Is "Hackback" Official US Cybersecurity Strategy?
The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giving private companies permission to conduct offensive cyber operations.

The Economist noticed (alternate link) this, too.

I think this is an incredibly dumb idea:

In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks, and preemptive attacks, fly in the face of these rights. They punish people who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too.

The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.

Tags: cybersecurity, hackback, hacking, national security policy

Posted on April 1, 2026 at 12:57 PM • 6 Comments

Comments

Andy • April 1, 2026 1:22 PM

I smell new government contracts for large software and networking companies, to “unleash the private sector”. While such privatizing contracts are normally a good idea, the current political and economic climate makes me doubt how well the contracts will be defined.

Bob Paddock • April 1, 2026 1:29 PM

“The accused has the right to defend himself, to face his accuser,…”

If my accuser is an automatic traffic camera how do I demand access to the source code and schematics to audit both the hardware and software? Outside of this blog, not many people have the experience and credentials to do it.

Doug • April 1, 2026 2:45 PM

“We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.”

Trump Administration: Here, hold my beer.

Jon • April 1, 2026 3:17 PM

No, we just blow up random boats on the grounds that they “might” be carrying drugs.

No lulz :-| • April 1, 2026 4:42 PM

The real shame is that if a hacker can make it look like someone else did it, then the forces of hack-back can be manipulated into striking an uninvolved party.

Morley • April 1, 2026 5:22 PM

So, companies are left with the fallout should anything go wrong from the hackback, and he can avoid responsibility. That checks out.

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc. This personal website expresses the opinions of none of those organizations.