Meeting Announcement for the Commission on Enhancing National Cybersecurity

The National Institute of Standards and Technology (NIST) published a meeting notice in today’s Federal Register (81 FR 20367) for the initial public meeting of the Commission on Enhancing National Cybersecurity. The meeting will be held on April 14^th, 2016 in Washington, DC. The Commission was established by Executive Order 131718.

The Meeting

The agenda for this meeting includes:

• Review Executive Order and Commission Charter

• Discuss proposed scope of work

• Discuss work plan for addressing scope of work

• Informational briefings

• Commission timeline

• Public comment

There will be a 15-minute public comment period at this meeting with speakers selected on a first-come-first-speak basis. Written comments are also solicited. Written comments may be submitted via snail mail to:

Commission Executive Director,

Information Technology Laboratory,

100 Bureau Drive, Stop 8900,

NIST, Gaithersburg, MD 20899-8900

Commentary

I pretty much ignored the EO establishing this commission since there was no mention of control system security in the EO. There are multiple mentions of IT, data security and of course the ever present ‘privacy’ is mentioned in multiple places. There are even brief mentions of internet of things and the cloud. But no mention of control systems.

I am now even more disappointed in the implementation of this Commission. First the late notice for this meeting. I’m pretty sure that NIST would have done a better job if they were really running things, but they are just the support agency here. I have not seen any details about the appointments of the Commissioners, but I would expect that they are all busy folks that had difficulties getting schedules coordinated for this initial meeting. That, unfortunately, bodes ill for how much work the Commission will actually get to do. To be sure, the largest amount of the work will be done by staff, but the Commissioners will have to drive, coordinate, and guide the development of the report. If they are too busy to meet, that focus will be lacking.

Next, this looks like a 20^th Century Commission looking at a 21^st Century Problem in the way this meeting is set up. There is no mention of a web cast of the meeting. There is no electronic method of comment submission mentioned. The notice reports that NIST has information about this Commission posted on their Computer Security Resource Center web site, but as of 10:00 pm EDT there is not a single mention of either the Commission of this meeting on that site.

This Commission looked like it was supposed to be President Obama’s cybersecurity capstone, with the final report due out December 1^st with a response from the President due by January 15^th. If that was the purpose, and this meeting is any indication of the type work we can expect to see from this commission, then the capstone will be made of soap stone.