When you read the International Humanitarian Law work (or export control law, for that matter) in the area of cyber war and cyber-almost-war you get the feeling they are stuck in the 1940's but they are being very precise about it. Part of the difficulty of computers is that even from the very beginning everything was shrouded in the blackest of classified mist, to the point where the Brits didn't announce they had cracked Enigma with the earliest computers for thirty years, and then when they did, a lot of Germans did not believe them.
This means that after the war, Turing and others (c.f. Manhattan project, which was computationally expensive just like codebreaking) were left writing about computation engines they KNEW WORKED and KNEW WERE IMPORTANT but couldn't say why. And computation engines is more the word for electromechanical devices programmed by moving switches and cables around, until von Neumann and others designed architectures (and machines) with what we now know of as RAM.
|One Memory to Hold Them All|
The key thing in this architecture is that your code is also data in a very practical way. And to take it one step further, both map into a state-space and moving into the weirder parts of that state-space that do what the attacker wants is called "exploitation" (moving state-spaces has nothing to do with executing native code necessarily).
You can see Mike Schmitt and Jeff Biller in their recent paper, pull legal theory towards this reality. By recasting cyber capabilities as "communication of code" and hence indirect actions which cuts the cord to a lot of international law (some from 1907) that was obviously malformed when talking about iOS exploits.
This is a pretty major step for Mike Schmitt in particular, as the primary defender of the "We can make existing international law fit cyber if we just STRETCH IT LIKE SO" school of thought. In that sense, the paper is well worth a read even if we told you so.
As a bonus, here is the 4d4 Wassenaar export control language for "Intrusion Software" binary-simplified and graphed. Notice how the two items that define it are "can extract or modify data" OR "modification of execution to supply external instructions"? All computer programs do that. Essentially the only technical specficiation that makes any sense is "avoids AV" aka "covertness". It's this kind of regulatory nonsense that is more pain than it could possibly ever be worth but which is generated automatically when the law and regulatory communities are stuck in the 40s.