Cyberattack Defense: How Far Should Organizations Be Able To Go?

Scott Shackelford, Indiana University

The deluge of cyberattacks sweeping across the world has governments and companies thinking about new ways to protect their digital systems, and the corporate and state secrets stored within. For a long time, cybersecurity experts have erected firewalls to keep out unwanted traffic and set up decoy targets on their networks to distract hackers who do get in. They have also scoured the internet for hints about what cybercriminals might be up to next to better protect themselves and their clients.

Now, though, many leaders and officials are starting to think about stepping up their defensive activities, by taking more active measures. An extreme option within this field of active defense is sometimes called “hacking back” into an adversary’s systems to get clues about what they’re doing, shut down the attack or even delete data or otherwise damage an attacker’s computers.

I have been researching the benefits and drawbacks of various active defense options with Danuvasin Charoen of the Thai National Institute of Development Administration and Kalea Miao, an undergraduate Cox scholar at the Indiana University Kelley School of Business. We have found a surprising number and variety of firms – and countries – exploring various ways to be more proactive in their cybersecurity practices, often with little fanfare.

Getting active

These soldiers are learning to defend digital networks – but could that involve attacking too?
Mike Strasser, West Point Public Affairs

On the surface, it might seem like the proverb is right: “The best defense is a good offense.” The damage from cyberattacks can be enormous: In May 2017, a single incident, the WannaCry cyber attack, affected hundreds of thousands of systems around the world and caused more than US$4 billion in lost productivity and data recovery costs. One month later, another attack, called NotPetya, cost global shipping giant Maersk $300 million and reduced the company to relying on the Facebook-owned WhatsApp messaging system for official corporate communications.

Faced with this scale of loss, some companies want to step up their defenses. Firms with sophisticated technology systems know what’s needed to protect their customers, networks and valuable trade secrets. They also likely have employees with the skills to track down hackers and penetrate the attackers’ own systems. But the ethics and implications of justifying a cyberattack as defensive get very complicated very quickly.

It’s often unclear, for example, exactly who is behind an attack – uncertainty that can last for days, months or even years. So who should the hack-back target? What if a privately owned U.S. company believed that it was under attack from a firm owned by the Chinese government? If it hacked back, would that be an act of war between the countries? What should happen to repair corporate and international relations if the company was wrong and its attacker was somewhere else? Companies shouldn’t be empowered to start global cyber conflicts that could have dire consequences, but online and offline.

Of course, it’s also important to think about what might happen if other countries allow their companies to hack back against U.S. government or corporate efforts. More U.S. firms could fall victim to cyberattacks as a result, and might find little legal recourse.

Engaging with the law

At the moment, hacking back is illegal, in the U.S. and in many nations around the world. In the U.S., the Computer Fraud and Abuse Act makes it a crime to access another computer without authorization. Every member of the G-7, including the U.S., as well as Thailand and Australia, has banned hacking back. In 2018, more than 50 countries – but not the U.S. – signed an agreement that private firms based in their nations are not allowed to hack back.

However, supporters of active defensive tactics are pushing their message hard. The Republican Party’s 2016 presidential platform promised to ensure “users have a self-defense right to deal with hackers as they see fit.” In March 2018, the Georgia state legislature passed a bill to permit “active defense measures that are designed to prevent or detect unauthorized computer access.” Two months later, then-Gov. Nathan Deal vetoed it, at the urging of technology firms concerned about its “national security implications and other potential ramifications.”

Had it become law, Georgia’s bill would still likely have run afoul of federal law. However, lawmakers in Washington have also proposed letting companies engage in certain types of active defense. In 2017, U.S. Rep. Tom Graves, a Georgia Republican, proposed the Active Cyber Defense Certainty Act, which would let companies engage in certain active defense measures, including conducting surveillance on prospective attackers, provided that the firm informed the FBI first and that the action did not threaten “public health or safety.” The bill died and has not yet been reintroduced; it’s not likely to get far in the new Democratic House.

Active defense remains illegal in the U.S. and much of the world. But the bans are not being enforced at home or abroad.

Going global

Not every country has banned hacking back. Singapore, for example, has been permitting local firms to engage in active defense measures in an effort to prevent, detect, or counter specific threats to its critical infrastructure, including the financial industry. Other nations, such as France, do not wish to see the private sector out front, but are still keen to keep active defense as an option for governments.

The more countries allow active defense, the more likely everyone – in the U.S. and around the world – is to become a cyberattack victim. Instead of deterring attacks, aggressive active defense increases the possibility of the lights going out, or American voting machines returning inaccurate results.

Organizations can and should be encouraged to take passive defense measures, like gathering intelligence on potential attackers and reporting intrusions. But in my view they should be discouraged – if not prevented – from acting aggressively, because of the risk of destabilizing corporate and international relations. If the quest for cyber peace degenerates into a tit-for-tat battle of digital vigilantism, global insecurity will be greater, not less.The Conversation

Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University

This article is republished from The Conversation under a Creative Commons license. Read the original article.


THE CONVERSATION US launched as a pilot project in October 2014. It is an independent source of news and views from the academic and research community, delivered direct to the public. Our team of professional editors work with university and research institute experts to unlock their knowledge for use by the wider public. We aim to help rebuild trust in journalism. All authors and editors sign up to our Editorial Charter. All contributors must abide by our Community Standards policy. We only allow authors to write on a subject on which they have proven expertise, which they must disclose alongside their article. Authors’ funding and potential conflicts of interest must also be disclosed. Failure to do so carries a risk of being banned from contributing to the site. The Conversation started in Melbourne Victoria and the innovative technology platform and development team is based in the university and research precinct of Carlton. Our newsroom is based in Boston but our team is part of a global newsroom able to share content across sites and around the world. The Conversation US is a non-profit educational entity.​

DO YOU HAVE THE "WRITE" STUFF? If you’re ready to share your wisdom of experience, we’re ready to share it with our massive global audience – by giving you the opportunity to become a published Contributor on our award-winning Site with (your own byline). And who knows? – it may be your first step in discovering your “hidden Hemmingway”. LEARN MORE HERE


  1. I do not have sufficient knowledge in this area but only the awareness that aspects related to computer security are becoming an increasingly stringent requirement for companies. I believe it is a priority for CEOs to closely monitor developments in this matter.