RAND has a monograph out on cyber-wafare.
Basically, they think strategic offensive cyber-warfare isn't worth the effort; tactical offensive cyber-warfare is useful to assist conventional attacks; and defensive cyber-warfare is worth the effort.
That seems reasonable. I've long said that if cyber-attackers hit our homeland, why shouldn't our response be to JDAM the offenders in response? Blow up their computer complexes or hit their infrastructure?