The Justice Department takes the stance that a company is most likely breaking the law whenever it gains access to another computer network without permission. At a panel hosted by the American Bar Association, John Lynch, chief of the computer crime and intellectual property section of the Justice Department’s criminal division, said that usually, when his office determines that companies have gone outside their server to investigate a perceived attacker, his first thought is, “Oh wow — now I have two crimes.”

There are, however, other ways to fight hackers that are both legal and effective, said Mr. Stutzman of Red Sky Alliance. His firm, for example, profiles attackers by keeping their pictures, phone numbers and other personal data on file. He is also an advocate of software that tags sensitive documents so that if they are stolen they self-destruct or transmit an alert to the owner.

Most security companies say the main objective should be raising the cost to hackers. CloudFlare, for instance, has developed a service called Maze, which it describes as “a virtual labyrinth of gibberish and gobbledygook” designed to divert intruders to bogus data and away from useful information. Other companies create bottlenecks to route attackers through security checkpoints.

It is fairly common for law firms to have their email read during negotiations for ventures in China, said Dmitri Alperovitch, a founder of CrowdStrike, a company that investigates hackers. So if a company knows its lawyers will be hacked, planting decoys can give them an upper hand, he said.

This month CrowdStrike unmasked a secret cell of cyberthieves linked to the Chinese Army that had stolen millions of dollars’ worth of data from military contractors and research companies, often by hiding its attack software in emailed invitations to golfing events.

Samir Kapuria, vice president of Symantec’s Cyber Security Group, recounted how his company helped a major manufacturer create bogus blueprints of a valuable product with a traceable but harmless flaw and left it hidden in its servers. When the manufacturer later found the planted blueprint for sale on the black market, he said, Symantec was able to help trace the leak to its source, fire the subcontractor and save the manufacturer tens of millions of dollars.

But there can also be unintended consequences when planting false information, said Dave Dittrich, a security engineer at the University of Washington. He offered a theoretical example in which a company intentionally inserts flaws into a faked vehicle design. “If someone plants false information to be stolen and used, and this results in the death of any innocent human beings,” he said, “there could be a good case made that the entity who planted the fake data is acting in a negligent and unjustifiable manner.”

In general, Mr. Kapuria of Symantec prefers a philosophical approach toward thwarting the legions of cybercriminals, describing the fight as “Cyber Sun Tzu — when the enemy is relaxed, make them toil; when full, make them starve; when settled, make them move.”