Hack Back: Illegal but Ethical?
This paper discusses the ethical and legal implications of private sector "hack back" operations against cyberattackers. With the Sony incident and the Colonial Pipeline Company incident as the backdrop, we raise issues of cyber defense versus cyber-vigilantism. The paper includes discussion of state-sponsored attacks, ransomware, and the societal impacts that result. We discuss the legal aspects of technology in a global context. In the context of cyberattacks, the concept of self-defense raises questions about whether hack back operations can be considered a legitimate form of protecting oneself or one's organization from harm caused by cyberattackers. We address the classification of hack back as a cyber-vigilante action, where individuals or organizations take justice into their own hands without legal authority. We recognize that successful hack back actions require expertise and attribution. Thus, questions arise: Does the victim have the necessary technical expertise to effectively and safely conduct hack back operations? And can the victim accurately identify and attribute cyberattacks to the correct attackers, given the complexities and potential for misidentification in cyberspace?