tv   [untitled]    March 13, 2012 1:30pm-2:00pm EDT

1:30 pm
>> thank you for your questions. i think you got to the heart of the matter quickly. and now we turn to mr. rodgers. >> thank you, thanks for the witnesses as well. i think one of the big problems that we run into this is that we haven't sounded the alarm bell. i think in all of the circles of people who look at this every day, all the security shops, the i.t. security shops across america, they know what the problem is. average users don't see it. and that's why there's just -- there's no hue and cry about how we get this fixed. i appreciate all of your comments today. you talk -- each of you talked about information sharing and talk about how that would work. if we bring the folks together, we're sharing the government secret sauce with you all and you're sharing back malicious ware that the government is not aware of, talk about how fast this is. there's talk about civil liberties.
1:31 pm
i think people have this visual that people are reading e-mails. some guy -- a guy named bob in cleveland is reading everybody's e-mail to find this malicious software. not how it works. as a matter of fact, if that's how it works it's a miserable failure. can you talk about how you envision that will work with the sharing, realtime, no regulatory? >> i'd be happy. i want to compliment you on the legislation. first of all, realtime absolutely. independently auditable i think is important. so that somebody can come in and look at the way this is done, but it also has to be controlled. like blasting it out over the internet would be a bad idea, but i think you need to balance this realtime, but also the
1:32 pm
ability to come back and look at the process, make sure it's transparent without like i said exposing it to our adversaries. >> there's also different levels of sharing by industry. i think you have to look at how you do your risk assessment on each category that i previously described. there's a very good example out there what's working well. that's the defense industrial base pilot that's going on. that particularly is supporting defense contractors and dod. you can expand that to the financial services industry and other industries. >> anybody else want to take that? and just for clarification, when we talk about realtime, i have seen numbers as high as 100 million a second. that packets of information flying around. so if this is going to work, the malicious source code has to be compared at an incredibly fast rate. can you talk about that from an engineering perspective? anyone? anyone? >> so i think one of the challenges is trying to do any kind of pattern matching. a lot of the malware that we see and have seen for a number of
1:33 pm
years is what is called polymorphic where every single instance is different from the next. a lot of stuff changes. it's not like it is with anti-spam where you can match on a few key words or one file attachment. no, that's it. that's the target, and flank it that way. you need to come up with ways, and a number of us have systems like this and there are others that are in development that can do this on a wider basis. but that is the very challenge, doing that in realtime is incredibly difficult and you're at the edge of computer science at this point. >> which is why i think many of you told us before the legislation was written, be careful of the regulatory scheme. if we slow you down, if we give you another row of books down your mile-long hallway there, it doesn't work. we already have outdated what you're trying to accomplish in the room. this is a value added not only for you, but for the government, is it not? the government also gets benefit
1:34 pm
from the protection of all of your great work in the private sector, correct? >> that's correct. and there are two things that raises that are interesting. one is by the time a very prescriptive law would be written, by the time ink would dry, the threats would have moved on. we need with our software developers, they need to be hard at work in a room, not with half a room full of lawyers with them slowing them down and asking questions why are you doing this and that. they need to be at work every day trying to solve this problem. >> and i have to say for the record this may be my favorite panel of all time since i've been in congress. never so often have a group of engineers belittled lawyers at the table. you have warmed my heart today that we have faith that we're moving forward. i wish we had time to talk about all the issues. i'm very curious about how you would fix the programming issue. a huge problem for us as we move forward.
1:35 pm
we didn't talk about exfiltration, which is very difficult for any of you to catch, which i would argue right now is the single greatest threat to our economy moving forward, aside of the things we know today. yeah? >> tell me, could you outline exfiltration? >> sure. we know that nation states today are engaged in getting on to your network, lurking. they'll be there for a very long time. you don't know it. your system administrators don't know it. these folks can't catch it. sometimes the government -- a lot of the times the government can't catch it either. and then they'll latch on to that intellectual property that is on everybody's computer today. all those designs, everything that is of value to that company. and at the right time, at the right speed, they latch on to it and run like heck through your network and take it back.
1:36 pm
and we know a country like china, who is investing in this as a national strategy to exfiltrate intellectual property and directly use that intellectual property to directly compete against united states businesses. and unfortunately, it is happening at a breathtaking pace, breathtaking pace. and what is concerning these folks are looking for malicious software that is disruptive or theft-oriented. this is very sophisticated. this is as sophisticated as any you'll see. hard to detect. they don't want to break anything. they want to get in and steal it without you knowing it. that is what is so troubling. hundreds and hundreds of thousands of jobs lost every year for the theft of that intellectual property that is being reprogrammed commercially against u.s. companies. this is as big a problem as i have ever seen. it's one of the things, of the many that keeps me up at night, mr. chairman. so thanks for letting me explain it. it's something we didn't really get into today, because that's not the focus of what they can even watch. that's why this information
1:37 pm
sharing i think is so important. it would help american businesses by the federal government having information, being able to identify that code, share it with the right partners. amazing what we would be able to stop. >> with the indulgence of the committee members, perhaps given the importance of that topic, you could each, if you have anything you want to add on that area. then we'll go to mr. stearns and mr. gingrey. does anybody want to comment on what the chairman -- >> i will. it's called advanced persistent threat. he's got it exactly right. it's somebody targeting any of you. if we know the folks you run around with, we can craft a fake e-mail that looks pretty realistic, points you to a website that establishes a tunnel. it drops a remote access tool on your pc. you know how you log in when you
1:38 pm
do remote access from work or home or wherever you're doing it? this is a hacker now doing remote access to you. you're now the server. and once they are on, they can troll around your pc, your network, and the intellectual property theft has become significant. it is probably the number one thing i bet all of us when we go back, we talk about bot-nets and dns. when we go back to the office, we're dealing with apt, which is kind of our point, right? we're ahead of the discussions, things we've been dealing with in the past, and the things we deal with now are probably things we'll be here testifying about five years from now. so that is an issue. >> and just to echo, the advanced persistent threat, these are remarkably sophisticated adversaries. these are slow, patient. they'll lurk on your network for years. i'm from the canadian headquarters. we had a large company go out of business, nortel. part of the attribution of that is loss of intellectual
1:39 pm
property, ciphering secrets right off their network. when you look at that, this is a serious concern. five years from now you'll probably be looking at that. that's how advanced they are. it's great you're looking at it now, congressman. the threat is real. it's persistent today. it is a threat to jobs and an economic threat to the united states and elsewhere. >> thank you. >> thank you. can i just for the record thank mr. mahon for his 30 years of fbi service as well. thank you for all the time you put on the target, sir. >> thank you. >> you would think rogers was a former fbi agent himself. let's go to mr. stearns now. >> thank you, mr. chairman. let me take my questions a little along the line that my colleague from michigan talked about when he talked about advanced persistent threat. dr. amoroso, when you did your opening statement, you were speaking quite eloquently, talking about malicious software, malware you talked about. and you painted this picture that the malware itself you were impressed how well it was
1:40 pm
developed, put together, and you sort of alluded to the fact that it was almost not impenetrable, but it was to the point you were respectful of it and were not sure we were keeping up. is that my interpretation of what you said? >> that's exactly right. we're definitely not keeping up. we're trying. think of the dizzying pace of innovation you see out in silicon valley, right? new things every day. the hacking and the malicious adversary community, they're moving at the same pace. so the job we have, we've got to keep up. and you would say, hey guys, you better be ahead of them. not even enough to keep up. you better be ahead. so we're always going to be sort of biased. >> so you're saying you're always catching up. >> we've got to go faster. we have to innovate. >> is that true you think you're always catching up then? that's what you implied to me by saying the respectability you
1:41 pm
had for this malware. >> yes. >> is this true for adware, spyware? all of these others? applicable to that too? >> apts are the best. the exfiltration point that the congressman spoke about, that is the elite kind of attack vector in 2012. spyware maybe not so much. >> with the malware, who are the people that are doing this? can you name them? >> i can't. i'm not law enforcement. >> is there anybody on the panel? dr. amoroso talked about this malware so respectfully, and how eloquently it is put together. is there anybody can tell me who we're talking about? >> i think if you take a look at the most recent investigation conducted by the fbi on the dns changer malware, you'll see it was a group of individuals operating out of estonia that basically sent malware to
1:42 pm
individuals in various forms and e-mails, and you clicked on it, and it infected your computer in a way that it directed you when you went out to do a dns type search, you were looking for amazon.com or some other company, you really went to their servers. their own servers were embedded in various locations in the united states. so these are organized groups. they figured out how to capitalize on the money you can make with the malware. >> are these people, for example in estonia, are they part of a mafia, underground, an organization? it's larger than just estonia, without you revealing any -- >> these are no longer just individual hackers. the individual hackers are out there. but now they've actually formed themselves into types of federations to work together. >> across the world? >> you can do it across the world there are certain hacking groups you can join and be a member from different countries. >> so it's like a fraternity.
1:43 pm
you say i'm a member of the estonia hackers? >> estonia seems to be a hotbed right now, i think because of how the economy is run over there. >> anyone else? >> if i could add to that. >> sure. >> it's actually pretty interesting. this is a very large and very well-organized underground economy. they're specialized. so you have some people that rent tools. other people that rent access to botnets. you can tell them where you want the bots to be, where you want the computers. payment mechanisms between the parties. so it's very sophisticated. when you think from a criminal standpoint, it's a lot easier to get an investment return this way. and the scale is so much larger. these are folks that operate across borders, internationally. and there is just an enormous amount of economic incentive for them to do it. and unlike apt, this is primarily an economic crime. apt is focused certainly on economics, but more on intellectual property or embarrassing companies.
1:44 pm
this is all about the money. >> well, i guess mr. mahon, is there a possibility we have terrorists involved with this that are part of this estonia, the terrorists could go to this group or this federation across and are using them? is that a possibility? >> absolutely. terrorists use these types of schemes for funding. number one, they need funding for their operations. and number two, they use it just as a communication system. they know they're being looked at. the ways they need to communicate are surreptitiously. they use these technologies to communicate with one another. but they need to fund their operations. >> the basic question comes down. and that is probably the premise or understanding what the hearing is all about. what could we as legislators on this subcommittee or the full committee or members of congress, what can we do to make it easier for you to operate and at the same time, give you the
1:45 pm
wherewithal to compete? and what should we not do? what should we do and what should we not do. as a closing statement, mr. livingood, if we could go down the panel and give what we should do and what we should not do that, would be helpful for one legislator. >> sure, of course. what you should do is help make information sharing easier. remove those impediments. i think there is a goal for government to play in education to raise awareness about security issues. and i think there are r&d types of things through agencies that you can help fund to focus on this. i think what you should not do is focus on mandates and compliance. that enables us to focus instead of innovation. >> wow, that sounded good. i would exactly repeat those comments. i'll add one additional, and that's that you do have influence around the federal
1:46 pm
procurement process. a lot of times we see procurements come out and scratch our heads. boy, don't you think there ought to be -- like through gsa there is this m-tips. a lot of us are m-tips vendors. there ought to be more business there isn't. so i would recommend that that procurement process ought to be the most secure process in the entire world. >> i would echo what both of them said, and just add the importance of information sharing. we have limited resources. we conduct risk assessments. that risk assessments when we're trying to decide on impacts and probability of events is based upon the information we have at the time. if a government agency or another carrier has additional information, we don't factor that into our analysis, we're really misaligning our resources in how we develop our counter measures. >> i think there is a lot of commonality among the panel here on what we would like to see. i think just to add a little bit to the information sharing area,
1:47 pm
i think the federal government has access to information through various agencies that are watching the country's cyberborders. and we've seen in our own company the vast majority of reconnaissance scans and attempts to gain access are coming from china and eastern europe. and i think the federal government would be in a good position to monitor and provide more information on that. >> i'm sorry. going last, i get to say i agree with everybody else on the panel here, especially i want to hammer out that information sharing from government to industry. the purview that intelligence agencies have and that you have at a state level in terms of what you see is much different than what we see. so my team works with dr. amoroso's team on areas of commonality between rim and at&t where we think we have issues that need to be addressed that impact the security of our customers, but we don't necessarily get that feedback from the government about what do you see that we need to be aware of.
1:48 pm
and if there is anything i could ask for, it's a more transparent, more realtime information sharing mechanism to let industry know what government knows so that we can act to protect our networks and by extension protect your information. >> thank you. mr. gingrey, thanks for your patience. as we have gone through the hearing, you're the last. >> mr. chairman, you took the words right out of my mouth. exacting the last measure of patience out of the last member to ask a question. i moved down here early in the hearing because i couldn't hear very well, even though the chairman said speak right into your microphones. but i'm glad i did move down close because i knew it was going to be interesting. i knew that all five of you experts were going to have a lot of useful information to present to us. and quite honestly, after two hours of this, i'm trying to figure out a way to beat these guys. and the only thing i can think
1:49 pm
of is an opportunity to invest in these hacking operations. i don't guess that would be legal. but if it were, i think that would probably be one of the best ways to -- for us to win. but thank you all very much. let me ask a couple of specific questions. and maybe this cuts a little bit to the chase of one of the main reasons why the chairman is holding this hearing. and each one of you, please, starting with mr. livingood answer this for me please. do you believe the fcc has enough cybersecurity expertise to allay the concerns that some industry stakeholders have with the commission if they do choose to impose cybersecurity regulations on you guys, on the network providers. do you think you have enough confidence in their expertise to do that? mr. livingood? >> so i don't know the answer to that. we work with a lot of folks at the fcc and enjoy doing that.
1:50 pm
they have a lot of expertise. whether they have enough here, i think that's a tough question. i don't know the answer. >> i've said earlier, i don't think there is any agency that has the right expertise to do that. if we knew what the answer was, we would be doing that. i don't think it's a knock on any one particular agency. i just don't think there is any agency that has that capability right now. >> mr. mahon? >> and i would agree with ed. the answer is no, but i don't think anyone does. and i think that is the importance of collaborative relationships. you do need to bring people in from all sorts of the federal arena, as well as the private industry arena to work together, due to the evolving nature of the threats in this arena. >> mr. olsen? >> it's an important question, but i would have to agree with mr. livingood. i don't know whether they do or not. >> i don't know either. i think what you're hearing here and common amongst the panel is the defender job, the job we're trying to do to protect your information is exceptionally hard. much harder than being on the other side.
1:51 pm
>> speaking of hedge funds. let me go back to mr. olsen and your formal testimony that you gave. you talked about the clearing house. i would like to know a little bit more about that specifically. and do you think that would be helpful? and maybe you could elaborate a little bit more on that. >> yeah. i think there is really two aspects to that. one is where the federal government is sharing with private sector, with industry, what they're seeing as far as threats. i mentioned a little while ago about threats from outside the u.s. i think that's a critical component. the other is where companies
1:52 pm
could share -- private companies could share information on threats that they're seeing. and that clearing house would have to be sponsored by somebody, and i think the federal government is really the right place to do that. >> and i think you address also in your testimony the hold harmless provision that would be necessary. >> absolutely. >> to share that information. so that you wouldn't be subject to lawsuits and that sort of thing. >> yes, sir. >> i've got a little time left. let me have one more question then. the internet is currently transitioning from this internet provider v-4 to v-6 addressing. does that process create any new cybersecurity issues, and will transitioning alone solve any cybersecurity issues that currently exist? does the process of transitioning present opportunities to resolve existing cybersecurity issues? we'll start with mr. livingood and go right through. >> sure. we've been a leader on ipv-6. all of those issues that exist in the current internet and ipv-4 simply carry over to ipv-6. it's just a new form of addressing. that being said, because it's a new form of addressing and a new technology, you're introducing
1:53 pm
new things into the ecosystem. to the point earlier, it's a complex ecosystem. when you change something, it can have unintended consequences. it's something you have to keep an eye on and make sure you're not introducing any new vulnerabilities. if there were any, it's because some security tool that worked great in ipv-4. >> would be routable. and that's a pretty dangerous situation. so for all of us, we've got to figure out how to architect security protections around that. so i do -- i do have some concerns about the v-6 transition. >> mr. mahon? >> the architect and engineering teams are still working through those. as they've said, you have legacy systems being married up with new evolving technology. whenever you do that, you're going to have things evolve as you begin to deploy it. >> mr. olsen? >> i think from a protection
1:54 pm
standpoint, it's a step ahead. but the bad guys are out there working as hard as we are to find a way around that. as soon as we make an advancement in technology, they're out there keeping pace with us. >> it expands the attack surface, and by doing so, it increases the risks. we have new and unknown risks that we're going to have to learn how to mitigate. >> mr. chairman, thank you for the generosity of the 45 extra seconds. and i yield back. >> actually, you got clear to 49. glad to help. thank you, mr. gingrey for staying and participating. i want to thank all of our witnesses and all the folks behind them who i'm sure played some role. but we really appreciate your insights. it's very helpful in our effort. obviously we're trying to do the
1:55 pm
right thing. you're out there fighting the battle every day, and we don't want to get in your way. we may be back to you with our working group, digging a little deeper on some of the issues and getting as specific as possible. we hope to look out too at some of the other types of networks and small providers. you obviously represent the major providers or a representation of them. we're also wondering about the weakest link, which might, might be small isps, and how do they deal with this, and do they have the same sorts of capabilities to fight back. and so anyway, i deeply appreciate your willingness to be here today. and share your knowledge with us. we're better for it. so with that, the subcommittee on communications and technology stands adjourned.
1:56 pm
tonight, c-span's road to the white house coverage is on the alabama and mississippi primaries. we'll have speeches from the primary night headquarters and election results. viewers can join in the conversation by phone and facebook, facebook.com/c-span and also follow us at twitter.com. we'll also simulcast a part of politico's election night coverage. you can also watch us online at c-span.org's dedicated site, c-span.org slash campaign2012. the obama administration blocked a texas voter id law. it helps to prevent fraud and election tampering, they're saying that law harms elderly citizens and hispanic voters who are less likely to have a
1:57 pm
driver's license or personal identification card. we're asking if you're for or against a voter id law. the poll is now nearly tied, 175,000 people are voting for, 188,000 against. now is your chance to weigh in. cast your vote. >> i hope that as we move forward in this world there are a number of problems that we have to resolve. problems with genocide in darfur, problems with the growing problem with people's republic of china. we have a lot of problems to deal with. i think diplomatic solutions are going to have to be the answer in the future as we start to deal with the problems coming. >> congressman donald payne who passed away this past week was the first african-american to serve in the u.s. house from new jersey.
1:58 pm
elected in 1988, he was a former head of the black congressional caucus and served on house committees on education and foreign affairs. watch speeches from the house floor and other c-span appearances all archived and searchable online at the c-span video library. general motors reported the most profitable year ever in 2011. the nation's largest automaker reported a profit of $7.6 billion for last year. three years after receiving a government bailout. the bailout's been a topic of discussion in this year's presidential campaign. gm's chair and ceo dan akerson sat down for a conversation in san francisco last week. this is about an hour. >> welcome to climate one, a conversation about america's energy, economy, and environment. i'm greg dalton. the chevy volt is the centerpiece of a lot of gm strategy right now.
1:59 pm
gm paid back half of the money but the 30% stake in the country could be seen as a financial and political liability. over the next hour, we'll discuss this american comeback story as well as gas prices, fuel economy, and the move toward electric cars such as the chevy volt. along the way, we'll include questions for dan akerson from our live audience in san francisco. before taking the reins at gm in 2010 mr. akerson was head of the local buyout from a private equity firm in washington, d.c. he was ceo of general instrument where he succeeded donald rumsfeld and then ceo at nextel. join me in welcoming dan akerson to
