Passive Defense only works for so long. Eventually if you want this to stop then companies and governments are going to go on the offensive. Either position has it’s advantages and disadvantages.
The second for me, seems to be the one more fraught with unintended consequences. Mainly for the Law-abiding user on ‘net’ services.
So far these cyber attacks have not been officially recognized as ‘legitimate’ warfare. In the past it "hasn't hit" general public in their purse, in their welfare.
But I wholeheartedly agree with your “Passive Defense only works for so long.” statement.