Five years ago, a UPSC question on cybersecurity would simply ask you to identify the correct function of CERT-In from a list. Today, the examiner wants you to explain the architectural gaps in India’s cyber defence framework and suggest policy reforms. This shift is not random — it reflects how deeply technology governance has entered India’s national security conversation.
If you are preparing for UPSC in 2026, understanding this trend can help you anticipate what the Commission expects. I will walk you through the evolution of cyber policy questions, the core technical concepts you must know, and how to build answers that go beyond surface-level definitions.
Where This Topic Sits in the UPSC Syllabus
Cybersecurity and national cyber policy sit at the intersection of two GS papers. For Prelims, questions usually appear under Science and Technology. For Mains, they fall under GS-III, specifically the Internal Security and Science & Technology sections.
| Exam Stage | Paper | Syllabus Section |
|---|---|---|
| Prelims | General Studies | Science and Technology — developments and their applications in everyday life |
| Mains | GS-III | Internal Security — challenges through communication networks, role of media and social networking sites, cyber security |
| Mains | GS-III | Science and Technology — awareness in the fields of IT, Space, Computers |
Related topics in the same syllabus area include data protection legislation, social media regulation, critical infrastructure protection, and the role of artificial intelligence in governance. Over the past six years, at least 8 to 10 questions have directly or indirectly tested cybersecurity awareness.
How the Nature of UPSC Cyber Questions Has Changed
Until around 2018, most Prelims questions on cybersecurity tested basic awareness. You would be asked what a firewall does, or which body is India’s nodal agency for cyber incidents. A well-read newspaper reader could answer these comfortably.
Starting from 2019-2020, the pattern shifted noticeably. The Commission began asking questions that required understanding of technical architecture — not just institutional names. For instance, questions started testing the difference between cyber espionage and cyber terrorism, or the specific mandate of the National Critical Information Infrastructure Protection Centre (NCIIPC) versus CERT-In.
In Mains, the shift is even sharper. Recent questions expect you to discuss policy gaps, compare India’s framework with global standards, and propose reforms. Simply writing “India needs a strong cyber policy” will not earn marks anymore. The examiner wants specifics — which institutions need strengthening, what legislative changes are pending, and how India’s approach differs from, say, the European Union’s NIS Directive.
Core Concepts You Must Understand Technically
Let me break down the technical concepts that are now fair game for UPSC. You do not need engineering-level depth, but you must go beyond dictionary definitions.
Critical Information Infrastructure (CII) refers to computer systems and networks whose destruction would have a debilitating impact on national security, economy, or public health. Under the IT Act 2000 (Section 70), the government can declare any system as CII. The NCIIPC, which works under the National Security Council Secretariat, is responsible for protecting these systems. Sectors covered include power, banking, telecom, transport, and government networks.
CERT-In (Indian Computer Emergency Response Team) is the nodal agency for responding to cybersecurity incidents. Since 2022, CERT-In has mandated that organisations report cyber incidents within six hours — one of the strictest timelines globally. Understanding this six-hour rule and its implications for businesses and government agencies is now expected in Mains answers.
The National Cyber Security Policy 2013 was India’s first dedicated policy framework. It aimed to create a secure cyberspace ecosystem and build a workforce of 500,000 cybersecurity professionals. However, most experts agree it remained largely unimplemented. The policy lacked an enforcement mechanism, had no dedicated funding, and did not account for emerging threats like ransomware or supply chain attacks.
India has been working on a National Cyber Security Strategy to replace the 2013 policy. This updated framework is expected to address cloud security, IoT vulnerabilities, data localisation, and coordination between military and civilian cyber agencies. For your Mains answers in 2026, knowing the expected contours of this strategy is valuable.
Why the Examiner Is Going Deeper
There are three reasons behind this trend, and understanding them will help you prepare smarter.
First, cyber threats to India have grown dramatically. The AIIMS ransomware attack in 2022, repeated incidents targeting power grids, and data breaches affecting millions of citizens have made cybersecurity a front-page governance issue. The Commission tests what the nation is dealing with — and India is dealing with sophisticated cyber threats daily.
Second, the government itself has become more technically oriented in its policy responses. The Digital Personal Data Protection Act 2023, the expansion of I4C (Indian Cyber Crime Coordination Centre), and the creation of a Defence Cyber Agency all signal that governance now demands technical literacy. UPSC reflects this reality.
Third, the Commission wants to recruit officers who can engage with technical advisors meaningfully. A District Magistrate in 2026 needs to understand what a phishing attack is, how a ransomware incident should be reported, and what cyber hygiene means for government offices. The exam tests this readiness.
How to Build Strong Answers on Cyber Policy
When you write a Mains answer on cybersecurity, follow a structure that shows both knowledge and analytical ability. Start by framing the issue — what specific cyber challenge is the question addressing. Then lay out the institutional framework — which agencies are responsible and under what legal authority.
Next, identify gaps honestly. India’s cyber governance has real weaknesses: shortage of trained professionals, poor coordination between state and central agencies, absence of a unified cyber command for civilian networks, and delayed legislative updates. Mentioning these shows the examiner you are not just memorising — you are thinking critically.
Finally, suggest reforms that are grounded in reality. Reference the proposed National Cyber Security Strategy, the need for a dedicated cybersecurity budget, public-private partnerships for threat intelligence sharing, and capacity building at the state level. If you can mention a global best practice — like Estonia’s cyber defence model or Singapore’s Cybersecurity Act — it adds depth without sounding bookish.
Previous Year UPSC Questions on This Topic
Q1. What is CyberDome Project? Explain how it can be useful in controlling internet crimes in India.
(UPSC Mains 2022 — GS-III)
Answer: CyberDome is a technological research and development centre established by Kerala Police. It functions as a cyber threat monitoring hub that works with ethical hackers, industry partners, and academia. It helps in real-time surveillance of online criminal activity, including financial fraud, child exploitation, and radicalisation. For India, this model demonstrates how state-level police can build cyber capacity through public-private partnerships. Scaling this model nationally could address the shortage of cybercrime investigation capabilities at the district level. It also shows that cybersecurity is not only a central government responsibility — states must invest in technical infrastructure for law enforcement.
Explanation: This question tested whether candidates know about innovative governance models in cybersecurity. The examiner was looking for specific knowledge of CyberDome, not generic points about cybercrime. It also tested your ability to assess scalability of a state initiative. When you see questions like this, always connect the specific example to a broader national challenge.
Q2. Consider the following statements about CERT-In: 1) It operates under the Ministry of Home Affairs. 2) It mandates reporting of cyber incidents within six hours. Which of the above is/are correct?
(UPSC Prelims Style — GS)
Answer: Only statement 2 is correct. CERT-In operates under the Ministry of Electronics and Information Technology (MeitY), not the Ministry of Home Affairs. The six-hour reporting mandate was introduced in 2022 through new directions issued by CERT-In under the IT Act. This is one of the strictest incident reporting timelines globally.
Explanation: This is a classic factual question where the examiner tests whether you know the parent ministry of a key institution. Many aspirants confuse CERT-In with agencies under MHA because cybersecurity sounds like an internal security subject. Always be clear about institutional mapping.
Q3. Analyse the effectiveness of India’s National Cyber Security Policy 2013 in addressing contemporary cyber threats. Suggest improvements.
(UPSC Mains Style — GS-III, 15 marks)
Answer: The 2013 Policy set ambitious goals — creating a secure cyber ecosystem, building a workforce of 500,000 professionals, and establishing a national framework for threat response. However, its effectiveness has been limited. The target of training 500,000 professionals remains unmet. No dedicated funding mechanism was created. The policy did not anticipate threats like ransomware-as-a-service, supply chain attacks, or AI-driven cyber intrusions. Coordination between CERT-In, NCIIPC, Defence Cyber Agency, and state police remains fragmented. Improvements should include a legally binding cyber security framework with compliance penalties, a dedicated cyber security budget as a percentage of GDP, mandatory cyber audits for critical sectors, establishment of state-level CERTs with central funding, and integration of cyber security into school and university curricula. India should study models like Singapore’s Cybersecurity Act, which provides a clear legal framework for CII protection with defined obligations for operators.
Explanation: This type of question demands both evaluation and prescription. The examiner wants to see that you know what the 2013 policy promised, where it failed, and what concrete steps can fix the gaps. Avoid vague suggestions. Be specific about institutional reforms, funding models, and legislative needs.
Key Points to Remember for UPSC
- CERT-In operates under MeitY and mandates six-hour cyber incident reporting since 2022 — one of the strictest globally.
- NCIIPC protects Critical Information Infrastructure and works under the National Security Council Secretariat, not MeitY.
- The National Cyber Security Policy 2013 largely remained unimplemented — its workforce and infrastructure targets were missed.
- India’s Defence Cyber Agency, established in 2018, is a tri-service command handling military cyber operations.
- The Digital Personal Data Protection Act 2023 complements cyber policy by regulating how personal data is collected, stored, and processed.
- State-level cyber capacity varies hugely — Kerala’s CyberDome is a model, but most states lack dedicated cyber infrastructure.
- For Mains, always connect cyber policy to governance outcomes — healthcare data breaches, banking fraud, and election security are strong examples.
Cybersecurity is no longer a niche topic that appears once in three years. It is now woven into the fabric of GS-III questions on internal security, technology governance, and even ethics of surveillance. Build your preparation by reading CERT-In annual reports, tracking policy developments on data protection, and practising answer writing that combines institutional knowledge with analytical thinking. A solid grip on this domain will serve you well across multiple questions in both Prelims and Mains.