tv [untitled] March 13, 2012 1:00pm-1:30pm EDT
1:00 pm
persona non grata in the new world in which we live in. i would ask you to help us wrap around this and maybe it's easing regulatory burdens. maybe there's things we can do that's not a dollar/cents component. but tax credits. things like that, it's very difficult to do in today's environment. i just throw that out. thank you, mr. chairman. >> thank you. with the committee's indulgence, doctor, can you explain ddos? >> that stands for distributed denial of service. when i speak to you, it's one thing to many ears and it works great if you're all quiet and you listen, but if you could bounce my voice off to you, it would sound like you're shouting to him. my voice to your ears and you reflect it back. that's a denial of service attack. we hit all your pcs and then tell all your pcs to shout this
1:01 pm
way and it sounds like this big attack and it clogs the pipes and knocks him out. that's how it works. >> thank you, doctor. now we go to ms. matsui. >> thank you, mr. chairman, and this is all challenging and frightening at the same time here. and i do appreciate all of your testimony. i want to go into another area here. as we look into developing an industry best practices, should isps' own cloud services be included as well as other cloud providers or do you think because the technology is newer it would be better to form their own best practices to secure data in the cloud? and i'd like mr. mahon and dr. amoroso to answer that, please. and we don't have much time. >> well, first of all, we're already talking to the cloud provider and some of us are cloud providers.
1:02 pm
i do think the conversation is well underway. we're familiar with the challenges. if you think about it, the term cloud is a rather generic term that is probably misunderstood. it can mean a number of different things for different type of customer. and so therefore i would say we continue to include them in the conversation. as we have everyone else at the table as partners. the solutions you're looking for will have to be integrated across a wide platform. i would say that you want to keep them in the conversation. >> thank you. >> so my mother has a pc at home that at this instant i'm sure is like attacking china or something. it's probably going -- because it's not administered properly. and she's got, you know, big tower with verizon fios, the whole thing. she doesn't need that. she'd be better served to have a cloud provider take care of that for her.
1:03 pm
she'd be using some appliance to hit the internet. the reason she doesn't is because there's software on the pc that she wants to be able to use, it hasn't been put in the cloud. in general, that concept is a more secure concept than my mom trying to do administration. so i think cloud in general is a more secure model than the one we have now. >> okay. that's good to know. >> yeah. >> dr. amoroso, given your expertise in this area, what are the differences between securing wired and wireless communications networks and how can these differences be accounted for in any type of cybersecurity initiatives? >> they're pretty big. the differences are significant. you know, if we had three hours i would take you through the whole thing. i'll give you one example. remember when -- i'm guessing most of you remember when computer security was just don't put an infected floppy in your
1:04 pm
computer, remember that? it was like don't put software in your machine where you don't know where it came from. it seemed like perfectly good common sense. what do we do every single day in app stores? we're downloading stuff. i don't know where it came from. it looks cool. i'll download it to my device. that's something we have to address from the security perspective. that's a big difference between wired and wire line. >> i'm thinking also too that so much of what we do is wireless. so much we do within our own homes are wireless. and yet, it's just so easy to do it that most people don't think about it at all. and i'm concerned that we're not thinking as broadly as we should be thinking as far as some of the personal use. i think it came about here with mr. doyle too in the government area too. but it's so easy to be carrying,
1:05 pm
you know, tablets and different cell phones around. and for me it's the part that's really to me quite frightening is that nobody knows what they don't know and we're looking at you and you're saying that there's a lot of things you don't know too. we look upon you as experts. i'm hoping that we can build in some incentives here with a sort of a sharing of information that goes beyond some of your commercial type of concerns. because i'm looking ahead -- this is even going to get more and more complicated as we develop more tablets and smartphones and whatever that we're looking control of the cyber security aspect of it. and the software aspect i think you brought up, dr. amoroso, is really very important. the education of that and whether or not we are actually
1:06 pm
kind of building our own principles and standards into that too. so that's just a comment and i really do appreciate your being here. i think i'm learning more and more every time one of you opens your mouth. thank you for being here. >> thank you for your comments. we'll go now to ms. blackburn for five minutes. >> thank you, all, so much. i'll tell you what i think i'm going to do is just ask my questions. then if you all want to respond or respond in writing, that would be wonderful. first of all, going back to something that mr. shimkus said, i would like to hear from each of you and you can say now or send it to me what you're seeing as the disturbing trends, and what is kind of the next thing out there. i'd like to know that. i'd like to get an idea of how much of your cost of doing business is beginning to center around the cyber security
1:07 pm
issues. in your testimony, several of you have mentioned in one way or another, either in response to the questions or testimony, fear that the federal government could end up being more of an impediment than a facilitator in bolstering some of the cyber security efforts. i would like for you to speak to what you are concerned that we might do and then what we are not doing that we should be doing. and hear from you in that vein. with your consumers, i would appreciate knowing what you're doing to educate them. i think one of the things that helps us as we go through the process is being certain that consumers are being educated so if i could get that bit of
1:08 pm
information and then when we look at the hacker attacks that are out there, some of the anonymous attacks, there's one in the news today or there are five people that they are bringing forward on charges. what kind of government imposed performance requirements would help keep pace with some of the technological evolution that you're seeing in these cyber attacks and if we were to do a government top down sort of structure to try to deal with cyber enemies, would that be giving a signal to that cyber enemy? is that too much information for them to be able to work around? with that, those are the questions that i'd love to hear from you on the trends, the cost, what we are doing, what we're not doing, dealing with consumers, how you're educating them and then looking at the attacks. the cautions you would give to
1:09 pm
us there and with that, anyone that wants to respond. >> sure, i can go first. then i'll try to be quick so others can answer. in terms of the positive things that government can do, i think making information sharing easier. there are a number of things to help. i think government has a role to play in education, whether that's psa or other types of education for end users. i think there's an opportunity to help fund additional r&d. i know nist and other groups try to do research in security and other internet futures. i think that that's more that can be done there that's important. and in terms of things to be careful of or be aware of, i think it's to be aware of mandates and be careful of mandates. i think we don't want to be focused on checklists and compliance. we want to be focused on innovation and the threats of tomorrow, not the threat of today. >> thank you. anyone else? >> well, i can just make two comments. several of the questions and comments today mentioned incentives.
1:10 pm
i can tell you as an i.t. professional we are heavily incented to make sure we're protecting our partners that are interconnected with our systems. i think one of the things that's a little scary so far, we monitor the call center, websites, we're not seeing a lot of requests from our customers concerning their own security of their handsets and devices. so i think education is certainly going to be important. i think there's just not a general awareness in the consumer population, how big an issue this is. >> okay. >> maybe a comment more around why it's so difficult to regulate this arena. i think we have been speaking here rather generically about mobile devices and cyber security threat. but it's a much broader problem depending on what category you're looking at.
1:11 pm
because there's multiple categories of threat actors, trying to be -- finding a solution and prescriptive way is very difficult. if you think about who's coming at you, you could have a nation state coming at you for all sorts of reasons. they could be coming at the federal government for military reasons. but that same nation state could be coming after a corporation for intellectual property. everything from understanding that intellectual property is not in a 50,000 environment, but 50 person law firm doing work for you. if you look at criminal activity sure you have what used to be the script doing something that was harmless and you have hired them today as your network administrator if they grew up. on the other hand, you have organized crime looking at more broadly the world and how to make money.
1:12 pm
look at the recent fbi investigation on the dns, and the malware that affected hundreds of thousands of computers. then you can look at your anonymous and the others more activist, trying to make a point. you come down to the insider threat and the companies that are doing it to you. if you think of the data they're after, they're after it for sometimes different reasons. when you try to put a regulatory overlay on that, it's very difficult to put us in a position to respond to the four broad categories and then at the same time make sure we have our checklist compliance programs going. thank you. >> thank you. i yield back. >> gentle lady's yielding back. recognize the gentle lady from the virgin islands, ms. christensen. >> thank you. i have a couple of questions. let me begin with mr. amoroso. you suggest in your testimony
1:13 pm
that congress define the roles of the various executive branch agencies in cyber security. where do you see the fcc as an independent agency playing a role? >> well, i don't -- i mean, i don't think there's an agency right now that's in a good position to come in and solve a problem we can't solve ourselves. i mean, if it really was a case where you could write out these five things that we should all be doing, and for whatever reason negligence, ignorance, whatever we're not doing it, then you need somebody in government to shake us into action. the problem is that we don't know what it is that you should be telling us we should be doing. that's why we're pointing to innovation as the key. so it's almost kind of a moot question whether it should be dhs or fcc, because i'm not sure what they should be telling us. that's the problem. and, you know, there are some things, i said i'm part of the team. i'm trying to make recommendations.
1:14 pm
i'm not -- i don't want to lead you to believe that we're not trying to reduce the risk, but i would say from an agency perspective if there was an obvious set of things that should be done right now, kind of thinking the groups that are here would be doing it. we are incented to do that. that's the problem. so i hope that addresses the question. >> okay. yes, thank you for that answer. and mr. livingood, you mentioned that comcast -- is an active participant on the fcc reliability and interoperability council. can you describe for us how you envision the council's contributing to the improvements in cyber security, especially with the attacks, like the bot nets? >> sure. there are a number of working groups.
1:15 pm
i'm on one. one of the folks that works with me is here. they focus on the security of the routing infrastructure. dnssec and a whole range of other things. i think that's a process that works pretty well. people voluntarily get involved. they work together on what they think the current best practices are. that repeats regularly every year so it's not static. it's not sort of -- in 2008 we came up with some best practices. that's what we're still focused on. it's something that gets renewed and refreshed all the time. so it can look at every, you know, new threat that comes out. that's one of many places we all work together. there are lots of others, the north american network operators group. and a whole range of other, other acronyms i could go on about. i think they're consensus based, voluntary focused on best practices and really current issues. >> okay. and while your customers are mainly using your service for
1:16 pm
in-home computer, they use it to access the comcast e-mail and other video products. how do you continue to ensure the same protections extend to these uses as well? >> so a number of the security protections are things that a customer can download and install on their device like their home computer. but we have a bunch of things like the constant guard system and other systems. maybe it's a friend visiting their house and they're on their wi-fi network and they talk to a bot net, we'll see those kind of things. so, you know, we can alert customers to that. whether they have installed software that we have provided on the device or not, we still have tools in the tool box to identify that and help them, you know, tell them about it and help them solve it. >> okay. mr. amoroso, you stressed the need for the information
1:17 pm
sharing, but a lot between the government and the private industry. what protections do you think are necessary to protect civil liberties and consumer privacy and what do you think the reasonable boundaries to liability protections and antitrust exceptions? >> well, i'm an american, i want civil liberties and all those things. so the current state, we have swung the pendulum in the direction of making absolutely certain that we're protecting civil liberties. that's a good thing. so the question is how do we somehow preserve those liberties and allow us to know that's a malware thing? i think we have to figure that one out. i'm not sure i can give you a real good answer on how we do it. i think it's got to be a high priority. everyone's heads shake. if that's malware, that's not really a civil liberties issue. comcast should know -- that's a
1:18 pm
problem and can code that into their system. maybe we need to get the lawyers out of the room and come up with a common sense approach. but that's the reason. all the things you listed. that's why we can't take those signatures today. >> thank you. thank you, mr. chairman. >> thank you, dr. christensen. dr. amoroso, you should have seen the people shake behind you when you said get the lawyers out of the room. let's go to mr. bass. >> thank you very much. i have a couple of questions for mr. livingood. but before i ask those questions can i ask a mobile or smartphone question for dummies. why -- is there a difference in cyber security issues between an ipad or a smart device like this and a laptop or desktop computer? make it quick because i want to ask some others. can anyone answer that question for me?
1:19 pm
>> there's probably a firewall between your pc at work or something. a wired lan, so we can do more filtering and policy control. with your wireless, you go direct to us, to the isp. and we have been incented and led, you know, particularly in washington, push the packets, don't look at them. don't do anything. don't impose -- god forbid you impose some kind of policy. so your connection for wireless is directly to the internet, whereas your wire connection probably has an i.t. group at work. >> so is this unit here exposed to bots? is there cyber security issue with my ipad? >> i don't know what you're connected to. >> let's say i'm connected to comcast which i am. >> there's a new class of device and a lot of the hackers and other criminals, they're very focused on return on investment. they're focused on where the biggest platforms are.
1:20 pm
the more they get out there, the bigger the target that makes. and so they'll see, okay, i have a few million devices. so you'll start to see more and more of those things. depending upon the tablet that you have, some are more vulnerable at the moment than others. that's something that the americans are buying. that will be the next threat. >> who's responsible? is apple responsible for this or are you? >> i think it's a variety. i think with that device it's apple that plays a role. with the android devices, google plays a role. then all the software vendors that make the apps that go on that play a role. but there's a component of customer education. and i'm sure over time, you know, just in the same way that we have software that runs on pcs to provide security, you know, that's going to start to develop and evolve for tablets and provide that extra level of security as well. we're just i think at the early stages of the adoption group. >> the same is true for blackberry, right?
1:21 pm
>> i mean, all of the tablets are going to have different risks and different threats. we look at it in terms of how we protect our platform. but the theme that i keep hearing over and over is the need for education. and when you talk about computer security, one of the inevitable comparisons is to driving a car. we don't let people drive a car without a license, but we let them connect to the internet and download software without understanding what the risks are. that piece of education, i'm not suggesting we license people to use a computer, but we need a level of education in how we inform people of risks that they have. >> fair enough. i want to ask a couple of questions about the constant guard protection suite. i note in your testimony on page 6 it says at comcast we understand that securing cyberspace is a complex task. education, prevention, detection, repudiation and recovery are the core objectives
1:22 pm
of our anti-malware efforts. does comcast require its customers to download the constant guard protection suite and if not, how is the customer going to know that it exists and how are you going to notify them that they have a problem? >> so it is not required that a customer download that to use our service. they have to have normal internet connectivity to do that. but we do a lot to make customers aware of that and to incent them to download it. before they have an issue, when they're installed they're given a lot of information and they're given links to that and so on. when they sign up for service we're reiterating that for them. we do a lot of things on the website and others to promote these are available. certainly after they have an issue and we notice it we drive them to the remediation portal.
1:23 pm
that's one of the first things that we recommend they download is that suite. we do a lot when they come on, and we do things to reiterate that. >> real quick, it's limited to windows operating system, correct? how long has it been around? >> that protection suite is pretty recent. more than a year. that's a supplement to a larger antivirus and security suite that we have had for many, many years that is -- >> real quick, because i have run out of time. what business incentives if any did you get or did you have to developing and offering this service? >> well, we view it in two ways. number one, there's a competitive incentive. if we can be seen as having more security features or more secure than the next guy, someone chooses us as their isp rather than someone else. customers when they come on
1:24 pm
board as a customer used to tell us that the two reasons were price and speed. and today, it's price, speed and security. so customers are very aware, increasingly so. not as aware as they need to be, but very aware about security. they ask us about those things when they call us up to order service. we view it as a competitive feature we need to add and that's why all of the things that we're doing are important to us. >> thank you. we now go to chairman dingell for five. >> mr. chairman, thank you. gentlemen, we have much to do and little time so i'm going to try to ask questions, if you'll answer yes or no to. starting off with mr. livingood. gentlemen, you seem to be in agreement that imposing new federal cyber security regulations on industry would stifle innovation and harm industry's ability to protect consumers from cyber threats. is that correct, yes or no?
1:25 pm
starting with you, mr. -- >> yes, i am concerned about that. >> yes. >> sir? >> yes. >> yes. yeah, i think you have consensus here. >> gentlemen, let us assume for a moment that the congress will pursue the no regulation path in this matter. and instead, facilitate greater information sharing about cyber threats between industry and the government. would that be your collective preference, yes or no? >> yes. >> sir? >> yes. >> yes. >> yes. >> thank you. in that case, would the congress need to consider granting exemptions to the antitrust laws and the federal trade commission act in order to allow the companies to share cyber security information amongst themselves? yes or no? >> yes. >> yes. that's right. >> yes. >> yes. >> i can't comment on that.
1:26 pm
>> now, gentlemen, similarly, do you believe that a safe harbor provision should be created in statute to permit companies to share serious cyber threat information with government agencies without fear of class action or other lawsuits being brought against them, yes or no? >> yes. >> yes. >> the reporter doesn't have a nod button, sir, so you have to say yes. >> it's a yes. >> thank you. sir? >> yes. >> sir? >> i'm afraid i can't comment on that. i don't know. >> yes. yeah. >> now, gentlemen, my last several questions have been premised on a no regulation scenario. wherein the congress adopts legislation to promote information sharing between industry and government. would you please submit for the record what enforcement tools you believe the federal
1:27 pm
government would have in this scenario to ensure that industry is adequately guarding and being guarded against cyber threats? i'm asking you to make a submission there for the record because of the shortness of time. now, gentlemen, let us assume that the government would have some role in promoting cyber security in the private sector. if the federal government were to require the promulgation of cyber security standards, should such standards preempt state laws? starting with you, mr. livingood, yes or no? >> yes. easier to have one standard. >> i'm not sure. i haven't thought that through. >> yes. >> sir? >> i'll have to agree with dr. amoroso, i haven't considered that. >> yeah, i can't comment on that either. >> now, gentlemen, i have read
1:28 pm
with some interest in mr. olsen's testimony that -- and i quote, the ongoing evaluation of metropcs's security program is based on periodic internal and third party assessments and auditing, would your respective companies object if such audits were government mandated? yes or no? >> no, we already provide all those things already. we already do that. >> i think we would object, yes. >> we'd object. >> you would object. >> yes, we would. >> now, then i come back and ask you to explain that. the next witness, if you please. >> so, yeah, we'd probably object. but we do this already. >> now, those who have indicated no, would you please explain briefly.
1:29 pm
>> i can explain. when you write a law, we do paperwork. so i take people away from doing their day to day work to sit and do work. we have an ops lab. one of our favorite things to show people in the ops lab is along one of the walls we have about a mile's worth of ring binders. and they always say there's the government paperwork followed by a lot of sort of chuckling laughter, but it's true. we have a great deal of paperwork that we fill out when we're dealing with different federal groups or sarbanes-oxley or whatever. there's a lot of paperwork. i'm just suggesting we're already doing that and government says i need you to fill out this compliance checklist, you're taking people away from the work to do the paperwork. that's why we'd object. >> very quickly, if i can make a note this is the danger of sending an engineer sometimes. but i'm told we'd have the same concerns and we'd object. >> gentlemen, thank you. mr. chairman, thank you.
CSPAN3 Television Archive