Published: Yojana, April 2026
As welfare delivery, payments and identity move onto digital rails, the issue argues that digital trust is now a public good, and cybersecurity its supply chain. The chapter builds a layered model of where that trust can break.
The Six-Layer Security Architecture
| Layer | Examples of risk |
|---|---|
| Material / communication | Undersea cables, spectrum |
| Hardware | Chip-level backdoors, counterfeit components |
| OS / network | Unpatched systems, protocol exploits |
| Application | Malware, API abuse |
| Task / functional | Process manipulation, insider misuse |
| Human | Phishing, social engineering (85 percent of incidents involve human error) |
The weakest layer is human, which is why awareness programmes sit alongside technical hardening in the national strategy.
Why the Attack Surface Is Expanding
- BRAIN convergence (Biotechnology + Robotics + AI + Nanotechnology) multiplies entry points faster than defences mature, in a VUCA threat environment
- 95 percent of India’s international internet traffic flows through undersea cables (roughly 400 submarine cables exist globally), a chokepoint largely outside national control
- India ranked 3rd globally in ransomware attacks (Check Point Research 2024)
- 30,000+ tracked space debris objects threaten the satellite layer that communications depend on
Institutional Response
- CERT-In: mandatory reporting of cyber incidents within 6 hours (rule in force since April 2022)
- NCIIPC protects Critical Information Infrastructure under Section 70A, IT Act 2000 (sectors: power, banking, telecom, transport, government)
- I4C under the Ministry of Home Affairs coordinates cybercrime response
- Policy lineage: National Cyber Security Policy 2013; National Cyber Security Strategy 2020
Case Studies the Issue Uses
- AIIMS Delhi ransomware (November 2022): around 5 crore patient records affected; the wake-up call for health-sector CII
- Colonial Pipeline (2021) and Ukraine grid attacks (2015-16): energy infrastructure as target
- SolarWinds (2020): supply-chain compromise that triggered the US Zero Trust mandate, the model now shaping Indian government architecture
Mains Angle
Critical analysis: India’s framework remains reactive (post-incident reporting) rather than preventive (mandatory security-by-design); the 2013 policy predates the UPI-era attack surface.
Way forward: a statutory national cybersecurity authority, sectoral CERTs with real audit powers, and treating undersea cable resilience as strategic infrastructure.
📌 Facts Corner — Knowledgepedia
Numbers:
- 85 percent of cyber incidents involve human error
- 95 percent of India’s international data traffic rides undersea cables; ~400 cables globally
- India: 3rd globally in ransomware attacks (Check Point Research 2024)
Institutions and rules:
- CERT-In: 6-hour incident reporting (since April 2022)
- NCIIPC: CII protection under Section 70A, IT Act 2000
- I4C: cybercrime coordination under MHA
Case studies:
- AIIMS Delhi ransomware (Nov 2022, ~5 crore records)
- SolarWinds (2020) led to US Zero Trust mandate
Sources: Yojana / Publications Division, CERT-In