In this Interview, Shukla discussed following pointers mainly:
Foreign LLM dependence is a strategic vulnerability, exposing India to access cuts, geopolitical lockouts and supply-chain contamination.
India needs a sovereign tech and cybersecurity framework, backed by much higher R&D spending and indigenous infrastructure in AI, quantum, satellites and cloud.
Stronger cyber laws and mass-scale awareness campaigns are essential to protect citizens and critical infrastructure from evolving threats.
With cybercrimes causing an estimated ₹22,000 crore in losses in 2024 and posing serious risks to both individual privacy and national critical infrastructure, India’s existing laws such as the IT Act and the DPDP Act are no longer sufficient, and the country now needs a dedicated cybersecurity law, according to Professor Sandeep Shukla, Director-Designate at IIIT Hyderabad.
Professor Shukla, one of India’s top cybersecurity experts who works with financial institutions like the RBI, NPCI and Kotak Mahindra, spoke with Outlook Business about the evolving nature of cyber threats, how the shifting geopolitical landscape makes sovereign technology increasingly important, the growing role of AI in such attacks, and the urgent need to raise awareness among last-mile users.
Edited Excerpt :
In your experience, what are the most significant cyber threats or attack trends you have observed recently?
Cybercrime, often conflated with other forms of digital threats, largely involves individuals being defrauded through malware infections, social engineering to obtain OTPs, theft of passwords via data breaches, malicious links, “digital arrest” scams, matrimonial fraud, investment traps, and cryptocurrency schemes. Such crimes have surged in recent years ₹22,000 crore was reported lost in 2024, though the actual figure is likely much higher due to underreporting driven by embarrassment or fear. While police cyber cells and the Ministry of Home Affairs’ Indian Cyber Crime Coordination Centre (I4C) are working to counter these threats, recovery is difficult because perpetrators are often organised gangs rather than lone actors. Traditional hotspots like Jamtara have been replaced by multi-state border areas such as Bharatpur and parts of North Bengal near the Bihar–Bengal–Nepal border, with many operations now run from Southeast Asia particularly Cambodia and Thailand often by Chinese-linked syndicates.
A disturbing trend is “cyber slavery,” where victims lured abroad by fake job offers have their passports seized and are forced into running scams. Once funds are stolen, they are rapidly funneled through “mule accounts” rented from poor individuals unaware of the legal risks, broken into smaller parcels, layered across multiple accounts, and ultimately converted into cryptocurrency and transferred overseas.
Beyond individual scams, India’s critical infrastructure like banks, stock exchanges, power plants, water treatment systems, refineries, and more are targeted by nation-state actors via Advanced Persistent Threat (APT) groups such as APT 36 (Pakistan), APT 37 (North Korea), APT 3 (China), and APT 28/29 (Russia). These groups infiltrate systems, implant stealth malware, and remain dormant until activated, communicating covertly with remote command-and-control servers.
Much of the intelligence on them comes from Western sources, leaving threats from allied nations less documented. Even friendly countries may quietly place APT malware as a contingency. Detecting and removing such implants is challenging due to the attackers’ high skill and resources. While APT attacks stay hidden, the most visible profit-driven threats are ransomware and large-scale data exfiltration where gangs, often from Eastern Europe or North Korea, steal or encrypt data and demand cryptocurrency ransoms to prevent public leaks.
Data breaches can affect thousands to millions of records, with stolen credentials frequently traded on the dark web, underscoring how cyber threats today range from petty fraud to sophisticated, state-backed intrusions targeting the very systems a nation depends on.
Common cyberattacks, apart from the silent and less visible ones like Advanced Persistent Threats (APTs), often make headlines due to their disruptive nature ransomware and large-scale data exfiltration being prime examples.
Unlike APTs, which operate quietly and remain undetected for long periods, these attacks are highly visible and damaging. In recent years, ransomware incidents in particular have intensified sharply, and data shows that the overall cyberattack landscape has expanded significantly over time.
Do you think the rise in such cyberattacks is linked to the increased use of AI, not just for detection and defence?
Yes, absolutely; AI is increasingly helping attackers. Today, if you try to get one of the mainstream LLMs to generate malicious code, it usually refuses due to built-in filters. But those filters are easy to bypass, and open-source or locally-run models like Mistral or Meta’s LLMs do not even have such safeguards. You can simply ask them to create an executable with specific malicious capabilities and they will. My own students have used LLMs to generate malware, and much of that code remains undetected by antivirus tools. So for attackers, developing malware or crafting convincing phishing emails has become far easier.
Earlier, phishing emails were full of grammatical errors or obviously fake scenarios like the “Nigerian prince” stories. Now, with LLMs, it’s possible to generate extremely believable and highly customised messages for a specific target for instance, a student receiving an email with content tailored to their background. In short, social engineering, malware creation and automated attacks are all being accelerated by AI.
That said, AI is also going to play a major role in better malware detection, better intrusion detection systems, and more accurate identification of potential vulnerabilities. AI can help both red-teaming and blue-teaming efforts. So whoever uses AI more effectively will gain an advantage. It’s essentially a constant race: attackers are already using AI to craft new payloads and strategies, and defenders need to build stronger AI models to keep up. AI won’t magically solve cyber defence and at the same time, it won’t be the sole reason cyber threats become worse. It will influence both sides. Another growing concern is that the AI systems we rely on might themselves be compromised.
If an attacker manipulates an AI model, it could produce untrustworthy outputs or respond incorrectly to prompts, which introduces a whole new set of risks. So yes, AI is going to fundamentally change both threats and defences and while we are still in the early phase, things in the AI space move extremely fast. What took months earlier now changes in days, and this pace means both the risks and the required defences can escalate very quickly. We need to prepare in a deliberate and coordinated way and at the moment, we haven’t fully caught up yet, though hopefully we will.
You spoke about the role of LLMs, and nowadays many AI startups are building their applications on top of open-source or foreign LLMs like ChatGPT, LLaMA, or DeepSeek. In your view, how risky is it for Indian companies to rely on these external models for their AI use cases?
Obviously, if startups build AI applications specifically for Indian users, they’ll be collecting and processing Indian data. But the problem is that many of these applications are actually built on top of foreign open-source models. So your data might be coming from Indian users, but the underlying model is still controlled by an external entity and that poses serious national security risks. There are two major concerns here from a supply-chain security perspective.
First, access risk. Tomorrow, someone like a Trump-style administration could decide to restrict exports of high-end GPUs to India. If that happens, even if we have all the code and talent, we simply won’t be able to train our own foundational models because we depend on foreign hardware. China anticipated this long ago and is already building its own GPUs. Huawei, for example, now makes chips that are not as good as Nvidia yet, but they are catching up. India has not even started.
Second, dependency risk. As we’ve already seen in the case of companies using Russian oil getting cut off from Microsoft services due to sanctions, we can easily be locked out of models like LLaMA or DeepSeek if geopolitical conditions change. These tools can be withdrawn or disabled unilaterally.
And finally, there’s supply-chain contamination. It is entirely possible that a foreign open-source model comes with a malicious component embedded either unintentionally or by the instruction of a foreign government. If we build our products on top of such contaminated models, we inherit the risk.
In today’s geopolitical climate, especially after the Trump era, India needs to completely rethink its strategic mission and move rapidly towards full technological sovereignty, ideally within the next decade.
As India builds LLMs, fabs and pursues the quantum mission, do you think we first need a strong national cybersecurity framework especially for critical sectors like telecom and space where players like Starlink are entering?
I was in favour of the government blocking Starlink’s entry. If we become dependent on Starlink and, at some point, Elon Musk decides he doesn’t like our policy position and switches it off as he did in Ukraine we would be in serious trouble.
India already has ISRO and significant capabilities in space; we are among the top five space powers globally. So, instead of allowing Starlink, we should be building our own satellite-communication infrastructure.
More broadly, India needs to invest much more in cybersecurity and build its own security technologies, instead of relying on foreign firewalls, antivirus products, or even forensic tools. At the same time, I do believe missions like quantum and AI are necessary. Quantum is strategically critical, because if quantum computing becomes a reality, today’s encryption will simply break and that would be catastrophic. So the national quantum mission is essential, though I am not sure whether we need to focus on all its sub-areas (sensing, communication, computation, etc.) or prioritise specific ones.
Similarly, the AI mission is needed, not only to build our own foundational model but also to cover our many Indian languages and make the benefits of AI reach the last mile.
The real issue is that we are trying to achieve sovereignty while spending only 2–3% of our GDP on research. You cannot build a sovereign tech ecosystem on that level of investment. Countries like the US (pre-Trump) and China consistently invested 6–8% of their GDP in R&D. Given what we’ve seen in the last few years Trump-era restrictions, China leapfrogging in key technologies India needs, at least for the next 5–10 years, to significantly increase R&D spending and adopt a clear strategic vision for technology sovereignty, not only in cybersecurity but across fundamental areas, from operating systems and satellite systems to our own cloud infrastructure. Today, we depend on AWS and Azure, and if they decide to cut us off, we will be in serious trouble.
You mentioned that even educated and tech-savvy people are falling victim to ransomware and social engineering attacks. So how do we protect people in rural India, those with just a basic smartphone and very limited awareness, from losing their data or money to such attacks?
I wouldn’t say ransomware is the biggest problem, the bigger concern is actually attacks on critical infrastructure. Those attacks are already inside the systems; they just have not been activated yet, which makes them much more dangerous than ransomware. That said, your question about who is falling victim to ransomware is still important.
When a large company that holds sensitive customer data suffers a ransomware or data-leakage attack, the impact goes far beyond the organisation itself. Millions of individuals are affected not just in terms of privacy, but because that stolen data is later used for other frauds: Aadhaar numbers are used to obtain SIM cards, open mule accounts, and carry out further scams. So the impact of a company-level ransomware attack is completely different from an individual losing access to their laptop. Even a single individual losing access to their files can be devastating, but a breach at scale harms everyone whose data is involved.
Now, on your question about awareness, that's a real challenge. The government is trying, but it’s very hard because these threats are technical and most people simply don’t understand that something as simple as responding to an SMS or downloading a free game can lead to OTP interception or a ransomware infection. Awareness campaigns through posters or videos often don’t register because people find it difficult and abstract. In my view, we need a massive, long-term awareness campaign, something similar to the AIDS awareness campaigns in the 1990s, which involved hoardings, TV and radio commercials, everywhere.
Right now we hear short messages like Amitabh Bachchan’s voice warning about fraud when we make a call but that’s not enough. We need sustained messaging across media, plus sensitisation at the ground level; panchayat leaders, local police, bank staff, and other local actors should actively engage communities and repeatedly reinforce what to do and what not to do. Only that kind of mission-mode effort will make people truly aware.
In India, however, we still rely largely on the IT Act, 2000 and the yet-to-be-implemented DPDP Act. Do you think our policymaking is being held back by geopolitical pressure from big tech-driven countries like the US and are we hesitant to implement stronger laws because of how companies like Meta or Google might react?
I don’t think the issue is external pressure from the U.S. or Big Tech. The problem is that India currently has only one cyber-related legislation, the IT Act, 2000, amended in 2008 and it is simply inadequate for today’s threat landscape. If you read it, you’ll see that the penalties for offences like data theft, malware distribution or fraud are very mild often just one to three years in prison and fines of a few lakh rupees. For gangs like those operating from Jamtara, that’s barely a deterrent; they serve a short sentence and return to making far more money through fraud.
The Act is also outdated, it doesn’t even recognise many modern cybercrimes such as ransomware, matrimonial fraud or digital arrest. As a result, the police are forced to charge perpetrators under unrelated provisions like unlawful confinement, instead of having dedicated clauses for these offences. For years we’ve been hearing that a dedicated Cyber Security Act is coming, but it hasn’t materialised.
Similarly with the DPDP Act, after the Supreme Court’s Puttaswamy judgment recognised privacy as a fundamental right, the government began drafting a data protection law. The original Srikrishna Committee draft was revised, then withdrawn, and a new version was passed in December 2023.
In my view it is not as strong as the GDPR, but it’s a start. The problem is that even after being passed, it still has not been notified or enforced. And enforcement itself is another issue. To enforce such a law, you need to demonstrate negligence and conduct proper forensics which in turn requires a strong regulator. The DPDP Act proposes a Data Protection Board, but that body is more of an adjudicator than a real regulator, unlike institutions such as RBI or SEBI.
