Not defence, only reporting of incidents
At least that's what I got out of it:

If there was one issue the DHS did not have a satisfactory answer for -- at least as far as the reporters present were concerned -- it was the issue of whether the reporting of cybersecurity incidents should be made mandatory.

At a news conference announcing a series of vendor-sponsored surveys and studies that were described as "tools" to help "measure the cybersecurity health of the nation," Liscouski likened the challenge to dealing with a public health incident. After a reporter noted that during a public health emergency doctors would be required to report incidents, Liscouski said: "We've got the tool sets and the processes in place. Reporting, however, is going to be voluntary."

I think this is resonable. The comparrison with the requirement that doctors must report incidents is not applicable. They are treating members of the public and that should be reported. This would be like requiring patients to report on becoming ill, or requiring people to report domestic incidents or break-ins at their own houses. Sure we'd like to think they'd do that, and we should encourage them to do so, but it wouldn't be right to require it by law.

Simon Hibbs