<html>
<title> - CYBERSECURITY: THE PIVOTAL ROLE OF COMMUNICATIONS NETWORKS</title>
<body><pre>[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


       CYBERSECURITY: THE PIVOTAL ROLE OF COMMUNICATIONS NETWORKS

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 7, 2012

                               __________

                           Serial No. 112-123


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

77-040 PDF                WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California           DORIS O. MATSUI, California
MIKE ROGERS, Michigan                JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin 
BRIAN P. BILBRAY, California             Islands
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan
ADAM KINZINGER, Illinois             HENRY A. WAXMAN, California (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     1
    Prepared statement...........................................     4
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     6
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................     6
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................     7
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................     8
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     8
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     9
    Prepared statement...........................................    11

                               Witnesses

Jason Livingood, Vice President, Internet Systems Engineering, 
  Comcast Corporation............................................    13
    Prepared statement...........................................    15
    Answers to submitted questions...............................   102
Edward Amoroso, Chief Security Officer, AT&T Services, Inc.......    34
    Prepared statement...........................................    36
    Answers to submitted questions...............................   106
David Mahon, Chief Security Officer, CenturyLink.................    48
    Prepared statement...........................................    50
    Answers to submitted questions...............................   110
John Olsen, Senior Vice President and Chief Information Officer, 
  MetroPCS Communications, Inc...................................    56
    Prepared statement...........................................    58
    Answers to submitted questions...............................   114
Scott Totzke, Senior Vice President, BlackBerry Security Group, 
  Research in Motion.............................................    67
    Prepared statement...........................................    69
    Answers to submitted questions...............................   118

 
       CYBERSECURITY: THE PIVOTAL ROLE OF COMMUNICATIONS NETWORKS

                              ----------                              


                        WEDNESDAY, MARCH 7, 2012

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:04 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Greg 
Walden (chairman of the subcommittee) presiding.
    Members present: Representatives Walden, Terry, Stearns, 
Shimkus, Bono Mack, Rogers, Blackburn, Bilbray, Bass, Gingrey, 
Scalise, Latta, Guthrie, Kinzinger, Eshoo, Doyle, Matsui, 
Barrow, Christensen, DeGette, Dingell, and Waxman (ex officio).
    Staff present: Ray Baum, Senior Policy Advisor/Director of 
Coalitions; Nicholas Degani, FCC Detailee; Neil Fried, Chief 
Counsel, Communications and Technology; Debbee Keller, Press 
Secretary; Katie Novaria, Legislative Clerk; Andrew Powaleny, 
Deputy Press Secretary; David Redl, Counsel, Communications and 
Technology; Roger Sherman, Democratic Chief Counsel, 
Communications and Technology; Jeff Cohen, FCC Detailee; Shawn 
Chang, Democratic Senior Counsel, Communications and 
Technology; Hadass Kogan, Democratic Legal Fellow; and Kara Van 
Stralen, Democratic Special Assistant.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. We will call to order the Subcommittee on 
Communications and Technology for a hearing on ``Cybersecurity: 
The Pivotal Role of Communications Networks.'' I want to thank 
our witnesses for being here this morning. We look forward to 
your testimony and are very appreciative of your taking the 
time to be here to help educate us so we can do the right thing 
in terms of assisting you all, particularly the security 
networks or the cyber networks.
    Back in October, the House Republican Cybersecurity Task 
Force appointed by the Speaker recommended that the committees 
of jurisdiction review cybersecurity issues. This subcommittee 
has embarked on a series of hearings to heed that call and to 
get a complete picture of the cybersecurity challenges that our 
Nation faces.
    In our February 8 hearing, we examined threats to 
communications networks and the concerns of the private sector 
security firms helping to secure those communications networks. 
That hearing provided us with valuable information and even 
some potential solutions.
    This hearing continues our subcommittee's review of 
cybersecurity issues with a focus on the steps that network 
operators have taken to secure their networks and any 
recommendations that you all might have on how Congress can 
help, actually help in those efforts.
    As we heard in the February 8 hearing, threats to 
communications networks have come a long way in a very short 
period of time. Before coming to Congress, I spent 22 years as 
a radio broadcaster, and as a small businessperson, I had to 
worry about securing our own communications network, but those 
were simpler times. In modern communications networks of all 
types, cybersecurity has become a pressing concern. In our 
February 8 hearing, we had a dizzying array of new 
cybersecurity threats discussed like supply chain 
vulnerabilities, botnets, and Domain Name System spoofing.
    On the brighter side, we were also told during that hearing 
about several potential solutions to make communications 
networks more secure. This is why I have asked a number of my 
colleagues to serve as the Communications and Technology 
Cybersecurity Working Group. The working group is a bipartisan 
team of six subcommittee members, led by Subcommittee Vice 
Chair Lee Terry and Subcommittee Ranking Member Anna Eshoo, 
that will look into some of these potential solutions and the 
legal and regulatory impediments to securing communications 
networks against cyber threats. With an eye toward incentive-
based approaches, the working group looks to facilitate 
communication among private sector companies and the public 
sector on a variety of topics, including DNSSEC adoption, 
supply chain risk management, and a voluntary code of conduct 
and best practices for network operators.
    Now, in this hearing, we are privileged to have five 
witnesses that represent parts of the commercial network to 
guide us through the complex cybersecurity issues that you each 
face. Network operators own, maintain and operate most of the 
infrastructure that makes up our communications networks. Their 
management of the wires, the towers, the base stations, the 
servers and the wireless handsets that are integral parts of 
communications networks put these companies on the front lines 
of cybersecurity. I want to know what cybersecurity services 
and educational initiatives are being aimed at your consumers, 
what steps are being taken to secure the core components that 
make up our communications networks, and what affirmative steps 
network operators have taken to secure the supply chain and to 
prevent cyber attacks.
    I would also expect to hear what you think the appropriate 
role of the Federal Government is to combat cyber threats. Are 
Federal laws and regulations helping or hindering information 
sharing? Are there cybersecurity solutions that your company 
has identified that would prevent cyber attacks, but would run 
afoul of existing laws? How can the Federal Government incent 
network operators and other members of the private sector to 
invest and innovate in the cybersecurity arena? And coming off 
of our prior hearing on February 8, how do we make sure that we 
don't put things in statute that cause misallocation of your 
capital and make you less nimble in this extraordinary cyber 
threat environment? So I look forward to your testimony today.
    [The prepared statement of Mr. Walden follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. I would yield time to Ms. Blackburn.
    Mrs. Blackburn. Thank you, Mr. Chairman. Welcome to all of 
you, and we are deeply appreciative of your time for being 
here.
    I think one of the things that----
    Mr. Walden. Could you get a little closer to your 
microphone?
    Mrs. Blackburn. I certainly can. I am a mother. I can 
always talk louder. That is right.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    The GAO report that mentioned we have seen a 650 percent 
growth in cyber attacks over the past 5 years, I think that 
that caused a lot of people to, you know, sit up and take note 
of what might be happening out there, because you look at the 
attacks, you look at what that equates to an effect on the 
economy. Chairman Bono Mack and I are working on introducing a 
bill, the cybersecurity bill here in the House, similar to 
SECURE IT from the Senate, and I think the concepts we are 
viewing are not to be overly prescriptive and to kind of work 
off the first principle of ``do no harm'' and have a good, 
broad conversation in this. I would love to hear you all talk a 
little bit about government networks and the importance you 
think and responsibility you think government has in securing 
its own networks and system. I would love to also hear a little 
bit from you about incentive-based security and how we approach 
that.
    With that, I yield back.
    Mr. Walden. I thank the gentlelady for her comments and now 
recognize my friend from California, Ms. Eshoo, for an opening 
statement.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, and welcome to all of 
the witnesses and thank you for being here today.
    As the title of today's hearing suggests, our 
communications networks are part of the backbone of our 
Nation's critical infrastructure. From electricity generation 
to financial service and transportation, we depend on our 
communications networks for nearly all aspects of our daily 
lives. Yet as was highlighted during our first cybersecurity 
hearing, our networks remain vulnerable to attack.
    In particular, there are three areas I would like to hear 
more about from our witnesses today. First, as we discussed in 
last month's hearing, the FCC chairman is currently proposing a 
voluntary ISP code of conduct as a way to alert consumers when 
a botnet or other malware infection is discovered. So today's 
witnesses will be on the front line in ensuring such best 
practices are effectively implemented and obviously I think 
that you are going to talk about that, and I look forward to 
it.
    Second, I would like to hear more about your views on 
supply chain security. I continue to have really grave concerns 
stemming from my 8 years that I just recently completed at the 
House Intelligence Committee about the implications of foreign-
controlled telecommunications infrastructure companies 
providing equipment to the U.S. market. In 2010, I wrote to the 
FCC chairman asking for a better understanding of the FCC's 
authority to address these challenges and what kind of 
transparency requirements should be placed on companies seeking 
to sell telecommunications infrastructure equipment to U.S. 
network providers.
    Third, I would like to learn more about any unique 
challenges in securing mobile networks. As more data is 
transmitted wirelessly, we need to look closely at how these 
networks are secured to ensure they don't become the entryway 
to the broader network.
    So today's hearing is an important aspect of our 
subcommittee's work on cybersecurity. Again, I want to thank 
each one of our witnesses for being willing to testify today to 
be instructive to us, and I want to thank the chairman for the 
spirit of cooperation around this issue. Usually there are some 
Democratic witnesses that are called and Republican witnesses. 
That is not the case today. So this is something that rises 
above that, and I look forward to working with the entire 
committee so that we not only better understand the 
cybersecurity challenges facing communications networks but 
what steps we can take to secure them and thereby strengthen 
the country.
    I would like to yield my remaining time to Representative 
Matsui.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you, Ranking Member Eshoo, for yielding 
me time. Mr. Chairman, thank you for holding today's hearing, 
and I want to thank the witnesses for being here today.
    There is no doubt that cyber attacks are real and continue 
to pose significant threats to several aspects of our economy, 
and Mr. Chairman, I am pleased that you and Ranking Member 
Eshoo formed a bipartisan cyber working group so that we can 
appropriately explore our subcommittee's interest to enhance 
our Nation's efforts against a cyber attack.
    There are a variety of issues that we may explore. 
Communications networks are one of the many areas that our 
Nation must protect and ensure safety and soundness. Advancing 
IP-based technologies and public safety communications heighten 
the concerns for cybersecurity. It would be important that data 
is protected from a PC or a cell phone in transit to cloud 
storage, particularly as more and more Americans send personal 
information to the cloud.
    I also believe that our subcommittee will have the ability 
to further promote information sharing on cyber threats. 
Securing the supply chain will be of high importance so that 
tech components remain secure through their manufacturing and 
distribution processes. Among others, I believe that R&D 
incentives could encourage industry to explore ways to better 
address and defend against malware and botnets.
    Again, I thank the chairman for holding today's hearing. I 
look forward to working with my colleagues on ways that this 
subcommittee can encourage greater protection against cyber 
threats. I thank the witnesses for appearing today.
    I yield back the remainder of my time.
    Mr. Walden. I thank the gentlelady for her comments.
    I will now recognize the vice chairman of the committee, 
Mr. Terry, for opening comments.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Chairman, and let me start by saying 
that I believe that most of my colleagues on this committee 
share my optimism that a collaborative, active cyber defense 
capability is actually achievable. There might be a few 
differences in opinion on what needs to be done to reach this 
goal, but through the bipartisan conversations like those 
taking place in the working group and public hearings like 
this, we are getting closer.
    In reading through the written testimony provided by 
today's witnesses, I noticed a common thread throughout. As Mr. 
Amoroso eloquently says, ``Quite simply, innovation is 
inconsistent with standardization.'' I agree wholeheartedly 
with our witness, and in my opinion, I find this to be the most 
vital guiding principle in considering how to enhance our 
Nation's cybersecurity. In fact, as I continue to dig deeper on 
this issue, I become more convinced that any sort of 
legislative effort to provide overbroad regulation or 
certification regimes will surely come with unintended 
consequences. Instead, ISPs should have the flexibility to 
respond to real-time security threats in a manner that 
minimizes delay and maximizes their ability to innovate as they 
strive to protect their consumers and their network.
    A couple of things I believe that we can do to help reach 
the goal of collaborative active cyber defense capability are, 
one, remove the current barriers in place that prevent 
communication networks from sharing cyber threat information 
with the government agencies and also with the private sector 
entities. The second is to provide adequate liability 
protection for the sharing of cyber threat information.
    Again, I thank our witnesses for joining us today, and 
shall I yield to Mr. Stearns.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. I thank my colleague.
    My colleagues, I think the consistent message from our 
witnesses today is that the private sector has very strong 
commercial incentives to invest in and maintain robust 
cybersecurity. In fact, each of our witnesses today has 
described unique and thorough approaches to protecting their 
own networks. These examples demonstrate that one-size-fits-all 
legislation is not the appropriate solution to cybersecurity 
threats. Moreover, because these threats change every day, 
industry must be provided the flexibility to respond quickly to 
an attack.
    Therefore, I believe that prescriptive top-down government 
mandates are not only unnecessary but they simply will not 
work. Instead, government should seek to improve information 
sharing and consumer education. We also should work to 
eliminate outdated regulations that have created unintentional 
barriers toward ensuring the security of our networks.
    So I look forward to our witnesses today and I thank you, 
Mr. Chairman, for this great hearing.
    Mr. Walden. Are there any other members seeking time on our 
side? If not, the gentleman yields back his time and I 
recognize the gentleman from California, Mr. Waxman, for an 
opening statement.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Mr. Chairman, and I 
welcome our witnesses as well.
    I am pleased that the subcommittee is looking at this 
issue of cybersecurity. This is our second hearing. Every week 
we learn of a new cyber breach or vulnerability, so it is vital 
that we are paying attention to this question.
    Like the smart grid, which was the topic of our last 
hearing by the subcommittee on Oversight and Investigations, 
communications networks are highly vulnerable to cyber attack. 
The potential for severe disruptions is high because 
communications networks are the common thread to all critical 
infrastructure sectors.
    In fact, the public safety legislation that was just signed 
into law exemplifies these concerns. Under the new law, first 
responders will be relying on broadband communications networks 
to secure the safety of life and property. That will strengthen 
their ability to protect the public, but only if the networks 
are protected from cyber attacks.
    Today, I look forward to continuing our discussion of the 
security threats faced by mobile devices and the proper role 
for this subcommittee in ensuring cybersecurity. Our witnesses 
today represent a broad cross-section of Internet service 
providers, as well as a handset manufacturer. This should 
further help our understanding of what risks threaten 
communications networks, what companies are doing to mitigate 
these risks, and what the subcommittee might do to assist you 
in these efforts.
    I believe the Federal Government has an important role to 
play in ensuring the cybersecurity of the Nation's 
communications networks. One important Federal role is 
developing practices that will keep the Internet safe. The 
FCC's upcoming release of its cyber best practices report, 
developed by the well-regarded Communications Security, 
Reliability and Interoperability Council, such a long name that 
is reduced to CSRIC, will provide valuable guidance to industry 
and our subcommittee.
    I understand the chairman is planning a third hearing with 
government agencies. I commend him for this series of hearings 
and look forward to what our witnesses have to tell us.
    And finally, I want to join in thanking you, Mr. Chairman, 
for organizing a bipartisan working group to study cyber 
threats and inform the subcommittee of its findings. This is a 
good opportunity for subcommittee members and staff to work 
together on an issue of common concern. I look forward to 
hearing back from the working group and exploring with the 
subcommittee potential further actions.
    Thank you for the hearing. I thank all the witnesses for 
being here. I look forward to the testimony. Yield back.
    [The prepared statement of Mr. Waxman follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. The gentleman yields back his time. I thank you 
for your comments. We have a lot of big brains on this 
committee and we are going to need them all to protect America, 
so thank you to the members who have agreed to serve on that 
working group.
    Gentlemen, we are delighted to have you here today. We will 
start with Mr. Livingood. We appreciate your being here, Vice 
President, Internet Systems Engineering from Comcast 
Corporation. Thank you for being here. Just a friendly 
reminder, being an old radio guy: Pull these microphones very 
close and make sure the button is lit and you will be good to 
go.

STATEMENTS OF JASON LIVINGOOD, VICE PRESIDENT, INTERNET SYSTEMS 
    ENGINEERING, COMCAST CORPORATION; EDWARD AMOROSO, CHIEF 
   SECURITY OFFICER, AT&T SERVICES, INC.; DAVID MAHON, CHIEF 
    SECURITY OFFICER, CENTURYLINK; JOHN OLSEN, SENIOR VICE 
       PRESIDENT AND CHIEF INFORMATION OFFICER, METROPCS 
COMMUNICATIONS, INC.; AND SCOTT TOTZKE, SENIOR VICE PRESIDENT, 
         BLACKBERRY SECURITY GROUP, RESEARCH IN MOTION

                  STATEMENT OF JASON LIVINGOOD

    Mr. Livingood. OK. Thank you very much, Mr. Chairman, 
Ranking Member Eshoo and members of the subcommittee for 
inviting me to discuss some of the work that Comcast is doing 
to protect consumers and cyberspace. We appreciate the 
subcommittee's interest in this issue and its willingness to 
hear the perspective of someone like me, an engineer working in 
cybersecurity and other technical Internet issues every day.
    I serve as Vice President of Internet Systems Engineering 
at Comcast, and I am the Engineering Leader in charge of our 
residential high-speed Internet service. I currently serve on 
an FCC CSRIC working group, on ICANN's Security and Stability 
Advisory Committee, on the Broadband Internet Technical 
Advisory Group, and am a member of the board of trustees of the 
Internet Society. I am also an active contributor to the 
Internet Engineering Task Force, or IETF.
    At Comcast, we take cybersecurity issues seriously, and we 
know that our customers are very concerned about security. We 
strive to provide them with the best, fastest and most secure 
Internet service possible, and our engineering team devotes 
significant time, energy and investment to constantly update 
and refine our cybersecurity efforts.
    One such threat that we focused on comes from malicious 
software called a bot. Bots run on an end user's computer 
without their knowledge and are controlled remotely. Bots are 
used to conduct identity and credit card theft, denial of 
service attacks, steal user names and passwords, and send spam. 
It is important to understand that a person need not 
consciously do something like download an app to become 
infected. Sometimes they can be infected just by visiting a Web 
site.
    To counter bots, we developed a system called Constant 
Guard. This customer-facing system first detects botnet 
traffic, notifies end users of infection such as sending them 
alerts in their web browser, and provides them with tools to 
remove those infections.
    Another area of threat is to the Domain Name System, which 
is a foundational and extraordinarily important and critical 
part of the Internet. The Domain Name System, or DNS for short, 
is responsible for basically translating names like Comcast.com 
into IP addresses, which are the addresses used to connect and 
route traffic across the Internet. So it is extremely 
important. But a vulnerability in the DNS can permit an 
attacker to inject a fake answer into the DNS. An attacker, for 
example, can then direct traffic destined to a site such as a 
banking Web site to computers that they control, perhaps to 
collect login and financial information, but the address in the 
user's web browser still appears correct.
    The long-term fix is to implement DNS security extensions, 
or DNSSEC for short. This involves someone doing two things. 
First, cryptographically signing the domain names that they own 
and then Internet service providers validating those signatures 
before connecting a user to that site. This is basically akin 
to your bank keeping your signature on file and checking the 
signature on your check against that before cashing your check.
    It is important to note that DNSSEC was developed via an 
international multi-stakeholder process at the IETF and will 
require adoption across the entire ecosystem such as by banks, 
web browsers, software companies and cloud services, not just 
ISPs. I am pleased to report as part of Constant Guard, Comcast 
was the first ISP in the United States to fully deploy DNSSEC 
in January.
    But it is important to understand that no open and 
massively interconnected network can ever be completely and 
totally secure. While there is no perfect solution to security, 
that does not mean that there are no good solutions, so our 
focus has been quite simply to roll up our sleeves and get to 
work chipping away at the security threats day in and day out, 
quickly learning and adapting. We are working within the 
industry and on a global basis to combat the key threats and to 
protect our customers the best that we can and also to help 
them protect themselves. There are powerful incentives to take 
strong and effective measures to ensure network security and 
safety. Our consumers want assurance that the networks that 
they are using are safe and secure, and we have strong reasons 
therefore to invest capital and resources into cybersecurity 
safeguards. The same is of course true for other network 
providers. We all have powerful incentives to take actions 
necessary to secure our substantial investments in our 
networks.
    Policymakers can help these efforts by removing legal 
uncertainties that can inhibit collaboration while preserving 
and strengthening this flexibility that providers have to 
develop the best solutions for each of our networks. As one of 
the members said a moment ago, there is no one-size-fits-all 
solution, so flexibility is key, and it is important because 
the threats change as rapidly as they do. Flexibility will help 
to ensure that we can continue to focus on security and 
innovation rather than compliance and regulation.
    Thank you.
    [The prepared statement of Mr. Livingood follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Thank you, sir. We appreciate your comments and 
we will get back to you with some questions on the specifics of 
what those uncertainties are in the law.
    We now are delighted to have Dr. Edward Amoroso with us. He 
is the Chief Security Officer for AT&T Services, Inc. Doctor, 
we are glad to have you here. We look forward to your comments.

                  STATEMENT OF EDWARD AMOROSO

    Mr. Amoroso. Great. Thanks. Hi, everybody. I am Ed Amoroso. 
I have spent my entire adult life in cybersecurity. In fact, 
even as a teenager, my dad was a computer scientist so I was 
logging onto ARPAnet when I was a little kid. So I have been in 
and around this forever. I started work at Bell Laboratories 
and found that I was actually a pretty good hacker, and have 
been doing so ever since and now I am the Chief Security 
Officer, so I kind of come at this with a very practical 
perspective on threat.
    There are three things I want to share with you that I 
think are observations that might help you as you develop 
legislation, and they are based on empirical day-to-day, you 
know, dealings with security issues with our mobility network 
and our wireline network and the entire Fortune 1000 and lots 
of different countries we deal with, so I do that all day long 
and I wanted to share.
    And the first one is about innovation. We are being out-
innovated by our adversaries is basically the case. I mean, I 
don't know if you have ever bought a piece of furniture and 
taken it home and admired the handiwork in the furniture. That 
is what we do with malware that is being developed by 
adversaries. It is so good and so well crafted that we marvel 
at how far the adversary has come. These are not script kiddies 
doing dopey things. And these are pretty good. I don't know if 
any of you watch 60 Minutes, if you saw the Stuxnet piece. That 
is an incredible piece of computer science, that worm. So I 
think we need to recognize that whatever we do collectively as 
a Nation, we need to figure out a way to incent companies and 
universities and government agencies to innovate in this area. 
If we don't, we are going to be in trouble because I will tell 
you, and I bet everybody on the panel here would agree with me, 
the best state-of-the-art security protections that any one of 
us can put in place will not stop a determined adversary in 
2012. That is a fact, so we need to do something to get ahead 
of that, and the way you do something is, you innovate. 
We need \nto do something to get ahead of it, and part of the problem \nwith sort of prescripting an answer to everyone, hey, we are \nall going to do the following, is it would be like every NBA \nteam publishing their defense and saying this is what we are \ngoing to do. Guess what? You think the adversaries don't read \nyour legislation? You think they don't look and see what we are \nall going to do? I mean, you lay it out and you say OK, I will \nstep around these things that you are doing. I mean, that is \njust a practical issue in cybersecurity. This is not, you know, \nthe kind of thing where, you know, we can all kind of do \ncommonsense stuff and it will fix it. There is a million things \nin our lives where if we all go back to the basics and do a set \nof commonsense things that will make things better. We all live \nour lives that way. Cybersecurity doesn't work that way. We are \ndealing with an adversary. So the first issue is innovation.\n    The second is infrastructure, and I think everybody also at \nthis table would agree that complexity in infrastructure is the \nbiggest problem for cybersecurity. When things get way too \ncomplicated, we can't keep track of it. It becomes almost \nimpossible to protect something that has become so big and \ncomplicated that you can't get your arms around it, and part of \nthe problem with things like DNSSEC and others, which clearly \nhave benefit--I mean, I certainly agree with a lot of the \npoints that were made--but they add complexity. Like the way to \nthink of DNSSEC is, you know when you do a commercial and at \nthe end you say I am such-and-such and I approved this \ncommercial, that is DNSSEC. I mean, it is essentially the \nserver attesting to the fact that here is a signature that I am \nwho I am, but if somebody is breaking in to and owns that \nserver, the signature is meaningless. It doesn't do any good. 
\nAnd I would say empirically, I see a lot more break-ins to DNS \nservers than forged, you know, different types of protocol \nresponses and so on. So I think what we need to keep in mind as \nwe develop legislation that when we add complexity, when you \nadd things that we need to keep track of, do this, do that, \noverlay this, add this new thing, add that new thing, the \ncomplexity can be very stifling. You know when DNSSEC was first \nproposed? Decades ago. Right. This is not something that was \ndreamed up last week. We have been working on adding \ncryptography to Internet protocols forever, and the reason we \ndon't have them today is because they are unbelievably \ncomplicated to run. They do add some benefit but they have side \neffects. It would be like bringing a senior citizen to the \ndoctor with five ailments and the doctor says well, I am going \nto give you medicine for one of them but it has side effects. \nThat is DNSSEC. It does have benefit, it has side effects, it \ndoesn't fix everything, so that is the second.\n    The third and last issue I want to raise is software. At \nthe root of every cyber attack, every problem I have ever dealt \nwith in my entire career is bad software, and I think that it \nneeds to be addressed. The discipline of software engineering, \nthe profession of writing software is one that is a complete \nmess right now. And I am a professor at the Stevens Institute \nof Technology. I have been teaching in the computer science \ndepartment there for 22 years. I teach software engineering, \nteach computer security, that kind of thing, so maybe blame me, \nbut the bottom line is that youngsters and even professionals \ntoday cannot write a non-trivial piece of software that is bug-\nfree and those bugs are the way our adversaries get into our \ncompanies. We open up Web sites because we have no choice. Are \nwe going to close the Web site down? 
It is there and the \nsoftware powering that has vulnerabilities we don't know about. \nI bought it, I install it, I test it, everything is great, but \nsome adversary finds an open door that I don't know about, that \nthe manufacturer doesn't know about, and they dance right in. \nBad software is a fundamental problem here, and I think it \nneeds to be addressed, probably through the educational system. \nThanks.\n    [The prepared statement of Mr. Amoroso follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Walden. Thank you. We appreciate your comments and we \nwill get back to you with questions as well.\n    Now we are joined by Mr. David Mahon, Chief Security \nOfficer for CenturyLink. Thank you for being here. We look \nforward to your comments.\n\n                    STATEMENT OF DAVID MAHON\n\n    Mr. Mahon. Chairman Walden, Ranking Member Eshoo and \nmembers of the subcommittee, thank you for the opportunity to \ntestify on this important topic.\n    CenturyLink, a tier one backbone provider, provides \ncommunication services to over----\n    Mr. Walden. We are having trouble hearing you. Is that \nlight lit up there, and you really have to get really close.\n    Mr. Mahon. Chairman Walden, Ranking Member Eshoo and \nmembers of the subcommittee, thank you for the opportunity to \ntestify today on this important topic.\n    CenturyLink, a tier one backbone provider, provides \ncommunication services to over 14 million homes and businesses \nin more than 37 States and around the world. Our services \ninclude voice, broadband, video entertainment and data, as well \nas fiber backhaul, cloud computing and managed security \nsolutions. Our customers range from the most basic voice and \nInternet customers to the largest Fortune 500 companies and \nlarge government agencies. 
As Vice President and Chief Security \nOfficer for CenturyLink, I am responsible for all corporate \nsecurity functions including information security.\n    Before joining CenturyLink, I worked for over 30 years with \nthe FBI and was responsible for investigative teams and \nprograms related to target attacks on the Internet, computer \nsystems and networks exploited by terrorist organizations, \ncriminal and intelligence operations of foreign governments, \nwhite-collar crime investigations, and crisis management.\n    The cyber threat is real and serious. Our networks and \nthose of our customers are the targets of thousands of \ncybersecurity events daily from simple port scans probing \nnetwork defenses to sophisticated attacks. CenturyLink and our \ncustomers invest significant resources in ongoing efforts to \nkeep those assets secure. CenturyLink uses an overarching \ngovernance, risk and compliance framework to ensure \ncybersecurity threats are addressed enterprise-wide. As \nstewards of the Internet infrastructure, CenturyLink's programs \non cybersecurity fall into several general categories: \nprotecting the customer, protecting our core networks and \nproviding managed cybersecurity and secure communication \nservices.\n    We have worked extensively with our industry peers, \npartners in government and other stakeholders to strengthen our \ncollective defenses against cyber attacks. 
From our CEO's \nparticipation on the President's National Security \nTelecommunications Advisory Committee to my security team's \nparticipation in key organizations such as DHS's Communication \nSector Coordinating Council and the FBI's Domestic Security \nAlliance Council, we conduct risk assessments, information \nsharing, incident response planning and participate in \ngovernment-sponsored cybersecurity exercises.\n    In addition, CenturyLink's CEO, Glen Post, chairs the FCC's \nCommunications Security, Reliability and Interoperability \nCouncil, which is working on voluntary best practices for \nbotnet remediation, Domain Name System Security, Internet route \nhijacking, and other emerging issues unique to the \ncommunications industry.\n    More can and should be done, but carefully. Public-private \npartnerships have yielded significant progress in the last few \nyears by building a framework of collective defense and \ncooperation and helping us understand the cyber threat. As many \nof you have pointed out, we are entering into a new era of \ncybersecurity threats where our adversaries have become more \nsophisticated and determined, and the need to collectively step \nup our game is more acute.\n    We are particularly encouraged by legislation like H.R. \n3523, the Cyber Intelligence Sharing and Protection Act, and \nsimilar provisions in Senate bills that could clarify and \nenhance cyber-related public-private information sharing.\n    As communication providers, we see a number of areas where \nCongressional action can make valuable improvements to our \nNation's cybersecurity process such as improving information \nsharing, market-based incentives and gap analysis, improving \nthe Federal Government's cybersecurity posture, and expanded \nresearch and development.\n    Shifting to a mandated-based approach would be \ncounterproductive. 
We strongly caution against the traditional \nregulatory approach based on government mandates or performance \nrequirements. Because our network is the one central asset of \nour business, CenturyLink and our industry peers already have \nthe strongest commercial incentives to invest in and maintain \nrobust cybersecurity. There is neither a lack of will nor a \nlack of commitment to do this among the major communications \nproviders.\n    At its best, cybersecurity is a dynamic, constantly \nevolving challenge best done in a collaborative partnership. At \nits worst, cybersecurity can devolve into a checklist exercise \nand divert resources away from effective protections into \nexpensive compliance measures that may be already outdated by \nthe time they are implemented. We have the most knowledge of \nour network systems and databases, and we understand the most \neffective and efficient ways to protect these assets.\n    We commend the members of the Energy and Commerce Committee \nfor their interest in improving the Nation's cybersecurity and \nfor the deliberate process the committee is undertaking to find \nthe right mix of incentives and elimination of legal barriers. \nCenturyLink has strived to be a constructive partner in this \neffort, and we will continue to do so. Thank you.\n    [The prepared statement of Mr. Mahon follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Walden. Thank you, sir. We appreciate your testimony, \nand now we will move to Mr. John Olsen, Senior Vice President \nand Chief Security Officer for MetroPCS Communications. \nWelcome, and we look forward to your comments.\n\n                    STATEMENT OF JOHN OLSEN\n\n    Mr. Olsen. Thank you, Chairman Walden and Ranking Member \nEshoo. It is an honor to appear before you and your colleagues \ntoday. I am the Senior Vice President and Chief Information \nOfficer for MetroPCS Communications. 
I have nearly 30 years of \nIT experience, and I am responsible for our IT networks.\n    MetroPCS is a leading provider of unlimited wireless \ncommunication services for a flat rate with no annual contract. \nWe sell our services through our own retail stores and \nindependent MetroPCS dealers to retail consumers. We do not \nsell through business-to-business sales channels or to the \ngovernment.\n    Our communications networks use four well-known and \nestablished network vendors: Alcatel-Lucent, Ericsson, Cisco \nand Samsung. We also purchase handsets from well-known and \nestablished vendors. These vendors are not our primary network \nvendors, which mitigates the risk that an embedded handset \nthreat is able to exploit vulnerabilities in our network.\n    Our communications networks utilize security measures \nsimilar to other carriers. We have also adopted measures both \nphysical and logical to protect these networks. We have four IT \nnetworks which are critically important to our business. As we \nwill discuss in more detail, we have voluntarily undertaken a \nnumber of cybersecurity measures to protect our IT networks, \nboth physical and logical.\n    Security of these critical networks is very important to \nMetroPCS. We maintain a comprehensive, holistic, risk-based \ninformation security program built on industry best practices \ncovering people, process and technology. We use a combination \nof hardware and software services. 
Our security program \ndirectives are driven by a formal governance function and \ninclude, among other things, centralized policy management, \nsecurity awareness, training, and internal and third-party \nmonitoring, physical protection, threat identification and \nvulnerability management as well as intrusion prevention.\n    We are particularly focused on security at the perimeter of \nour IT networks and use multi-level security technologies to \nprevent unauthorized access to our IT networks from both inside \nand outside our company. We conduct and we have third-party \nvendors conduct regular network security audits and penetration \ntests and have standardized on a single provider for all network \nequipment. Further, our IT networks are broken up into segments \nwith firewalls between critical segments. Our 24/7 monitoring \nefforts, which are augmented by our cybersecurity partners, can \ngenerate hundreds of thousands of potential cyber threat alerts \na day but result in just a handful of real threats, which we \naddress immediately. While we cannot say definitely we have \nnever had a cyber intrusion, we are not aware of any \nsignificant cyber intrusions or cyber attacks that have been \nsuccessful at disrupting our IT or communication networks.\n    In addition, we have also adopted a number of other \nmeasures to protect our customer information such as encrypting \nhard drives, installing virus and malware software, and for \nremote access requiring two-factor authentication. We also \nconduct background checks, segregate duties of personnel and \nlog all access and changes to critical systems. MetroPCS has \nalso implemented numerous physical security measures such as \ncard key and biometric access.\n    Our staff also maintains vendor-specific and industry-\nrecognized certifications and regularly participates in vendor-\nsponsored symposiums, industry summits and conferences. 
We are \ninvolved in these groups, not because we are required to but \nbecause they are a valuable source of information and best \npractices.\n    MetroPCS does not believe that regulation is required or \nwarranted at this time, particularly for carriers that do not \nprovide services to government or local public safety \norganizations. Carriers are already well incented to protect \ntheir networks, and this is particularly true for month-to-\nmonth service providers like MetroPCS. If we do not provide the \nlevel of protection our customers want or demand, they can \nterminate service without penalty and can activate service with \na competitor. Governmental regulations and private sector \ncertifications such as PCI also force providers to invest in \nthe appropriate tools and practices to detect and deter cyber \nthreats.\n    Market forces are better suited to respond to constantly \nchanging cyber threats. If regulations are considered, MetroPCS \nurges that these requirements be flexible and tailored to the \nthreat. Regulatory compliance can be particularly burdensome \nfor carriers who compete by providing an affordably priced \ndifferentiated service for consumers.\n    Unfortunately, even voluntary obligations can evolve into a \nmandate on industry. We support voluntary industry efforts, \nindustry standard bodies, enhanced governmental consumer \neducation and the FCC's cybersecurity stakeholder efforts along \nwith government sharing of cyber threat intelligence including \na national central clearinghouse. Finally, no carrier should be \nliable for using such information.\n    Thank you again for the opportunity to testify and I look \nforward to any questions that you may have.\n    [The prepared statement of Mr. Olsen follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Walden. Thank you, Mr. Olsen. 
We appreciate your \ncomments today and we will get back to you with questions as well.\n    Now we will turn to our final witness on the panel this \nmorning, Mr. Scott Totzke, Senior Vice President, BlackBerry \nSecurity Group, Research in Motion, RIM. Thank you for being \nhere and we look forward to your comments.\n\n                   STATEMENT OF SCOTT TOTZKE\n\n    Mr. Totzke. Chairman Walden, Ranking Member Eshoo, members \nof the subcommittee. Thank you very much. My name is Scott \nTotzke. I am the Senior Vice President of BlackBerry Security \nat Research in Motion, and I am pleased to be here to talk to \nyou on the topic of cybersecurity.\n    RIM revolutionized the mobile industry when we introduced \nthe BlackBerry in 1999, and today our products and services are \nused by millions of customers around the world. There are more \nthan 630 carriers and distribution partners in 175 countries \nthat offer BlackBerry products and services to our customers. \nMore than 90 percent of the Fortune 500 customers are \nBlackBerry customers today, and we have a longstanding \nrelationship with the U.S. Federal Government including \nCongress, the Department of Defense and the Department of \nHomeland Security.\n    Mobile communications face similar security risks as non-\nmobile communications. Several of the same types of threats and \nattacks that have existed in traditional computing platforms \ncan impact smart users today, and as the power, ubiquity and \ncomputing capabilities of smartphones have increased over the \nlast few years, the threat matrix continues to evolve \nexponentially. 
Most users have yet to realize the applicability \nof both the existing and emerging threats to what is \nessentially a smaller and more mobile computing platform that \nthey already have at their home or office.\n    An effective and comprehensive mobile security solution \nmust therefore provide protection by preventing unauthorized \naccess to the smartphone and its data, to protect the data in \ntransit over the wireless network and to protect the corporate \nnetwork using features that are built into the platform. While \ntechnology vendors can provide components of these solutions, \nit is equally important that as a mobile technology industry, \nwe help government, enterprises and consumers better understand \nthe risks involved with all types of online activities.\n    For our part, RIM focuses on designing secure and efficient \nsolutions for enterprises and consumers. RIM has a history of \nintegrating security features into its products and firmly \nbelieves that security technologies are an important foundation \nfor a digital economy. RIM has built security features in that \nallow for data to be encrypted and protected from unauthorized \naccess, to limit and control access to information on the \nsmartphone by third-party applications, and to remotely erase \nsensitive information in a case where a phone is lost or \nstolen. These controls can all be centrally managed by the \nBlackBerry Enterprise Solution, which is designed to give large \nand small organizations the ability to balance individual and \nenterprise use of BlackBerry smartphones while protecting the \nprivacy of their corporate and employee information.\n    RIM also believes that there needs to be more focus on \nsecurity testing and certification that establishes a baseline \nfor technology vendors. Without an established baseline to \nproperly gauge the security of a product or a network, it is \ndifficult to make informed decisions. 
Vendors that work to \ncertify their mobile solutions through trusted validation \nprograms provide assurances to governments and consumers who \nwould otherwise be unable to verify the security of the claims \nbeing made by the vendor.\n    BlackBerry products and solutions have already received \nmore security accreditations globally than any other wireless \nsolutions, and our consumers value this level of transparency \nwhen it comes to protecting their information. We feel that \ngreater adherence to security standards like FIPS would help \ncustomers better understand their personal and professional \ninvestments in protecting their information.\n    Lastly, this panel has raised a number of concerns \nregarding two extremely important points related to the \nevolution of security and technology in the mobile industry \nthat I would like to address. The first concern is related to \ninformation sharing. While there is increased competition \nbetween vendors, there is also an increasing degree of \ncommonality in the components used by many desktop and mobile \nplatforms. This directly translates into an evolving risk of \ncross-platform vulnerabilities, creating a level of shared risk \nthat increases the need for vendors to work together to \nresponsively disclose and address these concerns. This also \nmeans that programs such as RIM's information sharing program \nneed to fully engage with public sector entities such as the \nUS-CERT to ensure timely and bidirectional flow of security \ninformation.\n    The second issue raised here is related to supply chain \nsecurity and the impact it can have on the security and \navailability of networks. A product that has been modified or \ncreated in an unauthorized manner could pose security risks to \nthe customer's information and to the overall posture of RIM's \nnetwork, our carriers' networks or our customers' networks. 
RIM \nhas been working for several years to embed network security \nelements directly into the silicon of our products and in all \naspects of our manufacturing process to ensure that only \nauthentic products are allowed to obtain network services. We \nbelieve that this combination of hardware security, operational \nsecurity and manufacturing, facility security, software \nsecurity, network security work together to mitigate many of \nthe concerns about knockoff products or products that have \notherwise been tampered with, impacting the security of our \ncustomers' information. We support the subcommittee's efforts \nto raise awareness of this wide-reaching impact in respect to \nsupply chain-related security issues.\n    Chairman Walden and members of the subcommittee, I would \nlike to thank you again for the opportunity to provide RIM's \nperspective on these critical issues.\n    [The prepared statement of Mr. Totzke follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Walden. Mr. Totzke, thank you very much for your \ntestimony. All of you, thank you very much. We appreciate your \nbeing here.\n    I am going to lead off with questions. So Dr. Amoroso and \nMr. Olsen, you say in your testimony that you routinely track \nthreats to your networks. I assume you all do that. How can we \nfacilitate information sharing among network providers of such \ninformation while protecting consumers' privacy and companies' \ncompetitively sensitive data?\n    Mr. Amoroso. I think the big debate has been between \ngovernment and industry, right, that has been the big issue. \nLike if I go to a security conference and some hacker whispers \nto me that there is a signature that I should be looking at, \nthen I scribble it down, run back to my op center and put it in \nplace. If a government individual does that, then I can't put \nthat in the network because we would be operating as a branch \nor an agent of the government or something like that. 
So that \nseems to me a little silly, like that is something that \nprobably ought to be addressed.\n    Mr. Walden. That is the kind of specific issue we are \ntrying to drill down to here. Can you give us something more \nspecific? Where does that show up? Do you know statutorily?\n    Mr. Amoroso. Oh, yes. I mean, like the United States \nintelligence agencies and law enforcement agencies regularly \nsee different types of signatures that we don't look for. We \nare not in law enforcement. We are providing service to \ncustomers. We don't chase that sort of thing down. We chase it \nto the point where we can stop it, and that is it, but like \nintelligence groups will really dig down deep and see something \nthat we don't. For them to share that, particularly if it is \nclassified or something is awkward and it is stilted. And I \nknow in my own company whenever I get involved in something \nlike that, there is more lawyers involved in the discussion \nthan there are people in this room right now. So, you know, it \nis almost like we are disincented to even bother. So I don't \nthink it is so much whether, you know, between different groups \nwe share because, frankly, we kind of do. The Internet wouldn't \nwork if we weren't sharing constantly.\n    Mr. Walden. But are there any prohibitions? If you spot \nsomething, if you go to that conference and a hacker says look \nfor this signature, is that something that Mr. Olsen, Mr. Mahon \nand others should be looking for as well on their networks?\n    Mr. Amoroso. I am sure they do.\n    Mr. Walden. And then is there a way you can share that \ninformation with them or are there impediments to that kind of \nsharing?\n    Mr. Amoroso. I mean, we all buy services from a lot of the \nsame companies that do that. You know, we pick companies that \ndo a really great job of that. I buy from three or four \ndifferent companies that provide about the same intelligence \neverybody else is going to get. 
You know, it is pretty good, \nyou know, and they are incented to make sure it is pretty \nuseful because I pay them every month for it.\n    Mr. Walden. And do the customers. And so I guess the \nquestion then is, there is not a problem sharing information \nback and forth?\n    Mr. Amoroso. Sometimes there is, right?\n    Mr. Walden. Is that a problem we should address? We are \nlooking for barriers.\n    Mr. Amoroso. I mean, here is the classic example. AT&T had \nan exclusive on the iPhone for some period of time, so I put a \nbunch of people down in New York City, PhDs right out of school \nand I told them find ways to filter attacks being aimed at \niPhones, that will really help our customers, and they worked \nreal hard and we came up with some, and once other carriers got \naccess to the iPhone, do you really think I would want to give \nthem, you know, the fruits of the work that we are doing? Their \nincentive is to do it as well and, you know, compete with us, \nand I would like my customers to say hey, I am going to stay \nwith AT&T because they are really investing in doing protection \nand our competitors say the same thing, and we innovate that \nway. That is kind of--that is a case where, you know, it is not \nnecessary for me to share. The market is going to force our \ncompetitors to want to catch up or for me to catch up to \nsomebody else. That is the right balance between, I believe, \nall of us. But between government and industry, I think the \ninformation sharing should be more free.\n    Mr. Walden. Thank you, Doctor.\n    Mr. Olsen, do you want to comment on that?\n    Mr. Olsen. Thank you, Mr. Chairman. At MetroPCS, besides \nour internal controls and our internal systems, we also have \ncybersecurity partners, so security monitoring firms that we \nuse to monitor our network and our systems 24 hours a day. 
\nThose firms do share information between them, but if I believe \nI understand your question, there is not a central \nclearinghouse for that information for the folks that are \noutside of those security companies to easily share \ninformation. So if Mr. Amoroso recognizes a threat or is told \nabout a threat in his network, there isn't a central place \nwhere he could notify other companies or other carriers even in \nthe same industry that this threat is out there and we should \nrespond to it.\n    Mr. Walden. And is there an incentive? Because I almost a \ndisincentive to do that. If you have done the research, you \nidentify the threat, you protect your customers, why do you \ntell other iPhone----\n    Mr. Amoroso. I don't know that it is a disincentive. Keep \nin mind that when we advertise or broadcast that there is a \nthreat we are worried about, you are telling the bad guys too, \nright? I mean, so it is a little--it would be a little weird to \nbe too open about what you are concerned with. So I kind of \nlike the existing model. I mean, I think that there are \ncompanies that do this. We evaluate them, and when the \nintelligence looks pretty good, we buy it.\n    Mr. Walden. All right. My time is expired.\n    We will turn now to the gentlelady from California, Ms \nEshoo.\n    Ms. Eshoo. Thank you to all of the witnesses. Excellent \ntestimony.\n    First to Mr. Livingood, I think it is really terrific that \nyou are the first ISP in North America to fully implement the \nDNSSEC as you noted in your testimony. How do we encourage \nother ISPs to follow your lead? What would be--just quickly. I \nhave a whole series of questions.\n    Mr. Livingood. So I think on that question regarding DNSSEC \nadoption by other providers, I think it is important to keep in \nmind one thing, which is, it is not just about network \noperators, it is about banking sites, it is about other Web \nsites, software developers. 
A lot of people have to implement 
DNSSEC to make it work in the ecosystem. But specific to 
network operators, I would say that there is actually already a 
lot of that interaction going on already. You know, one of the 
beautiful things about the way that the Internet has worked and 
is successful is, there is a lot of these multi-stakeholder 
consensus-based organizations that groups get involved in. One 
of them in fact happens to be one of the CSRIC working groups 
that I am on, and they will be coming out with a recommendation 
soon, and a number of our companies participate----
    Ms. Eshoo. When will that be?
    Mr. Livingood. I think that it is due today, the 
recommendations.
    Ms. Eshoo. Oh, good. You never know on government time. 
Congress has an extensive network to ensure the security of our 
mobile devices and the network that they run on. I experienced 
this firsthand last year when I traveled abroad as part of a 
Congressional delegation, and my device became infected during 
the trip, and the device never left me. I mean, I practically 
slept with the thing under my pillow. It never was out of my 
purse. It was never left in the hotel. But nonetheless it was 
infected. The good news is, because of the proactive measures 
in place, the threat was detected prior to being reactivated in 
the House network. So as a company, what steps do you take to 
ensure that your customers, particularly those in smaller 
organizations, adhere to the same proactive security measures? 
And I guess my question is to Mr. Totzke, to Dr. Amoroso--I 
love your name, Amoroso--and Mr. Olsen.
    Mr. Totzke. Thank you, Congresswoman. I will go first. 
I 
mean, we provide a comprehensive list of guidelines for 
configuration of the device so our administrators have white 
papers and information they can access on the Web site, and our 
goal is to make sure that your administrator, your IT 
organization that looks after your device if it is a BlackBerry 
device has full control over that device at all times, so there 
is a comprehensive set of policies, more than 500 of them, that 
an administrator can send to control all aspects of the 
platform including preventing access to information or 
disallowing you the installation of software on the device. So 
we try and do that. As I think will be a common thread here, 
there is a lot of education in this industry. Security is a 
complex set of decision-making things that we have to do on a 
daily basis and a lot of risk that is really difficult for 
people to understand. We are trying to offer as much 
transparency and help to our customers through publication of 
standards and best practices and forums like this.
    Ms. Eshoo. As I understand, one way to prevent potential 
botnet activity is to isolate and block IP addresses that pose 
a threat. Do you all have the technology to do this today, and 
if so, has it been effective?
    Mr. Amoroso. I can comment. I mean, we have the technology 
to block but it doesn't work, so, you know, we can certainly--
we do try. We try real hard. Botnets all of your PCs being 
infected. That is what it is. Like we have made the mistake in 
computing of turning every person in this room into a Windows 
system administrator. That is what you do part time when you 
are not legislating. So that model is wrong, and most of you 
don't do a very good job of it, nor do I. I bet people at this 
table, we would shrug and say we probably don't do it well 
either. So we have distributed the responsibility massively and 
that risk----
    Ms. Eshoo. 
Is that what causes the complexity that you just 
discussed?
    Mr. Amoroso. Well, it is billions of people around planet 
Earth with PCs that are improperly protected, so it is a piece 
of cake to build a botnet. We watch botnets, you know, new ones 
every day, ones that are 50,000, 100,000 botnets we don't even 
bother naming. We just say oh, there is another one. We track 
them and just try to contain it. So it is not a matter of 
blocking the IP addresses, because we would be blocking you. 
You probably wouldn't like that. ``Sorry, you can't get on the 
Internet today. Why? It looks like you have a botnet.'' We 
would just shut the whole Internet down if we did that.
    Ms. Eshoo. In my opening statement, I mentioned the issue 
of supply chain and the security that I think really needs to 
be brought to that. First of all, do you share these concerns 
about the supply chain, and if so, what do you think would be 
the appropriate role for us to play in addressing it? I think 
it is a serious issue. Our telecommunications network that we 
came to more fully appreciate after our country was attacked 
was the system that we relied on. If we didn't have that, I 
don't know what we would have done. So I think that--and there 
are constant things that keep coming up relative to the supply 
chain. So I welcome any comments on that.
    Mr. Totzke. So I will answer that from a device 
manufacturer's standpoint. You know, this has been a concern 
for RIM for the decade-plus that I have been there. We have to 
understand where we get our components from, where we 
manufacture the devices, and when we started, it was real easy 
because we just made everything in our factory and it was all 
under our control and you grow into a global entity, you deal 
with outsourced manufacturing and kind of distributing that 
capability around the world with different partners. 
So it 
brings into question, you know, are you actually manufacturing 
the product you think you are making or are you getting 
something that is whole and intact. We have really focused on 
understanding what we can do to secure our products in the 
manufacturing process as well as the parts that come in. So for 
some of our strategic vendors, we are actually doing 
serialization and embedding kind of cryptographic elements in 
their silicon before it gets to us, and then our manufacturing 
process goes through a verification of every tool along the 
line, checking with RIM head office to say are you allowed to 
actually perform this operation, and the combination of 
hardware and software, so the embedded certificate is in the 
silicon. The hardware checking that the software hasn't been 
tampered with is used to authenticate the device to get 
BlackBerry services. So we know that a device hasn't been 
tampered with and it has been manufactured by RIM and it is 
intact when you first turn it on, and that authentication 
protects our network, our carrier partners' network and your 
networks, and is that hardware, software and network layer all 
working together to ensure the integrity of the BlackBerry 
services that we provide to our customers.
    Ms. Eshoo. Thank you.
    Mr. Walden. Thank you.
    We will now turn to the vice chair of the committee, Mr. 
Terry, for questions.
    Mr. Terry. Thank you, and with my 5 minutes and five 
people, I want to ask you all the same question, and that is in 
regard to the fact that you are the interface. If I want to 
have an Internet experience, I have to hire one of you. So what 
are you doing to provide me services that will protect at least 
to some extent from botnets and viruses or attacks to my 
information and my computer? And we will start from left to 
right, my left to right, Mr. Livingood.
    Mr. Livingood. Sure. Thank you. 
So I think we all have 
somewhat similar, you know, capabilities. It is a multilayered 
approach. There is not any one thing that is going to solve it. 
So it is sort of, you know, like an onion. There is lots of 
layers, and it is everything from intrusion protection that is 
at the edge of a network to things that provide denial-of-
service attack, you know, mitigation when you see those things 
to botnet intelligence systems that detect botnets and start to 
notify customers--I mentioned that in my opening statement--and 
then to notify customers, and there are also a number of things 
that we all do and we do in particular to educate customers, to 
help them understand what things they need to secure in their 
network, the software they need to manage, gets them the 
software that they need to secure their network and their 
computers. So it is a multilayered approach.
    Mr. Terry. Mr. Amoroso?
    Mr. Amoroso. That was exactly what we do, same thing. There 
are a lot of different products and product names. I mean, I 
will tell you the one thing we don't do, and that is, we didn't 
sell you the computer, we didn't sell you the operating system 
that runs on the computer and we didn't help you select what 
type of software to put on there, and increasingly the ISPs are 
getting dragged into that, and it is a difficult situation 
because, you know, a lot of times people will say ISP, you 
know, I got something wrong with my PCs, you guys are sitting 
off in a cloud somewhere watching, you should figure out how to 
fix my PC, and that is something all of us struggle with.
    Mr. Mahon. We do all a number of very similar things, I 
think, in the ISP world, you know, to protect particularly 
residential customers. I think you have heard the spyware, the 
anti-virus, parental controls. We all have education and 
awareness, you know, places on our Web site, our home page 
where you can go to. We have a botnet notification program. 
In 
fact, if your computer does become a bot on a botnet, we have a 
method to notify you and then facilitate you cleaning up your 
home device.
    Mr. Terry. Mr. Olsen?
    Mr. Olsen. I think there is a lot of commonality in the 
approaches that we are all taking. One of the distinctions that 
I made in my opening comments regarding our cybersecurity 
partners I think is really important. These are people that are 
focused, that their full-time job is cybersecurity. They are 
looking for threats all the time and they have hundreds, if not 
thousands, of customers that are feeding them information and 
they are seeing real-time threats go through many companies. So 
a threat that might hit one company, they are aware of before 
many of us would see that. So I think that information sharing 
in that cybersecurity industry is really critical and it is 
something that we value.
    Mr. Terry. All right. Mr. Totzke, you may have already 
answered this question when you were talking to Ms. Eshoo.
    Mr. Totzke. Yes. So certainly the embedded security 
elements are part of that but beyond that, you know, we have 
user- and administrator-controlled security that lets our users 
dictate what level of protection they want to put into the 
platform, and we do have services available to consumers and 
enterprises that allow for on-device encryption of data, remote 
backup, remote restore, the ability to remotely lock and wipe 
the device so you can deal with this eventuality as a mobile 
device that is going to be lost or stolen or left in a taxicab, 
so we give you the capability out of the box to deal with any 
of those eventualities.
    Mr. Terry. Good. I appreciate that. I guess the last 47 
seconds I am going to give to Mr. Amoroso. Should the 
responsibility be on the ISP providers to have a system to 
detect viruses as they enter into your network before they get 
to my computer?
    Mr. Amoroso. 
If we knew how to do that reliably, I would 
have been trying to sell you that years ago. It is a very 
difficult thing to detect viruses and malware. Sometimes we can 
kind of pick it up, and we do notify, just like the rest of 
them. I call 100 to 1,000 people every week. The problem is, if 
I really knew what to tell them, knew exactly how to fix their 
PC, I would call everybody. Why just restrict it to the ones 
that happen to notice active malware? We would tell everyone. 
The problem is, there isn't a person in this room that can tell 
you how to clean malware off your PC other than reimage your 
computer. You know, that is the best we can do.
    Mr. Terry. Can't we just tell you to stop it?
    Mr. Amoroso. I wish I knew what--you know, here is the 
reason we can't stop it. I don't know if you are familiar with 
the concept of an encrypted tunnel, but when you visit a Web 
site and see https, that means there is cryptography between 
you and the Web site and everybody says oh, that is really 
secure, you should look for that. The reality is, every hacker 
in the world knows to make sure they are pushing their malware 
through that encrypted tunnel because none of us can see it. So 
we can sort of block the Web site but they hide the malware in 
places we can't see. That is where anybody would go.
    Mr. Terry. Well, it is such a fun issue to deal with.
    Mr. Amoroso. Here is what--when we pick up malware, it is 
the equivalent to somebody falling over and having a heart 
attack on the table, and we all go, that is rapid response to 
preventive care. You fell over, you had a heart attack, I 
picked that up. That is easy. It is picking up the stuff that 
isn't easy, and that is why it is difficult for us to build 
reliable services that will detect malware because it is 
hidden. Any hacker would do it that way.
    Mr. Walden. Thanks.
    Mr. Doyle, you are up next.
    Mr. Doyle. I think we ought to just call him Dr. 
Sunshine.
    Mr. Totzke, I want to ask you about Federal workers. As you 
might know, the White House is currently working on a national 
mobility strategy to determine how the employees of the Federal 
Government are using their mobile devices, and they are going 
to decide, for example, whether all agencies can bring their 
own devices to work much like many private sector employees do. 
Now, we don't of course advocate to prescribe one particular 
type of phone for everyone to use in the Federal Government but 
what security issues do you foresee that might come up as a 
result of this if we allow all Federal workers to use their own 
mobile devices and how do you think device manufacturers can 
make sure that the data that is on the phone of Federal 
workers, especially in sensitive agencies, remains secure?
    Mr. Totzke. So as you move to more of a heterogeneous 
environment where you bring your own device for what we call 
personal liable, individual liable devices, one of the 
challenges you face is that the security of platforms is going 
to vary based on the vendor and the posture and the features 
that they built into that. So getting a consistent view of 
security and how you are protecting your information is 
probably one of the issues. There are, you know, kind of 
liability and discovery issues in more of a corporate context--
who owns the information, who owns the intellectual property if 
you have to go through any kind of a litigation, maybe not so 
much in the case of a Federal Government employee, and then how 
do you protect the information on the device, which I think is 
probably one of the more important ones. You know, there is a 
level of encryption built into BlackBerry to encrypt all of 
that data at rest, whether that is personal data or government 
data, and that is one of those that can be enforced remotely. 
But as we look at how we go into a bring-your-own device 
scenario, you know, the biggest concern that I have is this 
lack of a standard bar for protecting information, and what I 
would be most concerned about is sort of a race to the lowest 
common denominator so we have three or four competing 
platforms, so in order to allow everything we are going to 
reduce our security requirements to the bare minimum, which I 
think is the wrong thing, especially at the government level.
    Mr. Doyle. Thank you.
    Mr. Livingood, given the concerns outlined by Dr. Sunshine 
about implementing the DNSSEC, can you outline for us why 
Comcast made the decision to begin using DNSSEC and whether you 
think it has had the intended benefits that you hoped it would 
have?
    Mr. Livingood. Sure. Well, you know, the intended benefits, 
it is a long-term game there. I think one of the challenges 
with DNSSEC adoption was that you needed some critical mass for 
people to start signing their names, for people to build 
software to do that, and we felt like we could play a role in 
leading the industry in creating that critical mass. So, you 
know, that is part of the reason that we did it. I think the 
reason, you know, at root why we did that is, when the Kaminsky 
vulnerability came out in 2008, it fundamentally scared the 
heck out of us. If our customers couldn't be sure that when they 
went to BankofAmerica.com it was that Web site, that scared us 
because then, you know, they are less likely to use the 
Internet, they are not going to care as much about higher-speed 
services and so on, and that is incredibly important to us. So 
to have a way--we all certainly had a short-term fix to that 
but to have a long-term fix to that we thought was incredibly 
important, and DNSSEC appears to be that one, and we are 
pleased to help lead the way and create that critical mass to 
help adoption.
    Mr. Doyle. Thank you.
    And just in closing, Dr. 
Amoroso, I have enjoyed your 
testimony and it makes us all realize how much work we all have 
to do together to face this problem that certainly there is no 
easy answer to. But I want to thank all the panelists for your 
testimony today. It has been very enlightening.
    I will yield back, Mr. Chairman.
    Mr. Walden. Mr. Doyle, thank you very much, and we will go 
now to Mr. Shimkus for 5 minutes.
    Mr. Shimkus. Thank you.
    I kind of want to build a little bit on what my friend Mike 
Doyle mentioned, but I want a different perspective, because it 
popped in my mind when he talked about Federal workers. Where 
are you finding your cyber warriors today from? In other words, 
where are they coming out of? Are they coming from private 
universities? Are they coming out of the military? Briefly, the 
cutting-edge new people who are helping you do this stuff, 
where are they coming from?
    Mr. Livingood. So I will start. I think it is a variety of 
places, and I would say, you know, there is a need for more 
educational focus not just in cybersecurity but ICT generally, 
but we find people in a variety of ways. Some are former 
military service members, former law enforcement. Others are 
just Linux system administrators that are interested in 
security. Others are, you know, former childhood hackers or 
something like this, and they are interested in it. So it is a 
variety of things.
    Mr. Shimkus. But is there a college path? I mean, can you 
get IT training in the business schools or computer science 
classes?
    Mr. Amoroso. I would like to comment. So I have been 
teaching at Stevens for 22 years. I teach this semester. If you 
looked at my class in 1990, you would see something that would 
look like a typical college class. I went to Dickinson, 
Pennsylvania, so pretty--a mix of kids. 
My class today at 
Stevens is about 98 percent foreign nationals, and I have got 
about 65 in the classroom, and almost all of them have the 
intention of leaving the country when they complete their 
master's or PhD because they see bigger opportunities 
elsewhere.
    Mr. Shimkus. Well, and that kind of segues, and if you all 
want to jump in, you can real quick, but I don't want to forget 
the aspect of compensation for people entering the private 
sector versus the government sector. There is this debate on 
salary compensation. I don't know where it is. I mean, we have 
the same issues about bringing in the best and the brightest, 
but if we are not compensating them for what the private market 
bears, then there is another thing. Does anyone want to jump 
in?
    Mr. Totzke. Just on where we source. So there is certainly 
out of the education system, out of the military and 
intelligence, we find some people kind of moving into private 
industry. The most talented guy on my team is a high school 
dropout, and so I think using the education system as a bar 
doesn't really help identify the best talent. He would be one 
of the top recognized kind of hackers and researchers in the 
world. So it varies, and I don't think you can actually teach 
somebody to be a hacker. There is sort of if you want to be a 
researcher in that area, there is an ingrained mentality you 
are either born with or not, so it is not like I am teaching 
somebody a trade like programming and getting to a level of 
sophistication in developing software. Being an attacker is a 
much different mindset.
    Mr. Shimkus. Right. Thanks.
    You know, the debate on the Senate side, and this is how 
you provide is, what happens if the Federal Government requires 
you to follow a new government security standard? What happens 
to you? That is the debate on the Senate side legislatively. 
One has a government-imposed standard. 
One is really, I think, 
letting you guys fight the battle yourselves. So does anyone 
want to jump in?
    Mr. Amoroso. I will offer just a brief point. My guess is, 
anything you can write down that you can think of as kind of a 
best practice is already being done here, and the things that 
we are back at the shop worrying about now are things that are 
not on your list, like as an example, we talked about botnets. 
You know when I saw the first botnet? Remember Y2K? We were 
building the Y2K White House communications fusion center, and 
we were worried that we were going to get DDoS'd for one day. 
That would be really bad if you are knocked out one day and 
miss the millennium change. You can't really move that date, 
right? So we were completely freaked out by botnets then and we 
have built--a lot of people in this room, we have built ways to 
steer traffic around and fix it and now we have a service and 
we moved on to the next thing.
    Mr. Shimkus. Yes, and let me put a final challenge out 
because I do agree, how do we incent innovation in this area, 
which is part of the opening statements. Incentivizing usually 
means government money here or government tax credits. You 
know, that is all kind of persona non grata right now in this 
new world in which we live in, so I would ask you to help us 
wrap around about this, and maybe it is easing regulatory 
burdens. Maybe there are things we can do that are not a 
dollar-cents component but tax credits, things like that. It is 
very difficult to do in today's environment. I will just throw 
that out.
    Thank you, Mr. Chairman. I yield back.
    Mr. Walden. I thank the gentleman.
    And with the committee's indulgence, Doctor, could you just 
explain DDoS?
    Mr. Amoroso. I am sorry. That stands for distributed denial 
of service. Here is how it works. 
When my voice talks to all of 
your ears, it is one thing to many ears and it works great if 
you are all quiet and you listen, your ears work. But if you 
could bounce my voice off your ears to him, it would sound like 
you are all shouting at him, right? My voice to all of your 
ears and then you reflect it back, that is a denial-of-service 
attack. We hit all your PCs and then tell all your PCs to shout 
this way, and boom, it all comes and it sounds like this big 
attack and it clogs the pipes and knocks them out. That is how 
it works.
    Mr. Walden. All right. Thank you, Doctor.
    Now we go to Ms. Matsui.
    Ms. Matsui. Thank you, Mr. Chairman, and this is all 
challenging and frightening at the same time here, and I do 
appreciate all of your testimony.
    I want to go into another area here. As we look into 
developing industry best practices standards for ISPs, should 
ISPs' own cloud services be included as well as other cloud 
providers or do you think because that technology is newer, it 
could be better for cloud providers to consider forming their 
own best practices to secure data in the cloud? I would like 
Mr. Mahon and Dr. Amoroso to answer that, please.
    Mr. Mahon. Well, first of all, we are already talking to 
the cloud providers, and some of us in fact are cloud 
providers. So I do think that the conversation is well 
underway. We are very familiar with the challenges, and if you 
really think about it, the term ``cloud'' is a rather generic 
term that is probably misunderstood. It can mean a number of 
different things for a different type of customer, and so 
therefore I would say we continue to include them in the 
conversation as we have everyone else, so to speak, at the 
table as partners and the solutions that you are looking for 
are really going to have to be integrated across a very wide 
platform. So therefore I would say that you would want to keep 
them in the conversation.
    Ms. Matsui. 
OK. Thank you.
    Mr. Amoroso. So my mother has a PC at home that at this 
instant I am sure is like attacking China or something. It is 
not administered properly and she has got, you know, a big 
tower with Verizon FIOS, the whole thing. She doesn't need 
that. She would be better much served to have a cloud provider 
just take care of all of that for her, and she should just be 
using, you know, some appliance to hit the Internet. The reason 
she doesn't is because there is software on the PC that she 
wants to be able to use that hasn't been put in the cloud. So 
in general that concept is a more secure concept than my mom 
trying to do IT administration. So I think cloud in general is 
a more secure model than the one we have now.
    Ms. Matsui. Oh, OK. That is good to know.
    Dr. Amoroso, given your expertise in this area, what are 
the differences between securing wired and wireless 
communications networks and how can these differences be 
accounted for in any type of cybersecurity initiatives?
    Mr. Amoroso. Well, they are pretty big, right? The 
differences are significant. You know, if we had 3 hours, I 
could take you through the whole thing, but I will give you one 
example. Remember when--I am guessing most of you remember when 
computer security was just don't put an infected floppy in your 
computer. Remember that?
    Ms. Matsui. Yes.
    Mr. Amoroso. And it was like don't put software on your 
machine that you don't know where it came from. It seemed like 
perfectly good common sense, right? What do we do every single 
day on app stores? You know, we are downloading stuff, I don't 
know who wrote that, I don't know where it came from but boy, 
it sure looks pretty cool, I think I will download it to my 
device. That is something we are going to have to address from 
a security perspective. That is the big difference between 
wired and wireline.
    Ms. Matsui. OK. 
I am also thinking that so much of what we 
do is wireless, so much we do within our homes is wireless, and 
yet it is just so easy to do it that most people don't think 
about it at all, and I am concerned that we are not thinking as 
broadly as we should be thinking as far as some of the personal 
use, and I think it came about here with Mr. Doyle's too and 
the government area too. But it is so easy to be carrying 
tablets and different cell phones around, and for me, the part 
that is really to me quite frightening is that nobody knows 
what they don't know, and we are looking at you and you are 
saying too that there is a lot of things you don't know too, 
and we look upon you as experts, and I am hoping that we can 
build in some incentives here with sort of a sharing of 
information that goes beyond some of your commercial type of 
concerns. Because I am looking ahead, this is even getting more 
and more complicated as we develop more tablets and smartphones 
and whatever that we are losing control of the cybersecurity 
aspect of it, and the software aspect, I think you brought up, 
Dr. Amoroso, is really important, the education facet of that, 
and actually kind of building our principles and standards into 
that too.
    So that is just a comment, and I really do appreciate your 
being here, and I think I am learning more and more every time 
one of you opens your mouth, so thank you very much for being 
here.
    Mr. Walden. Thank you for your comments.
    We will go now to Ms. Blackburn for 5 minutes.
    Mrs. Blackburn. Thank you all so much, and I tell you what 
I think I am going to do is just ask my question, then if you 
all want to respond or respond in writing, that would be 
wonderful.
    First of all, going back to something that Mr. 
Shimkus 
said, I would like to hear from each of you, and you can say it 
now or send it to me, what you are seeing as the disturbing 
trends and what is kind of the next thing out there. I would 
like to know that. I would like to get an idea of how much of 
your cost of doing business is beginning to center around the 
cybersecurity issues.
    In your testimony, several of you have mentioned in one way 
or another either in response to the questions or testimony 
fear that the Federal Government could end up being more of an 
impediment than a facilitator in bolstering some of the 
cybersecurity efforts. I would like for you to speak to what 
you are concerned that we might do and then what we are not 
doing that we should be doing and hear from you in that vein 
with your consumers, I would appreciate knowing what you are 
doing to educate them. I think that one of the things that 
helps us as we work through the process is being certain that 
consumers are educated, so if I could get that bit of 
information.
    And then when we look at the hacker attacks that are out 
there, some of the anonymous attacks, some of those, there is 
one in the news today, I think there are five people that they 
are bringing forward on charges. What kind of government-
imposed performance requirements would help keep pace with some 
of the technological evolution that you are seeing in these 
cyber attacks? And if we were to do a government top-down sort 
of structure to try to deal with cyber enemies, would that be 
giving a signal to those cyber enemies? Is that kind of too much 
information for them to be able to work around?
    So those are the questions that I would love to hear from 
you on--the trends, the costs, what we are doing, what we are 
not doing, dealing with consumers, how you are educating them 
and then looking at the attacks, the cautions you would give to 
us there, and with that, anyone that wants to respond?
    Mr. 
Livingood. Sure, I can go first, and I will try to be 
quick so that others can answer. In terms of the positive 
things that government can do, I think making information 
sharing easier, there are a number of things there to help. I 
think that government has a role to play in education, whether 
that is PSAs or other kinds of education for, you know, end 
users, for citizens. I think there is also an opportunity to 
help incent or fund additional R&D. I know that NIST and other 
groups try to do research and security and other Internet 
futures. I think there is more that can be done there that is 
important.
    And in terms of things to be careful of or be aware of, I 
think it is to be aware of mandates and be careful of mandates. 
I think we don't want to be focused on checklists and 
compliance. We want to be focused on innovation and the threats 
of tomorrow, not sort of the threat today.
    Mrs. Blackburn. Thank you. Anyone else?
    Mr. Olsen. Well, I could just make two comments. Several of 
the questions and comments today mentioned incentives. I can 
tell you as an IT professional, we are heavily incented to make 
sure that we are protecting not only our internal resources but 
all of our partners that are interconnected with our systems. I 
think one of the things that is a little scary so far is, we 
monitor all of our customer service channels, our call centers, 
stores, Web site, and we are not seeing a lot of requests from 
our customers concerning their own security of their handsets 
and devices. So I think education is certainly going to be 
important. I think there is just not a general awareness in the 
consumer population how big an issue this is.
    Mrs. Blackburn. OK.
    Mr. Mahon. Maybe a comment more around why it is so 
difficult to regulate this arena. 
We have been speaking here \nrather generically about mobile devices and cybersecurity \nthreats, but it is a much broader problem depending on what \ncategory you are looking at and because there are multiple \ncategories of threat actors trying to be--finding a solution in \na prescriptive way is very difficult. If you think about who is \ncoming at you and why they are coming at you, you could have a \nnation-state coming at you for all sorts of reasons. They could \nbe coming at the Federal Government for military reasons, but \nthat same nation-state could be coming after a corporation for \nintellectual property, everything from understanding that that \nintellectual property is not just a 50,000 corporate \nenvironment, it could be in a 50-person law firm doing your M&A \nactivity for you. So you have that broad landscape if you are \nlooking at nation-states.\n    If you are looking at criminal activity, sure, you have \nwhat used to be the script kiddy doing something that was \nrelatively harmless and maybe at best you have hired them today \nas your network administrator if they grew up, but on the other \nhand, you have organized crime looking at more broadly the \nworld and how does it make money. If you look at the recent FBI \ninvestigation of the DNS-changer malware that infected hundreds \nof thousands of computers, then you can take a look at your \nanonymous and others that are more hactivists trying to make a \npoint, and then you come down to your insider threat in your \ncompanies that are doing it to you.\n    So if you think about that landscape and the data that they \nare after, they are after it for sometimes different reasons. \nWhen you try to put a regulatory overlay on that, it is very \ndifficult to put us in a position to respond to those kind of \nfour broad categories, and then at the same time make sure we \nhave our checklist compliance programs going. Thank you.\n    Mrs. Blackburn. Thank you. Yield back.\n    Mr. Walden. 
The gentlelady is yielding back and now \nrecognize the gentlewoman from the Virgin Islands, Dr. \nChristensen.\n    Mrs. Christensen. Thank you, Mr. Chairman. Good morning, \neveryone. Thank you for being here.\n    I have a couple of questions. Let me begin with Mr. \nAmoroso. You suggest in your testimony that Congress define the \nroles of the various executive branch agency in cybersecurity. \nWhere do you see the FCC as an independent agency playing a \nrole?\n    Mr. Amoroso. Well, I don't--I mean, I don't think there is \nan agency right now that is in a good position to come in and \nsolve a problem that we can't solve ourselves. I mean, if it \nreally was the case where you could write out these five things \nthat we should all be doing and for whatever reason--\nnegligence, ignorance, whatever--we are not doing it, then you \nreally do need somebody in government to shake us, you know, \ninto action. The problem is that we don't know what it is that \nyou should be telling us we should be doing. That is why we are \npointing to innovation as the key. So it is almost kind of a \nmoot question, whether it should be DHS or FCC or whomever \nbecause I am not really sure what they should be telling us. \nThat is the problem. And there are some things, like I said, I \nam part of the team trying to make recommendations. I am not--\nyou know, I don't want to lead you to believe that we are just \nkind of punting. It is such a hard problem. But I would just \nsay from an agency perspective, if there was an obvious set of \nthings that should be done right now, I am kind of thinking the \ngroups that are here would be doing it. You know, we are \nincented to do that. That is the problem. So I hope that \naddresses the question.\n    Mrs. Christensen. OK. Yes, thank you for that answer.\n    Mr. Livingood, you mentioned that Comcast is an active \nparticipant on the FCC's Communications Security, Reliability \nand Interoperability Council. 
So could you just describe for us \nhow you envision the council's contributing to the improvements \nin cybersecurity, especially with respect to the types of \nattacks that the council is addressing--botnets, Internet route \nhijacking, the main name fraud, et cetera?\n    Mr. Livingood. Sure. There are a number of working groups. \nI am on one. One of the folks that works for me, Mike here, is \na chair of one of them, and they focus on things like the \nsecurity of the routing infrastructure, DNSSEC and a whole \nrange of other things, and I think that, you know, that is a \nprocess that works pretty well. People voluntarily get involved \nand they work together on what they think the current best \npractices are, and that is a process that repeats regularly \nevery year so that it is not static and it is not sort of--you \nknow, in 2008, we came up with some best practices and that is \nwhat we are still focused on. It is something that gets renewed \nand refreshed all the time and so we can look at every new \nthreat as it comes out, and that is one of many places that we \nall work together. You know, there are lots of others--the \nNorth American Network Operators Group, Message Anti-Abuse \nWorking Group and a whole range of others, other acronyms that \nI could go on for minutes about. But I think groups like that \nare good because they are consensus-based, they are voluntary \nand they are focused on best practices and really current \nissues.\n    Mrs. Christensen. And while your customers are mainly using \nyour service for in-home computers, they also use the WiFi \nnetworks and cellular networks to access Comcast email and \nother Comcast video products, so how do you continue to ensure \nthe same cybersecurity protections you develop for your core \nservices extend to these uses as well?\n    Mr. Livingood. 
So a number of our security protections are \nthings that a customer can download and install on their device \nlike their home computer, but we have a bunch of things that \nare on our network like our Constant Guard system, which is a \nbot intelligence and other security threat system, and that is \nthere for customers that might just be bringing a device into \ntheir network, maybe it is a friend that is visiting their \nhouse and they are on their WiFi network and they happen to \ntalk, say, a botnet, you know, we will see those kinds of \nthings. And so, you know, we can alert customers to that. So \nwhether they have installed software that we have provided on \ntheir device or not, we still have tools in the toolbox to \nidentify that and help them--you know, tell them about it and \nhelp to solve it.\n    Mrs. Christensen. Mr. Amoroso, you stress the need to \nfoster informations sharing, and we have talked about that a \nlot here between the government and private industry as well as \namong private companies. What protections do you think are \nnecessary to protect civil liberties and consumer privacy, and \nwhat do you believe would be the reasonable boundaries to \nliability protections and antitrust exceptions?\n    Mr. Amoroso. Well, the issues you raised are the reason we \nhave those impediments now because, I mean, I am an American, I \nwant civil liberties, I want all those things, so that is the \ncurrent state, that we have swung the pendulum in the direction \nof making absolutely certain that we are protecting civil \nliberties. That is a good thing. So the question is, how do we \nsomehow preserve those liberties and also allow all of us, you \nknow, to know if there is some malware thing. I really think we \nhave to figure that one out. 
I am not sure I can give you a \nreal good answer on how we do it, but I think it has to be a \npretty high priority because the motivation, everybody's shakes \nand goes yes, if there is not malware, there is not really a \ncivil liberties issue, Comcast should know that blah, blah, \nblah is a problem and they can code that into their system.\n    So somehow we just have to maybe get the lawyers out of the \nroom and come up with some kind of a commonsense approach. But \nthat is the reason, all the things you listed. That is why we \ncan't take those signatures today.\n    Mrs. Christensen. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Walden. Thank you, Dr. Christensen.\n    Dr. Amoroso, you should have seen the people shake behind \nyou when you said get the lawyers out of the room.\n    Let us go to Mr. Bass from New Hampshire.\n    Mr. Bass. Thank you very much, Mr. Chairman.\n    I have a couple questions for Mr. Livingood, but before I \nask those questions, can I ask a mobile or smartphone question \nfor dummies? Is there a difference in cybersecurity issues \nbetween an iPad or a smart device like this and a laptop or \ndesktop computer? Make it quick, because I want to ask some \nother questions. Can anybody answer that question for me?\n    Mr. Amoroso. Well, there is probably a firewall between \nyour PC at work or something on a wired land so we can do more \nfiltering and policy control. With your wireless, you go direct \nto us, to the ISP, and we have been incented and led, you know, \nparticularly in Washington, push the packets, don't look at \nthem, don't do anything, God forbid you impose any kind of \npolicy or filtering, so we do nothing, so your connection from \nwireless is directly to the Internet whereas your wired \nconnection probably has some IT group at work.\n    Mr. Bass. So is this unit here exposed to bots and--is \nthere a cybersecurity issue associated with my iPad?\n    Mr. Amoroso. 
I don't know what you are connected to, but \nyes.\n    Mr. Bass. Well, let us say I am connected to Comcast, which \nis what I am connected to.\n    Mr. Livingood. Yes, there sure are those issues and, you \nknow, I think those are a new class of device, and a lot of the \nhackers and other criminals, they are very focused on return on \ninvestment. They are focused where the biggest platforms are \nand so the more that those devices get out there, the bigger \ntarget that makes and so they will see, OK, I can spend a \ncouple of days developing this and I have got a few million \ndevices. So you will start to see more and more of those \nthings, and depending upon the tablet that you have, some are \nmore vulnerable at the moment than others, but, you know, that \nis something that a lot of Americans are buying and so that \nwill be the next threat. It will be those type of devices.\n    Mr. Bass. Who is responsible? Is Apple responsible for this \nor are you?\n    Mr. Livingood. Well, I think it is a variety, so I think \nwith that device, Apple plays a role. With the Android devices, \nGoogle plays a role. And then all the software vendors that \nmake the apps that go on that play a role. But there is also a \ncomponent of customer education, and I am sure over time, you \nknow, just in the same way that we have software that runs on \nPCs to provide security, you know, that is going to start to \ndevelop and evolve for tablets and provide that extra level of \nsecurity as well. We are at the early stages of that adoption \ncurve.\n    Mr. Bass. And the same is true for BlackBerry, right?\n    Mr. Totzke. Well, I mean, all of the tablets are going to \nhave different risks and different threats, and we look at it \nin terms of how we protect our platform. 
But the theme that I \nkeep hearing over and over, and I think it is one that this \ncommittee has really highlighted, is the need for education, \nright, and when you talk about computer security, one of the \ninevitable comparisons is to driving a car, right? We don't let \npeople drive a car without a license but we let them get on the \ncomputer, connect to the Internet and download software without \nreally understanding what those risks are, and that piece of \neducation--I am not suggesting we license people to use a \ncomputer but we do need a level of sophistication and education \nin how we inform people of risks that they have when they \nconnect a device.\n    Mr. Bass. Fair enough. I just want to ask a couple \nquestions about the Constant Guard Protection Suite. I note in \nyour testimony, Mr. Livingood, on page 6, it says ``At Comcast, \nwe understand that securing cyberspace is a complex task'' and \nso forth. ''Education, prevention, detection, remediation and \nrecovery are the core objectives of our anti-malware efforts.'' \nDoes Comcast require its customers to download the Constant \nGuard Protection Suite, and if not, how is the customer going \nto know that it exists and how are you going to notify them \nthat they have a problem?\n    Mr. Livingood. So it is not required that a customer \ndownload that to use our service. You know, they just have to \nhave normal Internet connectivity to do that. But we do a lot \nto make customers aware of that and to incent them to download \nit both before they have an issue and after. So before they \nhave an issue, you know, when they are installed, they are \ngiven a lot of information about the things that are available \nfor them and they are given links to that and so on. When they \nget a welcome email from us when they sign up for service, we \nare reiterating that for them. And we do a lot of things on our \nWeb site and other places to promote the fact that these are \navailable. 
Certainly after they have an issue and we notice it, \nwe drive them to a remediation portal, and that is one of the \nfirst things that we recommend that they download is that suite \nand we take a number of other steps. So we do a lot of \neducation upfront. We do a lot when they come on. We call it \nonboarding when they come on as a customer. And we do things \nwhile they are a customer to keep reiterating that and then \nafterwards.\n    Mr. Bass. Real quick. It is limited to Windows operating \nsystem, correct? How long has it been around?\n    Mr. Livingood. That protection suite is pretty recent. I \nthink that is a little bit more than a year. That is a \nsupplement to a larger anti-virus and security suite that we \nhave had for many, many years that is----\n    Mr. Bass. And real quick, because I have run out of time. \nWhat business incentives, if any, did you get or did you have \nin developing and offering this service?\n    Mr. Livingood. Well, we view it in two ways. Number one, \nthere is a competitive incentive if we can be seen as having \nmore security features or more secure than the next guy, \nsomeone chooses us as their ISP rather than someone else, but \nthe other thing is that customers when they come on board as a \ncustomer used to tell us that the two reasons were price and \nspeed, and today, it is price, speed and security. So customers \nare very aware increasingly so, not aware as they need to be \nbut very aware these days about security. They ask about those \nthings when they call us up to order service. And so we view it \nas a competitive feature that we need to add, and that is why \nall of the things that we are doing as part of Constant Guard, \nDNSSEC and other things, are important to us.\n    Mr. Bass. Thank you, Mr. Chairman.\n    Mr. Walden. Thank you.\n    Now we go to Chairman Dingell for 5 minutes.\n    Mr. Dingell. Mr. 
Chairman, thank you.\n    Gentlemen, we have much to do in little time, so I am going \nto try to ask questions that you will answer yes or no to \nstarting now with Mr. Livingood. Gentlemen, you all seem to be \nin agreement that imposing new Federal cybersecurity \nregulations on industry would stifle innovation and harm \nindustry's ability to protect consumers from cyber threats. Is \nthat correct, yes or no, starting with you, Mr. Livingood.\n    Mr. Livingood. Yes, I am concerned about that.\n    Mr. Dingell. Mr. Amoroso?\n    Mr. Amoroso. Yes.\n    Mr. Dingell. Sir?\n    Mr. Mahon. Yes.\n    Mr. Dingell. Sir?\n    Mr. Olsen. Yes.\n    Mr. Totzke. Yes.\n    Mr. Dingell. Now, gentlemen, let us assume for a moment \nthat the Congress will pursue the no-regulation path in this \nmatter and instead facilitates greater information sharing \nabout cyber threats between industry and the government. Would \nthat be your collective preference? Yes or no.\n    Mr. Livingood. Yes.\n    Mr. Dingell. Sir?\n    Mr. Amoroso. Yes.\n    Mr. Mahon. Yes.\n    Mr. Olsen. Yes.\n    Mr. Totzke. I would agree.\n    Mr. Dingell. Gentlemen, thank you. In that case, would the \nCongress need to consider granting exemptions to the antitrust \nlaws and the Federal Trade Commission Act in order to allow the \ncompanies to share cybersecurity information amongst \nthemselves? Yes or no.\n    Mr. Livingood. Yes.\n    Mr. Amoroso. Yes, I think that is correct.\n    Mr. Mahon. Yes.\n    Mr. Olsen. Yes.\n    Mr. Totzke. I unfortunately can't comment on that.\n    Mr. Dingell. Very good. Now, gentlemen, similarly, do you \nbelieve that a safe harbor provision should be created in \nstatute to permit companies to share serious cyber threat \ninformation with government agencies without fear of class \naction or other lawsuits being brought against them? Yes or no.\n    Mr. Livingood. Yes.\n    Mr. Amoroso. Yes.\n    Mr. Dingell. 
The reporter doesn't have a nod button, sir, \nso you have to say yes or no.\n    Mr. Mahon. It is a yes.\n    Mr. Dingell. Thank you.\n    Sir?\n    Mr. Olsen. Yes.\n    Mr. Totzke. I am afraid I can't comment on that. I don't \nknow.\n    Mr. Dingell. Now, gentlemen, my last several questions have \nbeen premised on a no-regulation scenario wherein the Congress \nadopts legislation to promote information sharing between \nindustry and government. Would you please submit for the record \nwhat enforcement tools you believe the Federal Government would \nhave in this scenario to ensure that industry is adequately \nguarding and being guarded against cyber threats? I am asking \nto make a submission there for the record because of the \nshortness of time.\n    Now, gentlemen, let us assume that the government would \nhave some role in promoting cybersecurity in the private \nsector. If the Federal Government were to require the \npromulgation of cybersecurity standards, should such standards \npreempt State laws? Starting with you, Mr. Livingood, yes or \nno?\n    Mr. Livingood. Yes. It is easier to have one standard.\n    Mr. Amoroso. Yes, I don't know. I am not sure. I haven't \nreally thought that one through.\n    Mr. Dingell. And you, sir?\n    Mr. Mahon. Yes.\n    Mr. Dingell. Sir?\n    Mr. Olsen. I will have to agree with Dr. Amoroso. I haven't \nreally considered that.\n    Mr. Totzke. Yes, and I can't comment on that either.\n    Mr. Dingell. Now, gentlemen, I have read with some interest \nin Mr. Olsen's testimony that, and I quote, ``the ongoing \nevaluation or MetroPCS's security program is based on periodic \ninternal and third-party assessments and auditing.'' Would your \nrespective companies object if such audits were government \nmandated? Yes or no.\n    Mr. Livingood. No, we already provide all those things \nalready. We already do that.\n    Mr. Amoroso. I think we would object, yes.\n    Mr. Mahon. We would object.\n    Mr. Dingell. 
You would object?\n    Mr. Totzke. Yes, we would.\n    Mr. Dingell. All right. And then let me come back and ask \nyou to explain that, if you please?\n    Mr. Totzke. Yes, we would probably object but we do this \nanyway. We always do that.\n    Mr. Dingell. Now, those who have indicated no, would you \nplease explain briefly?\n    Mr. Amoroso. I can explain. When you write a law, we do \npaperwork, so I take people away from doing their day-to-day \nwork to sit and do work. We have an ops lab, and one of our \nfavorite things to show people in the ops lab is along one of \nthe walls, we have got about a mile's worth of ring binders and \nthey always say there is the government paperwork followed by a \nlot of sort of chuckling laughter, but it is true. You know, we \ndo have a great of paperwork that we fill out, you know, when \nwe are dealing with different Federal groups or Sarbanes-Oxley \nor whatever. There is a lot of paperwork, so I am just \nsuggesting that if we are already doing it and government comes \nin and says I need you to fill out this compliance checklist, \nyou are taking people away from the work to do paperwork. That \nis why we would object.\n    Mr. Livingood. Very quickly, if I can just make a note very \nquickly. I think this is dangerous sending an engineer \nsometimes, but I am told that we might have objections. We \nwould object and have the same concerns.\n    Mr. Dingell. Gentlemen, thank you.\n    Mr. Chairman, thank you for your courtesy.\n    Mr. Walden. Mr. Chairman, thank you for your questions. I \nthink you got to the heart of the matter quickly.\n    We now turn to the chairman of the House Intelligence \nCommittee and a very important member of our subcommittee, Mr. \nRogers.\n    Mr. Rogers. Thank you, Mr. Chairman. Thanks for having the \nhearing. Thanks to the witnesses as well.\n    I think one of the big problems that we run into in this is \nthat we haven't really sounded the alarm bell. 
I think in all \nof the circles of people who look at this every day, all the \nsecurity shops, the IT security shops across America, they know \nwhat the problem is. Average users don't see it, and that is \nwhy there is no hew and cry, I think, yet about how we get this \nfixed. But I appreciate all your comments today.\n    You talked, each of you, about the importance of \ninformation sharing and keeping it as clean and simple as you \ncan. Talk about how that would work. So if we bring the folks \ntogether, we are sharing the government secret sauce with you \nall and you are sharing back malicious ware that maybe the \ngovernment is not aware of, talk about how fast this is. There \nis a lot of talk about civil liberties, and I think people have \nthis visual that people are reading emails, some guy named Bob \nin Cleveland is reading everybody's email to find this \nmalicious software. It is not how it works. As a matter of \nfact, if that happens, it is a miserable failure. Can you talk \njust a little bit about how you envision that that would with \nthe sharing arrangement, real time, no regulatory, all \nvoluntary? Can you talk about that quickly?\n    Mr. Amoroso. Yes, I would be happy to. First of all, I want \nto compliment you on your legislation. I think that there is \nsome real nice elements in the work you have done. First of \nall, real time, absolutely. Independent auditable, I think is \nimportant so that somebody can come in and look a the way this \nis done, but it also has to be controlled like blasting it out, \nyou know, over the Internet would be a really bad idea but I \nthink you need the balance, right, this real time but also the \nability to come back and look at the process, make sure it is \ntransparent without, like I said, exposing it to our \nadversaries. That is the right way to do it.\n    Mr. Mahon. There is also different levels of sharing by \nindustry. 
I think you have to look at how you do your risk \nassessments on each category that I previously described but \nthere is also right now a very good example out there of what \nis working well, and that is the defense industrial base pilot \nthat is going on, and that particularly is supporting defense \ncontractors and DOD, but you can expand that to the financial \nservices industry and other industries.\n    Mr. Rogers. And just for clarification, when we talk about \nreal time, I have seen numbers as high as 100 million a second, \nthe packets of information flying around. So if this is going \nto work, the malicious source code has to be compared at an \nincredibly fast rate. Can you talk about that from an \nengineering perspective? Anyone?\n    Mr. Livingood. So I think one of the challenges is trying \nto do any kind of pattern matching. A lot of the malware that \nwe see and have seen for a number of years is sort of what is \ncalled polymorphic where it changes. Every individual, you \nknow, instance of it is different from the next so a lot of \nstuff changes. It is not like it is with anti-spam where you \ncan match on a few key words or a file attachment and know, you \nknow, that is it, that they target and flag it that way. So you \nneed to come up with ways, and a number of us have systems like \nthis and there are others that are in development that can do \nthis on a wider basis, but that is the very challenge that you \nare getting at, which is doing that in real time. It is \nincredibly difficult and you are at the edge of computer \nscience at that point.\n    Mr. Rogers. Which is why I think many of you have told us \nbefore the legislation was written, be careful about the \nregulatory scheme. If we slow you down, if we give you another \nrow of books down your mile-long hallway there, it doesn't \nwork. 
I mean, we already have outdated what you are trying to \naccomplish in the room, and this is a value added not only for \nyou but for the government, is it not? The government also gets \nbenefit from the protection of all of your great work in the \nprivate sector, correct?\n    Mr. Livingood. That is correct, and there are two things \nthat I think that raises that are interesting. One is, by the \ntime that a very prescriptive law would be written, by the time \nthat ink was dry, the threats would have moved on and so you \nhave got to be able to be flexible. The other is that we all \nneed to have, you know, with our software developers and \nsecurity specialists, you know, they need to be hard at work in \na room, not with half a room full of lawyers with them slowing \nthem down and asking questions about, you know, why are you \ndoing this and that. They need to be at work every day trying \nto solve this problem.\n    Mr. Rogers. And I have to say for the record, this may be \nmy favorite panel of all time since I have been in Congress. \nNever so often have a group of engineers belittled lawyers at \nthe table. You have warmed my heart today. We have faith that \nwe are moving forward.\n    I wish we had time to talk about all the issues. I am very \ncurious about how you would fix the programming issue, a huge \nproblem for us as we move forward. We didn't talk about \nexfiltration, which is very difficult for any of you to catch, \nwhich I would argue right now is the single greatest threat to \nour economy moving forward, aside of the things that we know \ntoday.\n    Mr. Walden. Would the gentleman yield?\n    Mr. Rogers. Yes.\n    Mr. Walden. Could you outline exfiltration?\n    Mr. Rogers. Sure. It is--we know that nation-states today \nare engaged in getting on to your network lurking. They will be \nthere for a very long time. You don't know it. Your system \nadministrators don't know it. These folks can't catch it. 
\nSometimes the government--a lot of times the government can't \ncatch it either. And then they will latch on to that \nintellectual property that is on everybody's computer today, \nall those designs, everything that is of value to that company, \nand at the right time at the right speed, they latch on to it \nand run like heck through your network and take it back. And we \nknow a country like China, who is investing in this as a \nnational strategy to exfiltrate intellectual property and then \ndirectly use that intellectual property to compete against \nUnited States businesses, and unfortunately, it is happening at \na breathtaking pace, breathtaking pace, and what is concerning \nis, these folks are looking for malicious software that is \ndisruptive or theft-oriented. This is very sophisticated, as \nsophisticated as any you will see, and incredibly hard to \ndetect, and they really don't want to break anything. They want \nto get in and steal it without you knowing it, and that is what \nis so troubling about it.\n    Hundreds and hundreds of thousands of jobs are lost every \nyear for the theft of that intellectual property that is being \nreprogrammed commercially against U.S. companies. This is as \nbig a problem as I have ever seen and it is one of the many \nthings that keeps me up at night, Mr. Chairman, so thanks for \nletting me explain it, and it is something we didn't really get \ninto today because that is really not the focus of what they \ncan even watch. So that is why this information sharing I think \nis so important. It would help American businesses by the \nFederal Government having information and being able to \nidentify that code, share it with the right partners. It is \namazing what we would be able to stop.\n    Mr. Walden. With the indulgence of the committee members, \nperhaps given the importance of that topic you could each if \nyou have anything you want to add on that area, and then we \nwill go to Mr. Stearns and Mr. 
Gingrey. Does anybody want to \ncomment on that?\n    Mr. Amoroso. I will. It is called advanced persistent \nthreat, and he has got it exactly right. It is somebody \ntargeting any of you, like we know the folks that you run \naround with, we can craft a fake email that looks pretty \nrealistic, point you to one of these Web sites that establishes \na tunnel. It drops a remote access tool on your PC. You know \nhow you log in when you do remote access from work or from \nhome, wherever you are doing it? This is the hacker now doing \nremote access to you. You are now the server, and once they are \non, they can troll around your PC, your network and so on, and \nthe intellectual property theft has become significant. It is \nprobably the number one thing I bet all of us, you know, when \nwe go back, we talk about bot nets here and we talk about DNS, \nbut that is not what we deal with when we go back to the \noffice. We are dealing with APT, which is kind of our point, \nright? We are ahead of the discussions here, things that we \nhave been dealing with in the past and the things we deal with \nnow are probably things we will be here testifying about 5 \nyears from now, so that is an issue.\n    Mr. Totzke. And just to echo Dr. Amoroso, the advanced \npersistent threat, I mean, these are remarkably sophisticated \nadversaries. They are slow. They are patient. They will lurk on \nyour network for years. And, you know, I came from our Canadian \nheadquarters. We had a large company go out of business, \nNortel, and part of the attribution of that is loss of their \nintellectual property to a foreign State-level adversary, you \nknow, siphoning secrets right off their network.\n    So when you look at that, this is a serious concern. As Ed \nmentioned, 5 years from now, you will probably be looking at \nthat. That is how advanced they are. 
It is great that you are \nlooking at it now, Congressman, because the threat is real, it \nis persistent today, and as you stated, it is a threat to jobs \nand it is an economic threat to the United States and \nelsewhere.\n    Mr. Walden. Thank you.\n    Mr. Rogers. Thank you, Mr. Chairman, and just for the \nrecord, I want to thank Mr. Mahon for his 30 years of FBI \nservice as well. Thank you for all the time you have put on the \ntarget, sir. Thank you.\n    Mr. Mahon. Thank you.\n    Mr. Walden. You would think Rogers was a former FBI agent \nhimself.\n    Let us go to Mr. Stearns now.\n    Mr. Stearns. Thank you, Mr. Chairman.\n    Let me take my questions a little bit along the lines that \nmy colleague from Michigan talked about when he talked about \nadvanced persistent threat. Dr. Amoroso, when you did your \nopening statement, you were speaking quite eloquently in \ntalking about malicious software, malware, you talked about, \nand you painted this picture that the malware itself you were \nimpressed how well it was developed, put together, and you sort \nof alluded to the fact that it was almost not unpenetratable \nbut it was to the point you were respectful of it and were not \nsure we were keeping up. Is that my interpretation of what you \nsaid?\n    Mr. Amoroso. That is exactly right. We are definitely not \nkeeping up. We are trying. But think of the dizzying pace of \ninnovation that you see out in Silicon Valley, right? I mean, \nnew things every day. The hacking and the malicious adversary \ncommunity, they are moving at the same pace so the job we have \nis, we have got to keep up, and you would say hey, guys, you \nbetter be ahead of them like not even enough to just kind of \nkeep up, you better be ahead. So we are always going to be sort \nof biased.\n    Mr. Stearns. So you are saying you are always catching up?\n    Mr. Amoroso. Let us go faster. We have to innovate. We have \nto go faster.\n    Mr. Stearns. 
Is that true, you think you are always \ncatching up then? That is what you implied to me by saying the \nrespectability you had for this malware.\n    Mr. Amoroso. Yes.\n    Mr. Stearns. Is this true for adware, spyware, grayware, \nall these others? Is it also applicable to that too?\n    Mr. Amoroso. Yes. APTs are the best, right? I mean, APT, \nthis exfiltration point that the Congressman spoke about, that \nis the elite kind of attack vector in 2012.\n    Mr. Stearns. OK.\n    Mr. Amoroso. Spyware, maybe not so much.\n    Mr. Stearns. Now, with the malware, who are these people \nthat are doing this specifically? Can you name them?\n    Mr. Amoroso. I can't. I am not law enforcement. You might--\n--\n    Mr. Stearns. Is there anybody on the panel--when Dr. \nAmoroso talked about this malware so respectfully and how \neloquently it is put together, can anybody tell who we are \ntalking about?\n    Mr. Mahon. I think if you take a look at the most recent \ninvestigation conducted by the FBI on the DNS malware, you will \nsee that was a group of individuals operating out of Estonia \nthat basically sent malware to individuals in various forms in \nemails, and you clicked on it and it infected your computer in \na way that it directed you when you went out to do a DNS-type \nsearch, you were looking for, I don't know, Amazon.com or some \nother company, you really went to their servers and their own \nservers were actually embedded in various locations in the \nUnited States.\n    So these are organized crimes. They have figured out how to \ncapitalize on the money you can make with the malware.\n    Mr. Stearns. Are these people, for example in Estonia, are \nthey part of a mafia, underground, an organization that is \nlarger than just in Estonia, without you revealing any----\n    Mr. Mahon. These are no longer just individual hackers. 
\nIndividual hackers are out there but now they have actually \nformed themselves into types of federations to work together.\n    Mr. Stearns. Across the world?\n    Mr. Mahon. You can do it across the world. There are \ncertain hacking groups you can join and be a member from \ndifferent countries.\n    Mr. Stearns. So it is like a fraternity? You say I am a \nmember of the Estonia----\n    Mr. Mahon. Estonia just seems to be a hotbed right now, I \nthink because of how the economy is run over there.\n    Mr. Stearns. Anyone else?\n    Mr. Livingood. If I could add to that, I think it is \nactually pretty interesting. This is a very large and very well \norganized underground economy. They are specialized. They have \nsome people that write tools, other people that rent access to \nbot networks so you can rent botnets by the hour. You can tell \nthem where you want people--where you want the bots to be, what \nkind of computers, you know, payment network mechanisms between \nthese parties. So it is very sophisticated and, you know, if \nyou think about from a criminal standpoint, it is a lot easier \nto get a return on investment on this type of thing than it is \nto go out and do physically oriented sort of crimes, and the \nscale is so much larger. These are folks that operate across \nborders internationally and there is just an enormous amount \nof, you know, economic incentive for them to do it, and it \nunlike APT, at least in some respects, this is primarily an \neconomic crime. APT is focused certainly on economics but more \non intellectual property or embarrassing companies. This is all \nabout the money.\n    Mr. Stearns. Well, I guess, Mr. Mahon, is there a \npossibility that we have terrorists involved with this that are \npart of Estonia? The terrorists could go to this group or this \nfederation across and are using them? Is that----\n    Mr. Mahon. Absolutely. Terrorists use these types of \nschemes for funding. 
Number one, they need funding for their \noperations. And number two, they use it just as a \ncommunications system. They know they are being looked at. So \nthe ways they need to communicate are surreptitiously in a \nmanner that they can't be intercepted, so they use these types \nof technologies to communicate with one another, but they have \nto fund their operations.\n    Mr. Stearns. I guess the basic question is, and this is \nprobably the premise of understanding what this hearing is all \nabout, what could we as legislators on this subcommittee or the \nfull committee or Members of Congress, what can we do to make \nit easier for you to operate and at the same time give you the \nwherewithal to compete and what should we not do? What should \nwe do and what should we not do? And just as a closing \nstatement, Mr. Livingood, if we could just go down the panel \nand each give what we should do and what we should not do, that \nwould be helpful.\n    Mr. Livingood. Sure, of course. I think what you should do \nis help make information sharing easier, remove those \nimpediments. I think also there is a role for government to \nplay in education, whether that is PSAs or other things, to \nraise awareness about security issues, and I think that there \nare R&D types of things through agencies that you can help fund \nto focus on this.\n    I think what you should not do is focus on mandates and \ncompliance. That enables us to focus instead on innovation.\n    Mr. Amoroso. That sounded good. I would exactly repeat \nthose comments. I will add one additional, and that is that you \ndo have some influence around the Federal procurement process, \nso a lot of times we see procurements come out and we scratch \nour heads and say don't you think there ought to be, you know, \nlike through GSA there is this MTIPS program, a lot of us are \nMTIPS vendors. There ought to be more business. There isn't. 
So \nI would recommend that that procurement process ought to be the \nmost secure process in the entire world.\n    Mr. Mahon. You know, I would echo what both of them said \nand just add the importance of information sharing. We have \nlimited resources. We conduct risk assessments when we are \ntrying to decide on impacts and probability of events based \nupon the information we have at the time. If a government \nagency or another carrier has additional information and we \ndon't factor that into our analysis, we are really misaligning \nour resources and how we develop our countermeasures.\n    Mr. Olsen. I think there is a lot of commonality among the \npanel here on what we would like to see. I think just add a \nlittle bit to the information-sharing area. I think the Federal \nGovernment has access to information through various agencies \nthat are watching the country's cyber borders and we have seen \nin our company the vast majority of reconnaissance scams and \nattempts to gain access are coming from China and Eastern \nEurope, and I think the Federal Government would be in a good \nposition to monitor and provide more information on that.\n    Mr. Totzke. Going last, I get to say I agree with everybody \nelse on the panel here, especially I want to hammer that \ninformation sharing from government to industry. The purview \nthat intelligence agencies have and that you have in terms of \nwhat you see is much different than what we see. So my team \nworks with Dr. 
Amoroso's team on areas of commonality between \nRIM and AT&T where we think we have issues that need to be \naddressed that impact the security of our customers but we \ndon't necessarily get that feedback from the government about \nwhat do you see that we need to be aware of, and if there is \nanything I could ask for, it is a more transparent, more real-\ntime information-sharing mechanism to let industry know what \ngovernment knows so we can act to protect our networks and by \nextension protect your information.\n    Mr. Walden. Thank you.\n    Mr. Gingrey, thanks for your patience as we have gone \nthrough the hearing. You are the last----\n    Mr. Gingrey. Mr. Chairman, you took the words right out of \nmy mouth. I think you are exacting the last measure of patience \nout of the last member to ask a question, but I moved down here \nearly in the hearing, as all of you know, because I couldn't \nhear very well, even though the chairman said speak right into \nyour microphones, but I am glad I did move down close because I \nknew it was going to be interesting and I know that all five of \nyou are experts who were going to have a lot of useful \ninformation to present to us, and quite honestly, after 2 hours \nof this, I am trying to figure out a way to beat these guys, \nand the only thing I can think of is an opportunity to invest \nin these hacking operations. I don't guess that would be legal, \nbut if it were, I think that would probably be one of the best \nways for us to win. Thank you all very much.\n    Let me ask a couple of specific questions, and maybe this \ncuts a little bit to the chase of one of the main reasons why \nthe chairman is holding this hearing, and each one of you, \nplease, starting with Mr. Livingood, answer this for me. Do you \nbelieve the FCC has enough cybersecurity expertise to allay the \nconcerns that some industry stakeholders have with the \nCommission? 
If they do choose to impose cybersecurity \nregulations on you guys, on the network providers, do you have \nenough confidence in their expertise to do that, Mr. Livingood?\n    Mr. Livingood. So I don't know the answer to that. You \nknow, we work with a lot of folks at the FCC and enjoy doing \nthat. They have a lot of expertise. Whether they have enough \nhere, I think that is a tough question. I don't know the \nanswer.\n    Mr. Amoroso. I have said earlier, I don't think there is \nany agency that has the right expertise to do that. If we knew \nwhat the answer was, we would be doing it, so I don't think it \nis a knock on any one particular agency. I just don't think \nthere is any agency that has that capability right now.\n    Mr. Gingrey. Mr. Mahon?\n    Mr. Mahon. And I would agree with Ed. The answer is no. But \nI don't think anyone does, and I think that is the importance \nof collaborative relationships. You do need to bring people in \nfrom all sorts, the Federal arena as well as the private \nindustry area to work together due to the evolving nature of \nthe threats in this arena.\n    Mr. Gingrey. Mr. Olsen?\n    Mr. Olsen. Yes, it is an important question, but I would \nhave to agree with Mr. Livingood. I don't know whether they do \nor not.\n    Mr. Gingrey. Mr. Totzke?\n    Mr. Totzke. Yes, I don't actually know either. I think what \nyou are hearing here, and it is common amongst the panel, is \nthe defender job, the job that we are trying to do to protect \nyour information, is exceptionally hard and it is actually much \nmore difficult than being on the other side.\n    Mr. Gingrey. Yes, speaking of hedge funds.\n    Let me go back to Mr. Olsen. In your formal testimony that \nyou gave, you talked about the clearinghouse. I would like to \nknow a little bit more about that specifically, and do you \nthink that would be helpful? And maybe you could elaborate a \nlittle bit more on that.\n    Mr. Olsen. 
I think there is really two aspects to that. One \nis where the Federal Government is sharing with private sector, \nwith industry, what they are seeing as far as threats, and I \nmentioned a little while ago about the threats from outside the \nUnited States, so I think that is a critical component. The \nother is where companies should share, private companies could \nshare information on threats that they are seeing and that \nclearinghouse would have to be sponsored by somebody, and I \nthink the Federal Government is really the right place to do \nthat.\n    Mr. Gingrey. And I think you addressed also in your \ntestimony the hold-harmless provision that would be necessary \nto share that information so that you wouldn't be subject to \nlawsuits and that sort of thing.\n    Mr. Olsen. Yes, sir.\n    Mr. Gingrey. I have got a little time left. I have one more \nquestion then. The Internet is currently transitioning from \nthis Internet provider v4 to v6 addressing. Does that process \ncreate any new cybersecurity issues, and will transitioning \nalone solve any cybersecurity issues that currently exist? Does \nthe process of transitioning present opportunities to resolve \nexisting cybersecurity issues? We will start with Mr. Livingood \nand just go down the line.\n    Mr. Livingood. Sure. I think, you know, we have been a \nleader in IPv6. You know, I think that all of those issues that \nexist in the current Internet and IPv4 simply carry over to \nIPv6. It is just a new form of addressing. You know, that being \nsaid, because it is a new form of addressing a new technology, \nyou are introducing new things into the ecosystem. To Dr. \nAmoroso's point earlier, it is a complex ecosystem. When you \nchange something, it can have unintended consequences. And so \nit is something that you have to keep an eye on and make sure \nthat you are not introducing any new vulnerabilities. 
But I \nthink if there were any, it is simply because, you know, some \nsecurity that worked great in IPv4 might not have all the same \nfeatures.\n    Mr. Gingrey. Dr. Amoroso?\n    Mr. Amoroso. Every device on the planet running v6 in \ntheory would be addressable, would be routable, and that is a \npretty dangerous situation, so for all of us, we have to figure \nout how to architect security protections around that. So I do \nhave some concerns about the v6 transition.\n    Mr. Gingrey. Mr. Mahon?\n    Mr. Mahon. Yes, the architect and engineering teams are \nstill working through this, but as they have said, you have \nlegacy systems being married up with new evolving technology, \nand whenever you do that, you are going to have things evolve \nas you begin to deploy it.\n    Mr. Gingrey. Mr. Olsen?\n    Mr. Olsen. I think from a protection standpoint, I think it \nis a step ahead, but the bad guys are out there working just as \nhard as we are to find another way around that, so as soon as \nwe make an advancement in technology, they are right out there \nkeeping pace with us.\n    Mr. Gingrey. And finally, Mr. Totzke?\n    Mr. Totzke. And this just, as Ed said, expands the attack \nsurface and by doing so increases the risk, so we have new and \nunknown risks that we are going to have to figure out how to \nmitigate.\n    Mr. Gingrey. Mr. Chairman, thank you for your generosity of \nthose 45 extra seconds, and I will yield back.\n    Mr. Walden. Actually, you got close to 49. Thank you, Mr. \nGingrey, for staying and participating.\n    I want to thank all of our witnesses and all the folks \nbehind them who I am sure played some role, but we really \nappreciate your insights. It is very helpful in our effort. \nObviously, we are trying to do the right thing and you are out \nthere fighting the battle every day, and we don't want to get \nin your way. 
And so we may be back to you with our working \ngroup digging a little deeper on some of these issues and \ngetting as specific as possible. We hope to look out too at \nsome of the other types of networks and small providers. I \nmean, you obviously represent major providers or a \nrepresentation of them. We are also wondering about the weakest \nlink, which might be small ISPs and how do they deal with this \nand do they have the same sorts of capabilities to fight back.\n    Anyway, I deeply appreciate your willingness to be here \ntoday and share your knowledge with us. We are better for it.\n    So with that, the Subcommittee on Communications and \nTechnology stands adjourned.\n    [Whereupon, at 12:13 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"