States currently endorse three different positions concerning the international wrongfulness of cyber operations that penetrate computer systems located on the territory of another state but do not rise to the level of a use of force or prohibited intervention. The first position is that such low-intensity cyber operations are never wrongful, because sovereignty is a principle of international law, not a primary rule that can be independently violated. The second is that low-intensity cyber operations are always wrongful, because sovereignty is a primary rule of international law that is violated by any non-consensual penetration of a computer system located on the territory of another state – what has been called the “pure sovereigntist” approach. And the third position is that although sovereignty is a primary rule of international law, low-intensity cyber operations are internationally wrongful only insofar as they cause some kind of physical damage to the territorial state or render its cyber-infrastructure inoperable – what has been called the “relative sovereigntist” approach. This article provides a comprehensive analysis of these three positions on low-intensity cyber operations. It begins by discussing why sovereignty is a primary rule of international law, not simply a principle from which specific primary rules can be derived. It then argues that the pure-sovereigntist position has a stronger foundation in general international law than the relative-sovereigntist position. And finally, it explains why a variety of policy considerations favor pure sovereignty over either sovereignty as a principle or relative sovereignty.