Intelligence Architecture Failure

CRITICAL

India's intelligence apparatus is fractured across civil-military boundaries, incapacitated by coordination failures, and structurally incapable of producing the fused operational intelligence that modern threats demand. The result is strategic surprise, operational paralysis, and an attribution gap that renders Indian retaliation capability largely uninformed.

CERT-In Capacity Crisis

CRITICAL

Total Analysts: 322 (for 1.4 billion citizens)
Incidents 2023: 3M+ reported cybersecurity incidents
Analyst-to-Citizen Ratio: 1:4.3M (vs UK 1:81K, US 1:110K)
6-Hour Reporting Compliance: <20% (industry estimate; untested enforcement)

International CERT Capacity Comparison

India: 322 analysts vs USA: 3,100 analysts | Note: India handles proportionally massive incident volume per analyst

National Incident Response Distribution

[Chart: distribution of national incident response across CERT-In Direct Response, Sectoral CERTs, State Cyber Cells, Private Sector SOCs, and Unaddressed; segment values not recoverable from the page]

CERT-In Mandate vs Reality

Provide 24/7 operational response
Enforce cybersecurity requirements on private sector
Conduct security audits without entity consent
Build national incident picture from fragmented reporting
Investigate to point of attribution and prosecution
Coordinate with international CERTs (non-urgent, formal channels)
Conduct basic malware analysis for submitted samples
Provide cybersecurity awareness training

Intelligence Agency Architecture

HIGH
RAW (Research and Analysis Wing): External Human Intelligence. Cyber Capability 72/100; Cross-Agency Coordination 45/100
IB (Intelligence Bureau): Domestic Political Intelligence. Cyber Capability 48/100; Cross-Agency Coordination 38/100
NTRO (National Technical Research Organisation): Signals & Technical Intelligence. Cyber Capability 88/100; Cross-Agency Coordination 52/100
DIA (Defence Intelligence Agency): Military Intelligence. Cyber Capability 65/100; Cross-Agency Coordination 30/100
JSIB (Joint Signals Intelligence Bureau): Military Signals Collection. Cyber Capability 70/100; Cross-Agency Coordination 25/100

Structural Coordination Failures

Civil-Military Intelligence Barrier

TIER 1 - CRITICAL

RAW intelligence on PLA did not reach tactical commanders at Galwan 2020

Example: Galwan Valley June 15, 2020

DIA-NTRO Technical Competition

TIER 2 - SIGNIFICANT

Competing mandates for SIGINT create friction rather than fusion

Example: Resource competition, episodic coordination

MAC Coordination Limits

TIER 2 - SIGNIFICANT

Coordination forum without operational authority; agencies share selectively

Example: Post-26/11 reforms achieve incremental gains only

State-Central Information Asymmetry

TIER 2 - SIGNIFICANT

State police generate no cyber intel; consumers only of central agency output

Example: No state threat reporting upward to CERT-In

Intelligence-Law Enforcement Chasm

TIER 1 - CRITICAL

RAW and NTRO cyber intel inadmissible in court; no fusion to prosecution

Example: Pulwama 2019: multiple streams, no convergence

Private Sector Threat Intelligence Gap

HIGH

Visibility vs Sharing Gap by Sector (threat visibility vs intel sharing)

Financial Sector: 95% visibility, 12% sharing. Reason: Competitive intelligence protection
Telecom: 90% visibility, 8% sharing. Reason: Regulatory fear + Huawei equipment risk
IT Services: 85% visibility, 15% sharing. Reason: Client confidentiality constraints
Pharmaceutical: 70% visibility, 5% sharing. Reason: IP exfiltration fear + shareholder litigation
Healthcare: 55% visibility, 10% sharing. Reason: No sector-specific regulation, immature security

Information Sharing Deficit Drivers

Competitive Intelligence Protection
Disclosing breach details informs competitors about attack vectors and detection capabilities already defended against.
Reputational Liability
Media covers breaches as crime-and-punishment narratives. Disclosure triggers months of reputational management.
No Immunity Provision
Reporting to CERT-In may create documentary evidence used against the reporting organization in litigation.
Bug Bounty Chilling Effect
Security researchers face threats of prosecution under IT Act Section 66. Between 2019 and 2021 this drove research underground or to anonymous foreign channels.

Police-Cyber Divide

CRITICAL

[Chart: State Cyber Cell Personnel vs Population; data not recoverable from the page]

Digital Forensics Crisis

Digital Forensics Experts: 487 (for all of India)
RCFL Laboratories: 30 (chronic equipment obsolescence)
Evidence Backlog: 18 months (for non-priority cases)
Chain of Custody Rejections: 40% (BSA evidence dismissed)
Cyber Crime Conviction Rate: 3%

vs 40% overall cognizable crime conviction rate in India. The overwhelming majority of cyber crimes go uninvestigated not because they are found unsolvable, but because investigation capacity does not exist.

Attribution Capability Gap

Signals Intelligence (SIGINT): 75/100. Gap: NTRO capacity, but siloed from law enforcement
Human Intelligence (HUMINT): 65/100. Gap: RAW external reach strong, domestic gap
Cyber Forensics: 35/100. Gap: 487 experts for 18K+ stations; 18-month backlog
Attribution to Court Standard: 15/100. Gap: Intelligence cannot be introduced in evidence
Cross-Border Cooperation: 20/100. Gap: 60+ days for MLA requests; non-cooperative jurisdictions
Real-Time Threat Attribution: 25/100. Gap: No fused national incident picture

Strategic Assessment

India's attribution gap means that when Chinese APT groups target Indian government entities, CERT-In cannot provide meaningful operational support. Target organizations are largely on their own. Cross-border attribution to non-cooperative jurisdictions (China, Russia, Pakistan) is operationally useless. Indian retaliation capability - whatever form that might take - is uninformed.

Cross-Border Coordination Timeline (stage to next stage, in days)

Incident Detection to Attribution Assessment: 14-30
Attribution Confirmed to Mutual Legal Assistance Request: 30-45
MLAT Filed to Foreign Response: 60-180+
Foreign Response to Actionable Intelligence: Variable

Total timeline from incident to cross-border coordination: 60+ days minimum, often exceeding 6 months for non-cooperative jurisdictions.

Structural Verdict

CERT-In is not a failure of personnel. Its staff, given the constraints they work under, perform with dedication and competence. CERT-In is a failure of institutional design - created for an India that no longer exists, given a mandate it cannot fulfill, provided resources that bear no relationship to its responsibilities, and positioned within a governmental architecture that prevents it from acquiring the authority it would need to be effective.

The Problem

No institution has the authority, mandate, or capability to produce integrated operational intelligence across the civil-military boundary.

The Cost

Strategic surprise at Galwan, operational paralysis at Pulwama, attribution vacuum for all Indian cyber intrusions.

The Trajectory

Incremental MAC improvements within existing architecture. The next major failure will expose the structural gap again.

Segment 13 | Intelligence Architecture Failure | CryptoMize Proprietary Research | March 2026