I think pretty much every security professional should take this one point to heart - you can't force anyone to do jack - click your heels together, look in the mirror, deny it for as long as you want... but it is so true. But don't cry about it. Figure a way around it.
Getting back to the question, here are my three things I would do as Cybersecurity Czar:
- Promote and engender industry support for Software Safety Data Sheets and/or Software Facts Labels, the former providing a mechanism for inline protection by host intrusion prevention and the latter providing software details to assist humans in recognizing and assessing risk factors of the software they are evaluating.
- Create a lab, or promote existing labs for use in validating the strength and weaknesses of various software applications and platforms. The lab would consist of enough systems (VMs, likely) to allow for single variable manipulation for controlled experiments. This lab could test the veracity of each individual configuration setting or patched vs. unpatched systems, etc.
- Create secret backdoors in software and a secret universal monitoring program for the federal government. (Ooops, guess I blew the "secret" part, and some may also suggest I am too late, anyway).
- Since number 3 is really a joke (you did get that, right?), I have another option - find a stronger way for universal identification and authentication other than using social security numbers. Push the industry towards a better solution by publishing all SSNs.
(*sung to Beyonce's "If I were a boy" - here's hoping Hoff or Shrdlu strut their stuff and flesh this one out! Maybe that's what it takes to find a cybersecurity czar who will stick around -> Beyonce singing about it... Btw, I really don't get the song, but maybe that is the point... ;-))