tv [untitled] March 13, 2012 12:00pm-12:30pm EDT
12:00 pm
i'm pleased the subcommittee is here. every week, we learn a breach of vulnerability. it is vital we are paying attention. like the smart grid, which was the topic of our last hearing by the subcommittee, it was a subcommittee on oversight investigations. communications networks are vulnerable to cyber attack. the potential for disruption is high because communications networks are the common thread to all critical infrastructure sectors. in fact, the public safety legislation that was just signed into law exemplifies these concerns. under the new law, the first responders will rely on broadband to secure the safety of life and property. that will strengthen their ability to protect the network. today, i look forward to continuing the discussion of the security threats faced by mobile devices and the role for ensuring cyber security. our witnesses today represent a broad cross section of internet service providers as well as a handset manufacturer. this should further help our
12:01 pm
understanding of what risks threaten the networks and what companies are doing to mitigate the risks and what the subcommittee will do to help in these efforts. i believe the federal government has an important role to play in the nation's communications network. one important federal role is developing practices that will keep the internet safe. the fcc's upcoming release of the cyber best practices report developed by the communications security, reliability and interoperability council, such a long name reduced to csric. i understand the chairman is planning a third hearing with government agencies.
12:02 pm
i commend him for this series of hearings and look forward to what our witnesses have to tell us. i want to thank you, mr. chairman, for organizing a bipartisan working group to study cyber threats and inform the committee of the findings. this is a good opportunity for staff to work together on the issue of common concern. i look forward to hearing back from the working group and exploring further actions. thank you for the hearing. i thank the witnesses for being here. i look forward to the testimony. i yield back. >> the gentleman yields back his time. we have a lot of big brains on the committee. we need them all to protect america. thank you for agreeing to serve on that working group. gentlemen, we are delighted to
12:03 pm
have you here today. we will start with mr. livingood. we appreciate you being here. from comcast corporation. thank you for being here. just a friendly reminder, being a radio guy, pull the microphone close and make sure the button is lit. >> thank you very much, mr. chairman. ranking member eshoo and members, thank you for inviting me to discuss the work that comcast is doing to discuss consumers in cyberspace. we appreciate your interest in the issue and the willingness to hear from me, an engineer working on cyber security and other issues every day. i serve as vice president of internet systems engineering at comcast. i'm the engineering leader in charge of the high speed internet service. i currently serve on the fcc working group on security and stability advisory committee on the broadband internet group and board member of the internet
12:04 pm
society. i am a contributor of the task force. at comcast, we take cyber security issues seriously. we know our customers are concerned about security. we strive to provide them with the best, fastest and most secure internet service possible. we engineer -- our engineering team devotes significant time, energy and investment to update our cyber security efforts. one such threat that we focused on comes from malicious software called bots. computer and controlled, they are used for fraud and to steal user names and send spam.
12:05 pm
it is important to understand that a person need not consequently do something like downloading an app to be infected. you can be infected by using a web site. to counter bots, we have a customer facing system which first detects botnet traffic and notices alerts and providing them with tools to remove the infections. another area of threat is to the domain name system, which is a foundation and extraordinarily important and critical part of the internet. the domain name system, or dns for short, is responsible for translating names like comcast.com into ip addresses, which are the addresses used to connect and route traffic across the internet. it is extremely important. a vulnerability can prevent an attacker to inject a fake answer. an attacker can direct traffic to a site like a banking site to
12:06 pm
computers that they control to collect log in information. the address in the web browser still appears correct. the long-term fix is to implement extensions or dns extensions. this involves someone doing two things. signing the domain names they own and service providers validating before connecting a user to that site. this is basically akin to a bank keeping your signature on file and cashing a check. it is important to note that the dns was developed on an international stakeholder process at the ietf and will require adoption across the ecosystem like banks and web browsers and cloud. i'm pleased to report that as part of constant guard, comcast was the first to employ this in january. it is important to understand
12:07 pm
that no open network can ever be completely and totally secure. our focus has been to roll up our sleeves and get to work chipping away at the security threats day in and day out. quickly learning and adapting. we are working within the industry and on a global basis to combat the key threats to protect our customers the best we can and to help them protect themselves. there are powerful incentives to take strong and effective measures and ensure network security and safety. our consumers want assurance that the networks they are using are safe and secure and we have strong reasons to invest capital and resources into cyber security safeguards. the same is true for other network providers. we all have powerful incentives to take action to secure our
12:08 pm
substantial investments in our networks. policymakers can help these efforts by removing uncertainties that can inhibit collaboration while strengthening the flexibility to provide the best solutions for our networks. as a member said a moment ago, there is no one size fits all solution. so flexibility is key and it is important because the threats change as rapidly as they do. flexibility will help to ensure we focus on security and innovation rather than compliance and regulation. thank you. >> thank you, sir. we appreciate your comments. we'll be back to you with questions on the specifics of what those uncertainties are in the law. we are now delighted to have dr. edward amoroso with us. he is with at&t services. doctor, we are glad you are here. >> great. thanks.
12:09 pm
i'm ed amoroso. i have spent my entire adult life in cyber security. in fact, as a teenager, my dad was a computer scientist. i have been in and around this forever. i started work at bell laboratories. i found i was a pretty good hacker. i had been doing that ever since. now i'm the chief security officer. i kind of come at this with, you know, a very practical perspective on threat. there are three things i want to share with you that i think are observations that might help you as you develop legislation. they are based on empirical day-to-day dealings with security issues with our mobility network and wireline network and entire fortune 1,000 in lots of different countries. i do that all day long. i wanted to share. the first one is about innovation. we are being out innovated by
12:10 pm
our adversaries. i don't know if you ever bought a piece of furniture and taken it home and admired the handiwork. that is what we do with the malware. it is so good and so well crafted that we marvel at how far the adversary has come. these are not script kiddies doing dopey things. these are pretty good. i don't know if you watched "60 minutes." you saw that piece. that is an incredible piece of computer science. that worm. i think we need to recognize that whatever we do collectively as a nation, we need to figure out a way to incentivize companies and government agencies to innovate in this area. we will be in trouble if we don't. i think everybody on the panel would agree with me.
12:11 pm
the best state of the art security protections that any one of us can put in place will not stop a determined adversary in 2012. that is a fact. we need to do something to get ahead of that and the way you do something is you innovate. you need to do something to get ahead of it. part of the problem with pre-scripting an answer to everyone, we will all do the following. it is like every nba team publishing their defense. this is what we are going to do. do you think the adversaries don't read your legislation? you lay it out and you say, okay. i will step around these things that you are doing. that's just a practical issue in cyber security. this is not, you know, the kind of thing where we can all kind of do common sense stuff and it will fix it. there are a million things in our lives if we all go back to
12:12 pm
the basics and do a set of common sense things that will make things better. we all live our lives that way. cyber security doesn't work that way. we are dealing with an adversary. the first issue is innovation. the second is infrastructure. i think everybody at this table would agree that complexity in infrastructure is the biggest problem for cyber security. when things get way too complicated, we can't keep track of it. it becomes almost impossible to protect something that has become so big and complicated that you can't get your arms around it. part of the problem with the dns and others, which clearly have benefits. i certainly agree with a lot of the points that were made. they add complexity. the way to think of dnssec is, i'm such and such and i approve this commercial. that is dnssec. that is the server attesting to the fact. if somebody is breaking into and
12:13 pm
owns the server, the signature is meaningless. i would say empirically, i see a lot more break-ins to dns servers than forged, you know, different protocol responses and so on. i think we need to keep in mind as we develop legislation that when we add complexity and when you add things we need to keep track of, do this, do that, overlay this. the complexity can be very stifling. dnssec was proposed decades ago. this was not dreamed up last week. we have been working on adding cryptography. we don't have them today because they are unbelievably complicated to run. they add some benefit.
12:14 pm
it is like bringing a senior citizen to the doctor with five ailments and the doctor says i'll give you medicine for one of them, but it has side effects. it does have benefit, but it has side effects. it doesn't fix everything. the third and last issue i want to raise is software. at the root of every cyber attack, every problem i have ever dealt with in my career is bad software. it needs to be addressed. the discipline of software engineering. the profession of writing software is one that is a complete mess right now. i'm a professor at stevens institute of technology. i have been teaching there for 22 years. i teach software engineering and computer security. maybe you can blame me.
12:15 pm
the bottom line is that youngsters and even professionals today cannot write a non-trivial piece of software that is bug free and those bugs are the way our adversaries get into our companies. we open up web sites because we have no choice. we will close a web site down? it is there. the software powering that has vulnerabilities we don't know i installed it. everything is great. some adversary door that i don't know about and the manufacturer doesn't know about it and they dance right in. bad software is a fundamental addressed through the educational system. thanks. >> thank you. we appreciate your comments. we'll be back to you with questions as well. now, i'm joined by mr. david mahon. chief security officer for centurylink. thank you for being here. we look forward to your comments. pull that microphone closer to you.
12:16 pm
>> thank you for the opportunity to testify before you. is your microphone on? >> we're having trouble hearing. is that light lit up there? you have to get really close. just saying. >> chairman walden and ranking member eshoo and members, thank you for the opportunity to testify on this important topic. centurylink, a provider, provides communications services to over 14 million homes and businesses in more than 37 states around the world. our services include voice, broadband, video and data as well as fiber call and cloud and managed security solutions. we have voice and internet customers to the largest fortune
12:17 pm
500 customers. as vice president for centurylink, i'm responsible for all corporate functions, including information security. before joining centurylink, i worked for 30 years with the fbi and was responsible for investigative teams and programs related to targeted attacks on the internet, computer systems and networks exploited by terrorist organizations and foreign governments and white collar crime investigations and crisis management. the cyber threat is real and serious. our networks and those of our
12:18 pm
customers are the targets of thousands of events daily from simple port scans to sophisticated attacks. centurylink and our customers invest significant resources in efforts to keep those assets secure. centurylink uses an overarching risk and compliance network. as stewards of the network, we have several categories. protecting the customers and providing secure services. we have worked with our industry peers, partners in government and other stakeholders to strengthen our cyber attacks. from the ceo participation on the national telecommunications advisory committee to my security team participation in organizations such as dhs communication sector council and the fbi alliance council, we conduct risk assessments, information sharing and response planning and government sponsored cyber security exercises. in addition, centurylink's ceo chairs the fcc communications security reliability council which is working on voluntary best practices for botnet remediation and domain name security and internet route
12:19 pm
hijacking and other issues unique to the communications industry. more can and should be done, but carefully. public/private partnerships have yielded significant process by building a framework of defense and cooperation and helping us understand the cyber threat. as many of you have pointed out, we are entering into a new era of cyber security threats where our adversaries are sophisticated. the need to step up our game is acute. we have hr 3523. the cyber protection act and similar provisions in bills that could enhance cyber related public/private sharing. as communication providers, we see a number of areas where we can make improvements. such as improving information sharing and improving the federal government's posture and expanded research and
12:20 pm
development. shifting to a mandate-based approach would be counterproductive. we strongly caution against the traditional regulatory approach based on government mandates or performance requirements. because our network is the one central asset of the business, centurylink and peers have the strongest commercial incentives to invest in robust cyber security. there is neither a lack of will nor a lack of commitment to do this among the communication providers. at its best, cyber security is a dynamic and evolving challenge. best done in a collaborative partnership. at its worst, cyber security can evolve into a checklist and divert resources away from protections into expensive compliance measures that may be outdated by the time they are implemented. we understand the ways to protect the assets.
12:21 pm
we commend the members of the commerce committee for improving the nation's cyber security and delivering the process. the committee is trying to find the right mix. centurylink is striving to be a partner in the effort. we will continue to do so. thank you. >> thank you, sir. we appreciate your testimony. now we will move to mr. john olsen, chief security officer for metro pcs. welcome. >> thank you, chairman walden. it is an honor to appear before you today. i'm the senior vice president and chief information officer
12:22 pm
for metro pcs. i have 30 years of i.t. experience and am responsible for the i.t. networks. metro is a wireless communication services with a flat rate with no contract. we sell through stores to retail consumers. we do not sell business to business or to the government. we use four network vendors. we also purchase handsets from well known vendors. these vendors are not our primary vendors, where a handset vulnerability could be implemented into the network. we have also adopted measures both physical and logical to protect the networks. we have four i.t. networks that are important to our business. as we will discuss in more detail, we have voluntarily undertaken cyber security measures. the security of the networks is important to metro pcs. we have a security program built on industry best practices covering people, process and technology. we use a combination of hardware
12:23 pm
and software services. our security program directives are driven by a function and include centralized policy management, security awareness, training and internal and third-party monitoring, physical protection, threat identification and vulnerability management and intrusion prevention. we are particularly focused on security at the perimeter of our i.t. networks and use multilevels to prevent access to our networks from inside and outside of our company. we conduct regular network security audits and penetration tests and standardized on all network equipment. our 24/7 monitoring efforts, which are augmented by our partners, can generate hundreds of thousands of cyber threat alerts a day. a handful of real threats we address immediately. while we cannot say we have never had a cyber intrusion, we are not aware of any significant intrusion or attack that has been successful in attacking our networks. we adopted a number of other measures to proper connect
12:24 pm
customer information. encrypting hard drives and installing malware software. we conduct background checks and segregate duties of all personnel. metro pcs has implemented physical security with card key and biometric access. we recognize certifications and regularly participate in vendor-sponsored symposiums and conferences. we are involved in these groups because they are a valuable source of information and best practices. metro pcs does not believe that regulation is required or warranted at this time, particularly for carriers that do not provide to government or public safety organizations. carriers are protecting the networks. this is true for month to month for pcs. if we do not provide the level of protection our customers demand, they can terminate service without penalty and activate with a competitor. private sector certification such as pci also forces providers to invest in the appropriate tools and practices to detect cyber threats. market forces are better to respond to cyber threats. if regulations are considered, metro pcs is asking that these be tailored to the threat.
12:25 pm
regulatory compliance can be burdensome for carriers who compete by providing a service for consumers that is affordable. voluntary obligations can evolve into a mandate. we support voluntary industry efforts and standards and enhanced governmental consumer education and the fcc cyber security stakeholder efforts. along with government sharing along with a national clearinghouse. no carrier should be liable for
12:26 pm
using such information. thank you for the opportunity to testify and i look forward to questions you may have. >> thank you, mr. olsen. we will be back with you with questions as well. we will turn to our final witness on the panel this morning. mr. scott totzke. blackberry security group. rim, research in motion.
12:27 pm
>> thank you. members of the committee, thank you. i'm the senior vice president of blackberry security of research in motion. i'm here to talk to you about security. our products and services are used around the world. we have partners in 175 countries that offer blackberry products. more than 90% of the fortune 500 customers are blackberry customers. several of the same types of threats and techniques can impact smart users today. as the power and computing ability of smartphones have increased over the last few years, the threat matrix has evolved. most users have yet to realize the applicability of the emerging threats to what is a smaller and more mobile computing platform than what they have at the office. we must provide protection to
12:28 pm
provide access to the smartphone and protect the data and protect the corporate network using features built into the platform. while vendors can provide technology, it is important to note as an industry, we help consumers better understand the risks of the online activities. rim has a history of integrating security features into the products. rim has built security features that allow for data to be protected from unauthorized access, to limit and control access on the smartphone from third-party applications and remotely erase information when the phone is lost or stolen. this can be managed by the rim network. rim also believes there needs to
12:29 pm
be more focus on security, test that establishes a baseline for vendors. without the baseline to gauge the product, it is difficult to make a decision. they provide assurances to governments or consumers who are otherwise unable to make claims against the vendor. blackberry products have more security credits than any other wireless solution. our consumers value this level. we feel the greater adherence to security standards would help the customers better understand e