tv [untitled] March 8, 2012 8:00pm-8:30pm EST
8:00 pm
appreciate after our country was attacked was the system that we relied on. we didn't have that. i don't know what we would have done. so i think that -- and there are constant things that keep coming up relative to the supply chain. so i welcome any comments on that.
>> so i'll answer that from a device manufacturer's standpoint. this has been a concern for r.i.m., you know, for the decade plus that i have been there. we have to understand where we get our components from. where we manufacture the devices. and when we started it was really easy because we made everything in our factory and it was under our control and you grow into the global entity you deal with outsource manufacturing and kind of directing that around the world with different partners. so it brings into question are you actually manufacturing the product you think you're making or are you getting something out that's whole and intact? we really focused on
8:01 pm
understanding what we can do to secure our products in the manufacturing process, as well as the parts that come in. for some of the strategic vendors we are doing serialization and encrypting before it gets to us and then we go through the verification of every tool along the line, checking with r.i.m. head office to say are you allowed to perform this operation? and the combination of hardware and software so the embedded certificates in the silicon, the hardware checking that the software hasn't been tampered with is used to get blackberry services. so we know that the device hasn't been tampered with and it's been manufactured by r.i.m. and it's intact when you first turn it on. that protects our network and your networks. it's that hardware, software and network layer working together to ensure the integrity of the blackberry services that we
8:02 pm
provide to our services.
>> mr. terry?
>> thank you. with my five minutes and five people, i want to ask you the same question. and that's in regard to the fact that you're the interface. if i want to have an internet experience i have to hire one of you. so what are you doing to provide me services that will protect at least to some extent from botnets and viruses or attacks to my information and my computer? and we'll start from left to right, my left to right, mr. livingood.
>> thank you. so i think we have somewhat similar capabilities. it's a multilayered approach. there's not any one thing that will solve it. it's like an onion, lots of layers. the intrusion protection at the
8:03 pm
edge of the network and mitigation to botnet intelligence systems. and then to notify customers and there are also a number of things that we all do and we do in particular to educate customers to help them understand what things they need to secure in their network. the software they need to manage gets them the software they need to secure their network and their computers. it's a multilayered approach.
>> that was exactly what we do, same thing. i mean, i don't know -- there's a lot of different products and product names. i'll tell you the one thing we don't do. we didn't sell you the computer. we didn't sell you the operating system that runs on the computer. we didn't help you select what type of software to put on there. and increasingly the isps are getting dragged into that and
8:04 pm
it's a difficult situation. isp, you know, i have something wrong with my pc. you're sitting off in the cloud watching. you should figure out how to fix my pc. that's something all of us struggle with.
>> we do all a number of similar things i think in the isp world. you know, to protect residential customers. i think you have heard of them. the spyware, the antivirus, parental controls. we all have educational and awareness, you know, places on our website, our home page where you can go to. we have a botnet notification program. we have a method to notify you and then facilitate you cleaning up your home device.
>> i think there's a lot of commonality in the approaches that we're all taking. one of the distinctions that i
8:05 pm
mentioned in my opening comments regarding our cyber security partner i think is -- our partners is really important. these are people that are focused, their full-time job is cyber security. they're looking for threats all the time and they have hundreds if not thousands of customers that are feeding them information and they are seeing realtime threats go through many companies. so a threat that might hit one company, they're aware of be many of us would see that. so i think that information sharing in that cyber security industry is really critical and it's something that we value.
>> all right. mr. totzke, you may have answered this already.
>> yeah, we have administrator user security, which allows them to dictate what level of protection they put in and we
8:06 pm
allow for on-device encryption, remote restore, the ability to wipe a device. you can deal with the eventuality as it's lost or stolen or left in a taxi cab. we give you the capability to deal with that.
>> good. i appreciate that. i guess the last 47 seconds i'm going to give to mr. amoroso. should the responsibility be on the isp providers to have a system to detect viruses as they enter into your network before they get to my computer?
>> if we knew how to do that reliably, i'll be trying to sell you that years ago. it's a very difficult thing to detect viruses and malware. we do notify like the rest of them. i call a hundred to a thousand people every week. the problem is if i really knew
8:07 pm
what to tell them, knew exactly how to fix their pc i'd call everybody. the problem is there isn't a person in this room that can tell you how to clean malware off your pc. other than re-image your computer. you know, that's the best we can do.
>> can we just tell you to stop it?
>> i wish i knew -- you know, here's the reason we can't stop it. i don't know if you're familiar with the encrypted tunnel, but when you visit a website you see https, that's an encrypted tunnel. every hacker in the world knows to make sure they're pushing their malware through that tunnel. they hide the malware in places we can't see. that's where anybody would go.
>> it's a fun issue to deal with.
>> when we pick up malware it's
8:08 pm
the equivalent to somebody falling over and having a heart attack on the table, that's rapid response to preventive care. you fell over, you had a heart attack, that's easy. it's picking up the stuff that's not easy. that's why it's difficult to build reliable services to detect malware because it's hidden. any hacker would do it that way.
>> thanks. mr. doyle, you're up next.
>> i think we ought to call him dr. sunshine. mr. totzke, i want to ask you about federal workers. as you might know, the white house is currently working on a national mobility strategy to determine how the employees of the federal government are using their mobile devices and they're going to decide for example, if all agency workers can bring their mobile devices to work much like private sector
8:09 pm
employees do. we don't -- we're not advocating for one type of phone to use in the federal government, but what security issues do you foresee if we allow all workers to use their own mobile devices and how do you think device manufacturers can make sure that the data that's on the phone of federal workers especially in sensitive agencies remains secure?
>> as you move more to the heterogeneous environment and you bring your individually liable devices, one of the challenges you face is that the security of platforms is going to vary based on the vendor and the features that they built into that. so getting a consistent view of security and how you're protecting your information is probably one of the issues. there are, you know, kind of liability and discovery issues in more of a corporate context. if you have to go through the litigation, maybe not such a big case in the case of a federal government employee and how do
8:10 pm
you protect the information on the device? there is a level of encryption built into blackberry to encrypt all of that data. whether that's personal or government data. as we look at how we -- how we go into a bring your own device scenario, you know, the biggest concern that i have is this lack of a standard bar for protecting information and what i would be most concerned about is sort of a race to the lowest denominator. we have three or four competing platforms. in order to allow everything, we'll reduce our security requirements to the bare minimum which i think is the wrong thing at the government level.
>> thank you. mr. livingood, given the concerns outlined by dr. sunshine about outlining dnssec, can you tell us why comcast decided to use dnssec and whether you think it had the
8:11 pm
intended benefits that you think it would?
>> sure. it's a long-term gain there. i think one of the challenges was that you needed some critical mass, more people to start signing their names, to build software to do that. we felt like we could play a role in creating that critical mass. that's part of the reason we did it. i think the reason, you know, at root why we did that, when the kaminsky vulnerability came out in 2008 it fundamentally scared the heck out of us. if our customers couldn't be sure when they went to bankofamerica.com, it was that website, that scared us because they're less likely to use the internet and that's incredibly important to us. to have a way -- we all certainly had a short term fix to that, but to have a long term fix to that was important to that. we're pleased to help lead the
8:12 pm
way to help the adoption.
>> thank you. just in closing, dr. amoroso, i have enjoyed your testimony and it makes us realize how much work we have to do together to face this problem that certainly there's no easy answer to. but i want to thank all the panelists for your testimony today.
>> thank you very much. mr. shimkus?
>> thank you. i kind of want to build a little bit on what my friend mike doyle mentioned but i wanted a different perspective. your -- because it's kind of tied -- popped in my mind when he talked about federal workers. where are you finding your cyber warriors today from? where are they coming out of? coming from private universities, the military? briefly, cutting edge new people who are helping you do this stuff, where are they coming from?
>> so --
>> go on down, real quick.
8:13 pm
>> i think it's a variety of places. i would say, you know, there's a need for more educational focus, in ict generally. but we find people in a variety of ways. some are former military service members, former law enforcement. others are just linux system administrators. others are former childhood hackers or something like this. and they're interested in it. so it's a variety of things.
>> but is there a college path? is it a -- i mean, can you get i.t. training in the business schools or computer science class?
>> i can comment. i have taught at stevens for 22 years. if you looked at my class in 1990, you would see something that would look like, you know, typical went to dickinson, pennsylvania. so, you know, pretty -- a mix of kids. my class today at stevens is about 98% foreign
8:14 pm
nationals. i have got about 65 in a classroom. and almost all of them have the intention of leaving the country when they complete their master's or phd because they see bigger opportunities elsewhere.
>> if you all want to jump in, i don't want to forget about the compensation of people entering the private sector and government sector. we have the same issues about bringing in the best and the brightest, but if we're not compensating them for what the private market bears, then that's another thing. anyone want to jump in?
>> just on where we source, so there is out of the education system. out of the military and intelligence. we find people moving into private industry. the most talented one in my team is a high school dropout.
8:15 pm
i think using it as a bar doesn't identify them. so it varies. and i don't think you can actually teach somebody to be a hacker. there's sort of -- if you want to be a researcher, there's an ingrained mentality. it's not like i'm teaching somebody a trade. being a hacker is a different mind set.
>> thanks. i don't know if i'll get to both of them, but the debate on the senate side and this is how you provide is what happens if we -- the federal government requires you to follow a new government security standard? what happens to you? that's the debate on the senate side legislatively. one has a government imposed standard and the other i think is letting you fight yourself. anyone to fight in?
>> i'll offer up a brief point. my guess is anything you can
8:16 pm
write down that you can think of as kind of a best practice, it's already being done here. and the thing we're back at the shop worrying about now are things that are not on your list. like as an example we talked about botnets. remember y2k? we were worried that we were going to get ddosed for one day. that would be bad if you missed the millennium change. you can't move that date, right? so we were completely freaked out by botnets then. a lot of people in this room, we have built ways to steer traffic around and fix it. and now we have a service and it's -- we have moved on to the next thing.
>> the final challenge out, because i do agree how do we incent innovation in this area which is part of the opening statement. incentivizing usually means government money here or
8:17 pm
government tax credits. you know, that's all kind of persona non grata in the new world in which we live in. i would ask you to help us wrap around this and maybe it's easing regulatory burdens. maybe there's things we can do that's not a dollar/cents component. but tax credits. things like that, it's very difficult to do in today's environment. i just throw that out. thank you, mr. chairman.
>> thank you. with the committee's indulgence, doctor, can you explain ddosed?
>> that stands for distributed denial of service. when i speak to you, it's one thing to many ears and it works great if you're all quiet and you listen, but if you could bounce my voice off to you, it would sound like you're shouting to him. that's a denial of service
8:18 pm
attack. we hit all your pcs and then tell all your pcs to shout this way and it sounds like this big attack and it clogs the pipes and knocks him out.
>> thank you, doctor. now we go to ms. matsui.
>> thank you, mr. chairman, and this is all challenging and frightening at the same time here. and i do appreciate all of your testimony. i want to go into another area here. as we look into developing an industry best practices, should isps' own cloud services be included as well as other cloud providers or do you think because the technology is newer it would be better to form their own best practices to secure data in the cloud? and i'd like mr. mahon and dr. amoroso to answer that, please. and we don't have much time.
>> well, first of all, we're
8:19 pm
already talking to the cloud provider and some of us are cloud providers. i do think the conversation is well underway. we're familiar with the challenges. if you think about it, the term cloud is a rather generic term that is probably misunderstood. it can mean a number of different things for different types of customer. and so therefore i would say we continue to include them in the conversation. as we have everyone else at the table as partners. it has to be integrated across the wide platform. i would say that you want to keep them in the conversation.
>> thank you.
>> so my mother has a pc at home that at this instant i'm sure is like attacking china or something. it's probably going -- because it's not administered properly. and she's got, you know, big tower with verizon fios, the
8:20 pm
whole thing. she'd be better served to have a cloud provider take care of that for her. she'd be using some appliance to hit the internet. the reason she doesn't is because there's software on the pc that she wants to be able to use, it hasn't been put in the cloud. in general, that concept is a more secure concept than my mom trying to do administration. so i think cloud in general is a more secure model than the one we have now.
>> okay. that's good to know.
>> yeah.
>> dr. amoroso, given your expertise in this area, what are the differences between securing wired and wireless communications networks and how can these differences be accounted for in any type of cyber initiative?
>> they're pretty big. the differences are significant. you know, if we had three hours i would take you through the whole thing. i'll give you one example. remember when -- i'm guessing
8:21 pm
most of you remember when computer security was just don't put an infected floppy in your computer, remember that? it was like don't put software in your machine where you don't know where it came from. it seemed like perfectly good common sense. what do we do on app stores, i don't know who wrote that, but i think it looks cool. i'll download it to my device. that's something we have to address from the security perspective. that's a big difference between wired and wireless.
>> i'm thinking also too that so much of what we do is wireless. so much we do within our own homes is wireless. and yet, it's just so easy to do it that most people don't think about it at all. and i'm concerned that we're not thinking as broadly as we should be thinking as far as some of the personal use. i think it came about here with mr. doyle too in the government area too.
8:22 pm
but it's so easy to be carrying, you know, tablets and different cell phones around. and for me it's the part that's really to me quite frightening is that nobody knows what they don't know and we're looking at you and you're saying that there's a lot of things you don't know too. we look upon you as experts. i'm hoping that we can build in some incentives here with a sort of a sharing of information that goes beyond some of your commercial type of concerns. because i'm looking ahead -- this is even going to get more and more complicated as we develop more tablets and smartphones and whatever that we're looking control of the cyber security aspect of it. and the software aspect i think you brought up, dr. amoroso, is
8:23 pm
really very important. the education of that and whether or not we are actually kind of building our own principles and standards into that too. so that's just a comment and i really do appreciate your being here. i think i'm learning more and more every time one of you opens your mouth. thank you for being here.
>> thank you for your comments. we'll go now to ms. blackburn for five minutes.
>> thank you, all, so much. i'll tell you what i think i'm going to do is just ask my questions. then if you all want to respond or respond in writing, that would be wonderful. first of all, going back to something that mr. shimkus said, i would like to hear from each of you and you can say now or send it to me what you're seeing as the disturbing trends, and what is kind of the next thing out there. i'd like to know that. i'd like to get an idea of how
8:24 pm
much of your cost of doing business is beginning to center around the cyber security issues. in your testimony, several of you have mentioned in one way or another, either in response to the questions or testimony, fear that the federal government could end up being more of an impediment than a facilitator in bolstering some of the cyber security efforts. i would like for you to speak to what you are concerned that we might do and then what we are not doing that we should be doing. and hear from you in that vein. with your consumers, i would appreciate knowing what you're doing to educate them. i think one of the things that helps us, being certain that consumers are educated so if i could get that bit of
8:25 pm
information and then when we look at the hacker attacks that are out there, some of the anonymous attacks, some of those -- there's one in the news today or i think there are five people that they have -- are bringing forward on charges. what kind of government imposed performance requirements would help keep pace with some of the technological evolution that you're seeing in these cyber attacks and if we were to do a government top down sort of structure to try to deal with cyber enemies, would that be giving a signal to that cyber enemy? is that too much information for them to work around? with that, those are the questions that i'd love to hear from you on the trends, the cost, what we are doing, what
8:26 pm
we're not doing, dealing with consumers, how you're educating them and then looking at the attacks. the cautions you would give to us there and with that, anyone that wants to respond.
>> sure, i can go first. then i'll try to be quick so others can answer. in terms of the positive things that government can do, i think making information sharing easier. there are a number of things to help. i think government has a role to play in education, whether that's psa or other types of education for end users. i think there's an opportunity to help fund additional r&d. i know nist and other groups try to do research in security and other internet futures. i think that there's more that can be done there that's important. and in terms of things to be careful of or be aware of, i think it's to be aware of mandates and be careful of mandates. i think we don't want to be focused on checklists and compliance. we want to be focused on innovation and the threats of tomorrow, not the threat of today.
>> thank you. anyone else?
8:27 pm
>> well, i can just make two comments. several of the questions and comments today mentioned incentives. i can tell you as an i.t. professional we are heavily incentivized to make sure we're protecting our partners that are interconnected with our systems. i think one of the things that's a little scary so far, we monitor the call center, websites, we're not seeing a lot of requests from our customers concerning their own security of their handsets and devices. so i think education is certainly going to be important. i think there's just not a general awareness in the consumer population, how big an issue this is.
>> okay.
>> maybe a comment more around why it's so difficult to regulate this arena. i think we have been speaking here rather generically about mobile devices and cyber
8:28 pm
security threat. but it's a much broader problem depending on what category you're looking at. trying to be -- finding a solution in a prescriptive way is very difficult. if you think about who's coming at you, you could have a nation state coming at you for all reasons. they could be coming at the federal government for military reasons. but that same nation state could be coming after a corporation for intellectual property. everything from understanding that intellectual property is not in a 50,000 environment, but 50 person doing work for you. if you look at criminal activity sure you have what used to be the script doing something that was harmless and you have hired them today as your network administrator if they grew up. on the other hand, you have organized crime looking at more broadly the world and how to
8:29 pm
make money. look at the recent fbi investigation on the dns, and the malware that affected hundreds of thousands of computers. then you can look at your anonymous and the others more activist, trying to make a point. you come down to the insider threat and the companies. if you think of the data they're after, they're after it for sometimes different reasons. when you try to put a regulatory overlay on that, it's very difficult to put us in a position to respond to the four broad categories and then at the same time make sure we have our checklist compliance programs going. thank you.
>> thank you. i yield back.
>> gentlelady's yielding back. recognize the gentlelady from the virgin islands, ms. christensen.
>> thank you. i have a couple of questions. let me