
tv   [untitled]    March 13, 2012 12:30pm-1:00pm EDT

12:30 pm
investments in protecting information. this panel has raised a number of concerns over two points of security in the mobile industry that i would like to address. the first concern is information sharing. there is increased competition with vendors, there is a degree of commonality with the platforms. this translates into a risk of cross platform creating a level of shared risk that increases the need of vendors to work together to disclose and address concerns. this also means a program like rim's sharing program needs to share with the u.s. cert to provide timely information. the second issue relates to the supply chain and the ability of networks. a product that has been created to impose risks to the customers' information and have a posture on the rim network.
12:31 pm
rim has been working for years to embed security features. only authentic products are able to obtain products. we believe this software and network security work together to mitigate the concerns about knockoff products or products that have been tampered with impacts customers. we would like to raise awareness in respect to supply chain. chairman walden, i would like to thank you for the opportunity to provide you with information on the topic. >> thank you. all of you, thank you for the testimony. we appreciate you being here. i will lead off with questions. dr. amoroso and mr. olsen. you say in your testimony you routinely track threats to your networks. how can we protect consumers' privacy and sensitive data from companies?
12:32 pm
>> i think the big debate has been between government and industry. that has been the big issue. if i go to a conference and a hacker is saying there is a signature i should look at. i scribble it down and look at it. if a government individual does that, i cannot put it in the network. we would be operating as a branch or agent of the government. that seems to me a little silly. that is something that probably ought to be addressed. >> that is the specific issue we are trying to drill down to here. >> yeah. >> can you give us something more specific. >> the united states intelligence agencies and law
12:33 pm
enforcement see different signatures we don't look for. we are not in law enforcement. we are providing service to customers. we don't chase that sort of thing down. we chase it to the point where we stop it and that's it. intelligence groups will dig down deep and see something we don't. i know in my own company, whenever i get involved in something like that, there's more lawyers involved in the discussion than people in the room here. we're disincented to even bother. frankly, we kind of do, the internet wouldn't work if we weren't sharing constantly. it's government. >> but are there any prohibitions? if you go to the conference and the hacker says look for this signature, is that something that, you know, mr. olsen, mr. mahon and others should be
12:34 pm
looking for as well on their networks? >> i'm sure they do. >> but then is there a way you can share that information with them or are there impediments to that kind of sharing? >> i mean, we all buy services from a lot of the same companies that do that. we pick companies that do a great job. i'd buy from three or four different companies that provide about the same intelligence everybody else is going to get here. it's pretty good, you know? you know, they're incented to make sure it's useful because i pay them every month for it. >> and as do the customers. so i guess the question is there's not a problem sharing information back and forth? >> sometimes there is. >> is that a problem we should -- >> i mean -- >> we're looking for barriers here. >> at&t had an exclusive on the iphone for some period of time. i put down the p -- ph.d.s out of school and once other carriers got access to the iphone, do you really think i'd want to give them the fruits of the work we're doing? their incentive is to do it as well.
12:35 pm
you know, compete with us. and i'd like my customers to say, hey, i'm going to stay with at&t because they're invested in protection and we innovate that way. that's a case where it's not necessary for me to share; the market is going to force our competitors to want to catch up or for me to catch up to somebody else. that's the right balance between i believe -- i believe between all of us. but between government and industry, it should be i think the information sharing should be more free. >> thank you, doctor. mr. olsen -- >> at metro pcs, besides our internal systems we have cyber security partners, so security monitoring firms that we use to monitor our network and our systems 24 hours a day. those firms do share information between them. but if i believe i understand your question, there is not a central clearinghouse for that information for the folks that are outside of those security companies to easily share information. so if mr. amoroso recognizes a
12:36 pm
threat or is told about a threat in his network there isn't a central place where he could notify other companies or other carriers in the same industry that this threat is out there and we should respond to it. >> is there an incentive -- because i almost hear a disincentive to do that. if you protect your customer, why do you tell the other iphone -- >> i don't know if it's a disincentive. you're telling the bad guys too when you broadcast the threat. so it's a little weird to be too open about what you're concerned with. i kind of like the existing model. i think there are companies that
12:37 pm
do this. we evaluate them. when the intelligence looks pretty good we buy it. >> all right. my time is expired. we'll turn now to the gentlelady from california. >> thank you. excellent testimony. first, to mr. livingood, i think it's really terrific that you're the first isp in north america to fully implement dnssec as you noted in your testimony. how do we encourage other isps to follow your lead? what would be just quickly -- i have a whole series of questions so i want to go as quickly as possible. >> i think on that regard by other providers, i think it's important to keep one thing in mind. it is not just about network operators. it is about banking sites, software operators. but specific to network operators i would say there's a lot of the interaction going on already.
12:38 pm
you know, one of the beautiful things about the way that the internet has worked and is successful is there are a lot of the multistakeholder consensus based organizations that groups get involved in one. one of the groups is one i'm working on. they're coming out with a recommendation soon. >> when will that be? >> i think that it's due today. the recommendation -- >> oh, good. you never know on government time. congress has an extensive network to ensure the security of our mobile devices and the network that they run on. i experienced this firsthand last year when i traveled abroad as part of a congressional delegation. and my device became infected during the trip. and because of the -- and the device never left me. i practically slept with the thing under my pillow. it was never out of my purse, never left in the hotel, but
12:39 pm
nonetheless it was infected. because of the proactive measures in place, the threat was detected prior to being reactivated in the house network. so as a company, what steps do you take to ensure that your customers, particularly those in smaller organizations that adhere to the same proactive security measures, and i guess my question is to mr. totzke, to dr. amoroso, i love your name, amoroso, and mr. olsen. >> sure thing. thank you. i'll go first. i mean, we provide a comprehensive list of guidelines for configuration of the device. so our administrators have white papers and information they can access on the website. our goal is to make sure that your administrator, your i.t. organization that looks after your device, if it's a
12:40 pm
blackberry device has full control over that device at all times. so there's a comprehensive set of policies, more than 500 of them, that an administrator can send to control all aspects of the platform including preventing access to information or disallowing the installation of software on the device. so we try and do that as i think will be a common thread here. there's a lot of education in this industry. and we have to do it on a daily basis and a lot of risk that is really difficult for people to understand. we're trying to offer as much transparency and help to our customers through publication and forums like this. >> as i understand, one way to prevent potential bots activity is to block i.p. addresses that pose a threat. do you have the technology to do this today and if so, has it been effective? >> i can comment.
12:41 pm
we have the technology to block. but it doesn't work. so, you know, we can certainly -- >> there you go. >> we do try real hard. bot nets, like we made the mistake in computing of turning every person in this room into a windows system administrator. that's what you do part-time when you're not legislating. so that model is wrong and most of you don't do a very good job of it. nor do i. we'd probably say we don't do it well already, so we have distributed the responsibility massively, and that -- >> is that what causes the complexity that you just -- >> well, it's billions of people around planet earth with pcs that are improperly protected. it's a piece of cake to build bot nets.
12:42 pm
ones that are 50,000, 100,000, we don't bother naming them. we track them and try to contain it. it's not a matter of blocking the i.p. addresses because we'd be blocking you. you probably wouldn't like that. sorry you can't get on the internet today. we'd shut the whole internet down if we did that. >> and in my opening statement, i mentioned the issue of supply chain. and the security that i think really needs to be brought to that. first of all, do you share these concerns about the supply chain and if so, what do you think would be the appropriate role for us to play in addressing it? i think it's a serious issue. our telecommunications network as we came to more fully appreciate after our country was attacked was the system that we relied on. we didn't have that. i don't know what we would have
12:43 pm
done. so i think that -- and there are constant things that keep coming up relative to the supply chain. so i welcome any comments on that. >> so i'll answer that from a device manufacturer's standpoint. this has been a concern for r.i.m., you know, for the decade plus that i have been there. we have to understand where we get our components from. where we manufacture the devices. and when we started it was really easy because we made everything in our factory and it was under our control and you grow into the global entity you deal with outsource manufacturing and kind of directing that around the world with different partners. so it brings into question are you actually manufacturing the product you think you're making or are you getting something out that's whole and intact? we really focused on understanding what we can do to secure our products in the
12:44 pm
manufacturing process, as well as the parts that come in. for some of the strategic vendors we are doing serialization and encrypting before it gets to us and then we go through the verification of every tool along the line, checking with r.i.m. head office to say are you allowed to perform this operation? and the combination of hardware and software so the embedded certificates in the silicon, the hardware checking that the software hasn't been tampered with is used to get blackberry services. so we know that the device hasn't been tampered with and it's been manufactured by r.i.m. and it's intact when you first turn it on. that protects our network and your networks. it's that hardware, software and network layer working together to ensure the integrity of the blackberry services that we provide to our services. >> mr. terry? >> thank you. with my five minutes and five
12:45 pm
people, i want to ask you the same question. and that's in regard to the fact that you're the interface. if i want to have an internet experience i have to hire one of you. so what are you doing to provide me services that will protect at least to some extent from bot nets and viruses or attacks to my information and my computer? and we'll start from left to right, my left to right, mr. livingood. >> thank you. so i think we have somewhat similar capabilities. it's a multilayered approach. there's not any one thing
12:46 pm
that will solve it. it's like an onion, lots of layers. the intrusion protection at the edge of the network and mitigation to bot net intelligence systems. and then to notify customers and there are also a number of things that we all do and we do in particular to educate customers to help them understand what things they need to secure in their network. the software they need to manage gets them the software they need to secure their network and their computers. it's a multilayered approach. >> that was exactly what we do, same thing. i mean, i don't know -- there's a lot of different products and product names. i'll tell you the one thing we don't do. we didn't sell you the computer. we didn't sell you the operating system that runs on the computer. we didn't help you select what type of software to put on there. and increasingly the isps are getting dragged into that and it's a difficult situation.
12:47 pm
isp, you know, i have something wrong with my pc. you're sitting off in the cloud watching. you should figure out how to fix my pc. that's something all of us struggle with. >> we do all a number of similar things i think in the isp world. you know, to protect residential customers. i think you have heard of them. the spyware, the antivirus, parental controls. we all have educational and awareness, you know, places on our website, our home page where you can go to. we have a bot net notification program. we have a method to notify you and then facilitate you cleaning up your home device. >> i think there's a lot of commonality in the approaches that we're all taking. one of the distinctions that i mentioned in my opening comments regarding our cyber security
12:48 pm
partner i think is -- our partners is really important. these are people that are focused, their full-time job is cyber security. they're looking for threats all the time and they have hundreds if not thousands of customers that are feeding them information and they are seeing realtime threats go through many companies. so a threat that might hit one company, they're aware of before many of us would see that. so i think that information sharing in that cyber security industry is really critical and it's something that we value. >> all right. mr. totzke, you may have answered this already. >> yeah, we have administrator user security, which allows them to dictate what level of protection they put in and we allow for on device encryption, remote restore, the ability to wipe a device.
12:49 pm
you can deal with the eventuality as it's lost or stolen or left in a taxi cab. we give you the capability to deal with that. >> good. i appreciate that. i guess the last 47 seconds i'm going to give to mr. amoroso. should the responsibility be on the isp providers to have a system to detect viruses as they enter into your network before they get to my computer? >> if we knew how to do that reliably, i'd have been trying to sell you that years ago. it's a very difficult thing to detect viruses and malware. we do notify like the rest of them. i call a hundred to a thousand people every week. the problem is if i really knew what to tell them, knew exactly how to fix their pc i'd call everybody. the problem is there isn't a person in this room that can tell you how to clean malware
12:50 pm
off your pc. other than re-image your computer. you know, that's the best we can do. >> can we just tell you to stop it? >> i wish i knew -- you know, here's the reason we can't stop it. i don't know if you're familiar with the encrypted tunnel, but when you visit a website you see https, that's encrypted tunnel. every hacker in the world knows to make sure they're pushing their malware through that encrypted tunnel. they hide the malware in places we can't see. that's where anybody would go. >> it's a fun issue to deal with. >> when we pick up malware it's the equivalent to somebody falling over and having a heart attack on the table, that's rapid response to preventive care. you fell over, you had a heart
12:51 pm
attack, that's easy. it's picking up the stuff that's not easy. that's why it's difficult to build reliable services to detect malware because it's hidden. any hacker would do it that way. >> thanks. mr. doyle, you're up next. >> i think we ought to call him dr. sunshine. mr. totzke, i want to ask you about federal workers. as you might know, the white house is currently working on a national mobility strategy to determine how the employees of the federal government are using their mobile devices and they're going to decide for example, if all agency employees can bring their mobile devices to work much like private sector employees do. we don't -- we're not advocating for one type of phone to use in the federal government, but what
12:52 pm
security issues do you foresee that might come up as a result of this if we allow all federal workers to use their own mobile device and how do you think device manufacturers can make sure that the data that's on the phone of federal workers especially in sensitive agencies remains secure? >> as you move more of the heterogeneous environment and you bring your individual liable you face is that the security of platforms is going to vary based on the vendor and the features. so getting a consistent view of security and how you're is probably one of the issues. there are, you know, kind of liability and discovery issues in more of a corporate context. who owns the information and who owns the intellectual property if you have to go through litigation, maybe not such a big case in the case of a federal government employee and how do you protect the information on the device?
12:53 pm
that's one of the more important ones. there is a level of encryption built into blackberry to encrypt all of that data whether that's personal or government data. as we look at how we -- how we go into a bring your own device scenario, you know, the biggest concern that i have is this lack of a standard bar for protecting information and what i would be most concerned about is sort of a race to the lowest common denominator. we have three or four competing we'll reduce our security requirements to the bare minimum which i think is the wrong thing especially at the government level. >> thank you. mr. livingood, given the concerns outlined by dr. sunshine about outlining dnssec, can you tell us why comcast made the decision to begin using dnssec and whether or not you think it has had the intended benefits that you think it would have?
12:54 pm
>> sure. it's a long-term gain there. i think one of the challenges was that you needed some critical mass for people to start signing their names, to build software to do that we felt like we could play a role in creating that critical mass. that's part of the reason we did it. i think the reason, you know, at root why we did that, when the kaminsky vulnerability came out in 2008, it fundamentally scared the heck out of us. if our customers couldn't be sure when they went to bank of america.com, it was that website, that scared us because they're less likely to use the internet and that's incredibly important to us. to have a way -- we all certainly had a short term fix to that, but to have a long term fix to that was important to that. we're pleased to help lead the way to help the adoption. >> thank you. just in closing, dr. amoroso, i have enjoyed your testimony and
12:55 pm
it makes us realize how much work we have to do to together to face this problem that is certainly there's no easy answer to. but i want to thank all the panelists for your testimony today. it's been very enlightening. >> thank you very much. mr. shimkus? >> thank you. i kind of want to build a little bit on what my friend mike doyle mentioned but i wanted a different perspective. your -- because it's kind of tied -- popped in my mind when he talked about federal workers. where are you finding your cyber warriors today from? where are they coming out of? coming from private universities, the military? briefly, cutting edge new people who are helping you do this stuff, where are they coming from? >> so -- >> go on down, real quick. >> i think it's a variety of places. i would say, you know, there's a need for more educational focus,
12:56 pm
not just cybersecurity but ict generally. but we find people on a variety of ways. some are former military service members, former law enforcement. others are just linux system administrators that are interested in security. others are former childhood hackers or something like this. and they're interested in it. so it's variety of things. >> but is there a college path? is it a -- i mean, can you get i.t. training in the business schools or computer science class? >> i can comment. i have been teaching at stevens for 22 years. if you looked at my class in 1990, you would see something that would look like, you know, typical college class. i went to dickinson, pennsylvania. so, you know, pretty -- a mix of kids. my class today at stevens is about 98% about foreign nationals. i have got about 65 in a
12:57 pm
classroom. and almost all of them have the intention of leaving the country when they complete their masters or ph.d. because they see bigger opportunities elsewhere. >> if you all want to jump in, i don't want to forget about the compensation of people entering the private sector and government sector. we have the same issues about bringing in the best and the brightest, but if we're not compensating them for what the private market bears, then that's another thing. anyone want to jump in? >> just on where we source, so there is out of the education system. out of the military and intelligence. we find people moving into private industry. the most talented guy on my team is a high school dropout. i think using the education system as a bar doesn't identify them.
12:58 pm
so it varies. and i don't think you can actually teach somebody to be a hacker. there's sort of -- if you want to be a researcher, there's an ingrained mentality. it's not like i'm teaching somebody a trade. being a hacker is a different mindset. >> thanks. i don't know if i'll get to both of them, but the debate on the senate side and this is how you provide is what happens if we -- the federal government requires you to follow a new government security standard? what happens to you? that's the debate on the senate side legislatively. one has a government imposed standard and the other i think is letting you fight yourself. anyone want to jump in? >> i'll offer up a brief point. my guess is anything you can write down that you can think of as kind of a best practice, it's already being done here.
12:59 pm
and the thing we're back at the shop worrying about now are things that are not on your list. like as an example we talked about bot nets. remember y2k? we were worried that we were going to get ddosed for one day. that would be bad if you missed the millennium change. you can't move that date, right? so we were completely freaked out by bot nets then. a lot of people in this room, we have built ways to steer traffic around and fix it. and now we have a service and it's -- we have moved on to the next thing. >> the final challenge out, because i do agree how do we incent innovation in this area which is part of the opening statement. incentivizing usually means government money here or government tax credits. you know, that's all kind of
