Admiral Michael Rogers, who took over as head of the NSA last April, said that there may be times when the US could go beyond a cyber response.
"Because an opponent comes at us in the cyber domain doesn’t mean we have to respond in the cyber domain," Rogers said, at a forum at George Washington University on Monday. "We think it’s important that potential adversaries out there know that this is part of our strategy. The whole goal is you do not want to engage in escalatory behavior."
In March, Rogers also told Congress that offensive strategies need to be expanded alongside an already robust defense.
"[W]e’ve also got to broaden our capabilities to provide policymakers and operational commanders with a broader range of options," he told the Senate Armed Services Committee.
"Private security researchers over the last year have reported on numerous malware finds in the industrial control systems of energy sector organizations. We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict."
In his talk on Monday, Rogers was discussing the economic sanctions placed on North Korea in response to the hack on Sony Pictures. He said these kinds of measures were important to let adversaries know when they'd crossed a "red line."
"The whole world was aware that Sony Corporation had suffered an offensive act that destroyed data as well as destroyed hardware," he told the forum on cybersecurity issues.
"What concerned me was, given the fact that this is a matter of public record, if we don't publicly acknowledge it, if we don't attribute it and if we don't talk about what we're going to do in response to the activity… I don't want anyone watching thinking we have not tripped a red line, that this is in the realm of the acceptable."
The economic sanctions against North Korea target 10 individuals and three entities. They were announced after the US determined that North Korea was behind the Sony hack, in which thousands of employee emails and personal information of employees and their families were leaked. North Korea has consistently denied involvement.
Successful deterrence, Rogers explained, involves letting potential cyber attackers know that they will "pay a price" for any cyber battle they wage that "will far outweigh the benefit."
When asked whether conventional weapons could be used in a possible response to a cyber attack, Rogers emphasized: "It's situational."
"What you would recommend in one scenario is not what you would recommend in another."
In February 2015, US Director of National Intelligence James Clapper said Russia, China, Iran and North Korea represent major threats to US cybersecurity.
Criminal activity online is broadly estimated to cost the United States $100 billion annually, more than any other country, according to a report released in 2014 by the Center for Strategic and International Studies.