27 April 2026

Is The Cyber Posse A Good Idea? - IR Global

IR Global

Contributor

IR Global is a multi-disciplinary professional services network that provides legal, accountancy and financial advice to both companies and individuals around the world. Our membership consists of the highest quality boutique and mid-sized firms who service the mid-market. Firms which are focused on partner led, personal service and have extensive cross border experience.

Last month on March 23rd, The Economist declared “America tells private firms to ‘hack back’”. This is how that magazine interpreted the new White House Cyber Strategy released on March 6, 2026. The media has been questioning what the new strategy authorizes. “Hack back” is not a new idea, as it emerges every few years, along with references to “taking the gloves off” in cyberspace. Yet, the new US strategy signals a more permissive legal framework for the private sector. But, what are the guardrails?

A commercial cyber intelligence client once asked me: “Is it legal if I run this hacker tool and scan the entire IP range for one European nation and one Gulf state overnight and check in the morning how many networks are susceptible to compromise?” That provocative question was asked in 2016 by an open-source threat hunting company. So clearly, legal questions about cyberspace aggressiveness for vendors have persisted.

After retiring from my Army JAG career, where I first practiced national security and cyberlaw, I published a piece in Forbes in 2014, “Deputizing the Cyber Posse: The Next Frontier of Public-Private Partnership”. The article described models and methods to engage in cyber operations within legal bounds. However, there has never been a freedom to operate granted to the private sector that created an exception to the Computer Fraud and Abuse Act (18 USC Section 1030). Put simply, Section 1030 still functions as a bar to indiscriminate “hack back” operations by the private sector.

And yet, why did Google create its Cyber Disruption Unit, and what activities will it pursue? Also worth noting: Anthropic has limited its rollout of Mythos over concerns for attack AI misuse. This comes after Anthropic revealed in the fall a Chinese hacking group’s exploitation of Claude Code to automate hacking. There should be no doubt that hacking, aided by AI, is destined to be even more commonplace than we already understand.

THE CFAA: THE LAW THAT DIDN’T MOVE

The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems, full stop. While the NDAA has chipped at the edges – by authorizing defense contractors to perform certain cyber functions in support of government operations – it has not created a freestanding private sector right to go hunting.

This is the central tension the new White House strategy has not yet resolved. Pillar One of the strategy calls for the United States to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” That is a policy aspiration of considerable ambition. But aspiration is not authorization. The CFAA is a federal criminal statute. A White House strategy document does not amend it.

The media’s “hack back” framing, while attention-grabbing, conflates two distinct concepts: the political will to empower the private sector, which the strategy clearly signals, and the legal architecture to do so lawfully, which the strategy conspicuously does not supply.

GOOGLE’S MOVE: READING THE SIGNAL

Google’s announcement of its Threat Disruption Cyber Unit, introduced at the RSA Conference by Sandra Joyce, VP of the Google Threat Intelligence Group, is the most significant private sector response to this strategic environment yet seen. The unit’s stated mandate is explicitly proactive: not merely to detect and report threats, but to infiltrate, disrupt, and dismantle the infrastructure of cybercriminal organizations and malicious non-state actors.

Microsoft’s Digital Crimes Unit, using intellectual property protections derived from its operating system software and civil litigation procedures, championed botnet takedowns as far back as 2011 with its Rustock botnet takedown. However, collateral damage to innocent third parties drew criticism in 2013 with Microsoft’s Citadel botnet takedown. The lesson, now more than a decade old, is that indiscriminate aggressiveness can carry brand consequences.

Google and other vendors must be legally circumspect to scope target sets within legal boundaries. White House cybersecurity official Sean Cairncross clarified publicly that Google’s unit should not be characterized as a “hack back” program. It operates, he emphasized, within legal frameworks, leveraging AI and structured protocols for prevention and disruption rather than retaliation.

That clarification is itself instructive. The White House wants the private sector to act more aggressively. It simultaneously needs that action to be legally defensible. The gap between those two imperatives is not a contradiction, it is a design challenge. And it is a design challenge that demands cyber lawyers at the table, not as an afterthought following the operation, but as architects of the framework preceding it.

THE POSSE NEEDS A SHERIFF

The recent Stryker incident illustrates precisely what is at stake. Iran-linked group Handala, widely assessed as a hacktivist persona operated by Iran’s Ministry of Intelligence and Security, claimed to have wiped more than 200,000 devices across Stryker’s global operations, disrupting order processing, manufacturing, and shipping at one of America’s largest medical device companies. The FBI issued a formal alert. The US government took down Handala’s websites. Palo Alto Networks’ Unit 42 was engaged in the forensic response.

That is the threat environment the new strategy is responding to: nation-state actors, operating through deniable proxies, targeting civilian critical infrastructure with destructive effect (healthcare, in the Stryker attack). Yet it quickly becomes a slippery slope if attack and counterattack become the norm.

But consider the operational reality. Had a private firm preemptively disrupted Handala’s infrastructure before the Stryker attack, under what legal authority would it have acted? Against what standard of attribution confidence? With what oversight, what rules of engagement, and what recourse if the disruption operation caused collateral damage to third-party systems? The CFAA does not answer these questions. Neither does the new strategy.

This is the core lesson of the Wyatt Earp analogy I drew in 2014, and it bears repeating: Earp did not ride out as a lone vigilante. He obtained federal authority, assembled a structured posse, and operated within – if at the outer edge of – a recognized legal framework. The power of that model was not the guns. It was the badge. Private sector cyber operators need the equivalent of a badge: a defined licensing or authorization regime that specifies scope, oversight, rules of engagement, and accountability.

WHAT LAWFUL “DISRUPTION” ACTUALLY LOOKS LIKE

So what can private sector actors lawfully do today, in this more permissive strategic environment? The answer is more nuanced than the “hack back” headline suggests, and considerably more actionable than the CFAA’s blunt prohibitions imply.

Passive intelligence collection and network monitoring on systems an entity owns or is authorized to monitor remain entirely lawful and underutilized. Threat intelligence sharing – feeding adversary TTPs, infrastructure indicators, and attribution data to government partners – is not only lawful but actively encouraged by the strategy and by existing ISAC frameworks. Coordinated takedown operations, conducted in partnership with law enforcement and pursuant to civil legal process (as Microsoft’s Digital Crimes Unit has demonstrated for years through court-authorized seizures of malicious infrastructure), represent a proven and scalable model. And defensive deception (e.g., honeypots and attribution traps deployed on one’s own network) is a lawful strategy.

The strategy’s reference to AI-enabled cyber tools to “detect, divert, and deceive threat actors” points toward a category of active defense that operates below the CFAA’s prohibition threshold. Deception is not unauthorized access. Diversion is not intrusion.
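To make the line between the two preceding paragraphs concrete, here is an added example (not code from the article, from Google, or from Microsoft) of the deception-plus-sharing pattern described above: a decoy TCP listener on an address the operator controls that records every connection attempt, sends nothing back except a fake banner, and reduces what it saw to indicators fit for an ISAC feed. The banner, the operator-owned address ranges in OWN_RANGES, and the localhost probe are constructed assumptions for the demonstration; the design choice worth noticing is that the listener never reaches toward the peer, and that the operator's own ranges are dropped before anything is shared.

```python
import ipaddress
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner: the listener pretends to be a mail relay it does not run.
DECOY_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"

# Assumed operator-owned ranges; a source inside them is never published as an indicator.
OWN_RANGES = tuple(ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128",
))


class Honeypot:
    """Decoy TCP listener on an address the operator controls. It records each
    connection attempt and sends only the banner; it never initiates anything
    toward the peer, which is what keeps it below the unauthorized-access line."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def events(self):
        with self._lock:
            return list(self._events)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue                  # no client yet; re-check the stop flag
            except OSError:
                break                     # socket closed
            data = b""
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.sendall(DECOY_BANNER)
                    data = conn.recv(256)  # whatever the peer sends first
                except OSError:
                    pass
            with self._lock:
                self._events.append({
                    "ts": datetime.now(timezone.utc).isoformat(),
                    "src_ip": peer[0],
                    "src_port": peer[1],
                    "dst_port": self.port,
                    "first_bytes": data[:64].hex(),
                })


def shareable_indicators(events, own_ranges=OWN_RANGES):
    """Collapse raw events into one indicator per external source address
    (hit count, decoy ports touched, last payload prefix). Sources inside the
    operator's own ranges are dropped so internal hosts are never published."""
    by_ip = {}
    for ev in events:
        ip = ipaddress.ip_address(ev["src_ip"])
        if any(ip in net for net in own_ranges):
            continue
        entry = by_ip.setdefault(ev["src_ip"], {
            "src_ip": ev["src_ip"], "hits": 0, "ports": set(), "last_payload": ""})
        entry["hits"] += 1
        entry["ports"].add(ev["dst_port"])
        entry["last_payload"] = ev["first_bytes"]
    return [dict(e, ports=sorted(e["ports"])) for e in by_ip.values()]


def probe(port, payload=b"EHLO scanner\r\n"):
    """Constructed client playing the role of a scanner hitting the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def demo():
    """Run the decoy, hit it once from localhost, and return what it recorded."""
    hp = Honeypot()
    hp.start()
    try:
        banner = probe(hp.port)
        for _ in range(100):              # give the server thread time to log the event
            if hp.events():
                break
            time.sleep(0.02)
    finally:
        hp.stop()
    return banner, hp.events()


if __name__ == "__main__":
    banner, events = demo()
    print(json.dumps(events, indent=2))
    print("shareable:", shareable_indicators(events))  # empty: loopback is our own range
```

Run stand-alone, the script shows the raw event (timestamp, source, first bytes of the probe) and an empty shareable list, because the only visitor came from the operator's own loopback range; feed it events from outside OWN_RANGES and the same function yields the per-source indicators that could go to an ISAC.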

THE CALL

Twelve years ago, I argued that the Cyber Posse concept had come of age: that the threat environment had outpaced what law enforcement alone could address, and that a licensed, structured, legally supervised private sector role in cyber operations was not only possible but necessary. That argument has aged well.

The Cyber Posse is, in principle, a very good idea. Whether it becomes a lawful and effective one depends on what happens next: specifically, whether Congress, the executive branch, and the private sector can construct the legal scaffolding (the badge, the rules of engagement, the oversight regime). 

The posse is assembling. The question is whether the law will ride with it.

The author is a retired Army JAG Corps Lieutenant Colonel who advised US Army cyber operations commands and served as Legal Advisor to US-CERT at the Department of Homeland Security. He exclusively practices cyber law and advises clients on data protection, digital identity, and cybersecurity strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
