Here is a bit of reading from 2002 that is still relevant today.
Michael N. Schmitt wrote an article called "
Wired warfare: Computer network attack and jus in bello" [
pdf], where he explored what the international humanitarian law has to say about CNA. It should be required reading for all of us cyber conflict researchers, as sooner or later we will have to tackle with showing how our theories work (or not) in the framework of existing laws. And the article shows, that lawyers' concerns are often a bit different from what we might expect.
As an anecdote, I found it very funny when Richard Nixon's head (President of Earth in Futurama), faced with a legal obstacle, says something along the lines of: "Well, I know a place where the Constitution doesn't mean squat!" and the camera zooms to the Supreme Court. [from memory, so it may be a little inaccurate]
For those who are a unsure what
jus in bello means, he provides a definition:
"... that body of law concerned with what is permissible, or not, during hostilities, irrespective of the legality of the initial resort to force by the belligerents."
With that clear, let's move on. He quickly analyzes whether the international humanitarian law applies to CNA at all and finds that yes it does, if it can be classified as 'armed conflict'. That, in turn, requires that 'armed forces' are engaged in the conflict. However, the link between CNA and armed forces is not very strong, so he analyzes the contradictions in the text of the law and its application to conclude that:
"... humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable."
Obviously, the biggest problem here is the attribution. Cyber is very much a silent service when it comes to taking credit for the really complicated and high profile attacks. Government A could very well pull off a 'cyber war' and remain anonymous. Better yet, make it look like it came from Govt. B.
Since direct injury and death is presumably difficult to reach with cyber, let's discuss the other two. Would financial loss be enough to evoke the damage criteria? If so, how much loss are we talking about? Does destruction only apply to physical objects or is information also on the menu? What if an attacker drops all tables in the national registry of [CLASSIFIED] and manages to mess up the backups as well? The truth is out there...
Schmitt follows a trail of deductions similar with the 'armed conflict' with the concepts of 'targeting' and 'attack' in the law. He also touches the classification of targets to combatants and military objectives, civilians and civilian objects, as well as dual use objects. He discusses targeting economic systems (stock market, banks etc) as military targets and once again returns to the threshold of 'injury, death, damage or destruction'.
The civilian section includes an interesting bit about contractors or civilians who perform cyber attacks. He points out that those civilians (and contractors) with an official tie to the military could still be targeted and could be considered prisoner of war (because they are 'accompanying the armed forces'), if captured. On the other hand, if civilians launch the attack and they do not have an official connection, they would be 'illegal combatants' (who may still be attacked). This is only in case where the cyber attacks are severe enough to pass the threshold mentioned above.
Unfortunately his section on dual use objects is relatively short. I think the dual use category is extremely important in cyber context, as one could argue that most systems could potentially be dual use (Internet, for example, can serve as a backup communication system for the military and it is most likely going to be the main battlefield of cyber conflict). This is definitely one aspect that merits further study.
He shows that the legal framework actually supports cyber attacks over kinetic in some cases, such as shutting down dams and nuclear power stations (which you should not do with kinetics).
He analyzes several aspects of CNA targeting, including discrimination, distinction, proportionality, collateral damage, incidental injury and perfidy. I think the difference between a perfidy and a ruse is what would often get IT guys in trouble.
Overall, he covers a lot of ground and to my knowledge, there is still no better, definite answer on what is and is not allowed in cyber space. As always, read the paper for full info.