IG slams FBI's 'subjective' approach to cyberthreats
In a new report, the Justice Department's inspector general says the FBI’s yearly process for prioritizing cyberthreats might not accurately identify the most pressing threats.
The Justice Department's inspector general has concluded that the FBI's current process for prioritizing cyberthreats is based on subjective decision-making and, as a result, might not accurately identify the most pressing threats.
Every year, the FBI conducts a Threat Review and Prioritization process to determine the most severe and significant threats so officials can prioritize resources for combating cyberattacks. In compiling its report, Justice's Office of the Inspector General examined this process from fiscal 2014 to 2016 by interviewing 40 FBI officials, some of whom sharply criticized the subjective nature of the TRP process.
One FBI official said it was based on a "gut check," while others called it "vague and arbitrary." The assistant director of the bureau's Cyber Division was quoted as saying decisions on threat prioritization can be based on the "loudest in the room."
The report states that the approach can lead to a misallocation of agency resources and recommends that assessments instead be supported by "an algorithmic, objective, data-driven, reproducible and auditable" process.
In addition to the input from FBI officials, the OIG noted that the TRP criteria included terms such as "greater," "moderate" and "minimal" without defining the qualifications for each threshold.
The report acknowledges that the FBI developed the Threat Examination and Scoping (TExAS) tool to support its assessments with data-driven analysis. Although the OIG notes its potential, the widespread application of TExAS has been hindered by a lack of written policies and procedures defining who should input data and how the data should be used in the TRP process.
Additionally, auditors said the fact that the process takes place only once a year means the FBI cannot respond to emerging threats in a timely fashion.
The report also notes that the FBI cannot currently track the time agents spend on individual cyberthreats because the Time Utilization and Recordkeeping system organizes work by case classification rather than threat.
The OIG recommends that the FBI expand its use of algorithmic, data-driven methodology to assess and prioritize cyberthreats, including documenting the policies governing the use of such methodology and updating the results of the threat-ranking tool every 30 days.
The OIG also recommends developing a recordkeeping system to track the time agents spend by threat.
FBI officials concurred with both recommendations.