Governments want to keep vulnerabilities secret so they can hit the enemy, but the enemy has the same equipment and setup as ours. If you increase resistance to attacks locally, the same happens remotely.

So the decision to be made is, what's more important: Our offensive capability, or our defensive capability? It's a zero sum equation, but with a twist: Every offensive action creates a corresponding signature which can be used to increase defense against that action next time. Effective surveillance increases the chance of detection and remediation. So the tipping point is the ratio of exploitable vulnerabilities (think of this as army size) each party possesses. If you have more than your enemy by a considerable margin, your enemy is unlikely to attack. Conversely, if you don't have sufficient resources to discover and refine vulnerabilities and the intelligence capabilities to know where to use them (and when), your best response is to form alliances with others, so that when a vulnerability is used on their infrastructure, they share their surveillance with all parties; thus creating a force multiplier in favor of defense.

I guess my point is that the problem can be framed using conventional military tactics, rules of engagement, etc.; But I would hesitate to equate it to military action. Otherwise you wind up in a legal quagmire: That would be turning that guy who keeps trying to run Reaver against my router to hack his way onto my network into an enemy combatant or a private citizen into an arms dealer for having a copy of TrueCrypt.

The difference is that cyberweapons inherently exploit fixable weaknesses in existing infrastructure (assuming the government isn't just inserting backdoors, which they may be doing, but they are also doing much more). The more widely they are used, the greater the pressure to fix those weaknesses and implement better security practices. Given that criminals are going to use those weaknesses even if every single government stops, that means they have fewer and fewer exploits and avenues to exploit, which is good for everyone.

It's more like a rat infestation than nuke testing. Sure, it's annoying, but the more of the bastards you get, the faster you can patch all the holes they are coming through (and the more rat poison to stop the stragglers).

Your saboteur just "poured sugar" into the tank of every HMVV, jeep, tank, and vehicle on the eve of your invasion on the base nearest to your entry point. The defender is going to have a mighty hard time forming an effective defense with no mechanized infantry and armor. Even harder if the power grid and water pumps suddenly go down in a major city that necessitates the Army's assistance in supplying and policing the area (most countries armies double as disaster relief too). Oh, and factor in that the communication relays are suddenly transmitting garbage and white noise.
To add insult to injury, you now have the blueprints of their newest tanks, so even if they manage to clean out the turbines and get them running again, your gunners will know exactly where to shoot to take them out in one hit, and you know exactly how long their air superiority fighters can stay in the air, how high they can climb how fast, etc.
And for a final "Fuck you", your hackers broke into the enemy's central bank's network, along with a few other major banks in his country, and 'diverted' most of the country's funds, including all the foreign currency stockpiled on the central bank's accounts, to you a day or two after the first shot rang out, so the state as a whole is left penniless and unable to pay its army.

As a wise man once said, "Knowing is half the battle". Infrastructure is good 25% or more, so you're left with 25% at most that constitutes military might. Far fewer casualties on your side, and possibly fewer on the target side as well if the leaders recognize early on that they have lost the war before the first shot was fired (since they can't mount a proper defense due to the chaos and lack of funds). Cyberwarfare can certainly kill, but it need not do so, for the objective is to cripple the target so the army encounters less resistance.

They could be made to kill people. Your local hospital is probably still running WinNT/2k on a lot of their equipment. Think of all the trouble one could cause for a nation if you infected their hospitals. Talk about a terror attack...

Military doctrine states very clearly that the best weapons do not kill people at all. The best weapons will cause damage that takes people off line, so that your killers have less targets to deal with. This is why your first targets in a war are the command and control centers, radio towers, and major transit routes. The first targets are never a "Kill". This is also why the 5.56mm round is designed to wound, not kill (by no means does this mean that the round does not kill, however the size and shape are designed to do do damage without killing. If we intended to kill the round would be much larger and heavier).

In the case of espionage, this is much more complex. Gaining information on movements and targets, locations of C&C, and lastly impersonation. How many of those statements released by Egypt's leaders, or Libya's leaders were really from them? That last game is played much more often than you would guess.