IG slams FBI's 'subjective' approach to cyberthreats

The Justice Department's inspector general has concluded that the FBI's current process for prioritizing cyberthreats is based on subjective decision-making and, as a result, might not accurately identify the most pressing threats.

Every year, the FBI conducts a Threat Review and Prioritization process to determine the most severe and significant threats so officials can prioritize resources for combating cyberattacks. In compiling its report, Justice's Office of the Inspector General examined this process from fiscal 2014 to 2016 by interviewing 40 FBI officials, some of whom sharply criticized the subjective nature of the TRP process.

One FBI official said it was based on a "gut check," while others called it "vague and arbitrary." The assistant director of the bureau's Cyber Division was quoted as saying decisions on threat prioritization can be based on the "loudest in the room."

The report states that the approach can lead to a misallocation of agency resources and recommends that assessments instead be supported by "an algorithmic, objective, data-driven, reproducible and auditable" process.

In addition to the input from FBI officials, the OIG noted that the TRP criteria included terms such as "greater," "moderate" and "minimal" without defining the qualifications for each threshold.

The report acknowledges that the FBI developed the Threat Examination and Scoping (TExAS) tool to support its assessments with data-driven analysis. Although the OIG notes its potential, the widespread application of TExAS has been hindered by a lack of written policies and procedures defining who should input data and how the data should be used in the TRP process.

Additionally, auditors said the fact that the process takes place only once a year means the FBI cannot respond to emerging threats in a timely fashion.

The report also notes that the FBI cannot currently track the time agents spend on individual cyberthreats because the Time Utilization and Recordkeeping system organizes work by case classification rather than threat.

The OIG recommends that the FBI expand its use of algorithmic, data-driven methodology to assess and prioritize cyberthreats, including documenting the policies governing the use of such methodology and updating the results of the threat-ranking tool every 30 days.

The OIG also recommends developing a recordkeeping system to track the time agents spend by threat.

FBI officials concurred with both recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.


