The disclosure that Russia was responsible for penetrating the unclassified e-mail system used by the Joint Chiefs of Staff should be disconcerting. Unfortunately, many accounts of cyberattacks these days seem to produce yawns. A major Hollywood studio discovered its computers ruined; a sensitive U.S. government trove of personnel information was stolen; corporate secrets were hacked and used for insider trading; major retailers and a health care provider were looted of customer data — yet the U.S. has been complacent and lazy in responding.

The attacks on the private sector have been unrelenting, and the onslaught against Sony Pictures Entertainment, discovered in November, which President Obama blamed on North Korea, seemed to ignite a new determination in Congress to act. The House passed legislation and, before the August recess, the Senate seemed poised to consider a bill that would facilitate sharing information between government and business about malware on the private networks. The bills are no panacea, and privacy concerns remain an issue, but progress was evident before the recess. Hopefully, momentum won't be lost this autumn.

At the same time, signals from the Obama administration about responding to the theft of some 22 million sensitive records from the Office of Personnel Management (OPM) are ambivalent. This was the largest cyberattack on the U.S. government in history, giving those who stole the data, probably Chinese spies, access to confidential questionnaires used in applications for government security clearances. According to a report in the New York Times, administration officials want to retaliate but have not settled on how: whether economic sanctions, public protests or a retaliatory assault in cyberspace. The officials are also justifiably concerned about escalating a conflict with China.

A debate over how to respond to the OPM theft highlights some of the hard choices facing the U.S. in this new era of digital conflict. Among the most important questions: How can the U.S. deter others from such rampant assaults?

Doing nothing is not an acceptable option. The U.S. needs to give cyberattackers real pause and a credible threat of certain retaliation, one that can be seen in public as well as felt in private. So far, it does not appear to exist. And the attackers are not so lazy.

FROM AN EDITORIAL IN THE WASHINGTON POST