Organizations create a standard set of protective tools, such as encryption, firewalls, anti-virus software, intrusion-detection systems, and two-factor authentication. However, threat actors still may penetrate these defenses due to a vulnerability or misconfiguration. When that occurs, should companies be allowed to crash the servers that are attacking them or delete data that has been stolen from them off their adversaries' computers? This concept of engaging in "active defense"often considered a cybersecurity euphemism for offenseis not permitted by the Computer Fraud and Abuse Act (CFAA) in the United States and its counterparts in other countries. These laws effectively make it illegal for people to access computer systems that do not belong to them without permission from the owners. But some cybersecurity professionals and even lawmakers say that the time has come to carve out an exception to this blanket ban: companies should be permitted to infiltrate external networks in the name of active defense. Should active defense be permitted?