Our colleague Ashley Deeks has just published "The Geography of Cyber Conflict: Through a Glass Darkly," as part of the Naval War College's volume of International Law Studies on the geography of war.
The U.S. government has said it deems jus ad bellum and jus in bello rules as applicable in cyber, and Harold Koh's 2012 speech at U.S. Cybercommand started to unpack how it might apply those rules to cyber situations. That remains the most detailed U.S. government articulation on this issue, but it still just scratches the surface of some very difficult questions.
One significant U.S. government claim in the non-cyber context has been that it can use force in another state's territory against a lawful target where that state is unwilling or unable to suppress the threat itself, and Ashley's article on that "unwilling or unable" standard is must-reading in the field. In this piece, Ashley notes that the U.S. government presumably would apply this same test in the cyber context, but it has said nothing publicly about how it would do so. Ashley explores what it might look like to apply the unwilling/unable test in the face of several different types of cyber activity, such as if a state or non-state armed group launched a cyber "armed attack" against the United States via a third state's territory, or if a state or non-state actors in an armed conflict with the United States launched attacks from a third state.
Ashley makes an interesting argument that applying the unwilling/unable test in the cyber context highlights the importance of a victim state's relationship with the "territorial" state, which affects the victim state's willingness to reveal information about attacks and the territorial state's willingness to reveal its own technological capabilities. I think she's right that often-discussed features of cyberspace -- anonymity, difficulty in attribution, geographic disinhibitions, and speed of actions -- make this an important set of issues to consider, especially if the United States truly is committed to analogizing existing rules to the cyber context.