When is a cyberattack an act of war?

On the night of Oct. 11, Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum, housed in a former aircraft carrier moored at a New York City pier, and let an audience of business executives in on one of the most important conversations inside the U.S. government.

He warned of a “cyber Pearl Harbor,” evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it “a date which will live in infamy” as he asked Congress for a declaration of war.

Sixty years later, another surprise attack killed almost 3,000 people when al-Qaeda terrorists flew two jetliners into New York’s twin towers. Panetta cited the Sept. 11, 2001, strikes, too, warning that the United States is in a “pre-9/11 moment,” with critical computer systems vulnerable to assault.

We all know what an act of war looks like on land or sea, and by evoking two of the most searing attacks in our modern history, Panetta was trying to raise a sense of urgency about the threat in a new domain made of bits and bytes zinging between servers around the world.

But what does an act of war look like in cyberspace?

And perhaps more important, what does the U.S. government do when cyberattacks fall short of that — assuming it can identify the perpetrators in the first place?

What about something like Shamoon, the nickname for a virus that wiped data from 30,000 computers at Saudi Arabia’s state-owned oil company in August, affecting business operations for two weeks? Panetta called that assault, along with a similar strike on Qatar’s RasGas, “probably the most destructive attack” on the private sector to date. Another U.S. official declared it a “watershed” moment, beyond the troubling but all-too-familiar thefts of data and disruption of Web sites.

Unlike the Japanese planes at Pearl Harbor, the virus had no telltale markings that gave away its origins. The U.S. intelligence community has privately concluded that the invader was sent by Iran, though some security experts outside the government say they have reason to believe that Iran was not the perpetrator.

If Tehran is responsible, what was its motive? In the view of intelligence officials, it was striking back for sanctions; for the Saudi kingdom’s implicit support for an oil embargo; and for the damage done to Iran’s nuclear program by Stuxnet, the nickname for a cyber-sabotage campaign by the United States and Israel to slow the country’s pursuit of a nuclear weapon by damaging almost 1,000 uranium-enrichment centrifuges.

The Shamoon attack on Saudi Aramco did not cause enough physical damage to rise to what international law experts call an armed attack. But what if something like it happened to several energy companies in the United States and it could be traced conclusively to a foreign government or a terrorist group? How much damage, pain and fear would need to result before national security officials would say, “We can’t let this go unanswered”?