Regarding cyber attacks, if four-year-old malware is what they have handy, then that's what they'll use. It is arguably better to use something off-the-shelf than a bit of custom-coding that might be traceable to given state actor. However, cyber security pundits - not unlike terrorism pundits - have this way of projecting their own expectations on various perpetrators, and if a perpetrator's act fails to live up to those expectations? It must not have been a real cyber attack.

This may be especially true when the pundit in question has a demonstrable bias against government efforts to protect against cyber attacks.

Meanwhile, the real issue is attack attribution. If you cannot rapidly attribute an attack to a source, then you cannot retaliate against that source. And if you cannot retaliate, you have little in the way of deterrence. This is pretty much the current position of the United States. Retaliation is a straightforward affair. If we need a counter-strike capability based on botnets, then we shall have botnets poised and ready. But rule one is you don't shoot anyone who doesn't need killing. At the risk of celebrating the obvious, behind every cyber attack there are people. Perhaps governments, or criminals, or maybe even genuine terrorists, but people all the same. And in order to deal with the attribution issue, we are likely to look for a technological fix to what is actually a problem of human intelligence (HUMINT, as in sources, not intellect, as in smarts).