What they need to do is set up a small group, even an offshoot of the National Guard or the FBI, that has authorization to look for vulnerabilities in private-sector networks, but not to exploit them for gain or to use shellcode that intentionally reads or tampers with persistently stored code or data in any way.
There does not need to be any "command" structure to order companies to do things. The only ordering around I could tolerate would be in specific industries (like internet-connected financial services), when a company that had been notified of vulnerabilities did not then act to fix those security holes.