There's explicitly addressing what we call “hack back” or active measures.
I did question the Canadian Armed Forces. They directed me to the document “Strong, Secure, Engaged”. Alex probably knows more about this too. There's a spot in there where it does say that with the right level of authorization we can hack back. The reality is that we're going to have to hack back. It's not really negotiable anymore.
Of course, it becomes a definitional question. I was told at one point that the United States government was looking at physical facilities in Russia that might possibly be victims of an attack. We do know the U.S. government put a virus in printers that went into Iraq and so on. It's going on out there.
I don't think we have a clear policy on it. I think we need to know. I've realized for security reasons that they may not want to be forthcoming about when they actually do it. It seems to me, from what I've been able to find as a civilian, that they are not clear on when they can use active measures.