Wednesday, August 12, 2020

Strategic Cybersecurity Thinking

The ability to come up with effective plans in line with an organization's objectives within a particular cybersecurity situation. Strategic thinking helps cybersecurity managers review policy issues, perform long term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, there needs to be a clear strategy as to what needs to be done with respect to security. Such a strategy should determine the policies and procedures. In practice, however, a security strategy is rarely created. Most emphasis is placed on policies, the implementation of which is generally relegated to the lowest levels; it is simply assumed that most people will follow the policy that is created.

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is a rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over. 

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.

Saturday, August 1, 2020

Legal Framework for e-pharmacy in India

E-pharmacy or Online Medical Shop : Legal Framework in India

In India, 50-plus e-pharmacies including Medlife, 1MG, NetMeds, PharmEasy and others continue to sell and purchase drugs, medicines, etc. online even today, because they have physical medical stores that are licensed to sell drugs.

In India, the legal and regulatory provisions for the manufacture and sale of medicines are covered under the Drugs and Cosmetics Act, 1940 (D&C Act); Drugs and Cosmetics Rules, 1945 (D&C Rules); Pharmacy Act, 1948; The Information Technology Act, 2000 (IT Act, 2000); Indian Medical Act, 1956 and Code of Ethics Regulations, 2002; Narcotic Drugs and Psychotropic Substances Act, 1985; Drugs and Magic Remedies (Objectionable Advertisement) Act, 1954; and Consumer Protection (E-Commerce) Rules, 2020.

However, these do not clearly define the regulations for the online sale and monitoring of pharmaceutical medicines. Accordingly, various stakeholders approached the government, which then constituted an expert committee under the chairmanship of Maharashtra’s ex-Food and Drug Commissioner Dr. Harshdeep Kamble in 2015 to assess the possibility of an online pharmacy sector in India. After continued discussions and various deliberations, the Ministry of Health and Family Welfare, vide its notification G.S.R. 817 (E) dated August 28, 2018, came out with a draft to amend the Drugs and Cosmetics Rules, 1945 (“Rules”).

The Draft Rules add certain provisions in Part VIB for the sale of drugs by e-pharmacy. Under the draft rules, the term ‘e-pharmacy’ has been introduced and defined as the business of distribution or sale, stock, exhibit or offer for sale of drugs through a web portal or any other electronic mode. Further, the terms ‘e-pharmacy portal’ and ‘sale by way of e-pharmacy’ have been suitably defined.

In addition, provisions for application for registration and its validity, and conditions for registration imposed on the e-pharmacy such as location, disclosure of information, procedure for distribution and sale, etc., were provided. Certain restrictions are imposed on the e-pharmacy, which include the prohibition of advertising any drugs on radio, television, internet, print or any other media for any purpose, and a restriction on dealing in narcotic and psychotropic drugs as defined under the Narcotic Drugs and Psychotropic Substances Act, 1985, tranquilizers and the drugs specified in Schedule X of the Rules.

Additionally, provisions for monitoring of e-pharmacies and a complaint redressal mechanism have been introduced, which provide the right to file a complaint with the state drugs controller (the “Drugs Controller”) for any suspicion of supply of non-standard quality, adulterated or misbranded drugs through the e-pharmacy, besides the remedies under the Consumer Protection Act, 1986. However, the Draft Rules are still pending approval.

Delhi and Madras High Court orders

Pursuant to the issuance of the Draft Rules, various petitions were filed in the Delhi and Madras High Courts seeking a ban on all e-pharmacy operations on public safety grounds.

Later, on a petition filed by the Tamil Nadu Chemists and Druggists Association, the Madras High Court pronounced a decision temporarily banning the online sale of drugs and also directed the government to notify the regulations by January 31, 2019, a deadline which was later extended to July 31, 2019.

Further, in an official letter dated November 28, 2019, the Drugs Controller General of India (DCGI) issued a notification to all Drugs Controllers to enforce an order given by the Delhi High Court in December 2018 in the case of Zaheer Ahmed v. Union of India, which prohibited the online sale of medicines without a valid licence. The order was given in response to a public interest litigation (PIL) filed by Delhi-based dermatologist Dr. Zaheer Ahmed, who submitted that in the absence of monitoring, the online sale of medicines would be a risk to patients and doctors.

The said letter is the latest development in e-pharmacy policy and regulation in India, and it appears to reconfirm the existing position that online sales should not be carried out by pharmacies that do not hold a valid licence for the same.

The Drugs Controller General of India (DCGI) had formed a panel to look into the issue of online drug sales and had even suggested the licensing of e-pharmacies three years ago. As per the draft guidelines, which have yet to become law, e-pharmacies will need to register with the DCGI for a fee of Rs 50,000, which will be valid for three years.

In these rules, there are several stringent clauses that prevent e-pharmacies from selling narcotic drugs, tranquillisers, and Schedule X drugs. They also cannot advertise any drugs on their portals. Periodic inspections and stringent penalties for violators are prescribed. Basically, the e-pharmacy draft rules will provide sector-specific e-commerce regulations so as to harmonise existing laws and guidelines, similar to the FSSAI guidelines for e-commerce food operators. All are waiting for these rules to be notified.

Under the new Consumer Protection (E-Commerce) Rules, 2020, e-tailers have to compulsorily display details about return, refund, exchange, warranty and guarantee, delivery and shipment, modes of payment, and grievance redressal mechanism as well as the ‘country of origin’. Any e-commerce marketplace provider, whether local- or foreign-owned, cannot generate more than 25 percent of its total sales from a single vendor. 

Companies are also not allowed to “manipulate the price” of goods and services offered on their platforms to make “unreasonable profit”, discriminate between consumers or make any arbitrary classification of consumers affecting their rights under the Act.
