On Jan. 12, at the exact moment President Obama was delivering a speech calling for stronger cybersecurity laws, a group sympathizing with the Islamic State of Iraq and Greater Syria (ISIS) hacked into the U.S. Central Command’s Twitter feed and posted messages like “American Soldiers, we are coming, watch your back. ISIS.”
Just days before, a man who calls himself the Jester hacked an al-Qaeda propaganda website and put up satirical cartoons from the French newspaper Charlie Hebdo along with the words Je Suis Charlie.
Coming seven weeks after the Sony hack reminded us all of our digital vulnerability, this tit for tat shows the immense challenge of preventing and prosecuting cybersecurity crimes. Should those who attacked Centcom’s Twitter feed be punished? If so, how? And by that measure, should the Jester be punished as well?
In the Wild West of cybersecurity law, those are not idle questions. Every year, hackers steal roughly $300 billion worth of information, from intellectual property to classified state secrets, according to a 2013 study by the Center for Strategic and International Studies. Very few of those hackers are ever punished. That’s in part because most law-enforcement agencies are too slow to respond. More-nimble private companies and individuals, meanwhile, face murky legal questions when they go on the offensive – actions that are known in the cyberworld as hacking back.
The result, explains Jon Huntsman, a former ambassador to China and an expert on cybersecurity, is that hackers often act with impunity. “There’s no penalty, no pain for hackers,” he says.
Strictly speaking, hacking back is illegal. The 1986 Computer Fraud and Abuse Act makes trespassing onto networks a prosecutable offense. Yet it happens all the time, and law enforcement often turns a blind eye. Trickier still are attacks that have popular support. The Jester, for example, has never been prosecuted. Instead, he has become a folk hero and even lent his old laptop to the International Spy Museum in Washington.
But others, including Admiral Michael Rogers, the director of the National Security Administration, warn that hacking back comes with major risks. What if a company accidentally attacks an innocent bystander or a nation-state, sparking a diplomatic incident or dragging the U.S. into a cyberwar? “This is a really complicated, really slippery slope,” Rogers said at a January conference.
Since the Sony hack, Obama and a dozen members of Congress have called for new cybersecurity laws to encourage companies to share data about cyberthreats. The proposals won’t clarify the rules on hacking back, but they could help prevent the next big breach. And in an increasingly connected world, every step will help.
This appears in the January 26, 2015 issue of TIME.