Where things get scary is when they do. A Stuxnet-style attack on a power station or a successful and deadly shutdown of the power grid would fall into the category of "use of force" - and that means the nations are in an armed conflict.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), established in 2008, has responsibility for maintaining and improving NATO's cyberwar defences. The Tallinn manual has no official status - CCDCOE's website calls it "not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity" - but it is the most important attempt to fit cyberattacks into the conventions of just war.
Once that happens anything goes: while the Tallinn manual emphasises the need for diplomatic responses to acts of force, the response depends very much on the scale and severity of the attack. An attack with real-world consequences is likely to be met with real-world weapons.
Under the Tallinn Manual, the perpetrators would be legitimate targets even if they were civilians. Rule 29 says that civilians "forfeit their protection from attacks for such time as they do so participate." As Mother Jones reports, that doesn't mean NATO can send drones "to take out Anonymous hackers who they find annoying" - but it does mean that in a conflict hackers who might not consider themselves soldiers would be targeted as such.
That's assuming you can identify the perpetrators, of course. In most cases, attacks' origins are carefully disguised - so for example the Stuxnet worm that attacked Iranian nuclear facilities was discovered in early 2010, but it wasn't until mid-2011 that believable reports of its origins began to circulate.
The Chinese authorities claim that the US is the aggressor and that claims of Chinese cyber-attacks are being exaggerated or invented for political gain. Hu Xijin, editor-in-chief of Beijing's Global Times, says that "we feel that you are shouting about [us] as an excuse for establishing an internet army." Some conspiracy theorists go further, alleging that recent attacks such as Iranian hacks on US energy providers are false flag operations - that is, faked by the US.
Time to talk
The parade of claims, counter-claims, vehement denials and heated allegations is horribly familiar. As security expert Bruce Schneier writes, "we're in the early years of a cyberwar arms race. It's expensive, it's destablising, and it threatens the very fabric of the internet we use every day."
Schneier - and many others - argue that the best way to solve the problem is to have international treaties that "stipulate a no-first-use policy... we could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits".
Such treaties wouldn't be perfect. Enforcement would be a problem: it's hard enough to find weapons of mass destruction, let alone trace electronic weapons. But there's an even larger problem, and that's getting the major powers to agree on them in the first place. While the US has accepted the Tallinn Manual, Russia has rejected it: it wants cyber-weapons banned altogether.
Meanwhile, China's official response to US requests for international agreement is that the US is having a laugh. According to China Daily, which often speaks on behalf of the Chinese authorities, "it is bizarre that Washington can continue to pose as the biggest cyberespionage victim and demand others behave well" in the light of Edward Snowden's revelations: "Washington is trying to dictate the rules for global cyberdomain, which is a public space".
US president Obama and his Chinese counterpart Xi Jingping met in July to discuss the issues, but failed to reach any agreement. International cyberwar treaties appear to be a long way off.