Why Strong Public Private Partnerships Are Critical to Cybersecurity

Tim Callahan

CISO at Aflac

Learning Objectives

Join Tim Callahan, SVP and Global CISO of Aflac, in this executive interview, where he discusses the short-term and long-term wins of implementing a public-private partnership.


"One of the things that we strongly advocated was the appointment of a National Cyber Director, and it became law."

Tim Callahan

CISO at Aflac

Transcript

Britt Erler

Hello, everyone. Welcome to the CISO VISION Cybersecurity Virtual Summit hosted on Quartz Network. My name is Britt Erler, QN Executive Correspondent. Thank you so much for joining us. I am pleased to welcome our Executive Speaker Tim Callahan, SVP and Global CISO of Aflac, as he discusses why strong public private partnerships are critical for cybersecurity. Welcome, Tim.


Tim Callahan

Thank you. It’s so good to be here.


Britt Erler

It’s a pleasure to have you here as well and really excited to do this interview today. Before we get started, if you wouldn’t mind providing us some more information about your background and your current role with Aflac.


Tim Callahan

Sure, I’ll give you a quick overview. I served in the military, major career in the military. When I left the Air Force, I went to work for a bank—SunTrust Bank, which used to be a very prominent bank in the southeast. They recently merged with BB&T, became Truist. I was there for a while, then went to be the CISO of a bank in Connecticut—People’s United Bank. I was there for about 4 years, and then came back to SunTrust briefly for about 4 years, and then was recruited to come to Aflac about 2014. I’ve been at Aflac now a little over 7 years, serving as the CISO, so that’s where I am.


Britt Erler

Fantastic, and that’s great. I think with the background that you have today, it’s so perfect because our audience is really looking to understand this public private partnership aspect a little bit more. For those that are unfamiliar, let’s start with the most basic question: What is it? Why is it so critical?


Tim Callahan

Public-private partnership acknowledges a couple of things. That acknowledges one, that the private sector can’t do this alone. It’s just too expansive, too big. It’s hard to imagine private sector companies being able to fend off nation state attacks in the cyber world. I often look at it from a standpoint of almost a kinetic threat. I know it’s not exactly the same. The other day, I was talking to my boss about this very thing, and I said, “We shouldn’t be expected to put anti-missile systems on the top of our buildings, in Aflac tower, can you imagine that?” In fact, probably, some parts of the government would be very disturbed if we did that. Here we are, fighting off these nation state attacks. There’s a balance and all of this, and I get that. I don’t think any of us want the government to be running our networks or for that matter, you can probably remember when it came out about the NSA monitoring phone calls. Simplifying a very complex thing, but that’s the way it was in the press. A lot of people were upset about that, so certainly, we’re free people. We want to be a free people, and we want our privacy, but there’s some things that the government can do better than the private sector. The government private cooperation is really taking advantage of information that the government has that maybe as a private company, we may not have access to, so that’s one thing. Cooperating on particular campaigns against adversaries, and fairly recent, came out where Microsoft and segments of the federal government cooperated to take down botnets—bot networks. Those are the kinds of things, I think, come about when we’re talking private public partnerships. Again, letting the government do what it can do and does best, protecting kind of the e-commerce environment to the extent it can, but then lending a hand to the private sector, through information and techniques and those kinds of things.


Britt Erler

Of course, and I know you just mentioned Microsoft there as an example, but what are some other examples of public private partnerships and what were some of the outcomes that afford it?


Tim Callahan

I don’t think there’s as many successful examples in the cyber world, and that’s something we’re working on. We have been alerted in the past of maybe some particular campaigns. I think, obviously, we need to do better than that as a nation. If you look at the history of the government public private partnership, it really goes down to the very early founding of our nation, where you can read back in history and see the founding of the US Navy had to do with protecting the shipping lanes, so that we could engage in commerce. More recently, in the pandemic, the government enabled private labs through incentives and taking care of some of the yellow tape, so to speak, and accelerating some of the approvals of the vaccines so that we could get ahead of this pandemic issue. There are examples where government and private operate together in a cooperative fashion, so that we can overcome things that the private sector couldn’t itself. Another example is our reporting: we participate in the Department of Homeland Security Automated Indicator Sharing program. I do think that that’s an area where the private sector can feed what we’re seeing up to a central clearing house, Department of Homeland Security, so that maybe they haven’t seen it yet, and maybe they can react to it.


Britt Erler

Absolutely. I think with this new digital age that we’re seeing, especially everything last year due to COVID, everything’s becoming virtual. How has that escalated these types of partnerships?


Tim Callahan

I think it heightens the risk, is the simplest way to say it—that really heightens the risk. Like many companies, during the early days of the pandemic, we had to send our workforce home. Fortunately, we were well prepared. We had thought through kind of a work from anywhere model, so we could do that, but quite a [unintelligible] for many companies and across US and the world, for that matter, it put people onto networks that the infrastructure of the company did not control. It introduced quite a bit of risk in some cases. Again, I think we were well prepared, but in some cases it did. It kind of highlights that there’s an area out there the company can’t control. The backbone, the internet, the different providers of internet services, those are the kinds of things that the company has relied on, but can’t control. I do think it’s an opportunity for both the private and government to come through, and through a series of standards or expectations have these providers, maybe have a little bit better security. When you think about it, the really large people, the large providers probably are fine in security, probably close. If you kind of look across the nation, there’s a whole lot of smaller size that probably struggle with that and could benefit from some type of cooperative fashion. Up here, the standards here’s how to secure and then, in some cases, government incentives to secure. I think those kinds of things can help. I think another area with the SolarWinds issue we saw a while back, is having an Underwriters Laboratories type certification program, some quasi-governmental entity that can give us better assurance that software that we’re using is safe. This goes across companies as well as the private sector. I’m sure many of the people listening, and I know I have, you wind up downloading software off the internet, you hit a kind of a shrink wrap agreement “I accept”, but most of us have no clue what we’re accepting, right. There’s no lot of liability there for the provider. I do think that’s something that we have to work on. Again, you have to have a balance. You have to be very careful because we don’t want to stifle incentives and innovation. When someone trusts, I often equate this to the Food and Drug Administration, I want to know that the whole process of providing food for my family is a safe process. I can’t peek behind the curtain to the sausage makers. I don’t care how it’s made, I just need to know it’s safe. I think that’s becoming the world as a software in the digital age—we need to know it’s safe and there has to be a way to assure that. In some cases, it probably matters less than in others, but if your life is depending on the safety of the hardware, firmware, software that drives life support systems, that’s pretty important or aviation systems, that’s pretty important. As we saw the disruption of the Colonial Pipeline, what effect that had, at least in the Midwest southeast US, the effect it had almost immediately. Those are the kinds of things that we need to have better cooperation.


Britt Erler

Definitely, at least just more transparency. You say, we signed these agreements, and I could be signing my life away and I genuinely have no idea. You’re so right, there doesn’t need to be some more communication, I think in that factor. I think it would also make the partnerships a lot more open, and a lot more companies willing to do so as well. You mentioned this a little bit of at the beginning, too, but there are so many threat actors out there right now. What are the most concerning and what are kind of their main function? What are they targeting? What’s motivating them?


Tim Callahan

I generally classify threat actors in three categories. Some would do it for that you may even [unintelligible], but basically, it’s criminal, the kind of social hacktivist kind, and then nation state. The lines begin to blur a little bit like on cyber terrorism, you could argue, well, they’re trying to pull a social or it’s more political. Some cases, they’re supported by nation states, some cases they’re kind of on their own. If you kind of look at those, the motivators, they’re certainly the criminals motivated by money. That’s important to know because sometimes, you have to make it very expensive for them to get to you, very hard. When they stop making money and wasting money, then their backers are going to want them to back off and go to softer targets. The hacktivist or, in some ways, they’re motivated by some social means. Generally, they’ll continue until they can meet those means or their message. They’ll go at it with different fervor, depending on what their cause is. The nation, I’ve never seen it so divided in so many realms. Again, I’m nondenominational when it comes to a lot of this politics or whatever, but as both sides, there’s extremes on both sides that we have to really watch for in kind of the social hacktivist kind of why. Certainly, nation states, they’re motivated by sometimes influenced politically. Their primary motivation is their own self interest, which you expect that from a nation state, but different nation states will take different measures. They don’t necessarily always have the same morals as the US, and so they’ll be very aggressive. If you’re a target, they’re going to pursue until they get you. I think that’s the one round where the federal government really needs to help us in the private industry.


Britt Erler

Absolutely. I think that leads really well into my next question. We’ve discussed the benefits, why these partnerships need to become more of a reality. What are some of the short and long term wins that you’re personally looking to achieve with these partnerships?


Tim Callahan

I think the short term is good information sharing, and we’re seeing more of that, I think. We’re pleased, and when I say we, I represent an organization, the Founder, Chairman of the Board of an organization called the National Technology Security Coalition. What we do is we try very hard to educate members of Congress and Public Figures, especially at the federal level, about what is going to be good for the nation, while we can all cooperate. It’s a non-profit, non-partisan organization. We don’t pick political sides. Our objective is what’s good for the nation, what’s good to protect us from the cyber criminals and the nation states. One of the things that we strongly advocated was the appointment of a National Cyber Director, and it became law. The hearings were this past week for Chris Inglis to fill that role, and then for a CISA Director, Jen Easterly—those hearings were this past week as well, last Thursday. My understanding, I wasn’t able to watch them. Those are two figures that are very important and they’re very well known and very respected people in the community. Jen has had private experience as well as military as well as federal government. We really look to these folks to help unify our efforts across the board. We’ve got a deep policy, politics sighs if that’s the right word, this notion of, you know, cyber, cyber security, it’s not a political issue at all. It’s an issue that’s at the very fundamental, us having a vibrant, trusted e-commerce environment.


Britt Erler

I completely agree. I think while as we’ve done this interview, so many people are sitting here—they’re either at the beginning stages of wanting to develop this sort of partnership or they’re in the middle of it and thinking, “Okay, how do I move this partnership forward to make sure that it’s benefiting both myself and the partner at the same time?” Final pieces of advice for Executives out there that are looking to put together a public private partnership?


Tim Callahan

I think there’s blame on both sides, if we wanted to go in that direction, and I really want to concentrate on the positive. From a private sector, we need to trust these officials and trust the government that we want to do the right thing, so that’s one thing. There have been mistakes in the past, there’s been kind of a feeling in the past that the private entities would feed information into the central clearing houses and never get anything back. That’s something that has to be worked on. We have to build that trust between our government and our private sector Security Executives. I would encourage my counterparts, we do this, like I said, through the NTSC, through other forums, to work together and try to bolster, if you will, this partnership. One of the things and this was a piece of legislation that NTSC really supported. It was introduced in the House by Representative Katko and then in the Senate by a bipartisan partnership between then Senator Perdue and Sinema in Arizona. It created an advisory board—a factory Board of Security Executives from the private sector to the Department of Homeland Security and the details of the legislation. At the high level, it would be 35 CISOs or Security Executives from the private sector that would form an Advisory Council to help the DHS CISA understand what they can do—what we can do together to build this partnership. I’m looking very forward, obviously. Director [unintelligible], again, I’m assuming she’s going to. We’ll begin to work to form that Advisory Council on it. I really think that that’s going to help in this public private partnership.


Britt Erler

Hopefully, we do see that is kind of the New Age coming into the end of this year and also into 2022. Tim, thank you so much for being here today and providing your insights on this. I really think this is going to be a key theme, so to speak, as we move forward into the new year, so appreciate you taking the time and appreciate everyone who has joined us today as well. I’m sure you will all have further questions for Tim—not to worry—we will have a discussion forum underneath this presentation. Thank you again for joining us and enjoy the rest of the CISO VISION Cybersecurity Virtual Summit. Thank you.


Tim Callahan

Thank you.

