Article Keywords: Critical infrastructure protection, hybrid protest-sabotage, infrastructure interdependency, BNRI, CIPA, resilience by design, continuity planning, digital-twin stress testing, attribution discipline, national resilience, cyber-physical security, systems failure, crisis optics, institutional legitimacy, strategic deterrence
India’s critical infrastructure has emerged as a primary
arena where street mobilisation can be converted into systems failure.
Adversarial coalitions utilise a hybrid sequence: legitimacy is cultivated
through student wings, NGOs and influencer ecosystems; crowds are synchronised
at pressure points across the urban landscape; and low-footprint sabotage or
cyber intrusion is directed at power, telecom or transport systems to produce
visible governance collapse. The objective is not protest, but institutional
delegitimisation by generating outrage that forces political intervention or
concessions. This paper proposes an immediate national response grounded in two
instruments: the Bharat National Resilience Index, a measurable readiness and
recovery mechanism that assesses redundancy, digital-twin stress testing and
continuity heatmaps; and the Critical Infrastructure Protection Act, which
provides statutory authority to integrate cyber and physical resilience,
interdependency assessments and crisis-transparent accountability. The policy
message is direct: deterrence now depends on resilience by design. India has
the capability to harden critical nodes, reduce recovery time and apply
attribution discipline, preventing adversarial coalitions from converting public
discontent into engineered infrastructure failure or political instability.
Introduction:
1. Hybrid Sabotage Targeting Critical Infrastructure
Critical infrastructures
such as power grids, telecom and fibre nodes, railway and highway signalling,
ports, fuel terminals, water treatment facilities and data centres are prime
targets for sabotage by hostile actors who aim to achieve maximum disruption
with minimal effort. Recent CERT-In reporting confirms that more than 9,700
cybersecurity audits were conducted across critical sectors in 2024–25,
signalling intensified threat activity directed at national infrastructure
(MeitY, 2025, July 26). Cyber advisories have repeatedly highlighted
vulnerabilities in power grids and operational-technology environments,
particularly in supervisory control and data acquisition (SCADA) systems that
maintain grid reliability and substation automation (Hartek Group, 2025, July
31; Robinson, 2025, September 1). International frameworks reinforce the same
priority through resilience planning, layered protection of critical nodes and
mandated business continuity standards (CISA, 2025, January 24; ISO, 2019;
Cassels, 2024, April 25; OECD, 2024/Rev. February 2025; ANL, 2013).
Youth-centric
mobilisation patterns create an enabling environment for these disruptions.
Gen-Z’s intense engagement with social media, rapid street mobilisation and
short-video virality make protests an ideal amplification layer. In Bangladesh,
platform-driven escalation increased crowd size and volatility (Ahmed, 2025,
June; Dutta & Dawar, 2024, July 31). Nepal’s street unrest was planned in
advance through Discord channels, illustrating the emergence of digitally
coordinated mobilisation (Dudraj & Pokharel, 2025, October 19/20). The same
hybrid protest-to-disruption pattern continues to be observed across South
Asia, enabled by narrative warfare and real-time micro-coordination (Monaghan
& McDonald, 2024, October 14; NATO, 2024, May 7; Perera & BBC Sinhala
Service, 2024, September 17).
Sabotage may take kinetic
form (explosives, track obstruction, transformer damage, arson) or non-kinetic
form (cyber intrusions, denial-of-service attacks on telecom or data nodes,
malware insertion into OT/SCADA). India has recorded multiple low-footprint
sabotage attempts against rail infrastructure, including removal of fittings
and placement of cement or metal blocks on active tracks (Vijay Kumar, 2025,
July 31; Times of India, 2025, September 11). These cases show the
characteristic hybrid equation in action:
digital narrative + youth mobilisation + predatory or directed sabotage = disproportionate national impact.
2. Actor Archetypes and the Delegitimisation Objective: How Infrastructure Disruption Becomes a Political Weapon
The intention of hostile
operators is not limited to disrupting essential services. Their core objective
is to delegitimise institutions, convert outages into outrage, erode public
trust and provoke state overreaction that polarises society. Infrastructure
failure becomes a political weapon when it is paired with real-time narrative
manipulation. Mitigation requires simultaneous action on three fronts:
real-time social listening to detect mobilisation narratives, hardening of
cyber and physical access points using SCADA security practices (ENISA, 2012,
July 10), and rapid public communication to prevent disinformation.
Infrastructure protection and protest management must operate as distinct
missions. When disinformation amplification appears early, when sudden youth
mobilisation spikes are noticed at geotagged locations and when anomalies are
detected across OT, SCADA or telecom telemetry, security posture must be
elevated immediately and a public advisory issued without delay (WEF, 2024,
January 11; UNDP, 2023, October 5).
2.1 Foreign-sponsored terrorist proxies / external grey-zone units
Foreign proxies and
state-supported grey-zone actors seek disruption without escalating to open
conflict. They commonly target infrastructure such as power grids, railways,
fuel facilities and telecom nodes, while amplification of outrage on digital
platforms is used to pull young crowds into the streets. Hybrid actors study
regional protest waves and replicate tactics that proved effective elsewhere.
Sri Lanka’s mass mobilisation in 2022 demonstrated how youth-led agitation
escalated into occupation of government properties and paralysis of
institutions (Perera & BBC Sinhala Service, 2024, September 17). This
method aligns with hybrid-threat doctrine: exploit a grievance, mobilise youth
at scale, trigger an infrastructure shock and weaponise public anger to gain
political advantage (NATO, 2024, May 7; Monaghan & McDonald, 2024, October
14).
2.2 Left-wing insurgent / Maoist networks
Insurgent organisations
view infrastructure disruption as a direct attack on state capacity. Damaging
railway tracks, telecom towers or substations weakens state reach and fuels
public anger, which they redirect toward agitation. Bangladesh’s student-led
protests in 2018 escalated into street confrontation within a short span (Dutta
& Dawar, 2024, July 31; Ahmed, 2025, June). India has documented cases of
sabotage involving removed fittings and obstruction material placed on railway
tracks, showing the low-footprint tactics used historically by violent networks
to disrupt logistics (Vijay Kumar, 2025, July 31; Times of India, 2025,
September 11). These patterns reveal how insurgent groups exploit youth unrest
as operational cover for infrastructure interference.
2.3 Foreign influence operations and cyber intrusion units
State-linked intrusion
units conduct influence operations and cyber campaigns designed to undermine
institutional trust and use protests as narrative accelerators. Their actions
include probing OT and SCADA environments, attempting denial-of-service attacks
on telecom and data centres and deploying malware against power grid
infrastructure (Recorded Future, 2021, February; Robinson, 2025, September 1;
Hartek Group, 2025, July 31). Nepal’s recent unrest shows that mobilisation can
be organised in advance through platforms such as Discord and then escalate
into coordinated street occupation (Dudraj & Pokharel, 2025, October
19/20). When cyber disturbances such as telecom outages or power instability
occur simultaneously, youth protests can rapidly evolve into a multi-domain
crisis (WEF, 2024, January 11; MeitY, 2025, July 26; ENISA, 2012, July 10).
2.4 Digital mercenaries, troll farms and organised disinformation
Postmodern information ecosystems allow hired influence networks and coordinated troll farms to operate as highly sophisticated amplifiers of social unrest. Their function is not to damage infrastructure directly, but to convert small incidents into nationwide moral panic. They target younger audiences by saturating the information space with short videos, memes and hashtag cascades. They create crowding, distraction and flashpoint conditions in which any later disruption, whether accidental or deliberate, becomes framed as proof of state failure. When infrastructure is damaged, amplified narratives can turn a peaceful protest into an apparent riot. Protest dynamics in Bangladesh show how youth grievances can rapidly expand from a campus issue to capital-level mobilisation (Dutta and Dawar, 2024, July 31; Ahmed, 2025, June). Mobilisation today accelerates even further through platform amplification and coordinated influence networks targeting Gen-Z, enabling near real-time flash-action coordination by threat actors (Monaghan and McDonald, 2024, October 14; NATO, 2024, May 7).
2.5 Domestic radical identity / extremist groups
Small extremist groups, whether ideological, sectarian or ultra-regional, often pursue symbolic sabotage. Their targets are chosen not for operational value but for spectacle: a water treatment plant, a bridge or a transport node. Youth protests provide both cover and emotionally charged recruits. At moments of peak anger, identity actors steer agitation toward confrontation or infrastructure targeting. Sri Lanka’s large protest wave demonstrated how diverse actors converging on a protest space can convert a demonstration into arson, vandalism and ransacking of state property (Perera and BBC Sinhala Service, 2024, September 17). In India, targeted obstruction of railway tracks shows how motivated groups or opportunists can generate disproportionate disruption during chaotic periods (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11).
2.6 Lone-actor and small-cell radicalised youth
Radicalised individuals
and micro cells often self-radicalise online and seek “spectacle attacks” with
high viral impact. Infrastructure is especially attractive to them. A derailed
train, a burnt substation or a severed telecom fibre produces immediate operational
shock and gains rapid visibility. Recent incidents in India show evidence of
attempted derailments using wooden blocks and iron angles placed on tracks,
demonstrating how low-cost and low-skill sabotage can have cascading effects
(Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). Across South
Asia, youth movements in Bangladesh, Sri Lanka and Nepal show how quickly
street energy can shift into militant outcomes when narrative escalation and
physical opportunities converge (Dutta and Dawar, 2024, July 31; Ahmed, 2025,
June; Perera and BBC Sinhala Service, 2024, September 17; Dudraj and Pokharel,
2025, October 19/20).
2.7 Organised crime networks
Organised crime networks view large protests as high-value opportunities to execute parallel offences. These range from looting to diversionary attacks that draw police away from smuggling or illegal trade. Sudden disruption of transport nodes, especially railways or highways, creates openings for cargo theft, extortion and black market operations. India has recorded deliberate obstruction of railway tracks using wooden blocks, metal angles and unbolted fittings, all investigated as sabotage (Vijay Kumar, 2025, July 31; Times of India, 2025, September 11). A breakdown in essential services benefits crime syndicates because chaos increases black market margins and reduces enforcement pressure. Even minor damage can escalate into wider systemic disruption (WEF, 2024, January 11; MeitY, 2025, July 26).
3. Hybrid Political Mobilisation and Critical Infrastructure Disruption: Mechanisms, Sequencing, and Strategy
South Asia’s current
protest ecosystem shows a convergence between political mobilisation and
infrastructure disruption. What begins as an authentic grievance, often
amplified through Gen-Z networks, think-tank narratives, campus collectives and
media optics, can evolve into manufactured crisis politics when paired with
covert sabotage or cyber intrusion. The hybrid approach does not rely on mass
violence. It weaponises legitimacy, virality and interdependency. Social energy
mobilises crowds, digital narratives mobilise outrage and infrastructure
disruption mobilises fear. When these vectors intersect, system breakdown
becomes political capital.
The subsections that follow (1 to 10) map the full architecture: the overt mechanisms of mobilisation, the covert triggers of escalation, the actors involved and the vulnerabilities exploited. Together they demonstrate how hybrid mobilisation can convert unpredictable community unrest into deliberate manipulation of state stability.
3.1 The white-collar playbook: how legal, respectable tactics create a Gen-Z mobilisation architecture
Political parties and lawful movements increasingly rely on high-legitimacy mechanisms that generate youth momentum while maintaining plausible deniability for any later escalation. These mechanisms include student wings and campus networks, collaborations with NGOs and civil society groups, think tank outputs and policy reports that reframe personal grievances as structural problems, litigation and public-interest petitions, mainstream and influencer-driven media campaigns, and targeted social-media engagement using short videos and hashtag cascades directed at Gen-Z attention cycles. These non-violent, lawful pathways create large and visually compelling protests without overt aggression, while allowing organisers to preserve the public posture of peaceful intent. Hybrid-threat literature shows how legitimate political mobilisation, when paired with covert or disruptive tools, can produce systemic shock if required (Monaghan and McDonald, 2024, Oct 14; NATO, 2024, May 7). The white-collar toolkit matters because it lowers the barrier to participation for students, unemployed youth and gig-economy workers, stretches policing resources, and directs national attention to protest locations. These conditions become exploitable for covert actors seeking to escalate the situation (Dutta and Dawar, 2024, Jul 31; Ahmed, 2025, Jun).
3.2 Narrative scaffolding plus platform mechanics: preparing Gen-Z to escalate (voluntarily or manipulatively)
Movements construct
mobilisation through layered narrative design. A simple grievance (exams, jobs,
corruption, inflation) is reframed as moral injustice, followed by explicit
calls to action pushed through hashtags, campus meet-ups and flash-point gatherings.
Platform mechanics then take over. Algorithmic amplification, influencer
seeding and short-form video virality push the narrative rapidly through dense
Gen-Z networks and convert a local issue into national optics. Bangladesh’s
student protests demonstrate how fast grievances scale when platform dynamics
accelerate circulation (Dutta and Dawar, 2024, Jul 31; Ahmed, 2025, Jun).
Systems-level analyses show that it is the architecture of the platform and the
design of the narrative that determine mobilisation speed and spillover
potential (Monaghan and McDonald, 2024, Oct 14; WEF, 2024, Jan 11). Once the
viral frame settles and public attention peaks, disparate groups converge
physically at protest nodes, increasing the probability that non-peaceful actors
such as extremist elements, criminal networks or foreign proxies may act under
the cover of crowds.
| Actor Category | Most Likely CI Targets | Typical TTPs (Tactics, Techniques, Procedures) | Early Warning Indicators | Rapid Mitigations |
|---|---|---|---|---|
| Foreign-sponsored terrorist / grey-zone units | Major power substations, fibre junctions, port fuel terminals, rail chokepoints | Clandestine explosives, drone surveillance, OT probing & intrusion, narrative warfare | Cross-border chatter, suspicious OT access attempts, drones near CI, viral narratives blaming the state | Harden breakers, isolate suspicious OT sessions, fast-response CI security, proactive public communication |
| Left-wing insurgent / Maoist networks | Rural/semi-urban tracks, freight corridors, telecom towers | Track obstruction, arson on signalling huts, ambushes, grievance-driven youth recruitment | Sudden grievance mobilisations, recon behavior near tracks | Corridor patrols, secure maintenance crews, local grievance resolution cell |
| Foreign cyber influence ops | Power grid SCADA, data centers, backbone ISPs, signaling servers | SCADA reconnaissance, malware implants, DDoS attacks | Scanning from foreign IP blocks, abnormal vendor credential use | OT segment isolation, MFA for vendors, telecom DDoS shield |
| Digital mercenaries / troll farms | Crowd concentration areas: metro stations, junctions, campuses | Viral hashtag campaigns, deepfakes, geotag push for protest hotspots | Bot amplification patterns, script-repetitive accounts, flash crowd formation | Platform takedown, rapid counter-narratives, campus helpline triggers |
| Domestic radical identity groups | Symbolic CI: bridges, water plants, towers | Arson, flashpoint sabotage, hit-and-run | Escalating rhetoric, “retribution” calls, mobilisation notices | CCTV perimeter tightening, community policing, temporary closure during tension |
| Organised crime networks | Ports, container yards, fuel depots | Fibre cuts for diversion, smuggling cover using chaos | Unusual convoy movement, price anomalies | Port scanning, convoy escorting, crime intel ops |
| Lone actors / radicalised youth | Tracks, substations, cell towers | Low-skill sabotage: wedges on tracks, fibre cuts | Radical online posts, odd purchase patterns, geo-tagged reconnaissance | Public-facing surveillance, anonymous reporting, quick repair teams |
3.3 How “white-collar” tactics and covert sabotage can be coordinated in time and effect
Sophisticated hybrid
campaigns combine three synchronous layers of action: (A) visible and legal
mobilisation such as mass protests, litigation and media engagement; (B)
cognitive operations including disinformation and narrative amplification
within Gen Z ecosystems; and (C) kinetic or cyber sabotage timed to coincide
with peak mobilisation. Hybrid and grey-zone doctrines of warfare explicitly
link information operations, propaganda and denial of access to operational
technology within an integrated playbook intended to create a perception of
institutional failure (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct
14). Hacking into power grids and transport signalling infrastructure has
already been reported as preparatory activity by hostile operators during
periods of political tension (Recorded Future, 2021, Feb). When destabilising
narratives are paired with visible infrastructure stress, a catalysing effect
is produced: viral content drives confirmation bias and reinforces a belief
that governance has failed (WEF, 2024, Jan 11; MeitY, 2025, Jul 26).
3.4 Why sabotage is a force multiplier for political takeover ambitions
Sabotage, whether
physical or cyber, converts contentious politics into crisis politics. When
critical services such as power, telecom, trains or fuel fail during protests,
public psychology shifts rapidly to fear, confusion and anger. Blame is
directed toward the State, creating an impression of incompetence or loss of
control. Localised breakdowns can escalate into national political crises that
pressure resignations, emergency measures or leadership change. The 2022
Aragalaya movement in Sri Lanka demonstrates this chain reaction: youth
protests escalated to seizure of state buildings and paralysis of governance
within weeks, forcing top-level exits (Perera & BBC Sinhala Service, 2024,
Sep 17). Hybrid-warfare literature consistently shows that non-violent mass
pressure, when combined with symbolic disruptions like blackouts or
infrastructure seizure, produces political outcomes that exceed the resources
invested (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14).
3.5 South Asian examples that trace the pattern (empirical observation)
The same model of escalation is repeated across South Asia. An alarm is raised; the alarm is converted into narrative content; the content is inflated into outrage; the outrage solidifies into action; and that action is directed toward destabilising essential infrastructure. When the turmoil becomes visible and affects basic services, society habitually interprets it as State failure. This progression from complaint to institutional disintegration is a recurring, observable pattern.
Sri Lanka remains the
most visible case of mobilisation leading to political downfall. The economic
crisis of 2022 resulted in shortages and long queues for fuel. The situation
escalated rapidly on social media, with influencers intensifying narratives about
government inefficiencies. Demonstrations shifted from public spaces into
government compounds. Symbolic buildings were occupied by crowds, and
eventually the president resigned, leading to governance paralysis (Perera and
BBC Sinhala Service, 2024, Sep 17). The simultaneous collapse in fuel supply
and electricity supply intensified the perception that the State had lost
operational control.
Bangladesh stands as the clearest example of how youth mobilisation can translate into system failure and ultimately into a political result. What began as a grievance about governance and citizen security escalated quickly into a coordinated national movement. In earlier cycles, online outrage grew through short video content and influencer amplification, with crowds forming within hours due to algorithmic push and network effects (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun). Later waves showed that the mobilisation was no longer fully organic. Messaging clusters shifted simultaneously. Digital accounts advanced identical narratives despite having no prior connection. Crowd movements focused on key pressure points such as intersections, administrative complexes and transport nodes. These actions created visible overload on governance systems and generated a perception of State paralysis.
In the aftermath, a
former minister publicly alleged that the mobilisation was a well-planned
scheme backed by outside interests with geopolitical agendas, describing it as
an effort to force a change of leadership (Times of India, 2025, Nov 09). The
allegation does not by itself establish intent, but it shows how street
mobilisation represents only the visible surface while other actors operate
behind the scenes with deeper penetration and regime sabotage intent.
Bangladesh reveals the completed escalation ladder:
Grievance → Virality → Mobilisation → Infrastructure disruption → Political pressure → Regime change
Nepal demonstrated rapid
digital-to-street synchronisation. Coded communication and coordination
platforms enabled student groups to transform grievance into physical
mobilisation within hours. Demonstrators concentrated at critical urban
locations and formed highly visible choke points (Dudraj & Pokharel, 2025,
Oct 19/20). This outpaced State communication and demonstrated the efficiency
of decentralised digital networks in reducing organisational friction.
In India, a similar
pattern shows deliberate attempts to use infrastructure interdependency as a
weapon. In 2024 and 2025, a series of low-profile sabotage actions placed
concrete fragments, wooden blocks and metal angles on railway tracks to trigger
signalling failures and disrupt traffic (Vijay Kumar, 2025, Jul 31; Times of
India, 2025, Sep 11). The goal was not destruction, but to create the optics of
systemic collapse. Parallel cyber attacks paralysed digital operations at a
major hospital and disrupted service delivery. Malicious actors have a known
pattern of conducting preparatory intrusions into transport and power networks
(Recorded Future, 2021). Even the breakdown of a single substation can trigger
cascading effects across dependent grids (Hartek, 2025). A small act can
therefore create a large perception of collapse.
Tactics escalate when
disruption does not produce the expected political effect. Sabotage shifts from
passive obstruction to active attack. Actors progress from placing blockages to
damaging signalling huts, cutting fibre lines or interfering with pumping
equipment. If visible disruption still does not generate sufficient outrage,
escalation may move to violent actions such as arson or explosive attacks at
infrastructure bottlenecks. Historical railway investigations show that track
fittings were intentionally removed to cause derailments, demonstrating that
disruption can evolve into a deadly attack when political stakes are high
(Perera and BBC Sinhala Service, 2024).
Across these instances,
one lesson remains constant: hybrid actors exploit the public tendency to
interpret visible service failure as governance incompetence rather than
deliberate sabotage. The visible agitation becomes the process; the latent aim
becomes institutional delegitimisation through intentional operational
breakdown. The escalation is not accidental.
3.6 The regional and global geopolitical window that enables faster execution
Two conditions widen the operational window for hybrid sabotage. First, regional adversaries increasingly use proxies, information operations and coordinated disruption to erode rival states while avoiding open conflict (NATO, 2024, May 7). Second, distraction at the global level, due to conflicts or shifts of great-power attention, reduces diplomatic scrutiny and creates space for proxies. Research on hybrid competition finds that exploiting domestic unrest aligns with strategic incentives of rival actors (Monaghan & McDonald, 2024, Oct 14).
3.7 How political actors rationalise or justify such campaigns in public (the “white-collar” justification)
Overground political actors justify large-scale mobilisation by adopting lawful, civic and democratic terminology such as “students demanding accountability,” “citizens defending rights,” and “restoring democracy.” These framings reduce public resistance to mobilisation and give organisers plausible deniability for any subsequent escalation. Legal demonstrations, press conferences, think tank papers, student collectives and the strategic use of social media help build a protective legitimacy shield for the movement. When a service or infrastructure failure occurs, the narrative frame is already set: the public interprets the failure as evidence of state incompetence, corruption or administrative breakdown rather than sabotage. Research on hybrid threats demonstrates that legitimate mass mobilisation can be combined with covert information campaigns to influence political outcomes without appearing violent or illegal (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14). Mobilisation waves in Bangladesh and Sri Lanka show how peaceful protest narratives provided legitimacy and ultimately produced political outcomes (Dutta & Dawar, 2024, Jul 31; Perera & BBC Sinhala Service, 2024, Sep 17).
3.8 Operational vulnerabilities that make this strategy work (and hence alarming)
This strategy succeeds because it exploits existing structural, behavioural and technological vulnerabilities. First, youth synchronisation velocity, meaning the speed with which young people mobilise physically, is now unprecedented. Bangladesh and Nepal’s student protests, organised on platforms like Discord and rapidly shifting from grievance to street presence, demonstrate how Gen Z leverages platform-driven coordination (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun; Dudraj & Pokharel, 2025, Oct 19/20). Second, due to interdependency among critical infrastructure, disruptions rapidly spread to telecom, payments and transport, making the impact highly visible and socially disruptive (NATO, 2024, May 7; WEF, 2024). Third, hybrid operators rely on low-cost, high-impact sabotage. India saw repeated incidents of wooden blocks, concrete pieces and metal angles being placed on railway tracks, illustrating how minimal input can achieve national-level effects (Vijay Kumar, 2025, Jul 31; Times of India, 2025, Sep 11). Fourth, hybrid operators exploit information vacuums. When state communication is delayed, disinformation fills the gap and shapes public perception in real time. During the Bangladesh protests, viral falsehoods accelerated mobilisation and intensified outrage (Dutta & Dawar, 2024, Jul 31; Ahmed, 2025, Jun).
3.9 What “success” means to actors using this hybrid approach
For hybrid actors, success unfolds in three stages. The short-term goal is service failure: blackouts, halted trains or telecom outages dominating media cycles and creating a perception of “state failure.” The medium-term result is political destabilisation, seen in resignations, emergency politics, weakened institutions and loss of governmental legitimacy. Sri Lanka’s 2022 protest arc demonstrates this progression, ending with the exit of senior leadership (Perera & BBC Sinhala Service, 2024, Sep 17). The long-term objective is structural realignment through new coalitions or sustained erosion of public trust, allowing anti-establishment forces to gain. Hybrid actors consider even partial results, such as public mistrust, weakened bureaucracy or polarised citizens, as strategic success (NATO, 2024, May 7; Monaghan & McDonald, 2024, Oct 14).
3.10 Guardrails on attribution and caution
Protests occurring alongside sabotage do not automatically indicate coordination. Escalation may arise organically, black market actors may exploit chaos, foreign proxies may probe for vulnerabilities without links to domestic players, and criminal elements may act opportunistically. Attribution requires forensic evidence including cyber intrusion logs, money flow tracing, material origin analysis and validated intelligence inputs. Hybrid-warfare doctrine highlights the need for caution and warns that premature accusations can worsen polarisation and unintentionally amplify adversarial narratives (NATO, 2024, May 7; WEF, 2024). The state must respond, ensure rapid restoration of services, communicate transparently to prevent information vacuums and conduct intelligence-based attribution rather than assumption-driven blame.
4. Hybrid Protest – Sabotage Events: Detection, Mitigation and Institutional Resilience Architecture
If political actors intend to use Gen-Z mobilisation as a political lever, the pathway with the highest impact is hybrid. The sequence is predictable: build a dominant narrative through lawful, high-legitimacy channels; establish mass mobilisation platforms in campuses and youth networks; and time sabotage or cyber disruption to create crisis optics. Grey-zone tactics and global distraction further increase the operational opportunity for such campaigns (NATO, 2024; Monaghan & McDonald, 2024). Because this combination produces disproportionate political effect, the necessary countermeasures become practical and immediate: integrated social-listening systems to detect early narrative priming and sudden geotag surges; prioritised hardening of interdependent infrastructure nodes such as power, fibre meet-points, signalling servers and data centres; transparent public communications to prevent information vacuum; and legally framed mechanisms that allow rapid forensic attribution and corrective action (MeitY, 2025; CISA, 2025; Argonne, 2013). These measures reinforce each other: social-listening reduces surprise, hardened nodes increase resistance to attack, rapid communication reduces misattribution, and statutory attribution processes reduce narrative manipulation and enable enforcement.
4.1 For Leadership and Operational Decision-makers
As shown by the growing combination of large visible mobilisation and attacks on critical infrastructure, adversarial coalitions increasingly pursue not policy reform but the quick de-legitimisation of political authority through disruption of essential services. Traditional protest methods now converge with hybrid warfare tools, information manipulation, cyber intrusion and targeted sabotage of interdependency nodes. When regional proxy competition and global distraction limit early intervention, the operating environment becomes favourable to such actors (Monaghan & McDonald, 2024; NATO, 2024). The hybrid model proceeds as follows: narrative priming, where a simple grievance is reframed as systemic injustice; legitimacy building by political parties, student groups, NGOs and think tanks; mass social-media mobilisation with short videos, hashtags and influencer amplification; and crowd concentration at symbolically visible yet operationally vulnerable nodes (Dutta & Dawar, 2024; Ahmed, 2025).
The trigger phase is a low-footprint, high-impact sabotage or cyber action timed for maximum effect. Typical targets include power substations, long-haul fibre meet-points, railway or metro signalling, water and fuel terminals, and OT/SCADA assets (Hartek Group, 2025; Recorded Future, 2021). Disruptions may be physical, for example wedges on tracks, signalling hut fire, fibre cuts, or digital, such as dormant malware activation, OT tampering or coordinated denial-of-service against telecom networks. The operational goal remains constant: create the appearance of spontaneous service failure or incompetence, enabling protest optics to escalate into political extraction.
Crisis conversion is fast and highly leveraged. Service disruption triggers confusion, rumour and anger; partisan channels amplify the moment and depict it as systemic state collapse; public attention shifts from the original grievance to claims of structural failure. This environment makes resignation pressure, coerced negotiations and emergency politics more likely, provided adversarial actors maintain control of narrative dominance (Perera & BBC Sinhala Service, 2024; WEF, 2024). Leadership must treat such incidents as multi-domain crises: synchronised civil communication, law enforcement containment of criminal activity, emergency restoration teams and intelligence-driven attribution. Only unified, lawful and transparent responses prevent adversaries from converting manufactured infrastructure crises into political gains.
4.2 Key Indicators and Early Warning Signals
Operational indicators reveal when mobilisation begins transitioning to hybrid action. The earliest signals are narrative: identical slogans, frames and talking points suddenly appearing across student unions, campus collectives, NGOs, op-eds and influencer ecosystems. Digital-layer telemetry follows: abrupt spikes in bot-amplified hashtags, cloned short-form videos, sudden increases in encrypted channel chatter and geotagging that concentrates crowds around critical nodes (Monaghan & McDonald, 2024; WEF, 2024). Physical reconnaissance indicators emerge next: drones loitering around substations, repeated photographing of signalling or control equipment and unusual vendor maintenance enquiries at long-haul fibre or port logistics. At the technical layer, OT/SCADA telemetry begins to behave abnormally, such as unexplained tripping, privilege misuse or scan traffic from foreign IP ranges (Recorded Future, 2021; Hartek, 2025). The most decisive indicator is temporal convergence: infrastructure anomalies within minutes of peak crowd density or at the moment of narrative escalation.
4.3 Immediate Mitigation — First 72 Hours
Mitigation during the early window must be structured, sequential and prioritised. The most cascade-prone systems need immediate hardening: critical power substations, fibre meet-points, signalling servers, major data centres and primary pumping stations. Control actions include revoking unused vendor credentials, enforcing multifactor authentication, isolating suspicious OT network segments and blocking foreign IP scans (MeitY, 2025; ISO, 2019). Aerial reconnaissance should be countered through RF detection and interception around sensitive nodes. Communication must shift to real-time public engagement: credible channels, live service dashboards and rapid myth-correction within minutes, not hours (WEF, 2024). Peaceful assembly must be separated from criminal activity, and fast repair teams should be pre-positioned to prevent local sabotage from escalating into system failure. Evidence discipline remains critical: securing scenes, aligning OT logs, preserving telemetry and ensuring chain of custody to support forensic attribution later.
4.4 Anticipated Threat Vectors and Near-Term Outlook
India can expect recurring grievance-to-crowd surges triggered by predictable stress points such as examination outcomes, unemployment spikes, price shocks and identity-linked flashpoints. The highest payoff for adversaries does not lie in large-scale attacks but in low-effort disruptions that cause visible system failures: short blackouts, signalling faults, fibre interruptions or payment slowdowns during peak public attention. The intent is to militarise interdependency so that one small failure cascades into wider disruptions across telecom, finance and transport (Argonne, 2013; OECD, 2024/25). Hybrid actors optimise for a simple formula: minimum action, maximum systemic effect.
4.5 Forensic Checklist: Distinguishing Organic Events from Engineered Disruption
Determining whether a disturbance is natural or engineered requires forensic discipline. Investigators must correlate the timing of crowd density peaks with the moment of infrastructure failure, inspect OT systems for anomalies, examine authentication logs for suspicious credential use or scanning attempts, and collect physical indicators such as wedge marks on tracks or interference with signalling units (Recorded Future, 2021; Vijay Kumar, 2025). Coordinated disinformation exhibits identifiable patterns: identical influencer narratives, bot amplification, sudden alignment between accounts with no prior connection and links through psychology, geography, finance or device behaviour. Attribution must be defensible in a judicial setting. Premature public accusations risk damaging credibility and granting narrative advantage to adversaries (Monaghan & McDonald, 2024).
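The timing correlation named in 4.2 and in the checklist above, as an added example that is not part of the paper: OT alarm timestamps are aligned to UTC, then the alarm rate inside crowd-density peaks is compared with the off-peak baseline. The asset name SS-14, the 90-second clock skew, the density threshold and every log line are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))

# Constructed crowd-density samples near one node (UTC, people per 100 m^2).
CROWD = [("2025-01-10T04:00", 5), ("2025-01-10T05:00", 9), ("2025-01-10T06:00", 31),
         ("2025-01-10T06:30", 44), ("2025-01-10T07:00", 38), ("2025-01-10T08:00", 11),
         ("2025-01-10T09:00", 6), ("2025-01-10T10:00", 4)]

# Constructed OT alarm log for a hypothetical substation "SS-14": naive local time
# (IST); the historian clock is assumed to have been measured 90 s fast.
OT_ALARMS = [("2025-01-10 09:47:10", "SS-14", "breaker trip, no fault current"),
             ("2025-01-10 12:01:30", "SS-14", "engineering login outside change window"),
             ("2025-01-10 12:04:30", "SS-14", "breaker trip, no fault current"),
             ("2025-01-10 15:12:00", "SS-14", "RTU comms timeout")]


def alarm_utc(local_ts, tz=IST, clock_fast_by=timedelta(seconds=90)):
    """Align a naive historian timestamp to UTC and remove the measured clock skew."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return (naive.replace(tzinfo=tz) - clock_fast_by).astimezone(UTC)


def peak_windows(samples, threshold, pad=timedelta(minutes=15)):
    """Merge consecutive samples at or above threshold into padded UTC windows."""
    windows, start, last = [], None, None
    for ts, density in samples:
        t = datetime.fromisoformat(ts).replace(tzinfo=UTC)
        if density >= threshold:
            start, last = start or t, t
        elif start:
            windows.append((start - pad, last + pad))
            start = None
    if start:
        windows.append((start - pad, last + pad))
    return windows


def convergence(alarms, samples, threshold):
    """Compare the alarm rate inside crowd-peak windows with the off-peak baseline."""
    windows = peak_windows(samples, threshold)
    first, last = (datetime.fromisoformat(s[0]).replace(tzinfo=UTC)
                   for s in (samples[0], samples[-1]))
    peak_h = sum((e - s).total_seconds() for s, e in windows) / 3600
    base_h = (last - first).total_seconds() / 3600 - peak_h
    inside, outside = [], []
    for ts, asset, text in alarms:
        t = alarm_utc(ts)
        hit = any(s <= t <= e for s, e in windows)
        (inside if hit else outside).append((t.isoformat(), asset, text))
    rate_in = len(inside) / peak_h if peak_h else 0.0
    rate_out = len(outside) / base_h if base_h else 0.0
    # A ratio well above 1 prioritises forensic follow-up; it is not attribution.
    return {"inside": inside, "outside": outside,
            "rate_ratio": round(rate_in / rate_out, 2) if rate_out else None}


if __name__ == "__main__":
    report = convergence(OT_ALARMS, CROWD, threshold=30)
    for row in report["inside"]:
        print("within peak window:", *row)
    print("peak/off-peak alarm-rate ratio:", report["rate_ratio"])
```

If the historian timestamps were read as UTC without the offset and skew correction, none of the four alarms would fall inside the peak window, which is why log alignment comes before correlation.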
5. Institutionalising Resilience — BNRI and the Critical Infrastructure Protection Act (CIPA)
The long-term solution lies in the institutionalisation of resilience. Across power, telecom, logistics, finance, water and data infrastructure, the Bharat National Resilience Index (BNRI) must function as India’s national measurement tool for preparedness, mitigation, response and adaptive recovery. BNRI should quantify redundancy, mean time to recovery, digital-twin stress testing and compliance transparency. Resilience audits must include red-team cascading failure exercises, adversarial OT/SCADA emulation and supply chain credential verification (Argonne, 2013; CISA, 2025; OECD, 2024/25). BNRI outputs should generate a national heatmap of the top 100 nodes whose failure would cause the highest systemic consequences, supported by continuity playbooks at the city level with explicit accountability.
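An added illustration, not part of the paper and not a BNRI specification, of how redundancy and mean time to recovery can be combined into a single-failure stress test that ranks nodes by systemic consequence. The seven-node model, its weights and MTTR values, and the scoring rule (criticality weight times hours down, summed over every node the failure takes out) are assumptions made for the example.

```python
import copy

# Constructed toy model of one city; node names, weights and MTTR values are
# illustrative assumptions, not real assets.
# name: (criticality weight, MTTR in hours, {needed service: [alternative providers]})
NODES = {
    "substation_A":    (5, 6.0, {}),
    "substation_B":    (5, 6.0, {}),
    "fibre_meetpoint": (4, 4.0, {"power": ["substation_A", "substation_B"]}),
    "signalling_srv":  (4, 3.0, {"power": ["substation_A"], "comms": ["fibre_meetpoint"]}),
    "data_centre":     (5, 8.0, {"power": ["substation_A", "substation_B"],
                                 "comms": ["fibre_meetpoint"]}),
    "pumping_station": (3, 2.0, {"power": ["substation_B"]}),
    "payments_gw":     (4, 1.0, {"compute": ["data_centre"], "comms": ["fibre_meetpoint"]}),
}

def cascade(nodes, first_failure):
    """Return every node that is down once the failure has propagated to a fixpoint."""
    failed, changed = {first_failure}, True
    while changed:
        changed = False
        for name, (_, _, needs) in nodes.items():
            # A node is starved when, for some needed service, every provider is down.
            starved = any(all(p in failed for p in alts) for alts in needs.values())
            if starved and name not in failed:
                failed.add(name)
                changed = True
    return failed

def restore_hours(nodes, name, failed):
    """Hours until `name` is back: own MTTR, counted once each service has a provider."""
    if name not in failed:
        return 0.0
    _, mttr, needs = nodes[name]
    wait = max((min(restore_hours(nodes, p, failed) for p in alts)
                for alts in needs.values()), default=0.0)
    return mttr + wait

def heatmap(nodes):
    """Rank single-node failures by weighted outage hours, highest consequence first."""
    rows = []
    for name in nodes:
        failed = cascade(nodes, name)
        score = sum(nodes[n][0] * restore_hours(nodes, n, failed) for n in failed)
        rows.append((name, score, sorted(failed - {name})))
    return sorted(rows, key=lambda r: -r[1])

def with_second_fibre(nodes):
    """What-if: add a redundant fibre route fed from the other substation."""
    twin = copy.deepcopy(nodes)
    twin["fibre_meetpoint_2"] = (4, 4.0, {"power": ["substation_B"]})
    for consumer in ("signalling_srv", "data_centre", "payments_gw"):
        twin[consumer][2]["comms"].append("fibre_meetpoint_2")
    return twin

if __name__ == "__main__":
    for label, model in (("baseline", NODES), ("second fibre", with_second_fibre(NODES))):
        print(label)
        for name, score, knocked_out in heatmap(model):
            print(f"  {name:18} {score:6.1f}  {knocked_out}")
```

In the baseline the single fibre meet-point outranks both substations because nothing backs it up; adding the second route drops its score from 156 to 16 but raises the consequence of losing substation_B, which now also feeds the new route.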
To make BNRI actionable, the proposed Critical Infrastructure Protection Act (CIPA) must give it statutory enforceability. CIPA would function as a cluster-based consolidation of fragmented authorities across critical infrastructure, logistics, supply chains and essential institutional sectors. During hybrid disruptions, CIPA should allow rapid operational powers such as asset access, emergency repairs and information requisition, governed by judicially reviewable triggers to prevent misuse. CIPA must require interdependency studies for all capital expenditure decisions in critical sectors and establish a national command structure during crises to operate continuity cells.
Vendor and cyber hygiene must become non-negotiable statutory requirements under CIPA. These include mandatory multifactor authentication, software bill of materials for OT systems, breach notification timelines and explicit liability for negligent credential management (MeitY, 2025; ISO, 2019). Legal frameworks are also required for the information layer: digital platforms should coordinate during hybrid events to restrict mass manipulation, university-level grievance ombuds structures may be formed and transparency reporting for incidents adjacent to protests must be mandated (WEF, 2024; UNDP, 2023). Together, CIPA and BNRI make resilience measurable, enforceable and permanent.
Strategic Objective
The only way to prevent high-visibility protest movements from being manipulated into artificial infrastructure crises is by deploying measurable resilience supported by legislative authority (CIPA) and national resilience accounting (BNRI). The strategic intent is clear: preserve continuity of the State, deny adversaries the ability to weaponise interdependency and prevent rapid political collapse (NATO, 2024; Monaghan & McDonald, 2024).
References
Ahmed, M. (2025, June). Bangladesh in crisis: Social
media, algorithmic radicalization, and mob trials around the 5 August 2024
unrest (Preprint). Preprints.
https://doi.org/10.20944/preprints202506.0194.v1
Argonne National Laboratory. (2013). Resilience
Measurement Index (RMI): Framework and Methodology. https://publications.anl.gov/anlpubs/2013/07/76797.pdf
Cassels, N. (2024, April 25). What is the new NFPA 1660?
National Fire Protection Association (NFPA). https://www.nfpa.org/news-blogs-and-articles/blogs/2024/04/25/what-is-the-new-nfpa-1660
Cybersecurity and Infrastructure Security Agency (CISA).
(2025, January 24). Infrastructure Resilience Planning Framework (IRPF).
U.S. Department of Homeland Security. https://www.cisa.gov/resources-tools/resources/infrastructure-resilience-planning-framework-irpf
Dudraj, D., & Pokharel, G. (2025, October 19; updated
2025, October 20). In-depth investigation: How the two days of Nepal’s
September protests were planned on Discord. The Kathmandu Post. https://kathmandupost.com/national/2025/10/19/in-depth-investigation-how-the-two-days-of-nepal-s-september-protests-were-planned-on-discord
Dutta, S., & Dawar, T. (2024, July 31). Explainer:
What’s behind Bangladesh’s deadly protests? Asia Pacific Foundation of
Canada. https://www.asiapacific.ca/publication/explainer-whats-behind-bangladeshs-deadly-protests
European Union Agency for Network and Information Security.
(2012, July 10). ENISA smart grid security recommendations. ENISA. https://www.enisa.europa.eu/publications/ENISA-smart-grid-security-recommendations
Hartek Group. (2025, July 31). The role of SCADA systems
in ensuring grid reliability and efficiency. https://hartek.com/post/the-role-of-scada-systems-in-ensuring-grid-reliability-and-efficiency/
International Organization for Standardization (ISO).
(2019). ISO 22301:2019 — Security and resilience: Business continuity
management systems — Requirements (2nd ed.). https://www.iso.org/standard/75106.html
Ministry of Electronics & Information Technology. (2025,
July 26). Government strengthens cybersecurity across critical sectors; Over
9,700 CERT-In audits conducted in 2024–25 [Press release]. Press
Information Bureau, Government of India. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148943
Monaghan, S., & McDonald, T. (2024, October 14). Campaigning
in the grey zone: Towards a systems approach to countering hybrid threats
(HCSS Hybrid Threat paper series, 2023). RAND Corporation. https://www.rand.org/pubs/external_publications/EP70676.html
National Critical Information Infrastructure Protection
Centre (NCIIPC). (n.d.). Official website. Government of India. https://nciipc.gov.in/
North Atlantic Treaty Organization (NATO). (2024, May 7). Countering
hybrid threats. NATO. https://www.nato.int/cps/en/natohq/topics_156338.htm
Organisation for Economic Co-operation and Development
(OECD). (2024). Compendium of good practices on quality infrastructure 2024:
Building resilience to natural disasters (Revised February 2025). OECD
Publishing. https://doi.org/10.1787/54d26e88-en
Perera, A., & BBC Sinhala Service. (2024, September 17).
Chased out by protesters, a political dynasty plots its comeback. BBC
News. https://www.bbc.com/news/articles/cr5n51ym19jo
Recorded Future. (2021, February). Continued targeting of
Indian power grid assets by Chinese state-sponsored activity group. https://www.recordedfuture.com/research/continued-targeting-of-indian-power-grid-assets
Robinson, A. (2025, September 1). India's critical
infrastructure under siege: New CERT-In rules. 6clicks. https://www.6clicks.com/resources/blog/india-critical-infrastructure-cybersecurity-cert-in-audit-rules
Thakur, R. K. (2024, October 14). Railways grapples with
‘sabotage’ attempts. The New Indian Express. https://www.newindianexpress.com/nation/2024/Oct/14/railways-grapples-with-sabotage-attempts
Times of India. (2025, September 11). Cement block bits
found on train track. https://timesofindia.indiatimes.com/city/aurangabad/cement-block-bits-found-on-train-track/articleshow/123816396.cms
United Nations Development Programme (UNDP). (2023, October
5). Global infrastructure resilience: Capturing the resilience dividend.
UNDP India. https://www.undp.org/india/publications/global-infrastructure-resilience-capturing-resilience-dividend
Vijay Kumar, S. (2025, July 31). Investigation confirms
sabotage in Bagmathi Express accident: Fittings of crucial point were forcibly
removed, leading to the collision, says CRS report. The Hindu. https://www.thehindu.com/news/national/tamil-nadu/investigation-confirms-sabotage-in-bagmathi-express-accident/article69874547.ece
World Economic Forum. (2024, January 11). Global
Cybersecurity Outlook 2024. https://www.weforum.org/publications/global-cybersecurity-outlook-2024/