While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.

One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief.

A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air defense system during a conventional strike against an adversary.

“There are very, very few instances in cyberoperations in which the decision will be made at a level below the president,” the official said. That means the administration has ruled out the use of “automatic” retaliation if a cyberattack on America’s infrastructure is detected, even if the virus is traveling at network speeds.