James Miller, the principal deputy undersecretary of defense, said the Pentagon has been working through a range of scenarios, in an effort to come up with rules of war that will work in an attack that can be launched from continents away in milliseconds, and routed through innocent civilians' computers by unknown assailants.
"I do not think we're going to have a single answer," Miller said during a speech at Ogilvy Public Relations. He said officials may just have to use their judgment because there are "a lot of gray areas in this field."
Miller said the Pentagon is trying to address the myriad of policy questions surrounding the issue, including when an attempt to steal sensitive data or attack a network rises to the level of aggression that must be answered.
Critics have long complained that defense officials have not yet detailed how and when the U.S. military should conduct electronic warfare, and what constitutes a cyber attack that requires retaliation. And they warn that the uncertain nature of the government's cyber warfare policies could lead them to being used hastily and ill-advisedly during a crisis.
Miller and other officials repeatedly warn that U.S. computer networks face persistent attacks, including complex criminal schemes, suspected cyber espionage by other nations, such as China, and possible terrorist probes seeking vulnerable systems or sensitive information.
But the nation's ability to protect its networks and respond to attacks is largely kept secret because of national security concerns and the government's slowly evolving cyber security plans.
While U.S. government officials will not disclose details of the U.S. policies on electronic warfare, or discuss offensive activities waged by any federal agencies, they acknowledge that they need more defined legal standards and laws of conduct for waging cyber war.
Lt. Gen. Keith Alexander, the head of the National Security Agency who was just confirmed to lead the military's new Cyber Command, told Congress in a recent hearing that the U.S. should counter cyber attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown.
In other comments, Miller said that as the number and sophistication of hackers and attacks grow, the U.S. must be prepared to continue to operate in a degraded environment. That could include infiltrated, damaged or non-working networks. Officials, he said, are working to build better defenses and make the systems more resilient.