Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Active Defense and Hackback: The Legal Labyrinth of Cybersecurity

27 January 2026 09:24

In our previous article, we explored how the cybersecurity professional’s role as guarantor clashes with classic scenarios such as unauthorized access. However, in my professional and academic experience, I often encounter an even more insidious gray area: when the victim of an attack decides to counterattack.

While the first article outlined the scope of general liability, this second intervention seeks to explore the criminal risks associated with so-called active defense. The desire to identify the aggressor or neutralize the threat at its source is technically understandable, but legally it conflicts with the fundamental principle that the monopoly on the use of force belongs exclusively to the State.

The mirage of self-defense in the digital sphere

Many operators invoke Article 52 of the Criminal Code, believing that repelling a cyber attack with a counterattack is always legal. The procedural reality is much more complex, as self-defense requires the presence of a present danger of an unjust offense and a strictly proportionate response.

The moment a security analyst decides to target an attacker’s system to disable it, they risk exceeding the scope of the defense mechanism. If the attack has already occurred and the action is taken in retaliation or to recover data, the requirement of a present danger is missing, which transforms the defense into unauthorized access, arbitrary exercise of one’s rights or, worse, aggravated IT damage.

Active defense techniques range from simple advanced monitoring to the installation of beacons or traps designed to track the attacker. Criminal prosecution arises when these measures go beyond the perimeter of one’s own system.

Inserting tracking code into a stolen file that, once opened by the attacker, reveals the attacker’s geographic location or technical data could constitute the crime of unauthorized access to a computer system. In this scenario, the security professional technically becomes a hacker in the eyes of the law, since he or she introduces a tool into another person’s system without the owner’s consent, regardless of whether that owner is themselves a criminal.

The impact of Law 90 of 2024 on counterattack maneuvers

The recent legislative reform of 2024 introduced significant restrictions on the possession of tools designed to disrupt or damage computer systems. Anyone who decides to implement counterattack strategies (hackbacks) to paralyze an attacker’s servers exposes themselves to the new and more severe penalties for damaging public utility systems if, whether by mistake or because of traffic bounces, the attack affects sensitive infrastructure.

Italian lawmakers have clarified that threat management must be handled through institutional channels such as the National Cybersecurity Agency and the police force. Any private “digital policing” initiative not only lacks legal protection but can be interpreted as worsening systemic damage.

The management of cyber ransoms deserves a separate discussion, where active defense is intertwined with the risk of aiding and abetting. Law 90 of 2024 has increased penalties for cyber-extortion, placing the CISO or consultant in a very delicate position. Actively participating in a negotiation or facilitating the payment of a ransom without informing the judicial authorities can expose the professional to charges of money laundering or obstruction of justice. Protecting corporate assets can never justify conduct that violates the duty to cooperate with the State, especially when the attack originates from entities subject to international sanctions.

From knee-jerk reaction to procedural conformity

Legal protection for a security professional is achieved not through technical strength but through methodological precision. The correct defense strategy must be limited to containment within one’s own perimeter (honeypots, sandboxes, network isolation), avoiding external offensive projections. Every action taken during the incident response phase must be documented in an unalterable event log that can be used in court to demonstrate the absence of malicious intent.

As a professor of computer criminal law and, above all, as a lawyer, I always emphasize one point: the best active defense is impeccable passive documentation demonstrating how every maneuver was dictated exclusively by the technical need to preserve the integrity of one’s own or the client’s data.

The modern professional must be able to distinguish between what is technically possible and what is legally sustainable in a courtroom. The growing complexity of threats must not become a pretext for procedural shortcuts that would jeopardize the technician’s career and personal freedom. True excellence in our field is measured today by the ability to neutralize the offense while strictly remaining within the confines of the Criminal Code.

Paolo Galdieri
A criminal lawyer and cassation lawyer, also known as a professor of Criminal IT Law, he has held key roles in academia, including coordinating a Level II Master's degree program at La Sapienza University in Rome and teaching at various Italian universities. He is the author of over one hundred publications on criminal IT law and has participated in important international conferences as a representative on the topic of cybercrime. He also collaborates with institutions and television programs, contributing his expertise on cybercrime.
Areas of Expertise: Computer Criminal Law, Cybercrime Law, Digital Forensics Law, Cybercrime Analysis, Legal Teaching, Scientific Publishing