In short, the Cyber Range is to the digital age what the Bikini Atoll — the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb — was to the nuclear age. But once the tests at Bikini Atoll demonstrated to the world the awesome destructive power of the bomb, it became evident to the United States and the Soviet Union — and other nuclear powers — that the risks of a nuclear exchange were simply too high. In the case of cyberattacks, where the results can vary from the annoying to the devastating, there are no such rules.

The Deterrence Conundrum

During the cold war, if a strategic missile had been fired at the United States, screens deep in a mountain in Colorado would have lighted up and American commanders would have some time to decide whether to launch a counterattack. Today, when Pentagon computers are subjected to a barrage, the origin is often a mystery. Absent certainty about the source, it is almost impossible to mount a counterattack.

In the rare case where the preparations for an attack are detected in a foreign computer system, there is continuing debate about whether to embrace the concept of pre-emption, with all of its Bush-era connotations. The questions range from whether an online attack should be mounted on that system to, in an extreme case, blowing those computers up.

Some officials argue that if the United States engaged in such pre-emption — and demonstrated that it was watching the development of hostile cyberweapons — it could begin to deter some attacks. Others believe it will only justify pre-emptive attacks on the United States. “Russia and China have lots of nationalistic hackers,” one senior military officer said. “They seem very, very willing to take action on their own.”

Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare.

Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker’s power grid if that would also shut down its hospital systems, its air traffic control system or its banking system?

“We don’t have that for cyber yet,” one senior Defense Department official said, “and that’s a little bit dangerous.”