Institutional Architecture

Segments 18 & 19 — Mapping the fragmented authority structure of India's cybersecurity governance

47
Ministries with cyber responsibilities
6+
Major institutional actors
28
States with cyber cells
0
Agencies with genuine command authority

47 Ministry Matrix

Cyber responsibility score by ministry (0-100)

MeitY
MHA
MOD
NSCS
RBI

Jurisdictional Overlap Matrix

Authority claim by domain (0-100%)

MeitY
MHA
MOD
NSCS
RBI

State Cyber Cell Readiness

Personnel count vs readiness score (28 states with cells)

Tier 1 (Adequate)
Tier 2 (Moderate)
Tier 3 (Critical)

Power/Authority Distribution

Relative cyber governance authority by agency

MeitY Hierarchical Structure

MeitY subordinate bodies - complete cybersecurity value chain control

🔐Secretary MeitY
🪪UIDAI
Technology Division
Operations
Security Wing
🖥️NIC
Data Centers
Security Ops
NICNET
🚨CERT-In
Incident Response
Vulnerability Analysis
🔬CDAC
Hyderabad
Pune
Bangalore
STQC
Testing Labs
Certification
📡C-DOT
Telecom R&D
5G/6G Dev
Primary Actor
Subsidiary
Individual

MOD Tri-Service Cyber Architecture

Fractured across service silos - IC4 proposal stalled repeatedly

🛡️MOD Cyber Command
⚠️DCyber (Proposed IC4)
STALLED - Inter-service rivalry
⚔️Army Cyber
Corps of Signals
Military Intelligence
SAG (Offensive)
Navy Cyber
Naval Comms Sec
Maritime Domain
✈️Air Force Cyber
C2 Systems
Radar Networks
ATC Systems
🔭DRDO
LRDE (EW/Radar)
CAIR (AI/ML)
SAG (C4ISR)
RCI (Embedded)
Primary Actor
Subsidiary
Individual

Agency Interrelationship Network

Coordination without command - information flow dependencies

MandateCoordinationPolicyCoordinationIntelligenceStrategicComplianceAdvisoryAdvisoryFundingIntel ShareClassifiedFinance SecMeitYCERT-InMHAMODNSCS/CyCordRBISEBITRAINTROState Cells
Primary
Secondary
External

Institutional Mandate Overlap

Authority claims by domain - no single entity has comprehensive authority

Critical Infra
Financial
Telecom
Government IT
Law Enforcement
Defense
Healthcare
Energy
Critical Infra
70
0
0
0
0
0
0
0
Financial
0
40
0
0
0
0
0
0
Telecom
0
0
60
0
0
0
0
0
Government IT
0
0
0
95
0
0
0
0
Law Enforcement
0
0
0
0
20
0
0
0
Defense
0
0
0
0
0
15
0
0
Healthcare
0
0
0
0
0
0
55
0
Energy
0
0
0
0
0
0
0
45
0
100

State Cyber Capability Radar

Multi-dimensional comparison: Maharashtra vs Tier 3 states

Threat Exposure vs Capability

Population exposure vs state cyber capability (bubble = population scale)

Procurement & Acquisition Timeline

Market entry pathways - 12 months to 7+ years

Q1 0Q2 25Q3 50Q4 75Q 100
NIC Empanelment
100%
CERT-In Empanelment
100%
STQC Certification
75%
CDAC Partnership
30%
State Cell (Tier 1)
60%
MOD Defense Procurement
10%
IC4 Cyber Command
0%
National Cyber Strategy
5%
Completed
In Progress
Planned
Delayed

Cumulative Capability Gap Analysis

National average vs minimum viable standards - no state meets minimum

Increase
Decrease
Total

The Ministry of Electronics and Information Technology controls the most cybersecurity-relevant portfolio in Indian government. This concentration reflects the reality that cybersecurity in India is treated primarily as an IT governance problem rather than a national security problem.

UIDAI — Quasi-Sovereign
• 1.4 billion enrolled residents
• Controls foundational identity infrastructure
• CEO holds de facto veto on auth decisions
• Financial autonomy from budget process
NIC — Invisible Backbone
• 5,000+ technical staff
• 50+ data centers across India
• Government network (NICNET)
• DG NIC controls infrastructure standards
CERT-In — Reactive Only
• 200-300 analysts handling 3M+ incidents
• Ratio: 1 analyst per 10,000 incidents
• No enforcement authority
• Creates compliance-driven demand
Secretary MeitY
• Most powerful bureaucratic position
• Shapes markets through mandates
• Direct access: political connections only
• 18-24 month relationship minimum

MeitY Org Structure

Most powerful cyber governance position

Secretary MeitY
Most powerful position
UIDAI
Identity Infrastructure
1,400M+ enrolled
Quasi-sovereign
NIC
Government IT backbone
5,000+ staff
Infrastructure control
CERT-In
Incident Response
200-300 analysts
Mandatory reporting
CDAC
R&D / Indigenous Tech
Multiple centers
Technology development
STQC
Certification
Testing labs
Procurement gatekeeper
C-DOT
Telecom R&D
Research labs
Indigenous standards

Public-Private Information Flow

CERT-In
Telecom (TRAI/DoT)
Banking (RBI)
NDEMA
State Cyber Cells
MHA
Coordination centers
Regulatory bodies

International Partnership Network

QUAD (Strategic Forum)
Australia
Japan
FIVE EYES (Intelligence Alliance)
United States
United Kingdom
Canada
Australia
New Zealand
BILATERAL PARTNERSHIPS
United States
United Kingdom
Israel
Singapore
SCO (Limited Engagement)
Russia
China

Budget vs Expertise Alignment

Budget Authority
Technical Expertise

Coordination Failures

750M Data Breach Response
2023
CERT-InMHAMeitY
Parallel action without integration
Huawei/ZTE Equipment Risk
2020-present
DoTMHAIntelligence
Identified risk, no resolution pathway
National Cyber Strategy Stalling
2020-2026
MeitYNSCSIntelligence
Bureaucratic conflict preventing reform

Critical Assessment: Structural Coordination Failure

India's cybersecurity governance is not merely inadequate — it is incoherent. The architecture distributes authority without establishing clear lead responsibility, creates coordination mechanisms without providing enforcement power, and allocates resources in proportion to institutional prestige rather than operational need. The result: when a significant cyber incident occurs, no single entity has visibility into the full picture, and no single entity has authority to coordinate response across the multiple agencies that hold fragments of the solution.

750M data breach: parallel investigations without integration
2020-2026: National Cyber Strategy draft never released
IC4 cyber command proposed, stalled multiple times
Previous: Uncomfortable TruthsBack to Analysis