Retaliatory attacks launched by companies without strong technology skills or judgment could lead to considerable collateral damage, he said.
"A nation has sovereign privileges in the use of force. Companies do not," argued Lewis, who chaired a committee that developed a set of cybersecurity recommendations for President Barack Obama during his first term.
Companies should focus more on shoring up their defenses, rather than on retaliation, said John Pescatore, director of emerging security trends at the SANS Institute. "The idea has no business or security merit, which is why even though it comes up every five years or so, it never gets adopted."
At the end of the day, a company that cannot adequately defend itself is hardly likely to be in a position to launch an effective counterattack, he said.
"Think about it. If you can't protect yourself in the first place, putting your resources towards retaliation means less resources on protection -- and more attacks against you. Not a smart mix," Pescatore said.
Richard Stiennon, principal at security consultancy IT-Harvest, agreed that companies should avoid the temptation to take on cyberattackers directly. "The realm of cybercrime and cyber espionage is already a free-for-all. Adding well-meaning but easily misguided corporate efforts would be a disaster," Stiennon said.
"It is frustrating that there are no cyber police you can call when you are attacked," he noted. The best that a company can do is to quickly determine the nature of an attack, the likely source, and the likely data target. Then, it must take steps to enhance its own security.
"Take an attack as a penetration test you did not have to pay for. Learn from it and grow your defenses," he said.