A structured framework to evaluate the risks and benefits of authorizing private companies to “hack back.”
As the scale and sophistication of cyber threats from state and criminal actors grow, U.S. officials are reevaluating the long-standing policy that reserves offensive cyber operations as an exclusively governmental function. In this new Lawfare research report, we examine the risks and benefits of expanding private-sector participation in such operations. Rather than endorsing a specific policy change, we present a structured framework to guide a focused discussion among policymakers.
The framework is built on three interdependent factors. First, it requires defining clear policy objectives, such as augmenting government capacity or disrupting adversary infrastructure. Second, it addresses the scope of authorized activities, clarifying what actions are permissible, who may be targeted, and where they may be attacked. Finally, it tackles the complex legal and liability considerations, including the potential legal authorities for such actions and the unresolved question of who bears responsibility when operations harm innocent third parties.
By systematically addressing these questions, we aim to help policymakers clarify goals and mitigate the significant risks of escalation and diplomatic fallout before altering the rules of cyber offense.
You can read the paper here.
– Sezaneh Seymour, Brandon Wales, Published courtesy of Lawfare.
