{"title":"Should the private sector conduct “hack back” operations against cyberattackers? An ethical dilemma: cyber self-defense or cyber vigilante?","authors":"YuLin Bingle, D. Schaeffer","doi":"10.1109/istas52410.2021.9629186","journal":{"name":"2021 IEEE International Symposium on Technology and Society (ISTAS)","volume":"32 1","pages":"0"},"publicationDate":"2021-10-28","publicationTypes":"Journal Article","isOpenAccess":false,"citationCount":"2","platform":"Semanticscholar","PeriodicalName":"2021 IEEE International Symposium on Technology and Society (ISTAS)","ListUrlMain":"https://doi.org/10.1109/istas52410.2021.9629186"}
Should the private sector conduct “hack back” operations against cyberattackers? An ethical dilemma: cyber self-defense or cyber vigilante?
Recent cyber ransomware attacks against certain sectors of the U.S. critical infrastructure and key resources (CIKR) show just how vulnerable ICS and SCADA (industrial control system and supervisory control and data acquisition) systems are to being held captive and manipulated by malicious cyber actors. The ransomware attacks against the Colonial Pipeline Company forced a six-day shutdown of the main pipeline that supplied fuel on the U.S. East Coast, causing public concern and increased fuel prices. Beyond questions of whether private sector companies have the expertise to hack back or the ability to ascertain attribution of the attacker(s), the core issue we should consider is this: is it ethical for the private sector to hack back against cyberattackers? Those who advocate the private sector’s right to hack back would compare the actions to the right of self-defense, while those who oppose the private sector conducting hack back operations would consider the actions more akin to vigilante actions in the physical domain, that is, actions involving enforcement, investigation, and punishment without legal law enforcement authority. This research would benefit private sector owners and operators of CIKR, U.S. government policymakers, and academic researchers interested in ethical issues at the intersection of technology and cyberspace. This project proposes to research and examine the ethical considerations of private sector hack back actions in cyberspace by asking: 1) are there differences between the cyber domain and physical domains that make hack back operations ethical in cyberspace? 2) are hack back operations akin to self-defense or vigilante actions?