By any reasonable definition of "state of war", a state of war exists between Israel and Iran and has for a long time. The only reason it's not official is that since 1979 Iran has not recognized the existence of Israel at all, and hence can't officially declare war on an entity which it claims does not exist.
Iran is far enough away from Israel that it would be difficult for Israel to actually project power there. The distance from Tiberias (northeast of Israel) to Ahvaz (southwest Iran) is ~780 miles. If you go to Tehran instead of Ahvaz, it's 930 miles. An F-16 has a combat radius of 340 miles. An F-15 can do ~1000 miles. An F-35 has a combat radius of ~700 miles. You can do mid-air refueling, but doing it at scale in a situation like the 6-day war is not simple either. As far as I know, Israel does not operate dedicated long-range bombers.
It's easy for people in the US to forget the effects of distance like this, because the US approach to this situation would involve parking a carrier group or three (which Israel doesn't have) off Iran's coast in the Persian Gulf, using those to suppress air defenses, and then using those and strategic bombers (which Israel also doesn't have) to strike ground targets.
Or put another way, fear of Israel's military sure hasn't prevented Iran funding Hezbollah, which would generally be considered an act of war in itself given that Hezbollah then uses those funds to fire rockets and artillery into Israel.
If cyberattacks counted, the US would be at war with China and Russia. I bet there will be a treaty eventually, and I have some fears on what secondary restriction it will place on the internet.
A treaty that is unenforceable (ie no one can observe the outcome) is as good as no treaty. You can't really attribute most cyberattacks and if you automatically assume it is country x, then country y in conflict with country x will rush into attacking you.
Oh, they could make it enforceable, but I don't think anyone would really like the resulting version of the internet except bureaucrats who crave power over all things.
You see some politicians mention that all software developers should be licensed, and we see companies requiring signed code to allow it to run on platforms. Licenses for servers happen in some places. Its all little step, but a few more gets you a locked and licensed computing network.
Aside from the questions of whether Israel and Iran are already at war or incapable of becoming at war, it's worth noting there's no real clarity around what defines an 'act of war' in the first place.
Historically, 'casus belli' just describes an action which justifies a state of war. Nations can cite whatever they want, although self-defense is generally the most defensible basis. In that sense it's a permissive concept; it does not force a country to become "at war". So something like the shooting down of a warplane (e.g. a Russian plane over Syria, by Turkey) is clearly inter-military violence, but the injured party can (and did) elect not to declare war. As far as Iran's response here, that's probably the extent of the matter: they don't want to use this as casus belli, so they won't.
More recently, I know of three other definitions for an "act of war" which are potentially relevant.
1. Most nations have laws which use the term, for instance to prohibit citizens from doing business with adversaries. These are often quite narrow - the US definition (18 U.S. Code § 2331 4) would go unmet by this incident because it was not armed conflict. I don't know the Iranian or Israeli internal definitions, but with the array of sanctions and other boundaries already in place they're probably irrelevant. (And internally at least, Iran can't actually be at war with something it doesn't acknowledge to be a state.)
2. The United Nations Charter, since both Iran and Israel are signatories. This relies on the term 'force', not acts of war, and is deeply unclear about what constitutes force. Resolution 2625 states "armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements, are in violation of international law".
Reading narrowly, this is pretty clearly "other interference against its economic elements", but the next clause of that resolution would render most sanctions, economic espionage, and other common practices illegal acts of war and so it's widely ignored. There have been rumblings about the status of cyberattacks, but there's definitely no settled law on that matter yet.
3. The Hague and Geneva Conventions, since both are signatories. It could constitute an act of war creating wartime-status obligations to personnel or an undeclared act of war violating the "Convention relative to the Opening of Hostilities".
As far as the declaration statute, I don't see any sign of what constitutes a "state of war", and I suspect that in 1907 it was considered obvious. As far as "prisoner of war" status and other restrictions like lawful surrender, the people spreading the exploit are debatably governed if they're members of a military, but not otherwise governed as a militia or volunteer corps.
---
Given all that, I'm reasonably sure there's no international law yet governing cyberattacks. Attacks which have death tolls or directly interact with weaponry could presumably be governed by their consequences, in the same way that non-electronic sabotage would. But in terms of economic and other nonviolent consequences, it's an open question.
The UNC could certainly be used to rule them acts of war in the same sense that smashing up factories or killing crops would be, but such an interpretation could potentially also apply to stealing schematics or wiretapping trade delegations, which have historically not been considered acts of war.
There are some pretty good analyses of this question out there, but most end up at "we dunno yet". It'll probably be a question up for debate and further treaties within the next decade or so, and the result will likely be a function of how such attacks have been used so far.
>"It is striking to me that Prime Minister Netanyahu must go back to an Iranian report of a March 2016 ballistic missile test to make his point about malign Iranian intentions," said Greg Thielmann, a former foreign service officer and Senate Intelligence Committee staffer who is now a board member at the Arms Control Association.
>He suggested that the Hebrew lettering may have been "a one-time event, and not necessarily authorized in Tehran." The botching of the text may suggest that the gambit was ad-hoc "sloganeering" by the Islamic Revolutionary Guard Corps, "rather than an explicit policy dictated from the top," Thielmann said.