Subjectivity and sluggishness plague the FBI’s cybersecurity threat prioritization process, leaving room for bad actors to exploit national security weaknesses, according to a new Department of Justice (DOJ) Office of Inspector General (IG) report.
The FBI’s Cyber Division only conducts its Threat Review Prioritization (TRP) review once a year. Unnamed FBI officials in the report described using review techniques as a “gut check” that’s based more on the “loudest person in the room” than objective criteria.
“We found the criteria used in the TRP process are subjective and open to interpretation,” the IG said. “As a result, the FBI’s TRP process does not prioritize cyber threats using an algorithmic, objective, data-driven, reproducible, and auditable manner.”
“In addition, we found that TRP may not be agile enough to identify emerging cyber threats,” the IG added. “We believe that as cyber threats continue to increase in size and complexity, lack of objective, data-driven prioritization can hinder the FBI’s ability to effectively prioritize the most serious threats.”
The FBI claims protecting the U.S. against cyber attacks is its third priority, behind conducting counterterrorism and counterintelligence operations. (RELATED: Hundreds Of Organizations Worldwide Fail At Cybersecurity)
The FBI tried to address TRP’s subjectivity in 2012 by adding a second layer of cybersecurity threat analysis, a system called the Threat Examination and Scoping (TExAS) tool. TExAS has the potential to make the FBI Cyber Division’s approach to threats more objective, but the FBI hasn’t developed policies and procedures dictating who enters data into that second system, or how, the IG said.
“Since its implementation, the TExAS tool has been managed without documented policies and procedures detailing the roles and responsibilities for entering data about each threat,” the IG stated.
The IG also found the Cyber Division can’t determine how it’s allocating its resources to any given cyber threat.
“Without the ability to track the time agents spend by threat, the FBI cannot be sure that it is appropriately aligning its cyber resources to its highest priority threats, a vital capability for a threat-driven organization in the current cyber climate,” the IG said.
The IG said the FBI should use an algorithmic, data-driven, objective methodology to analyze and prioritize cyber threats, and use documented policies and procedures dictating who enters data and how. The FBI should also analyze its cybersecurity priorities at least every 30 days, instead of annually, the IG said.
Send tips to email@example.com.
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact firstname.lastname@example.org.