According to a recent article, Google appears poised to engage in more proactive cyber operations to defend its interests, as well as other American entities, from hostile threat actors. Per the report, the company intends on establishing a “disruption unit” in the near future whose purpose would be akin to the U.S. Cyber Command’s defense-forward operations where a special team would proactively seek to impact the activities of cyber threat actors and groups. The idea of embracing a more proactive position in trying to counter, or at least, reduce the volume of state and nonstate cyber malfeasance is consistent with the United States government’s embrace of such tactics as an alternative to more defensive measures that have largely been criticized for being too slow and reactive to adequately address the speed with which contemporary cyber attacks are occurring.

Nevertheless, despite the legal and policy questions that remain with respect to this decision, it is clear that Google’s emphasis on more aggressive actions in cyberspace is telling and raises several questions about what these activities might look like, as the difference between “active defense” and “hacking back” can be confusing and oftentimes overlapping, depending on the criteria used to define them. Active defense could employ less belligerent tactics such as setting up decoys and environments meant to lure in and deceive threat actors to make it more difficult for them to carry out attacks, whereas hacking back could imply more impactful operations designed to destabilize or destroy a threat actor’s operational infrastructure, devices, and/or systems. A “disruption unit” might try to operate somewhere in between the two, though there is no clear indication of what its operations would look like.

The murky waters of cyber operations grow murkier still when considering the U.S. government’s potential role, whether through tacit approval, direct oversight, or quiet complicity, in activities straddling the line between active defense and outright hack-back. This is important because there is a chance that some activities will cross the line one way or another, perhaps bringing an incident intended to remain surreptitious into public view and inviting scrutiny and consequences. There has been substantial debate over whether private companies should be allowed to hack back. And while Google has made no claims that the disruption unit will actually engage in hacking back, there is little question that the company has the vast technical capacity, scope, and reach to do so, putting state and nonstate adversaries on notice and shifting their calculus of concern. More disconcerting is the fact that whatever activity Google’s team pursues, authorization of any type of retaliation by a company with suspected ties to the government would not exist in a vacuum. It would establish a precedent that foreign companies could, and likely would, emulate, potentially leaving U.S. organizations in the crosshairs.

If the idea that foreign companies would follow Google’s lead and develop similar teams for similar purposes seems far-fetched, history tells a different story. International cyber policy has demonstrated repeatedly that once a leading nation state takes a controversial step, others soon follow. A prime example came in the wake of Edward Snowden’s 2013 disclosures about the NSA’s surveillance programs. U.S. justification for broad digital monitoring was echoed abroad: China, Russia, and even European governments like France and the United Kingdom used similar concerns to rationalize their own expansive surveillance initiatives. What was initially painted as a unique national security requirement by one country quickly paved the way for others to replicate it under the same rubric of concern, regardless of how it was deployed.

A similar argument can be made with respect to the deployment of Stuxnet, which targeted Iran’s nuclear program, and the deeply held suspicions that the United States partnered with Israel to deliver the first cyber weapon. While states may have conducted offensive cyber operations in the past, up until that point they remained largely in the background and cloaked under a thick veneer of plausible deniability. However, the combination of sophisticated technical and human interaction pointed to state involvement, thereby ushering in the precedent that states “could” engage in such activities, whether thinly or more rigorously veiled. Since Stuxnet, states have been tied to more aggressive cyber operations such as distributed denial of service attacks against major financial institutions, destroying the computer systems of major oil companies, disrupting energy companies, and manipulating water facilities.

Apply the same rationale to private sector organizations, especially those with transparent and/or suspected relationships with governments, and there is strong potential that adversaries will perceive Google’s disruption unit as a way for the United States to leverage the power of its private sector to advance its interests. If so, they may take the opportunity to recruit their own private sectors to follow suit in a similar capacity and approve retaliation outside their sovereign borders in kind. A recent joint government advisory that identified three Chinese companies suspected of supporting the hacking conducted by SALT TYPHOON actors against critical infrastructure targets further reinforces this concept. While that activity has primarily been exploitative in nature, it is easily amplified to escalate from network exploitation to network attack. Compounding matters is that, absent generally accepted rules governing such actions, it seems that knowledge of a potentially impending attack is the only criterion justifying such retaliation, ostensibly allowing private sector organizations to conduct attacks against any real or potential target they believe to be a threat. In a domain already congested with states, cybercriminals, and proxies operating freely, adding another dimension does not help codify norms of behavior so much as further relax them.

From surveillance to offensive acts in cyberspace, history has shown that once lines are blurred, others undoubtedly follow. The most likely outcome would be heightened cyber volatility in which global companies, by virtue of their prominence and global exposure, absorb the brunt of foreign retaliation, which may in turn bring their respective governments into the mix, escalating threats rather than reducing them. For policymakers, the lesson is clear: hack back is not a technical debate; it is a geopolitical signal. Allowing Google to cross that line risks setting in motion a chain of global behaviors that will make American businesses less safe, not more secure.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.