Description | Panel 1 | Panel 2 | Panel 3 | Panel 4 | Panel 5 | Panel 6 | Panel 7 | Panel 8

Framing and Representative Questions

Framing and representative questions or cues for each of the sessions are listed below, along with the round table members who will address, some if not all of them during the first 45 minutes of each session.

During the last 45 minutes of each session, other participants are invited to ask any questions or offer comments and answers of their own. These questions were formulated by the respective round table moderators and their fellow members. In thinking about the questions and answers about norms for various aspects of cyberspace, round table members were asked to consider:


Panel 1: Evolution of Western Internet Governance: Norms, Values, Interests, Models & Institutions
(Thursday, 9:00 - 10:30)

Chair: Ron Deibert.
Panel members: Joseph Nye, Harvey Rishikof, Michael Walma, Rex Hughes, and John Savage.

Evolution of Western Internet Governance: Interests, Values, Norms and Institutions addresses origins and rationales of US and liberal democracies’ international strategies, the multi-stakeholder model and issue of Internet freedom agenda and pushback to it.

[Updated as of Sept. 11, 2012] Questions guiding panel prepared remarks:

  1. What are the norms, values, rules, and principles that have traditionally formed the core of "Western" or "liberal democratic" Internet governance? From where did these norms, values, and principles emerge and why? How do they compare to the norms, rules and principles that prevail in Internet (and cyberspace) governance today? What technological, political (policy), and economic developments are posing challenges to those norms and values?

  2. How did norms evolve in other domains (like sea, air and space), and what can we generalize from that about the evolution of norms in cyberspace?

  3. What role, if any, did US power and influence play in the construction of the Internet governance regime? Assuming US primacy to be in relative or actual decline (an open question in itself) how will that regime be affected?

  4. What should be the role of national governments in cyberspace governance, relative to other stakeholders?

  5. Are there contradictions between rhetoric and practice in the US and allied governments' promotion of "Internet Freedom"? Can those contradictions be reconciled?

  6. Liberal democratic governments share, broadly speaking, a preference for an open and secure commons (or some other metaphor) for cyberspace. What are they doing to promote that shared vision internationally? Are they doing enough? In what venues? Are they succeeding? If so, where?

  7. In what ways is a rising East Asia evolving alongside or within the Western model of Internet Governance?
Download/print questions [PDF]

Read panel summary [PDF]

Back to top  |   Back to schedule


Panel 2: Alternative Models and Challenges Posed by States to Western Governance
(Thursday, 10:45 - 12:15)

Chair: Nigel Inkster; co-chair: Pano Yannakogeorgos.
Panel members: Chris Bronk, Tim Maurer, James Mulvenon, and Rafal Rohozinski.

The current model of multi-stakeholder Internet governance is coming under challenge from many directions. The aim of this panel is to examine the attitudes of key stakeholders to the status quo; analyse the motives of those seeking change; consider the implications of alternative governance proposals; and examine whether a more appealing narrative can be developed to support the status quo or something close to it.

Questions guiding panel prepared remarks:

  1. What are the key elements of Russian and Chinese policies on Internet governance and what are the drivers for these policies? How congruent are they?

  2. Assuming there is broad congruence on a common set of objectives, how will these states pursue their aims? What are the strengths and weaknesses of their position(s)?

  3. How would an Internet governed under this model operate and what would be the strategic implications for the West if such a model were to prevail?

  4. Can we talk of a common “G77” position on Internet governance and if so what are its main constituents?

  5. Are the drivers for G77 approaches political, economic or a combination of both? Can the status quo be modified to address their concerns and if so, how?

  6. Can the USA and the “like-minded” construct a positive narrative for the multi-stakeholder governance model - or is it condemned to fight a war of attrition?

  7. To what extent can the norms of a decentralised multi-stakeholder model of Internet governance be extended to the emerging Internet of IPv6 and the Internet of things?
Download/print questions [PDF]

Read panel summary [PDF]

Back to top  |   Back to schedule


Panel 3: The Applicability of International Law to Cyberspace & Characterization of Cyber Incidents.
(Thursday, 13:00 - 14:45)

Co-chairs: Catherine Lotrionte, Eneken Tikk-Ringas

Discussion Points

‘Cyber security’ and the acceptable behavior of state and non-state actors in ‘cyberspace’ has become one of the centerpieces of international and national security talks. Calls for new legal instruments have been placed with international organizations by some states while others call for application of existing legal frameworks.

The core statement of this panel is that there is no ‘cyber’ framework per se from a legal perspective. There is, however, a substantive body of legal principles and norms, international and regional, to address different implications of uses of ICTs, such as how we establish and maintain relevant infrastructures, protocols and content; how we defend personal, corporate, national and international interests pertaining to uses of ICTs and how we balance interests involved under the contemporary paradigm of ‘security’. Addressing ‘the law of cyber security’ therefore means addressing different legal authorities, instruments, concepts and practices some of which can and some of which cannot be applied simultaneously and all of which involve prerequisites to their applicability. Furthermore, these need to be addressed with the different national legal interpretations from various countries.

This panel will address legal principles, instruments and concepts applicable to uses of ICTs and the consequences of such use that do not rise to the threshold of ‘use of force’ and ‘armed attack’, thresholds to the applicability of the international laws related to conflict management to be addressed by the next panel. This panel will outline already existing normative approaches to telecommunications, crime/law enforcement, electronic transactions, privacy, espionage, etc and explain and discuss the relevance of such frameworks from state responsibility and government-level decision-making/strategy development perspective

The panel starts with a "legal threshold map" that would offer an outline of the main existing legal concepts and respective legal areas/thresholds/standards to get oriented in the applicability of already existing norms. The panel then outlines and discusses remedies available for pursuing one’s interests in the cyber domain and resolving conflicts under the legal frameworks applicable to international telecommunications, data processing, computer-related crime and addresses the challenges related to balancing and co-applying such frameworks and concepts.

It further elaborates on the law of state responsibility and how this area of law could be applied to cyber incidents. The discussion will focus on the incentives and considerations behind decisions to rely or not to rely on the existing legal instruments and the nature of the ‘gaps’ of implementation of law.

The panelists will address:
  1. The practical vs. political need for and rationale behind the requests for new international legal instruments (e.g. the Russian and Chinese initiatives of the Code of Conduct, Draft Convention of Information Security and the UNODC cyber crime treaty initiative);
  2. A ‘legal’ versus a ‘policy’ assessment of an incident and the choice of responses and remedies;
  3. Categorization of cyber incidents under existing legal thresholds;
  4. Identifying (potential) gaps in existing legal instruments and practice to be filled in by other normative (including non-binding) frameworks.
Download/print questions [PDF]

Read panel summary [PDF]

Back to top  |   Back to schedule


Panel 4: Law of Armed Conflict (LOAC) and Rules of Engagement (RoE) in Cyberspace
(Thursday, 15:00-16:45)

Chair: Duncan Hollis.
Panel members: Amy Gordon, Eric Jensen, Neil Rowe, Hardin Tibbs, and Jody Westby.

As militaries increase their presence in cyberspace, significant questions have emerged over (a) how the existing Law of Armed Conflict (LOAC) applies to military cyber activities, (b) what rules of engagement (RoE) militaries will adopt for those activities, and (c) whether new LOAC rules are necessary to deal with critical infrastructure’s reliance on cyber-based systems. The panel will explore whether and how the LOAC applies even where it contains no cyber-specific rules. It will also examine the relative gaps and challenges that exist in translating into the cyber context the LOAC’s three main principles – necessity (allowing only acts necessary to accomplish legitimate military objectives); distinction (requiring militaries to distinguish between civilian and military objects and to only direct operations against military objectives); and proportionality (prohibiting force in excess of what’s necessary to accomplish military objectives.

Questions guiding panel prepared remarks:

I. Applying the Law of Armed Conflict (LOAC) to Cyberspace
  1. Can the LOAC apply? As a general matter, how strong is the consensus that the LOAC applies to incidents and operations that militaries undertake in cyberspace?
    a. What are the implications of China’s apparent resistance to applying the LOAC to cyberspace? Do they have any credible legal arguments that exempt them even though the LOAC is presumed to apply to all new methods and means of using force?

    b. Can we apply the LOAC with any degree of certainty to military operations in cyberspace where there is so much uncertainty on questions of legal thresholds (which is the focus of Panel 3)?

    c. How does the technical attribution problem impact the LOAC’s application? Presumably, the LOAC will both constrain and facilitate how militaries behave in cyberspace. But, without technical attribution, can victims ever invoke the LOAC where the exact perpetrator may remain anonymous, and where it’s difficult to know if the attacker is a State, an entity under a State’s “effective control”, a non-State actor, or one or more individuals?


  2. How does the LOAC Apply? Assuming the factual and legal thresholds for applying the existing LOAC rules are surpassed, how should States and their militaries translate the existing LOAC into cyberspace?

    a. What is the Tallinn manual and how does it seek to answer this question? What is the best case for the manual’s impact on the development of cyber-specific LOAC norms? Is it a Lieber Code for cyber? Conversely, what is the worst case scenario for its impact? Could it lead to conflicting assumptions about the relevant permissibility of certain cyber operations or generate unintended escalation of conflicts?

    b. Should the Tallinn manual be the exclusive vehicle for translating the existing LOAC to cyberspace? Should other vehicles be considered alongside this effort such as legal negotiations or allowing state practice to set the standards for behavior?

    c. What are the most pressing “open questions” about the existing LOAC’s application to cyberspace? Of the three main principles for how military operations must be conducted – distinction, necessity and proportionality – which one needs the most attention and why? Are there other LOAC rules that deserve similar (or greater) priority – such as those on combatants, neutrality, or blockades?

    d. Who will hold non-state actors accountable for LOAC breaches and how will they do so?

    e. Can we actually identify how the LOAC applies in practice -- for example, assuming the LOAC applied to Stuxnet (admittedly, a debatable proposition) is there any degree of certainty as to its consistency with those rules?
II. Developing Rules of Engagement (RoE):
  1. Can States develop effective RoEs in the cyber environment where the technological capacity and application may not be known and, even if known, is subject to near constant evolution?

  2. Should cyber-RoEs be developed in the usual classified fora? What is gained by keeping such RoE’s classified? What costs or risks are associated with keeping them secret?
III. Proscribing Attacks on Cyber-Based Critical Infrastructure and the Potential for Other New Rules
  1. Is a proscription of cyber attacks on critical infrastructure covered by the existing LOAC? If not, should the LOAC be elaborated to include such a proscription? Which critical infrastructure, if any, warrants protection and in what order of priority (electrical grids, telecommunications networks, banking and financial systems, oil and natural gas delivery systems, etc.)?

  2. How would a proscription of attacks on cyber-based critical infrastructure be implemented, assuming anonymous actors might still desire to pursue such attacks? Is legal deterrence possible in the absence of catching those who violate the proscription?

  3. Is there a need to revise current legal standards to ensure they do not limit State action in responding (whether unilaterally or collectively) to some such cyber catastrophe. Are there lessons from other domains (such as the debate over the Global Initiative against nuclear terrorism) that might inform this inquiry?
Download/print questions [PDF]

Read panel summary [PDF]

Back to top  |   Back to schedule


Panel 5: Norms For Security, Resilience And Supply-chain Integrity In Core Telecommunications Infrastructure
(Friday, 9:00 - 10:45)

Chair: John Mallery.
Panel members: Philip Hallam-Baker, Patrick Lincoln, David MacMahon, and Michael Sechrist.

This panel identifies the threats to the core infrastructure, the requirements for its trustworthiness, and the elements of a technical strategy for assuring them. It considers what division of labor among public and private sectors can implement the possible strategies at domestic and at international levels. It then recommends actions that states and private actors can undertake to secure their core telecommunications infrastructures.

Questions guiding panel prepared remarks:

  1. Threat: What is the threat model (attack vectors and consequences) for core national telecommunications infrastructures?

  2. Security Architecture: What are the requirements for a trustworthy national telecom core?

  3. Strategy: What are the elements of a technical strategy for assuring the telecom core trustworthiness (availability, integrity and confidentiality)?

  4. Implementation: What is division of labor between public and private actors to implementation these policy goals?

  5. International Dimension: What aspects of international telecoms infrastructure (e.g., physical hardware or logical operations) require collective action for their protection to assure stable operations of international networks?

  6. Recommendations: What actions should states and private actors undertake in order to secure their core telecommunications infrastructures?
Download/print questions [PDF]

Back to top  |   Back to schedule


Panel 6: Cyber Security Awareness and Norm-development: Practical issues for Engaging Critical Private Actors
(Friday, 11:00 – 12:30)

Chair: Chris Demchak.
Panel members: Greg Rattray, Andrew Cushman, Rafal Rohozinski, and Bill Studeman.

Given the massive role played by private firms in most westernized democracies' national critical infrastructures, it is more effective for the nation's resilience and socio- technical- economic long-term well-being if these key private actors voluntarily and collectively collaborate in ensuring the whole system's cyber security.

To date, there is much talk but poll after poll suggests limited conviction across the majority of key major private firm leadership that cybersecurity is a major problem for them and their firm, let alone for the national system surrounding them. Consistently, a significant proportion of senior respondents in surveys deny knowledge that their firm has been compromised, that their bottom line is being harmed or should be modified to serve the well-being of e whole system, or that they need do more than hire outside cyber security firms to do anything more collective or unusual. (See a recent poll by Countertack).

This panel investigates how concern for the well-being of the whole national system can be made evident to, relevant for, and actionable by the major private actors. The private sector's daily practices and internal norms about cyber security are cumulatively critical for the cyber well-being of all democratic societies. A secure, national cyber future depends on the coordinated, collective willingness, knowledge, and actions of private actors in concert with public institutions.

Questions guiding panel prepared remarks:

  1. Framing: How can the C-suite and top managers of businesses in critical infrastructure and strategic economic sectors be motivated to respond to critical national security challenges?

  2. Analyzing: How can enterprise cyber security be reformulated as a value proposition for customers and a profit center for firms that enhance return on investment?

  3. Instantiating: What technology changes are necessary to enable firms to better defend their operations and intellectual property with positive side effects of enhancing national resilience?

  4. Monitoring: What innovative approaches can help forge effective public-private partnerships to overcome the cyber defense public goods dilemmas?

  5. Consequence Recognition: How can national progress be measured for reducing systemic cyber risk, enhancing cyber resilience, or mitigating strategic economic losses?

  6. Recommendations for Actions: In what programs could democracies internally and externally distribute fairly and effectively the burden of systemically ensuring cyber security for themselves and their wider community of like-minded nations?
Download/print questions [PDF]

Back to top  |   Back to schedule


Panel 7: Alternative Lenses and Models for International Norms and Governance
(Friday, 13:15 – 14:45)

Chairs: Roger Hurwitz, Alexander Klimburg.
Panel members: Martha Finnemore, Yurie Ito, Sarah McKune, and Emilian Papadopoulos.

This panel explores the possibilities, possible contents and levels of impact of norms initiatives by or for non-state actors, including private sectors, civil society, cyber security practitioners and even loosely organized individuals. Such interested third parties may include IGOs that develop a supra-national interest in stabilizing and maintaining cyberspace.
  1. What is the logic for regional cybersecurity alliances in the supposedly borderless world of cyberspace? Do such alliances have interests and constituencies that in some sense transcend those of the individual member states? May there be some recognition that the notion of a “common problem” is that of a shared problem, because of interdependence, more than each state having the same problem?

  2. Are norms and best practices at the operational level, e.g., an ethos of cooperation among national CERTs, a basis for influencing practices and potential norms at state and international security policy levels? Alternatively, to what extent is cooperation and trust at operational levels put at risk by behaviors of state actors?

  3. The private sector, especially ICT vendors, Tier 1 carriers and major online services have considerable roles in shaping cyberspace. As a group, their interests and drivers might conflict with those of states. What freedom might some have for an initiative that sets out their own norms of use and misuse of cyberspace? What effect could this have?

  4. NGOs and other members of international civil society (INGOs) typically have an interest in the free flow of communication. Some have been targets of cyber attacks by state actors, and some have received material aid from other states. What norms, e.g., export controls on surveillance and filtering technologies, might they advocate? Can they align with some states in promoting these norms, while not losing independence of state interests or their credibility? What might be appropriate forums for pursuit of their interests?

  5. What has been the success in other domains and issues of interested third parties developing their own norms and getting state actors to adopt some? What conditions enable success and which block it. Is the abolition of the slave trade a relevant example or the more campaign against land mines? Or might the limited success of the environment movement be more relevant?

  6. A decade ago, Chris Kelty wrote about “recursive publics” in cyberspace, i.e., online groups that discussed and created/ maintained the online conditions that allowed them to discuss and create/maintain the online conditions… They were norm entrepreneurs, after a fashion, but perhaps possible only in the cottage industry phase of cyberspace. Can such loosely organized groups still help shape cyber norms?
Download/print questions [PDF]

Read panel summary [PDF]

Back to top  |   Back to schedule


Panel 8: Cyber Futures and Directions for Global Engagement
(Friday, 15:00 – 16:45)

Chairs: James Lewis, Joe Nye.
Panel members: Ron Deibert, Amy Gordon, Kristin Lord, and Jamie Saunders.

This panel's topics include managing competition in a dynamic international system, the impact of strategic choices on cyber futures, the strategic engagements of major cyber powers, the roles of the UN in promoting cyber norms.
  1. Have we in any sense reached a turning point in the pursuit of norms that could help stabilize cyberspace? Is there perceptible movement toward convergence of some minimal set of norms to that end?

  2. Given that this workshop and others have proposed norms for many areas and issues in cyberspace, how should they be prioritized? Which are the most important for state actors to pursue?

  3. Are the current forums of norms discussions, particularly the GGE and regional forums, such as the OSCE and ARF, the best for reaching agreements on norms? Or given that they have global scope, might more progress toward stabilizing norms be made in bilateral and mini-lateral talks?

  4. What have been the long term effects of negotiated norms in other norms, viz., the sea, air and space, and what lessons for cyber can be learned from them?

  5. What research is needed regarding the cultivation and technological support of cyber norms? How might such research relate to actual negotiations?

  6. How can China, Russia and G77 countries be brought into future workshops of this sort?

  7. What message can this workshop send to Budapest2012, the international cyber conference, next month and to other future conferences?
Download/print questions [PDF]

Back to top  |   Back to schedule