PDF Download 
Ayyappan Rajesh, “A Strategic Framework for Mitigating Electronic Hardware-Related National Security Risks in India,” ORF Occasional Paper No. 530, Observer Research Foundation, March 2026.
In the twenty-first century, the global contest for power and influence is increasingly being waged not on traditional battlefields, but within the intricate pathways of global supply chains. Control over hardware and the silicon that powers the modern world has become a defining element of national strength, transforming electronic components from mere commodities into potent vectors for espionage, sabotage, and geopolitical leverage. The highly interconnected and globalised nature of electronics manufacturing, while a triumph of economic efficiency, has simultaneously created a landscape of profound vulnerability. A single, compromised microchip, a malicious firmware update, or a backdoor embedded in the right network equipment can undermine the integrity of an entire nation's critical infrastructure.[1]
This new reality demands a fundamental shift in the understanding of national security. The focus must expand beyond software-based cybersecurity to encompass the physical integrity of the hardware itself. Foreign-manufactured hardware, sourced from countries with opaque or adversarial geopolitical interests, can be weaponised in ways that are difficult to detect and catastrophic in their potential impact. These components can be designed for surveillance, enabling persistent data exfiltration of state secrets or sensitive commercial information. They can be engineered with hidden ‘kill switches’ or backdoors, allowing a foreign power to remotely disrupt or disable essential services such as power grids, communication networks, or financial systems at a time of heightened geopolitical tension. This capability to compromise hardware supply chains represents one of the most strategically valuable tools in modern statecraft, offering persistent, covert access that traditional cyberattacks cannot replicate. Therefore, hardware security is no longer a niche technical concern but a paramount strategic imperative for any nation seeking to safeguard its sovereignty.
For India, this global hardware security challenge is particularly acute. The nation is navigating a dual imperative: the urgent need to fuel rapid economic growth and advance its 'Digital India' vision, which requires a massive influx of electronic hardware, set against the stark reality of its deep and widening import dependency. The challenge for New Delhi is to secure the foundations of the country’s digital future without stifling the growth it is designed to support. This precarious balance makes the development of a robust national hardware security strategy not just prudent, but also essential for India's survival and success in the digital age.
The concept of ‘value-chain dependency’ is central to understanding India's specific vulnerability. It describes a situation where a nation may appear to be advancing its domestic manufacturing capabilities yet remains critically reliant on imports for the most technologically complex and strategically significant components. This creates a dangerous illusion of self-reliance. While India has achieved notable success in the lower-value assembly of finished goods, particularly mobile phones, the core intelligence and control systems of its vital sectors, such as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, are often sourced from abroad. Consequently, even as domestic production figures for finished goods rise, the most severe national security risks, which reside in sophisticated components such as core network processors, advanced microchips, and industrial control systems, remain largely unmitigated.
Current data shows the depth of this dependency,[2] with a NITI Aayog study[3] observing that India imports nearly 80 percent of its electronic components, including semiconductors, printed circuit boards (PCBs), and other critical hardware.[4] The scale of this exposure is immense and only growing. India's semiconductor imports nearly doubled in a single year, from US$8.1 billion to an estimated US$15.6 billion in 2022, and have increased by 92 percent over the past three years.[5]
This dependency is geographically concentrated, with 70 percent of India's electronics imports originating from China and Hong Kong, and another 13 percent from Singapore, which is a trans-shipment hub for Chinese goods.[6] This heavy reliance on a single geographical region, particularly on a nation with which India has active border disputes and a history of cyber conflict, transforms a commercial dependency into a direct national security threat. Foreign entities, through control over critical hardware, can gain leverage over sensitive sectors, making them vulnerable to sabotage or espionage. As India pursues its ambition to become an economic powerhouse, the very hardware enabling this growth could become its Achilles' heel.
A systematic audit of India's critical national infrastructure reveals the pervasive and deep-seated nature of this hardware-based risk. The vulnerability is not uniform but is present across all key sectors, creating a systemic threat to the nation's stability and security.
The telecommunications network―the veritable backbone of the 'Digital India' initiative is built upon foreign technology. Critical components such as core network routers, switches, and base stations are predominantly imported. Analysis reveals that Chinese equipment from vendors such as Huawei and ZTE accounts for around 30 percent of Bharti Airtel’s network infrastructure and 40 percent of Vodafone Idea’s, as well as 40 percent of BSNL’s 3G network.[7] This deep entrenchment of foreign hardware from a country like China makes comprehensive rip-and-replace strategies[a] both financially prohibitive and logistically disruptive. This reality underpins the government's current policy―the National Security Directive on Telecommunication Sector (NSDTS)―which prioritises vetting new procurements over mandating the replacement of existing equipment, thereby leaving a vast legacy attack surface intact.
India's energy sector confronts a new and less visible threat in its reliance on foreign hardware. The nation's power grid is increasingly managed by imported Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which are the central nervous systems of grid operations. The government's ambitious plan to roll out 250 million smart meters by 2027, a project representing an estimated US$20-billion opportunity in energy management, relies heavily on imported devices.[8]
The Indian government and industry bodies have raised specific concerns that smart meters and grid controllers sourced from China could be compromised with spyware or malware, enabling remote manipulation or even the collapse of an entire power grid. The highly interconnected nature of the grid means that a single vulnerable component can trigger a cascading failure, making the hardware supply chain a critical point of failure for national energy security.
Despite a concerted push under the 'Make in India' initiative, which has increased domestic production to account for nearly 65 percent of defence procurement, India remains one of the world's largest importers of arms.[9] Key strategic platforms and weaponry are sourced from a diverse set of countries, including Russia, France, the United States (US), and Israel. The primary vulnerability lies not in the platforms themselves, but in the complex, often opaque supply chains of their embedded electronic subsystems.[10]
As per a member of India’s security establishment, there are persistent fears about undocumented microchips or compromised components being inserted into imported defence systems, potentially acting as ‘kill switches’ or backdoors for espionage and sabotage. The ongoing struggle to develop indigenous critical technologies underscores the persistent technological gap that perpetuates this strategic dependency.
The hardware infrastructure that underpins India's vast and rapidly digitising financial sector is substantially foreign-sourced.[11] This includes the network of automated teller machines (ATMs), point-of-sale (PoS) devices that facilitate daily commerce, and the powerful networking equipment, servers, and storage systems within data centres that process billions of transactions daily. While the Reserve Bank of India (RBI) is a well-regarded regulator and foreign investment in the banking sector is being cautiously encouraged, the physical hardware layer presents a systemic risk. A sophisticated hardware-based compromise could bypass software security measures, leading to catastrophic data breaches, financial theft, or a disruption in the entire financial system, undermining public confidence and economic stability.
India's ambitious Smart Cities Mission, designed to modernise urban infrastructure, explicitly relies on foreign collaboration and technology.[12] While this accelerates development, it also embeds foreign hardware deep within critical urban systems. This risk is amplified by the strategic objectives of nations such as China, whose Digital Silk Road (DSR) initiative uses smart city projects as a primary vehicle for its geoeconomic statecraft, aiming to export its technology and create dependency by integrating nations into its digital supply chains. A key part of this strategy involves building the foundational digital backbone of entire regions, including critical undersea cables and 5G networks, according Beijing considerable influence over regional data flows.[13]
This vulnerability extends directly to the nation’s maritime infrastructure. As crucial hubs for trade, Indian ports are prime targets for cyber espionage and ransomware, with expert analyses highlighting significant security gaps.[14] Many ports operate on outdated legacy systems, lack comprehensive cybersecurity audits, and face new risks from the push towards automation and digitisation. The presence of foreign-made hardware in critical port operations, such as container scanners and automated cranes, heightens fears that embedded backdoors could be used for sabotage or espionage, risks that are magnified by rising geopolitical tensions with China. The proliferation of Internet of Things (IoT) devices in both smart cities and ports, from smart streetlights to automated cargo solutions, substantially expands the potential attack surface, posing direct threats to citizen privacy, public safety, and economic stability.[15],[16]
India's increasing healthcare digitisation, especially with regard to telemedicine and digital hospitals, heightens hardware-based national security risks. Critical medical infrastructure relies heavily on imported components, creating vulnerabilities. Chinese-made medical devices, flagged by domestic manufacturers, pose a threat due to potential embedded surveillance chips and software that could compromise patient data and institutional integrity. Industry bodies such as the Association of Indian Medical Device Industry (AiMeD) call for urgent government intervention, including stringent security vetting and quality audits for imported devices, particularly from China.[17] This highlights hardware supply chain security as a paramount national security imperative.
The threat extends deep into India's industrial base, particularly the chemical sector, which is vital for the national economy. Modern chemical facilities are increasingly reliant on the convergence of information technology (IT) and operational technology (OT), using imported ICS and SCADA hardware[b] to manage sensitive and hazardous processes. This creates a vulnerability wherein a cyberattack targeting these hardware systems could have catastrophic physical consequences, such as triggering explosions, releasing toxic materials, or sabotaging production. The lack of robust, sector-specific cybersecurity guidelines for OT systems in this domain leaves many facilities ill-prepared to counter sophisticated hardware-based threats, making them an attractive target for state-sponsored actors seeking to inflict economic and physical damage.[18]
The threat posed by compromised hardware is no longer in the realm of the theoretical; it is a documented reality demonstrated by high-profile global incidents and increasingly observed within India's own borders. A crucial pattern emerges from these cases: the nature of the threat is evolving from simple espionage into ‘pre-positioning’ of disruptive capabilities.[19] Adversaries are today not just seeking to steal data; they are aiming to secure persistent, deep-level access that can be activated for strategic effect during a future geopolitical crisis.[20] This shift makes threat detection far more difficult, as it requires looking for dormant implants and hidden backdoors, a task for which India's current security posture is ill-equipped.[21],[22]
The 2018 Bloomberg Businessweek report, “The Big Hack”, sent shockwaves through the global technology industry as it alleged that Chinese intelligence operatives had infiltrated the supply chain of Supermicro, a server motherboard manufacturer, to implant tiny, malicious microchips on boards destined for companies such as Apple and Amazon.[23] According to the report, these rice grain-sized chips were designed to create a stealthy backdoor into the companies' networks, enabling long-term access to high-value corporate secrets and sensitive government data.
The story was met with immediate and vehement denials from all implicated parties, including Apple, Amazon, and Supermicro itself, all of which said they conducted rigorous internal investigations and found no evidence to support the claims.[24] The US and UK government agencies also stated they were not aware of such a hack.[25] To this day, the allegations remain unproven and highly contested, with many experts suggesting the story may have conflated separate incidents involving firmware vulnerabilities. However, the ultimate significance of the Supermicro affair lies not in its veracity, but in its plausibility. It forced governments and corporations worldwide to confront the tangible possibility of a hardware-based supply chain attack at scale.[26]
The global effort to restrict Huawei from 5G networks highlights the security risks of relying on hardware from companies tied to foreign adversaries. Concerns, led by the US and its Five Eyes partners,[c] centre on the fear that Huawei’s equipment could enable Chinese government surveillance. These fears are reinforced by the founder’s ties to the Chinese military[27] and by China’s 2017 National Intelligence Law,[28] which requires all organisations to support state intelligence work. Huawei has also been accused of intellectual property theft and violations of international sanctions. In response, countries including the US, the UK, Australia, Japan, and India have imposed full or partial bans on its equipment.[29]
India's power sector has become a primary target for hardware-related cyber threats, making it a live battlefield in the digital domain. In June 2020, in the immediate aftermath of the deadly Galwan Valley clashes, the Indian government explicitly acknowledged these when Power Minister R.K. Singh stated that imported equipment, particularly from China, could contain malware or Trojan horses designed to trigger grid failures.[30] This led to a policy mandating that all power equipment imported from China undergo thorough checks for such malicious implants. These fears were substantiated by credible intelligence and documented incidents.[31]
A report from threat intelligence firm Recorded Future detailed a sustained campaign by a Chinese state-sponsored group targeting India's power grid infrastructure.[32] The activity involved likely network intrusions at no fewer than seven Indian State Load Despatch Centres (SLDCs) in the Himalayan region, using the modular backdoor malware known as ShadowPad. The Indian government later confirmed that Chinese hackers had made unsuccessful attempts to disrupt electricity distribution centres near Ladakh.[33]
The threat in the defence sector has been starkly illustrated by recent events involving unmanned aerial vehicles (UAVs). In a move in February 2025, the Indian government scrapped contracts for 400 drones, worth approximately INR 230 crore (US$27.5 million), after it was discovered that the drones, supplied by domestic vendors, contained Chinese-made components.[34] This action was prompted by severe cybersecurity concerns, including the risk that adversaries could exploit 'backdoors' in the electronics to seize control of or extract sensitive data from the drones during sensitive operations. A backdoor in critical systems, especially in navigation or communications units, poses an even greater threat, as it could compromise both mission integrity and situational awareness in real-time.
These fears were amplified by a media report on 23 August 2024 that detailed hacking incidents where sabotage was suspected. A defence official, referred to in news reports, described two separate cases: “In the first case, the drones refused to take off and, in the second case, the drones veered off course and entered Pakistani territory after ‘people across the border’ took control of those drones.”[35] In 2025, as a response, the military is enforcing a zero-tolerance policy, banning Chinese components from military equipment and mandating stringent audits and certifications to ensure the security of its drone fleet.[36]
The rapid proliferation of IoT devices in India's consumer and public spheres has created a vast and porous new attack surface, with documented security weaknesses serving as a canary in the coal mine, foreshadowing systemic hardware and firmware vulnerabilities. India's Computer Emergency Response Team (CERT-In) has issued alerts on specific products, such as a vulnerability in certain IoT doorbells that could allow a local attacker to perform unauthorised activities.
More alarming incidents have demonstrated the potential for large-scale compromise. In one instance, researchers exploited vulnerabilities in the telematics systems used by Indian automobile manufacturers to gain control of over 600 internet-connected vehicles across metropolitan cities such as Mumbai, Pune, Hyderabad, Visakhapatnam, and Bengaluru, demonstrating the ability to track their real-time location and even remotely control them.[37] These incidents prove that even non-critical, commercially available hardware can be a powerful vector for mass surveillance and data exfiltration, undermining both individual privacy and public safety.
In response to the growing threat from compromised hardware, India has deployed a dual strategy: building a self-reliant domestic manufacturing ecosystem while simultaneously implementing regulatory frameworks to secure its import-dependent supply chains. This approach is spearheaded by flagship programmes such as 'Make in India' and the Production-Linked Incentive (PLI) scheme, complemented by targeted security directives.
Launched a decade ago, the 'Make in India' initiative has aimed to transform the country into a global manufacturing hub, achieving notable success in specific, policy-driven sectors. Beyond headline growth in electronics, with production soaring to INR 11.3 lakh crore (US$127.59 billion),[38] the initiative has fostered a domestic drone ecosystem driven by the liberalised Drone Rules, 2021[39] and incentive schemes. Propelled by national security concerns and 'Atmanirbhar Bharat' (Self-Reliant India),[40] domestic manufacturing of advanced defence equipment has surged, including platforms such as the Tejas fighter jet[41] and Garuda Aerospace's drones.[42] Similarly, Indian brands such as CP Plus and Vintron are now significant players in CCTV camera production, substantially reducing import dependency.[43]
However, critics argue that this growth often represents low-value final assembly of imported components instead of deep, export-oriented manufacturing. Deeper structural impediments remain a barrier for investors, including complex land acquisition laws, labour regulations, and tax environment, hindering the initiative's broader transformative potential.
The PLI scheme is the government's primary tool for incentivising domestic manufacturing. The schemes for large-scale electronics manufacturing (LSEM)[44] and IT hardware offer fiscal incentives, typically ranging from four percent to six percent of incremental sales over a base year, to companies that manufacture in India. The initial PLI for IT hardware,[45] launched in 2021 with an INR 7,350 crore (US$828.84 million) outlay, met with a lukewarm response. This prompted the government to launch PLI 2.0 in 2023,[46] more than doubling the budget to INR 17,000 crore (US$1.92 billion) and increasing the average incentive to about five percent over six years.
The schemes have achieved notable successes. They have been instrumental in attracting global giants such as Foxconn, HP, and Dell to either set up or expand their manufacturing operations in India. The most visible impact has been in mobile phone manufacturing, wherein exports have surged at a compound annual growth rate of 78 percent since the scheme's introduction, rising from INR 22,870 crore (US$2.59 billion) in 2020–2021[47] to INR 1.2 lakh crore (US$13.56 billion) in 2023–2024.[48] However, this success is largely confined to assembly. The schemes have been less effective at fostering deep value addition, and India remains heavily dependent on imports for key components such as PCBs, camera modules, and displays, with a significant portion sourced from China.[49]
c. The Strategic Imperative: Confronting Semiconductor Dependency
While these initiatives have boosted local assembly, they have not resolved India's most critical strategic vulnerability: an almost total dependence on imported semiconductors. This dependency is not merely a trade imbalance; it is a national security risk that leaves the country dangerously exposed. The extreme concentration of advanced semiconductor manufacturing creates a fragile global chokepoint, with over 90 percent of the world's sub-10 nm semiconductors produced by a single company, TSMC, in Taiwan.[50] A regional conflict or natural disaster in this single location could halt the global supply of critical technology overnight.
In an era of great-power competition, this supply chain is no longer just a commercial network; it has been actively weaponised. The US-China tech war provides a stark illustration, where the US has leveraged its control over chip design software and manufacturing equipment to impose crippling export controls on Chinese technology giants. These actions were formalised in October 2022, when the Department of Commerce’s Bureau of Industry and Security implemented sweeping restrictions to curtail China's ability to both purchase and manufacture high-end chips with military applications.[51] These policies were intensified in 2025, effectively cutting China off from the global supply of the most advanced semiconductors and the equipment needed to produce them.[52] This demonstrates that access to chips is now a potent tool of statecraft. This unilateral approach, however, also created friction with key US allies such as Japan and the Netherlands, whose own industries were deeply integrated into these global supply chains, demonstrating the disruptive and far-reaching consequences of such policies.[53]
For India, this vulnerability is existential. A foreign adversary could potentially replicate these tactics, restricting or denying access to the foundational technology that underpins the nation's most critical ambitions. A chip embargo could halt the production lines, derail the national 5G infrastructure rollout, and even hinder the development of India's AI ecosystem. This creates the intolerable risk that a foreign power could hold a virtual ‘kill switch’ over India's economy and security, fundamentally compromising its strategic autonomy. In a future border crisis, an adversary could exert immense non-military pressure by threatening India's access to these components, forcing it to negotiate from a position of weakness. This acute and unacceptable vulnerability created the urgent strategic imperative for a targeted, mission-mode policy: the India Semiconductor Mission (ISM).
The ISM is India's most ambitious and direct attempt yet to enter the strategic field of semiconductor manufacturing. Launched in 2021 with a massive financial outlay of INR 76,000 crore (US$8.64 billion), the Mission aims to create a comprehensive ecosystem for semiconductors and display fabrication, propelling the country towards technological leadership and reduced import dependence.[54] The policy offers fiscal support, including covering up to 50 percent of the project cost for approved facilities.[55]
While initial progress was deliberative, the Mission has now gained momentum. As of August 2025, the government has approved 10 semiconductor projects with a cumulative investment of around INR 1.60 lakh crore (US$18.18 billion) across six states.[56] This progress is evident across the ecosystem. A pivotal early success came in June 2023 with the approval of Micron Technology's ATMP plant in Sanand, estimated at INR 22,516 crore (US$2.56 billion). This was followed by a wave of approvals in February 2024, including India's first commercial semiconductor fabrication plant by Tata Electronics in Dholera for INR 91,000 crore (US$10.34 billion), a Tata ATMP facility in Assam for INR 27,000 crore (US$3.07 billion), and a CG Power ATMP unit in Sanand fir INR 7,600 crore (US$860 million).[57]
These foundational approvals set the stage for 2025, a year that has seen the Mission transition from policy to tangible production. On 28 August 2025, the Mission's first commercial facility under the new policy―the CG Power OSAT (Outsourced Semiconductor Assembly and Test) pilot line―was inaugurated in Sanand, Gujarat. The significance of this progress was a central theme at the Semicon India 2025 conference. At the same event, a separate, historic milestone was celebrated: the presentation of the Vikram-32 microprocessor to the Prime Minister.[58] This chip, designed by the Indian Space Research Organisation (ISRO) and fully fabricated and packaged at the government's Semiconductor Laboratory (SCL) in Mohali, represents India's established indigenous capability and was presented as a symbol of the nation's progress. Concurrently, Micron has commenced pilot production at its ‘mini-plant’ in Sanand, and construction is visibly underway at the Tata Electronics fabrication plant in Dholera, slated for operations in the 2026–2027 timeframe.[59],[60]
Beyond these projects, the government demonstrated a sophisticated, long-term strategy in August 2025 by approving four new semiconductor projects. With a combined investment of approximately INR 4,600 crore (US$520 million),[61] this new batch signals a clear intent to diversify the ecosystem beyond mature-node logic chips. The approvals include India's first commercial Silicon Carbide (SiC) fabrication plant by SiCSem in Odisha, a critical component for high-power devices used in electric vehicles and power grids. This was complemented by approvals for advanced packaging facilities (3D Glass Solutions and ASIP Technologies) and an expansion for discrete semiconductors by Continental Device (CDIL), all of which are crucial for building a complete and resilient domestic supply chain.
The Mission is successfully building a robust 'fabless' ecosystem and talent pipeline. The Chips to Startup (C2S) programme has provided critical Electronic Design Automation (EDA) tools to 278 academic institutions and 72 startups. This focus on indigenous R&D has already yielded tangible results, with 20 chips from 17 institutions fabricated so far. Complementing this, the Design-Linked Incentive (DLI) scheme, with an outlay of INR 1,000 crore (US$120 million), has sanctioned 23 domestic chip design projects to boost 'designed-in-India' intellectual property.[62] Furthermore, a new All India Council for Technical Education (AICTE) curriculum for VLSI and IC manufacturing is being rolled out with the goal of developing 85,000 skilled engineers over the next decade.[63] Together, these projects and human capital initiatives represent a notable positive step towards achieving strategic self-reliance in a critical technology sector.
However, this self-reliance in manufacturing is critically dependent on a secure supply of raw materials. To address this vulnerability, the government has launched the parallel and complementary National Critical Minerals Mission (NCMM).
The NCMM,[64] formally announced with a list of 30 critical minerals, including lithium, cobalt, gallium, germanium, and other rare-earth elements, marks a foundational shift from passive import reliance to active resource security for the nation. The Mission's primary objective is to secure a resilient supply chain for those materials, which are essential inputs for electronics, semiconductors, defence, and clean energy transition.
Launched in 2025 for a seven-year period from 2024–2025 to 2030–2031, the NCMM operates on several pillars with a proposed expenditure of INR 16,300 crore (US$1.84 billion) and is expected to attract an additional INR 18,000 crore (US$2.03 billion) from public sector undertakings and other stakeholders.[65]
Domestically, the government has initiated the first auctions of critical mineral blocks. This is complemented by an international strategy to acquire mineral assets abroad and forge supply chain agreements through mechanisms such as the Minerals Security Partnership.
Furthermore, the policy aims to move India up the value chain by promoting domestic processing, refining, and recycling. This is supported by an INR 1,500 crore (US$169.5 million) incentive scheme, which aims to build 270-kilo tonne in annual recycling capacity and generate nearly 70,000 jobs. To drive breakthroughs, the Mission has established seven new Centres of Excellence (CoEs) and set a target to file 1,000 new patents by 2030.[66]
The NSDTS, effective since 15 June 2021, is India's most direct policy response to the hardware security threat in a critical sector. It mandates that telecom service providers (TSPs) can connect to their networks only new equipment designated as a 'trusted product' from a 'trusted source.' This framework aims to classify telecom products and their sources into 'trusted' and 'non-trusted' categories to maintain the integrity of the supply chain. The institutional mechanism involves a list of trusted vendors being determined by the National Cyber Security Coordinator (NCSC), based on the approval of the National Security Committee on Telecom (NSCT), which is headed by the Deputy National Security Adviser.[67]
The Trusted Telecom Portal[d] serves as the operational arm of the NSDTS. It is a web-based platform where TSPs must register the details of the vendors and products they intend to procure. The portal facilitates the evaluation process and only approved products can be deployed. While the portal streamlines the compliance process for new procurements, its primary limitation is its scope. The directive does not explicitly mandate replacement of existing equipment already inducted into the networks, nor does it affect ongoing annual maintenance contracts. This leaves a significant legacy attack surface vulnerable, a compromise that acknowledges the immense cost and disruption a full rip-and-replace mandate would entail.[68]
Demonstrating a significant policy evolution, the Indian Computer Emergency Response Team (CERT-In) has expanded its compliance framework well beyond software. New technical guidelines now mandate a more holistic ‘Bill of Materials’ (BOM) approach,[69] explicitly covering hardware (HBOM), AI (AIBOM), cryptography (CBOM), and quantum computing (QBOM). This shift directly confronts the hardware-level vulnerabilities identified in this report, moving India’s security posture from a software-centric view to a full-stack assessment.
To address the pervasive risks identified in the rapidly expanding IoT ecosystem, the government has established a dedicated certification framework. The Internet of Things Security Certification Scheme (IoTSCS)[70] is administered by the Standardisation Testing and Quality Certification (STQC) Directorate, a body under the Ministry of Electronics and Information Technology (MeitY). This scheme provides an 'Essential Requirements' clearance for IoT devices, creating a baseline for security and data privacy. By setting standards for various parameters, from secure data transmission to device hardening, the IoTSCS aims to build trust in connected devices and mitigate the risks of mass surveillance and disruption highlighted by recent vulnerabilities in consumer and public IoT products.
e. Active Assurance through Nodal Agencies
A key component of India's counter-strategy involves the active monitoring and auditing functions performed by its nodal agencies. CERT-In and the National Critical Information Infrastructure Protection Centre (NCIIPC) are tasked with carrying out regular cybersecurity audits.[71] The scale of these efforts highlights the government's proactive stance in identifying vulnerabilities across vital sectors, as demonstrated by recent data.
Table 1: Cybersecurity Audits of Critical Infrastructure Sectors (FY 2024–2025)
| Sector | CERT-In Security Audits | NCIIPC Audits |
| Power and Energy | 1,579 | 46 |
| Transport | 582 | 3 |
| Banking, Financial Services, and Insurance (BFSI) | 7,547 | 41 |
Source: Press Information Bureau, Government of India, 2025[72]
Complementing government regulations, industry-led efforts are beginning to address the foundational gaps in India's hardware security ecosystem. A key example is the Cybersecurity Hardware and Embedded Systems Repository and Directory (C-HERD) initiative by the Data Security Council of India (DSCI). This programme aims to create a national hub for hardware security by promoting research, fostering a talent pool of security researchers, and developing tools for hardware system assurance. In collaboration with academic partners such as IIT Kharagpur and IIT Madras, C-HERD focuses on the comprehensive security evaluation of hardware components, developing next-generation cryptography and incubating hardware security startups. By focusing on both supply chain security analysis and commercialisation of secure domestic IP, the initiative directly tackles the threat detection and ecosystem immaturity challenges outlined in this paper.[73]
The performance of India's counter-strategy is mixed. On one hand, policies have successfully catalysed a boom in local assembly, particularly for smartphones, and have attracted marquee global manufacturers. The government has set an ambitious goal to meet up to 70 percent of the country's IT hardware demand through domestic production within the next three years.[74] Yet, this growth has not translated into self-reliance in strategic components. The ecosystem for true indigenous manufacturing, from chip design and fabrication to other high-value parts, is still nascent.
Attempts to enforce stricter import controls have often been met with industry backlash and subsequently diluted. For example, a plan to restrict laptop imports[75] was softened into a mere monitoring system after concerns were raised about supply chain disruptions and price hikes. This reveals a fundamental tension between the government's protectionist security goals and prevailing market realities, casting doubt on the feasibility of its ambitious domestic production targets.
Despite ambitious policies and a great degree of government attention, India's quest for hardware security and self-reliance is hindered by a set of deep, interconnected foundational challenges. These systemic weaknesses create a vicious cycle: the lack of a mature manufacturing ecosystem deters investment and prevents the creation of high-skilled jobs, which in turn leads to a brain drain of talent, further weakening the ecosystem. Addressing these issues requires more than just financial incentives; it demands a holistic, long-term strategy that tackles capital, skills, threat detection, and the entire supply chain simultaneously.
The primary obstacle to India establishing a semiconductor industry has historically been a lack of decisive political will. While high-technology manufacturing is capital-intensive, with a single modern fabrication plant costing billions of dollars, the financial challenge is made insurmountable by policy failure. For decades, potential investors faced an environment of uncertainty, marred by inconsistent funding cycles and bureaucratic delays.[76],[77] This instability is toxic to the long-term, high-risk investment that semiconductor manufacturing demands.
A prime example occurred in 2007, when Intel was actively considering India for a multi-billion-dollar semiconductor plant. The investment ultimately went to other countries. Intel's then chairman, Craig Barrett, later confirmed that the decision was due to the government's inefficiency in handling semiconductor manufacturing proposals.[78] This policy paralysis was a clear signal to the market that the necessary government partnership was absent.
The recent flurry of successful project announcements, such as the Tata Group's fabrication plant in Dholera, signals a fundamental shift in this dynamic. This progress is a direct result of stronger political will, now formalised as the INR 76,000-crore (US$10-billion) India Semiconductor Mission (ISM).[79] By committing massive and stable financial backing, including covering up to 50 percent of project costs, the government is finally providing the credible, long-term commitment that the private sector requires.[80] This has, in turn, unlocked the private capital that was previously, and justifiably, hesitant to engage.[81]
Perhaps the most critical bottleneck is the shortage of a skilled workforce. While India produces a vast number of engineering graduates annually, a huge gap exists between academic qualifications and industry requirements. Industry experts estimate that very few graduates are "industry-ready" and most require one to two years of intensive on-the-job training. The electronics sector is projected to require millions of new workers by 2028, but it currently faces a massive deficit of trained professionals.[82] This shortage is especially acute in the highly specialised domains required for a hardware ecosystem.
There is a shortage of engineers skilled in semiconductor fabrication, device physics, and process technology. The talent deficit for the semiconductor industry alone is projected to be between 250,000 and 300,000 professionals by 2027.[83] This problem is exacerbated by ‘brain drain’, with top talent often moving abroad for better opportunities in research and advanced manufacturing, and by a lack of hardware-centric academic programmes within the country.
India's indigenous capability to detect and analyse sophisticated hardware-based threats is currently limited. Recognising the critical need to secure its hardware supply chain, India is actively working to overcome previous limitations in detecting sophisticated threats. This national effort includes notable investment in building highly specialised expertise in fields such as hardware reverse engineering, analysis, and non-destructive testing to identify malicious implants and counterfeit components. To close the threat detection gap, the country is rapidly expanding its forensics infrastructure and fast-tracking the development of a reliable, sovereign mechanism to verify hardware integrity. These crucial measures are strategically designed to reduce historical reliance on foreign platforms and establish a robust, self-sufficient security framework.
A semiconductor fabrication plant or an advanced electronics manufacturing plant cannot exist in isolation; it requires a mature and resilient local ecosystem to support it. India currently lacks this complete value chain. A successful hardware industry depends on the ready availability of critical raw materials, such as high-purity silicon wafers, speciality chemicals, and industrial gases, almost all of which are currently imported. Recent events have starkly exposed this vulnerability. China's export curbs on rare-earth elements and critical minerals, such as gallium and germanium, coupled with new Indian import restrictions on essential components such as gold compounds used for PCB manufacturing, have created supply chain disruptions and threaten to derail production schedules. This lack of a domestic supply chain for foundational materials and manufacturing equipment makes India an unattractive and high-risk location for global manufacturers, who are hesitant to invest without the support of a robust local ecosystem.
The strategic challenges outlined in this paper are increasingly resonating within India’s critical sectors. Perspectives from within India's power sector establishment indicate that a new policy framework is actively being drafted in collaboration with key government agencies. There is a clear consensus among senior officials on the need for a more granular and dynamic understanding of the assets being deployed across the infrastructure.
The policy direction is moving towards mandating a comprehensive, real-time inventory of all technology components. This initiative aims to provide the government with unprecedented visibility, which is considered essential for proactive cybersecurity and national safety assurance. Such a development would signal a significant shift from reactive measures to a more integrated, data-driven approach to securing the nation's critical cyber-physical systems.
As India grapples with the challenge of securing its hardware supply chains, it can draw valuable lessons from the strategies implemented by other key global powers. An analysis of the frameworks in the US, the European Union (EU), and Taiwan reveals a spectrum of options from which India can construct a hybrid strategy tailored to its unique geopolitical and economic context.
The US has adopted a robust, multi-layered strategy that combines legal restrictions with proactive institutional mechanisms to secure its critical supply chains.
NDAA Section 889: Section 889 of the 2019 National Defense Authorization Act (NDAA) stands as a powerful legal instrument for excluding untrusted technology from government-related supply chains. Part A directly bars US federal agencies from procuring any equipment or services that use "covered" telecommunications technology from a list of named Chinese companies, including Huawei and ZTE. Part B goes a step further, prohibiting federal agencies from entering, or renewing, a contract with any entity that uses such “covered” equipment as a substantial part of its system, even for commercial purposes. This second provision has a profound effect, compelling private sector contractors to scrutinise their own supply chains and purge untrusted equipment if they wish to do business with the US government.[84]
The Connected Vehicle Rule: Complementing the NDAA's entity-based blacklist, the US Commerce Department's rule[85] on connected vehicles represents a more proactive, "class prohibition" model. Instead of waiting for a threat to emerge from a specific company, this rule pre-emptively prohibits a whole class of transactions deemed high-risk. It specifically targets the importation and sale of connected vehicles and their underlying systems if the hardware or software has been designed, developed, or supplied by entities subject to the influence of foreign adversaries, namely China and Russia. This approach is designed to prevent future dependencies from taking root in an emerging and critically important technology sector.
The European Union has pursued a different, market-wide regulatory approach centred on its Cyber Resilience Act (CRA).[86] The core principle of the CRA is mandating "security-by-design." The Act imposes legally binding cybersecurity requirements on all manufacturers and retailers of products with digital elements sold in the EU market. These obligations extend throughout the product's entire lifecycle, compelling manufacturers to provide security support and timely software updates to address identified vulnerabilities. This approach rebalances responsibility, shifting the security onus from the end-user to the manufacturer. It is a powerful tool for raising the baseline security of the entire commercial market, contrasting with the US model, which is more narrowly focused on government procurement and specific national security threats.
Taiwan's strategy is unique, born of its singular geopolitical position and its unparalleled dominance in the global semiconductor industry. The "Silicon Shield"[87] is a doctrine of deterrence rooted in semiconductor dominance, whereby Taiwan's indispensable role in the global industry makes any military attack on the island tantamount to mutually assured economic destruction, thus serving as a deterrent.
Internally, Taiwan's strategy for resilience involves distributing its manufacturing hubs to reduce risk concentration, mandating cybersecurity standards at the chip design level, and investing heavily in R&D and talent pipeline to maintain its technological lead. Crucially, its strategy is also outward-looking, built on forging deep, trusted partnerships with allies such as the US for co-investment, R&D sharing, and supply chain diversification.
India has already established a robust framework of international cooperation aimed at bolstering its technological capabilities and supply chain resilience. These engagements with key democratic partners form the foundation for a more secure hardware ecosystem. A significant pillar of the Indo-US partnership is the initiative on Critical and Emerging Technology (iCET),[88] which fosters collaboration in areas such as AI, quantum computing, and semiconductors. With the European Union, India's primary engagement platform is the Trade and Technology Council (TTC),[89] which works to create resilient value chains and has resulted in a memorandum of understanding (MoU) on semiconductors.
Similarly, the “India-Japan Digital Partnership” drives cooperation in cybersecurity and emerging technologies, complemented by a specific agreement on the semiconductor supply chain.[90] This partnership was further strengthened when an Indian delegation met with Japan’s Minister of Digital Transformation, Masaaki Taira, for discussions on building a robust framework to protect critical infrastructure and promoting responsible AI development.[91] Furthermore, engagement with Taiwan is central to India's semiconductor ambitions, involving direct industry-to-industry collaboration and joint ventures.
Translating analysis into action requires a clear, phased, and comprehensive roadmap. India must move beyond its current fragmented approach to hardware security and adopt a multi-decade, whole-of-government mission. This roadmap is structured across three horizons—short-term fortification, medium-term capability-building, and long-term strategic autonomy—to create a secure, resilient, and ultimately self-reliant hardware ecosystem. The elements of this roadmap are not a menu of options but an integrated, interlocking strategy where progress in one area is a prerequisite for success in others.[92]
Refine PLI and Incentives Beyond Assembly: The PLI scheme must be surgically refined. The primary metric for incentives should shift from gross output and incremental sales to domestic value addition (DVA). However, while DVA is a better way of achieving higher indigenisation, the programme itself would likely be difficult for the government to monitor effectively, given the administrative burden of auditing complex, multi-tiered global supply chains.
A viable, scalable solution is to mandate a Digital Bill of Materials Portal for all PLI applications, following the success of the Ministry of Heavy Industries (MHI)’s “Automated Online Data Transfer”[93] system for the PLI-Auto scheme, designed specifically to capture DVA data directly from the applicant’s ERP systems. This recommendation is to expand the proven model to all other PLI schemes, including IT Hardware.
This digital-first approach provides a transparent, auditable, and efficient mechanism for PLI monitoring. Additionally, this policy also serves a critical dual-use function, as the data required for compliance directly enhance national security. This portal would effectively operationalise the new technical guidelines from CERT-In, which already recommends that organisations review and update their HBOM. By creating a centralised, searchable database of all hardware and software components being incentivised by the government, policymakers and security agencies gain further visibility into the national electronics supply chain.
Furthermore, additional weightage and higher incentives should be granted for R&D expenditure, generation of domestic intellectual property, and manufacturing of foundational components and sub-assemblies such as PCBs, power management ICs, and display drivers. A ‘multiplier’ incentive should be introduced for companies that use chips designed and/or fabricated in India, creating the demand-side pull that will make a future domestic fabrication plant economically viable.
Establish National Hardware Assurance Centres: India must establish at least two national-level hardware testing and validation centres. These centres, modelled on the concept of the US DHS’s Supply Chain Resilience Centre (SCRC), must be equipped with state-of-the-art capabilities for hardware reverse-engineering, analysis, and non-destructive inspection. Their mandate will be to conduct rigorous security assessments of all hardware and software imported for use in critical national infrastructure, moving beyond simple compliance checks to active security research for backdoors and potential attack vectors.
Formalise and Expand Risk-Based Supply Chain Audits: The principles of the Trusted Telecom Portal must be expanded and codified into a formal, legally mandated framework for all critical infrastructure sectors, including energy, finance, and defence. This would require all public procurement and critical private sector entities to conduct comprehensive supply chain security audits. A tiered risk framework, ranging from voluntary certification for low-risk components to comprehensive blacklisting for high-risk scenarios, should be implemented to balance security with economic efficiency.
Launch a National Hardware Skills Mission: Addressing the human capital deficit is non-negotiable and a prerequisite for any serious attempt at building a domestic semiconductor industry. This mission should be a concerted effort involving MeitY, the Ministry of Education, and industry partners. Key actions must include overhauling the engineering curriculum to include dedicated streams in VLSI design, semiconductor physics, and hardware security; establishing a network of advanced vocational training institutes to create a pipeline of skilled fabrication plant technicians and operators; and providing funding and grants for research programmes in hardware security to reverse the brain drain.
Evolve Existing Partnerships into Formal ‘Trusted Technology Alliances’: India must elevate its international partnerships from transactional buyer-seller relationships to strategic alliances for co-development and co-production. Formal ‘Trusted Technology Alliances’ should be established with democratic partners such as the US, Taiwan, Japan, and the EU. These alliances would differ from existing efforts by focusing on joint R&D in critical areas; creating deeply integrated and defensible supply chains exclusively among members; and establishing a seamless, integrated talent pool through dual-degree programmes and streamlined mobility for researchers and engineers. This would elevate international partnerships from transactional relationships to strategic alliances for shared manufacturing and co-owned intellectual property, building on the successful model of defence joint ventures, such as the BrahMos programme with Russia, but adapted for the specific challenge of securing hardware supply chains with democratic partners.
Audited Open-Source Hardware for Public Procurement: To enhance transparency and reduce reliance on proprietary, black-box systems, the government should mandate a preference for open-standard and auditable hardware in public procurement where feasible. This would allow for greater scrutiny of system designs and reduce the risk of hidden backdoors, fostering an ecosystem of trust and verifiability.
Establish a National Hardware Security Mission: To ensure policy coherence and sustained focus, India should establish a dedicated National Hardware Security Mission. Given its role as the apex body for national security policy and coordination, this mission should be led by the National Security Council Secretariat (NSCS). This would empower the NSCS, through the National Cyber Security Coordinator (NCSC), to coordinate policy across all relevant ministries, including electronics and IT, commerce, defence, power, and finance, and drive the implementation of the long-term roadmap.
Placing the mission under the high-level authority of the NSCS would be the most effective way to break down bureaucratic silos, ensure that national security objectives are not diluted, and leverage its direct oversight across all domains of national importance. This structure is inspired by the focused, mission-driven approach of recent successful international initiatives, such as the US “Unleashing Military Drone Dominance” plan, which aims to cut through red tape and accelerate capability development.[94]
Enact a Comprehensive Supply Chain Security Act: To provide a stable and predictable environment for both domestic and foreign investors, India should move away from ad-hoc regulations and enact a comprehensive Supply Chain Security Act. This legislation should codify the best elements of international models. It could include a clear legal basis for creating and maintaining a ‘Restricted/Untrusted List’ of entities and technologies, similar to the US NDAA; mandatory security-by-design and lifecycle support requirements for all digital products sold in India, learning from the EU's Cyber Resilience Act; and transparent processes for FDI screening based on national security criteria.
The intricate global web of hardware supply chains, once a driver of unprecedented technological progress and economic efficiency, has become a new and formidable front in the twenty-first-century geopolitical contest. For India, a nation with aspirations of global leadership and a deep-seated reliance on imported technology, this reality presents a strategic challenge of the highest order. The analysis presented in this paper is unequivocal: the widespread deployment of foreign-manufactured hardware, particularly from nations with conflicting strategic interests, has embedded a deep and systemic vulnerability at the very foundation of India's critical national infrastructure. This is not a future threat, but a clear and present danger, evidenced by documented cyber intrusions targeting the nation's power grid and defence establishments.
The core of India's vulnerability lies in its value-chain dependency, wherein success in low-end assembly masks a critical weakness in the high-value, technologically complex components that form the nervous system of modern infrastructure. Current policies, while laudable in their ambition, are yet to fundamentally alter this dynamic. They are further undermined by foundational challenges, a chasm in capital, a deficit in specialised skills, and an immature domestic ecosystem, which create a vicious cycle, deterring the very investment needed to break free from dependency.
However, this challenge also presents a generational opportunity. The global realignment of supply chains, driven by geopolitical tensions and a universal quest for resilience, offers India a window to pivot from being a vulnerable technology consumer to a trusted global partner in secure hardware manufacturing. The path forward is not easy and requires a sustained, multi-decade national mission, underpinned by unwavering political will and strategic clarity.
The roadmap outlined in this paper provides a blueprint for this transformation. It calls for a hybrid strategy that learns from the world's best practices, combining the legal force of US prohibitions, the market-wide scope of European regulations, and the ecosystem-focused approach of Taiwan. By immediately fortifying its defences through robust testing and refined incentives, building sovereign capabilities in talent and R&D in the medium term, and committing to the long-term goal of strategic autonomy in chip fabrication, India can systematically reduce its vulnerabilities.
Ultimately, securing India's hardware supply chains is more than a matter of economic policy or technical cybersecurity. It is a fundamental prerequisite for preserving national sovereignty and ensuring economic stability. The transition from dependence to resilience will be challenging, yet it is a critical endeavour in which India is poised to succeed. As a developing nation, India has the opportunity to glean insights from global experiences.
Ayyappan Rajesh is an Offensive Security Engineer at Block Harbor Cybersecurity and an NYU Cyber Fellow, specialising in wireless and cyber-physical systems.
Disclosure on the use of AI: Portions of this document were refined with the assistance of Gemini 2.5.
All views expressed in this publication are solely those of the author, and do not represent the Observer Research Foundation, either in its entirety or its officials and personnel.
[a] Complete removal of legacy systems and their immediate replacement with new infrastructure.
[b] Specialised computing systems and physical components used to monitor, control, and automate industrial processes and critical infrastructure.
[c] Australia, Canada, New Zealand, and the UK.
[d] The portal can be accessed here: www.trustedtelecom.gov.in
[1] ICT Supply Chain Risk Management Task Force, Securing the U.S. ICT Supply Chain: A Report from the ICT SCRM Task Force, Year Two Report, Washington, DC: Cybersecurity and Infrastructure Security Agency, 2020, https://www.cisa.gov/sites/default/files/publications/ict-scrm-task-force_year-two-report_508.pdf.
[2] Stephen Ezell, “Assessing India's Readiness to Assume a Greater Role in Global Semiconductor Value Chains,” Information Technology and Innovation Foundation, February 14, 2024, itif.org/publications/2024/02/14/india-semiconductor-readiness/.
[3] NITI Aayog, Electronics: Powering India's Participation in Global Value Chains (New Delhi: NITI Aayog, July 2024), https://www.niti.gov.in/sites/default/files/2024-07/GVC%20Report_Updated_Final_11zon_0.pdf.
[4] Ezell, "Assessing India's Readiness."
[5] Ezell, "Assessing India's Readiness."
[6] Ezell, "Assessing India's Readiness."
[7] Harsh V. Pant and Aarshi Tirkey, "The 5G Question and India's Conundrum," Orbis 64, no. 4 (2020): 571-588, https://pmc.ncbi.nlm.nih.gov/articles/PMC7515818/.
[8] "India targets 250 million smart meters by 2027, $20 billion opportunity in energy management," ETEnergyworld.com, October 2, 2024, https://energy.economictimes.indiatimes.com/news/power/india-targets-250-million-smart-meters-by-2027-20-billion-opportunity-in-energy-management/114162408.
[9] Stockholm International Peace Research Institute, Trends in International Arms Transfers, 2024, Stockholm, Stockholm International Peace Research Institute, 2025, https://www.sipri.org/sites/default/files/2025-03/fs_2503_at_2024_0.pdf.
[10] Col. Rahul Tripathi (Retd), "Bill of Material (BOM), Vulnerability for Supply Chain Attacks," Centre for Land Warfare Studies, September 11, 2025, https://claws.co.in/bill-of-material-bom-vulnerability-for-supply-chain-attacks/
[11] Abhijit Majumdar, "Promoting and Incentivising Manufacturing of PoS Terminals in India," PwC India, March 2021, https://www.pwc.in/assets/pdfs/consulting/technology/promoting-and-incentivising-manufacturing-of-pos-terminals-in-india.pdf
[12] Nadine Oliver, "Transforming Urban India: PM Modi's Smart City Initiative," Asia Pacific Foundation of Canada, October 3, 2016, https://www.asiapacific.ca/blog/transforming-urban-india-pm-modis-smart-city-initiative
[13] Sameer Patil and Prithvi Gupta, "The DSR’s Urban Frontiers: China’s Smart Cities Strategy," Observer Research Foundation, July 1, 2024, https://www.orfonline.org/expert-speak/the-dsr-s-urban-frontiers-china-s-smart-cities-strategy.
[14] UNCTAD, "Case Study 16: Jawaharlal Nehru Port Trust (JNPT), India," UNCTAD Resilient Maritime Logistics Guidebook, n.d., https://resilientmaritimelogistics.unctad.org/guidebook/case-study-16-jawaharlal-nehru-port-trust-jnpt-india
[15] Anusha Guru, "Securing Indian Ports: Cybersecurity Vulnerabilities and the Road Ahead," Observer Research Foundation, July 17, 2025, https://www.orfonline.org/expert-speak/securing-indian-ports-cybersecurity-vulnerabilities-and-the-road-ahead.
[16] Gemini 2.5, response to “Refine the selected text” Google, September 2025.
[17] "Domestic Med-Tech Companies Flag Security Threat from Chinese Devices," The Economic Times, July 16, 2025, https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/domestic-med-tech-companies-flag-security-threat-from-chinese-devices/articleshow/122589770.cms?from=mdr.
[18] Shravishtha Ajaykumar, "Securing India’s Critical Infrastructure: Prioritising Cybersecurity in Chemical Facilities," Observer Research Foundation, July 24, 2025, https://www.orfonline.org/expert-speak/securing-india-s-critical-infrastructure-prioritising-cybersecurity-in-chemical-facilities.
[19] Sameer Patil, "Operation Sindoor and India's Cyber Threat Landscape," Observer Research Foundation, May 28, 2025, https://www.orfonline.org/expert-speak/operation-sindoor-and-india-s-cyber-threat-landscape
[20] Cybersecurity and Infrastructure Security Agency, National Security Agency, and Federal Bureau of Investigation, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure," Cybersecurity and Infrastructure Security Agency, February 7, 2024, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[21] Data Security Council of India and Seqrite, "India Cyber Threat Report 2025," Data Security Council of India, December 5, 2024, https://www.dsci.in/files/content/knowledge-centre/2024/India-Cyber-Threat-Report-2025.pdf
[22] SecurityScorecard, "India Supply Chain Report 2025," SecurityScorecard, September 2025, https://securityscorecard.com/wp-content/uploads/2025/09/India-Supply-Chain-Report_2025.pdf
[23] Jordan Robertson and Michael Riley, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies," Bloomberg Businessweek, October 4, 2018, https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies.
[24] Dhwani Mehta et al., "The Big Hack Explained: Detection and Prevention of PCB Supply Chain Implants," ACM Journal on Emerging Technologies in Computing Systems, August 2020, https://tehranipoor.ece.ufl.edu/wp-content/uploads/2021/07/2020-JETC-BigHack.pdf
[25] Greg Otto, "U.S. and British security agencies support Apple, Amazon denials of Bloomberg’s ‘Big Hack’ story," CyberScoop, October 6, 2018, https://cyberscoop.com/dhs-bloomberg-supply-chain-story-apple-amazon-denial/
[26] Jordan Robertson and Michael Riley, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies."
[27] Norman Pearlstine et al., "Who is the man behind Huawei and why is the U.S. intelligence community so afraid of his company?," Los Angeles Times, April 10, 2019, https://www.latimes.com/projects/la-fi-tn-huawei-5g-trade-war/
[28] Standing Committee of the National People's Congress, "National Intelligence Law of the People's Republic of China," National People's Congress of the People's Republic of China, June 27, 2017, https://www.lawinfochina.com/display.aspx?id=23733&lib=law
[29] International Institute for Strategic Studies (IISS), “Australia, Huawei and 5G,” Strategic Comment, last modified August 2019, https://www.iiss.org/publications/strategic-comments/2019/australia-huawei-and-5g.
[30] "India to Check Power Equipment from China for Malware." The Economic Times, June 28, 2020. https://economictimes.indiatimes.com/news/economy/foreign-trade/india-to-check-power-equipment-from-china-for-malware/articleshow/76671038.cms.
[31] P.J. George, "'Red Echo' Over India," The Hindu, March 7, 2021, https://www.thehindu.com/sci-tech/technology/red-echo-over-india/article34008299.ece
[32] Insikt Group, "China-linked Group RedEcho Targets the Indian Power Sector Amid Border Tensions," Recorded Future, February 28, 2021, https://www.recordedfuture.com/fr/research/redecho-targeting-indian-power-sector
[33] Insikt Group, "RedEcho Targets the Indian Power Sector."
[34] "Government scraps deals for 400 defence drones with Chinese parts." The Times of India, February 7, 2025, https://timesofindia.indiatimes.com/india/government-scraps-deals-for-400-defence-drones-with-chinese-parts/articleshow/117997096.cms
[35] FP Staff. "Indian Army's 'Make in India' drones hacked in border areas: Report." Firstpost, February 4, 2025. https://www.firstpost.com/india/indian-army-make-in-india-drones-hacked-in-border-areas-report-13859474.html.
[36] "India Today impact: China shadow on military drones, govt cancels deals," India Today, February 10, 2025, https://www.indiatoday.in/india-today-insight/story/india-today-impact-china-shadow-on-military-drones-govt-cancels-deals-2677752-2025-02-10.
[37] Ayyappan Rajesh, “Cyber Terror on Wheels: Remotely Hijacking 600+ Indian Automobiles," Ayyappan Rajesh's Writeups, August 2023, https://writeups.ayyappan.me/tor-iot-mqtt/.
[38] Press Information Bureau (PIB), Ministry of Electronics and Information Technology (MeitY), "India's Electronics Leap: Production Soars to ₹11.3 Lakh Crore in 2024–25, Six-Fold Over the Decade," October 11, 2025, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2177755
[39] Press Information Bureau (PIB), Ministry of Civil Aviation, "The Drone Rules, 2021," January 28, 2022, https://static.pib.gov.in/writereaddata/specificdocs/documents/2022/jan/doc202212810701.pdf.
[40] Press Information Bureau (PIB), Ministry of Defence, "Marching Towards Atmanirbharta: India's Defence Revolution," October 29, 2024, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2069090.
[41] India greenlights ₹62,000 cr deal for 97 LCA Tejas jets in big boost to Make in India defence push," The Economic Times, August 19, 2025, https://m.economictimes.com/news/defence/india-greenlights-rs-62000-crore-tejas-mark-1a-deal-iaf-to-boost-indigenous-fleet-with-97-fighter-jets/articleshow/123392768.cms.
[42] "Drone Startup Garuda Aerospace Secures ₹100-Crore Funding," The Hindu, April 16, 2025, https://www.thehindu.com/business/garuda-aerospace-raises-100-crore-in-series-b-finding/article69456927.ece
[43] Aditya Khemka, Managing Director at CP PLUS, quoted in "India tightens rules on security cameras – and CP PLUS seeks to harness change," Asmag, June 12, 2025, https://www.asmag.com/showpost/35090.aspx.
[44] Press Information Bureau, “Cabinet approves Production Linked Incentive Scheme for Large Scale Electronics Manufacturing,” Press Information Bureau – Government of India, March 21, 2020, https://www.pib.gov.in/PressReleasePage.aspx?PRID=1607487
[45] Press Information Bureau, “PLI for IT Hardware,” Press Information Bureau – Government of India, March 23, 2022, https://www.pib.gov.in/Pressreleaseshare.aspx?PRID=1808682
[46] Press Information Bureau, “Cabinet approves Production Linked Incentive Scheme – 2.0 for IT Hardware,” Press Information Bureau, May 17, 2023, https://www.pib.gov.in/PressReleasePage.aspx?PRID=1924766
[47] Press Information Bureau, “Mobile Production Surges by 146% to ₹5.25 Lakh Crore in 4 Fiscals, Exports up 775%: Piyush Goyal,” ETTelecom, July 23, 2025, https://telecom.economictimes.indiatimes.com/news/policy/indias-mobile-production-and-exports-skyrocket-146-increase-in-value-amid-government-initiatives/122848439
[48] Ministry of Electronics & IT, Government of India, “Make in India’s Leap in Electronics Manufacturing & Exports,” Press Information Bureau – Government of India, March 26, 2025, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2115171
[49] “Make in India’s Leap in Electronics Manufacturing & Exports.”
[50] Andreas Schumacher, “For Semiconductors, Smaller Is Not Always Better,” ORF America, September 5, 2024, https://orfamerica.org/orf-america-comments/smaller-semiconductor-chips.
[51] U.S. Department of Commerce, Bureau of Industry and Security, "Commerce Strengthens Export Controls to Restrict China’s Capability to Produce Advanced Semiconductors for Military Applications," Bureau of Industry and Security, December 2, 2024, https://media.bis.gov/sites/default/files/documents/FINAL DOC Nat Sec Action Rls Dec 2 24.pdf
[52] U.S. Department of Commerce, Bureau of Industry and Security, "Commerce Strengthens Export Controls to Restrict China’s Capability to Produce Advanced Semiconductors for Military Applications”.
[53] Vivek Mishra and Yogesh Mohapatra, "Trump's Chip Policy Disrupts Alliances," Observer Research Foundation, August 11, 2025, https://www.orfonline.org/expert-speak/trump-s-chip-policy-disrupts-alliances
[54] Government of India, Press Information Bureau, "Powering the Future: The Semiconductor and AI Revolution" (factsheet), August 15, 2025, https://www.pib.gov.in/FactsheetDetails.aspx?Id=149242.
[55] Ministry of Electronics & IT, Government of India, “Government of India Spurs Chip Manufacturing with Fiscal Support, Global MoUs and Talent Development Initiatives,” Press Information Bureau – Government of India, April 2, 2025, https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2117925
[56] Government of India, "Powering the Future."
[57] Government of India, "Powering the Future."
[58] “IT Minister Ashwini Vaishnaw Presents First ‘Made‑in‑India’ Chip to PM Modi at Semicon 2025,” The Hindu, September 2, 2025, https://www.thehindu.com/business/Industry/it-minister-ashwini-vaishnaw-presents-first-made-in-india-chip-to-pm-modi-at-semicon-2025/article70004784.ece.
[59] TOI Business Desk, "Tata Electronics builds India's 1st semiconductor fabrication unit: Gujarat enables 1,500 residential units; mainly for Tata Group staff, suppliers," Times of India, June 17, 2025, https://timesofindia.indiatimes.com/business/india-business/tata-electronics-builds-indias-1st-semiconductor-fabrication-unit-gujarat-enables-1500-residential-units-mainly-for-tata-group-staff-suppliers/articleshow/121875951.cms
[60] Gemini 2.5, response to “Refine the selected text,” Google, December 2025.
[61] Government of India, "Powering the Future."
[62] Ministry of Electronics & IT, Government of India, “Government pushes semiconductor design innovation with the Design Linked Incentive (DLI) Scheme,” Press Information Bureau, August 22, 2025, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2159727.
[63] Government of India, "Powering the Future."
[64] Press Information Bureau, India’s Critical Mineral Mission: Securing the Minerals of Tomorrow (Government of India, September 6, 2025), https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=155158&ModuleId=3.
[65] Press Information Bureau, India’s Critical Mineral Mission.
[66] Press Information Bureau, India’s Critical Mineral Mission.
[67] National Security Council Secretariat, "Brief on launch of Trusted Telecom Portal for implementation of the National Security Directive on Telecommunication Sector," Department of Telecommunications, June 15, 2021, https://dot.gov.in/sites/default/files/Brief%20on%20launch%20of%20Trusted%20Telecom%20Portal-1_0.pdf
[68] National Security Council Secretariat, "Brief on launch of Trusted Telecom Portal for implementation of the National Security Directive on Telecommunication Sector," Department of Telecommunications, June 15, 2021.
[69] Indian Computer Emergency Response Team (CERT-In), "Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (Ver 2.0 Dated 09.07.2025)" (Ministry of Electronics and Information Technology, Government of India), https://www.cert-in.org.in/PDF/TechnicalGuidelines-on-SBOM,QBOM&CBOM,AIBOM_and_HBOM_ver2.0.pdf.
[70] Standardisation Testing and Quality Certification (STQC) Directorate, "IoT System Certification Scheme (IoTSCS)" (Ministry of Electronics and Information Technology, Government of India), https://www.stqc.gov.in/iot-system-certification-scheme-iotscs.
[71] National Critical Information Infrastructure Protection Centre (NCIIPC), https://nciipc.gov.in/.
[72] "Government Strengthens Cybersecurity Across Critical Sectors; Over 9700 CERT-In Audits Conducted in 2024–25," Press Information Bureau, July 26, 2025, https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2148943.
[73] "C-HERD: Cybersecurity Hardware and Embedded Systems Repository and Directory," Data Security Council of India, https://www.dsci.in/content/c-herd.
[74] PTI, "Govt aims to meet 70% of country's IT hardware need through local production in 3 yrs: MoS IT," Deccan Herald, September 22, 2023, https://www.deccanherald.com/india/govt-aims-to-meet-70-of-countrys-it-hardware-need-through-local-production-in-3-yrs-mos-it-2696812.
[75] Rhea Mogul, "India restricts imports of laptops, tablets and other personal computers," CNN, August 3, 2023, https://www.cnn.com/2023/08/03/tech/india-restrict-import-laptops-intl-hnk
[76] Trisha Ray, "Lessons from India's Past for its Semiconductor Future," Observer Research Foundation, June 22, 2023, https://www.orfonline.org/expert-speak/lessons-from-indias-past-for-its-semiconductor-future
[77] Debjyoti Paul, "Reclaiming India's Leadership in the Global Semiconductor Industry," LinkedIn, September 23, 2024, https://www.linkedin.com/pulse/reclaiming-indias-leadership-global-semiconductor-industry-paul-uhnec/
[78] “India Snoozed, Lost Intel Chip Plant,” Forbes, September 6, 2007, https://www.forbes.com/2007/09/06/intel-india-china-markets-equity-cx_rd_0906markets1.html.
[79] Government of India, "Powering the Future."
[80] Ministry of Electronics & IT, "Government of India Spurs Chip Manufacturing with Fiscal Support, Global MoUs and Talent Development Initiatives," Press Information Bureau, April 2, 2025, https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2117925.
[81] Gemini 2.5, response to “Refine the selected text,” Google, September 2025.
[82] Nelson Rajkumar, "Bridging the EMS talent gap in India through upskilling and training youth," ETManufacturing, August 29, 2025, https://manufacturing.economictimes.indiatimes.com/news/industry/bridging-the-ems-talent-gap-in-india-through-upskilling-and-training-youth/123584012.
[83] “Chip Industry to Face Crunch of 300,000 Professionals by 2027 (TeamLease Study),” Financial Express, June 11, 2024,
[84] John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. 115-232, § 889 (Aug. 13, 2018), https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf.
[85] Connected Vehicles, Final Rule, Department of Commerce, Bureau of Industry and Security, 90 Fed. Reg. 5360 (Jan. 16, 2025) (to be codified at 15 C.F.R. pt. 791), https://www.federalregister.gov/documents/2025/01/16/2025-00592/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles.
[86] European Parliament and Council, Regulation (EU) 2024/2847 of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), Official Journal of the European Union L, no. 2024/2847 (November 20, 2024), https://eur-lex.europa.eu/eli/reg/2024/2847/oj.
[87] Pamela Kennedy, "Why Taiwan Fears 'America First' Risks Eroding Its 'Silicon Shield'," Stimson Center, October 10, 2025, https://www.stimson.org/2025/why-taiwan-fears-america-first-risks-eroding-its-silicon-shield/.
[88] Office of the Principal Scientific Adviser to the Government of India, "US - India TRUST Initiative (formerly iCET)," Office of the Principal Scientific Adviser to the Government of India, February 13, 2025, https://www.psa.gov.in/icet
[89] Angelos Delivorias, "EU-India Trade and Technology Council," European Parliamentary Research Service (EPRS), January 2024, https://www.europarl.europa.eu/RegData/etudes/ATAG/2024/757587/EPRS_ATA(2024)757587_EN.pdf
[90] Ministry of Electronics and Information Technology of India and Ministry of Economy, Trade and Industry of Japan, "Memorandum of Cooperation on India-Japan Digital Partnership," Ministry of External Affairs, October 29, 2018, https://www.mea.gov.in/Portal/LegalTreatiesDoc/JP18B3389.pdf
[91] "India–Japan Strengthen Digital Partnership with AI and Cybersecurity Focus," Japan Calling, August 12, 2025, https://www.japancalling.in/post/india-japan-strengthen-digital-partnership-with-ai-and-cybersecurity-focus.
[92] Gemini 2.5, response to “Refine the selected text,” Google, September 2025.
[93] Press Information Bureau. “Ministry of Heavy Industries Launches Automated Online Data Transfer for capturing critical data related to Domestic Value Addition (DVA) from the PLI applicant’s ERP system to PLI Auto Portal,” Press Information Bureau – Government of India, August 11, 2022. https://www.pib.gov.in/PressReleasePage.aspx?PRID=1850892
[94] "Hegseth orders military to 'unleash' use of small drones in new memo," Breaking Defense, July 11, 2025, https://breakingdefense.com/2025/07/hegseth-signs-unleashing-us-military-drone-dominance-memo/.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Ayyappan Rajesh is a cybersecurity professional specialising in wireless security and cyber-physical systems.He is actively involved with the Car Hacking Village, a non-profit organisation dedicated ...
Read More +
PREV
