Welcome to this week’s edition of Cyber Motion, tailored for cybersecurity business leaders. In this newsletter, you’ll find practical strategies, cutting-edge insights, and fresh thinking designed to help your security-focused brand break through a crowded market. My goal is to equip you with the tools and ideas needed to thrive amid shifting threats, buyer skepticism, and evolving industry standards.

– Tobias

INSIDE THIS EDITION
  • Hack back or hack job?

  • Creeping toward info-sharing renewal

  • Poor AI security oversight rules the day

BEST OF THE WEEK
  • Federal Cyber Information-Sharing Bill Renewal Inches Forward
    The Cybersecurity Information Sharing Act (CISA) is up for renewal, extended through 2035 under its new name—WIMWAG. Recent updates aim to modernize threat-sharing protocols but still face political gridlock. Great reminder: cooperation always wins over isolation. (WSJ)

  • AI Is Taking Over Cybersecurity—But Businesses Still Know the Risks
    A new study shows 73% of organizations now lean on AI for cybersecurity—but only 1 in 3 properly integrates human oversight. If you’re investing in AI, double down on training and transparency; otherwise, you’re running automation without guardrails. (TechRadar)

  • Cybersecurity Complexity and the Channel
    Mounting tool complexity is turning MSPs into strategic partners—not just vendors. As environments fragment, partners who simplify, offer automation, and guide strategic security will become your greatest leverage points. (IT Pro)

THE DEEP DIVE

Letters of Marque Don’t Belong in Cyberspace

The Temptation to Strike Back

It’s an easy sell: if cybercriminals attack you, hit them back. Congress is flirting with that idea through the so-called “hack back” bill, which would allow private companies to retaliate directly against attackers.

Supporters liken it to the “letters of marque” that once authorized private ships to attack enemy vessels. In practice, privateering was chaotic, hard to control, and often escalated conflicts. The harsh reality was a far cry from that “pirates of the…” movie franchise you’ve likely seen. We stopped doing it for a reason.

Now, policymakers are considering bringing it back. But digitally this time.

What’s on the Table

The current proposal, sometimes framed as the “Scam Farms Marque and Reprisal Authorization Act,” would give companies authority to disrupt or retaliate against attackers. Even Google has floated the idea of a “disruption unit” to prepare for this possibility.

On the surface, this looks like empowerment. In reality, it’s outsourcing offensive cyber operations to the private sector, but with no guarantee of control or accountability.

Why Hack Back Sounds Attractive

Proponents highlight a few appealing points:

  • Deterrence. If attackers fear retaliation, maybe they’ll think twice.

  • Intelligence. Hack back could reveal attacker infrastructure or methods.

  • Speed. Governments move slowly; private actors could act faster.

These arguments have surface logic. They make hack back sound like a bold, no-nonsense strategy. But bold without precision is reckless.

However, I have a less flattering opinion on why this is broadly appealing. The real reason that hitting back sounds good is that it seems like something straight out of a movie or the video game Cyberpunk 2077. In short, this seems like the tough, sexy thing to do.

Where It Falls Apart

Here’s where the reality check comes in:

  • Attribution is unreliable. Attackers hide behind layers of compromised servers. Hack back risks striking innocent systems.

  • Escalation is inevitable. As Lawfare points out, once the U.S. normalizes offensive private cyber actions, adversaries will feel justified doing the same. The result is a dangerous cycle of retaliation.

  • Governance is absent. There’s no clear oversight framework to prevent abuses or mistakes. Turning private companies into cyber combatants invites chaos.

  • Collateral damage is likely. Bystanders (read: small businesses, universities, ISPs, even individuals) will likely get caught in the crossfire.

This isn’t targeted defense. It’s more like tossing grenades into a crowded room.

The Privateer Problem

History offers a cautionary tale. Maritime privateers blurred the line between legal action and piracy. Ships went rogue. Neutral parties were attacked. International tensions escalated.

Digital privateering would be faster, harder to track, and even more difficult to control. Once normalized, it sets a precedent that undermines stability and increases risk for everyone.

Now, think about this. What happens when a major U.S. company knocks a university offline because its weak security made it a link in an attack chain? What if a small business becomes the target simply because its servers were hijacked? And what about your own home router, punished by an automated reprisal system while the real attackers walk away untouched?

Smarter Alternatives

Rather than deputizing corporations to fight their own cyber wars, we’d be far better off focusing on:

  • Improved detection and attribution. Without clarity, retaliation is meaningless.

  • Structured public-private collaboration. Governments should handle offense. Companies should focus on resilience.

  • Global norms and regulation. Instead of unilateral hack back, build frameworks that reduce escalation risk.

  • Investment in resilience. Stronger systems recover faster and make retaliation less tempting.

The Bottom Line

Hack back might sound tough and cool, but it’s a recipe for chaos. It risks legitimizing vigilante cyber wars, normalizing escalation, and putting innocent companies and people squarely in the line of fire.

As cybersecurity marketers and leaders, we have a role to play here: making it clear that real defense comes from clarity, collaboration, and resilience rather than from handing out digital letters of marque.

Privateering didn’t work on the high seas and it won’t work on the internet either.

Stay sharp,
Tobias
