As attacks on private-sector critical cyber infrastructure increase in frequency and sophistication, affected companies must adapt. How can companies better work with government during an attack? With respect to self-help, is retaliation permissible? Where is the line between passive defense and questionable active counter measures?