for real and lasting progress to be made.
The form and functioning of an ultimate international regime dealing with cyber attacks will depend largely on how the international community reacts to the particular circumstances at play. More likely than not, the international community will be more focused on the consequences of a computer network attack than in its mechanism. This does not put aside state responsibility, but instead focuses international attention first and foremost on the scale and targeting of IW to decide whether or not the attack has reached the level of an armed attack actionable under international law. Afterwards, attribution and state responsibility will have to be determined, as has been argued by using the Tadic standard rather than Nicaragua.
There is little likelihood that the international legal system will soon operate a coherent body of “information operations” law. More needs to be done to precisely define the criteria used to distinguish between normal transborder data flows from other cyber activities that may constitute a cyber attack.266 In some areas, such as the law of war, existing legal principles can be applied with considerable confidence once a cyber attack reaches the level of an armed attack. As far as active defense as self-defense – it is far from clear where the international community will come out.267 The main failings of existing international treaties that touch on cyber law are that most do not specify how the frameworks are morphed or fall out entirely during an armed attack, and many treaties do not include enforcement provisions. To the extent that cyber attacks are below the threshold of an armed attack, provisions of space law, nuclear non-
266 Joyner, supra note 15.
267 DOD, supra note 33.