The SEC (before it was neutered) may be a better model. It's a group of hackers that investigates government and industry infrastructure for problems. They can warn parties if they find an issue, and if the issue isn't fixed, this group could bring civil, and maybe even criminal, proceedings against the parties.