Cyberespionage has received even greater attention in the wake of reports of persistent and brazen cyberexploitation of U.S. and Canadian firms by the Chinese military. But the recent disclosures about NSA surveillance programs have made clear that a national program of cyberdefense of private firms’ intellectual property is politically infeasible. Following the lead of companies like Google, private corporations may increasingly resort to the use of self-defense, hacking back against cross-border incursions on the Internet. Most scholarship, however, has surprisingly viewed such actions as outside the ambit of international law. This Note provides a novel account of how international law should govern cross-border hacks by private actors, and especially hackbacks. It proposes that significant harm to a state’s intellectual property should be viewed as “transboundary cyberharm” and can be analyzed under traditional international legal principles, including the due diligence obligation to prevent significant harm to another state’s territorial sovereignty. Viewing cyberespionage within this framework, international law may presently permit states to allow private actors to resort to self-defense as proportionate countermeasures. By doing so, this Note offers a prescription for how states might regulate private actors to prevent unnecessary harm or vigilantism while preserving the right of self-defense.