Why Companies Shouldn’t Try to Hack Their Hackers

Proposed legislation in the United States would make it legal for businesses and individuals to “hack back.” Sometimes called counterstrike, hack back is a term for when an organization takes offensive action to pursue, and potentially subdue, cyberattackers who have targeted them. Proponents of hack back argue that the same principle should apply as that which allows homeowners to defend themselves against an intruder, even if it harms them. But for several reasons, such an authorization could cause even more damage and have unintended consequences. To start, it’s very difficult to identify cyberattackers. Innocent people could instead be targeted. Even if the source of the attack is properly attributed, it’s difficult to isolate harmful actions. After all, computer systems are interconnected. It’s also hard to understand the attacker’s motivation and determine a proportional response. Furthermore, hack back would require expensive tools and expertise that could put some companies at an extra disadvantage. Finally, the implications of damaging computer systems across borders raises regulatory and legal nightmares. Legitimizing vigilantism by legalizing hack back would be a step back given the substantial risks and dubious benefits.