India’s digital frontlines have been tested repeatedly in the first half of 2024. A string of high-profile data exposures and targeted intrusions against public sector portals, law enforcement applications, and health sector systems has exposed the brittle seams where information technology and public safety meet. That trend is not merely an IT problem. It is the signature of hybrid threat activity, in which cyber operations are used to shape perceptions, extract sensitive data, and create conditions for kinetic escalation or political pressure.

Two categories of incidents make the point sharply. First, compromises of citizen-facing government and police services create immediate operational risk to individuals and long-term erosion of trust in state platforms. The breach of the Telangana Police Hawk Eye app in late May exposed hundreds of thousands of SOS requests and incident reports, including location coordinates and contact details, demonstrating how operational policing data can be weaponized against the people it is meant to protect.

Second, large scale leaks of health and identity related data change the attack surface for the entire country. The fallout from the widely reported 2023 exposure of COVID testing and related records connected to ICMR remains an operational lesson in how aggregated datasets can persist in threat actor marketplaces and be repurposed for fraud, influence campaigns, or more direct targeting.

At the same time the criminal ransomware ecosystem reemerged in force during spring 2024, with major actors resurfacing after disruption operations and pivoting to high value targets worldwide. The LockBit family and other ransomware operations reasserted themselves in May, underscoring the persistent potency of organized cyber extortion and the value adversaries place on Indian targets. Those developments undermine continuity of services and increase the geopolitical risk profile for critical sectors.

Taken together, these events show why India needs a purpose-built hybrid threat policy that treats cyber incidents as integrated with information operations, supply chain risk, and kinetic readiness. Below I outline pragmatic policy steps that are achievable within existing institutional frameworks while also pushing for systemic modernization.

1) Reorient governance around hybrid threat risk

  • Establish a consolidated hybrid threat cell that layers civilian CERT functions, the Defence Cyber Agency, and national intelligence analytic capabilities for coordinated detection, attribution, and response. The Defence Cyber Agency already provides tri-service operational cyber capability and can and should be more tightly coupled with civilian incident responders for rapid escalation when national security implications emerge.

  • Move beyond ad hoc alerts to standing playbooks that define thresholds for escalation from CERT-In, critical information infrastructure owners, state police, and defence entities. Clear rules of engagement will shorten response time and reduce confusion when incidents affect cross-domain systems such as emergency services, medical networks, or transportation control systems.

2) Harden citizen-facing services and critical data stores

  • Mandate baseline secure development and deployment controls for any public sector app that collects PII or operational data. Requirements should include threat modeling, authenticated API access, secret management rules that forbid hard-coded credentials, periodic third party code review, and a requirement that vulnerable endpoints be removed from public exposure within strict timeboxes. Incidents like the Hawk Eye leak highlight the consequences when those basics are not enforced.
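Three of the controls listed above (authenticated access to public endpoints, no hard-coded credentials, and a timebox for removing vulnerable endpoints from public exposure) can be expressed as machine-checkable rules and enforced as a deployment gate. The following is an added illustration, not code from the article or from any government system; the service manifest schema, its field names, the secret-reference syntax and the sample values are all assumptions constructed for the example.

```python
"""Pre-deployment policy gate for a citizen-facing service manifest.

Added illustration: encodes three baseline controls as rules and runs them
over a constructed manifest. The manifest schema, field names, the
"${vault:...}" secret-reference convention and all sample values are
assumptions made for this example.
"""
import re
from datetime import date

# Config keys whose values are credential-like and must be referenced, not embedded.
SECRET_KEYS = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.I)
# Assumed indirection syntax pointing at a secret store instead of a literal value.
SECRET_REF = re.compile(r"^\$\{(vault|secret|env):[A-Za-z0-9_./-]+\}$")

def check_endpoints(manifest):
    """Rule 1: every publicly exposed endpoint must require authentication."""
    findings = []
    for ep in manifest.get("endpoints", []):
        if ep.get("exposure") == "public" and not ep.get("auth"):
            findings.append(f"unauthenticated public endpoint: {ep['method']} {ep['path']}")
    return findings

def check_secrets(manifest):
    """Rule 2: configuration may reference secrets, never embed them literally."""
    findings = []
    for key, value in manifest.get("config", {}).items():
        if SECRET_KEYS.search(key) and not SECRET_REF.match(str(value)):
            findings.append(f"hard-coded credential in config key '{key}'")
    return findings

def check_exposure_timebox(manifest, today_iso, max_days=14):
    """Rule 3: an endpoint with a reported vulnerability must leave public
    exposure within max_days of the report (the timebox is an assumed value)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for ep in manifest.get("endpoints", []):
        reported = ep.get("vuln_reported")
        if reported and ep.get("exposure") == "public":
            age = (today - date.fromisoformat(reported)).days
            if age > max_days:
                findings.append(f"vulnerable endpoint still public after {age} days: {ep['path']}")
    return findings

def gate(manifest, today_iso):
    """Run all rules; a single finding fails the deployment."""
    findings = (check_endpoints(manifest)
                + check_secrets(manifest)
                + check_exposure_timebox(manifest, today_iso))
    return {"pass": not findings, "findings": findings}

# Constructed sample manifest; every value here is illustrative only.
SAMPLE_MANIFEST = {
    "service": "incident-reporting-api",
    "endpoints": [
        {"method": "POST", "path": "/v1/sos", "exposure": "public", "auth": "bearer-jwt"},
        {"method": "GET", "path": "/v1/reports", "exposure": "public", "auth": None},
        {"method": "GET", "path": "/v1/admin/export", "exposure": "public",
         "auth": "bearer-jwt", "vuln_reported": "2024-05-01"},
    ],
    "config": {
        "db_host": "db.internal",
        "db_password": "${vault:incident-api/db}",          # referenced: allowed
        "maps_api_key": "EXAMPLE-not-a-real-key-0123456789",  # literal: flagged
    },
}

if __name__ == "__main__":
    result = gate(SAMPLE_MANIFEST, "2024-06-01")
    print("PASS" if result["pass"] else "FAIL")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the sample on 2024-06-01 the gate fails with three findings: the unauthenticated `/v1/reports` endpoint, the literal `maps_api_key`, and the export endpoint still public 31 days after its vulnerability was reported. The point of wiring such checks into the release pipeline rather than a periodic audit is that the control fires before exposure, not after a leak.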

  • Require encryption at rest and in transit for all databases holding health, identity, or law enforcement records. Combine that with mandatory logging and tamper-evident audit trails so that forensic timelines can be reconstructed without delay.
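A tamper-evident audit trail is what makes the "reconstruct forensic timelines without delay" requirement real: if every record commits to the hash of the record before it, an after-the-fact edit, deletion or reordering breaks the chain at a specific, reportable position. The block below is an added example, not code from the article or from any production logging system; the record fields, the sample events and the "export of 120000 rows" scenario are constructed for illustration.

```python
"""Tamper-evident audit trail as a SHA-256 hash chain.

Added illustration: each entry stores the previous entry's hash, so verify()
pinpoints the first sequence number at which the chain no longer matches.
Field names and sample records are constructed for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # hash value that the first entry links back to

def _digest(prev_hash, seq, record):
    # Canonical JSON so that an identical record always hashes identically.
    body = json.dumps({"seq": seq, "record": record, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, record):
    """Append a record, linking it to the current head; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "prev": prev, "hash": _digest(prev, seq, record)}
    chain.append(entry)
    return entry["hash"]

def verify(chain, anchored_head=None):
    """Return (ok, first_bad_seq). first_bad_seq is None when the chain is intact.

    anchored_head is the head hash recorded out-of-band (write-once storage or a
    remote notary); without it, silently dropping the newest entries is undetectable."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(prev, i, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)  # tail truncated or chain head replaced
    return True, None

def timeline(chain, actor=None):
    """Reconstruct an ordered forensic timeline, optionally filtered by actor."""
    return [(e["record"]["ts"], e["record"]["actor"], e["record"]["action"])
            for e in chain if actor is None or e["record"]["actor"] == actor]

# Constructed sample events against a records database (illustrative values only).
SAMPLE_EVENTS = [
    {"ts": "2024-05-28T09:00:00Z", "actor": "svc-ingest", "action": "insert", "table": "sos_requests"},
    {"ts": "2024-05-28T09:05:12Z", "actor": "analyst-7", "action": "read", "table": "sos_requests"},
    {"ts": "2024-05-28T09:06:40Z", "actor": "analyst-7", "action": "export", "table": "sos_requests", "rows": 120000},
    {"ts": "2024-05-28T09:07:01Z", "actor": "analyst-7", "action": "delete", "table": "audit_tmp"},
]

def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain

def detect_edit_demo():
    """Rewriting one stored record (here, shrinking the export volume) is caught at seq 2."""
    chain = build_sample_chain()
    ok_before, _ = verify(chain)
    chain[2]["record"]["rows"] = 12
    ok_after, bad_seq = verify(chain)
    return ok_before, ok_after, bad_seq

def detect_truncation_demo():
    """Dropping the newest entry passes a bare chain check but fails against the anchored head."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    chain.pop()
    return verify(chain)[0], verify(chain, anchored_head=head)

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))
    print("analyst-7 timeline:", timeline(chain, "analyst-7"))
    print("edit detected at:", detect_edit_demo())
    print("truncation detected:", detect_truncation_demo())
```

The second demo is the caveat a practitioner should keep in mind: a hash chain alone proves internal consistency, not completeness. Periodically publishing the head hash to write-once storage (or to CERT-In or a peer agency as a notary) is what turns "the last four entries are missing" into a detectable event rather than a silent one.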

3) Segment and protect operational technology and critical infrastructure

  • Apply strict IT-OT separation and network microsegmentation for utilities, healthcare providers, and transport control centers. Where full air gaps are impractical, deploy robust unidirectional gateways, application allow lists, and strong multi-factor authentication on all administrative interfaces.

  • Institute regular red team exercises that include chained attack scenarios from phishing to lateral movement to OT impact. These exercises should be sector prioritized and incorporate public private participation.

4) Elevate supply chain and third party risk management

  • Make vendor security ratings and demonstrated secure development lifecycle practices mandatory for procurement of software and managed services for government systems. Contracts must include breach notification clauses, escrow arrangements, and the right to audit.

  • Provide certification fast tracks for domestic security providers to reduce the temptation to import insecure or opaque solutions.

5) Expand resilient operational practices: backups, recovery, and incident drills

  • Enforce immutable, offline backups and verified restores for all critical public sector systems. The cost of reliable recovery plans is far lower than the operational and reputational cost of prolonged outages.

  • Run joint national recovery exercises at least annually that simulate ransomware, data exfiltration, and wide-scale misinformation operations tied to cyber incidents.

6) Build tailored workforce and reserve capacity

  • Create a national cyber reserve model to augment incident response capacity during surge events. The reserve should include cleared contractors, academic teams, and certified volunteers organized under standard operating procedures so they can be activated quickly.

  • Incentivize professional training pipelines and rotations between government, defence, and private sector CERTs to close the talent gap.

7) Strengthen information sharing and protective intelligence

  • Mandate timely, anonymized telemetry sharing between large network operators, cloud providers, and CERT-In while protecting privacy. Rapid sharing of indicators of compromise (IoCs) prevents adversaries from reusing the same infrastructure and tooling at scale against smaller targets.

  • Fund regional threat intelligence fusion centers that aggregate open source, commercial, and government telemetry into actionable alerts for states and municipal agencies.

8) Protect the information environment: counter disinformation and safeguard elections

  • Treat election periods as elevated threat windows and require targeted threat hygiene campaigns for all election administrators and media professionals. Technology vendors working with election infrastructure should be certified and monitored for supply chain integrity.

  • Support broad-based public digital literacy programs so citizens can better identify deepfakes and influence operations, which will almost certainly accompany major cyber incidents.

9) Legal and procurement reforms to enable speed and accountability

  • Create a fast track for emergency cybersecurity spend and rapid recruitment during incident surges. Procurement rules must balance oversight with the need for immediate mitigation during a crisis.

  • Introduce standard mandatory breach reporting timelines to CERT-In that distinguish between routine incidents and those with national security or hybrid threat implications. Clear classification reduces under-reporting and normalizes cross-agency action.

10) Diplomacy and norms: pursue multilateral restraint and attribution pathways

  • Push for regional incident attribution channels and a framework for crisis deconfliction. Attribution alone rarely deters; it must be paired with coordinated diplomatic consequences and signalling mechanisms that raise the political cost of cross-border operations.

  • Invest in alliances for law enforcement cooperation that can follow money flows, seize infrastructure, and bring ransomware operators and enablers to justice. The international disruption campaigns against high profile ransomware operators in 2024 show the value of coordinated action.

Conclusion

India cannot treat cyber incidents as isolated technical failures. They are increasingly integrated into hybrid campaigns that combine data theft, service disruption, and narrative shaping to achieve strategic effect. The policy agenda I lay out prioritizes rapid detection, resilient operations, and institutional integration so the state can protect citizens and maintain strategic stability. Implementation will require investment and difficult governance tradeoffs. The alternative is a slow drift into a permanent reactive posture where each new breach raises the stakes for the next. The time to harden and reorganize is now.