Recent reports that Russia hacked into the emails of Democratic Party officials to interfere with the U.S. presidential election have rightly set off alarm bells around Washington about the need for improved digital defenses. But while attention has focused on that and numerous other government breaches, the private sector has been facing a cybersecurity crisis of its own.

Despite more than $75 billion spent on security last year, more than three-quarters of Fortune 500 companies were breached. Yet the government has treated these attacks as private matters, leaving companies to build their own cyber defenses while forbidding them from legally responding to attacks. This leaves American businesses dangerously vulnerable and in need of a lawful way to retrieve stolen data and deter future attackers. It’s past time that Washington provided such tools.

It’s easy to find examples of cyberattacks on private sector companies causing widespread damage. The recent Mirai botnet, which launched a distributed denial-of-service attack against the DNS provider Dyn, made significant portions of the internet, including popular sites such as Twitter, Spotify and Reddit, inaccessible to many on the East Coast. A string of cyberattacks and hacks in the past few months—against the Democratic National Committee, Democratic Congressional Campaign Committee and Yahoo, among others—have exposed the emails, phone numbers and documents of private individuals, inflicting reputational and even political damage. Such breaches can also be quite lucrative for groups like the Carbanak criminal gang, and the dramatic rise of ransomware incidents demonstrates that billions of dollars are at stake. Finally, the theft of intellectual property poses a major problem for business, from the steel industry to defense contractors to health care.

Despite these numerous cyberbreaches, the U.S. government does not have a cohesive policy for how companies can legally respond to such attacks. While policymakers have advanced a number of cyberpolicy directives and strategies in the past year, these are mostly reactive documents and do little to proactively address the cyberthreats facing American companies; they fail to lay out the range of potential government responses that would help begin to formulate a credible deterrence.

Given the lack of real government action and the financial and reputational risk, the private sector is understandably dissatisfied with its limited ability to respond to these growing threats. That private companies want tools to fight back against attackers is not only reasonable, it’s logical; such responses would be not just for retribution, but to take back or delete what was stolen.

But so-called “hacking back”—or, at the risk of oversimplifying, actively accessing external networks without permission—is currently interpreted as illegal in the U.S. under the 1986 Computer Fraud and Abuse Act. Because of this law, private entities either must sit idly by once breached or take matters in their own hands and hope they aren’t caught.

Despite all of this, by many accounts, vigilantes are already hacking back. Federal prosecutors have seen instances in which companies determine the source of the hack and delete the stolen data. Alternatively, companies may also hire hackers to carry out offensive operations abroad on behalf of the company. For instance, following the 2013 digital attacks against U.S. banks, the Iranian servers used to conduct the attacks were disabled, sparking an FBI investigation into whether U.S. banks were responsible. To date, little is publicly known about the results of the investigation, but the lack of a public indictment may imply acquiescence to this kind of retaliatory behavior, if it occurred.

Some companies pursue a different policy abroad than they do domestically. For instance, RSA, a cybersecurity firm, has reportedly insulated its Israeli division, enabling analysts there to respond to cyberattacks more directly and proactively than they could in the U.S. Google also launched a counterattack in response to Operation Aurora, a series of attacks linked to China-based advanced persistent threat groups, but was unable to prove its case with the necessary certainty.

This increased ability to hack back has largely been enabled by the rise of open source software, which has dramatically increased the accessibility of offensive tools. While many of these tools are intended for strengthening defenses through penetration testing, companies could just as easily turn them to hacking back. All of this points to an increasingly lawless domain, with companies hacking companies, criminal groups or even governments.

For all companies’ enthusiasm to hack back, such actions can be very dangerous. In fact, a 2015 poll revealed that 82 percent of security experts advise against it. For one, it’s still very difficult to properly attribute a hack; false flags, deception and technical challenges leave real uncertainty about whether a counterattack is properly targeted. And even once you have identified your attacker, it takes significant resources to conduct a retaliatory offensive campaign. Nation-states devote years to such an attack, whereas most companies lack the means to make such an investment, and even if they did, the company risks unleashing the nation-state’s full capabilities back against itself.

More broadly, hacking back could also spark an international incident, quickly escalating from the hack of one organization to a larger campaign that draws in foreign governments. Moreover, a counterattack launched in the cyber domain does not guarantee a response confined to that domain; a targeted state could answer with the whole arsenal of statecraft. Finally, even if an organization succeeds in retrieving stolen data, it is highly unlikely to obtain the only copy. Attacker infrastructure changes rapidly, and stolen data are quickly gathered and copied elsewhere. Instead, these kinds of attempts to enter external networks are more likely to be the equivalent of shaking a hornet’s nest and could actually escalate attacks against the organization.

Given the tremendous challenges, risks and downsides to hacking back, the government must step in to police the Wild West of cyberspace. What could such policies look like? Perhaps the most frequent suggestion borrows from the 14th-century letters of marque in the form of cyber warrants, in which the government would issue a license to an organization enabling it to retaliate. This idea has gained greater prominence this year, especially in response to recent Russian attacks. However, letters of marque carry risks similar to hacking back; in fact, they fell out of favor specifically for their escalatory effects.

Instead of licensing private entities, other experts advocate legalizing hacking back through the creation of a cyber militia or cyber mercenaries. Sen. Sheldon Whitehouse, for instance, has called for a cyber militia in the wake of game-changing attacks this year, including the cyberattack that cut power to part of Ukraine’s electric grid. Similarly, another option is the creation of specific organizations—possibly associated with the government—that the private sector could contract to retaliate in response to an attack.

There are also recent examples of corporations partnering with the government to respond to cyberattacks. For instance, in 2013, Microsoft and the FBI together took down botnets responsible for over a half-billion dollars in fraud. Such partnerships could be streamlined and made more accessible, allowing more businesses to work with the government in the cyber realm.

Absent a coherent framework that formalizes how the private sector can counter the diversity of threats and attacks in the digital domain, reactionary responses—especially illegal hack backs—are going to become only more prevalent. Such actions risk escalating into international crises, putting America’s economic and national security at risk.

But right now, the private sector has few other options to respond to cyberattacks. That’s why Washington must formulate a coherent government strategy. Until then, the lawlessness will continue.

Dr. Andrea Little Limbago is the Chief Social Scientist at Endgame, where she researches and writes extensively on the intersection of technology and geopolitics in cybersecurity.