However, Rebecca Herold, an information security, privacy, and compliance consultant who goes by the name "The Privacy Professor," stands with those who say the best defense is simply better defense. Layered security, she said, will make attacks difficult enough that hackers look elsewhere.
There could be multiple unintended consequences of retaliation, she said. "Becoming what I call a boomerang cyber attacker in response to being attacked could end up doing your own systems, your data and reputation harm, not to mention innocent victim systems," she said. "The bad guys, if they're smart, will lead you to other networks, not their own."
Herold said businesses focused on getting revenge on hackers "end up taking resources away from important business activities and will likely leave gaps in security elsewhere." "Plus," she said, "networks are now so complex, and consist of so many components, that a lot can go terribly wrong if an organization starts trying to have automated defensive cyber attacks on attackers. Many would likely end up being the Barney Fife of the cyberworld, shooting themselves in their own cyber foot and having their digital bullets taken away by regulatory oversight agencies after bad things have happened."
Herold also said that counter attacks wouldn't deter hackers. "If hackers know you will counter attack, that would likely attract more harmful types of hackers who are looking for the thrill of a conquest and subsequent bragging rights," she said.
Patrick Lin still argues that weakness is more of an invitation to hackers than a show of strength. "Perhaps some hackers will take [a counterattack] as a challenge, but they're not so much the rational adversary, who is motivated by profit," he said. "Just as some hackers and muggers may strike back harder if the victim resists or fights back, this minority group shouldn't drive policy that's otherwise reasonable and potentially more helpful than not."
In the case of modern-day pirates, Lin argues that allowing commercial ships to counterattack has not caused an escalation of conflict, "and it's hard to see why it would."
"Why shouldn't ships be able to defend themselves against pirates?" Lin said.
He agrees that letting law enforcement handle crime is best. "But in the case of cyber, there is no reliable law enforcement, and there isn't even an 'authority' we can appeal to," since there is a continuing debate in Congress over whether the Department of Defense or Department of Homeland Security should oversee cyber security laws.
Cyber attacks on industry amount to "a potential powder keg, and something is going to happen if government doesn't intervene and establish law," Lin said.