FBI Fails at Prioritizing Cyber Threats, Report Finds

By Published on July 21, 2016

Subjectivity and sluggishness plague the FBI’s cybersecurity threat prioritization process, leaving room for bad actors to exploit national security weaknesses, according to a new Department of Justice (DOJ) Office of Inspector General (IG) report.

The FBI’s Cyber Division only conducts its Threat Review Prioritization (TRP) review once a year. Unnamed FBI officials in the report described using review techniques as a “gut check” that’s based more on the “loudest person in the room” than objective criteria.

“We found the criteria used in the TRP process are subjective and open to interpretation,” the IG said. “As a result, the FBI’s TRP process does not prioritize cyber threats using an algorithmic, objective, data-driven, reproducible, and auditable manner.”

“In addition, we found that TRP may not be agile enough to identify emerging cyber threats,” the IG added. “We believe that as cyber threats continue to increase in size and complexity, lack of objective, data-driven prioritization can hinder the FBI’s ability to effectively prioritize the most serious threats.”

The FBI claims protecting the U.S. against cyber attacks is its third priority, behind conducting counterterrorism and counterintelligence operations.

The FBI tried to address TRP’s subjectivity in 2012 by adding a second layer of cybersecurity threat analysis, a system called the Threat Examination and Scoping (TExAS) tool. TExAS has the potential to make the FBI Cyber Division’s approach to threats more objective, but the FBI hasn’t developed policies and procedures dictating who enters data into that second system, or how, the IG said.

“Since its implementation, the TExAS tool has been managed without documented policies and procedures detailing the roles and responsibilities for entering data about each threat,” the IG stated.

The IG also found the Cyber Division can’t determine how it’s allocating its resources to any given cyber threat.

“Without the ability to track the time agents spend by threat, the FBI cannot be sure that it is appropriately aligning its cyber resources to its highest priority threats, a vital capability for a threat-driven organization in the current cyber climate,” the IG said.

The IG said the FBI should use an algorithmic, data-driven, objective methodology to analyze and prioritize cyber threats, and use documented policies and procedures dictating who enters data and how. The FBI should also analyze its cybersecurity priorities at least every 30 days, instead of annually, the IG said.

 

Follow Kathryn on Twitter. Send tips to [email protected].

Copyright 2016 The Daily Caller News Foundation

Print Friendly, PDF & Email

Like the article? Share it with your friends! And use our social media pages to join or start the conversation! Find us on Facebook, Twitter, Instagram, MeWe and Gab.

Inspiration
The Habit of Nearness
Robert J. Morgan
More from The Stream
Connect with Us