
IG slams FBI's 'subjective' approach to cyberthreats


The Justice Department's inspector general has concluded that the FBI's current process for prioritizing cyberthreats is based on subjective decision-making and, as a result, might not accurately identify the most pressing threats.

Every year, the FBI conducts a Threat Review and Prioritization process to determine the most severe and significant threats so officials can prioritize resources for combating cyberattacks. In compiling its report, Justice's Office of the Inspector General examined this process from fiscal 2014 to 2016 by interviewing 40 FBI officials, some of whom sharply criticized the subjective nature of the TRP process.

One FBI official said it was based on a "gut check," while others called it "vague and arbitrary." The assistant director of the bureau's Cyber Division was quoted as saying decisions on threat prioritization can be based on the "loudest in the room."

The report states that the approach can lead to a misallocation of agency resources and recommends that assessments instead be supported by "an algorithmic, objective, data-driven, reproducible and auditable" process.

In addition to the input from FBI officials, the OIG noted that the TRP criteria included terms such as "greater," "moderate" and "minimal" without defining the qualifications for each threshold.

The report acknowledges that the FBI developed the Threat Examination and Scoping (TExAS) tool to support its assessments with data-driven analysis. Although the OIG notes its potential, the widespread application of TExAS has been hindered by a lack of written policies and procedures defining who should input data and how the data should be used in the TRP process.

Additionally, auditors said the fact that the process takes place only once a year means the FBI cannot respond to emerging threats in a timely fashion.

The report also notes that the FBI cannot currently track the time agents spend on individual cyberthreats because the Time Utilization and Recordkeeping system organizes work by case classification rather than threat.

The OIG recommends that the FBI expand its use of algorithmic, data-driven methodology to assess and prioritize cyberthreats, including documenting the policies governing the use of such methodology and updating the results of the threat-ranking tool every 30 days.

The OIG also recommends developing a recordkeeping system to track the time agents spend by threat.

FBI officials concurred with both recommendations.

About the Author

Chase Gunter is a former FCW staff writer.
