A three-year study concluded that the U.S. has no clear policy about how it might respond to a cyberattack.
