
tv   [untitled]    March 8, 2012 7:30pm-8:00pm EST

7:30 pm
this commercial. that is dnssec. that is the server attesting to the fact. if somebody is breaking into and owns the server, the signature is meaningless. i would say empirically, i see a lot more break-ins to dns servers than forged, you know, different protocol responses and so on. i think we need to keep in mind as we develop legislation that when we add complexity and when you add things we need to keep track of, do this, do that, overlay this, the complexity can be very stifling. dnssec was proposed decades ago. this was not dreamed up last week. we have been working on adding cryptography. we don't have them today because
7:31 pm
they are unbelievably complicated to run. they add some benefit. it is like bringing a senior citizen to the doctor with five ailments and the doctor says i'll give you medicine for one of them, but it has side effects. it does have benefit, but it has side effects. it doesn't fix everything. the third and last issue i want to raise is software. at the root of every cyber attack, every problem i have ever dealt with in my career is bad software. it needs to be addressed. the discipline of software engineering. the profession of writing software is one that is a complete mess right now. i'm a professor at stevens institute of technology. i have been teaching there for 22 years. i teach software engineering and computer security. maybe you can blame me. the bottom line is that youngsters and even
7:32 pm
professionals today cannot write a non-trivial piece of software that is bug free and those bugs are the way our adversaries get into our companies. we open up web sites because we have no choice. will we close a web site down? it is there. the software powering that has vulnerabilities we don't know about. i bought it. i installed it. everything is great. some adversary finds an open door that i don't know about and the manufacturer doesn't know about it and they dance right in. bad software is a fundamental problem here and it needs to be addressed through the educational system. thanks. >> thank you. we appreciate your comments. we'll be back to you with questions as well. now, i'm joined by mr. david mahon, chief security officer for centurylink. thank you for being here. we look forward to your comments.
7:33 pm
pull that microphone closer to you. >> thank you for the opportunity to testify before you. >> excuse me. is your microphone on? >> we're having trouble hearing you. is that light lit up there? you have to get really close. just saying. >> chairman walden and ranking member eshoo and members, thank you for the opportunity to testify on this important topic. centurylink, a provider, provides communications services to over 14 million homes and businesses in more than 37 states around the world. our services include voice, broadband, video and data as well as fiber call and cloud and managed security solutions. we have voice and internet
7:34 pm
customers to the largest fortune 500 customers. as vice president for centurylink, i'm responsible for all corporate functions, including information security. before joining centurylink, i worked for 30 years with the fbi and was responsible for investigative teams and programs related to targeted attacks on the internet, computer systems and networks exploited by terrorist organizations and foreign governments and white collar crime investigations and crisis management. the cyber threat is real and serious. our networks and those of our customers are the targets of thousands of events daily from simple port scans to sophisticated attacks. centurylink and our customers invest significant resources in efforts to keep those assets secure. centurylink uses an overarching risk and compliance network.
7:35 pm
as stewards of the network we have several categories. protecting the customers and providing secure services. we have worked with our industry peers, partners in government and other stakeholders to strengthen our cyber attacks. from the ceo participation on the national telecommunications advisory committee to my security team participation in organizations such as the dhs communication sector council and the fbi alliance council, we conduct risk assessments, information sharing and response planning and government sponsored cyber security exercises. in addition, centurylink's ceo
7:36 pm
chairs the fcc communications security reliability council which is working on voluntary best practices for botnet remediation and domain name security and internet route hijacking and other issues unique to the communications industry. more can and should be done, but carefully. public/private partnerships have yielded significant progress by building a framework of defense and cooperation and helping us understand the cyber threat. as many of you have pointed out, we are entering into a new era of cyber security threats where our adversaries are sophisticated. the need to step up our game is acute. we have hr 3523, the cyber protection act, and similar provisions in bills that could enhance cyber related
7:37 pm
public/private sharing. as communication providers, we see a number of areas where we can make improvements, such as improving information sharing and improving the federal government's posture and expanded research and development. shifting to a mandate-based approach would be counterproductive. we strongly caution against the traditional regulatory approach based on government mandates or performance requirements. because our network is the one central asset of the business, centurylink and peers have the strongest commercial incentives to invest in robust cyber security. there is neither a lack of will nor a lack of commitment to do this among the communication providers. at its best, cyber security is a dynamic and evolving challenge, best done in a collaborative
7:38 pm
partnership. at its worst, cyber security can evolve into a checklist and divert resources away from protections into compliance measures that may be outdated by the time they are implemented. we understand the ways to protect the assets. we commend the members of the commerce committee for improving the nation's cyber security and delivering the process. the committee is trying to find the right mix. centurylink is striving to be a partner in the effort. we will continue to do so. thank you. >> thank you, sir. we appreciate your testimony. now we will move to mr. john olsen, chief security officer for metropcs. welcome. >> thank you, chairman walden. it is an honor to appear before you today.
7:39 pm
i'm the senior vice president and chief information officer for metropcs. i have 30 years of i.t. experience and am responsible for the i.t. networks. metro is a wireless communications service with a flat rate with no contract. we sell through stores to retail consumers. we do not sell business to business or to the government. we use four network vendors. we also purchase handsets from well known vendors. these vendors are not our primary vendors, where a handset vulnerability could be implemented into the network. we have also adopted measures both physical and logical to protect the networks. we have four i.t. networks that are important to our business. as we will discuss in more detail, we have voluntarily
7:40 pm
undertaken cyber security measures. the security of the networks is important to metropcs. we have a security program built on industry best practices covering people, process and technology. we use a combination of hardware and software services. our security program directives are driven by a function and include centralized policy management, security awareness, training and internal and third-party monitoring, physical protection, threat identification and vulnerability management and intrusion prevention. we are particularly focused on security at the perimeter of our i.t. networks and use multilevels to prevent access to our networks from inside and outside of our company. we conduct regular network security audits and penetration
7:41 pm
tests and have standardized on all network equipment. our 24/7 monitoring efforts, which are augmented by our partners, can generate hundreds of thousands of cyber threat alerts a day. a handful of real threats we address immediately. while we cannot say we have never had a cyber intrusion, we are not aware of any significant intrusion or attack that has been successful in attacking our networks. we adopted a number of other measures to protect customer information, encrypting hard drives and installing malware software. we conduct background checks and segregate duties of all personnel. metropcs has implemented physical security with card key and biometric access.
7:42 pm
we recognize certifications and regularly participate in vendor-sponsored symposiums and conferences. we are involved in these groups because they are a valuable source of information and best practices. metropcs does not believe that regulation is required or warranted at this time, particularly for carriers that do not provide to government or public safety organizations. carriers are protecting the networks. this is true for month to month for pcs. if we do not provide the level of protection our customers demand, they can terminate service without penalty and activate with a competitor. private sector certifications such as pci also force providers to invest in the appropriate tools and practices to detect cyber threats. market forces are better to respond to cyber threats. if regulations are considered,
7:43 pm
metropcs is asking that these be tailored to the threat. regulatory compliance can be burdensome for carriers who compete by providing a service for consumers that is affordable. voluntary obligations can evolve into a mandate. we support voluntary industry efforts and standards and enhanced governmental consumer education and the fcc cyber security stakeholder efforts, along with government sharing along with a national clearinghouse. no carrier should be liable for using such information. thank you for the opportunity to testify and i look forward to questions you may have. >> thank you, mr. olsen. we will be back with you with questions as well. we will turn to our final witness on the panel this morning, mr. scott totzke, blackberry security group, rim, research in motion. >> thank you. members of the committee, thank
7:44 pm
you. i'm the senior vice president of blackberry security of research in motion. i'm here to talk to you about security. our products and services are used around the world. we have partners in 175 countries that offer blackberry products. more than 90% of the fortune 500 customers are blackberry customers. several of the same types of threats and techniques can impact smartphone users today. as the power and computing ability of smartphones have increased over the last few years, the threat matrix has evolved. most users have yet to realize
7:45 pm
the applicability of the emerging threats to what is a smaller and more mobile computing platform than what they have at the office. we must provide protection to provide access to the smartphone and protect the data and protect the corporate network using features built into the platform. while vendors can provide technology, it is important to note that as an industry, we help consumers better understand the risks of their online activities. rim has a history of integrating security features into the products. rim has built security features that allow for data to be protected from unauthorized access, to limit and control
7:46 pm
access on the smartphone from third-party applications and remotely erase information when the phone is lost or stolen. this can be managed by the rim network. rim also believes there needs to be more focus on security, test that establishes a baseline for vendors. without the baseline to gauge the product, it is difficult to make a decision. they provide assurances to governments or consumers who are otherwise unable to make claims against the vendor. blackberry products have more security credits than any other wireless solution. our consumers value this level. we feel the greater adherence to security standards would help
7:47 pm
the customers better understand the personal and professional investments in protecting information. this panel has raised a number of concerns over two points of security in the mobile industry that i would like to address. the first concern is information sharing. there is increased competition with vendors, there is a degree of commonality with the platforms. this translates into a risk of cross platform creating a level of shared risk that increases the need of vendors to work together to disclose and address concerns. this also means a program like rim's sharing program needs to share with the u.s. cert to provide timely information. the second issue is relating to the supply chain and the ability of networks. a product that has been created
7:48 pm
to impose risks to the customers' information and have a posture on the rim network. rim has been working for years to embed security features. only authentic products are able to obtain products. we believe this software and network security work together to mitigate the concerns about knockoff products or products that have been tampered with impacting customers. we would like to raise awareness in respect to supply chain. chairman walden, i would like to thank you for the opportunity to provide you with information on the topic. >> thank you. all of you, thank you for the testimony. we appreciate you being here. i will lead off with questions. dr. amoroso and mr. olsen.
7:49 pm
you say in your testimony you routinely track threats to your networks. how can we protect consumers' privacy and sensitive data from companies? >> i think the big debate has been between government and thb. if i go to a conference and a hacker is saying there is a signature i should look at, i scribble it down and look at it. if a government individual does that, i cannot put it in the network. we would be operating as a branch or agent of the government. that seems to me a little silly. that is something that probably ought to be addressed. >> that is the specific issue we are trying to drill down to here. >> yeah. >> can you give us something
7:50 pm
more specific. >> the united states intelligence agencies and law enforcement see different signatures we don't look for. we're not in law enforcement, we're providing service to customers. we don't chase that sort of thing down. we chase it to the point where we can stop it and that's it. but like intelligence groups will really dig down deep and see something we don't. for them to share that, particularly if it's classified or something, is awkward and it's stilted. i know in my own company, whenever i get involved in something like that, there's more lawyers involved in the discussion than people in the room here. we're disincented to even bother. frankly, we kind of do, the internet wouldn't work if we weren't sharing constantly. it's government. >> but are there any
7:51 pm
prohibitions? if you go to the conference and the hacker says look for this signature, is that something that, you know, mr. olsen, mr. mahon and others should be looking for as well on their networks? >> i'm sure they do. >> but then is there a way you can share that information with them or are there impediments to that kind of sharing? >> i mean, we all buy services from a lot of the same companies that do that. we pick companies that do a great job. i'd buy from three or four different companies that provide about the same intelligence everybody else is going to get here. it's pretty good, you know? you know, they're incented to make sure it's useful because i pay them every month for it. >> and as do the customers. so i guess the question is there's not a problem sharing information back and forth? >> sometimes there is. >> is that a problem we should -- >> i mean -- >> we're looking for barriers here. >> at&t had an exclusive on the iphone for some period of time.
7:52 pm
i put down the ph.d.s out of school and once other carriers got access to the iphone, do you really think i'd want to give them the fruits of the work we're doing? their incentive is to do it as well. you know, compete with us. and i'd like my customers to say, hey, i'm going to stay with at&t because they're invested in protection and we innovate that way. that's a case where it's not necessary for me to share. the market is going to force our competitors to want to catch up or for me to catch up to somebody else. that's the right balance, i believe, between all of us. but between government and industry, it should be, i think the information sharing should be more free. >> thank you, doctor. mr. olsen -- >> and metropcs, besides our
7:53 pm
internal systems we have cyber security partners, so security monitoring firms that we use to monitor our network and our systems 24 hours a day. those firms do share information between them. but if i understand your question, there is not a central clearinghouse for that information for the folks that are outside of those security companies to easily share information. so if mr. amoroso recognizes a threat or is told about a threat in his network there isn't a central place where he could notify other companies or other carriers in the same industry that this threat is out there and we should respond to it. >> is there an incentive -- because i almost hear a disincentive to do that. if you protect your customer, why do you tell the other iphone -- >> i don't know if it's a disincentive. you're telling the bad guys too when you broadcast the threat. so it's a little weird to be too
7:54 pm
open about what you're concerned with. i kind of like the existing model. i think there are companies that do this. we evaluate them. when the intelligence looks pretty good we buy it. >> all right. my time is expired. we'll turn now to the gentle lady from california. >> thank you. excellent testimony. first, to mr. livingood, i think it's really terrific that you're the first isp in north america to fully implement dnssec as you noted in your testimony. how do we encourage other isps to follow your lead? what would be just quickly -- i have a whole series of questions so i want to go as quickly as possible. >> i think on that regard by other providers, i think it's important to keep in mind, it is not just about network operators. it is about banking sites, software operators.
7:55 pm
but specific to network operators i would say there's a lot of the interaction going on already. you know, one of the beautiful things about the way that the internet has worked and is successful is there are a lot of the multistakeholder consensus based organizations that groups get involved in one. one of the groups is one i'm working on. they're coming out with a recommendation soon. >> when will that be? >> i think that it's due today. the recommendation -- >> oh, good. you never know on government time. congress has an extensive network to ensure the security of our mobile devices and the network that they run on. i experienced this firsthand last year when i traveled abroad as part of a congressional delegation. and my device became infected during the trip.
7:56 pm
and because of the -- and the device never left me. i practically slept with the thing under my pillow. it was never out of my purse, never left in the hotel, but nonetheless it was infected. because of the proactive measures in place, the threat was detected prior to being reactivated in the house network. so as a company, what steps do you take to ensure that your customers, particularly those in smaller organizations, adhere to the same proactive security measures, and i guess my question is to mr. totzke, to dr. amoroso, i love your name, amoroso, and mr. olsen. >> sure thing. thank you. i'll go first. i mean, we provide a comprehensive list of guidelines for configuration of the device. so our administrators have white papers and information they can
7:57 pm
access on the website. our goal is to make sure that your administrator, your i.t. organization that looks after your device, if it's a blackberry device, has full control over that device at all times. so there's a comprehensive set of policies, more than 500 of them, that an administrator can send to control all aspects of the platform including preventing access to information or disallowing the installation of software on the device. so we try and do that as i think will be a common thread here. there's a lot of education in this industry. and we have to do it on a daily basis and a lot of risk that is really difficult for people to understand. we're trying to offer as much transparency and help to our customers through publication and forums like this. >> as i understand, one way to
7:58 pm
prevent potential bot activity is to block i.p. addresses that pose a threat. do you have the technology to do this today and if so, has it been effective? >> i can comment. we have the technology to block. but it doesn't work. so, you know, we can certainly -- >> there you go. >> we do try real hard. botnets, like we made the mistake in computing of turning every person in this room into a windows system administrator. that's what you do part-time when you're not legislating. so that model is wrong and most of you don't do a very good job of it. nor do i. we'd probably say we don't do it well already, so we have distributed the responsibility massively, and that -- >> is that what causes the complexity that you just -- >> well, it's billions of people around planet earth with pcs that are improperly protected. it's a piece of cake to build
7:59 pm
botnets. ones that are 50,000, 100,000, we don't bother naming them. we track them and try to contain it. it's not a matter of blocking the i.p. addresses because we'd be blocking you. you probably wouldn't like it. sorry you can't get on the internet today. we'd shut the whole internet down if we did that. >> and in my opening statement, i mentioned the issue of supply chain. and the security that i think really needs to be brought to that. first of all, do you share these concerns about the supply chain and if so, what do you think would be the appropriate role for us to play in addressing it? i think it's a serious issue. our telecommunications network as we