IG slams FBI's 'subjective' approach to cyberthreats

The Justice Department's inspector general has concluded that the FBI's current process for prioritizing cyberthreats is based on subjective decision-making and, as a result, might not accurately identify the most pressing threats.

Every year, the FBI conducts a Threat Review and Prioritization process to determine the most severe and significant threats so officials can prioritize resources for combating cyberattacks. In compiling its report, Justice's Office of the Inspector General examined this process from fiscal 2014 to 2016 by interviewing 40 FBI officials, some of whom sharply criticized the subjective nature of the TRP process.

One FBI official said it was based on a "gut check," while others called it "vague and arbitrary." The assistant director of the bureau's Cyber Division was quoted as saying decisions on threat prioritization can be based on the "loudest in the room."

The report states that the approach can lead to a misallocation of agency resources and recommends that assessments instead be supported by "an algorithmic, objective, data-driven, reproducible and auditable" process.

In addition to the input from FBI officials, the OIG noted that the TRP criteria included terms such as "greater," "moderate" and "minimal" without defining the qualifications for each threshold.

The report acknowledges that the FBI developed the Threat Examination and Scoping (TExAS) tool to support its assessments with data-driven analysis. Although the OIG notes its potential, the widespread application of TExAS has been hindered by a lack of written policies and procedures defining who should input data and how the data should be used in the TRP process.

Additionally, auditors said the fact that the process takes place only once a year means the FBI cannot respond to emerging threats in a timely fashion.

The report also notes that the FBI cannot currently track the time agents spend on individual cyberthreats because the Time Utilization and Recordkeeping system organizes work by case classification rather than threat.

The OIG recommends that the FBI expand its use of algorithmic, data-driven methodology to assess and prioritize cyberthreats, including documenting the policies governing the use of such methodology and updating the results of the threat-ranking tool every 30 days.

The OIG also recommends developing a recordkeeping system to track the time agents spend by threat.

FBI officials concurred with both recommendations.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
