The most significant debate regarding the applicability of international humanitarian law to cyber operations involves interpretation of the rules governing cyber “attacks”, as that term is understood in the law. For over a decade, the debate has been a binary one between advocates of the “permissive approach” developed by the author and a “restrictive approach” championed by those who saw the permissive approach as insufficiently protective of the civilian population and other protected persons and objects. In this article, the author analyses that debate, and explains a third approach developed during the Tallinn Manual project. He concludes by suggesting that the Tallinn Manual approach best approximates the contemporary law given the increasing value which societies are attributing to cyber activities.