Nigeria-trained attorney and cybersecurity analyst Folashayo Abiodun has called for urgent legislative action to legalise limited hack back measures and empower companies against rising cyber threats.
In a statement sent to Daily Sun, she emphasised the need for clear legal frameworks that allow private organisations to actively defend their digital assets without violating existing laws.
According to Abiodun, the scale and cost of cyberattacks have reached a critical point, with US businesses losing between $2 billion and $400 billion annually to threats such as ransomware.
“Cyberattacks are no longer just technical issues—they are economic, legal, and national security concerns,” she said.
Citing high-profile cases like the Colonial Pipeline, Brenntag, Acer, and JBS USA attacks – some of which led to ransoms as high as $11 million or major operational shutdowns – Abiodun emphasised that passive defences like firewalls are no longer sufficient.
“The reality is, private companies are under siege, and the law still limits them to reactive postures. That needs to change,” she noted.
She pointed to the Active Cyber Defense Certainty Act (ACDC) as a step in the right direction.
The proposed legislation would permit companies, under strict oversight, to engage in narrowly defined countermeasures such as deploying beacons and honeypots – tools that help trace and understand attacks.
“The Act doesn’t advocate for blind retaliation, but for a controlled and accountable process where qualified defenders can assist in attribution and deterrence,” she explained.
The ACDC Act also stipulates mandatory FBI notification and oversight before any action is taken, and includes safeguards to prevent collateral damage, misuse, or harm to national security infrastructure.
Still, Abiodun acknowledges the risks associated with hack back.
“Critics rightly warn about mistaken identity or hitting innocent third-party systems, especially when hackers disguise their origins using hijacked infrastructure,” she said.
She added that legal ambiguity remains under statutes like the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA), laws that currently penalise even defensive unauthorised access.
Despite these concerns, she believes that limited, licensed action is necessary.
“We need a measured system where certified professionals can assist law enforcement in active defence. Cybercriminals are emboldened by inaction. We can’t afford to leave our commercial infrastructure undefended,” Abiodun asserts.
She further called for international cooperation and legal clarity for private cyber responders.
“The global nature of cyber threats demands that the law evolve. The status quo is unsustainable. If private entities are expected to guard critical infrastructure, then they must be equipped – not only with firewalls, but with the legal right to responsibly defend themselves.”
Abiodun is a seasoned attorney and cybersecurity expert who is transforming cyber defence through best legal practices.