So, before U.S. leaders set about responding to the SolarWinds hack, they should articulate how it differs from the things that we sometimes do—why the Russians deserve punishment and we don’t. (I’m not saying that there is no distinction or cause for retaliation—only that, if there is, our leaders should be clear about what it is, in their own minds and in statements justifying their action.)

The remarkable thing is that, more than 60 years after the invention of the internet, more than 35 years after the first presidential study warning of computer vulnerability, and more than 20 years after the first known foreign attacks on U.S. computer networks, no one in a position of power has drawn the distinction between cyberespionage and cyberattack—nor has anyone struck a clear definition of cyberdeterrence or delineated what kinds of cyberattacks the government should try to deter and, if necessary, respond to.

It’s also troubling that, after all this time, the U.S. government has done such a scattered, incomplete job of patching its security holes. If we’re going to start retaliating in kind to cyberattacks as a matter of policy (or even if we’re not), we need to get more serious about beefing up our defenses. The latest defense authorization act adopts half of the 52 recommendations put forth by a congressionally appointed commission on the subject. It’s a start.