IGF 2019 WS #341 Roadmap for confidence building measures (CBM) in cyberspace

Organizer 1: John Hering, Microsoft
Organizer 2: Jamal Edwards, Microsoft
Organizer 3: Camille François, Graphika

Speaker 1: Kaja Ciglic, Private Sector, Eastern European Group
Speaker 2: Nikolas Ott, Intergovernmental Organization, Intergovernmental Organization
Speaker 3: Alissa Starzak, Private Sector, Western European and Others Group (WEOG)
Speaker 4: Kerry-Ann Barrett, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Speaker 5: PABLO CASTRO, Government, Latin American and Caribbean Group (GRULAC)

Additional Speakers
  • Sithuraj s/o Ponraj, Director, International Cyber Policy Office,  Cyber Security Agency of Singapore 
  • Caroline Greer, Head of European Public Policy, Cloudflare
  • Camille Gufflet, Cybersecurity Policy Officer, European External Action Service (EEAS)

Camille François, Private Sector, Western European and Others Group (WEOG)

Online Moderator

Kaja Ciglic, Private Sector, Eastern European Group


John Hering, Private Sector, Western European and Others Group (WEOG)


Panel - Auditorium - 90 Min

Policy Question(s)

What would characterize effective confidence building measures to develop trust and reduce tensions in cyberspace? How should confidence building measures in cyberspace mirror those used in conventional domains of conflict and in what ways should they differ? What role can other stakeholder groups play in helping states both develop and implement confidence building measures for cyberspace?


GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description: This session will take an expansive look at confidence building measures (CBMs) in cyberspace. An accelerating arms race between nations in the “fifth domain of conflict” – cyberspace – is likely to continue unabated without the imposition of meaningful processes and dialogues meant to reduce tensions and promote trust among competing and even allied countries. Such activities can mirror traditional approaches to confidence building in other conflict domains, including diplomatic engagements, information sharing, and technology exchanges, but might also involve innovative new approaches unique to cyberspace – including focusing on cooperative cybersecurity capacity building. The development of confidence building measures for cyberspace will need to leverage a diversity of perspectives, including those who have a knowledge of the technology and challenges posed by cybersecurity, as well as those who understand the nuances of statecraft that make such CBMs effective in other domains of conflict and interstate competition. To this end the panel will gather speakers to represent government perspectives and those of intergovernmental organizations, as well as speakers to share insights from civil society, academia and the technology industry. The session format will allow speakers to present their respective points of view as it relates to the potential of CBMs in cyberspace, as well as the opportunity to challenge and respond to one another on which approaches might be most effective. Importantly, the session will help educate those attending the session on this emerging area of cyber diplomacy and leave ample time for questions directly from those in attendance to the panelists. Agenda: • 5 minutes – Opening remarks from moderator setting the stage for the discussion, highlighting the current state of affairs as it relates to the pursuit of confidence building measures between states in cyberspace and letting those attending the panel know that a substantial amount of time will be saved for questions in the later portion of the session. • 25 minutes – Opening remarks from panelists sharing their perspectives on the major opportunities and challenges in establishing effective confidence building measures in cyberspace, and the ability of various stakeholder groups to support or hinder these efforts. • 30 minutes – Moderator asks pointed questions to respective speakers about avenues for advancement in this space and highlighting where there seem to be obstacles to further progress. Speakers will respond both to direct questions as well as to one another, representing both their individual and stakeholder perspectives as it relates to the positions of others. This portion of the session will identify points of agreement and divergence for those in attendance. • 30 minutes – Those attending the session, in the room or remotely, will be welcomed to ask direct questions of the speakers and share differing perspectives related to the development of confidence building measures in cyberspace. Once again, speakers will be encouraged to both address the questions that are asked as well as to respond to the answers provided by their colleagues.

Expected Outcomes: This session will provide important learnings and highlight significant opportunities for those in attendance from all stakeholder groups seeking to find ways to improve the cybersecurity ecosystem through meaningful actions to promote trust and increase capacity among states in cyberspace. For representatives from nations still establishing a posture on these issues, this session will highlight the various forums and opportunities for multilateral, regional and bilateral engagements pursued by other nations to advance their interests and build relationships in this space. For countries that have already been active in cyber diplomacy in recent years, this dialogue will provide an opportunity for them to share their insights and learn from others about what could be innovative new approaches to building trust and establishing cooperative relationships with governments and other stakeholders to reduce tensions and increase security online. For representatives from other stakeholder groups, including industry and civil society, the panel discussion will serve to illuminate the current status of an emerging and critically important policy space, as well as highlight the ways in which other stakeholders can contribute to government efforts at cyber diplomacy.

The moderators will work to ensure that the discussion at the outset of the session highlights the current state of play in the issue space and then prompt speakers to actively engage with and respond to one another. Moderators will also keep the timing of the discussion on track to allow for a half hour of audience questions at the end of the session, which they will make attendees aware of at the outset to promote thoughtful questions and comments in response to speakers. The onsite and online moderators will work together to make sure audience questions are taken from a diverse collection of session attendees, both on site and online.

Relevance to Theme: Amidst the current atmosphere of escalating tensions between nations in cyberspace, resulting in the development of increasingly sophisticated cyberweapons, it is more important than ever that nations pursue effective confidence building measures (CMBs) to establish trust and promote greater stability online. The economic and social benefits brought by increased connectivity are at risk in the face of an arms race between competing nation states that threatens to envelop innocent users, critical infrastructure and other private entities as collateral damage. CBMs for cyberspace may reflect similar efforts to promote stability in traditional domains of conflict – air, land, sea and space – but will also need to take into account the unique challenges of building trust in a non-physical domain where attacks and capabilities are hidden. To inform this discussion, the session’s panel will draw on the experiences of those with a diversity of perspectives and multidisciplinary backgrounds in cybersecurity technology and policy, as well as those with backgrounds in other areas of statecraft, to explore how different stakeholder groups can cooperate to help implement CBMs that support stability in the online ecosystem.

Relevance to Internet Governance: The challenge addressed in this proposed session is how to proactively and intentionally coordinate actions to create systems and structures that build trust between nations and reduce suspicions and tensions in cyberspace, leading to a meaningful reduction in the number and severity of threats online. This discussion cuts to the core of a number of internet governance challenges and inherently requires engagement by a range of stakeholders to explore how such confidence building measures should be designed and implemented – based on established norms and expectations – to protect a safe and secure internet.

Online Participation

The online moderator will manage remote participation in the session via the Official Online Participation Platform, ensuring that those who are virtually attending the panel discussion are able to view/listen throughout its entirety, and that they are actively included in the question and comments portion from session attendees.

1. Key Policy Questions and Expectations
  • What would characterize effective confidence building measures to develop trust and reduce tensions in cyberspace?
  • How should confidence building measures in cyberspace mirror those used in conventional domains of conflict and in what ways should they differ?
  • What role can other stakeholder groups play in helping states both develop and implement confidence building measures for cyberspace?
2. Summary of Issues Discussed

Panelists from government, industry and civil society, from Europe, Asia and the United States discussed the importance of developing meaningful confidence building measures (CBMs) to reduce tensions and mistrust in cyberspace, and the potential for escalatory consequences. While all panelists agreed on the importance of such efforts, there were different priorities emphasized and approaches presented.

From the outset, the representative from industry shared the challenges associated with being a digital service provider caught in the midst of geopolitical conflict in cyberspace, and without the relationships or infrastructure necessary to engage with governments and other actors in the issue space. The representatives from the EEAS highlighted how CBMs in cyberspace should seek to leverage the principles of CBMs in other domains. Meanwhile, the representatives from OSCE and Singapore emphasized the need to build trust not only between nations, but across stakeholder groups as well.

3. Policy Recommendations or Suggestions for the Way Forward

There was particular emphasis during the workshop about the importance of including further discussions of CBMs in multistakeholder forums like IGF. In addition, panelists noted the need for cybersecurity CBMs programs to expand beyond national and regional efforts, as the challenges themselves are truly transnational and require engagement from countries across the globe.

4. Other Initiatives Addressing the Session Issues

The representative from EEAS explained how Europe was working to adapt the principles of traditional CBMs to the cyber domain. The representative from Singapore walked through programs being implemented across the ASEAN region that focused on providing ongoing, multi-year training to build up the capacities and understandings of target communities in nations across the region. The representative from OSCE explained how they deployed teams to the field to provide CBM trainings to officials in their member states.

5. Making Progress for Tackled Issues

Panelists seemed to be in agreement that progress on CBMs can be difficult to track with particular metrics. They recognized that it is straightforward enough to measure how many trainings are given, programs implemented, and register feedback, but truly understanding the impact of the resulting trust and understanding is difficult to capture. However, despite these challenges, panelists noted the importance of being able to continue to adapt and adjust programming based on the needs of respective countries and organizations, to continue expanding them to additional stakeholders, and to keep pace with innovations in the threat environment.

6. Estimated Participation

50 onsite, unclear online. Roughly half of those onsite were women.

7. Reflection to Gender Issues

While the panel was gender balanced, gender as an issue area did not feature prominently in the discussion.