Descriptions and Framing Questions

(Note: The order of topics, particularly on Monday, is subject to change)


1. Sources of Instability in Cyberspace and the Role of Norms in Responding to Them.

The panel provides an overview of the institutions, policies, politics and technologies that enable open and secure cyberspace, and threaten it. It will respond to questions such as:

  • What is the composition and character of the current regime complex in cyberspace?
  • Does this complex of agents, institutions, practices and norms provide or allow sufficient stability for the beneficial development of cyberspace?
  • How do activities in cyberspace affect or reflect international (in)security?
  • What have the interest in and discussion of cyber norms and confidence building measures contributed to cyberspace stability?
  • What challenges do the dynamic developments in ICT and their persisting vulnerabilities create for governance and order in cyberspace?
  • What might be the future model of cyberspace governance?

2. Norms for International Responses to Globalized Cyber Threats.

This panel looks at new global patterns of cyber threats and different international responses by state and non-state actors. The scope includes norms, principles and agreements that can enable cooperation among national CERTs, international cooperation against cyber crime and intellectual property theft, capacity building, and export controls on certain cyber technologies. Possible framing questions include:

  • How have changes in the global distribution of agents and targets of cyber attacks affected the need for international cooperation among states and important non-state actors in the ICT sector?
  • How might states' emphasis on their rights to exploit or control cyberspace affect possibilities of cooperation among non-state actors against cyber threats?
  • What changes in norms and laws would enable global ISPs, ICT vendors and cyber security firms to deal more effectively with cyber threats?
  • Is there a role for international organizations focused on cyber capacity building or on coordination of cyber defenses?
  • What are the norms for cooperation among national CERTs and what additional norms can enhance their cooperation and effectiveness in responding to cyber threats?
  • Can voluntary agreements on export controls of cyber technologies, e.g., the Wassenaar Arrangement, have any effect on proliferation of threats to open and secure cyberspace? What considerations would prompt such agreements, impede them or restrict their scopes?

3. Norms and Practices to Balance Data Protection and Security Needs.

In pursuit of their national security, some states exploit telecommunications for mass surveillance and target the data stores of large transnational service providers. Although these practices are conceptually different from blocking and filtering information flows, both types involve contests between the interests of states, on one side, and the desires of publics or individuals, on the other side. This panel focuses on when and how balances between competing sides might be possible and on norms that might guide their achievement. Of particular concern are norms and practices that preserve or enhance global ICT interoperability, specify a minimum standard of privacy and reasonably constrain state agencies' pursuits of security interests. Some possible questions are:

  • Is political consensus or at least agreement on balancing the trade-offs possible, and how might it be reached?
  • Under what conditions is it legitimate for state agencies to block, filter, monitor or criminalize access to certain information flows, and can there be a broadly accepted global norm for any such conditions?
  • What would be the effect on state security practices of the widespread adoption of encryption and anonymity that could be revoked in particular cases or circumstances, given legal authorization?

4. Trusting the Globalized ICT Supply Chain: Norms for Better Practice.

This panel focuses on building a trustworthy technology plane commensurate with pervasive and ever deepening reliance on ICT across modern societies. Unsustainable growth in malicious exploitation of ICT vulnerabilities and historic intelligence debacles have driven a decline in confidence in cyberspace and highlighted longstanding weaknesses in ICT architectures. Growing awareness of cyber risks has reinforced trends towards technology sovereignty, especially in sectors critical for security or relevant to data protection. Within this international context of accelerating cyber insecurity and eroding international security architectures, political challenges include policy trade-offs between offense and defense, early warning and surprise, law enforcement and privacy, and, for low legitimacy states, open/secure communications and censorship/surveillance. This panel will discuss technology options, requirements, and norms aiming towards higher assurance ICT globally, defensible architectures at all levels, and better technical enforcement of law and policy, for example, in the area of data protection.

  • Challenge: What are the trends for trust in cyberspace and the supply chains that support it?
  • Solution: How can customers reliably check or verify the security guarantees of ICT products (e.g., cryptography, host architectures, networking equipment), services, or infrastructures that they depend on, whether directly or indirectly through intermediaries?
  • Technical Architecture: What levels of trust and supporting technology moves are needed for cloud computing, critical infrastructure operators or globalized ICT producers?
  • Strategy: Can market mechanisms alone drive assurance higher fast enough or does government policy need to address security-relevant policy tradeoffs, technology shortfalls, market failures, risk allocation, and public goods dilemmas?
  • Implementation: Is there a role for open source (e.g., crypto, secure operating systems) in driving market mechanisms and in raising information assurance levels internationally?
  • Recommendations: In the context of strategic technical competition among major ICT powers, what actions should states or private actors take in areas of capacity building, technical norms, or international agreements to shape incentives so that markets deliver reliably trustworthy ICT products, infrastructures, and services?

5. Norms Applying to Cyber Fueled Conflicts Below the Level of Armed Attack.

This panel identifies norms and practices for mitigating the effects of cyber exploits and attacks whose levels do not rise to use of force or armed attack. Such norms would reduce risks of escalation and could include:

  • states and global ICTs assisting states victimized by DDoS and other disruptive attacks (e-SOS);
  • no attacks on national CERTs when they are responding to cyber attacks;
  • international bodies, such as the WTO, or states allowing class action suits to be brought by private sector or civil society entities who have suffered intellectual property theft or denial of information rights.

6. Norms for Protection of Critical Infrastructure.

The scope includes norms and practices for states and industries that can reduce risks for critical information infrastructure (CII), e.g., telecommunications, and ICS and SCADA based infrastructures, e.g., power grids. Some of the questions are:

  • What are the threats to these critical infrastructures, and how extensive might the damage be to target countries?
  • What duty do countries have to implement best practices for critical infrastructure protection and share threat data?
  • What would be the impact of global adoption of certain security standards or frameworks, like the NIST Cyber Security Framework, for managing risks to infrastructure?
  • What conflicts and considerations at the international and domestic levels would impede such adoption?
  • Is there need for a special regime to protect nuclear reactors from cyber threats and would the IAEA or another international agency be the appropriate aegis?
  • What implications do norms and practices for the protection of critical infrastructure have for the acceptability of activities which might target infrastructure, such as attacks, prepositioning malware, malware development, reconnaissance?

7. The Forms and Norms of Cyberwar.

The panel focuses on the use of cyber technologies in military operations, the roles of military organizations in protecting digital organizations, the challenges to international security that these may introduce, and norms that can reduce their risks. These are some possible framing questions:

  • How does the revolution in military affairs (RMA) integrate information and communications technologies (ICT) into modern military campaigns as an enabler or target?
  • What precedents have been set by use of cyber weapons in military or sabotage operations, e.g., Russia against Estonia and Georgia; the US and Israel Stuxnet operation against Iran?
  • What is the "full spectrum" of CNE and CNA? What might be coming beyond what we have seen?
  • Is there a qualitative cyber arms race and is it destabilizing?
  • What are the respective implications of passive and active (preemptive) cyber defense for international security and stability?

8. The Possibility of Deterrence Structured by Norms.

The panel's focus is on potential norms and shared definitions that could make deterrence more practicable in cyberspace and reduce likelihoods of misperceptions, miscalculations and unwanted escalations. Questions can include:

  • Are there natural breaks in the full spectrum which can be reinforced by norms and shared definitions?
  • Can the Law of Armed Conflict (LOAC), by specifying redlines, help shape deterrence strategies and control of escalation?
  • Can the attribution puzzle be sufficiently solved by strategic attribution, i.e., attributing attacks and exploits to actors according to their known attributes and characteristic types of attacks? Or might making strategic attribution a normal practice lead actors to sign their malware?
  • Are there normative grounds for private actors' practice of deterrence, through "hack backs" or other responses?
  • What cyber responses outside of the cyber domain might be justified sanctions to cyber exploits and attacks and how might these be calibrated as proportional to the provocation?
  • How might norms or the threat of collectively sanctioned retaliation change the calculation of agents considering cyber exploits or attacks on another state or non-state actor?

9. Governance and New Institutions for Cyberspace.

The panel focuses on norms and principles for the governance of the Internet, in the context of challenges to the present regime, including demands by states for greater control of cyberspace, perceived needs for new organization(s) to monitor Internet infrastructure, the United States' loss of moral leadership for the Internet and impending changes in ICANN's relationship to the US government, and initiatives to redefine the multi-stakeholder model. Among possible framing questions:

  • Is the present system of Internet governance sustainable? Can it accommodate the different norms and interests of its new users in the global East and South, while preserving openness and interoperability?
  • Or what rough beast, its hour come round at last, / Slouches towards Bethlehem to be born?
  • Since major cyber powers have agreed in the 2013 GGE report that states should take the leading role in cyberspace governance, what are the appropriate roles for the private sector, particularly the large, transnational service providers and ICT vendors, and for civil society organizations, such as CERTs?
  • Who or what will supervise ICANN's administration of the Internet after the Dept of Commerce contract expires?
  • What might the impact of Net Mundial, the meeting on multi-stakeholder governance, be on notions of governance going forward?