As a general matter, international humanitarian law is up to the task of providing the legal framework for cyber operations during an armed conflict. However, two debates persist in this regard, the resolution of which will determine the precise degree of protection the civilian population will enjoy during cyber operations. The first revolves around the meaning of the term “attack” in various conduct of hostilities rules, while the second addresses the issue of whether data may be considered an object such that operations destroying or altering it are subject to the prohibition on attacking civilian objects and that their effects need be considered when considering proportionality and the taking of precautions in attack. Even if these debates were to be resolved, the civilian population would still face risks from the unique capabilities of cyber operations.