The review was conducted as part of the administration's efforts to define rules of engagement for cyberattacks, much the same as it has done in creating rules governing drone strikes, officials told The New York Times Monday.
Nearly all of the cyberattack capabilities would need to be ordered directly by the president, though some could be carried out by the military -- such as using a cyberattack to disarm a nation's anti-aircraft weapons prior to an American airstrike.
The legal review comes as several prominent U.S. newspapers and private companies have been targets of cyberattacks and hacking, including the Times, The Washington Post and The Wall Street Journal, all of which were targeted by attacks emanating from China.
The United States is only known to have initiated a pre-emptive cyberattack once, when it inserted destructive computer code into machines operating nuclear reactors in Iran. The attack's planning began under President George W. Bush but Obama took over management of the operation and eventually gave his approval to deployment of the cyberattack, in conjunction with Israel.
Administration officials said Obama specifically ordered that the cyberattack be narrowly focused, targeting only Iran's nuclear facility and not larger infrastructure such as power grids or hospitals.
Such larger attacks are possible, however. Given the mass impact such an attack could have on civilian populations, much like overwhelming airstrikes or a ground invasion, the administration saw a need to clarify just how and when such military Internet operations could be deployed.