Cyber insecurity

Published August 3, 2015

JP Morgan Chase. Sony Pictures. Target. Anthem Healthcare. Fiat Chrysler.

All of these companies have been hit by high-profile cyber-attacks in the past 20 months, rattling the confidence of their customers and employees, and forcing them to spend more to improve their defences.

But for John Strand, these attacks have been great for business. A cyber security expert based in the remote Black Hills of South Dakota, Mr Strand specialises in a new approach to protecting companies from hackers known as ‘active defence’ — an aggressive alternative to simply relying on traditional passwords and firewalls.


After a spate of devastating cyber attacks, companies are seeking to use more aggressive tactics to neutralise the threat. But the law limits how far active defence can go


“It has been attack after attack after attack. My business has skyrocketed. I feel like I should send the Chinese a Christmas card saying thank you for a wonderful year,” he says.

Businesses such as Mr Strand’s use tactics to lure hackers into traps, or to trace their steps to discover the origin of an attack. But there are others who offer more controversial — and probably illegal — methods to ‘hack back’ against cyber criminals. Some quietly resort to such tactics, while others want to but are afraid of running afoul of the law. Legal or not, some say hacking back is necessary given the threat.

After a spate of devastating attacks, companies and governments are mounting a fightback to reinforce their defences, and find more active ways to neutralise the threats from attackers. But the technical advantage lies with the attackers, while legal and political considerations limit how far potential victims can go.

Some 46pc of US companies have raised their cyber security budgets in the past two years, with half saying they will spend more in the next two, reports the Ponemon Institute, a cyber security research centre.

“There is an unprecedented level of interest in active defence and frustration with the reactive approach,” says James Lyne, global head of research for Sophos, a web security specialist.

Using funds from the US Defense Advanced Research Projects Agency, Mr Strand helped create a set of 20 tricks and traps to thwart cyber criminals. Downloads of the Active Defense Harbinger Distribution kit have almost doubled in the past two months, to an average of about 500 a week. His ‘active defence’ sessions at the upcoming security conference Black Hat in Las Vegas have already sold out. There is a ‘huge spike’ in interest in active defence after each big cyber attack, Mr Strand says.

The onslaught of cyber attacks has shown how vulnerable every sector is, from banks to retailers, entertainment companies to healthcare providers. They want to bolster their defences to protect customer data, intellectual property and financial information that is the lifeblood of their business — and a treasure trove for hackers.

Mr Lyne showed how active defence techniques could be used to trace a hacker in a 2013 TED talk. He accessed cloud services used by a hacker group, found their phone numbers and used GPS information to pinpoint their office building. He was even able to find pictures of the hackers’ Christmas party.

But finding them was the easy part. “Despite the theft of millions of dollars, the cyber criminals haven’t been arrested and at this point possibly never will,” he says. “Most laws are national despite cyber crime conventions, while the internet is borderless and international by definition.”

Cyber security specialists categorise the main active defence tactics as the three A’s: annoyance, attribution and attack. Only two of the three A’s are considered above-board, however.

Annoyance involves tracking a hacker and leading him into a fake server, wasting his time — and making him easy to detect. A new generation of start-ups is specialising in building traps for data centres, including two Israeli companies, TrapX and Guardicore.

Attribution uses tools to trace the source of an attack back to a specific location, or even an individual hacker. The two most popular tools in Mr Strand’s kit are attribution techniques: the ‘honey badger,’ which locates the source of an attack, tracking its latitude and longitude with a satellite picture, and beacons, which are placed in documents to detect when and where data is accessed outside the user’s system.

But it is the third A — attack — that is most controversial. To ‘hack back,’ a company accesses an alleged hacker’s computer to delete its data or even to take revenge. Both of these steps are considered illegal.

Chris Hoff, security chief technology officer at Juniper Networks, is integrating elements of active defence into its products. “The dirty little secret is if there were no worries ethically and legally, everyone wants a ‘nuke from orbit’ button,” he says.

But there are serious legal worries about active defence. Many laws governing cyber security are designed for 1980s-era technology.

Instead, security lawyers have been forced to draw a line between what is legally acceptable ‘active defence’ and illegal ‘hacking back’ using a case that has little obvious relevance to the world of large-scale cyber attacks. However, some companies evade these restrictions in US law by putting cyber defence units in countries with few laws governing the internet. And some cyber security companies outside the US are also attacking hackers on behalf of their US clients, says David Cowan, an investor in security start-ups at Bessemer Venture Partners.

Until there is clear and coordinated international law, how far companies can go with active defence depends on “the number of lawyers they have and the size and maturity of their security team”.

John Carlin, assistant attorney general for national security at the Department of Justice, admits the laws on active defence are not keeping pace with the rising number of attacks. “In cyber in general it is incredibly fast-moving technology and fast-moving policy change. Almost every issue we confront in cyber is an area where you are looking to clarify the law,” he says.

Published in Dawn, Economic & Business, August 3rd, 2015
