International law applies in cyberspace, too. States are basically in agreement on this. How existing international law can be applied to cyberspace is discussed with reference to two specific areas: the right of (military) self-defense and international humanitarian law.
The right of self-defense applies only in the event of an armed attack. To reach this threshold, a cyberattack would need to cause physical damage comparable to the consequences of a conventional armed attack. Prof. Dr. Robin Geiss points out that, in this context, it is debatable how one should classify a hacker attack on major financial centers, for example. Furthermore, the origin of cyberattacks is often obscure. Yet any act of self-defense that complies with international law requires clear identification of the attacker.
Concerning the applicability of international humanitarian law, there are no doubts as long as cyberspace is “only” used as a medium for attacks on physical targets (e.g. military installations). But it gets more complicated when hardware and software are themselves the targets of attack. There is a fundamental problem here, in that large parts of cyber infrastructure are dual-use objects, i.e. they can be used both for civilian and military purposes. A general legal classification of dual-use objects as legitimate targets would open up almost unlimited scope for digital warfare, and therefore increase the risk of incalculable impacts on civilians and civilian infrastructure.
Consensus prevails on the fundamental applicability of international law in cyberspace. But there is considerable need for clarification beyond the purely military dimension. This is particularly true with regard to the already acute problems of surveillance by intelligence services, industrial espionage and cybercrime.