Yeah. Law enforcement cannot stop this. "Cyberwar" counterattacks won't work either.
"Draconian self-policing" (throttling/disconnecting infected downstream users) won't work against botnets whose DDoS traffic is effectively indistinguishable from legitimate traffic. End users won't disconnect infected devices that appear to be functioning normally. Government "cybersecurity" regulations will be misguided and ineffectual. Nothing will be done until the internet is unusable.
What can be done is: 1) Cutting back on unnecessary technology, integration, services, features, etc. 2) Keys instead of passwords. 3) Standard binary data formats that are less susceptible to serialization attacks than oddball/proprietary formats and the "web soup" of text formats embedded in one another. 4) Not just open source, but simple and understandable open systems all the way down to the transistor level.