Is “Hackback” Official US Cybersecurity Strategy?

The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone.

But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giving private companies permission to conduct offensive cyber operations.

The Economist noticed (alternate link) this, too.

I think this is an incredibly dumb idea:

In warfare, the notion of counterattack is extremely powerful. Going after the enemy­—its positions, its supply lines, its factories, its infrastructure—­is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks, and preemptive attacks, fly in the face of these rights. They punish people before who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too. The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.

Tags: , , ,

Posted on April 1, 2026 at 12:57 PM10 Comments

Comments

Andy April 1, 2026 1:22 PM

I smell new government contracts for large software and networking companies, to “unleash the private sector “. While such privatizing contracts are normally a good idea, the current political and economic climate makes me doubt how well the contracts will be defined.

Bob Paddock April 1, 2026 1:29 PM

“The accused has the right to defend himself, to face his accuser,…”

If my accuser is a automatic traffic camera how do I demand access to the source code and schematics to audit both the hardware and software? Outside of this blog, not many people have the experience and credentials to do it.

Doug April 1, 2026 2:45 PM

“We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.”

Trump Administration : Here, hold my beer.

Jon April 1, 2026 3:17 PM

No, we just blow up random boats on the grounds that they “might” be carrying drugs.

No lulz :-| April 1, 2026 4:42 PM

The real shame is that if a hacker can make it look like someone else did it, then the forces of hack-back can be manipulated into striking an uninvolved party.

Morley April 1, 2026 5:22 PM

So, companies are left with the fallout should anything go wrong from the hackback, and he can avoid responsibility. That checks out.

finagle April 2, 2026 6:02 AM

This is just ratification of current behaviour. Cloudflare are doing DOS on internet users already and telling their customers the legitimate traffic they block is hostile. Microsoft and Google are doing this in the email space, blocking email from domains that are not hosted with big tech.

fib April 2, 2026 9:17 AM

Hack back may feel justified, but it’s usually illegal, technically unreliable, and strategically risky. Attribution is uncertain, attackers often hide behind innocent systems, and retaliation can escalate the situation or backfire legally. In practice, you’re far more likely to harm yourself than the attacker.

Scott April 2, 2026 12:29 PM

The letters of marque comment is on the nose (was going to say mark, but wanted to avoid the pun0. Minus the intent, what is the appreciable difference between this and swatting?

Clive Robinson April 2, 2026 6:38 PM

@ fib, ALL,

With regards,

“Hack back may feel justified, but…”

It’s all of what you say and worse.

Those who see no wrong in it are all to often those who subscribe to the,

“Might is Right” Idiocy of “The King Game”.

They tend to work on the most primitive of “lizard brain thinking”. Something I suspect increasing numbers of people are seeing in certain types of leader that is unfortunately becoming more prevalent. It almost always has a very poor outcome for those who advocate for it and likewise those on the receiving end.

Because “Hack Back” when all is said and done is a “Weapon of Domination” as well as actually being a rather pernicious form of terrorism.

But it is also something that “feeds on it’s self” like “a beast that is never sated” it in effect calls out to be fed more and more blood.

Hence we see the “vigilantly effect” build up in quite predictable often ritualistic ways.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.