The practice of “hacking back,” also known as active defense, involves victims of a cyberattack taking offensive measures against their perceived attackers. Cybersecurity expert Bruce Schneier has publicly and repeatedly addressed this topic, outlining the significant risks and legal ambiguities involved. His analysis focuses on the practical dangers that arise when private entities, rather than government bodies, decide to launch their own cyber counterattacks.

Schneier’s position is based on several core problems inherent in offensive cyber operations conducted by the private sector. He emphasizes that these actions, while tempting for frustrated victims, are fundamentally different from other forms of self-defense and carry disproportionate risks of making a bad situation worse.

The Problem of Attribution

A central point in Schneier’s argument is the difficulty of accurate attribution in cyberspace. Attackers frequently route their operations through multiple compromised computers in different countries, making it nearly impossible for a victim to be 100 percent certain of the attacker’s true identity and origin. An attempt to hack back based on faulty attribution means the counterattack would target another victim. This action against an innocent third party could result in legal liability and severe technical damage to an uninvolved entity.

Risks of Escalation and Collateral Damage

Another major risk identified by Schneier is the potential for escalation. A company that decides to hack back might find itself in a conflict with an adversary who is far more skilled, better funded, or is a nation-state. A minor intrusion could escalate into a major cyber-battle that the company cannot win. Furthermore, counterattacks risk causing extensive collateral damage. Offensive cyber tools can be imprecise, and an attack launched against an attacker’s infrastructure could disrupt or destroy systems belonging to innocent individuals or businesses that were unknowingly part of a botnet or used as a proxy. Schneier has argued that such offensive actions are properly the function of law enforcement and the military, as they are equipped to manage these risks in a way that private companies are not.

Source: https://www.schneier.com/blog/archives/2025/11/on-hacking-back.html