Enjoyed the article. The relationship between foreign policy/deterrence and cyber is an interesting one and needs to be considered. Further, the "naming and shaming" should definitely continue.
However, the statement that "If businesses are not expected to protect themselves against ICBMs, then how are government-sponsored cyber attacks any different ..." can be a bit of a mismatch. A cyber attack, even if done by a foreign nation state, may be very similar to an involved cyber attack from a (non-governmental) criminal group. Would one expect the government to protect against the criminals?
Certainly, government and business need to work together, but there's only so much government can do. A company's network is private property and (just like a house or a business) government agents can't enter it without either a warrant or a request from the owner. Yes, it is important for government to assist in protecting against nation state actors, but (barring major legal changes) they can only do that if the company gives them permission and access to do so. It's (relatively) easy to determine that inbound missiles are coming from country X -- it's much harder to tell where inbound cyber attacks are coming from with certainty.
More information about text formats