Cyber Offense: How Far Can Private Organizations Go? | Lawfare
Rajeev Raghavan
Jared Engelking
Grace Tang
A criminal hacking group is conducting phishing attacks, masquerading as an email company to steal user data and launch ransomware. The email company’s security team has mapped the hackers’ infrastructure. The team has identified the command-and-control servers and a flaw in the ransomware deployment tools that could send decryption keys to victims. The company wants to launch a technical attack and take down the threat actors’ network. But there is a problem: Doing so could land the company’s employees in federal prison. That tension—between what the private sector can technically achieve and what it is legally permitted to do—sits at the heart of a growing cybersecurity policy debate.

Over the past year, the Trump administration has beaten a steady drum calling for greater public-private cooperation against state and criminal cyber adversaries. Its March 2026 Cyber Strategy for America, for example, aims to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This line of thinking is not new. Since 2013, the private sector and thought leaders have suggested “hacking back,” “cyber privateers,” and “letters of marque” as a policy response to the exponential rise in cybercrime—extending authority to conduct cyber operations against threat actors from traditional government actors (such as the FBI, U.S. Cyber Command, and the intelligence community) to qualified private-sector entities. And, while National Cyber Director Sean Cairncross has said that the administration is not asking the private sector to conduct offensive cyber operations, he stressed the need to shape adversary behavior through collaboration.

But the line between cyber defense and offense is blurring fast. Organizations are constantly evaluating how to disincentivize threat actors from targeting them and their customers. Some are exploring how a more permissive, government-enabled cyber environment can help them operationalize—and potentially monetize—their cyber systems and threat intelligence, turning a traditional cost center into a profit operation. All of this falls under the broad and loosely defined banner of “offensive cyber operations,” encompassing everything from retaliatory “hack backs” to active defensive measures, threat intelligence gathering, and court-ordered seizures of attacker infrastructure.

Artificial intelligence (AI) is accelerating the cat-and-mouse game between threat actors and network defenders. Threat actors are increasingly leveraging AI to exploit vulnerabilities and augment their efforts with the click of a button. Anthropic’s Claude Mythos, which has the ability to autonomously find and fix vulnerabilities in software, and similar models will become the minimum standard for secure software development and network defenders. Phishing and fraud detection, combing through gigabytes of logs for anomalies, predictive threat analysis, and behavioral baselining are all areas where AI has a distinct edge. When speed is the decisive factor in stopping an attack, agentic AI cybersecurity solutions promise to anticipate and respond far faster than any human defender.

The capabilities that fall under this broad umbrella—offensive, defensive, intelligence, and legal—each carry distinct risks that organizations must weigh. And the legal landscape is more complex than the heightened rhetoric might suggest.

The Hack Back Dilemma

What does “hacking back” actually mean? At its core, a traditional hack back refers to a victim retaliating by penetrating the attacker’s systems through technical means. But the term has grown to encompass active defensive measures in which victims manipulate their own network environment to make it harder and costlier for adversaries to operate. Hack backs also include intelligence-gathering actions, such as infiltrating criminal forums, assuming false identities, and even law enforcement-style activities, such as conducting controlled purchases to understand bad actors’ operations.

The Computer Fraud and Abuse Act (CFAA) is the primary U.S. anti-hacking law. It prohibits intentionally accessing a computer “without authorization or exceed[ing] authorized access” as well as “knowingly caus[ing] the transmission of a program, information, code, or command” to “intentionally cause[] damage.” In 2021, the Supreme Court narrowed the CFAA by ruling that using an authorized account for an improper...