DHS and deterrence: "complacency is being replaced by consequences."
US Secretary of Homeland Security (DHS) Kirstjen Nielsen addressed the RSA Conference and flashed some steel on behalf of the Administration. She called for international norms that might govern conduct in cyberspace and ameliorate the damage that full-scale warfare in that domain might bring about. Such norms remain to be developed. International cyber accords lag related areas of international law like the law of armed conflict and the law of the sea.
Most of her presentation focused on DHS and its mission to protect critical infrastructure. She called for increased cooperation among companies and Government agencies to meet the challenges of both cyber crime and international cyber conflict (Security Now).
Her talk, however, was by no means entirely diplomatic or even defensive. She warned foreign bad actors (and it was clear from context and current events that Russia is the bad actor principally on the US Government's mind) that they shouldn't believe they can strike at the US and its allies with impunity in cyberspace. "The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility," she said (Department of Homeland Security).
Thus her presentation put down a clear marker: the US reserved the right to conduct offensive cyber operations in response to cyber attacks (CNET). These would be considered alongside other options: sanctions, prosecution, naming-and-shaming, and in certain circumstances kinetic operations.
It's worth noting that the US is neither alone nor first in putting down this marker. Sorely provoked by the Salisbury nerve agent attacks and evidence of battlespace preparation in its power grid, Britain had already warned Russia directly that Britain reserves the right to retaliate with cyberattacks (Geo TV).