The legal minefield of hacking back


In this Help Net Security interview, Gonçalo Magalhães, Head of Security at Immunefi, discusses the legal and ethical implications of hacking back in cross-border cyber incidents. He warns that offensive cyber actions risk violating international law, escalating conflicts, and harming innocent third parties. Instead, Magalhães advocates for legally sanctioned frameworks, such as bug bounty programs, to strengthen security without crossing dangerous lines.

How do international laws complicate the use of hacking back, especially in cross-border incidents involving actors in hostile or uncooperative jurisdictions?

The real issue is that cyber operations don’t respect borders, but laws absolutely do. If a company discovers they’re being targeted from servers in Russia, China, or North Korea, they could technically trace and respond to the attack, but doing so may violate the sovereignty of that nation and potentially their own country’s laws.

In the US, the Computer Fraud and Abuse Act makes it illegal to access any computer without authorization, with no exceptions for defensive purposes. Similar laws exist globally. This means that even identifying your attacker by accessing their command-and-control server could technically make you a criminal. The Budapest Convention on Cybercrime (signed by 68 countries) reinforces these restrictions internationally.

This is why it’s important to focus on creating legal frameworks for defensive security operations, in addition to bug bounty programs and an arbitration system – a resolution system specifically for these security disputes – that provides legally sanctioned ways to improve security without crossing into offensive territory.

Are there any legal gray areas or loopholes that companies have tried to exploit when engaging in active defense tactics?

Attribution in cyberspace is incredibly complex because attackers use compromised systems, VPNs, and sophisticated obfuscation techniques. Even with high confidence, you could be wrong. Rather than operating in legal gray areas, companies need to operate under legally binding agreements that allow security researchers to test and secure systems within clearly defined parameters. That’s far more effective than trying to exploit ambiguities that may not actually exist when tested in court.

What are the core ethical concerns associated with hacking back, even when an organization can technically attribute the attacker?

Hacking back might entail using compromised infrastructure belonging to innocent third parties, targeting these victims’ systems, potentially causing more harm to innocents than the original attack caused to you. Then there’s the escalation problem. Cyber operations can quickly spiral out of control. What starts as an attempt to recover stolen data could trigger automated defenses, spread to connected systems, or provoke a more devastating counter-response.

There’s also the vigilante justice concern. When private entities take offensive action, they’re essentially appointing themselves as judge, jury, and executioner. This undermines the rule of law and international norms we’re trying to establish in cyberspace. If everyone hacks back, we create a digital wild west where might makes right. Bug bounties are a far better approach. That way, ethical hackers who could easily exploit vulnerabilities for profit instead choose to disclose them responsibly.

How do you distinguish between active defense, offensive cyber operations, and retaliation? Where’s the ethical and operational line?

Active defense, properly understood, involves measures taken within your own network perimeter, like enhanced monitoring, deception technologies like honeypots, and automated response systems that isolate threats. These are defensive because they operate entirely within systems you own and control.

The moment you cross into someone else’s system, even to retrieve your own stolen data, you’ve entered offensive territory. It doesn’t matter if your intentions are defensive; the action itself is offensive.

Retaliation goes even further. It’s about causing harm in response to an attack. This could be destroying the attacker’s infrastructure, exposing their operations, or launching counter-attacks. This is pure vigilantism and has no place in responsible cybersecurity.
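The distinction drawn above, between actions confined to systems you own and anything that reaches into someone else's, can be made concrete in code. The following is an added example, not part of the interview and not Immunefi's code: a small in-perimeter active-defense loop that scans constructed firewall-style log lines for connections to a honeypot decoy and, for internal hosts that touch it, emits an isolation action. The honeypot address, the owned networks, and the log format are assumptions made for the example. External source addresses only ever produce an alert; the owned-network check is the line between active defense and hacking back.

```python
"""Added example (not from the interview): in-perimeter active defense.

Watch constructed log lines for connections to a honeypot decoy that no
legitimate user should touch. When an internal host we own hits it, emit an
isolation action for that host. External sources only produce an alert; no
action ever targets a system outside the networks we control.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical values for the example: the decoy's address and our own networks.
HONEYPOT_IP = "10.0.9.200"
OWNED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in a simple "timestamp src dst port action" format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.3.14 10.0.3.20 443 ACCEPT
2024-05-01T10:00:05Z 10.0.3.14 10.0.9.200 445 ACCEPT
2024-05-01T10:00:07Z 203.0.113.7 10.0.9.200 22 ACCEPT
2024-05-01T10:00:09Z 10.0.3.14 10.0.9.200 3389 ACCEPT
2024-05-01T10:00:11Z 192.168.1.5 10.0.9.200 22 ACCEPT
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>\S+)$"
)


@dataclass(frozen=True)
class Action:
    kind: str    # "isolate_host" (our own equipment) or "alert_only" (external)
    target: str  # IP address the action concerns
    reason: str


def is_owned(ip: str) -> bool:
    """True if the address lies inside a network we own and control."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETWORKS)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(log_text: str) -> List[Action]:
    """Return the deduplicated list of actions for honeypot touches.

    Internal hosts touching the decoy are isolated, a containment step on our
    own systems. External sources only produce an alert, because acting on a
    system we do not own would be offensive, whatever the intent.
    """
    actions: List[Action] = []
    seen: Set[Tuple[str, str]] = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["dst"] != HONEYPOT_IP:
            continue
        src = rec["src"]
        kind = "isolate_host" if is_owned(src) else "alert_only"
        if (kind, src) in seen:
            continue
        seen.add((kind, src))
        actions.append(
            Action(kind, src, f"touched honeypot {HONEYPOT_IP} on port {rec['port']}")
        )
    return actions


if __name__ == "__main__":
    for action in evaluate(SAMPLE_LOGS):
        print(f"{action.kind:13} {action.target:14} {action.reason}")
```

On the constructed sample, the two internal hosts that touch the decoy get an isolation action (the repeat hit from 10.0.3.14 is deduplicated), while the external 203.0.113.7 is only alerted on. The same structure scales to a real SIEM feed: the owned-network allowlist is the control that keeps the automation on the defensive side of the line.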

What are the implications if a hack back damages infrastructure owned by another innocent party (e.g., a compromised server used by attackers)?

Legally, you’ve now committed a crime against an innocent party. It doesn’t matter that you were pursuing an attacker; you’ve violated computer fraud laws in potentially multiple jurisdictions. The innocent infrastructure owner can pursue both criminal complaints and civil litigation.

If you damage critical infrastructure, you could be liable for operational disruptions, lost revenue, and even loss of life.

There’s also the escalation risk. That “innocent” infrastructure might belong to a government entity, a major corporation, or be considered critical infrastructure. Your hack back could trigger international incidents, regulatory crackdowns, or retaliatory attacks from nation-states who view your action as an attack on their sovereignty.

This is why firms should focus on operating under frameworks that prevent these scenarios entirely, like scaling bug bounty programs that channel security efforts into authorized, constructive activities. When security researchers work within this framework, they’re protected legally, companies get stronger security, and innocent third parties are never put at risk. It’s a model that recognizes the designs of modern infrastructure and the shared responsibility we have to protect it.
