Though problematic, authorizing industry victims to counterattack may prove a good stop-gap measure to remove the political risk of government intervention while still creating deterrence.
With the Cyber Intelligence Sharing and Protection Act (CISPA), we're in a political tug-of-war over who should lead the security of our digital borders: should it be a civilian organization such as the Department of Homeland Security (DHS), or a military organization such as the Department of Defense (DoD)? I want to suggest a third option that government need not be involved--a solution that would avoid very difficult issues related to international humanitarian law (IHL) and therefore reduce the risk of an accidental cyberwar or worse. This option models itself on the (admittedly controversial) "Stand Your Ground" law that's rooted in our basic right to self-defense, and it authorizes counter-cyberattacks by private companies, which have been the main victims of harmful cyberactivities by foreign actors to date.
First, as a nation of law, we may not be ready yet for government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved issues with IHL, also known as the laws of war which include Geneva and Hague Conventions as well as binding rules established by the International Committee of the Red Cross. For instance, IHL requires that we take care in distinguishing combatants (such as military personnel) from noncombatants (such as most civilians) when we use force. Yet containing any cyberattack to lawful military targets is perhaps impossible today; even the Stuxnet worm against Iranian nuclear facilities has infected more than 100,000 private, civilian computers worldwide, including in the US. Any cyberattack would likely go through civilian infrastructure; for example, the Internet is not owned by the military, in the case where that's the delivery channel for the attack. If civilian programmers were to be involved--let's say the government enlists the help of Google or Microsoft employees in designing a cyberweapon--then those computer scientists and engineers may transform into legitimate targets for retaliation in either a cyber or kinetic (i.e., bullets or bombs) war.