There you are, minding your business as a nation state when Iranian geeks hack the networks of hundreds of your universities, rip off more than $3 billion worth of research AND leak the latest season of Game of Thrones. If you’re Washington, you respond by issuing felony charges and financial sanctions against the Iranian hackers and…

Wait, that’s it? Surely the US has the capability to inflict significant damage on state and non-state actors alike in cyberspace. But when it comes down to it, as my pal Kevin Allison explains, it’s harder for the US to pull the cyber-trigger than you’d think.

First, there’s no Geneva Convention for cyberspace at the moment. Without global agreement on the distinction between online behavior that is merely bad and what’s truly unacceptable, it’s difficult to determine proportionality in the cyber realm. Does large scale IP theft, for example, demand the same response as hacks or disruptions of critical infrastructure?

Second, unlike, say, lobbing a few cruise missiles at an airbase, cyberattacks and counter-attacks don’t have a neat geography. If those Iranians used servers in Dubai, does striking back at them entail an attack on Iran or on the UAE? Abu Dhabi will be keenly interested in your answer.

Third, cyberattacks are tough to control with precision. If your counterattack spreads beyond its intended target, it can cause collateral damage — including to friends and allies.

So while the US certainly could inflict an awful lot of pain on the Iranians, or any other cyber-attackers, hackers, or crypto-unsavories, the reality is that in most cases doing so is a lot messier and riskier than it seems.