As cyberspace becomes an ever more contested arena of international politics, countries are racing to stake their claim, rolling out national cybersecurity strategies and appointing cyber ambassadors to defend their interests and shape global cyber norms.
So why have democratic emerging powers like India and Indonesia taken a different path? Despite being active in cyber diplomacy and possessing growing digital capabilities, neither has published a comprehensive cybersecurity strategy nor appointed a dedicated cyber envoy, thus differentiating themselves from more established cyber powers in the West. By relying on a context- and issue-specific approach to cybersecurity, driven by ad hoc interagency coordination, they maintain flexibility in a complex geopolitical environment. This model may lack the formality of others, but it reveals how emerging powers from the developing world navigate cyber diplomacy on their own terms.
Strategic ambiguity and India’s non-committal cyber strategy
A cyber strategy serves as a government’s blueprint for safeguarding its digital domain. Such strategies can enhance transparency, strengthen interagency coordination, and clarify national intentions. More states are gradually moving in this direction. Yet the world’s first and third largest democracies – India and Indonesia – have yet to publish public, cohesive cybersecurity strategies.
India’s only formal cybersecurity document is the 2013 National Cyber Security Policy. The policy, only nine pages long, outlines broad goals, including enhancing resilience and fostering public-private partnerships, but lacks operational detail and strategic clarity. It does not map out the threat landscape or define how India would use cyber tools in its statecraft. With the rise of AI-enabled threats, supply-chain attacks, and growing military use of cyberspace, the document is now outdated.
This relatively skeletal approach can be contrasted with fellow BRICS member Brazil’s ‘E-Ciber’ strategy, released in 2020, which lays out a centralised institutional architecture, outlines the development of norms and legal frameworks, and explicitly discusses ways in which Brazil’s role as an international cyber player can be enhanced.
Despite this, India has made meaningful institutional advances. The same year the policy was issued, the government established the National Critical Information Infrastructure Protection Centre, and public-private partnerships have grown, including with Mastercard and Google.
In 2019, the National Security Council Secretariat initiated work on an updated cybersecurity strategy. A draft – reportedly focused on infrastructure resilience, institutional coordination, and international cooperation – was widely circulated within government but never published. The government has provided no explanation for this.
Meanwhile, the Indian military has begun articulating its own cyber doctrine, releasing in 2024 a Joint Doctrine for Cyberspace Operations to guide offensive and defensive cyber operations . While only applicable to the armed forces, this document is quite comprehensive and summarises India’s cyber threat landscape and cyber institutions. It also articulates clear guidance for military commanders on effective cyber defence, though it does not pronounce a doctrine governing offensive operations.
India’s reluctance to publish a strategy is consistent with its broader diplomatic culture, which values strategic ambiguity and avoids rigid doctrines. Indian policymakers generally prefer to maintain flexibility, building partnerships and responding to global shifts without being locked into formal commitments. This flexibility provides more options when engaging on cyber issues but simultaneously limits clarity for stakeholders both within and outside government. Further, holding back from formally articulating a strategy also helps placate institutions within India’s cyber architecture who may not entirely be on board with the contents of the final draft.
Indonesia’s slow and fragmented cyber approach
Indonesia has followed a comparable path, with limited national attention to cybersecurity inhibiting the development of an official strategy. In 2023, Presidential Regulation No. 47/2023 mandated the development of a national cybersecurity strategy, though such a strategy has not yet been made public. Meanwhile, the National Cyber and Crypto Agency (BSSN) was tasked with leading an institutional five-year action plan focused on cyber governance, infrastructure protection, capacity-building, and international cooperation. Internal resistance from other ministries and a lack of cross-agency alignment have also slowed progress.
Cyber governance in Indonesia is shaped by overlapping laws and fragmented institutional mandates. The 2008 Electronic Information and Transactions Law and its 2016 amendment provide a base legal framework, while regulators like the Financial Services Authority and Bank Indonesia impose their own cyber rules. Yet coordination is weak. Even the BSSN, created in 2017 to centralise policy, lacks strong legal authority and faces competition from other agencies. Its long-term Cybersecurity Roadmap to 2045 is largely conceptual and inward-looking.
The 2023 regulation attempted to address this gap, but without transparency or stronger political backing, its impact has been limited. A draft Cybersecurity Resilience Law, expected later this year, may strengthen the BSSN’s mandate and improve coordination. Until then, Indonesia’s strategy remains more aspirational than actionable.
In both countries, the absence of a public strategy reflects deeper preferences for strategic autonomy, adaptability, and decentralised policymaking. Both have developed cyber capabilities and institutions but have stopped short of codifying them into formal documents that could constrain diplomatic options or commit them to fixed positions in global negotiations.
Missing cyber ambassadors
This absence of public strategy is mirrored in the absence of leading cyber diplomats. While many governments have appointed dedicated cyber or digital ambassadors to lead bilateral and multilateral engagements, both India and Indonesia have relied on earlier institutional arrangements rather than creating standalone envoy roles.
In Indonesia, cyber diplomacy is managed through a network of existing officials and agencies. Two individuals largely fulfil the functions of a cyber ambassador: the director for international security and non-proliferation at the Ministry of Foreign Affairs (Kemlu) represents Indonesia in international negotiations and the assistant deputy for international cooperation at the BSSN leads on cyber capacity-building. Responsibilities are divided across forums; Kemlu handles political negotiations while the BSSN leads in technical settings and computer emergency response team cooperation. The Ministry of Communication and Informatics also has staff focused on digital policy.
While the idea of a cyber ambassador has occasionally surfaced – including during the 2024 presidential debates – it has not gained traction for several reasons. First, institutional turf concerns are significant. Creating a cyber envoy under the Foreign Ministry or as a post in the president’s office could trigger tensions with the BSSN or other agencies, disrupting the bureaucratic balance. Second, until recently, Indonesia’s focus has been on domestic capacity building and regulation, with limited need for global advocacy. That may change as Jakarta increasingly loudly voices its positions in international cyber forums. Third, the current political elite does not seem to view the role as pressing.
India has also refrained from appointing a cyber ambassador. Instead, various agencies collectively contribute to the country’s cyber diplomacy, which is fronted by the Ministry of External Affairs (MEA). The MEA maintains a Cyber Diplomacy Division for global forums and a New and Emerging Strategic Technologies Division for issues like AI and digital governance. The Ministry of Electronics and Information Technology, meanwhile, handles domestic incident response and technical cooperation. The Prime Minister’s Office houses the National Cyber Security Coordinator, responsible for high-level strategy and inter-agency alignment.
These entities have gradually increased coordination, representing India’s position in multilateral forums with increasing consistency. While no single figure leads these efforts, the system has become more streamlined.
New Delhi’s diplomatic history, however, suggests that when governments believe issues are important, they appoint key individuals to central positions. The role of India’s ‘nuclear lady’, Ambassador Arundhati Ghose, in the 1996 Comprehensive Test Ban Treaty negotiations and Sherpa Amitabh Kant’s stewardship of India’s G20 presidency in 2023 demonstrate the value of strong public-facing figures in shaping global narratives. For now, it seems India does not see cyber diplomacy as requiring that level of representation. But with initiatives like the AI Safety Summit on the horizon, the government may find that a dedicated ambassador, capable of engaging with governments, civil society, and the private sector, will be increasingly necessary.
A flexible approach in uncertain times
India and Indonesia’s decision not to adopt formal cybersecurity strategies or appoint cyber ambassadors is not a sign of disengagement but a deliberate choice. Rooted in their diplomatic traditions and institutional setups, both countries favour a decentralised, multi-agency model that prioritises flexibility, balance, and alignment with domestic priorities. While this approach may lack coherence and could lead to negligence or institutional turf wars, it does offer autonomy and adaptability.
Yet as global cyber threats intensify and diplomatic negotiations deepen, India and Indonesia may soon face pressure to formalise their approaches – both to coordinate more effectively at home and to lead more credibly abroad. To become more influential, Jakarta and New Delhi may need to adopt formal strategies or designate cyber envoys to boost coordination and credibility. For now, their fragmented but functional model reflects a pragmatic path through the shifting terrain of global cyberspace politics.
Related Posts
