Authored By : Sanya Ashraf
Lloyd School of Law
The morning of September 23, 2025, began like any other at Mumbai’s financial district until a sophisticated ransomware attack brought the National Stock Exchange’s trading systems to a grinding halt. Within minutes, billions of rupees in trades were frozen, and panic rippled through India’s economic nerve center. While the attack was eventually contained, it served as yet another wake-up call about India’s vulnerability to cyberterrorism—a threat that exists in the shadows of our increasingly digital society.
India’s tryst with cyberterrorism isn’t new, but the sophistication and frequency of these attacks have reached alarming levels. From the 2022 AIIMS Delhi ransomware attack that compromised 1.6 million patient records to the recent WazirX cryptocurrency exchange hack attributed to North Korea’s Lazarus Group, the writing on the wall is clear: India’s legal framework is struggling to keep pace with the evolving nature of cyber threats.
The Legal Labyrinth
At the heart of India’s cybersecurity legal framework lies the Information Technology Act, 2000—a legislation that predates Facebook, Twitter, and the smartphone revolution. While amendments in 2008 introduced Section 66F specifically addressing cyberterrorism with provisions for life imprisonment, the reality on the ground tells a different story.
“The IT Act was revolutionary for its time, but it’s like trying to regulate space travel with laws written for bullock carts,” remarks a senior cybercrime investigator from Bangalore, requesting anonymity. His frustration reflects a systemic problem: the law’s inability to address emerging threats like AI-generated deepfakes, cryptocurrency-based terror financing, and state-sponsored attacks through advanced persistent threats (APTs).
The recent introduction of the Bharatiya Nyaya Sanhita (BNS) in 2023 promised modernization, incorporating cybercrimes under organized crime provisions and recognizing electronic evidence as primary evidence. However, the transition hasn’t been seamless. Section 111 of BNS, which deals with organized cybercrime, remains vaguely worded, leaving investigators and prosecutors grappling with interpretation challenges.
The Enforcement Nightmare
Perhaps nowhere is the chasm between legislative intent and ground reality more evident than in India’s cybercrime conviction rates. In Karnataka alone—India’s cybercrime capital with over 21,000 cases registered in 2023—convictions stood at a dismal 44 out of thousands of cases, translating to less than 0.3% conviction rate in Bangalore.
“Every morning, I see at least a dozen distraught victims waiting outside our station,” shares a police officer at Hyderabad’s dedicated cybercrime station. “From elderly citizens who’ve lost their life savings to phishing scams to companies held hostage by ransomware, the stories are heart-wrenching. But the truth is, we’re fighting a 21st-century crime with 20th-century tools.”
The challenges are multifaceted. Rural police stations often lack basic cybercrime investigation capabilities, with many officers still uncomfortable using computers. The National Crime Records Bureau data reveals that while cybercrime cases jumped 31% nationally in 2023, the majority of police personnel receive no specialized cybersecurity training.
Cross-jurisdictional issues further complicate matters. When a terrorist group in Pakistan targets Indian banking infrastructure, or when Chinese state-sponsored hackers breach Indian defense networks, investigators find themselves entangled in diplomatic red tape and mutual legal assistance treaties that can take years to yield results.
The Technology Gap
The rapid evolution of technology has created what cybersecurity experts’ term “legal lag”— the time gap between the emergence of new cyber threats and the legal framework’s ability to address them. India’s laws struggle with concepts like zero-day exploits, botnets, and cryptocurrency mixers used for terror financing.
Take the case of deepfake technology. While the government has acknowledged the threat, current laws remain inadequate. The recent viral deepfake video featuring a prominent Indian actress highlighted how easily AI-generated content can be weaponized for extortion, reputational damage, or even to incite communal violence. The existing legal provisions under Sections 66C (identity theft) and 66E (privacy violation) of the IT Act feel like using a hammer to perform surgery.
The cryptocurrency conundrum adds another layer of complexity. While India has implemented taxation on cryptocurrency transactions, the lack of comprehensive regulation creates fertile ground for terror financing. The WazirX hack, where 234 million was stolen by North Korean hackers, exposed how vulnerable Indian exchanges are to state-sponsored cyberterrorism.
Privacy vs. Security: The Eternal Dilemma
The tension between national security and individual privacy rights has reached fever pitch in India’s cybersecurity discourse. The government’s push for data localization and enhanced surveillance capabilities through initiatives like the Central Monitoring System clashes with privacy advocates who argue for stronger data protection measures.
The Digital Personal Data Protection Act of 2023 attempted to strike a balance, but critics argue it created more confusion than clarity. “We now have overlapping jurisdictions between the IT Act, DPDPA, and BNS,” explains a Delhi-based technology lawyer. “A single cyberterrorism case might involve multiple agencies—CERT-In, NCIIPC, state cyber cells, and intelligence agencies—each with different mandates and sometimes conflicting priorities.”
International Cooperation: A Pipe Dream?
In an interconnected digital world, cyberterrorism knows no borders. Yet India’s efforts to combat cross-border cyber threats remain hampered by limited international cooperation. While India participates in various bilateral cybersecurity agreements, the absence of a comprehensive international legal framework for cyberterrorism prosecution creates safe havens for attackers.
The Budapest Convention on Cybercrime, the only binding international treaty on cybercrime, remains unsigned by India due to sovereignty concerns. This isolation limits India’s ability to extradite cyber terrorists and access critical evidence stored on foreign servers.
The Road Ahead: Urgent Reforms Needed
As India hurtles toward its Digital India 2.0 vision, the legal challenges in addressing cyberterrorism demand immediate attention. The proposed National Cyber Security Strategy 2025 promises modernization, but implementation remains key.
Legal experts advocate for specialized cyber terrorism courts with fast-track procedures, similar to the successful model implemented for POCSO cases. “We need judges who understand blockchain forensics and prosecutors who can explain SQL injection attacks to juries,” argues a senior advocate specializing in cyber law.
The massive skill gap—India faces a shortage of nearly one million cybersecurity professionals—requires urgent addressing. Law enforcement agencies need specialized training programs, while universities must update their curricula to produce legally-literate technologists and tech-savvy legal professionals.
Public-private partnerships hold promise, but regulatory clarity is essential. The recent draft Telecom Cybersecurity Rules 2025 attempt to expand monitoring obligations, but industry stakeholders worry about compliance costs and privacy implications.
Conclusion: A Call for Comprehensive Action
The cyberterrorism threat facing India isn’t just a legal or technical challenge—it’s an existential one that threatens the very fabric of our digital society. As attackers become more sophisticated, employing AI-driven attacks and quantum-resistant encryption, India’s response must evolve accordingly.
The solution lies not in piecemeal amendments but in a comprehensive overhaul of our cybersecurity legal framework. This includes updating existing laws to address emerging threats, establishing specialized investigation and prosecution capabilities, fostering international cooperation, and most importantly, bridging the chasm between legislative intent and enforcement reality.
As one cybersecurity expert poignantly observed, “In the digital age, cyberterrorism isn’t a question of if but when. The only question is whether our legal system will be ready when that moment arrives.”
The clock is ticking, and India’s digital future hangs in the balance. The choice is clear: adapt quickly or remain vulnerable to the invisible enemies of the digital realm.
