Bejtlich said that there is a key distinction between cyberattacks on government systems and those against commercial interests.
"The problem for the U.S. is that it is suffering attacks upon government, military, and intelligence systems, all considered traditional espionage targets and 'within bounds,' while it is suffering attacks upon commercial industry, considered by the U.S. and allies as 'out of bounds,'" he explained.
Governments have always reserved the right to respond to traditional espionage, but Bejtlich said those responses have been based in the physical world rather than in cyberspace—deporting identified spies, declaring certain embassy personnel persona non grata, ending joint events, etc. Bejtlich said that to deter China and other states from stealing American national security information, the U.S. will likely implement a mix of punishments.
Libicki said that it is plausible that the OPM attacks motivated a sense that something had to be done, even though the government positions the response as only a defense of commercial interests.
"The Chinese and Russians do not make such hard and fast distinctions," Libicki said. "Instead of arguing, 'Yes, we spy on commercial companies and that's OK,' they simply deny carrying out cyber espionage on anyone." Libicki said this approach makes it difficult to talk about norms for cyber espionage that would legitimize some targets and de-legitimize others.
Such responses may not appear proportional to the scale of the Chinese attack on OPM, as would hacking into a Chinese government entity of equal importance that houses similarly sensitive information. But experts warn that the risks of a more potent response may, in effect, represent a new era of mutual deterrence, with computer rather than missile code the key weapon.
"If you point to foreign policy, the biggest failures occur when you assume the other nation is using the same template and tactics," said Jack Devine, former acting director of the CIA's overseas operations and currently president of The Arkin Group, an international risk consulting and intelligence firm. "They might do something crazy back and you end up in a world of escalation."
Devine said that a proportional hacking response could ultimately harm U.S. strategy. Since the U.S. is assumed to be conducting regular surveillance within the networks of foreign countries, a public display of retaliation could compromise efforts already in place meant to obtain critical information from foreign governments.
"I would hope there is a great deal of dormant activity that we are doing to breach their networks, but we should also not feel comfortable," Devine said. "At the policy level, you would not want to compromise a great capability just to even the score by hacking back."