The new approach would focus on reducing vulnerable areas in a company's digital security rather than actively deterring attackers, The Washington Post reported Monday.
The private sector needs to know who's targeting their computer networks and the ability to aggressively defend themselves, said Steven Chabinsky, who stepped down this month as the FBI's top cyber lawyer.
To do that, he said, businesses need a better relationship with law enforcement and the courts.
The current focus of the Obama administration and Congress to set security standards is useful only "in the margins," he said.
How far companies should go to protect data, including penetrating the invader's server to encrypt or delete stolen information, is at the center of the debate.
A company hacking the hacker could be violating state or federal laws against computer fraud or trespassing, said Stewart A. Baker, formally with the U.S. Department of Homeland Security.
Limits on what the government can do to help companies shield their digital property could lead to the rise of a "digital Blackwater," said former CIA Director Michael Hayden, referring to firms that contract to strike back at online intruders.
Integral to debates on how to deal with cyberattacks is the issue of collateral damage.
"The defense has to be done in a judicious way" to avoid unintended consequences, said Chabinsky.