1. Hybrid Sabotage Targeting Critical Infrastructure

Critical infrastructures such as power grids, telecom and fibre nodes, railway and highway signalling, ports, fuel terminals, water treatment facilities and data centres are prime targets for sabotage by hostile actors who aim to achieve maximum disruption with minimal effort. Recent CERT-In reporting confirms that more than 9,700 cybersecurity audits were conducted across critical sectors in 2024–25, signalling intensified threat activity directed at national infrastructure (MeitY, 2025, July 26). Cyber advisories have repeatedly highlighted vulnerabilities in power grids and operational-technology environments, particularly in supervisory control and data acquisition (SCADA) systems that maintain grid reliability and substation automation (Hartek Group, 2025, July 31; Robinson, 2025, September 1). International frameworks reinforce the same priority through resilience planning, layered protection of critical nodes and mandated business continuity standards (CISA, 2025, January 24; ISO, 2019; Cassels, 2024, April 25; OECD, 2024/Rev. February 2025; ANL, 2013).

Youth-centric mobilisation patterns create an enabling environment for these disruptions. Gen-Z’s intense engagement with social media, rapid street mobilisation and short-video virality make protests an ideal amplification layer. In Bangladesh, platform-driven escalation increased crowd size and volatility (Ahmed, 2025, June; Dutta & Dawar, 2024, July 31). Nepal’s street unrest was planned in advance through Discord channels, illustrating the emergence of digitally coordinated mobilisation (Dudraj & Pokharel, 2025, October 19/20). The same hybrid protest-to-disruption pattern continues to be observed across South Asia, enabled by narrative warfare and real-time micro-coordination (Monaghan & McDonald, 2024, October 14; NATO, 2024, May 7; Perera & BBC Sinhala Service, 2024, September 17).

Sabotage may take kinetic form (explosives, track obstruction, transformer damage, arson) or non-kinetic form (cyber intrusions, denial-of-service attacks on telecom or data nodes, malware insertion into OT/SCADA). India has recorded multiple low-footprint sabotage attempts against rail infrastructure, including removal of fittings and placement of cement or metal blocks on active tracks (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). These cases show the characteristic hybrid equation in action:

digital narrative + youth mobilisation + predatory or directed sabotage = disproportionate national impact.

2. Actor Archetypes and the De-legitimisation Objective: How Infrastructure Disruption Becomes a Political Weapon

The intention of hostile operators is not limited to disrupting essential services. Their core objective is to delegitimise institutions, convert outages into outrage, erode public trust and provoke state overreaction that polarises society. Infrastructure failure becomes a political weapon when it is paired with real-time narrative manipulation. Mitigation requires simultaneous action on three fronts: real-time social listening to detect mobilisation narratives, hardening of cyber and physical access points using SCADA security practices (ENISA, 2012, July 10), and rapid public communication to prevent disinformation. Infrastructure protection and protest management must operate as distinct missions. When disinformation amplification appears early, when sudden youth mobilisation spikes are noticed at geotagged locations and when anomalies are detected across OT, SCADA or telecom telemetry, security posture must be elevated immediately and a public advisory issued without delay (WEF, 2024, January 11; UNDP, 2023, October 5).

2.1 Foreign-sponsored terrorist proxies / external grey-zone units

Foreign proxies and state-supported grey-zone actors seek disruption without escalating to open conflict. They commonly target infrastructure such as power grids, railways, fuel facilities and telecom nodes, while amplification of outrage on digital platforms is used to pull young crowds into the streets. Hybrid actors study regional protest waves and replicate tactics that proved effective elsewhere. Sri Lanka’s mass mobilisation in 2022 demonstrated how youth-led agitation escalated into occupation of government properties and paralysis of institutions (Perera & BBC Sinhala Service, 2024, September 17). This method aligns with hybrid-threat doctrine: exploit a grievance, mobilise youth at scale, trigger an infrastructure shock and weaponise public anger to gain political advantage (NATO, 2024, May 7; Monaghan & McDonald, 2024, October 14).

2.2 Left-wing insurgent / Maoist networks

Insurgent organisations view infrastructure disruption as a direct attack on state capacity. Damaging railway tracks, telecom towers or substations weakens state reach and fuels public anger, which they redirect toward agitation. Bangladesh’s student-led protests in 2018 escalated into street confrontation within a short span (Dutta & Dawar, 2024, July 31; Ahmed, 2025, June). India has documented cases of sabotage involving removed fittings and obstruction material placed on railway tracks, showing the low-footprint tactics used historically by violent networks to disrupt logistics (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). These patterns reveal how insurgent groups exploit youth unrest as operational cover for infrastructure interference.

2.3 Foreign influence operations and cyber intrusion units

State-linked intrusion units conduct influence operations and cyber campaigns designed to undermine institutional trust and use protests as narrative accelerators. Their actions include probing OT and SCADA environments, attempting denial-of-service attacks on telecom and data centres and deploying malware against power grid infrastructure (Recorded Future, 2021, February; Robinson, 2025, September 1; Hartek Group, 2025, July 31). Nepal’s recent unrest shows that mobilisation can be organised in advance through platforms such as Discord and then escalate into coordinated street occupation (Dudraj & Pokharel, 2025, October 19/20). When cyber disturbances such as telecom outages or power instability occur simultaneously, youth protests can rapidly evolve into a multi-domain crisis (WEF, 2024, January 11; MeitY, 2025, July 26; ENISA, 2012, July 10).

 2.4 Digital mercenaries, troll farms and organised disinformation

Postmodern information ecosystems allow hired influence networks and coordinated troll farms to operate as highly sophisticated amplifiers of social unrest. Their function is not to damage infrastructure directly, but to convert small incidents into nationwide moral panic. They target younger audiences by saturating the information space with short videos, memes and hashtag cascades. They create crowding, distraction and flashpoint conditions in which any later disruption, whether accidental or deliberate, becomes framed as proof of state failure. When infrastructure is damaged, amplified narratives can turn a peaceful protest into an apparent riot. Protest dynamics in Bangladesh show how youth grievances can rapidly expand from a campus issue to capital-level mobilisation (Dutta and Dawar, 2024, July 31; Ahmed, 2025, June). Mobilisation today accelerates even further through platform amplification and coordinated influence networks targeting Gen-Z, enabling near real-time flash-action coordination by threat actors (Monaghan and McDonald, 2024, October 14; NATO, 2024, May 7). 

2.5 Domestic radical identity / extremist groups

Small extremist groups, whether ideological, sectarian or ultra-regional, often pursue symbolic sabotage. Their targets are chosen not for operational value but for spectacle: a water treatment plant, a bridge or a transport node. Youth protests provide both cover and emotionally charged recruits. At moments of peak anger, identity actors steer agitation toward confrontation or infrastructure targeting. Sri Lanka’s large protest wave demonstrated how diverse actors converging on a protest space can convert a demonstration into arson, vandalism and ransacking of state property (Perera and BBC Sinhala Service, 2024, September 17). In India, targeted obstruction of railway tracks shows how motivated groups or opportunists can generate disproportionate disruption during chaotic periods (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11).

 2.6 Lone-actor and small-cell radicalised youth

Radicalised individuals and micro cells often self-radicalise online and seek “spectacle attacks” with high viral impact. Infrastructure is especially attractive to them. A derailed train, a burnt substation or a severed telecom fibre produces immediate operational shock and gains rapid visibility. Recent incidents in India show evidence of attempted derailments using wooden blocks and iron angles placed on tracks, demonstrating how low-cost and low-skill sabotage can have cascading effects (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). Across South Asia, youth movements in Bangladesh, Sri Lanka and Nepal show how quickly street energy can shift into militant outcomes when narrative escalation and physical opportunities converge (Dutta and Dawar, 2024, July 31; Ahmed, 2025, June; Perera and BBC Sinhala Service, 2024, September 17; Dudraj and Pokharel, 2025, October 19/20).

2.7 Organised crime networks

Organised crime networks view large protests as high-value opportunities to execute parallel offences. These range from looting to diversionary attacks that draw police away from smuggling or illegal trade. Sudden disruption of transport nodes, especially railways or highways, creates openings for cargo theft, extortion and black-market operations. India has recorded deliberate obstruction of railway tracks using wooden blocks, metal angles and unbolted fittings, all investigated as sabotage (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). A breakdown in essential services benefits crime syndicates because chaos increases black market margins and reduces enforcement pressure. Even minor damage can escalate into wider systemic disruption (WEF, 2024, January 11; MeitY, 2025, July 26).

3. Hybrid Political Mobilisation and Critical Infrastructure Disruption: Mechanisms, Sequencing, and Strategy

South Asia’s current protest ecosystem shows a convergence between political mobilisation and infrastructure disruption. What begins as an authentic grievance, often amplified through Gen-Z networks, think-tank narratives, campus collectives and media optics, can evolve into manufactured crisis politics when paired with covert sabotage or cyber intrusion. The hybrid approach does not rely on mass violence. It weaponises legitimacy, virality and interdependency. Social energy mobilises crowds, digital narratives mobilise outrage and infrastructure disruption mobilise fear. When these vectors intersect, system breakdown becomes political capital. The subsections that follow (1 to 10) map the full architecture: the overt mechanisms of mobilisation, the covert triggers of escalation, the actors involved and the vulnerabilities exploited. Together they demonstrate how hybrid mobilisation can convert unpredictable community unrest into deliberate manipulation of state stability.

3.1 The white-collar playbook: how legal, respectable tactics create a Gen-Z mobilisation architecture

Political parties and lawful movements increasingly rely on high-legitimacy mechanisms that generate youth momentum while maintaining plausible deniability for any later escalation. These mechanisms include student wings and campus networks, collaborations with NGOs and civil society groups, think tank outputs and policy reports that reframe personal grievances as structural problems, litigation and public-interest petitions, mainstream and influencer-driven media campaigns, and targeted social-media engagement using short videos and hashtag cascades directed at Gen-Z attention cycles. These non-violent, lawful pathways create large and visually compelling protests without overt aggression, while allowing organisers to preserve the public posture of peaceful intent. Hybrid-threat literature shows how legitimate political mobilisation, when paired with covert or disruptive tools, can produce systemic shock if required (Monaghan and McDonald, 2024, Oct 14; NATO, 2024, May 7). The white-collar toolkit matters because it lowers the barrier to participation for students, unemployed youth and gig-economy workers, stretches policing resources, and directs national attention to protest locations. These conditions become exploitable for covert actors seeking to escalate the situation (Dutta and Dawar, 2024, Jul 31; Ahmed, 2025, Jun).

3.2 Narrative scaffolding plus platform mechanics: preparing Gen-Z to escalate (voluntarily or manipulatively)

Movements construct mobilisation through layered narrative design. A simple grievance (exams, jobs, corruption, inflation) is reframed as moral injustice, followed by explicit calls to action pushed through hashtags, campus meet-ups and flash-point gatherings. Platform mechanics then take over. Algorithmic amplification, influencer seeding and short-form video virality push the narrative rapidly through dense Gen-Z networks and convert a local issue into national optics. Bangladesh’s student protests demonstrate how fast grievances scale when platform dynamics accelerate circulation (Dutta and Dawar, 2024, Jul 31; Ahmed, 2025, Jun). Systems-level analyses show that it is the architecture of the platform and the design of the narrative that determine mobilisation speed and spillover potential (Monaghan and McDonald, 2024, Oct 14; WEF, 2024, Jan 11). Once the viral frame settles and public attention peaks, disparate groups converge physically at protest nodes, increasing the probability that non-peaceful actors such as extremist elements, criminal networks or foreign proxies may act under the cover of crowds.

 3.3 How “white-collar” tactics and covert sabotage can be coordinated in time and effect

Sophisticated hybrid campaigns combine three synchronous layers of action: (A) visible and legal mobilisation such as mass protests, litigation and media engagement; (B) cognitive operations including disinformation and narrative amplification within Gen Z ecosystems; and (C) kinetic or cyber sabotage timed to coincide with peak mobilisation. Hybrid and grey-zone doctrines of warfare explicitly link information operations, propaganda and denial of access to operational technology within an integrator playbook intended to create a perception of institutional failure (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14). Hacking into power grids and transport signalling infrastructure has already been reported as preparatory activity by hostile operators during periods of political tension (Recorded Future, 2021, Feb). When destabilising narratives are paired with visible infrastructure stress, a catalysing effect is produced: viral content drives confirmation bias and reinforces a belief that governance has failed (WEF, 2024, Jan 11; MeitY, 2025, Jul 26).

3.4 Why sabotage is a force multiplier for political takeover ambitions

Sabotage, whether physical or cyber, converts contentious politics into crisis politics. When critical services such as power, telecom, trains or fuel fail during protests, public psychology shifts rapidly to fear, confusion and anger. Blame is directed toward the State, creating an impression of incompetence or loss of control. Localised breakdowns can escalate into national political crises that pressure resignations, emergency measures or leadership change. The 2022 Aragalaya movement in Sri Lanka demonstrates this chain reaction: youth protests escalated to seizure of state buildings and paralysis of governance within weeks, forcing top-level exits (Perera & BBC Sinhala Service, 2024, Sep 17). Hybrid-warfare literature consistently shows that non-violent mass pressure, when combined with symbolic disruptions like blackouts or infrastructure seizure, produces political outcomes that exceed the resources invested (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14).

3.5 South Asian examples that trace the pattern

The same model of escalation is repeated across South Asia. An alarm is raised; the alarm is expressed into narrative content; the content is inflated into outrage; the outrage solidifies into action; and that action is directed toward destabilising essential infrastructure. When the turmoil becomes visible and affects basic services, society habitually interprets it as State failure. This trend of complaint evolving into institutional disintegration constitutes a recurring pattern of fact.

Sri Lanka remains the most visible case of mobilisation leading to political downfall. The economic crisis of 2022 resulted in shortages and long queues for fuel. The situation escalated rapidly on social media, with influencers intensifying narratives about government inefficiencies. Demonstrations shifted from public spaces into government compounds. Symbolic buildings were occupied by crowds, and eventually the president resigned, leading to governance paralysis (Perera and BBC Sinhala Service, 2024, Sep 17). The simultaneous collapse in fuel supply and electricity supply intensified the perception that the State had lost operational control.

Bangladesh stands as the clearest example of how youth mobilisation can translate into system failure and ultimately into a political result. What began as a grievance about governance and citizen security escalated quickly into a coordinated national movement. In earlier cycles, online outrage grew through short video content and influencer amplification, with crowds forming within hours due to algorithmic push and network effects (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun). Later waves showed that the mobilisation was no longer fully organic. Messaging clusters shifted simultaneously. Digital accounts advanced identical narratives despite having no prior connection. Crowd movements focused on key pressure points such as intersections, administrative complexes and transport nodes. These actions created visible overload on governance systems and generated a perception of State paralysis.

In the aftermath, a former minister publicly alleged that the mobilisation was a well-planned scheme backed by outside interests with geopolitical agendas, describing it as an effort to force a change of leadership (Times of India, 2025, Nov 09). The allegation does not only by itself establish intent, but it shows how street mobilisation represent only the visible surface while other actors operate behind the scenes with deeper penetration and regime sabotage intent.

Bangladesh reveals the completed escalation ladder:

Grievance → Virality → Mobilisation → Infrastructure disruption → Political pressure → regime change

Nepal demonstrated rapid digital-to-street synchronisation. Coded communication and coordination platforms enabled student groups to transform grievance into physical mobilisation within hours. Demonstrators concentrated at critical urban locations and formed highly visible choke points (Dudraj & Pokharel, 2025, Oct 19/20). This outpaced State communication and demonstrated the efficiency of decentralised digital networks in reducing organisational friction.

In India, a similar pattern exhibits deliberate attempts to use infrastructure interdependency as a weapon. In 2024 and 2025, a series of low-profile sabotage actions placed concrete fragments, wooden blocks and metal angles on railway tracks to trigger signalling failures and disrupt traffic (Vijay Kumar, 2025, Jul 31; Times of India, 2025, Sep 11). The goal was not destruction, but to create the optics of systemic collapse. Parallel cyber-attacks paralysed digital operations at a major hospital and disrupted service delivery. Malicious actors have a known pattern of conducting preparatory intrusions into transport and power networks (Recorded Future, 2021). Even the breakdown of a single substation can trigger cascading effects across dependent grids (Hartek, 2025). A small act can therefore create a large perception of collapse.

Tactics escalate when disruption does not produce the expected political effect. Sabotage shifts from passive obstruction to active attack. Actors progress from placing blockages to damaging signalling huts, cutting fibre lines or interfering with pumping equipment. If visible disruption still does not generate sufficient outrage, escalation may move to violent actions such as arson or explosive attacks at infrastructure bottlenecks. Historical railway investigations show that track fittings were intentionally removed to cause derailments, demonstrating that disruption can evolve into a deadly attack when political stakes are high (Perera and BBC Sinhala Service, 2024).

Across these instances, one lesson remains constant: hybrid actors exploit the public tendency to interpret visible service failure as governance incompetence rather than deliberate sabotage. The visible agitation becomes the process; the latent aim becomes institutional de-legitimisation through intentional operational breakdown. The escalation is not accidental.

3.6 The regional and global geopolitical window that enables faster execution

Two conditions widen the operational window for hybrid sabotage. First, regional adversaries increasingly use proxies, information operations and coordinated disruption to erode rival states while avoiding open conflict (NATO, 2024, May 7). Second, distraction at the global level, due to conflicts or shifts of great-power attention, reduces diplomatic scrutiny and creates space for proxies. Research on hybrid competition finds that exploiting domestic unrest aligns with strategic incentives of rival actors (Monaghan & McDonald, 2024, Oct 14).

3.7 How political actors rationalise or justify such campaigns in public (the “white-collar” justification)

Overground political actors justify large-scale mobilisation by adopting lawful, civic and democratic terminology such as “students demanding accountability,” “citizens defending rights,” and “restoring democracy.” These framings reduce public resistance to mobilisation and give organisers plausible deniability for any subsequent escalation. Legal demonstrations, press conferences, think tank papers, student collectives and the strategic use of social media help build a protective legitimacy shield for the movement. When a service or infrastructure failure occurs, the narrative frame is already set: the public interprets the failure as evidence of state incompetence, corruption or administrative breakdown rather than sabotage. Research on hybrid-threats demonstrates that legitimate mass mobilisation can be combined with covert information campaigns to influence political outcomes without appearing violent or illegal (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14). Mobilisation waves in Bangladesh and Sri Lanka show how peaceful protest narratives provided legitimacy and ultimately produced political outcomes (Dutta & Dawar, 2024, Jul 31; Perera & BBC Sinhala Service, 2024, Sep 17).

3.8 Operational vulnerabilities that make this strategy work (and hence alarming)

This strategy succeeds because it exploits existing structural, behavioural and technological vulnerabilities. First, youth synchronisation velocity, meaning the speed with which young people mobilise physically, is now unprecedented. Bangladesh and Nepal’s student protests, organised on platforms like Discord and rapidly shifting from grievance to street presence, demonstrate how Gen Z leverages platform-driven coordination (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun; Dudraj & Pokharel, 2025, Oct 19/20). Second, due to interdependency among critical infrastructure, disruptions rapidly spread to telecom, payments and transport, making the impact highly visible and socially disruptive (NATO, 2024, May 7; WEF, 2024). Third, hybrid operators rely on low-cost, high-impact sabotage. India saw repeated incidents of wooden blocks, concrete pieces and metal angles being placed on railway tracks, illustrating how minimal input can achieve national-level effects (Vijay Kumar, 2025, Jul 31; Times of India, 2025, Sep 11). Fourth, information-vacuum exploitation. When state communication is delayed, disinformation fills the gap and shapes public perception in real time. During the Bangladesh protests, viral falsehoods accelerated mobilisation and intensified outrage (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun).

3.9 What “success” means to actors using this hybrid approach

For hybrid actors, success unfolds in three stages. The short-term goal is service failure: blackouts, halted trains or telecom outages dominating media cycles and creating a perception of “state failure.” The medium-term result is political destabilisation, seen in resignations, emergency politics, weakened institutions and loss of governmental legitimacy. Sri Lanka’s 2022 protest arc demonstrates this progression, ending with the exit of senior leadership (Perera & BBC Sinhala Service, 2024, Sep 17). The long-term objective is structural realignment through new coalitions or sustained erosion of public trust, allowing anti-establishment forces to gain. Hybrid actors consider even partial results, such as public mistrust, weakened bureaucracy or polarised citizens, as strategic success (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14).

3.10 Guardrails on attribution and caution

Protests occurring alongside sabotage do not automatically indicate coordination. Escalation may arise organically, black market actors may exploit chaos, foreign proxies may probe for vulnerabilities without links to domestic players, and criminal elements may act opportunistically. Attribution requires forensic evidence including cyber intrusion logs, money flow tracing, material origin analysis and validated intelligence inputs. Hybrid-warfare doctrine highlights the need for caution and warns that premature accusations can worsen polarisation and unintentionally amplify adversarial narratives (NATO, 2024, May 7; WEF, 2024). The state must respond, ensure rapid restoration of services, communicate transparently to prevent information vacuums and conduct intelligence-based attribution rather than assumption-driven blame.

4. Hybrid Protest – Sabotage Events: Detection, Mitigation and Institutional Resilience Architecture

If political actors intend to use Gen-Z mobilisation as a political lever, the pathway with the highest impact is hybrid. The sequence is predictable: build a dominant narrative through lawful, high-legitimacy channels; establish mass mobilisation platforms in campuses and youth networks; and time sabotage or cyber disruption to create crisis optics. Grey-zone tactics and global distraction further increase the operational opportunity for such campaigns (NATO, 2024; Monaghan & McDonald, 2024). Because this combination produces disproportionate political effect, the necessary countermeasures become practical and immediate: integrated social-listening systems to detect early narrative priming and sudden geotag surges; prioritised hardening of interdependent infrastructure nodes such as power, fibre meet-points, signalling servers and data centres; transparent public communications to prevent information vacuum; and legally framed mechanisms that allow rapid forensic attribution and corrective action (MeitY, 2025; CISA, 2025; Argonne, 2013). These measures reinforce each other: social-listening reduces surprise, hardened nodes increase resistance to attack, rapid communication reduces misattribution, and statutory attribution processes reduce narrative manipulation and enable enforcement.

4.1 For Leadership and Operational Decision-makers

As shown by the growing combination of large visible mobilisation and attacks on critical infrastructure, adversarial coalitions increasingly pursue not policy reform but the quick de-legitimisation of political authority through disruption of essential services. Traditional protest methods now converge with hybrid warfare tools, information manipulation, cyber intrusion and targeted sabotage of interdependency nodes. When regional proxy competition and global distraction limit early intervention, the operating environment becomes favourable to such actors (Monaghan & McDonald, 2024; NATO, 2024). The hybrid model proceeds as follows: narrative priming, where a simple grievance is reframed as systemic injustice; legitimacy building by political parties, student groups, NGOs and think tanks; mass social-media mobilisation with short videos, hashtags and influencer amplification; and crowd concentration at symbolically visible yet operationally vulnerable nodes (Dutta & Dawar, 2024; Ahmed, 2025).

The trigger phase is a low-footprint, high-impact sabotage or cyber action timed for maximum effect. Typical targets include power substations, long-haul fibre meet-points, railway or metro signalling, water and fuel terminals, and OT/SCADA assets (Hartek Group, 2025; Recorded Future, 2021). Disruptions may be physical, for example wedges on tracks, signalling hut fire, fibre cuts, or digital, such as dormant malware activation, OT tampering or coordinated denial-of-service against telecom networks. The operational goal remains constant: create the appearance of spontaneous service failure or incompetence, enabling protest optics to escalate into political extraction.

Crisis conversion is fast and highly leveraged. Service disruption triggers confusion, rumour and anger; partisan channels amplify the moment and depict it as systemic state collapse; public attention shifts from the original grievance to claims of structural failure. This environment makes resignation pressure, coerced negotiations and emergency politics more likely, provided adversarial actors maintain control of narrative dominance (Perera & BBC Sinhala Service, 2024; WEF, 2024). Leadership must treat such incidents as multi-domain crises: synchronised civil communication, law enforcement containment of criminal activity, emergency restoration teams and intelligence-driven attribution. Only unified, lawful and transparent responses prevent adversaries from converting manufactured infrastructure crises into political gains.

4.2 Key Indicators and Early Warning Signals

Operational indicators reveal when mobilisation begins transitioning to hybrid action. The earliest signals are narrative: identical slogans, frames and talking points suddenly appearing across student unions, campus collectives, NGOs, op-eds and influencer ecosystems. Digital-layer telemetry follows: abrupt spikes in bot-amplified hashtags, cloned short-form videos, sudden increases in encrypted channel chatter and geotagging that concentrates crowds around critical nodes (Monaghan & McDonald, 2024; WEF, 2024). Physical reconnaissance indicators emerge next: drones loitering around substations, repeated photographing of signalling or control equipment and unusual vendor maintenance enquiries at long-haul fibre or port logistics. At the technical layer, OT/SCADA telemetry begins to behave abnormally, such as unexplained tripping, privilege misuse or scan traffic from foreign IP ranges (Recorded Future, 2021; Hartek, 2025). The most decisive indicator is temporal convergence: infrastructure anomalies within minutes of peak crowd density or at the moment of narrative escalation.

4.3 Immediate Mitigation — First 72 Hours

Mitigation during the early window must be structured, sequential and prioritised. The most cascade-prone systems need immediate hardening: critical power substations, fibre meet-points, signalling servers, major data centres and primary pumping stations. Control actions include revoking unused vendor credentials, enforcing multifactor authentication, isolating suspicious OT network segments and blocking foreign IP scans (MeitY, 2025; ISO, 2019). Aerial reconnaissance should be countered through RF detection and interception around sensitive nodes. Communication must shift to real-time public engagement: credible channels, live service dashboards and rapid myth-correction within minutes, not hours (WEF, 2024). Peaceful assembly must be separated from criminal activity, and fast repair teams should be pre-positioned to prevent local sabotage from escalating into system failure. Evidence discipline remains critical: securing scenes, aligning OT logs, preserving telemetry and ensuring chain of custody to support forensic attribution later.

4.4 Anticipated Threat Vectors and Near-Term Outlook

India can expect recurring grievance-to-crowd surges triggered by predictable stress points such as examination outcomes, unemployment spikes, price shocks and identity-linked flashpoints. The highest payoff for adversaries does not lie in large-scale attacks but in low-effort disruptions that cause visible system failures: short blackouts, signalling faults, fibre interruptions or payment slowdowns during peak public attention. The intent is to militarise interdependency so that one small failure cascades into wider disruptions across telecom, finance and transport (Argonne, 2013; OECD, 2024/25). Hybrid actors optimise for a simple formula: minimum action, maximum systemic effect.

4.5 Forensic Checklist: Distinguishing Organic Events from Engineered Disruption

Determining whether a disturbance is natural or engineered requires forensic discipline. Investigators must correlate the timing of crowd density peaks with the moment of infrastructure failure, inspect OT systems for anomalies, examine authentication logs for suspicious credential use or scanning attempts, and collect physical indicators such as wedge marks on tracks or interference with signalling units (Recorded Future, 2021; Vijay Kumar, 2025). Coordinated disinformation exhibits identifiable patterns: identical influencer narratives, bot amplification, sudden alignment between accounts with no prior connection and links through psychology, geography, finance or device behaviour. Attribution must be defensible in a judicial setting. Premature public accusations risk damaging credibility and granting narrative advantage to adversaries (Monaghan & McDonald, 2024).

5. Institutionalising Resilience — BNRI and the Critical Infrastructure Protection Act (CIPA)

The long-term solution lies in the institutionalisation of resilience. Across power, telecom, logistics, finance, water and data infrastructure, the Bharat National Resilience Index (BNRI) must function as India’s national measurement tool for preparedness, mitigation, response and adaptive recovery. BNRI should quantify redundancy, mean time to recovery, digital-twin stress testing and compliance transparency. Resilience audits must include red-team cascading failure exercises, adversarial OT/SCADA emulation and supply chain credential verification (Argonne, 2013; CISA, 2025; OECD, 2024/25). BNRI outputs should generate a national heatmap of the top 100 nodes whose failure would cause the highest systemic consequences, supported by continuity playbooks at the city level with explicit accountability.

To make BNRI actionable, the proposed Critical Infrastructure Protection Act (CIPA) must give it statutory enforceability. CIPA would function as a cluster-based consolidation of fragmented authorities across critical infrastructure, logistics, supply chains and essential institutional sectors. During hybrid disruptions, CIPA should allow rapid operational powers such as asset access, emergency repairs and information requisition, governed by judicially reviewable triggers to prevent misuse. CIPA must require interdependency studies for all capital expenditure decisions in critical sectors and establish a national command structure during crises to operate continuity cells.

Vendor and cyber hygiene must become non-negotiable statutory requirements under CIPA. These include mandatory multifactor authentication, software bill of materials for OT systems, breach notification timelines and explicit liability for negligent credential management (MeitY, 2025; ISO, 2019). Legal frameworks are also required for the information layer: digital platforms should coordinate during hybrid events to restrict mass manipulation, university-level grievance ombuds structures may be formed and transparency reporting for incidents adjacent to protests must be mandated (WEF, 2024; UNDP, 2023). Together, CIPA and BNRI make resilience measurable, enforceable and permanent.

Strategic Objective

The only way to prevent high-visibility protest movements from being manipulated into artificial infrastructure crises is by deploying measurable resilience supported by legislative authority (CIPA) and national resilience accounting (BNRI). The strategic intent is clear: preserve continuity of the State, deny adversaries the ability to weaponise interdependency and prevent rapid political collapse (NATO, 2024; Monaghan & McDonald, 2024).

References

Ahmed, M. (2025, June). Bangladesh in crisis: Social media, algorithmic radicalization, and mob trials around the 5 August 2024 unrest (Preprint). Preprints. https://doi.org/10.20944/preprints202506.0194.v1

Argonne National Laboratory. (2013). Resilience Measurement Index (RMI): Framework and Methodology. https://publications.anl.gov/anlpubs/2013/07/76797.pdf

Cassels, N. (2024, April 25). What is the new NFPA 1660? National Fire Protection Association (NFPA). https://www.nfpa.org/news-blogs-and-articles/blogs/2024/04/25/what-is-the-new-nfpa-1660

Cybersecurity and Infrastructure Security Agency (CISA). (2025, January 24). Infrastructure Resilience Planning Framework (IRPF). U.S. Department of Homeland Security. https://www.cisa.gov/resources-tools/resources/infrastructure-resilience-planning-framework-irpf

Dudraj, D., & Pokharel, G. (2025, October 19; updated 2025, October 20). In-depth investigation: How the two days of Nepal’s September protests were planned on Discord. The Kathmandu Post. https://kathmandupost.com/national/2025/10/19/in-depth-investigation-how-the-two-days-of-nepal-s-september-protests-were-planned-on-discord

Dutta, S., & Dawar, T. (2024, July 31). Explainer: What’s behind Bangladesh’s deadly protests? Asia Pacific Foundation of Canada. https://www.asiapacific.ca/publication/explainer-whats-behind-bangladeshs-deadly-protests

European Union Agency for Network and Information Security. (2012, July 10). ENISA smart grid security recommendations. ENISA. https://www.enisa.europa.eu/publications/ENISA-smart-grid-security-recommendations

Hartek Group. (2025, July 31). The role of SCADA systems in ensuring grid reliability and efficiency. https://hartek.com/post/the-role-of-scada-systems-in-ensuring-grid-reliability-and-efficiency/

International Organization for Standardization (ISO). (2019). ISO 22301:2019 — Security and resilience: Business continuity management systems — Requirements (2nd ed.). https://www.iso.org/standard/75106.html

Ministry of Electronics & Information Technology. (2025, July 26). Government strengthens cybersecurity across critical sectors; Over 9,700 CERT-In audits conducted in 2024–25 [Press release]. Press Information Bureau, Government of India. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148943

Monaghan, S., & McDonald, T. (2024, October 14). Campaigning in the grey zone: Towards a systems approach to countering hybrid threats (HCSS Hybrid Threat paper series, 2023). RAND Corporation. https://www.rand.org/pubs/external_publications/EP70676.html

National Critical Information Infrastructure Protection Centre (NCIIPC). (n.d.). Official website. Government of India. https://nciipc.gov.in/

North Atlantic Treaty Organization (NATO). (2024, May 7). Countering hybrid threats. NATO. https://www.nato.int/cps/en/natohq/topics_156338.htm

Organisation for Economic Co-operation and Development (OECD). (2024). Compendium of good practices on quality infrastructure 2024: Building resilience to natural disasters (Revised February 2025). OECD Publishing. https://doi.org/10.1787/54d26e88-en

Perera, A., & BBC Sinhala Service. (2024, September 17). Chased out by protesters, a political dynasty plots its comeback. BBC News. https://www.bbc.com/news/articles/cr5n51ym19jo

Recorded Future. (2021, February). Continued targeting of Indian power grid assets by Chinese state-sponsored activity group. https://www.recordedfuture.com/research/continued-targeting-of-indian-power-grid-assets

Robinson, A. (2025, September 1). India's critical infrastructure under siege: New CERT-In rules. 6clicks. https://www.6clicks.com/resources/blog/india-critical-infrastructure-cybersecurity-cert-in-audit-rules

Thakur, R. K. (2024, October 14). Railways grapples with ‘sabotage’ attempts. The New Indian Express. https://www.newindianexpress.com/nation/2024/Oct/14/railways-grapples-with-sabotage-attempts

Times of India. (2025, September 11). Cement block bits found on train track. https://timesofindia.indiatimes.com/city/aurangabad/cement-block-bits-found-on-train-track/articleshow/123816396.cms

United Nations Development Programme (UNDP). (2023, October 5). Global infrastructure resilience: Capturing the resilience dividend. UNDP India. https://www.undp.org/india/publications/global-infrastructure-resilience-capturing-resilience-dividend

Vijay Kumar, S. (2025, July 31). Investigation confirms sabotage in Bagmathi Express accident: Fittings of crucial point were forcibly removed, leading to the collision, says CRS report. The Hindu. https://www.thehindu.com/news/national/tamil-nadu/investigation-confirms-sabotage-in-bagmathi-express-accident/article69874547.ece

World Economic Forum. (2024, January 11). Global Cybersecurity Outlook 2024. https://www.weforum.org/publications/global-cybersecurity-outlook-2024/

[This work has been funded by the Indian Council of Social Science Research (ICSSR), Ministry of Education, New Delhi, under the ―ICSSR Post-Doctoral Programme‖ 2019-20 on “Critical Infrastructure Protection Programme for India”.