As a rule, the US tends to avoid international treaties to solve big international problem especially when it comes to war. But when it comes to cyber war, America might want to reconsider, according to Abraham Sofaer from the Hoover Institution.
"The basic idea that we have an edge is really dubious," Sofaer said.
Cyber warfare is the term used when one state tries to take down another state's internet infrastructure. The stuxnet worm intended to cripple Iran's uranium enrichment program is a much discussed example. Its hard to say when cyber "incursions" reach the threshold of "war," Sofaer says, because it can be almost impossible to identify the combatants.
"People can come up with things that we cant even think of," said Sofaer. "There are very bright Iranian kids, Chinese kids, Russian kids and they are being funded by their governments, I'm not suggesting that they are on their own. They are coming up with ways that threaten."
More developed countries like the US are more vulnerable to cyber attacks because they're more exposed. But so far there aren't any clear international alliances being developed to counter the threat.
"My sense is that its more like the wild west out there," said Kate Jastram, from the UC Berkeley Law School. "So I think its really critical as we move into cyber operations that we are clear about what boundaries are going to be put around this activity."
Cyberspace is an open field for military planners as well as lawyers. Lt. Col. Peter Hayden, deputy legal counsel for the Chairman of the Joint Chiefs of Staff, says that the defense department just told congress that it has officially moved beyond kinetic warfare, involving physical force.
"The department has the capability to conduct offensive operations in cyber space, to defend our nation, allies and interests," Hayden said. "If directed by the President, the Department of Defense will conduct offensive cyber operations in a manner consistent with the policy principles and legal regimes the department allows for kinetic operations, including the law of armed conflict."
The main debate now focuses on how to apply the existing body of international law on warfare and protecting civilians to cyber war.
"The important thing is that cyber attacks may have humanitarian consequences, so it is really fundamental that they are regulated by the law which already exists," said Anne Quintin, from the International Committee of the Red Cross.
Quintin says the humanitarian consequences of a cyber attack could include damage to infrastructure like power grids and toxic waste facilities. Many legal scholars wonder whether the word "attack" is even appropriate. Cyber "events" can range from hackers trying to infiltrate commercial or government computers for fun, to terrorists trying to cripple air traffic control systems.
And then there's the question of how bad the threat actually is. Some, like Abraham Sofaer from the Hoover Institution, contend that the cyber security industry has a strong interest in stoking fears about cyber "war".
"Because they want to hype the situation, create massive income for themselves, giving advice to companies and the government about how to protect themselves from this terrible war," Sofaer said. "I'm quite suspicious about the hype. And if you sit down and you make a list of how many real serious attacks we've had in the last decade, hey, it wouldn't exceed 10."
But don't tell that to Estonia or Georgia. Both former soviet republics suffered crippling attacks on their internet infrastructures in the last five years. All fingers pointed at Russia. But in cyberwar, there's no satellite photos of tanks or troop movements. Little can be done to prove whether a state has launched an attack.