President Obama's creation of a cyber security "czar" with a broad mandate to protect the nation's computer networks marks a step long overdue, and is a good start. But the announcement, and his cyber security policy review, leave unanswered how we're really going to address the problems of cyber crime and cyber war. These problems are spinning dangerously out of control.

Cyber criminals now operate in a sophisticated virtual underworld, a sort of computerized version of Prohibition.

At the recent World Economic Forum in Davos, cyber crime against business was estimated to cost the global economy $1 trillion per year. Individuals suffer, too: Identity theft on the Internet is rampant. Cyber extortion ("pay us or we'll shut down your organization's Web site") has become a global protection racket. Any information that's otherwise difficult to get -- ranging from e-mail addresses of potential Viagra buyers to national security secrets -- has value on the virtual black markets run by cyber-crime organizations.

The national security threat from espionage and cyber war is growing. In March, researchers uncovered a vast electronic spying operation that had infiltrated computers (including the Dalai Lama's) across 103 countries. The U.S. government admitted that both Russian and Chinese hackers have broken into secret computer systems in the Pentagon. In what looked to be the first cases of real cyber war, Russia is widely believed to have disabled vital computer systems during disputes with the former Soviet republics of Estonia and Georgia.

What's most troubling is that most attacks now are launched from virtual networks of thousands of infected computers -- including possibly yours. Cyber security is no longer somebody else's problem. Now it's everybody's concern.

The Bush administration paid lip service to cyber security and left key positions unfilled or underfunded. So it's refreshing to see President Barack Obama taking the issue seriously and promising a cyber-czar office that can truly coordinate things.

At present our efforts get muddled in an alphabet soup of agencies and plans. Agencies responsible for pursuing cyber crime -- just one aspect of cyber security -- include the Secret Service, the FBI, the Federal Trade Commission and a special office in the Justice Department. Meanwhile the National Security Agency has been fighting a turf battle with the Department of Homeland Security over who should "run" the nation's cyber-security efforts. It's good that the first section of the recently released policy review is titled "Leading From the Top."

Otherwise, though, the president's initiatives seem to break little if any new ground. Building partnerships between the government and the private sector, encouraging innovation in security technologies, increasing public awareness of the threats and risks -- all of this is necessary, but it's already been said, many times. Mr. Obama's plan is the fourth such presidential cyber-security initiative over the last 10 years. (During the Clinton administration, I helped to draft the first.) If plans were progress, we'd be in great shape.

What we need most, along with better coordination among government agencies, are real incentives for action in the private sector. The software we all use is full of vulnerabilities (defects that let hackers do their dirty work), and though there are ways of writing much better software -- Carnegie Mellon University's Software Engineering Institute offers proven methods -- few software companies have adopted them. Internet service providers could do a number of things to help make network operations more secure, but many don't. Many big end-user firms, like government offices, give short shrift to cyber security.

Our previous "national plans" have been laissez-faire, relying on the private sector to take care of such business voluntarily. That has to change.

One step that can help is tort liability: letting software producers, network operators and others be held liable for damages due to their security lapses. Tighter procurement practices by government and wider availability of cyber insurance, conditioned on best practices, could also help raise security standards.

Finally: The Internet is global, and so is the cyber underworld. The United States can't get control of security problems on its own. But it can take the lead in creating better international systems for Internet management and policing.

President Obama has at least put cyber security high on his agenda, but what matters now is what's done. To keep on doing what hasn't worked should not be an option.