> That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around.

That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.

To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.

What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?

Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of successful will be virtually zero meaning the corps get a license to silence you with impunity.

Most APTs companies are already dealing with are either directly state-sponsored or state-permitted as has been seen with tr fairly common Cyrillic, Simplfied Chinese, and Hebrew keyboard checks that have become fairly common in offensive payloads, so the division you are making has been nonexistent for decades.

This is just a tacit admission of a practice that has been occurring under the radar for years now.