"The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense."
I'm not sure I get the premise, of course there are things that can be done to improve defenses, not that the government is doing them necessarily.
First of all, no critical systems should use unencrypted traffic, these should be secured through VPNs.
No critical systems should use security by obscurity, which is all too prevalent in proprietary control applications.
The entire network needs more redundancy, in particular critical services should not be in control of one entity (read "government" or organization) which could become infiltrated or compromised.
Software mono-cultures are devastating in the field due as they enable attacks which are massively scalable. Sourcing components from a single vendor should be discouraged.
Critical systems and security practices need to be audited by third parties.
The right time to build up defenses is now, before an incident occurs. However we know that motivation is rather unlikely until afterwards. Given this reality, it's important to have a plan on how to best react after the fact when preventable attacks are successful to minimize damage.