Is it wrong for victims of cyber-crime to hack back?

Department of Homeland Security (DHS) researchers use advanced modeling and simulation equipment as they work on the DHS Control Systems Security Program (CSSP) in this handout photo taken April 28, 2010 at the Idaho National Laboratory in Idaho Falls, Idaho.

Image: REUTERS/Chris Morgan/Idaho National Laboratory

Patrick Lin
Director, Ethics and Emerging Sciences Group, California Polytechnic State University (Cal Poly)
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Justice and Law is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Justice and Law

Is it wrong to hack back - to counter-cyber-attack when you’ve become a victim?

The presumed answer is yes. In the US alone, the Department of Justice calls hacking back “likely illegal”; the Federal Bureau of Investigation “cautions” victims against it; and White House officials call it “a terrible idea.”

But none has clearly declared it illegal. The law has not caught up with technology here - whether in the US or other geographies - and we don’t have a test-case in court yet. In the meantime, we can look toward ethics for guidance, which surprisingly might permit hacking back.

If cyber-attacks are a law enforcement issue, the usual solution is to let the authorities handle it. They’d work to capture the suspects, put them on trial, and punish them if found guilty. To circumvent this process seems to be vigilantism, which threatens the rule of law and therefore civil society’s foundation.

But when cyber-attackers continue to elude identification - forget about capture and prosecution - does it still make sense to defer to the authorities? Help is not on the way. For instance, the FBI said this about ransomware, or malicious software that locks down a user’s system until money is extorted. “To be honest, we often advise people to just pay the ransom," they said.

If the wheels of justice are systematically stuck, then it may not be vigilantism to take action against your attacker. Part of our social contract to create and abide by government is to give up our natural powers to take justice into our own hands, in exchange for a more reliable and fair legal system. Arguably, our obligation to defer to law enforcement is suspended, on this particular issue of cyber-attacks, if they can’t uphold their end of the bargain.

Anyway, your right to self-defense is basic and does not go away, even when help is on the way. In a home robbery, for example, it’d be reasonable to defend your family while waiting for the police, since a lot can happen in the several minutes in between.



But what if you can’t identify the attacker? What if he’s really an innocent person who accidentally stumbled into your house or was co-erced? This is a popular concern; hacking back might target innocent people, since attribution or identification is so difficult.

For instance, in a distributed denial of service or DDoS attack, if you knock out the computers that were unwittingly hijacked and used to swarm against your system, are you attacking “innocent” computers, and is that bad? Their owners aren’t malicious and didn’t agree to this use, though they may be negligent in not updating anti-malware defenses.

Well, we don’t need to establish guilt before we can act against an urgent threat, or else it’d always be too late. All that we need to know, at that moment, is that the person is a threat to others, culpability aside.

Even the police aren’t expected to ascertain an attacker’s identity and motives before using force. A bank robber or suicide bomber could really be a co-erced victim himself, whose kidnapped family would be killed if he did not carry out the crime or terrorist act. Yes, it’d be regrettable to use force against innocent people, but sometimes even lethal force is justified and reasonable.

Another worry with hacking back is that it may escalate a conflict: it may invite retaliations, further mayhem, and collateral damage. But this is too broad an objection, as any case of self-defense could be accused of the same provocation. This seems to be victim-blaming, similar to faulting a mugging or rape victim for additional injuries sustained as a result of fighting back.

Critics also worry that hacking back may destroy evidence needed for prosecution of the initial attack. Putting aside a lack of reliable prosecution against cyber-attackers in the first place, this objection also could be victim-blaming: it’s reasonable to resist a mugging, rape, or other criminal acts, even if that might destroy evidence of the crime.

This ethical analysis is just a sampling of a bigger discussion we just published in a new report. Even if we look at cyber-attacks as a military problem (since many attacks come from overseas) or public health problem (like fighting against a virus outbreak), there could be other reasons to think that hacking back is ethical.

If so, the next step is to take another look at the legality of hacking back, as both law and ethics may have been prejudged hastily on this subject. At a time when we need more options when responding to cyber threats, and when we’re still grappling with the cyber domain conceptually, it may be premature to take any reasonable options off the table.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Tinder Swindler: How 'romance fraud' became a multi-billion dollar cybercrime

Robin Pomeroy and Sophia Akram

May 24, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum