Craig McDonald Jan 28, 2022 3:21:36 PM 8 MIN READ

Should private companies be allowed to hit back at the hackers?


There has been much discussion recently about the merits of private companies going on the offensive against cybercriminals. Some think it’s long overdue, while others fear a digital wild west, with cyber vigilantes running untethered. Current laws in the US largely limit companies to playing defence, with federal laws against invading someone’s computer. However, some specialist cybersecurity firms say that they can pursue criminals without launching their own attacks. The question, though, is whether they should. Most cybercrimes in the US fall under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorised access to computer systems. The law effectively places offensive cybersecurity actions solely in the hands of the federal government.

However, with the rapid rise in cyber attacks impacting entities globally, the question arises whether, by the time the law effectively deals with cybercriminals, it is often already too late for businesses. A case in point is a ransomware incident: an organisation that suffers one can face severe business disruption, financial loss and a halt to operations, and often finds itself racing against time to pay a ransom while trying to tend to the dire collateral damage caused. Businesses are stuck with a dilemma: pay the ransom (with no guarantee of resolving the situation) or wait. Often, the attack has already caused significant damage to a business by the time lawmakers come into the picture. It’s a complex issue, yet one that is relevant as we witness the rise of cyber attacks and the growing importance of cyber resilience. Some industry veterans, on the other hand, ponder whether private-sector operators could reduce the collateral damage and political instability, and how interventions might disrupt law enforcement or military operations (James Rundle, Wall Street Journal).

My LinkedIn network consists of industry professionals and business leaders who are well-versed in cybersecurity, so I was curious to know their opinion on whether the private sphere should go on the offensive and strike back at the threat actors. Here are the results:


  • 33% of voters opted for a strong ‘No, leave it to the lawmakers’,
  • Nearly half (47%) took the tit-for-tat approach and voted ‘Yes, go offensive if you can’, and
  • 19% thought it was complicated and provided insightful reasons as to why (see the comments below).

The results are quite interesting, perhaps reflecting the urgency with which private companies would seek to save their businesses, set against the warnings and penalties imposed by authorities urging them to let law enforcement and the relevant agencies do their job. It’s a multi-layered, complex issue indeed, and the comments below reveal the complicated nature of ‘hitting back at hackers’ with great insight and food for thought, with ethical and philosophical reasoning coming into play.

Here’s a brief selection of the comments:

“Well, I think we should flip this question and ask what happens in the physical world. Are companies allowed to hunt down criminals, or do they have to follow due process to report a crime and let law enforcement do its job? At the same time, do companies hire security people and put security systems in place to protect and reduce risk? Do they insure themselves against those risks? The answer you are looking for is in all of those questions”.

“100%. The way I see it is the audit risk model and reducing the audit risk by putting controls in place. Vigilante stuff can damage a brand and it’s not worth it. Being vengeful doesn’t pay off”.

“Mahatma Gandhi’s quote: ‘An eye for an eye will leave the whole world blind’. I hope you got my opinion that it should not be allowed”.

“The risk of causing collateral damage to others is very high since attackers often use compromised infrastructure of their victims to launch and amplify attacks. Attribution is hard enough for government agencies, so I do not trust that a manager of a business with a bruised ego will show the restraint required before demanding retribution against the wrong target”.

“I think it’s more complicated than just a strike back and doing so could create a lot of new dangers that we don’t even know yet. The attackers tend to have more motivation and resources than the defenders in the first place”.

“Only go offensive if hacking is your line of business, i.e., white hackers with government support and backing. However, some hackers may have more experience and research-based methods not known to the wider audience, so there is a chance that there would be ongoing repercussions. Many businesses don’t want to deviate from their principal line of business; it depends on how many attacks they have experienced”.

“Hackers typically use stolen systems anyway. Hacking back without damaging third-party systems as collateral is very hard. Instead of private companies going on the offensive against cybercriminals, maybe we should better train and pay our law enforcers. It’s their job. And vote in lawmakers”.

“The answer is simple. Imagine this had nothing to do with the cyber world. How would you answer? Nothing changes”.

The Risk(s) of Striking Back

Looking at the issue from a bird’s-eye point of view, the majority view expresses a need to leave it to the lawmakers, given the complexity involved when private companies strike back. Businesses taking matters into their own hands results in too many variables and unknown risk factors. Keith Brian Alexander, former director of the NSA and of the US military’s cybersecurity branch, argues that private companies should not be allowed to hit back at the hackers: “If it starts a war, you can’t have companies starting a war. That’s inherently a governmental responsibility, and plus the chances of a company getting it wrong are fairly high”. He cites the 2014 attack on Sony involving North Korea as an example, and the potential for nation-state combat with consequences far beyond a hack.

So where should we draw a compromise, if any? One thing is for sure: the public and private spheres need to continue to work closely together to ensure effective solutions for entities impacted by a cyber attack, and businesses need to commit to upping their cyber resilience. Plus, legislation must keep evolving with the ever-changing landscape to keep everyone safe and the adversaries at bay.

Keeping businesses protected

Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their cyber resilience to avoid being hit by phishing, ransomware, BEC and other zero-day threats in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email solution like MailGuard.


Talk to us

MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

We’re on Facebook, Twitter and LinkedIn.
