One day in the summer of 2003, Shawn Carpenter, a security analyst in New Mexico, went to Florida on a secret mission. Carpenter, then thirty-five, worked at Sandia National Laboratories, in Albuquerque, on a cybersecurity team. At the time, Sandia was managed by the defense contractor Lockheed Martin. When hundreds of computers at Lockheed Martin’s office in Orlando suddenly started crashing, Carpenter and his team got on the next flight.

The team discovered that Lockheed Martin had been hacked, most likely by actors affiliated with the Chinese government. For several years, operatives tied to China’s military and intelligence agencies had been conducting aggressive cyberespionage against American companies. The problem hasn’t gone away: in 2014, the Justice Department indicted five hackers from the People’s Liberation Army for stealing blueprints from electrical, energy, and steel companies in the United States. Keith Alexander, the former National Security Agency director, and Dennis Blair, the former director of National Intelligence, recently wrote in the Times that “Chinese companies have stolen trade secrets from virtually every sector of the American economy.”

Examining the Orlando network, Carpenter discovered several compressed and encrypted files that were awaiting exfiltration, “rootkits” that the hackers had used to cloak their intrusions, and malware—malicious software—that appeared to be “beaconing” to a server in China. Carpenter’s manager had long encouraged him and his team to act as if they were “world-class hackers” themselves. In order to determine what the culprits might have taken, Carpenter proposed “hacking back”—getting into the thieves’ computer networks without authorization. To his frustration, officials at Sandia feared that doing so might invite additional attacks or draw attention to the original breach, and neither outcome would be good for business. More important, hacking back is against the law.

Any form of hacking is a federal crime. In 1986, Congress enacted the Computer Fraud and Abuse Act, which prohibits anyone from “knowingly” accessing a computer “without authorization.” The legislation was inspired, oddly enough, by the 1983 film “WarGames.” In the movie, Matthew Broderick plays a hacker who breaks into the Defense Department’s network and, by accident, nearly starts a nuclear war. Ronald Reagan saw the film and was terrified, as were other politicians, who vowed to act.

Carpenter’s team scrubbed malware from Lockheed Martin’s computers, and flew back to Albuquerque. But Carpenter, a lean, excitable man who speaks in tangent-filled bursts, wasn’t ready to move on to other projects—he wanted to keep chasing the criminals. At home, he quietly continued his investigation. Every night, once his wife went to bed, Carpenter drank coffee, chewed Nicorette, and schemed about ways to outwit the hackers.

He decided to build a trap for them, by creating government files that appeared to belong to a contractor who was carelessly storing them on his home computer. The files were “honeypots”—caches of documents that fool hackers into thinking they are inside a target’s system when they are actually inside a replica. Carpenter stocked the honeypots with intelligence documents—they were all declassified, but that wouldn’t immediately be clear to a reader—and created fictitious search histories for his made-up contractor. “A lot of configuration was done to make it all look real,” he told me.

Soon after his project went live, Carpenter noticed that visitors were hacking in to steal the documents. He trailed them as they left. He thought that doing this might be risky, and not trivially so: violations of the Computer Fraud and Abuse Act can lead to prison sentences of up to twenty years. “I had a fairly decent understanding of the law,” Carpenter said. “But I knew I had no intent for financial gain. And I was pissed that they were stealing all this shit and nobody could fucking do anything.”

In the years since Carpenter went after the hackers, the legal prohibitions on hacking haven’t changed. But now, in the wake of enormous cyberattacks on such companies as Uber, Equifax, Yahoo, and Sony—and Russian hackers’ theft of e-mails from the Democratic National Committee’s server—some members of Congress are trying to pass a significant revision of the Computer Fraud and Abuse Act. The changes would permit companies, and private citizens, that are victims of cybercrimes to hack back.

By some estimates, ninety per cent of American companies have been hacked. At a cybersecurity conference in 2012, Robert Mueller, at that time the director of the F.B.I., said, “There are only two types of companies: those that have been hacked and those that will be.” Government agencies, such as the N.S.A. and the Department of Homeland Security, are responsible for defending government networks. But private companies are largely left to defend themselves on their own.

For help, the private sector is increasingly calling on the cybersecurity industry. Many of these firms are staffed by former N.S.A. employees. Some firms view themselves as masons, helping clients build stronger walls; others see themselves as exterminators, hunting for pests. Many cybersecurity firms offer what is called “active defense.” It is an intentionally ill-defined term. Some companies use it to indicate a willingness to chase intruders while they remain inside a client’s network; for others, it is coy shorthand for hacking back. As a rule, firms do not openly advertise themselves as engaging in hacking back. “It’s taboo,” Gadi Evron, the C.E.O. of Cymmetria, a honeypot developer, said. Yet Cymmetria’s vice-president of operations, Jonathan Braverman, told me that most major cybersecurity companies “dance at the limits of computer trespassing every single day of the week.”

Shawn Carpenter, the Sandia employee, was determined to help illuminate a dark world that seemed to be undermining U.S. interests. And, as he later told Computerworld, “the rabbit hole went much deeper than I imagined.”

Chasing the hackers was difficult, in part, because the Internet enables anonymity. Encryption, virtual private networks, and pseudonyms shroud the identity of even benign users. Hackers can further thwart efforts to identify or catch them by leapfrogging from one “hop point” to another. If hackers in Bucharest want to steal from a bank in Omaha, they might first penetrate a server in Kalamazoo, and from there one in Liverpool, and from there one in Perth, and so on, until their trail is thoroughly obscured. Jason Crabtree, the C.E.O. of Fractal Industries, a cybersecurity company in northern Virginia, said, “The more that someone wants to prevent attribution, the more time they’ll invest in making it difficult to know where the attack came from.” A sophisticated hacker, he said, might hop as many as thirty times before unleashing an attack.

Carpenter was aware of such tricks, and so he didn’t like stepping away from his computer at night. Whenever the hackers—who worked when it was daytime in eastern China—were online, he tried to be online, too. He began sleeping just a few hours a night, and in May, 2004, after ten months of investigation, he finally cracked the case. He followed the hackers to a server in South Korea, then used a “brute force” application that kept guessing at the server’s password until it landed on the right one, allowing Carpenter to hack in. On the server, he found beacons and other tools, in addition to several gigabytes’ worth of stolen documents—the equivalent of millions of pages—relating to sensitive U.S. defense programs. Among them were blueprints and materials for two major Lockheed Martin projects: the F-22 Raptor, a stealth fighter plane commissioned by the Air Force, and the Mars Reconnaissance Orbiter, which was launched by NASA in 2005. Finally, Carpenter discovered that the South Korean server was merely a hop point—and when he followed the trail to the end he arrived at the gateway of a network in Guangdong, China.