In this interview with The Policy Edge, Ms. Nanda reflects on building India’s early cybercrime capabilities, the evolving design of policing institutions, the role of technology in governance, and emerging risks at the intersection of AI, youth employment, and internal security.
When cybercrime first emerged, India had virtually no institutional capacity to respond. What does it take to build state capability from scratch in emerging domains where even the problem definition is evolving, and what role do leadership, experimentation, and external learning play?
Around 2000, there was really no clarity on what the problem even looked like. We were not expanding an existing system, we were trying to create one. We started with just one Pentium-3 computer and a very small team. But that is how most institutional journeys begin. You cannot wait for a perfect blueprint.
What made the difference was a willingness to start and learn simultaneously. Leadership played a role in recognising early that this would become important, but after that it was largely iterative. We learnt from international agencies, from the few cases that came in, and from our own mistakes. We converted that learning into systems such as training programmes and the first handbook for investigators on digital evidence.
The key lesson is that early efforts shape the trajectory. Even small beginnings matter if they create a framework that others can build on. Capacity is not built in one step, it is built through continuous adaptation.
In the early years of cybercrime, investigative agencies had to innovate while operating within legal frameworks that were not designed for digital evidence. How can institutions maintain evidentiary credibility and judicial trust when the underlying technology is not well understood?
The real challenge was not only technological, it was about making the system trust something it had never seen before. Courts were used to physical evidence and established procedures. Digital evidence did not fit neatly into that.
In cases like the Naval War Room leak, we had to reconstruct data from hard disks and present it in a way that a judge could understand its seriousness. If you show one line of code or one file, it does not convey the magnitude. So we had to take extensive printouts and walk the court through how sensitive information had moved out of the system.
In another case involving international fraud networks, we had to bring in a technical expert from Nokia to extract and validate conversations from devices like communicators. The court had to first accept the expert, then the process, and then the evidence.
Innovation was necessary, but it had to be accompanied by rigour. You cannot take shortcuts just because the law has not caught up. Over time, that consistency builds credibility. That is how new forms of evidence gain acceptance.
India has moved towards specialised cybercrime units, but the first point of contact for citizens remains the local police station. How should systems balance front-end sensitivity with back-end specialisation, and what happens when that first layer fails to recognise the problem?
This is really about how you design the system from the citizen’s point of view versus the investigator’s point of view. A citizen should be able to walk into any police station and report a complaint without worrying about categories like cyber or non-cyber.
At the same time, not every officer can have deep technical expertise. That is why specialised cyber units become necessary. The front desk has to be sensitive enough to recognise the nature of the complaint, and from there, the investigation can move through specialised teams.
Even today, during this transition, you still see confusion. A citizen may be told to go to a cyber cell, while the cyber unit may expect the complaint to originate from a police station. This is exactly where system design needs to improve. The citizen should not have to navigate institutional boundaries.
The principle is simple. Recognition should be universal, expertise can be specialised. The system has to connect the two seamlessly.
You have argued that policing combines distinct functions: citizen services, investigation, and emergency response. As policing increasingly shifts from reactive investigation to anticipatory, intelligence-led prevention, how should police station design evolve to reflect this transition?
Policing cannot be treated as a single function. At the police station level, you are dealing with citizen services, investigation, and response. Each requires different skills and a different orientation.
Increasingly, policing has to move towards prevention. That means recognising patterns early, picking up signals, and acting before an incident escalates.
I remember a case where a constable noticed some individuals conducting detailed mapping activity near a sensitive rare earth facility. On the face of it, it could have been routine work. But he found it unusual, alerted his seniors, and it turned out to have serious implications. That is prevention in action.
This kind of alertness cannot come only from specialised units. It has to be built into the entire system. The design challenge is to combine functional separation for efficiency with awareness across all levels for prevention.
Your work suggests that transparency, standardisation, and process design can significantly reduce corruption. But policing also operates within political and administrative constraints, where the police function as an instrument of the state. How should we think about the limits of system-driven anti-corruption reforms?
Corruption is often discussed in moral terms, but from an administrative perspective it is also about systems. Wherever there is opacity, discretion, and unnecessary interaction, the scope for corruption increases.
When I was working in the licensing branch, we tried to redesign the system itself. We put all information in the public domain, standardised processes, and most importantly, changed the physical interface. Instead of people going into officers’ chambers, we created an open service area where interactions were visible and structured. This significantly reduced discretion.
But there are limits. Policing operates within a larger political and administrative framework. There will always be pressures and situations where discretion is unavoidable.
The realistic approach is not elimination, but reduction of opportunity. You design systems in a way that makes corruption difficult, even if you cannot remove it completely.
You have highlighted emerging risks at the intersection of AI, cybercrime, and youth employment. How do you see the interaction between labour market disruptions, global cybercrime networks, and internal security challenges evolving over the next decade?
The biggest concern going forward is how technology intersects with our demographic profile. We have a large number of young people entering the workforce, and many of them have been part of a growth model linked to technology and services.
With AI and automation, that landscape is changing. If opportunities do not expand at the same pace, skilled youth may not find meaningful employment. t. That creates frustration, with implications for internal security.
We have already seen how global cybercrime networks operate. In some cases, Indian youth have been drawn into operations in places like Cambodia, where they end up being part of organised cyber fraud systems. This is not just a law enforcement issue, it is a systemic issue.
The response, therefore, cannot be limited to policing. It has to involve education, skilling, and economic planning. Managed well, this demographic is an asset. If not, it becomes a vulnerability.
You have consistently emphasised training and exposure as critical to policing reform. Yet such investments often remain under-prioritised or have limited scale. What explains this gap between recognising the importance of capability-building and actually institutionalising it?
Training is something everyone agrees is important, but it is often not prioritised in practice. The benefits are long-term, while operational pressures are immediate, so it tends to get pushed aside.
But whenever officers are exposed to new environments, you see the impact very clearly. We used to send officers for training programmes abroad, including to places like Singapore. When they returned, they came back with a different perspective on how systems can function, especially in terms of technology and service delivery.
The challenge is that such experiences remain limited to a small group. They do not always translate into systemic change. That is because training is not fully embedded into career progression or institutional incentives.
For reform to scale, training must move from occasional exposure to a core institutional function.