On 7 August 2025, three months after the commencement of Operation Sindoor, India released the declassified version of the Joint Doctrines for Cyberspace Operations. Launched by the Chief of Defence Staff General Anil Chauhan and Secretary of the Department of Military Affairs, the doctrine indicated a timely effort at synergising the approach to cyber warfare across the army, navy and the air force.
A comprehensive document covering various aspects and characteristics of the cyber domain, the doctrine is significant as the first publicly released document meant not just for the consumption of the armed forces, but also the private sector, scholars and other states — inimical or otherwise.
But beyond what it represents, the doctrine is significant because it correctly conceptualises the cross-domain effects and other key features of cyber warfare, advocates for a greater role of the private sector, and focuses on the role of auditing and supply chain security.
Notwithstanding the hits, there are also certain misses in the doctrine, especially related to the understanding of information warfare and the inadequate focus on quantum technologies.
Features of the cyber domain and cyber warfare
The doctrine gets many complex conceptual ideas about cyberspace and cyber warfare correct. To begin with, the armed forces are not drawing any comfort from thinking that their cyberspace is separate and distinct from the global interlinked cyberspace.
The doctrine is as much concerned about air gapped defence systems as much as about the public facing ones. The doctrine also goes beyond the usual refrain in cyber studies that reliable and timely attribution is difficult to obtain in case of cyber attacks. The armed forces acknowledge that ‘when intent and impact are obfuscated, it is difficult to calibrate a just response. There would always be the risk of overreacting or underplaying.’
But what the joint doctrine misses conceptually is in the framing of information warfare. While it is understandable that cyber has cross-domain effects including cognitive, information warfare is not a subset of cyber warfare contrary to the impression that the doctrine leaves. Information warfare can be defined as ‘the use of information to influence decisions in order to achieve a political objective without necessarily using physical force.’
Mounting cyberattacks is one way to influence decisions (in addition to propaganda and espionage). Information warfare is the broader entity within which cyber is an element; politically-motivated cyber attacks have cognitive implications in addition to having any physical impacts.
Leveraging private sector’s cyber expertise
Perhaps the most significant component of the joint doctrine is seeking more collaboration with the private sector to strengthen the cyber capabilities of the armed forces. The doctrine exhorts the public-private partnership model and encourages ‘private sector companies, including start-ups to develop security technologies, platforms and solutions towards enhancing cyber security in Armed Forces.’ The document also identifies training infrastructure and a centre for excellence as areas in which the armed forces could work with companies and academia, respectively.
The private sector component of the doctrine also reveals the reason for making such a document public: the doctrine is framed to act as a signalling mechanism to the booming cybersecurity industry in the country that more opportunities would be coming their way from the armed forces.
Bereft of the signalling function, the doctrine would have served its purpose even if it was not declassified and only circulated among the armed forces in a restricted manner.
Auditing and supply chain security: Moving in the right direction
Keeping with the times, the doctrine rightly emphasises the importance of ensuring supply chain security. As Israel’s pager attack on Hezbollah demonstrated last year, even low-tech items could be subjected to sophisticated supply chain attacks having serious consequences for the acquiring group or nation-state.
As a significant chunk of India’s defence procurement is sourced from international partners, the importance of supply chain security cannot be understated. Similarly, a focus on cyber auditing is welcome as it strengthens cybersecurity of the armed forces. Beyond the first line of defence involving chief information security officers and the second line of defence involving risk management and regulatory compliance, audit as the third line of defence provides critical oversight over the first two lines. Additionally, the third line of defence is applicable to friends and foes alike.
While the doctrine gets audit and supply chain security right, the focus on quantum computing is quite inadequate. The armed forces should give due attention to developments in the quantum field that threaten the utility of current cryptography methods employed by the three forces.
Overall, the doctrine is a welcome attempt at signalling to the private sector and other stakeholders about how the armed forces are approaching the cyber domain. That said, there are many areas for improvement, including conceptual clarity on information warfare and expanding the focus on quantum technologies.
(Lokendra Sharma is a staff research analyst with the Takshashila Institution’s High-Tech Geopolitics Programme.)
Views are personal and do not represent the stand of this publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
