New Delhi — India’s cybersecurity startups are increasingly merging with international firms to scale their operations — a trend driven by limited domestic demand and which could persist unless India strengthens its internal market, Information Technology Secretary S Krishnan said on Friday.
“This won’t change until Indians start paying for cybersecurity tools and services,”
Krishnan said, emphasizing the urgent need for stronger local demand to foster a homegrown cybersecurity ecosystem.
The remarks were made at the launch of the white paper ‘Transitioning to Quantum Cyber Readiness,’ jointly authored by CERT-In (India’s nodal cybersecurity agency) and cybersecurity firm SISA.
Krishnan highlighted that according to CERT-In’s assessment, 15–20% of all spending on IT, software, and digital infrastructure should be allocated to cybersecurity — a benchmark that India is yet to meet.
While acknowledging the long-term goal of mandating India-made cybersecurity tools in critical infrastructure, he cautioned:
“The ecosystem isn’t ready yet,”
and described the current situation as a
“chicken-and-egg” problem — without local demand, domestic capacity won’t grow, and without that capacity, mandates aren’t feasible.
Calling attention to India’s geopolitical risks, Krishnan added:
“India’s not very friendly neighbourhood makes strategic cybersecurity all the more urgent,”
and emphasized that India
“must aim for fully homegrown solutions in both hardware and software.”
Tarun Wig, CEO and co-founder of Innefu Labs, echoed Krishnan’s concerns about weak domestic market appetite. While acknowledging progress on the software front, Wig pointed out a significant gap:
“One major challenge the industry still faces is the lack of Indian-made hardware that can support secure-by-design systems,”
he said, stressing the importance of sustained R&D investment and skilled talent for building end-to-end secure platforms.
The white paper also underlined the critical need to prepare for the post-quantum era, where existing encryption systems like RSA and ECC could become obsolete due to the immense power of quantum computers.
“This makes all encrypted data immediately vulnerable, jeopardising the digital economy by putting the confidentiality and integrity of data at risk,”
the document warned.
It further listed the potential risks of quantum-era cyberattacks, including threats to:
- Financial and health records
- Internet traffic and instant messaging
- Digital certificates and signed documents
- Blockchain networks and cryptocurrencies
- “Harvest now, decrypt later” attacks
Krishnan stressed the urgent need to adopt post-quantum cryptography (PQC):
“Work on PQC is a must. Everyone who uses a computer must be aware of the cryptographic tools available to protect themselves,”
he said, adding that quantum and classical computing are expected to coexist for the foreseeable future.
Sanjay Bahl, Director General of CERT-In, added:
“CERT-In recognises that quantum computing will fundamentally change the threat landscape. We must evolve our security frameworks today to protect India’s expanding digital infrastructure tomorrow.”