tv [untitled] March 8, 2012 8:30pm-9:00pm EST

8:30 pm
you suggest in your testimony that congress define the roles of the various executive branch agencies in cyber security. where do you see the fcc as an independent agency playing a role? >> well, i don't -- i mean, i don't think there's an agency right now that's in a good position to come in and solve a problem we can't solve ourselves. i mean, if it really was a case where you could write out these five things that we should all be doing, and for whatever reason negligence, ignorance, whatever we're not doing it, then you need somebody in government to shake us into action. the problem is that we don't know what it is that you should be telling us we should be doing. that's why we're pointing to innovation as the key. so it's almost kind of a moot question whether it should be dhs or fcc, because i'm not sure what they should be telling us. that's the problem. and, you know, there are some
8:31 pm
things, i said i'm part of the team. i'm trying to make recommendations. i'm not -- i don't want to lead you to believe that we're not trying to reduce the risk, but i would say from an agency perspective if there was an obvious set of things that should be done right now, kind of thinking the groups that are here would be doing it. we are incented to do that. that's the problem. so i hope that addresses the question. >> okay. yes, thank you for that answer. and mr. livingood, you mentioned that comcast -- is an active participant on the fcc reliability and interoperability council. can you describe for us how you envision the council's contributing to the improvements in cyber security, especially with the attacks, like the botnets? >> sure.
8:32 pm
there are a number of working groups. i'm on one. one of the folks that works with me is here. they focus on the security of the routing infrastructure. dnssec and a whole range of other things. i think that's a process that works pretty well. people voluntarily get involved. they work together on what they think the current best practices are. that repeats regularly every year so it's not static. it's not sort of -- in 2008 we came up with some best practices. that's what we're still focused on. it's something that gets renewed and refreshed all the time. so it can look at every, you know, new threat that comes out. that's one of many places we all work together. there are lots of others, the north american network operators group. and a whole range of other, other acronyms i could go on about. i think they're consensus based, voluntary and really current issues. >> okay. and while your customers are
8:33 pm
mainly using your service for in-home computer, they use it to access the comcast e-mail and other video products. how do you continue to ensure the same protections extend to these uses as well? >> so a number of the security protections are things that a customer can download and install, like their home computer. but we have a bunch of things like the constant guard system and other systems. maybe it's a friend that's visiting their house and they're on the wi-fi network and they talk to a botnet, we'll see those kind of things. so, you know, we can alert customers to that. whether they have installed software that we have provided on the device or not, we still have tools in the tool box to identify that and help them, you know, tell them about it and help them solve it. >> okay.
8:34 pm
mr. amoroso, you stressed the need for the information sharing, but a lot between the government and the private industry. what protections do you think are necessary to protect civil liberties and consumer privacy and what do you think the reasonable boundaries are to antitrust violations? >> well, i'm an american, i want civil liberties and all those things. so the current state, we have swung the pendulum in the direction of making absolutely certain that we're protecting civil liberties. so the question is how do we somehow preserve those liberties and allow us to know that's a malware thing? i think we have to figure that one out. i think it's got to be a high priority. if that's malware, that's not really a civil liberties issue.
8:35 pm
comcast should know -- that's a problem they can put in their system. maybe we need to get the lawyers out of the room and come up with a common sense approach. but that's the reason. all the things you listed. that's why we can't take those signatures today. >> thank you. thank you, mr. chairman. >> thank you, dr. christensen. dr. amoroso, you should have seen the people shake behind you when you said get the lawyers out of the room. let's go to mr. bass. >> thank you very much. i have a couple of questions for mr. livingood. but before i ask those questions can i ask a mobile or smartphone question for dummies. why -- is there a difference in cyber security issues between an ipad or a smart device like this and a laptop or desktop computer?
8:36 pm
make it quick because i want to ask some others. >> there's probably a firewall between your pc at work or something. a wired lan, so we can do more filtering and policy control. with your wireless, you go direct to us, to the isp. and we have been incented and led, you know, particularly in washington, push the packets, don't look at them. don't do anything. don't impose -- god forbid you impose some kind of policy. so your connection for wireless is directly to the internet, whereas your wired connection has an i.t. at work. >> so is this unit here exposed to bots? is there a cyber security issue with my ipad? >> i don't know what you're connected to. >> let's say i'm connected to comcast which i am. >> there's a new class of device and a lot of the hackers and other criminals, they're very
8:37 pm
focused on return on investment. they're focused on where the biggest platforms are. the more they get out there, the bigger the target that makes. and so they'll see, okay, i have a few million devices. so you'll start to see more and more of those things. depending upon the tablet that you have, some are more vulnerable at the moment than others. that's something that the americans are buying. it will be those type -- >> who's responsible? is apple responsible for this or are you? >> i think it's a variety. i think with that device it's apple that plays a role. with the android devices, google plays a role. then all the software vendors play a role. but there's a component of customer education. and i'm sure over time, you know, just in the same way that we have software that runs on pcs to provide security, you know, that's going to start to develop and evolve for tablets and provide that extra level of security as well. we're just i think at the early
8:38 pm
stages of the adoption group. >> the same is true for blackberry, right? >> i mean, all of the tablets are going to have different risks and different threats. we look at it in terms of how we protect our platform. but the theme that i keep hearing over and over is the need for education. and when you talk about computer security, one of the inevitable comparisons is to driving a car. we don't let people drive a car without a license, but we let them connect to the internet and download software without understanding what the risks are. that piece of education, i'm not suggesting we license people to use a computer, but we need a level of education in how we inform people of risks that they have. >> fair enough. i want to ask a couple of questions about the constant guard protection suite. i note in your testimony on page 6 it says at comcast we understand that securing cyberspace is a complex task.
8:39 pm
remediation and recovery are the core objectives of the anti-malware efforts. does comcast require its customers to download the constant guard protection suite and if not, how is the customer going to know that it exists and how are you going to notify them that they have a problem? >> so it is not required that a customer download that to use our service. they have to have normal internet connectivity to do that. but we do a lot to make customers aware of that and to incent them to download it. before they have an issue, when they're installed they're given a lot of information and they're given links to that and so on. when they sign up for service we're reiterating that for them. we do a lot of things on the website and others to promote these are available. certainly after they have an issue and we notice it we drive
8:40 pm
them to the remediation portal. that's one of the first things that we recommend they download is that suite. we do a lot when they come on, and we do things to reiterate that. >> real quick, it's limited to windows operating system, correct? how long has it been around? >> that protection suite is pretty recent. more than a year. that's a supplement to a larger antivirus and security suite that we have had for many, many years that is -- >> real quick, because i have run out of time. what business incentives if any did you get or did you have to develop and offer this service? >> well, we view it in two ways. number one, there's a competitive incentive. if we can be seen as having more security features or more secure than the next guy, someone chooses us as their isp rather than someone else. customers when they come on
8:41 pm
board as a customer used to tell us that the two reasons were price and speed. and today, it's price, speed and security. so customers are very aware, increasingly so. not as aware as they need to be, but very aware about security. they ask us about those things when they call us up to order service. we view it as a competitive feature we need to add and that's why all of the things that we're doing are important to us. >> thank you. we now go to chairman dingell for five. >> mr. chairman, thank you. gentlemen, we have much to do and little time so i'm going to try to ask questions, if you'll answer yes or no to. starting off with mr. livingood. gentlemen, you seem to be in agreement that imposing new federal cyber security regulations on industry would stifle innovation and harm industry's ability to protect consumers from cyber threats. is that correct, yes or no? starting with you, mr. --
8:42 pm
>> yes, i am concerned about that. >> yes. >> sir? >> yes. >> yes. yeah, i think you have consensus here. >> gentlemen, let us assume for a moment that the congress will pursue the no regulation path in this matter. and instead, facilitate greater information sharing about cyber threats between industry and the government. would that be your collective preference, yes or no? >> yes. >> sir? >> yes. >> yes. >> yes. >> thank you. in that case, would the congress need to consider granting exemptions to the antitrust laws and the federal trade commission act in order to allow the companies to share cyber security information amongst themselves? yes or no? >> yes. >> yes. that's right. >> yes. >> yes. >> i can't comment on that. >> now, gentlemen, similarly, do
8:43 pm
you believe that a safe harbor provision should be created in statute to permit companies to share serious cyber threat information with government agencies without fear of class action or other lawsuits being brought against them, yes or no? >> yes. >> yes. >> the reporter doesn't have a nod, but sir, so you have to say yes. >> it's a yes. >> thank you. sir? >> yes. >> sir? >> i'm afraid i can't comment on that. i don't know. >> yes. yeah. >> now, gentlemen, my last several questions have been premised on a no regulation scenario. wherein the congress adopts legislation to promote information sharing between industry and government. would you please submit for the
8:44 pm
record what enforcement tools you believe the federal government would have in this scenario to ensure that industry is adequately guarding and being guarded against cyber threats? i'm asking you to make a submission there for the record because of the shortness of time. now, gentlemen, let us assume that the government would have some role in promoting cyber security in the private sector. if the federal government were to require the promulgation of cyber security standards, should such standards preempt state laws? starting with you, mr. livingood, yes or no? >> yes. easier to have one standard. >> i'm not sure. i haven't thought that through. >> yes. >> sir? >> i'll have to agree with dr. amoroso, i haven't considered
8:45 pm
that. >> yeah, i can't comment on that either. >> now, gentlemen, i have read with some interest in mr. olsen's testimony that -- and i quote, the ongoing evaluation of metropcs's security program is based on periodic internal and third party assessments and auditing, would your respective companies object if such audits were government mandated? yes or no? >> no, we already provide all those things already. we already do that. >> i think we would object, yes. >> we'd object. >> you would object. >> yes, we would. >> now, then i come back and ask you to explain that. the next witness, if you please. >> so, yeah, we'd probably object. but we do this already. >> now, those who have indicated no, would you please explain briefly.
8:46 pm
>> i can explain. when you write a law, we do paperwork. so i take people away from doing their day to day work to sit and do work. we have an ops lab. one of our favorite things to show people in the ops lab is along one of the walls we have about a mile's worth of ring binders. and they always say there's the government paperwork followed by a lot of sort of chuckling laughter, but it's true. we have a great deal of paperwork that we fill out when we're dealing with different federal groups or sarbanes-oxley or whatever. there's a lot of paperwork. i'm just suggesting we're already doing that and government says i need you to fill out this compliance checklist, you're taking people away from the work to do the paperwork. that's why we'd object. >> very quickly, if i can make a note this is the danger of sending an engineer sometimes. but i'm told we'd have the same
8:47 pm
concerns and we'd object. >> gentlemen, thank you. mr. chairman, thank you. >> thank you for your questions. i think you got to the heart of the matter quickly. and now we turn to mr. rogers. >> thank you, thanks for the witnesses as well. i think one of the big problems that we run into on this is that we haven't sounded the alarm bell. i think in all of the circles of people who look at this every day, all the security shops, the i.t. security shops across america, they know what the problem is. average users don't see it. and that's why there's just -- there's no hue and cry about how we get this fixed. you talk -- each of you talked about how that would work. if we bring the folks together, we're sharing the government secret sauce with you all and you're sharing back malicious
8:48 pm
ware that the government is not aware of, talk about how fast this is. there's talk about civil liberties. i think people have this visual that people are reading e-mails. some guy -- a guy named bob in cleveland is reading everybody's e-mail to find this malicious software. not how it works. as a matter of fact, if that's how it works it's a miserable failure. can you talk about how you envision how that will work with the sharing, realtime, no regulatory? >> i'd be happy. i want to compliment you on the legislation. first of all, realtime absolutely. independently auditable i think is important. so that somebody can come in and look at the way this is done, but it also has to be controlled. like blasting it out over the internet would be a bad idea, but i think you need to balance this realtime, but also the ability to come back and look at the process, make sure it's
8:49 pm
transparent without like i said exposing it to our adversaries. >> there's also different levels of sharing by industry. i think you have to look at how you do your risk assessment on each category that i previously described. there's a very good example out there what's working well. that's the defense industrial base pilot that's going on. that particularly is supporting defense contractors and dod. you can expand that to the financial services industry and other industries. >> anybody else want to take that? and just for clarification, when we talk about realtime, i have seen numbers as high as 100 million a second. that's packets of information flying around. so if this is going to work, the malicious source code has to be compared at an incredibly fast rate. can you talk about that from an engineering perspective? anyone? >> so i think one of the challenges is trying to do any
8:50 pm
kind of pattern matching. a lot of the malware that we see and have seen for a number of years is sort of what's called next. a lot of stuff changes. it's not like it is with anti-spam where you can match on a few key words or one file attachment. no, that's it. that's the target, and flank it that way. you need to come up with ways, and a number of us have systems like this and there are others that are in development that can do this on a wider basis. but that is the very challenge, doing that in realtime is incredibly difficult and you're at the edge of computer science at this point. >> which is why i think many of you told us before the regulation is written, be careful of the regulatory scheme. if we slow you down, if we give you another row of books down your mile-long hallway there, it doesn't work. we already have outdated what you're trying to accomplish in the room. this is a value added not only for you, but for the government,
8:51 pm
is it not? the government also gets benefit from the protection of all of your great work in the private sector, correct? >> that's correct. and there are two things that raises that are interesting. one is by the time a very prescriptive law would be written, by the time ink would dry, the threats would have moved on. we need with our software developers, they need to be hard at work in a room, not with half a room full of lawyers with them slowing them down and asking questions why are you doing this and that. they need to be at work every day trying to solve this problem. >> and i have to say for the record this may be my favorite panel of all time since i've been in congress. never so often have a group of engineers belittled lawyers at the table. you have warmed my heart today, and we have faith that we're moving forward. i wish we had time to talk about all the issues. i'm very curious about how you
8:52 pm
would fix the programming issue. a huge problem for us as we move forward. we didn't talk about exfiltration, which is very difficult for any of you to catch, which i would argue right now is the single greatest threat to our economy moving forward, aside of the things we know today. yeah? >> tell me, could you outline exfiltration? >> sure. we know that nation states today are engaged in getting on to your network, lurking. they'll be there for a very long time. you don't know it. your system administrators don't know it. these folks can't catch it. sometimes the government -- a lot of the times the government can't catch it either. and then they'll latch on to that intellectual property that is on everybody's computer today. all those designs, everything that is of value to that company. and at the right time, at the right speed, they latch on to it and run like heck through your network and take it back. and we know a country like china, who is investing in this
8:53 pm
as a national strategy to exfiltrate intellectual property and directly use that intellectual property to directly compete against united states businesses. and unfortunately, it is happening at a breathtaking pace, breathtaking pace. and what is concerning, these folks are looking for malicious software that is disruptive or theft-oriented. this is very sophisticated. this is as sophisticated as any you'll see. hard to detect. they don't want to break anything. they want to get in and steal it without you knowing it. that is what is so troubling. hundreds and hundreds of thousands of jobs lost every year for the theft of that intellectual property that is being reprogrammed commercially against u.s. companies. this is as big a problem as i have ever seen. it's one of the things, of the many that keeps me up at night, mr. chairman. so thanks for letting me explain it. it's something we didn't really get into today, because that's
8:54 pm
not the focus of what they can even watch. that's why this information sharing i think is so important. it would help american businesses by the federal government having information, being able to identify that code, share it with the right partners. amazing what we would be able to stop. >> with the indulgence of the committee members, perhaps given the importance of that topic, you could each, if you have anything you want to add on that area. then we'll go to mr. stearns and mr. gingrey. does anybody want to comment on what the chairman -- >> i will. it's called advanced persistent threat. he's got it exactly right. it's somebody targeting any of you. if we know the folks you run around with, we can craft a fake e-mail that looks pretty realistic, points you to a website that establishes a tunnel. it drops a remote access tool on your pc. you know how you log in when you do remote access from work or home or wherever you're doing it? this is a hacker now doing
8:55 pm
remote access to you. you're now the server. and once they are on, they can troll around your pc, your network, and the intellectual property theft has become significant. it is probably the number one thing i bet all of us when we go back, we talk about botnets and dns. when we go back to the office, we're dealing with apt, which is kind of our point, right? we're ahead of the discussions, things we've been dealing with in the past, and the things we deal with now are probably things we'll be here testifying about five years from now. so that is an issue. >> and just to echo, the advanced persistent threat, these are remarkably sophisticated adversaries. these are slow, patient. they'll lurk on your network for years. i'm from the canadian headquarters. we had a large company go out of business, nortel. part of the aatut
8:56 pm
is loss of intellectual property, siphoning secrets right off their network. when you look at that, this is a serious concern. five years from now you'll probably be looking at that. that's how advanced they are. it's great you're looking at it now, congressman. the threat is real. it's persistent today. it is a threat to jobs and an economic threat to the united states and elsewhere. >> thank you. >> thank you. can i just for the record thank mr. mann for his 30 years of fbi service as well. thank you for all the time you put on the target, sir. >> thank y rogers was a former fbi agent himself. let's go to mr. stearns now. >> thank you, mr. chairman. let me take my questions a little along the line that my colleague from michigan talked about when he talked about advanced persistent threat. dr. amoroso, when you did your opening statement, you were speaking quite eloquently, talking about malicious software, malware you talked about. and you painted this picture that the malware itself you were
8:57 pm
impressed how well it was developed, put together, and you sort of alluded to the fact that it was almost not impenetrable, but it was to the point you were respectful of it and were not sure we were keeping up. is that my interpretation of what you said? >> that's exactly right. we're definitely not keeping up. we're trying. think of the dizzying pace of innovation you see out in silicon valley, right? new things every day. the hacking and the malicious adversary community, they're moving at the same pace. so the job we have, we've got to keep up. and you would say, hey guys, you better be ahead of them. not even enough to keep up. you better be ahead. so we're always going to be sort of biased. >> so you're saying you're always catching up. >> we've got to go faster. we have to innovate. >> is that true you think you're
8:58 pm
always catching up then? that's what you implied to me by saying the respectability you had for this malware. >> yes. >> is this true for adware, spyware? >> apts are the best. the exfiltration point that the congressman spoke about, that is the elite kind of attack vector in 2012. spyware maybe not so much. >> with the malware, who are the people that are doing this? can you name them? >> i can't. i'm not law enforcement. >> is there anybody on the panel? dr. amoroso talked about this malware so respectfully, and how eloquently it is put together. is there anybody who can tell me who we're talking about? >> i think if you take a look at the most recent investigation conducted by the fbi on the dnschanger malware, you'll see it was a group of individuals operating out of estonia that
8:59 pm
basically sent malware to individuals in various forms and e-mails, and you clicked on it, and it infected your computer in a way that it directed you when you went out to do a dns type search, you were looking for amazon.com or some other company, you really went to their servers. their own servers were embedded in various locations in the united states. so these are organized groups. they figured out how to capitalize on the money you can make with the malware. >> are these people, for example in estonia, are they part of a mafia, underground, an organization? it's larger than just estonia, without you revealing any -- >> these are no longer just individual hackers. the individual hackers are out there. but now they've actually formed themselves into types of federations to work together. >> across the world? >> you can do it across the world there are certain hacking groups you can join and be a member