Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action.
Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems.
In the past, companies that have been attacked have mostly focused on repairing the damage to their computer networks and shoring them up to prevent future breaches.
But as prevention is increasingly difficult in an era when malicious software is widely available on the Internet for anyone wanting to cause mischief, security experts say companies are growing more aggressive in going after cyber criminals.
"Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses.
Once a company detects a network breach, rather than expel the intruder immediately, it can waste the hacker's time and resources by appearing to grant access to tempting material that proves impossible to extract. Companies can also allow intruders to make off with bogus files or "beacons" that reveal information about the thieves' own machines, experts say.
Henry and CrowdStrike co-founder Dmitri Alperovich do not recommend that companies try to breach their opponent's computers, but they say the private sector does need to fight back more boldly against cyber espionage.
It is commonplace for law firms to have their emails read during negotiations for ventures in China, Alperovich told the Reuters Global Media and Technology Summit. That has given the other side tremendous leverage because they know the Western client company's strategy, including the most they would be willing to pay for a certain stake.
But if a company knows its lawyers will be hacked, it can plant false information and get the upper hand.
"Deception plays an enormous role," Alperovich said.