Description | Session 1 | Session 2 | Session 3 | Session 4 | Session 5 | Session 6 | Session 7 | Session 8

Framing and Representative Questions

Framing and representative questions or cues for each of the sessions are listed below, along with the round table members who will address, some if not all of them during the first 45 minutes of each session.

During the last 45 minutes of each session, other participants are invited to ask any questions or offer comments and answers of their own. These questions were formulated by the respective round table moderators and their fellow members. In thinking about the questions and answers about norms for various aspects of cyberspace, round table members were asked to consider:


Session 1: Norms and their roles in international relations (Thursday, 9:00 – 10:30 AM)
Roundtable: Martha Finnemore (moderator), Joe Nye (co-moderator), Nazli Choucri, Paul Cornish, Chris Painter, Eneken Tikk

Questions with names of their “first responders” in parentheses:

  1. What do we mean by "norms" and why do we care about them? How are norms different from various legal instruments (both "hard" and "soft") as tools to shape behavior? How do they work together or conflict? (Finnemore)
  2. How do norms gain authority and spread, particularly among adversaries or those (initially) opposed? (Cornish)
  3. What are the comparative advantages of norms versus more binding agreements in addressing cyber concerns? Overview of current USG efforts. (I'm hoping Painter might weigh in on this.)
  4. How do other nations see the advantages or norms vs. other tools? Overview of efforts in diverse countries. (Tikk)
  5. What lessons can we learn from norm promotion efforts in other issue areas, particularly environmental protection? (Choucri)
Download/print questions (pdf)

Back to top  |   Back to schedule


Session 2: Norms for Military Operations in Cyberspace (Thursday, 10:45 – 12:15 )
Roundtable: Chris Demchak (moderator), Jack Goldsmith (co-moderator), Suleyman Anil, Charles (Chuck) Barry, David Mussington

  1. Can norms for the militaries effectively operate in a world in which attribution is hard across large volumes of attackers and cyberspace pathways, and clearly defined bad behavior thresholds are currently difficult to establish? What is the relationship between norm development and enforcement, on the one hand, and the legal removal of the anonymity of bad actors on a global scale, on the other.
  2. Can international norms be achieved in a world of clashing national interests? Can, for example, the USG/DOD expect to embed norms that reflects its interests (e.g. government espionage OK, disruption of content filtering OK, commercial espionage bad, attacks on civilian infrastructure bad, etc.), or must the norms reflect the interests of other nations as well? What might this compromise position look like if (a) only state level adversaries are considered, and if (b) the wider global cyber environment of high volume uncontrolled non-state actors are taken into account?
  3. How feasible today is the widely proposed norm of state responsibility for attacks emanating from a nation, regardless of attribution? How would such a scheme be implemented under current circumstances? How different would these feasibility and implementation assessments be if a process of building borders in cyberspace (cyber Westphalia) were well along?
  4. What are the international norms that govern global cyber operations at the moment and how have they originated? Do other nations with a significant offensive cyber-capability take legal norms as seriously as the USG, and if not what are the consequences?
  5. To what extent is the role of the military limited only to external threats with a kinetic potential clearly definable in operational redlines or conflict thresholds or does any nation's military have obligation to ensure national security by monitoring, alerting, or possibly disrupting external intrusions by bad or wicked actors into critical nonmilitary societal sectors? For example, how and to what significance do the innovations and for-hire aspects of international cybercrime contribute to a nation's decline in critical cybered systems resilience such that defense institutions need be involved proactively?
  6. Need militaries be restructured for conflict in a heavily cybered world, and, if so, how? How do these recommendations change if the globe's cyberspace is relatively unfenced as it is today, or if the world has progressed far in erecting the building blocks of national borders in cyberspace?
See also Jack Goldsmith’s response to the NYTimes story on the aborted cyber attacks in Libya.

Download/print questions (pdf)

Back to top  |   Back to schedule


Session 3: Cybercrime (Thursday, 1:00 PM – 2:30 PM)
Roundtable: Steven Chabinsky (moderator), Corey Dvorkin, Marc Goodman, Duncan Hollis, John Savage

  1. What's happening now? The Council of Europe Convention on Cybercrime goes further than any other international code between nations (adopted or proposed) in harmonizing national cyber crime laws, requiring the collection and preservation of digital evidence, and fostering cooperation in criminal investigations involving computer data. Still, the cybercrime problem keeps getting worse. Some would argue that the COE Convention demonstrates that norms between nations are not a significant part of the cybercrime solution. Others would defend the Convention, stating that it simply needs to be more widely adopted and expanded in certain ways.
    • As a general proposition, how much of the cybercrime problem do you believe can be addressed through norms between nation states if the underlying attribution problem (excuse?) is not resolved first through technology and standards?
    • Would it make a difference if China and Russia, and every other country for that matter, ratified the Convention?
    • The Convention tends to be a very reactive approach to cybercrime -- the event occurs, and investigations receive international assistance. How can we make norms that are more preventive?
    • The Convention focuses on identifying and catching criminals, but does not focus on identifying cybercrime techniques with a focus on cooperation in changing architectures or standards; should that be added?
  2. Are governments as important as they think they are? Or, will the private sector solve this without us?
    • Current norms focus on government to government communications and investigations. Should governments be focused instead on developing, enlisting, and enabling industry, NGOs, and citizens to help investigate cybercrime on a real-time basis and forward information appearing to pertain to the commission of a crime across borders without legal process?
    • Should governments focus on agreeing to norms amongst intermediaries, whether individual ISPs or groups like the Forum of Incident Response and Security Team/FIRST) for the rapid sharing of information, the denial of certain criminal activity occurring on their systems, the passage of investigative information across the chain of a transaction, and the establishment of duties of care and assistance?
    • What are appropriate government responses when a nation state denies assistance?
      -- Should there be a duty to assist individuals as well as nation states (e-SOS?)
      -- Is transborder search and seizure without host country approval both necessary and a non-starter?
    • What are appropriate private sector responses when their own country or another denies assistance? Will the private sector resolve this without governments? Are we going to see a rise in cyber vigilantism/hackbacks (and, if so, will host nations prosecute them? Is it time to bring back Letters of Marque?
  3. How can cooperation become more agile and meaningful, whether between governments or the private sector in quickly identifying cybercrime and deterring the criminals?
    • A 24x7 network is a good start, but it's still a slow bottleneck. What other mechanisms can you envision that operate as effectively as criminals?
    • What additional confidence building measures might be effective between nation states, systems administrators, or academicians that can help better shape these efforts?
  4. With regard to technologies, business practices and cultural understandings that can help reduce cybercrime.
    • Can studies of the spam value chain identify choke points that allow cooperating governments to shut down the spam activity? If so, what norms naturally follow from this observation?
    • Concerning the theft of intellectual property by individuals or organizations, can we identify the self interests of nations where these crimes occur that would encourage the nations to stop the theft? What norms would follow from this? An example might be that we should not permit our citizens to hack into international payment systems.
    • Cybercrime can involve theft of Internet traffic for commercial espionage, for example. What norms can we state on this subject?
    • Some cyber attacks, such as shutting down electric power generation on the East Coast for several days by malicious individuals, would not rise to the level of a serious nation-state cyber attack but they would be crimes. What norms can we state that would protect nations against such attacks?
Download/print questions (pdf)

Back to top  |   Back to schedule


Session 4: Political, Military and Industrial Espionage (Thursday, 2:45 – 4:15 PM)
Roundtable: Catherine Lotrionte (co-moderator), William (Bill) Studeman (co-moderator), Nigel Inkster, Sean Kanuck

Stimulating Words and Phrases:

Non-War Cyber Warfare Objectives
Theft of IP, Proprietary Info, Industrial/Cml Espionage, State-Sponsored Espionage, Business Intel, Reverse Engineer, Pilfer, Criminal Grand Theft, Counterfeiting, Infringement of --- Secrets, Proprietary Info, Tangibles, Actual IP, competitive products/info, etc. Targets (Counter-force/value)
Notion of Acceptable Behaviors as Norms (Ours and/vs. Theirs) Weaponization of Cyber
Obligations to Protect or Secure Destroy
Reporting Data Breaches/Accountability/Liability Deny
What is Legal/Illegal Degrade
Documenting Losses (Forensics; Damage Assessments) (and vis Liability) Disrupt
Acting on Losses (Ranges of Recourse short of War) Deceive
Rewards/Profits for Invention and Innovation Usurp/Control
Going Beyond Theft to Contaminate/Set Future Conditions Corrupt
Attacking back in Peacetime Collect/Steal
Roles, missions and responsibilities of Gov’t and Non-Gov’t Organizations/ Public and Private Sectors/Courts Sabotage
  Prepare the Battlefield
  Loss of Trust
  Loss of Resilience
  Ride-out, Restore, Repair, Reconstitute, Reporting, Retaliate

Some notional round table questions:
  1. Does (Big) Cyber Conflict generally conform and map into the current normative wartime Laws of Armed Conflict (LOAC) and peacetime domestic and international law as currently written?
  2. How is Peacetime Theft of IP done by a State/State Sponsored Patriot from a norms point of view legally different then State sponsored Espionage?
  3. Discuss possible ranges of normative types of recourse and responses against countries who pervasively engage in theft of IP?
  4. Since Cyber is a new and evolving field, what is the status of aligning EU and U.S. data breach reporting approaches, and how could these relate to corporate liability and marketplace concerns?
  5. Since cyber conflict in peace and war is a new and poorly understood threat spectrum, discuss whether we can expect any new/different other future norms for cyber? Could there ultimately be arms control-like engagements and negotiations re use of cyber that have norms implications?
  6. Why isn’t it a norm to aggressively pursue low to mid-end criminals, hackers, DDOS, owners and renters of BOTNets, criminals/privateers, and to cooperate on solutions which better help with attribution and prosecution of such criminals?
  7. Could forms of active defense and attack-back become an accepted norm area, and under what conditions?
  8. Could it be an acceptable norm that one country can justify cyber attacks in peacetime against other countries because their State does not like the policies and behavior of the target State?
Download/print questions (pdf)

Back to top  |   Back to schedule


Session 5: Trusted Technology Foundations & Supply Chain (Thursday, 4:30 – 6:00 PM)
Roundtable: Patrick Lincoln, SRI CS (co-moderator), John C. Mallery (co-moderator), Karl F. Levitt, David Mussington (for Mitchell Komaroff), Ralph Wachter

  1. Defense Dominance: How can the balance between attack and defense be shifted in favor of the defender?
  2. Defensive Coordination: How can like-minded countries improve their collective cyber defense?
  3. Threat Mitigation: How can we create resilient mechanisms that incentivize large actors to enforce higher hygiene within their administrative zones and cooperate more readily in threat mitigation?
  4. Supply Chain Integrity: How can we improve trust in the supply chains for ICT equipment and its deployments in cyber-enabled societal systems?
  5. Resilient Trust: How can we develop greater trustworthiness in cryptographic infrastructure, computer hardware, software, networking, cloud computing, mobility, enterprise architectures, or other societal applications?
  6. Disaster Relief: What is the duty of state and incentives non-state actors to provide assistance when a country is suffering a cyber disaster or significant incident whether due to physical or logical disruptions?
  7. Capacity Building: How can the capacity of developing countries be raised so they can enjoy the benefits of the information society and better prepared to participate in collective defense against malicious actors?
Download/print questions (pdf)

Back to top  |   Back to schedule


Session 6: Defensive Coordination: Normative Basis for Public-Private Partnerships (Friday, 9:00 – 10:30 AM)
Roundtable: Melissa Hathaway (co-moderator), Greg Rattray (co-moderator), Andrew Cushman, Rex Hughes, Michael Sechrist

  1. What are exemplar Private-Public-Partnerships? What makes them successful or models for others to follow?
  2. How do we achieve better global learning about what does and does not work related to defensive collaboration and understand the requirements (if any) for a global level operational coordination for specified activities (ala the World Health Organization)?
  3. There are dozens of PPP in the United States and 100s world-wide; how do we consolidate these PPPs? What are some of the impediments to the PPP (e.g., regulation, law, policy)?
  4. How can governments empower these actors with legitimacy for appropriate actions (such as activities to identify and eradicate botnets) as well as better coordinate public-private operational response (beyond information sharing)?
  5. Who should have the lead in a Private-Public Partnership? How do we incentivize/encourage participation?
  6. How do we include the range of private sector and NGO players active in cyber defense in the norms setting effort?

A slide from the recent European Network and Information Security Agency report on Public Private Partnerships can help facilitate further questions:

Download/print questions (pdf)

Back to top  |   Back to schedule


Session 7: Internet Freedom and Global Information Society (Friday, 10:45 – 12;15 PM)
Roundtable: Ron Deibert (moderator), Adriane Lapointe, Michele Markoff, Rafal Rohozinski

  1. To what extent will an international agreement on cyberspace weaken existing multi stakeholder frameworks that govern the internet? How will civil society's interests be include (or not) in a state-led process of cyberspace governance?
  2. What is more important: securing the Internet to preserve public confidence ( which extends to policing, commercial viability, and national security), or preservation of openness as a global public good that is in line with the norms of liberal democratic societies? How do we strike that balance appropriately?
  3. What are some of the unintended consequences of the Internet Freedom promotion agenda?
    • Can we control the ways in which tools and techniques that are promoted as part of this agenda are used? Do we care?
    • What are the policy risks of funding/supporting Internet freedom NGOs? The Wikileaks/Tor example.
    • How can states promote Internet Freedom without it being seen as a vehicle for narrow national interests?
    • In what ways has the promotion of Internet Freedom caused blowback, or the development of more effective and elaborate Internet control methods and policies (e.g. in Iran and China?)
  4. In those areas where there is broad agreement on appropriate infringements to speech online (e.g., Child Porn), what are the best mechanisms (filtering versus?) and processes (oversight?) to follow in order to restrict speech?
  5. To what extent do Internet intermediaries and the private sector as a whole contribute to cyber norms?
  6. How do the growing liabilities placed on Internet Intermediaries in democratic countries (e.g., on data and traffic retention; geolocation information; lawful access) set norms for acceptable practices that undermine Internet freedom worldwide? What type of oversight should there be on processes of intermediary liability?
  7. It would be useful to distinguish between existing norms and the norms we’d like to advocate—we are of course not working in a vacuum. Particularly given the multi-stakeholder nature of the internet, we need clarity, too, about whom we expect to comply with these norms of behavior: citizens/consumers/individuals, and industry as well as governments, will be interested parties when it comes to norms development, and may all be encouraged to adhere to them in some fashion, though that may not be our primary consideration at this workshop. Norms—and their outcomes—will presumably differ at the individual vice national/industry levels (e.g., the consequences of anonymity/lack of authentication).
  8. How do norms get promoted/socialized in a multi-stakeholder context?
  9. To what extent might the norms characteristic of the open-source community be a useful starting place for discussion?
  10. What kind of norm might allow nations to protect life and property from crime associated with social-networking-linked criminal events like flash rioting without compromising—and in addition, without allowing others to reasonably argue that they have compromised—norms associated with freedom of speech/association/access to information? How does one frame a new norm on this situation so as to distinguish clearly between actions taken to inhibit violent or economic criminal activity and actions taken to inhibit what some other governments define as criminal disruptive speech activity?
  11. Tolerance of internet content critical of the government varies from government to government consistent with tolerance for other, non-virtual forms of dissidence or free speech. The current norm is that government policy regarding virtual free speech/freedom of association is consistent with policy on human rights in the non-virtual world. How do we manage cyber norm development in this arena without changes in the underlying value systems of all parties? Does “cyber norm development” inherently equal social change?
Download/print questions (pdf)

Back to top  |   Back to schedule


Session 8: Norm Life Cycle (Friday, 1:15 – 2:45 PM)
Roundtable: Roger Hurwitz (co-moderator), Michele Markoff (co-moderator), Yurie Ito, Jan Neutze, Karl Rauscher, Panayotis Yannakogeorgos

  1. What are the opportunities for the USG and western democracies to exercise soft power and build moral capital with regard to cyber norms, particularly that of openness of the Internet. Given the concern of many regimes, even some in western democracies, e.g., Italy, regarding information security, what strategies are available for promoting such a norm? Are there needs to prioritize the norms the US and allies want to promote?
  2. If there are deep differences across nations in conceptualization and terminologies for cyberspace – one thinks for instance of the vigorous Chinese reaction to the US labeling cyberspace a domain – what are the chances of agreement on any behavioral norms other than narrow technological ones?
  3. Based on recent activities at the UN and other international fora, are there potential cyber norms on which most states would agree? Can these be meaningful grounds for leveraging more extensive agreements? Or are we likely to see limited interoperability, increased fragmentation, and competing information orders?
  4. A recent study by Simon Reich and our own round table member Pano Yannakogeorgos emphasizes the importance of non-state actors in articulating and evangelizing new global norms. Are there such actors in the cyber domain capable of filling this role? What other conditions do you think are needed for the development of a global cyber norm -- limited as it may be? What differences have you seen between East and West in they way potential cyber norms or rules are adopted, and will these differences constraint development of global norms for cyber.
  5. If we understand organizational models and practices as norms, are there lessons to be learned from the growth and communication of east Asian CERTs? In what ways, if any, have these CERTs learned practices from one another? Has there been any circulation of personnel among them? Has one CERT trained personnel of other CERTs?
  6. Why does the US avoid ITU led cybersecurity initiatives, preferring to open parallel diplomatic processes?
  7. Can we – the US and other “like minded” states -- take at face value pronouncements by Russia, China and other countries for security and normative regulation of cyberspace?
Download/print questions (pdf)

Back to top  |   Back to schedule