India Cybersecurity Strategy 2026 — UPSC GS3 Internal Security: CII Protection, CERT-In, NCIIPC, DPDP Act and Mains Answer Templates

Last Updated: May 2026 | UPSC GS3 — Internal Security & Science & Technology | Pillar Article

India recorded over 15.92 lakh cybersecurity incidents in 2024 as per CERT-In data, with critical sectors absorbing 41% of high-severity attacks. India's cybersecurity strategy is one of the most testable GS3 themes for UPSC CSE 2026 Mains, sitting at the crossroads of internal security, science & technology, and economy. The Digital India Act draft, the National Cyber Security Strategy 2027 timeline, and the rise of AI-enabled threat surfaces have made this a rapidly evolving examination area. This pillar article covers the institutional architecture, key legislations, threat landscape, recent attacks, and a Mains answer-writing template.

Why Cybersecurity Is a GS3 Priority in 2026

The shift to digital public infrastructure (Aadhaar, UPI, DigiLocker, ABDM) has expanded India’s attack surface dramatically. UPI alone clocked over 17,200 crore transactions worth Rs 246 lakh crore in FY 2024-25. Each transaction is a potential vector. The Cooperative Bank ransomware incidents, the AIIMS Delhi server attack of 2022, and the SpiceJet/Air India breaches show that critical information infrastructure (CII) is repeatedly targeted by both state-sponsored actors and organised crime syndicates.

Institutional Architecture (Memorise This Table for Prelims + Mains)

| Body | Year | Mandate | Reports To |
|---|---|---|---|
| CERT-In | 2004 | National incident response, advisories, vulnerability tracking | MeitY |
| NCIIPC | 2014 | Critical Information Infrastructure Protection (Sec 70A IT Act) | NTRO / PMO |
| I4C (Indian Cyber Crime Coordination Centre) | 2018 | Citizen-facing cybercrime, helpline 1930, Sahyog portal | MHA |
| National Cyber Security Coordinator (NCSC) | 2014 | Inter-agency coordination, policy advisor to PM | NSCS |
| NCSAP / NCRB Cyber Cells | | State-level FIR registration, investigation | State DGPs |
| Defence Cyber Agency (DCyA) | 2019 | Tri-Service military cyber operations | HQ IDS / CDS |
| NTRO TARANG | 2017+ | Technical surveillance, signals intelligence | NSA |

Legislative Framework

The legislative pillars for India’s cyber regime are:

  • Information Technology Act 2000 — Section 43A (data protection compensation), Section 66 (hacking), Section 66F (cyber terrorism), Section 69 (interception), Section 70 (protected systems), Section 70A (NCIIPC), Section 70B (CERT-In).
  • Digital Personal Data Protection (DPDP) Act 2023 — operational draft rules notified January 2025, establishes Data Protection Board, defines significant data fiduciaries, and prescribes penalties up to Rs 250 crore.
  • CERT-In Directions April 2022 — mandatory 6-hour incident reporting, 180-day log retention, KYC for VPN/VPS providers.
  • Telecommunications Act 2023 — replaced Telegraph Act, includes lawful interception, OTT clarity pending in rules.
  • Bharatiya Nyaya Sanhita 2023 — Section 111 (organised crime), Section 113 (terrorist act) include cyber attacks within scope.
  • Digital India Act (Draft) — proposed replacement for IT Act 2000, awaited.

Threat Landscape — Current Affairs Hooks for May 2026

The threat surface has evolved through five distinct vectors that examiners reward when cited specifically:

  1. Ransomware-as-a-Service (RaaS) — LockBit, BlackCat, and the rise of Indian-targeting affiliates.
  2. State-sponsored APTs — APT41, Bitter, Mustang Panda, and Sidewinder targeting defence and energy.
  3. Supply chain attacks — SolarWinds-style compromises now affecting Indian financial institutions.
  4. AI-enabled phishing & deepfakes — Voice cloning attacks on banking customers; the 2024 Lok Sabha election deepfake incidents.
  5. Critical infrastructure targeting — Mumbai grid blackout October 2020 (RedEcho), AIIMS Delhi 2022, oil refinery probes 2024-25.

National Cyber Security Strategy — Status

The successor to the National Cyber Security Policy 2013 has been in the drafting/review pipeline for over five years. Key proposals that have leaked into the public domain include a unified cyber command, 0.25% of GDP allocation for cyber defence, mandatory cyber audit for listed companies, and a national cyber registry. The Strategy was expected to be released ahead of UPSC Mains 2026 — aspirants should verify the exact release date in their final revision.

Comparison: India vs Global Cyber Powers

| Country | Lead Agency | Cyber Defence Spend (% GDP est.) | Major Doctrine |
|---|---|---|---|
| USA | CISA + USCYBERCOM | 0.30%+ | Defend Forward, Persistent Engagement |
| China | SSF (Strategic Support Force) | Classified, est. 0.40% | Information Dominance |
| Israel | INCD + Unit 8200 | 0.50%+ | Active Cyber Defence |
| UK | NCSC + GCHQ | 0.20% | Active Cyber Defence Programme |
| India | NCIIPC + DCyA + CERT-In | ~0.05% (est.) | Pending NCSS — defensive posture |

Mains Answer Writing Template (GS3 — 250 words / 15 marks)

Question: “Critical Information Infrastructure has emerged as the new battleground of asymmetric warfare. Examine the institutional and legal preparedness of India to safeguard its CII.” (2026, GS3, 250 words)

Structure:

  1. Intro (40 words): Define CII per Section 70 IT Act + cite one current incident (e.g., AIIMS Delhi 2022 / oil refinery probe 2025).
  2. Body Part 1 — Institutional Preparedness (80 words): NCIIPC mandate, sectoral CISOs, DCyA, CERT-In’s 6-hour rule. Mention the inter-agency coordination through NCSC.
  3. Body Part 2 — Legal Preparedness (60 words): Section 70/70A IT Act, DPDP Act 2023, BNS Section 111. Note absence of dedicated cyber-warfare statute and pending Digital India Act.
  4. Body Part 3 — Gaps (40 words): Talent shortage (15K cyber professionals vs 1.5L need), absence of bug-bounty culture, low cyber-defence GDP allocation, federal-state fragmentation.
  5. Way Forward (30 words): Operationalise NCSS, unified Cyber Command, mandatory cyber audits for listed entities, public-private threat-sharing platform.

Recent High-Impact Indian Incidents (2022-2025)

  • AIIMS Delhi (Nov 2022) — Five servers encrypted; 14-day patient record outage. Attribution probable to Chinese APT.
  • Mumbai Power Grid (Oct 2020) — Linked to RedEcho group; revealed CII vulnerability in SCADA systems.
  • SpiceJet (May 2022) — Slot-booking ransomware; flights delayed 6+ hours.
  • Air India (May 2021) — 4.5 million passenger records leaked via SITA breach.
  • Cooperative Bank Ransomware Wave (2023-24) — RBI mandate on cyber insurance for banks tightened after these incidents.
  • BSNL Data Leak (May 2024) — Reported 278 GB of subscriber data on dark web marketplaces.

Way Forward — Five Lever Framework

  1. Capacity — Triple cyber-defence budget; create 1.5 lakh trained professionals via dedicated NIELIT-IIT-IIIT pipeline.
  2. Coordination — Operationalise unified Cyber Command at CDS level; harmonise CERT-In + NCIIPC + DCyA mandates.
  3. Compliance — Mandatory annual cyber audit for all CII operators and listed entities above Rs 500 crore turnover.
  4. Cooperation — Active participation in QUAD Cyber Group, ITU norms, Budapest Convention (after careful review).
  5. Citizen Awareness — Scale Cyber Surakshit Bharat, helpline 1930 reach, school curriculum integration.

FAQs

Q1. What is Critical Information Infrastructure (CII) under Indian law?

CII is defined under Section 70 of the IT Act 2000 as any computer resource whose incapacitation or destruction shall have a debilitating impact on national security, economy, public health, or safety. Power, banking, telecom, transport, e-governance, and strategic public enterprises are notified as CII sectors.

Q2. Which agency is the nodal CII protection body in India?

The National Critical Information Infrastructure Protection Centre (NCIIPC), set up in 2014 under Section 70A of the IT Act, is the designated CII protection body. It functions under the National Technical Research Organisation (NTRO).

Q3. What is the difference between CERT-In and NCIIPC?

CERT-In handles general national incident response across all sectors and operates under MeitY. NCIIPC focuses exclusively on protecting notified critical sectors and operates under NTRO. CERT-In’s 2022 directions mandate 6-hour incident reporting; NCIIPC sets sector-specific security baselines for CII operators.

Q4. What is the DPDP Act 2023 and how does it relate to cybersecurity?

The Digital Personal Data Protection Act 2023 establishes data fiduciary obligations including security safeguards, breach notification to the Data Protection Board, and penalties up to Rs 250 crore. It complements the IT Act’s Section 43A by codifying citizen rights and creating an enforcement architecture, directly linking data protection with cybersecurity practice.

Q5. Why is cybersecurity asked in GS3 and not GS2?

The UPSC syllabus places cybersecurity under GS3 — Internal Security (“challenges to internal security through communication networks, role of media and social networking sites in internal security, basics of cyber security, money laundering”). It also overlaps with GS3 Science & Technology when discussing emerging tech like AI in cyber operations.
