The quickest way to launch the cyber equivalent of a nuclear war is for the targets of cyberattacks to try to “hack back” against their tormentors.

Or, maybe not.

The debate over that has raged for decades, with a majority of security experts arguing that the difficulties of attribution and the dangers of escalating retaliatory counterattacks make hacking back a losing proposition.

But what if it didn’t involve trying to corrupt or destroy an attacker’s network? What if it wasn’t exactly “kinder,” but was a bit “gentler,” involving intermediate-level responses like so-called “naming and shaming” of perpetrators, or blocking access to U.S. markets for foreign companies that benefit from cyber espionage?

A recent paper by father and son Jeremy and Ariel Rabkin, titled "Hacking Back Without Cracking Up," seeks to make that case – that it is not only possible to hack back (what some call taking “active defense” measures) without prompting a catastrophic cycle of retaliation, but necessary, given that annual losses to American businesses from criminal hacking were estimated at $100 billion two years ago and have increased since then.

They cite former National Security Agency (NSA) head Gen. Keith Alexander’s declaration in 2012 that the cybertheft of U.S. intellectual property is "the largest transfer of wealth in world history" as evidence that the status quo is unacceptable.

Even more compelling, they say, is that government has not demonstrated the ability to protect private-sector intellectual property.

They contend that the Cybersecurity Information Sharing Act (CISA), passed last year, “vaguely refers to ‘defensive measures’ but neither authorizes nor prohibits actual hack-back tactics.
In brief, more talk, no more action.”

This, they wrote, has apparently left the Obama administration “intellectually exhausted by its effort to assure everyone it is taking the problem seriously – without offending anyone.”

The father and son go to considerable lengths to distance themselves from supporting lawless, Wild West-type counterattacks by proposing that the response be done not by the victims, but by hired professionals – forensic cyber experts with government-approved law enforcement certification – so the retaliation will be measured and much more likely to be against the actual perpetrator.

They cite the cybersecurity firms CrowdStrike and Mandiant, which in 2014 “outed” different hacking groups affiliated with China’s People’s Liberation Army.

The senior Rabkin, a professor at George Mason School of Law, and his son, a software engineer at Cloudera, liken it to a retail store hiring security guards, who have some law enforcement authority against shoplifting or other criminal acts.

In a podcast interview with Stewart Baker – former NSA general counsel, former assistant secretary for policy at the Department of Homeland Security (DHS), now a partner at Steptoe & Johnson and an outspoken hacking back advocate – they argued that merely exposing perpetrators could be an effective deterrent, and perhaps even spur the federal government to more aggressive action.

“You might say this isn’t going to have a big effect on China or Russia or Iran,” Jeremy Rabkin said, “but it’s worthwhile if it just raises the profile of these concerns to the government.”

“If a company could say, ‘We know who’s doing this. Here are their names and addresses. By the way, here’s his sister, his girlfriend, here’s his mother’ – you now have all this information and you put it on a website.
I think it would be harder for government to shrug this off in the way that it has,” he said.

The two say that besides exposing foreign hackers’ personal information, the U.S. government could take other measures short of cyber retaliation – denying travel permits, denying access to the U.S. banking system, imposing commercial sanctions on firms that do business with the hackers, or even suing companies that get trade secrets from hackers.

They acknowledge that their proposal is not a “panacea,” but say it is a starting point.

The timing of their paper is interesting, to say the least, since it was published by the Hoover Institution about a month before WikiLeaks published a trove of emails from the Democratic National Committee (DNC) – an event that has even outspoken opponents of hacking back calling for the U.S. government to impose some kind of retribution against the hackers who stole the documents.

Russian hackers are widely suspected, although that is still being debated.

Whoever did it, hacking back opponents like Bruce Schneier, CTO of Resilient Systems, have called for retaliation. In a blog post, Schneier called it “an attack against our democracy,” and said the U.S. should confront the perpetrators and “make clear that we will not tolerate this kind of interference by any government.” He did not specify how he thought the U.S. should make that clear.

However, calling for government to retaliate against a state-sponsored attack is not an endorsement of the private sector doing the same thing, even at a “moderate” level.

Dmitri Alperovitch, cofounder and CTO of CrowdStrike, was brief and blunt, even though his firm’s outing of a Chinese hacking group was cited in the Rabkins’ paper as an example of what they advocate.
“CrowdStrike does not hack back and does not support such activities,” he said.

Robert M. Lee, cofounder and CEO of Dragos Security and a former U.S. Air Force cyber warfare operations officer, was also unconvinced. He first objects to the use of the term “active defense” to describe hacking back. “Active defense is not hacking back,” he said. “It's a misunderstanding in the community that's been pushed out by media reports and isn't the actual strategy.”

Lee, who has lectured and written extensively on securing networks and teaches a SANS course on active defense and incident response, contends that the reason so-called “traditional defense” is failing is that “we don’t do traditional defense.”

He argues that security begins with architecture and what he calls passive defense, and said that “if you don’t know your network, there’s no way to defend it. The adversary is going to learn what you have, but if you already know that, you’re two steps ahead of them. I’m not saying it’s easy, but it’s doable.”

Beyond that, he said the “cycle of active defense” involves the use of threat intelligence, asset identification and network monitoring, incident response, and threat and environmental manipulation.

This, he has written, may involve counterattacks, but “only inside the defended area and against the capability, not the adversary.”

He likened it to ICBM defense, where the goal is to destroy missiles, not people or cities.

Beyond all that, however, he said hacking back “is an extremely inappropriate usage of resources.
It doesn't return a lot of value.”

Ariel Rabkin, in an interview, said that while he agrees that good architecture improves security, the reality is that it would be very expensive to fix the security flaws in large systems.

“In many cases, changing the architecture of a computer system means rewriting it entirely,” he said. “This is very expensive, takes a long time, and incurs all sorts of additional technical risks.”

The cost of a hack back, he said, “does not depend on the complexity of the system being defended. It depends on the intruder's level of talent and the robustness of their systems. As a result, there should be some crossover point where it becomes cheaper to hit back than to strengthen one's passive defenses.”

But Anthony Di Bello, director of strategic partnerships at Guidance Software, said he thinks it is both infeasible and very risky to “deputize” expert civilian security vendors to hack back against suspected attackers.

He acknowledged that the U.S. government has accused hostile nation states (China, North Korea, Iran) of specific attacks, but said he doesn’t think the private sector has that kind of capability, and should not be given law enforcement powers.

“Getting attribution down to the level of identifying a specific individual? I don’t believe many, if any, corporations have the technology or skill sets to do that in a repeatable, defensible manner,” he said. “It’s way too easy for attackers to spoof the source of their attacks.”

And he said the escalation risks from hacking back don’t need to be violent to be damaging.
“It could result in strained trade relations, disrupt other political negotiations that are ongoing or introduce a lack of trust in technology that my country exports,” he said.

He agreed that government should do more to deal with cyber crime, but said he still believes that, as is the case with other types of crime, private citizens can’t take the law into their own hands.

“If I found evidence that a specific person broke into my house yesterday, am I able to go to that individual’s place of residence and take action? No. I must engage the relevant law enforcement agency,” he said.