Operation Sindoor revealed that India's cyber defences can hold the line, but deterrence demands more: a proactive posture, credible attribution, and a long-overdue national strategy
This article is part of the essay series: From Response to Reorientation: One Year of Operation Sindoor
Even before Indian missiles struck the terrorist infrastructure in Pakistan and Pakistan-occupied Jammu and Kashmir on the night of 6-7 May 2025, Pakistan-sponsored threat actors and hackers had undertaken a sustained parallel campaign through a barrage of cyberattacks targeting India following the April 2025 Pahalgam attack. These cyberattacks peaked with the launch of Operation Sindoor. Maharashtra Cyber estimated that there were 10 million intrusions, including Distributed Denial-of-Service (DDoS) attacks, phishing campaigns, and website defacements. Accompanying these cyberattacks, an intense anti-India disinformation campaign powered by deepfakes flooded social media, primarily X (formerly Twitter), and was often amplified by Chinese social media accounts.
These cyber activities neither altered the battlefield dynamics nor changed the outcome for Pakistan. Yet the seamless integration of malicious campaigns and narrative warfare that Pakistan executed stood in stark contrast to India's defensive, reactive cyber posture. This was all the more striking given the steady buildout of Indian cyber capabilities — institutional and operational — over the last decade. A year on, the question is no longer whether gaps in India's cyber posture exist or have been identified, but the degree to which they have been plugged. The concept of cyber deterrence offers a useful framework for assessing this.
Conceptually, cyber deterrence parallels the traditional deterrence framework: shaping the adversary's behaviour by instilling the fear of unacceptable consequences. This happens through deterrence by denial (strong defences) or deterrence by punishment (robust counter- or second-strike capabilities, sanctions, etc.). In cyber deterrence, besides punishment and denial, two other elements are generally included: entanglement (mutual dependencies) and norms (global agreements or taboos). More significantly, operationalising cyber deterrence requires a combination of capability, communication, and credibility. Operation Sindoor stress-tested this logic of deterrence.
Defending Indian Cyberspace
The element of deterrence by denial performed reasonably well during Operation Sindoor. Just days after the Pahalgam attack, the Computer Emergency Response Team-India issued multiple advisories (Advisory CIAD-2025-0018 and CIAD-2025-0019) warning critical infrastructure operators and the financial sector about a surge in threats, including ransomware attacks, DDoS incidents, and malware infections. This prevented large-scale disruptions by Pakistani threat actors and hackers. According to Maharashtra Cyber's assessment, only 150 attacks were successful out of 1.5 million.
However, a far more critical aspect of this reporting was the attribution of these attacks. Unlike previous state-sponsored attacks targeting Indian cyberspace, this was one of the rare instances where an Indian government agency named a country as the perpetrator. Additionally, it noted that many of these attacks were routed through third countries such as Bangladesh, Morocco, and Indonesia in an attempt to mask the Pakistani origin of the attacks. India's record on cyber attribution has been thin, with sensitive intrusions — such as the targeting of power grids by Chinese threat actor RedEcho in 2020 and 2022 — identified by a foreign entity, the American threat intelligence firm Recorded Future, rather than by Indian cybersecurity agencies.
Offensive Capabilities and Punishment
Since the formation of the Defence Cyber Agency in 2019, India has built relatively advanced offensive cyber capabilities. Moreover, there has been steady public reporting of Indian hacking groups targeting Pakistani and Chinese cyberspace. However, during Operation Sindoor, these offensive capabilities were utilised reactively rather than proactively. According to agencies, Indian cyber groups targeted the Pakistan Army Welfare Trust, the Pakistan Air Force's Shaheen Foundation, and the Defence Housing Authority, among other targets. These reported attacks on Pakistani targets were retaliatory, in response to the barrage of Pakistani cyberattacks.
In essence, India exercised punitive cyber measures in retaliation. Notably, Operation Sindoor was the first time that cyber operations unfolded simultaneously with an active military campaign between the two countries.
In August 2025, India declassified its Joint Doctrine for Cyberspace Operations (JDCO), which appeared to incorporate lessons from Operation Sindoor. It noted the two elements of deterrence — denial and punishment.
On deterrence by denial, the doctrine advocates for a "multi-layered resilience" and a "credible cyber defensive posture" sufficient to make adversaries doubt the value of attacking India. As far as deterrence by punishment is concerned, it adopts the concept of "Cyber Deterrence Operations," which can create deception, denial, degradation, disruption, and/or destruction. The JDCO explicitly conceptualises cyber operations as a response option to any inimical action against national sovereignty, and not just cyberattacks. Through this formulation, the doctrine has unambiguously communicated that cyberattacks imperilling national sovereignty will always be met with a response.
This is a meaningful declaration of offensive intent from India in the post-Sindoor cyber environment. However, the formulation remains responsive rather than proactive or initiative-shaping. Moreover, it excludes civilian critical infrastructure, which sits outside its scope. The National Cyber Security Strategy (NCSS), which has been in the works since 2020, was supposed to bridge this gap but has yet to be released.
While India's offensive capabilities are undoubtedly robust and now acknowledged by the JDCO, the reactive posture and the absence of an integrated military-civilian view weaken the overall cyber posture and signalling. Adversaries tend to exploit weak signalling.
On the question of attribution, the doctrine focuses on the challenges of operationalisation. For instance, it notes that attributing operations in cyberspace to specific actors may not always be possible. It highlights that criminals today employ anti-forensics specifically to defeat attribution, and also identifies attribution as a capability gap that the Indian military must address.
While these challenges are pertinent, the ability to publicly and credibly name and shame the perpetrator remains essential — for without it, deterrence loses its value, as punishment, signalling, and the imposition of reputational cost become impossible. Maharashtra Cyber's public attribution during Operation Sindoor — identifying the Pakistani threat actors and the transiting geographies — is therefore significant and should mark the beginning of a change in India's cyber attribution policy. Attribution forms an indispensable element of cyber deterrence.
Artificial Intelligence (AI) and agentic AI are reshaping the cyber threat landscape. State-sponsored threat actors have already weaponised generative AI to augment their malicious activities. The deepfake videos of Indian leaders circulated by Pakistan during Operation Sindoor were harbingers of a graver threat that India will face. In that sense, AI will sharpen every existing weakness — making attribution harder, countering disinformation more difficult, and raising the cost of maintaining undeclared red lines.
Strategic ambiguity, as a feature of nuclear calculus, has benefited India in the past. However, such a posture will not advance Indian interests in the cyber domain, which demands clarity over opacity. Therefore, New Delhi will need to plug the gaps in its cyber posture by expediting the release of the NCSS and ensuring civil-military fusion to tackle cyber threats.
Sameer Patil is the Director of the Centre for Security, Strategy, and Technology at the Observer Research Foundation.
The views expressed above belong to the author(s).