Is “Hackback” Official US Cybersecurity Strategy?

The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone.

But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giving private companies permission to conduct offensive cyber operations.

The Economist noticed (alternate link) this, too.

I think this is an incredibly dumb idea:

In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks, and preemptive attacks, fly in the face of these rights. They punish people who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too. The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.

Posted on April 1, 2026 at 12:57 PM • 12 Comments

Comments

Andy April 1, 2026 1:22 PM

I smell new government contracts for large software and networking companies, to “unleash the private sector”. While such privatizing contracts are normally a good idea, the current political and economic climate makes me doubt how well the contracts will be defined.

Bob Paddock April 1, 2026 1:29 PM

“The accused has the right to defend himself, to face his accuser,…”

If my accuser is an automatic traffic camera how do I demand access to the source code and schematics to audit both the hardware and software? Outside of this blog, not many people have the experience and credentials to do it.

Jon April 1, 2026 3:17 PM

No, we just blow up random boats on the grounds that they “might” be carrying drugs.

No lulz :-| April 1, 2026 4:42 PM

The real shame is that if a hacker can make it look like someone else did it, then the forces of hack-back can be manipulated into striking an uninvolved party.

Morley April 1, 2026 5:22 PM

So, companies are left with the fallout should anything go wrong from the hackback, and he can avoid responsibility. That checks out.

finagle April 2, 2026 6:02 AM

This is just ratification of current behaviour. Cloudflare are doing DOS on internet users already and telling their customers the legitimate traffic they block is hostile. Microsoft and Google are doing this in the email space, blocking email from domains that are not hosted with big tech.

fib April 2, 2026 9:17 AM

Hack back may feel justified, but it’s usually illegal, technically unreliable, and strategically risky. Attribution is uncertain, attackers often hide behind innocent systems, and retaliation can escalate the situation or backfire legally. In practice, you’re far more likely to harm yourself than the attacker.

Scott April 2, 2026 12:29 PM

The letters of marque comment is on the nose (was going to say mark, but wanted to avoid the pun). Minus the intent, what is the appreciable difference between this and swatting?

Clive Robinson April 2, 2026 6:38 PM

@ fib, ALL,

With regards,

“Hack back may feel justified, but…”

It’s all of what you say and worse.

Those who see no wrong in it are all too often those who subscribe to the,

“Might is Right” Idiocy of “The King Game”.

They tend to work on the most primitive of “lizard brain thinking”. Something I suspect increasing numbers of people are seeing in certain types of leader that is unfortunately becoming more prevalent. It almost always has a very poor outcome for those who advocate for it and likewise those on the receiving end.

Because “Hack Back” when all is said and done is a “Weapon of Domination” as well as actually being a rather pernicious form of terrorism.

But it is also something that “feeds on itself” like “a beast that is never sated” it in effect calls out to be fed more and more blood.

Hence we see the “vigilante effect” build up in quite predictable often ritualistic ways.

Rontea April 3, 2026 10:40 AM

The proposed endorsement of private-sector hackback represents a profound misalignment with foundational principles of both domestic and international law. Authorizing private entities to conduct offensive cyber operations effectively deputizes corporations to act as instruments of state power, without the constitutional or statutory safeguards that regulate governmental action. Such a regime risks violating due process by allowing retaliatory measures absent judicial oversight, while also inviting misattribution and escalation with foreign sovereigns—a scenario fraught with serious diplomatic and security consequences. Moreover, hackback erodes the presumption of innocence, as alleged perpetrators may suffer punitive cyber measures without adjudication. In short, the privatization of cyber retaliation is not merely imprudent policy; it is antithetical to the rule of law and threatens the very legitimacy of the legal framework it purports to defend.

ResearcherZero April 4, 2026 5:39 AM

The added danger of attacks on civilian infrastructure, apart from the obvious harm to civilians, is the encouragement of reprisals. With the capabilities of cheap and mobile modern weapons like drones, any group or nation can launch attacks easily and against targets almost anywhere in the world that their forces can reach.

Nation states can cripple regional supply lines. Transport, industrial facilities and terminals are typically unguarded and not designed to weather physical attack.

In the UK it has been reported that cyber attacks are a frequent part of operation for industry. Government and big business are unprepared for the current environment where 80% of manufacturers reported an incident in the last year.

Trump has asked for $1.5 trillion in 2027 for the defence budget and a 10% cut to other domestic spending. This indicates an increase in hostilities, with declining security, worsening economic conditions and very poor value for money spent.

https://www.theregister.com/2026/04/01/uk_manufacturer_cyberattacks/

On top of this, Trump has fired and reassigned tens of thousands of people working in national security and cyber defense positions, while also cutting the budgets and programs for those who remain.

Those charged with defending against reprisals are working with an arm tied behind their backs. States and local governments do not even have the resources required to defend against cyber attacks!

https://thehill.com/opinion/white-house/5727430-weakening-us-security-trump/

Clive Robinson April 4, 2026 6:24 AM

@ ResearcherZero, ALL,

It’s a fraught subject because attacking any civilian infrastructure is a “war crime”.

Claiming “reprisals” is something that has to be proved to quite a high level and normally should be not just well documented in advance, but approved at the highest levels in the political not military arm.

Oh and the “first strike argument” is bogus and unlawful.

A UK Barrister with experience in this area takes us through it in an interesting non-confrontational way,

https://m.youtube.com/watch?v=IqdPicAuUT4
