House Hearing, C-SPAN, March 10, 2012, 4:15pm-6:19pm EST
4:15 pm
I am a mother. I can always talk louder. The GAO report mentioned we have seen a 650% growth in cyber attacks over the past five years. That caused a lot of people to sit up and take notes. You look at the attacks and what that equates to and the effect on the economy. Chairman Bono Mack and I are working on a bill. The concept we are reviewing is not to be overly prescriptive. We will work off of the first principle of: first, do no harm. I want to hear you all talk about government that works and the responsibility you think government has in securing its
4:16 pm
own network systems. We would love to hear about incentive-based security and how we approach that. With that, I will yield back. >> I recognize my friend from California, Ms. Anna Eshoo. >> As the title of today's hearing suggests, communications networks are part of the backbone of our nation's critical infrastructure: electricity generation, financial services, transportation. We depend on our communications networks for all aspects of our daily lives. As was highlighted during our first cyber security hearing, our networks remain vulnerable to attack. There are three areas I would like to hear more about from some of our witnesses today. The FCC chairman is currently
4:17 pm
proposing a voluntary ISP code of conduct as a way to alert consumers when malware infections are discovered. I think you are going to talk about that and I look forward to it. I would like to hear more about your views on supply chain security. I continue to have concerns stemming from the 8 years I recently completed. I wrote to
4:18 pm
the FCC chairman about what transparency requirements should be placed on companies seeking to sell telecommunications equipment to U.S. network providers. I would like to learn about the unique challenges in securing mobile networks. More data is transmitted wirelessly and we need to look closely at how these networks are secured to make sure they do not become the entryway to the broader network. Today's hearing is an important aspect of our work on cyber security. I want to thank each one of our witnesses for being instructive to us. I want to thank the chairman for the spirit of cooperation on this issue. Usually, there are some Democratic witnesses that are called and Republican witnesses. That is not the case today. This is something that rises
4:19 pm
above that. I look forward to working with the entire committee so that we not only better understand the cyber security challenges facing our communications networks, but what steps we can take to secure them and strengthen the country. I would like to yield the remaining time to Representative Matsui. >> Thank you for yielding me time. Mr. Chairman, thank you for holding today's hearing. I would like to thank the witnesses for being here today. Cyber attacks continue to pose a significant threat to several aspects of our economy. I am glad there is a bipartisan cyber security working group
4:20 pm
so that we can explore the issue. We must protect and ensure safety and soundness. We must tighten the concerns for cyber security. It is important that data is protected, from a PC to a cell phone, in transit, to cloud storage. More and more people send information to the cloud. The subcommittee will have the ability to promote information sharing on cyber threats. Securing the supply chain will be of high importance so that technology components remain secure through manufacturing and distribution processes. We can encourage industries to defend against malware. I look forward to working with my colleagues on ways this subcommittee can encourage greater protection against cyber threats. I thank the witnesses for
4:21 pm
appearing today. I yield back the remainder of my time. >> I recognize the vice chairman of the committee. >> Thank you. Most of my colleagues on this committee share my optimism that a collaborative cyber defense capability is actually achievable. There might be a few differences of opinion on what needs to happen to reach this goal. We are getting closer. In reading through the written testimony provided by today's witnesses, I noticed a common thread throughout. As one witness says, innovation is inconsistent with standardization. I agree wholeheartedly with our witness. I find this to be the most
4:22 pm
vital guiding principle on this issue. Legislative efforts to provide certification regimes will surely come with unintended consequences. ISPs should have the flexibility to respond to real-time security threats in a manner that minimizes delay and maximizes their ability to innovate as they strive to protect their consumers and their networks. A couple of things I believe we can do to reach the goal of a collaborative, active cyber security capability are to remove the barriers and provide adequate liability protection for the sharing of cyber threat information. I thank our witnesses for joining us today. I yield.
4:23 pm
>> I thank my colleague. The consistent message from our witnesses today is that the private sector has strong commercial incentives to invest in and maintain robust cyber security. Each of our witnesses has described unique and thorough approaches to protecting their own networks. These examples demonstrate that one size fits all is not the appropriate solution to cyber security threats. These threats change every day. Industry must be provided the flexibility to respond quickly to an attack. Prescriptive, top-down government mandates are not necessary and will not work. Government should seek to improve information sharing and consumer education. We should work to eliminate outdated regulations that have created unintentional barriers toward ensuring the security of
4:24 pm
our networks. I look forward to our witnesses today and I thank you, Mr. Chairman, for this hearing. >> Are there any other members seeking time on our side? If not, I recognize the gentleman from California, Mr. Waxman. >> Thank you. I am pleased the committee is looking at this issue. This is our second hearing. Every week we learn about a cyber breach or vulnerability. Like the smart grid, which was the topic of our last hearing, communications networks are vulnerable to cyber attack, with the potential for severe disruptions. The public safety legislation that was signed into law
4:25 pm
exemplifies these concerns. Under the new law, first responders will be relying on the network to secure the safety of life and property. That will strengthen their ability to protect the public, but only if the networks are protected from cyber attacks. I look forward to continuing our discussion of the security issues raised by mobile devices. Our witnesses today represent a broad cross-section of internet service providers, as well as a handset manufacturer. This will help our understanding of what companies are doing to mitigate these risks and what the subcommittee might do to assist you in these efforts. I believe the federal government has an important role to play in ensuring the cyber security of the nation's communications
4:26 pm
networks. We need to develop practices that will keep the internet safe. The FCC's release of the cyber best practices report -- it is a long name -- will provide valuable guidance to industry and our subcommittee. The chairman is planning a third hearing with government agencies. I look forward to what our witnesses have to tell us. I want to thank you, Mr. Chairman, for organizing a bipartisan working group and informing the subcommittee of its findings. This is a good opportunity for subcommittee members and their staff to gather on an issue of common concern. I look forward to exploring possible action with the subcommittee.
4:27 pm
I look forward to the testimony. I yield back. >> I thank you for your comments. We have a lot of big brains on this committee and we will need them all to protect America. Gentlemen, we are delighted to have you here today. We will start with Mr. Livingood, the vice president from Comcast Corp. A friendly reminder: pull the microphone close and make sure the button is clicked and you will be good to go. >> Thank you, Mr. Chairman and members of the subcommittee, for inviting me to discuss some of the things Comcast is doing. I am an engineer working on cyber security and other technical issues every day.
4:28 pm
I serve as vice president of internet services engineering at Comcast. I am in charge of our residential high-speed internet service. I serve on the FCC working group and on the ICANN advisory committee, and I am a member of the board of trustees for the Internet Society. I am also an active contributor to the Internet Engineering Task Force. At Comcast, we take cyber security issues seriously. We know our customers are concerned about security. We want to provide them with the best, fastest internet service possible. Our team devotes significant time, energy, and investment to update and refine our cyber security efforts. One such threat we focus on comes from malicious software called a bot. It runs on an end user's
4:29 pm
computer without their knowledge. It can steal user names and passwords and send spam. We developed a system called Constant Guard. It notifies end users of infection by sending them an alert in their web browser and provides them with tools to remove those infections. Another area of threat is the domain name system. It is an important and critical part of the internet. It is responsible for translating names into IP addresses and connecting people across the internet.
4:30 pm
So it is extremely important. A vulnerability can admit an attacker. An attacker, for example, can redirect traffic meant for a site, such as a banking website, to computers that they control and collect financial information, with the address the user sees still looking correct. DNSSEC involves two things. First, cryptographically signing the domain names that they own, and then validating the signatures before directing someone to the site. It is important to note that it was developed through a multi-stakeholder process and will require adoption across the entire ecosystem, such as by
4:31 pm
banks, web browsers, software companies, and cloud services, not just ISPs. It is important to understand that no open and massively interconnected network can ever be completely and totally secure. While there is no perfect solution to security, that does not mean that there are no good solutions. Our focus has been to roll up our sleeves and get to work chipping away at the security threat day in and day out, quickly learning and adapting. We are working within the industry and on a global basis to prevent key threats, to protect our customers the best we can, to help them protect themselves, and to take strong and effective measures. Our consumers want assurance that the networks they're using are safe and secure and we have
4:32 pm
strong reasons to invest capital and resources into cyber security safeguards. We all have powerful incentives. Policy makers can help these efforts by removing legal uncertainties that can inhibit collaboration while preserving and strengthening the flexibility that providers have to develop the best solutions for each of our networks. There is no one-size-fits-all solution, so flexibility is key. It is important because the threats change as rapidly as they do. This will help us make sure that we focus on security and innovation rather than compliance and regulation. Thank you. >> Thank you, sir. We appreciate your comments. We will be back to you with some questions on the specifics of those uncertainties in the law.
4:33 pm
We're delighted to have Dr. Amoroso with us. We look forward to your comments. >> I have spent my entire adult life in cyber security. In fact, even as a teenager, my dad was a computer scientist, so I was logging into ARPANET. I kind of come at this with a very practical perspective on threat. There are three things I want to share with you that I think are observations that might help you as you develop legislation, and they are based on empirical, day-to-day dealings with
4:34 pm
security issues with the mobility network and online network and the entire Fortune 1000 and a lot of different countries we deal with. I do that all day long. We are being out-innovated by our adversaries. That is basically the case. I do not know if you have ever bought a piece of furniture and taken it home and admired the handiwork of the furniture. That is what we do with the malware that we find. These are pretty good. On 60 Minutes, we saw an incredible piece of computer science, that worm. I think we need to recognize that whatever we do collectively as a nation, we need to figure out a
4:35 pm
way to incentivize companies and universities and government agencies to innovate in this area. If we don't, we will be in trouble. I think everybody on the panel would agree with me. The best state-of-the-art security protections that any one of us can put in place will not stop a determined adversary in 2012. That is a fact. So we need to do something to get ahead of that. The way you do something is to innovate. You need to do something to get ahead of it. Part of the problem is prescribing an answer to everyone. It would be like every NBA team publishing their defense. Guess what. Do you think the adversaries don't read your legislation? Do you think they don't look and see what we are going to do? Then they say, ok, I will step
4:36 pm
around these things that you're doing. That is just a practical issue in cyber security. This is not the kind of thing where we can all do common sense stuff and it will fix it. If we go back to the basics and do common sense things better -- we all live our lives that way. The second is infrastructure. I think everybody else at this table would agree that the complexity in infrastructure is the biggest problem for cyber security. When things get way too complicated, we cannot keep track of it. It becomes almost impossible to protect something that has become so big and complicated that you cannot get your arms around it. I certainly agree with a lot of
4:37 pm
the points that were made. But they add complexity. When you do a commercial and at the end you say, I am such and such and I approve this commercial -- that is DNSSEC. Here is a signature. But if someone is breaking into their own server, the signature is meaningless. I see a lot more break-ins to DNS servers than forgeries on different types of protocols. I think we need to keep in mind, as we develop legislation, that when we add complexity, when you add things that we need to keep track of -- do this, do that, overlay this, add this new thing, add that new thing -- the complexity can be very stifling. DNSSEC was proposed decades ago.
4:38 pm
It is not something that was dreamed up last week. We have been adding internet protocols forever. The reason we do not have them today is because they are unbelievably complicated to run. They do have some benefits, but it is like bringing a senior citizen to the doctor with five ailments and the doctor says, I will give you medicine for one of them, but it has side effects. That is DNSSEC. At the root of every cyber attack is bad software. I think it needs to be addressed. The discipline of software engineering, the profession of writing software, is one that is a complete mess right now. I am a professor at Stevens Institute of Technology. I have been teaching there for
4:39 pm
22 years. I teach software engineering and software security. Perhaps you can blame me. But the bottom line is that youngsters and even professionals today cannot write a non-trivial piece of software that is bug-free. And those bugs are the way that hackers get into our companies. There is a vulnerability I don't know about. Everything is great. But an adversary finds an open door that I do not know about and the manufacturer does not know about, and they dance right in. That software is the fundamental problem right here. It probably needs to be addressed through the educational system. >> Thank you. We are joined by Mr. David
4:40 pm
Mahon. If you could pull that microphone really close to you and make sure it is on. >> Opportunity to -- >> Excuse me. Is your microphone on? >> We are having trouble hearing you. Is that light lit up there? Then you really have to get really close. [laughter] >> Thank you for the opportunity to testify today on this important topic. CenturyLink provides communications services to over 14 million homes and businesses in 37 states and around the world. Our services include voice, broadband, video entertainment,
4:41 pm
and data, as well as cloud computing and managed security solutions. Our customers range from the most basic voice and internet customers to the largest Fortune 500 companies and large government agencies. I am responsible for all security functions, including information security. Before joining CenturyLink, I worked for 30 years for the FBI and was responsible for investigative teams and programs related to targeted attacks on the internet, computer systems, and networks exploited by terrorist organizations, white-collar crime investigations, and crisis management. The cyber threat is real and serious. Our customers are the targets of thousands of security schemes and sophisticated attacks.
4:42 pm
We invest significant resources in our ongoing efforts to keep those assets secure. CenturyLink uses an overall framework to ensure cyber security threats are addressed and prioritized. As stewards of the internet infrastructure, our programs on cyber security are protecting the customer, protecting our core networks, and protecting and securing communication services. We have worked closely with our industry peers and government to work against cyber attacks. We conduct risk assessments,
4:43 pm
information sharing, incident response plans, and government-sponsored cyber security exercises. In addition, Glen Post chairs the FCC's work on best practices for botnets and other emerging issues unique to the communications industry. More can and should be done, but carefully. Public-private partnerships have made real and significant progress in the last few years by building a framework of collective defense and cooperation and helping us understand the cyber threat. As many of you have pointed out, we are entering into a new era of cyber security threats where adversaries are more sophisticated and determined. We need to step up our game. We're particularly encouraged by legislation like H.R. 23 and
4:44 pm
similar provisions in Senate bills that clarify cyber-related public-private information sharing. As communications providers, we see a number of areas where congressional action could help, such as improving information sharing, market-based incentives, and market analysis, including expanded research and development. Shifting to a mandate-based approach would be counterproductive. We strongly caution against a traditional regulatory approach based on government mandates or performance requirements. Because our network is the one central asset of our business, CenturyLink and our industry peers already have the strongest commercial incentives to invest in and maintain robust cyber security. There is neither a lack of will nor a lack of commitment to do
4:45 pm
this among the major communications providers. At its best, cyber security is a constantly evolving area. We have the most knowledge of our network systems and databases. We understand the most effective and efficient ways to protect these assets. We commend the members of the Energy and Commerce Committee for their interest in improving the nation's cyber security and for the deliberative process the committee is undertaking to find the right mix of incentives and elimination of legal barriers. CenturyLink has striven to be a partner and we will continue to do so. >> Thank you, sir. We appreciate your testimony. Now we will move to Mr. John Olson.
4:46 pm
Welcome. >> Thank you. It is an honor to appear before you and your colleagues. I have nearly 30 years of IT experience. I am responsible for IT networks. MetroPCS is a provider of communications services for a flat rate with no contract. We sell our services through our own retail stores. We purchase handsets from well-known and established vendors. These vendors are not our primary network vendors, which enhances the risk. We have also adopted measures,
4:47 pm
both physical and logical, to protect these networks. We have four IT networks that are critically important to our business. We have voluntarily undertaken a number of cyber security measures to protect our IT networks, both physical and logical. Security of these networks is critical to MetroPCS. We use a combination of hardware and software services. Our directives are driven by a formal governance function, and centralized policy management, internal and third-party monitoring, physical protection, threat identification, and vulnerability management, as well as intrusion prevention. We're particularly focused on security at the perimeter of our IT networks.
4:48 pm
We conduct, and have third-party vendors conduct, regular audits, and have standardized on a single provider for all network equipment. Further, our IT networks are broken up into segments with firewalls between critical segments. Our 24/7 monitors can generate hundreds of thousands of potential cyber threat alerts a day, but that results in only a handful of real threats that we address immediately. While we cannot say that we definitely have never had a cyber intrusion, we're not aware of any significant cyber intrusions or cyber attacks that have been successful at disrupting our IT or communication networks. We have also adopted a number of other measures to protect customer information, such as encrypting hard drives and installing antivirus and anti-malware software. We also conduct background checks, segregate duties of
4:49 pm
personnel, and log all access and changes to critical systems. MetroPCS has implemented numerous security measures, such as card key and biometric access. Our staff also have vendor certifications and regularly participate in vendor summits. MetroPCS does not believe that regulation is required or warranted at this time, particularly for carriers that do not provide services to government or local public safety organizations. Carriers are already well incentivized to provide security. If we do not provide the level of protection our customers want or demand, they can terminate service without penalty and activate service with a competitor. Government regulation and private-sector certification also force providers to invest
4:50 pm
in appropriate tools and practices to detect and deter cyber threats. Market forces are better suited to respond to constantly changing cyber threats. If regulations are considered, MetroPCS urges that they be flexible and tailored to the threat. Regulatory compliance can be particularly burdensome for carriers that compete by providing an affordably priced, differentiated service for customers. Unfortunately, even voluntary obligations can evolve into a mandate for industry. Along with government sharing of cyber intelligence, including a national central clearing house. Finally, no carrier should be liable for using such information. Thank you again for the opportunity to testify. I look forward to any questions you may have. >> Thank you. We appreciate your comments today and we will be back at you with questions as well. We will turn to our final witness, Mr. Scott Totzke.
4:51 pm
>> Thank you. I am pleased to be able to talk with you on cyber security. BlackBerry revolutionized the industry. There are 1,130 carriers and distribution partners that offer BlackBerry products and services to our customers. 90% of the Fortune 500 are BlackBerry customers today. And we have a longstanding relationship with the U.S. federal government, including Congress, the Department of Defense, and the Department of Homeland Security. Mobile communications
4:52 pm
face several security threats. The threat continues to evolve exponentially. Most users have yet to realize the applicability of both existing and emerging threats to what is essentially a smaller and more mobile computing platform than they have in their home or office. An effective and comprehensive mobile security solution must provide protection by preventing unauthorized access to the smartphone and its data. While technology vendors can offer components, it is important that we help government and consumers better understand the risks involved with online activities. For our part, we focus on security-efficient solutions. We have a history of integrating security features into the product and firmly believe that security technology is an important
4:53 pm
foundation for a digital economy. These controls can be centrally managed by the BlackBerry solutions. We also believe that there needs to be more focus on security testing and certification that establishes a baseline for technology vendors. It is difficult to make informed decisions. Vendors that work to certify their mobile solutions through trusted evaluation programs provide assurances to consumers who could not otherwise verify the claims made by the vendor.
4:54 pm
Our consumers appreciate this level of transparency. It helps customers understand how to better protect their information. This panel has raised a number of concerns regarding two important points driving the evolution of security technology in the mobile industry. The first concern is related to information sharing. While there is increased competition between vendors, there is also an increasing degree of commonality in the components used by many desktop and mobile platforms. This translates into an evolving risk of cross-platform vulnerabilities that increases the need for vendors to work together. This also means the programs need to fully engage with public sector entities, such as the CERTs.
4:55 pm
The second issue is the impact on security and availability of networks. A product that has been modified in an unauthorized manner can pose risk to the customer's operation and to the overall posture of the RIM network and our customers' networks. We have been working for several years to embed security directly into the silicon of our product. There are many concerns about knockoff products or products that have otherwise been tampered with. We support the subcommittee's efforts to raise awareness of this far-reaching impact with respect to supply chain security issues. I would like to thank you again for the opportunity to provide our perspective on this.
4:56 pm
>> Thank you for your testimony. All of you, thank you very much. We appreciate you being here. I will lead off with questions. You say in your testimony that you routinely track threats to your networks. I assume you all do that. How can we facilitate information sharing among network providers of such information while protecting consumers' privacy and competitively sensitive data? >> If I go to a security conference and some hacker whispers to me that there is a signature that I should be looking at, then I scribble it down, run back to my center and put it in place. If a government individual does that, then I cannot put that in the network because we would be operating as a branch or agent of the government or something like that. That seems to me a little silly.
4:57 pm
It is something that ought to be addressed. >> That is the kind of specific issue we will try to drill down to here. Can you give us something more specific? Where does that show up? >> Yes. The United States intelligence agencies and law enforcement agencies regularly see different types of signatures that we do not look for. We are not in law enforcement. We provide service to customers. We don't chase the thing down. We just get to the point where we can stop it and that is it. But intelligence groups will dig down deep and see something they believe is classified, and they do not share that. That is awkward and stilted. For my company, there are more lawyers involved in the discussion than there are people in this room right now. I think we are
4:58 pm
disincentivized to even bother. >> If you spot something, and you go to this conference and say look for this signature -- is that something that Mr. Olson and others should be looking for as well on their networks? >> I'm sure they do. >> Is there a way that you can share that information with them, or are there impediments to that kind of sharing? >> We all buy services from a lot of the same companies that do that. I buy from three or four different companies that provide about the same intelligence that everybody else will get. It is pretty good. They are incentivized to make sure it is useful because I pay them every month for it. [laughter] >> So then there is not a problem sharing information back and forth? >> Sometimes there is. >> Is it a problem that we shared
4:59 pm
-- we're looking for barriers. >> AT&T had an exclusive on the iPhone for a time. So I told some doctorates out of school to look for cyber attacks. Once other carriers got access to the iPhone, do you think I really want to give them the fruits of the work we're doing? Their incentive is to do it as well and compete with us. And I would like my customers to say, hey, I am with AT&T because they are investing in putting in protections, and our competitors are doing the same thing. The market will force our competitors to want to catch up, or for me to catch up to somebody else. That is the right balance between all of us. But between government and industry, I think the
5:00 pm
information sharing should be more free. >> Thank you. >> At MetroPCS, besides our internal controls, we also have cyber security partners, security monitoring firms that monitor us 24 hours a day. But there is not a central clearing house for that information for the folks outside of the security companies to easily share information. So if he recognizes a threat or is told about a threat in his network, there is not a central place where he could notify other companies or other carriers, even in this industry, that this threat is out there and we should respond to it. >> And is there an incentive -- if you have done the research and detected the threat and
5:01 pm
protected your customers -- >> If you tell them, you're telling the bad guys, too, right? So it would be strange to be too open with your competition. I kind of like the existing model. I think there are companies that do this. We evaluate them. And when the intelligence looks pretty good, we buy it. >> I turn now to the young lady from California. >> Thank you to all of the witnesses. Excellent testimony. First, I think it is really terrific that you're the first ISP I have seen in North America to fully implement DNSSEC. How do we encourage other ISPs to do the same thing? >> It is important to keep in
5:02 pm
mind that it is not just about network operators. it is the banks, banking sites, other web sites. a lot of people have to implement dnssec. a number of our companies participate -- >> when is that due? >> i think the recommendation is due today. >> good. this congress has an extensive network to ensure the security of our mobile devices and the networks they run on. i experienced this firsthand last year when i traveled abroad
5:03 pm
as part of the congressional delegation and my device became infected during the trip. and the device never left me. i slept with the thing under my pillow. it was never out of my purse. it was never left in the hotel. nevertheless, it was infected. as a company, what steps do you take to ensure that your customers, particularly those in small organizations, adhere to the same proactive security measures? >> we provide a comprehensive
5:04 pm
list of guidelines for configuration of the device. there is a comprehensive set of policies, more than 500 of them, that an administrator can set, extending to all aspects of the platform. we are trying to offer as much transparency and how-to to our customers through publication of standards and best practices in forums like this.
5:05 pm
>> as i understand, one way to prevent the potential botnet technology -- >> we have technology to block, but it does not work. >> there you go. >> we can certainly try. a botnet is all of your pc's being infected. we made the mistake of turning every person in this room into a microsoft administrator. we distributed the responsibility massively -- >> is that what causes the
5:06 pm
complexity that you just spoke about. >> everybody on planet earth with a pc -- it is a piece of cake to build a botnet. we track them and try to contain it. it is not a matter of blocking the ip address. we would be blocking you. you probably would not like that. sorry, you cannot get on the internet today. why? you have a botnet. >> you mentioned the issue of supply chain and the security that i think really needs to be brought to that. first of all, do you share these concerns about the supply chain? if so, what do you think would be the appropriate role for us to play
5:07 pm
in addressing it? i think it is a serious issue. our telecommunications network, as we came to more fully appreciate after 9/11, there are things that keep coming up relative to the supply chain. >> i will answer that from a device manufacturer standpoint. we have to understand where we get our components from, where we manufacture the devices. when we started, it was easy. we made everything in our factory and it was all under our control. then you go into a global
5:08 pm
entity and distribute that capability around the world with different partners. so are we actually manufacturing the product we're making or one that is different? we do what we can to secure the products in the manufacturing process. for some of our strategic vendors, we are putting cryptographic elements in their silicon before it gets to us. every process goes through a verification of every tool along the line. the combination of hardware and software, so that the device certificate in the silicon, the hardware checking that the software has not been tampered with, is used to authenticate the device. we know that the device has not been tampered with and it has been manufactured by rim and it is intact when you first turn it on. that authentication protects our
5:09 pm
network and your network. it is that hardware, software, and network working together to ensure the integrity of the device services. >> thank you. if i want to have an internet experience, i have to hire one of you. so what are you doing to protect me to some extent from attacks to my information in my computer? >> i think we all have somewhat similar capabilities. it is a multi-layered approach. there is not one thing that will
5:10 pm
solve this. it is like an onion. there are lots of layers. it is everything from intrusion protection, which is at the edge of the network, to things that provide denial of service attack mitigation when you see those things, to botnet intelligence systems that notify customers. there are a number of things we will do, and we educate customers on the things they need to secure their networks and their computers. it is a multi-layered approach. >> that is exactly what we do. the same thing. there are a lot of different products and product names. i will tell you the one thing we don't do. we didn't sell you the computer. we didn't sell you the operating system on the computer.
5:11 pm
we didn't help you select the kind of software to put on there. increasingly, the isp's are getting dragged into that. that is a difficult situation. some people say, i got something wrong with my pc and you guys are sitting off in the cloud somewhere watching. you should figure out how to fix my pc. that is something that all of us struggle with. >> [inaudible] [laughter] >> we all do a number of similar things in the isp world to protect residential customers. we all have education and awareness places on our web site or home page that you can go to. we have a botnet notification program. we have a method to notify you
5:12 pm
and facilitate you cleaning up your home device. >> [inaudible] >> i think there is a lot of commonality in the approaches we are all taking. one of the distinctions i mentioned in my opening comments regarding our cyber security partner -- their full-time job is cyber security. they're looking for threats all the time. they have thousands of customers that are feeding them information and they are seeing real time threats go through many companies. a threat that might hit one company, they are aware of it before many of us would see that. i think that information shared in the security industry is something critical and something that we value. >> you may have already answered this question. >> certainly, the security of the networks is a part of that.
5:13 pm
but we also have administrator-controlled security. so you can deal with the eventuality that mobile devices will be lost or stolen or left in a taxicab. we give the capability out of the box to deal with any of those eventualities. >> i appreciate that. the last 40 seconds i will give to mr. amoroso. should the responsibility be on the providers to detect viruses as they enter your network before they get to my computer? >> if we knew how to do that reliably -- i would have been trying to sell you that years ago -- it is a very difficult thing to detect viruses and malware. and we do pick them up and call
5:14 pm
thousands of people every week. the problem is, if i really knew what to tell them, knew exactly how to fix their pc, i would call everybody. why just restrict it to the ones we have noticed? the problem is that there's not a person in this room that can tell you how to clean malware off your pc other than to reimage your computer. that is the best we can do. >> can we not tell you to stop it? >> here is the reason we cannot stop it. when you visit a web site and you see https, the reality is that every hacker in the world makes sure to push their malware through that encrypted tunnel. they hide it in places we cannot see.
5:15 pm
when we pick up malware, it is the equivalent of someone falling over and having a heart attack. that is easy. it is picking up the stuff that is not easy. that is why it is difficult for us to build reliable services to detect malware. >> thank you. [laughter] >> mr. doyle, you are up next. >> i think we'll call him dr. sunshine. [laughter] i want to ask you about federal workers. the white house is currently working on a national mobility strategy to determine how the employees of the federal government are using their mobile devices. they will decide, for example,
5:16 pm
whether employees can bring their personal devices to work, much like many private sector employees do. we are not advocating prescribing one particular kind of phone for everybody to use in the federal government. what security issues do you foresee that might come as a result of this if we allow all federal agencies and workers to use their own mobile devices? how do you think the manufacturers can ensure that the data on the phones of federal workers and agencies remains more secure? >> as you move into a more heterogeneous society where they bring their own devices, one of the challenges is that the security of platforms will be based on the vendor and the features built into them. so getting a consistent view of security and how you protect your information is one of the issues. there are liability and discovery issues -- who owns the
5:17 pm
information, who owns the intellectual property, if you have to go through litigation. and how do you protect the information on the device? there is a level of encryption built into blackberry to encrypt all the data. it can be enforced remotely. but we look at how we go into a bring-your-own-device scenario. we have this standard for protecting information. what i would be most concerned about is the race to the lowest common denominator. we have two or three competing platforms. in order to allow everything, we will reduce our security requirements to the bare minimum. that is the wrong thing to do.
5:18 pm
>> can you outline for us why comcast decided to begin using dnssec? >> you needed some critical mass for people to start signing their names, for people to build software to do that. we felt we could play a role in leading the industry to create the critical mass. the reason we did that is that, when the kaminsky vulnerability came out in 2008, it scared the heck out of us. if our customers cannot be sure that when they went to bankofamerica.com it was that site, that was a problem. we certainly had a short-term fix to that.
5:19 pm
to have a long-term fix, we thought it was incredibly important and dnssec appears to be that one. dr. amoroso, there is no easy answer to this problem. i want to thank all of the panelists today. it has been very enlightening. >> thank you. >> i want to build a little bit on what my friend mentioned. i want a different perspective. this is kind of tied to federal workers. where are you finding your cyber warriors from? in other words, where are they coming out of? are they coming from private universities? the military?
5:20 pm
the cutting edge new people for helping you do this stuff, where are they coming from? >> it is a variety of places. there is a need for more educational focus, not just on cyber security, but ict generally. some are former military service members, former law enforcement. others are administrators who are interested in security. others are former childhood hackers or something like this. and they're interested in it. so it is every industry. >> i have been teaching at stevens for 22 years. if you look at my class in 1990, you'd see something that would look like a typical college
5:21 pm
class. i went to dickinson in pennsylvania. it was a pretty good mix of kids. my class today is about 98% foreign nationals. and i have about 65 in the classroom. and almost all of them have the intention of leaving the country when they complete their master's or ph.d. because they see bigger opportunities elsewhere. >> i do not want to forget the aspect of compensation for people entering the private sector versus the government sector. there is this issue of compensation. we have the same issues of bringing in the best and brightest. but if we're not compensating them with what the market bears -- >> out of education and military intelligence, we see people
5:22 pm
moving into private industry. the most talented guy on my team is a high-school dropout. using the education system as a bar has not helped identify the best talent. he was one of the top recognized hackers and researchers in the world. it varies. i do not think you can actually teach somebody to be a hacker. if you want to be a researcher in that area, there is an ingrained mentality that you're either born with or not. being an attacker is a much different mindset. >> the debate on the senate side, this is how you provide it. what happens if the federal government requires you to follow a new government security standard? what happens to you? that is the debate on the senate side, legislatively. on the one hand, government
5:23 pm
standard and the other one is letting you guys fight the battle yourselves. >> my guess is that anything you can write down that you can think of as a best practice is already being done here. what we're worried about in the shop are things that are not on your list. remember y2k? we were worried that we would get ddos'd for one day. that would have been really bad if you missed the millennium change. so we were completely freaked out by botnets. we built ways to steer traffic around and fix it. now we have a service where we have moved on to the next thing. >> let me put out a final challenge. i agree.
5:24 pm
how do we incentivize innovation in this area? that means government money or government tax credits. that is all persona non grata in this new world in which we live. so i would ask you to help us wrap around this, and maybe it is easing regulatory burdens or something that is not a dollars-and-cents component, but tax credits and things like that are difficult to do in today's environment. >> with the committee's indulgence, doctor, could you explain ddos? >> that stands for distributed denial of service. when my voice goes to all of your ears, it's one thing to many ears. it is great when you're all quiet and your ears work.
5:25 pm
but if you bounce my voice from your ears to him, it would sound like shouting. we hit all your pc's and then tell them all to shout this way and it all comes in and it sounds like this big attack and it knocks him out. >> thank you. now we go to ms. matsui. >> thank you. this is all challenging and frightening at the same time. i do appreciate all of your testimony. i want to go into another area. as we look into developing industry best practices and standards, do you see cloud services and providers included? or would it be better for cloud providers to consider forming their own best practices to secure data in a cloud?
5:26 pm
we do not have much time. >> first of all, we are already talking to the cloud providers. some of us are cloud providers. i think the conversation is well under way. we're familiar with the challenges. if you really think about it, the term "cloud" is a generic term that is misunderstood. it can mean a number of different things for a different type of customer. i would say we continue to include them in the conversation as we have everyone else, so to speak, at the table as partners. the solutions you're looking for will really have to be integrated across the very wide platform. therefore, i would say that you would want to keep them in the conversation. >> thank you. >> my mother has a pc at home that, at this instant, i am sure, is attacking china or something. it is not administered properly
5:27 pm
and she has a big tower with verizon fios, the whole thing. she does not need that. she would be much better served with a cloud provider to take care of that for her and she would just be using some appliance to hit the internet. the reason she does not is because there is software on the pc that she wants to be able to use. in general, that concept is a more secure concept than my mom trying to do administration. i think cloud in general is a more secure model than what we have. >> that is good to know. give me your expertise in this area. what are the differences between securing wired and wireless communications networks? and how can the differences be accounted for in any type of cyber security initiative? >> they are pretty big.
5:28 pm
the differences are significant. if we had three hours, i could take you through the whole thing. but i will give you one example. i guess most of you remember when computer security was just do not put an infected floppy into your computer. remember that? don't put software in your machine where you don't know where it came from. it seemed like perfectly good common sense. what do we do every single day on app stores? i do not know who wrote that app or where it came from. but it looks pretty good and i will download it to my device. that is something we will have to address from a security perspective. >> i am also thinking that so much of what we do is wireless. so much of what we do within our own homes is wireless. but it is so easy to do it and most people do not think about it at all. i am concerned that we are not
5:29 pm
thinking as broadly as we should be thinking as far as some of the personal use. i think it came about here with mr. doyle in the government area, too. but it is so easy to be carrying tablets and different cell phones around. for me, it is the part that is really frightening. nobody knows what they don't know and we're looking at you and you're saying, too, that there are things you do not know, too. and we look at you as experts. i am hoping that we can build something here with a sharing of information that goes beyond, because i'm looking ahead, if it is getting more and more complicated as we develop more tablets and smart phones and whatever, that we're losing control of the cyber security
5:30 pm
aspect of it and the software aspect, i think you brought up, dr. amoroso, is really very important, the education aspect of that and whether or not we are actually kind of building our own principles and standards into that, too. that's just a comment and i really do appreciate your being here and i think i'm learning more and more every time one of you opens your mouth. thank you very much for being here. >> thank you for your comments. we'll go to ms. blackburn, four or five minutes. >> thank you all so much. i tell you what i think i'm going to do is just ask my questions and then if you all want to respond or respond in writing, that would be wonderful. first of all, going back to something mr. shimkus said, i would like to hear from each of you and you can say now or send it to me, what you're seeing as
5:31 pm
disturbing trends and what is the next thing out there. i'd like to know that. i'd like to get an idea of how much of your cost of doing business is beginning to center around the cyber security issues. in your testimony, several of you have mentioned in one way or another, either in response to the questions or testimony, fear that the federal government could end up being more of an impediment than a facilitator in bolstering some of the cyber security efforts. i would like for you to speak to what you are concerned that we might do and then what we are not doing that we should be doing, and hear from you in that vein. with your consumers, i would appreciate knowing what you're doing to educate them.
5:32 pm
one of the things that helps us as we work through the process is being certain that consumers are educated, so if i could get that bit of information. and then when we look at the hacker attacks that are out there, some of the anonymous attacks, some of those, there's one in the news today where i think there are five people that they have, are bringing forward to charges. what kind of government-imposed performance requirements would help keep pace with some of the technological evolution you're seeing in these cyber attacks, and if we were to do a government top-down sort of structure to try to deal with cyber enemies, would that be giving a signal to those cyber enemies, is that too much information for them to be able to work around? those are the questions that i'd love to hear from you on, the
5:33 pm
trends, the cost, what we are doing, what we're not doing, dealing with consumers, how you're educating them and in looking at the attacks, the cautions you would give to us there and with that, anyone that wants to respond. >> i can go first and i'll try to be quick. in terms of the positive things government can do, i think making information sharing easier. there are a number of things there to help. i think government has a role to play in education, whether that's p.s.a.'s or other kind of education for end users, for citizens. i think there's also an opportunity to help incent or fund additional r&d. i know nist and other groups try to do research in security and internet futures. there's more that can be done there that's important. in terms of things to be careful of, be careful of mandates. we don't want to be focused on
5:34 pm
checklists and compliance but on innovation and the threats of tomorrow, not the threats of today. thank you. >> anyone else? >> i could just make two comments. several of the questions and comments today mentioned incentives. i can tell you as an i.t. professional, we are heavily incented to make sure we're protecting not only our internal resources but all of our partners that are interconnected with our systems. i think one of the things that is a little scary so far is we monitor all of our customer service channels, call centers, stores, website. and we're not seeing a lot of requests from our customers concerning their own security of their handsets and devices so i think education is certainly going to be important. i think there's just not a general awareness in the consumer population, how big an issue this is. >> maybe a comment more around why it's so difficult to
5:35 pm
regulate this arena. i think we've been speaking here rather generically about mobile devices and cyber security threats but it's a much broader problem depending on what category you're looking at and because there's multiple categories of threat actors, trying to find a solution in a prescriptive way is very difficult. if you think about who's coming at you and why they're coming at you, you could have a nation state coming at you for all sorts of reasons. they could be coming at the federal government for military reasons but that same nation state could be coming after a corporation for intellectual property, everything from understanding that that intellectual property is not just in a 50,000-person corporate environment. it could be in a 50-person law firm that does your m&a work for you. if you're looking at criminal activity, you have what used to be the script kiddie doing something
5:36 pm
relatively harmless and maybe at best you hired them as your network administrator if they grew up. on the other hand, you have organized crime looking more broadly at the world and how to make money. the recent f.b.i. investigation on dns-infected malware. then you can take a look at anonymous and others that are more hacktivists trying to make a point and you come down to your insider threat and companies doing it to you so if you think about the landscape and the data they're after, they're after it for different reasons. when you try to put a regulatory overlay on that it's difficult to put us in a position to respond to those four broad categories and at the same time make sure we have our checklist compliance programs going. thank you. >> thank you. i yield back. >> the gentlelady yields back. recognizing dr. christensen.
5:37 pm
>> thank you, mr. chairman, good morning, everyone. i have a couple of questions. mr. amoroso, you suggest in your testimony that congress define the roles of the various executive branch agencies in cyber security. where do you see the fcc as an independent agency playing a role? >> i don't think there's an agency right now that's in a good position to solve a problem that we can't solve ourselves. if it really was a case where you could write out five things we should all be doing and for whatever reason -- negligence, ignorance, whatever -- we're not doing it, then you need someone in government to shake us into action. the problem is that we don't know what it is that you should be telling us we should be doing. that's why we're pointing to innovation as the key. so it's a moot question whether
5:38 pm
it should be d.h.s. or fcc or whomever because i'm not sure what they should be telling us. that's the problem. there are some things, i'm part of the team trying to make recommendations, i don't want to lead you to believe that we're not trying to reduce the risk, but i would say from an agency perspective, if there was an obvious set of things that could be done right now, i'm kind of thinking the groups that are here would be doing it. we are incented to do it. that's a problem. i hope that addresses the question. >> ok. thank you for that answer. mr. livingood, you mentioned comcast is an active participant on the fcc communications security, reliability and interoperability council. could you mention how the council is contributing to the improvements in cyber security,
5:39 pm
especially with respect to the threats they are addressing? >> there are a number of working groups. i'm on one. one of the folks that work for me is a chair of one of them and they focus on things like the security of the routing infrastructure, dnssec and a range of other things and i think that's a process that works pretty well. people voluntarily get involved and work out what they think the current best practices are and that's a process that repeats regularly every year so it's not static. in 2008, we came up with best practices and that's what we're still focused on but it's something that gets renewed and refreshed all the time and looks at every new threat as it comes out and that's one of many places we all work together. there are lots of others. the north american network operators group, messaging anti-abuse working group, other groups i could go on about but groups
5:40 pm
like that are good because they're consensus based, voluntary and focused on best practices and current issues. >> and while your customers are mainly using a service for in-home computers, they also use the wi-fi networks, access comcast email and other comcast video products so how do you continue to ensure the same cyber security protections you develop for your core services extend to these uses, as well? >> a number of our security protections are things that a customer can download and install in their device like their home computer but we have a bunch of things on the network like the constant guard system which is a bot intelligence and other security threat system and that's there for customers that might be bringing a device into their network and maybe it's a friend visiting them on their wi-fi network and they happen to talk to a botnet. we'll see those things so whether we've installed the
5:41 pm
device or not, we have tools to identify that and help them, to tell them about it and help to solve it. >> mr. amoroso, you stress a need to foster information sharing and we've talked about that a bit here, a lot between the government and private industry as well as private companies. what protections do you think are necessary to protect civil liberties and consumer privacy and what would be the reasonable boundaries to liability protections and antitrust exceptions? >> the issues you raised are the reason we have those impediments now. i'm an american, i want civil liberties, so the current state is that we've swung the pendulum toward making certain we're protecting civil liberties. the question is how do we preserve those liberties and allow all of us to know if there's some malware thing. i really think we have to figure that one out. i'm not sure i can give you a real good answer on how we do it but i think it has to be a high
5:42 pm
priority because the motivation, everybody's head shakes and goes, yeah, if there's malware, that's not a civil liberties issue, comcast should know that blah, blah, blah is a problem and code that into their system so somehow we maybe need to get the lawyers out of the room and come up with a common sense approach but that's the reason, all the things you listed, that's why we can't take those signatures today. >> thank you. >> thank you, dr. christensen. dr. amoroso, you should have seen the people shake behind you when you said get the lawyers out of the room. let's go to mr. bass from new hampshire. >> mr. chairman, i have a couple of questions for mr. livingood but before i ask those can i ask a mobile or smart phone question for dummies -- is there a difference in cyber security issues between an ipad or smart device like this
5:43 pm
and a laptop or desktop computer? anybody answer that question for me? >> there's probably a firewall between your p.c. at work, on a wired lan, so we can do more filtering and policy control. with your wireless, you go direct to us, to the i.s.p., and we've been incented and told, push the packets, don't look at them, don't do anything, god forbid you impose any kind of policy or filtering. so we do nothing so your connection for wireless is directly to the internet whereas your wired connection probably has some i.t. group at work, whatever. >> is this unit here exposed to bots? is there a cyber security issue associated with my ipad? >> i don't know what you're connected to, but, yeah. >> let's say i'm connected to
5:44 pm
comcast? >> there sure are those issues. those are a new class of device and a lot of hackers are focused on the return on investment, where the biggest platforms are, so the more those devices get out there, the bigger target that makes and they say i can spend a couple of days developing and i have a few million devices so you'll see more and more of those things and depending on the tablet you have, some are more vulnerable than others but that's something a lot of americans are buying and that's the next threat. >> who's responsible? is apple responsible for this or are you? >> it's a variety. with that device, apple plays a role, with the android devices, google plays a role and all the software vendors that make the apps that go on that play a role but there's also a component of customer education and i'm sure over time in the same way we have
5:45 pm
software that runs on p.c.'s to provide security, that will evolve on tablets but we're at the early stage of that curve. >> the same is true for blackberry, right? >> all of the tablets are going to have different risks and different threats and we look at it in terms of how we protect our platform but the theme i keep hearing over and over and i think it's one this committee has highlighted is the need for education and when you talk about computer security, one of the inevitable comparisons is to driving a car. we don't let them drive a car without a license but we let them connect to the internet and download software without the risks and that piece of education, we need a level of sophistication and education in how we inform people of risks they have when they connect a device. >> fair enough. i want to ask a couple of questions about the constant guard protection suite. i note in your testimony,
5:46 pm
mr. livingood, on page six, "i understand it's a complex task. education, remediation are core objectives of anti-malware efforts." does comcast require customers to download its anti-malware protection suite and if not, how does the customer know it exists and how do you notify them if they have a problem? >> it is not required that a customer download that to use our service. they need normal internet connectivity to do that but we do a lot to make customers aware of that and incent them to download it before they have an issue and after. so before they have an issue, when they're installed, they're given a lot of information about things available for them and given links to that and so on. when they get a welcome email from us when they sign up for service, we're reiterating that
5:47 pm
for them and we do other things to promote the fact these are available. after they have an issue and we notice it, we drive them to a remediation portal and that's the first thing we recommend they download and take other steps. we do a lot of education when they come on as a customer and while they're a customer to reiterate that and afterwards. >> it's limited to windows operating system, correct? how long has it been around? >> that protection suite is pretty recent. that's a little bit more than a year. that's a supplement to a larger anti-virus and security suite we've had for many years. >> real quick. what business incentives if any did you get or do you have in developing and offering this service? >> we view it in two ways. number one, there's a competitive incentive, if we can be seen as having more security
5:48 pm
features or more secure than the next guy, someone chooses us as their i.s.p. rather than someone else but the other thing, customers, when they come on board as a customer, used to tell us that the two reasons were price and speed and today it's price, speed and security. so customers are very aware, increasingly so, not as they need to be but very aware about security and they ask about those things when they call up to order service so we view it as a competitive feature we need to add and that's why all of the things we're doing are part of constant guard and other things are important to us. >> thank you, mr. chairman. >> now we go to chairman dingell for five. >> mr. chairman, thank you. gentlemen, we have much to do and little time so i'm going to try to ask questions that you will answer yes or no to. starting with mr. livingood, gentlemen, you all seem to be in agreement that imposing new federal cyber security regulations on industry would
5:49 pm
stifle innovation and harm industry's ability to protect consumers from cyber threats. is that correct? yes or no? >> yes, i am concerned about that. >> mr. amoroso? >> yes. >> sir? >> yes. >> sir? >> yes. >> yeah, i think you have concerns. >> gentlemen, let us assume for a moment that the congress will pursue the no regulation path in this matter and instead facilitate greater information sharing about cyber threats between industry and the government. would that be your collective preference, yes or no? >> yes. >> sir? >> yes. >> yes. >> yes. >> sir? >> agreed. >> gentlemen, thank you. in that case, would the congress need to consider granting exemptions to the antitrust laws and the federal trade commission act in order to allow the companies to share cyber information amongst themselves? yes or no?
5:50 pm
>> yes. >> yes, that's correct. >> yes. >> yes. >> i unfortunately can't comment on that. not familiar with that. >> very good. gentlemen, similarly, do you believe that a safe harbor provision should be created in statute to permit companies to share serious cyber threat information with government agencies without fear of class action or other lawsuits being brought against them? yes or no? >> yes. >> yes. >> yes. >> the reporter doesn't have a nod button, sir, you have to say yes or no. >> it's a yes. >> thank you. sir? >> yes. >> i'm afraid i can't comment on that. i don't know. >> yeah, yeah, yes. >> gentlemen, my last several questions have been premised on a no-regulation scenario wherein
5:51 pm
the congress adopts legislation to appropriate information sharing between industry and government. would you please submit for the record what enforcement tools you believe the federal government would have in this scenario to ensure that industry is adequately guarding and being guarded against cyber threats? i'm asking you to make a submission there for the record because of the shortness of time. now, gentlemen, let us assume that the government would have some role in promoting cyber security in the private sector. if the federal government were to require the promulgation of cyber security standards, should such standards preempt state laws? with you, mr. livingood? >> yes, easier to have one standard. >> i don't know. i'm not sure. i haven't thought that one
5:52 pm
through. >> you, sir? >> yes. >> i'll have to agree with dr. amoroso, i haven't considered that. >> i can't comment on that, either. >> gentlemen, i've read with some interest in mr. olsen's testimony that, and i quote, "the ongoing evaluation of the metro security program is based on periodic internal and third-party assessments and auditing." would your respective companies object if such audits were government mandated? yes or no? >> no, we already provide those things. >> i think we would object, yes. >> we would object. >> you would object? >> yes, we would. >> all right, then we come back and ask you to explain that. next witness, if you please,
5:53 pm
sir? >> we'd probably object but we do this anyway. we always do that. >> now, those who have indicated no, would you please explain briefly? >> i can explain. when you write a law, we do paper work. so i take people away from doing their day-to-day work to sit and do work. we have an ops lab and one of our favorite things to show people in the ops lab is along one of the walls we have a mile's worth of ring binders and they say there's the government paperwork followed by a lot of chuckling laughter but it's true, we have a great deal of paperwork that we fill out when we're dealing with federal groups or sarbanes-oxley or whatever. there's a lot of paperwork. i'm suggesting that if we're already doing it and government says you need to fill out this compliance checklist, you're taking people away from the work to do paperwork. that's why we would object.
5:54 pm
>> if i can make a note quickly. i think this is dangerous sending an engineer sometimes but i'm told we might have objections, we would have the same concerns. >> gentlemen, thank you, thank you for your courtesy. >> thank you for your questions. now turn to the chairman of the house intelligence committee and important member of our subcommittee, mr. rogers. >> thank you, mr. chairman, thank you for having the hearing and thanks to the witnesses, as well. i think one of the big problems we run into in this is we haven't really sounded the alarm bell. in all of the circles of people who look at this every day, the security shops, the i.t. security shops across america, they know what the problem is. average users don't see it. and that's why there's no hue and cry, i think, yet, but how we get this fixed. i appreciate your comments today. you talked about the importance of information sharing and keeping it as clean and simple as you can. talk about how that would work. if we bring the folks together,
5:55 pm
we're sharing government secret sauce with you-all and you're sharing back malicious ware that maybe the government's not aware of, talk about how fast this is. there's talk about civil liberties and i think people have this visual that people are reading emails, some guy named bob in cleveland is reading everybody's email to find this malicious software. not how it works. if that's how it happens, it's a miserable failure. can you talk about how you envision that would work with the sharing arrangement, realtime, no regulatory, all voluntary? can you talk about that quickly? >> first of all, i want to compliment you on your legislation. i think there's nice elements in the work you've done. first of all, realtime, absolutely. independently auditable i think is important so somebody can look at the way this is done. but it also has to be controlled, like blasting it out over the internet would be a
5:56 pm
really bad idea but i think you need to balance, ride, this realtime but also the ability to come back and look at the process, make sure it's transparent without exposing it to our adversaries. that's the right way to do it. >> there's also different levels of sharing by industry. you have to look at how you do your risk assessment on each category that i previously described but there's also right now a very good example of what's working well and that's the defense industrial base pilot going on. that particularly is supporting defense contractors and d.o.d. but you can extend that to the financial services industry and other industries. >> anybody else? >> just for clarification, when we talked about realtime, i've as high as 100 million a second, right, packets of information flying around so if this is going to work, right, the malicious source code has to be compared at an incredibly
5:57 pm
fast rate. can you talk about that from an engineering perspective, anyone? anyone? >> i think one of the challenges is trying to do any kind of pattern matching. a lot of the malware we've seen for years is sort of what's polymorphic or it changes, every instance of it is different from the next. a lot of stuff changes. it's not like anti-spam ware, you can match on a few key words or file attachment. so you need to come up with ways and a number of us have systems like this and others are in development that can do this on a wired basis but that's the challenge you're getting at, doing it in realtime is incredibly difficult and at the edge of computer science at that point. >> many of you told us be careful about the regulatory scheme. if we slow you down, if we give you another row of books down
5:58 pm
your hallway there, it doesn't work. we already have outdated what you're trying to accomplish in the room and this is a value added not only for you but for the government, is it not? the government also gets benefit from the protection of all your great work in the private sector, correct? >> that's correct. and there are two things that raises that are interesting. one is, by the time that a prescriptive law would be written, the ink was dry, the threats would have moved on. so you have to be flexible. the other is that we all need to have with our software developers and security need to be, they hard at work in a room not with a room full of lawyers with them them down, asking them why are you doing this or that. they need to be hard at work every day. this may be my favorite panel of all time since i've been in congress, never so often have a group of engineers belittled lawyers at the table. you have warmed my heart today that we have faith that we're
5:59 pm
moving forward. i wish we had time to talk about all the issues and i'm very curious about how you would fix the programming issue. huge problem for us as we move forward. we didn't talk about exfiltration which is difficult for any of you to catch which, right, would argue right now is the single greatest threat to our economy moving forward aside from what we know today. >> could you outline exfiltration? >> sure. we know that nation states today are engaged in getting on to your network, lurking, they'll be there for a long time, you don't know it, your system administrators don't know it, these folks can't catch it, often the government can't catch it, either and they'll latch on to that intellectual property that is on everybody's computer today, everything of value to that company and at the right time at the right speed, they
6:00 pm
latch on to it and run like heck through your network and take it back and we know a country like china who is investing in this as a national strategy to exfiltrate intellectual property and directly use that intellectual property to compete against united states businesses and unfortunately it is happening at a breathtaking pace, breathtaking pace. and what's concerning is these folks are looking for malicious software that's disruptive or theft oriented. this is very sophisticated and incredibly hard to detect and they really don't want to break anything. they want to get in and steal without you knowing it and that's what's so troubling about it. hundreds of hundreds of thousands of jobs lost every year for the theft of that intellectual property being reprogrammed commercially against u.s. companies. this is as big a problem as i have ever seen and one of the things of the many that keeps me
6:01 pm
up at night, mr. chairman, so thanks for letting me explain it and we didn't get into it today not the focus what have they can even watch. so that's why this information sharing i think is so important. it would help american businesses by the federal government having information, being able to identify that code, share it with the right partners, amazing what we would be able to stop. with the indulgence of the committee members, perhaps, given the importance of that topic, if you have anything you want to add to that area, we going to mr. stearns, mr. gingrey. does anyone want to comment? >> it's called advanced persistent threat and he's got it exactly right, it's somebody targeting any of you. we can craft a fake email that looks pretty realistic, point you to one of these websites that establishes a tunnel. it drops a remote access tool on
6:02 pm
your p.c. you know how you log in when you do remote access from work or from home or wherever you're doing it, this is a hacker now doing remote access to you. you're now the server and once they're on, they can troll around your p.c., your network, and the intellectual property theft has become consistent. it is probably the number one thing i bet all of us when we go back. we talk about botnets and d.n.s. but that's not what we deal with when we go back to the office. we're dealing with a.p.t., which is kind of our point, right, we're ahead of the discussions here, things that we've been dealing with in the past and the things we deal with now are probably things we'll be here testifying about five years from now so that is an issue. >> and to echo dr. amoroso, the advanced persistent threat, these are remarkably sophisticated adversaries. they are slow and patient and will lurk on your system for
6:03 pm
years. we had a large company go out of business, nortel, and part of the attribution of that is loss of their intellectual property to a foreign state level adversary, siphoning secrets off their network. when you look at that, this is a serious concern -- five years from now you'll probably be looking at that. that's how advanced they are. it's great that you're looking at it now, congressman, because the threat is real, it's persistent today and a threat to jobs and the economy. >> thanks to him for his 30 years of f.b.i. service, as well. thank you for all the time you put on the target, sir. >> you would think rogers was a former f.b.i. agent himself. let's go to mr. stearns now. >> thank you, mr. chairman. let me take my questions a little along the lines that my friend from michigan talked about when he talked about advanced persistent threat. dr. amoroso, when you did your opening statement, you were
6:04 pm
speaking quite eloquently, talking about malicious software, malware, you talked about. and you painted this picture that the malware itself, you were impressed how well it was developed, put together and you were not sure if we were keeping up. is that right? >> that's right. we're not keeping up. we are trying. and think about the dizzying pace of innovation in silicon valley. new things every day. the hacking and malicious adversary community, they're moving at the same pace so the job we have is we have to keep up and you would say you better be ahead of them so we're always
6:05 pm
going to be sort of biased. >> you're saying you're always catching up. >> we have to innovate and go faster. >> is that true, you're always catching up? >> that is absolutely true. >> that's what you implied to me when you showed respect for the malware. is this true for all these others, is it applicable to that, too? >> a.p.t.'s are the best. the exfiltration point that the congressman spoke about, that is the elite kind of attack vector in 2012. spy ware, not so much. >> with the malware, who are these people doing this specifically? can you name them? >> i can't. i'm not in law enforcement. you might have -- >> is there anyone on the panel, when dr. amoroso talked about this malware so respectfully and how eloquently it's put together, anybody tell me who we're talking about? >> i think if you look at the
6:06 pm
most recent investigation conducted by the f.b.i. on the d.n.s. malware, changer malware, you'll see it was a group of individuals operating out of estonia that sent malware to individuals in various forms and emails and you clicked on it and it infected your computer in a way that it directed you when you went out to do a d.n.s. type search, you were looking for amazon.com or some other company, you went to their servers and their own servers were embedded in various locations in the united states so these are organized groups. they've figured out how to capitalize on the money you can make with the malware. >> are these people in estonia, are they part of a mafia? underground? an organization that's larger just in estonia without you revealing any -- >> these are no longer individual hackers. individual hackers are out there but now they've actually formed themselves into types of federations to work together.
6:07 pm
>> across the world? >> you can do it across the world. there are certain hacking groups you can join and be a member from different countries. >> so it's like a fraternity? you say i'm a member of the estonia hacker group. >> estonia seems to be a hotbed right now because of how the economy is run over there. >> anyone else? >> if i could add to that, i think it's pretty interesting. this is a very large and very well organized underground economy. they are specialized. we have some people that write tools, other people that rent access to botnet networks so you can rent botnets by the hour. you can tell them where you want the bots to be, payment network mechanisms between these parties so it's very sophisticated and if you think from a criminal standpoint it's easier to get a return on investment on this type of thing than it is to do physically oriented crimes and the scale is so much larger. these are folks that operate across borders internationally
6:08 pm
and there's an enormous amount of economic incentive for them to do it and it's primarily unlike a.p.t., this is primarily an economic crime. a.p.t. is focused on economics but more on intellectual property. this is all about the money. >> well, i guess mr. mahon, is there a possibility that we have terrorists involved with this that are part of this estonia -- terrorists could go to this group or this federation and are using them? >> terrorists use these type of schemes for funding. they need funding for their operations. and number two, they use it as a communication system. they know they're being looked at so the ways they need to communicate are surreptitiously in a manner they can't be intercepted and they use these technologies to communicate with one another but they have to fund their operations. >> the basic question comes down and this is the premise or understanding of what this hearing is all about, what could
6:09 pm
we, as legislators on this subcommittee or full committee or members of congress, what can we do to make it easier for you to operate and at the same time give you the wherewithal to compete and what should we not do? what should we do and what should we not do? just as a closing statement, mr. livingood, if we go down the panel and give what we should do and should not do? >> i think what you should do is help make information sharing easier, remove those impediments. i think also there's a role for government to play in education, whether that's p.s.a.'s or other things to raise awareness about security issues and i think there are r&d things through agencies you can help fund to focus on this. i think what you should not do is focus on mandates and compliance. that enables us to focus instead on innovation.
6:10 pm
>> that sounded good. i would exactly repeat those comments. i'll add one additional and that's that you have influence around the federal procurement process, right. so a lot of times we see procurements come out and scratch our heads and say, boy, don't you think there ought to be through g.s.a. there's an mtips program, a lot of us are mtips vendors, there ought to be more business, there isn't. i would recommend that procurement process ought to be the most secure process in the entire world. >> i would echo what both of them said and add the importance of information sharing. we have limited resources. we conduct risk assessments. risk assessments when we're trying to decide on impacts and probability of events based upon the information we have at the time. if a government agency or another carrier has additional information, and we don't factor that into our analysis, we're really misaligning resources and
6:11 pm
how we develop our counter measures. >> i think there's a lot of commonality among the panel on what we'd like to see. to add to the information sharing area, i think the federal government has access to information through various are watching the country's cyber borders and we've seen in our own company the vast majority of reconnaissance scans and attempts to gain access are coming from china and eastern europe and i think the federal government would be in a good position to monitor and provide information on that. >> going lastly, i agree with everybody else on the panel here, especially hammering the information sharing from government to industry. the purview that intelligence agencies have and at a state level in terms of what you see is much different than what we see. my team works on dr. amoroso's
6:12 pm
team on areas of commonality where we think there are issues to be addressed that impact security to our customers but we don't get the feedback from the government as far as what you see that we need to be aware of. i would ask for a more transparent, realtime information sharing mechanism to let industry know what government knows so we can act to protect our network and by extension protect your information. >> thanks for your patience. you're the last -- >> you took the words out of my mouth. i think you are exacting the last measure of patience out of the last member to ask a question but i moved down here early in the hearing as all of you know because i couldn't hear very well even though the chairman said speak right into your microphones but i'm glad i did move down close because i knew it was going to be interesting and i knew that you, all five of you, experts were going to have a lot of useful
6:13 pm
information to present to us and quite honestly, after two hours of this, i'm trying to figure out a way to beat these guys and the only thing i can think of is just an opportunity to invest in these hacking operations. i don't guess that would be legal but if it were, i think that would be one of the best ways for us to win. but thank you all very much. let me ask a couple of specific questions and maybe this cuts a little bit to the chase of one of the main reasons why the chairman is holding this hearing. each one of you, please, starting with mr. livingood, answer this for me. do you think the fcc has enough cyber security expertise to allay concerns with the commission if they choose to
6:14 pm
impose cyber security regulations on the network providers. do you have enough confidence in their expertise to do that? mr. livingood? >> i don't know the answer to that. we work with folks at the fcc and they have a lot of expertise. have enough here, that's a tough question. i don't know the answer. >> i don't think there's any agency that has the right expertise to do that. if we knew what the expert was, we would be doing it. i don't think it's a knock on any one particular agency but i think any agency that is capability right now. >> i would agree with ed. the answer is no but i don't think anyone does and i think that is the importance of collaborative relationships. you do need to bring people in from all sorts of the federal arena as well as private industry arena to work together, do just the evolving nature of threats in this arena. >> mr. olsen? >> it's an important question. i'd have to agree with
6:15 pm
mr. livingood, i don't know whether they do or not. >> mr. totske? >> i don't know, either. think what you're hearing here and it's common amongst the panel, the defender job, the job to protect your information, is exceptionally hard and it's actually much more difficult than being on the other side. >> speaking of hedge funds. let me go back to mr. olsen and your formal testimony that you gave. you talked about the clearing house. i would like to know a little bit more about that specifically and do you think that would be helpful and maybe you could elaborate on that. >> i think there's two aspects to that. one is where the federal government is sharing with private sector, with industry, what they're seeing as far as threats and i mentioned a little while ago about the threats from outside the u.s. so i think that's a critical component. the other is where companies could share -- private companies could share information on threats they're seeing and that clearing house would have to be
6:16 pm
sponsored by somebody and i think the federal government is the right place to do that. >> and i think you addressed also in your testimony the hold harmless provision that would be necessary. >> absolutely. >> to share that information. so that you wouldn't be subject to lawsuits. >> yes, sir. >> i've got a little time left. one more question, then. the internet is currently transitioning from this internet provider v4 to v6 addressing. does that process create any new cyber security issues and will transitioning alone solve any cyber security issues that currently exist? does the process of transitioning present opportunities to resolve existing cyber security issues? starting with mr. livingood? >> we've been a leader, all of
6:17 pm
the issues that exist in the current internet and ipv4 carry over to ipv6. it's just a new form of addressing. that being said, because it's a new form of addressing and a new technology, you're introducing new things into the ecosystem. to dr. amoroso's point earlier, it's a complex ecosystem and when you change something, there may be consequences so you have to make sure you're not introducing new vulnerabilities but if there were any, it's simply because some security tool that worked great in ipv4 might not have all the same features. >> every device on the planet running v6 in theory would be addressable, would be routable, and that's a pretty dangerous situation. so for all of us, we've got to figure out how to architect security protections around that so i do have some concerns about the v6 transition. >> mr. mahon? >> the architect and engineering teams are working through those
6:18 pm
but as they've said, you have legacy systems being married up with new evolving technology and whenever you do that, you're going to have things evolve as you begin to deploy it. >> mr. olsen? >> i think from a protection standpoint, i think it's a step ahead but the bad guys are out there working just as hard as we are to find another way around that so as soon as we make an advancement in technology, they're right out there keeping pace with us. >> finally, mr. totske? >> and this expands the attack surface and increases the risk so we have new and unknown risks to mitigate. >> mr. chairman, thank you for the generosity of those 45 extra seconds and i yield back. >> you got cleared to 49. but glad to help. thank you, mr. gingrey, for participating. i want to thank all of our witnesses and all the folks behind them who played some role. we appreciate your insights. it's very helpful, in our effort, obviously, we're trying to do the right thing and you're fighting the battle every day
6:19 pm