norms discussions, its interventions have been limited to less politically controversial issues such as capacity-building or critical infrastructure.
Institutions: Both India and Pakistan have developed institutions across government to deal effectively with cyber risks. The formalization of the cybersecurity architecture has led to both countries being ranked in Tier-1 of the International Telecommunication Union ITU’s Global Cybersecurity Index. India has set up an office of the National Cyber Security Coordinator within the Prime Minister’s Office to produce cybersecurity advice at the highest level. India’s Computer Emergency Response Team, set up through the Information Technology Act in 2002, has been tasked with detecting and mitigating the fall-out from all cyber incidents with the exception of critical infrastructure sectors, which are handled by the National Critical Information Infrastructure Protection Centre. The Ministry of Home Affairs has also set up the Indian Cyber Crime Coordination Centre to enable law enforcement agencies across the country to coordinate in the fight against cybercrime.
Pakistan’s cyber institutions are more nascent in comparison. Pakistan’s Computer Emergency Response Team was formed only in March 2024 while the National Response Centre for Cyber Crime was set up in 2007. Pakistani scholars suggest that the country’s cybersecurity governance is still evolving, and faces some legal, normative, and capacity gaps.
International cooperation: Both countries have voiced their support for multilateralism and international cooperation on cyber governance issues and participated at both multilateral and multistakeholder fora. However, India has leveraged its geopolitical relationships and institutional experience more effectively to stitch together cyber-specific partnerships and coalitions. India’s CERT, for example, is a member of the global Forum of Incident Response Teams (FIRST), the premier global organization fostering cooperation among cyber incident response teams. Further, the Quad, which includes India, Japan, Australia and the United States, has a Senior Cyber Group that engages in conversations around enhanced cooperation, shared threats in the domain of emerging technologies and joint capacity-building efforts. Pakistan’s cyber institutions are younger and are yet to set international cooperation mechanisms in place but should look to do so quickly in order to build a better understanding of the cyber threat landscape around the world and build domestic capacity.
Funding: Both India and Pakistan have allocated increasing monetary resources to support cyber institutions and further cybersecurity related projects and initiatives. Pakistan has allocated in excess of 10 billion Pakistani rupees (around USD $36 million) to various cybersecurity projects. India’s allocation is unsurprisingly much larger, given its larger budget. The 2025 annual budget allocated around USD $90 million to cybersecurity projects alone and an additional INR 255 crore (USD $29 million) for CERT-IN’s functioning and operation.
Capacity-Building and Awareness Raising: As human error remains one of the biggest vulnerabilities enabling cybercrime, both countries have instituted capacity and awareness raising measures targeting users, especially vulnerable populations. In India, many of these efforts are led by states. For example, Karnataka has put in place a cybersecurity policy and allocated a budget solely focused on capacity-building. The National Commission for Women has teamed up with Meta and the NGO Cyber Peace Foundation to start a “Digital Literacy and Online Safety Programme” targeted at college-going women to enable them to differentiate between credible and suspect information online. Likewise, the State Bank of Pakistan has joined forces with Karandaaz, a financial inclusion organization to implement technical measures such as mobile app security standards such as muti-factor authentication. Karandaaz has also worked on national level awareness campaigns to counter online fraud.
“Notwithstanding geopolitical strife, it is imperative for Pakistan and India to share information and best practices where possible on common threat actors and vulnerabilities that both countries are facing.”
Conclusion and Policy Recommendations
India and Pakistan have acknowledged the strategic benefits of digitization along with the significant costs if these cyber defenses are breached. Both countries have put in place the basic institutional, policy and financial mechanisms needed to proactively detect and respond to a range of cyber threats as outlined above. Yet, cyber threats and associated damage continue unabated. The sheer scale of the challenge requires more nimble and dynamic enforcement with clearer and more transparent coordination among ministries and the private sector. Further, state orchestration or involvement in acts of censorship or online harassment damages national interest in the long run as users cease to trust the rapidly burgeoning digital space. Notwithstanding geopolitical strife, it is imperative for Pakistan and India to share information and best practices where possible on common threat actors and vulnerabilities that both countries are facing.
To overcome ongoing threats and improve enforcement of existing policies and law, this essay concludes with some macro-level policy recommendations for both India and Pakistan. Pakistan has identified and articulated the relevance of cybersecurity as a national policy and strategic priority and called for a ‘whole-of-society’ approach. However, it is yet to operationalize declaratory priorities, either through concrete partnerships with other countries’ cyber institutions or with the private sector. Setting up institutions is important but without proactive partnerships, Pakistan’s institutional posture could be quickly hampered. In fact, public-private partnerships in Pakistan have often been hindered by sectoral and legislative barriers, which would need to be ironed out. Further, the growth of cyber institutions in New Delhi and more recently, Islamabad augurs well for cyber resilience in both countries. However, as other countries have done with some success, it might make sense to anoint a single point of coordination such as a “Cyber Ambassador.” This individual or group could represent India and Pakistan’s respective interests at global fora and negotiations while also actively forging partnerships between government institutions, the private sector and academia at home. India has already set up an Office of the National Cyber Security Coordinator, which is well primed to take on this role.
While India’s cyber institutions and strategic thinking on cyber issues are more advanced than Pakistan’s, New Delhi has refrained from articulating its normative understanding of cyber issues and strategic priorities in a single document or statement. While the absence of a single written document does not undermine the key institutions, domestic legislation, and policy on cyber issues, clearly articulating India’s policy thinking in a cohesive strategy would provide both internal and external stakeholders the opportunity to appreciate India’s perspectives on cyber threats and opportunities. Putting on record the government’s thinking on questions such as cyber partnerships, norms, financing and cyber awareness strategies would augment India’s reputation on cyber issues and fit into its larger quest of being a leading power.
India and Pakistan fare well in their cyber resilience assessment. But threat actors are multiplying and altering their tactics, which calls for continuous vigilance, self-reflection and the dynamic evolution of each country’s strategy.
Views expressed are the author’s own and do not necessarily reflect the positions of South Asian Voices, the Stimson Center, or our supporters.
Also Read: Cyber Quicksand? Uncharted Risks and Escalatory Dynamics in a Future India-Pakistan Crisis
***
Image 1: i-Tech Support
Image 2: Future Link IT
