CYBERTERRORISM AND STATE-SPONSORED CYBERATTACKS IN INDIA: LEGAL GAPS, NATIONAL SECURITY, AND POLICY CHALLENGES

Introduction

India is one of the world’s leading digital economies, having a $402 billion digital economy and over 971 million internet users. Despite its digital growth, India has faced a sharp rise in ransomware, phishing, and other cyberattacks between 2019 and 2023, making India’s cyberspace among the most targeted globally.[1] Cyberterrorism is the use of digital networks to support terrorist activities, such as propaganda, data theft, or disruption of critical systems. A widespread power outage in Mumbai in 2020 was allegedly caused by a state-sponsored hack. At the same time, terrorist organisations such as “Lashkar-e-Taiba” and other non-state actors are using free communication tools and false online personas to coordinate with their accomplices and carry out terrorist actions. This blog examines India’s legal readiness and policy reaction to cyberterrorism and state-sponsored cyberattacks rather than offering a technical explanation of cyber activities.

Cyberterrorism and State-Sponsored Cyberattacks in India

Significant cyber incidents have already occurred in India, some of which may have had connections to foreign entities. Important examples include:[2]

1. Union Bank of India SWIFT hack in 2016:

In an attempt to steal approximately ₹1,100 crore (USD 171 million) using SWIFT, hackers employed malware through a phishing email attack. Before it was discovered, the stolen money was transferred through accounts in Taiwan, Thailand, and Cambodia. This was one of India’s biggest banking cyber heists.

2. Kudankulam Nuclear Plant breach in 2019:

The Kudankulam Nuclear Power Plant’s administration networks were reportedly compromised, according to cybersecurity researchers, by a North Korea-linked cyber group known as “Lazarus.” This incident indicates that nuclear power plants can be vulnerable to cyberattacks even if no damage has been confirmed.

3. Mumbai power blackout in 2020:

During the peak of the COVID-19 outbreak in October 2020, a significant portion of Mumbai went without power. An examination suggested that malware installed by the Chinese-linked hacker group RedEcho was allegedly responsible for the power failure. The outages affected water and healthcare facilities, showing the impact on citizens.

India’s Legal Framework on Cyberterrorism    

India’s main legal weapon against cyberterrorism is the “Information Technology Act, 2000.[3] The IT Act’s Section 66F,[4] which” was only added in 2008, defines “cyber terrorism” for the first time and prescribes harsh punishments, including life in prison, for attacks on critical systems or data that are intended to endanger national sovereignty or cause death or serious injury. Sections 43 and 66 criminalise data theft and hacking.[5]  “The Indian Penal Code[6] and the Unlawful Activities (Prevention) Act, 1967,[7] deal with funding and other generic aspects of terrorism,” but they don’t fully cover offences unique to cyberspace. Enforcement authorities have also received support from the government. In 2019, Parliament amended the National Investigation Agency Act.[8] to allow the NIA to investigate Section 66F cases. Central organisations like I4C and CERT-In were created to coordinate cybercrimes, and an internet platform called the National Cyber Crime Reporting platform was launched for reporting offences.[9]

Despite this, experts believe the framework has several deficiencies. Since 2013, the first National Cyber Security Policy has been considered outdated and largely theoretical. As a result, there is also a perceived weakness in the manner in which existing legislation combats ransomware, the Internet of Things, and fake news on social media. Since India has not joined the Budapest Convention on Cybercrime, which has been criticised for potentially limiting international extradition and evidence sharing, there is also a lack of international cooperation. In summary, India has laws to combat cyberterrorism and agencies to carry out these laws face implementation and coordination challenges when considering cyberthreats from an international perspective.

Legal and Policy Gaps in Addressing Cyberattacks

Despite having institutional procedures and legislative safeguards, India’s response to cyberterrorism has a number of legal and policy flaws.[10]

1. Outdated Policy Structure:

NCSP 2013 is outdated and does not address modern threats. Additionally, there are no practical defences against emerging threats like ransomware, APTs, or IoT vulnerabilities under this strategy. Despite being written, a new plan known as the NCSS 2020 has not been officially approved. As a result, India lacks a thorough, cutting-edge cybersecurity plan.

2. Fragmented Enforcement:

India lacks a comprehensive and dedicated cyberterrorism statute beyond the limited scope of Section 66F.[11] In general, IPC and UAPA are often relied upon alongside the IT Act, a commercial-oriented act. Thus, cyberattacks are often treated as ordinary cybercrime unless linked to terrorism. There is no dedicated legal framework to address state-sponsored cyber warfare. According to cybersecurity and legal experts, Indian policy is largely reactionary, emphasising punishment following an offence rather than being proactive and occasionally broad enough to impact civil liberties.

3. Jurisdictional & Cooperation Issues:

Cyberspace has no boundaries, but the law does not reflect these large treaties, like “the Budapest Convention on Cybercrime, ” which have not yet been ratified.” Additionally, it lacks a policy on how it should react to cross-border cyber wars. When hacking incidents are committed by a competing country, it does not assign blame. It does not want it to escalate the conflict.

4. Private Sector and Public Awareness:

In India, the private sector runs several vital industries, including healthcare, energy, and banking. Before the DPDP Act, the introduction of mandatory disclosure of breaches and cyber incident notification remained unregulated. Because of this, many incidents, especially those involving the private sector, probably go unreported or unaddressed. Furthermore, ransomware and phishing take advantage of the general lack of cyber understanding.

National Security Implications for India

Cyberterrorism and state-sponsored cyberattacks are crucial to India’s national security, not merely technological problems:

1. Critical Infrastructure Risks:

Cities may be affected and their social and economic systems paralysed by attacks on financial, transportation, water, and electricity infrastructure. This was demonstrated by the 2020 RedEcho attack on Mumbai, which affected emergency services and hospitals. According to Kaspersky, such attacks in the future might target essential services like transportation, water, and power in order to cause chaos.

2. Economic and Social Impact:

Financial losses can result from ransomware and cyberattacks, like the one that happened to Union Bank. Confidence may be damaged if the RBI or stock markets are successfully targeted. India’s competitiveness may also be impacted by cyberattacks on businesses, such as intellectual property theft or sabotage. “Although the Digital Personal Data Protection Act, 2023,[12] focuses on individual privacy,” it does not comprehensively address national security threats arising from cyberterrorism and state-sponsored attacks.

3. Defence and Military Concerns:

The military’s increased use of computer networks raises the risk of state-sponsored hackers attacking the nation’s military command or disclosing private information. In reality, attacking naval or missile command systems may be considered an “act of war,” particularly if the strike resulted in damage. Under established principles of international law reflected in the UN Charter, such actions may amount to an unlawful use of force. The Indian military has officially acknowledged cyberwarfare as a threat.

4. Deterrence and Diplomacy:

It becomes challenging to deter adversaries since attribution is difficult. Compared to the US and the UK, India publicly names fewer offenders, which could give these attackers even more confidence. It is a security dilemma in that cyber-attacks are evolving quietly, creating uncertainty. Analysts have maintained that such hacks undoubtedly undermine strategic stability in the absence of clear standards and mechanisms for retaliation.

conclusion

While the Indian economy has benefited greatly from technological advancements, it has also become more vulnerable to cyberattacks. Cyberterrorism and state-sponsored cyberattacks are now dangers to vital systems like government operations, banks, and power corporations. Despite the existence of organisations like CERT-In and I4C, as well as regulations like the Information Technology Act and UAPA, the current laws are insufficient to address contemporary cyber threats. Because of these outdated rules and inconsistent enforcement, cyberattacks continue to pose a threat to India’s economy and national safety. Therefore, India must update cyberterrorism laws, improve international cooperation, and strengthen public-private coordination.

Author(s) Name: Gungun Sharma (Prestige Institute of Management and Research, Department of Law, Indore)

References:

[1] Tejas Bharadwaj, Mapping India’s Cybersecurity Administration in 2025 (Carnegie Endowment for International Peace, 1 September 2025) https://carnegieendowment.org/research/2025/09/mapping-indias-cybersecurity-administration-in-2025?lang=en accessed 17 January 2026.

[2]Amit Rangi, ‘Cyber Terrorism in Indian Law’ (2025) International Journal of Environmental Sciences Vol 11 No 11s https://theaspd.com/index.php/ijes/article/download/1507/1220/2944 accessed 17 January 2026.

[3] Information Technology Act 2000 (Act No 21 of 2000.

[4] Information Technology Act 2000 (Act No 21 of 2000) s 66F.

[5] Information Technology Act 2000 (Act No 21 of 2000) s 43 and s 66.

[6] Indian Penal Code 1860 (Act No 45 of 1860).

[7] Unlawful Activities (Prevention) Act 1967 (Act No 37 of 1967).

[8] National Investigation Agency Act 2008 (Act No 2 of 2009).

[9]Ministry of Home Affairs, Unstarred Question No 2153 to be answered on 20 December 2022: Cross-border Terrorism and Cyber Crimes (Lok Sabha, Government of India, 20 December 2022) https://sansad.in/getFile/loksabhaquestions/annex/1710/AU2153.pdf?source=pqals accessed 17 January 2026.

[10] Anuradha Chakraborty and Sanyogita Tiwari, An analytical study on challenges and gaps in India’s cyber security framework (2025) 5(1) International Journal of Criminal, Common and Statutory Law 04–07 https://www.criminallawjournal.org/article/110/5-1-3-412.pdf accessed 15 January 2026.

[11] Information Technology Act 2000 (Act No 21 of 2000) s 66F.

[12] Digital Personal Data Protection Act 2023.