Audit of FBI Cyber Threat Program Details Strengths and Weaknesses

Follow Jerod on Twitter.

WASHINGTON (NSP) — An audit of the Federal Bureau of Investigation’s Cyber Threat Prioritization by the Office of the Inspector General revealed the agency has most recently relied on “gut checks” when determining the priority of a cyber threat.

The Office of the Inspector General’s report focused on an annual process the FBI undergoes to establish what it deems to be the most severe and substantial threats. The process, known as Threat Review and Prioritization (TRP), helps the FBI direct the allocation of resources for threats it deems to be severe.

The OIG focused on fiscal years 2014 through 2016, according to the report.

In October of 2012 the FBI launched its Next Gen Cyber Initiative in response to an OIG report in 2011 which showed faults in the Bureau’s investigative practices when it came to cyber security. During the implementation of this new initiative, crimes such as child pornography and internet money laundering were transferred to the Criminal Investigative Division so the Cyber Division could focus solely on intrusions.

In 2015 the FBI implemented its Cyber Threat Team model, which aided in making sure that multiple field offices were not working on the same cyber threat unknowingly.

However, the audit discovered that the TRP process for prioritizing threats was “subjective and open to interpretation” and “does not prioritize cyber threats in an objective, data-driven, reproducible, and auditable manner.” The OIG also stated their concern with the TRP only occurring once a year, meaning the FBI may fall behind new trends and threats.

The Cyber Division developed the Threat Examination and Scoping tool (TExAS) in order to remedy this problem, but the OIG found use of the tool to be “uneven because the FBI has not established permanent written policies and procedures” on how to use TExAS.

The TExAS system uses largely objective data and algorithms to prioritize cyber threats and give FBI agents a view of the “cyber landscape,” according to the report.

The FBI uses standardized criteria in order to give a threat level to a specific threat but the OIG found they were “inherently subjective.” One FBI official told the OIG the prioritization of threats was a “gut check” while another official told them the TRP is “vague and arbitrary.” The Cyber Division Assistant Director told the OIG the assessments can be based on the “loudest person in the room.”

The OIG had provided an example of how this subjectivity impacted the ranking of a threat in 2016 but the section was entirely redacted.

The TExAS tool is not as subjective as the TRP, according to the report. TExAS uses an algorithm and a series of 53 weighted questions. Furthermore, each answer must be supported by a document “demonstrating the underlying rationale for the answer.” This gives a more objective approach to prioritizing threats being investigated by the bureau.

The TExAS tool also has the ability to incorporate intelligence from other agencies including private industry and foreign partners.

However, FBI officials told the OIG that inputting data and a lack of clearly defined roles and responsibilities have contributed to the differences in results between TRP and TExAS.

Another problem the bureau is facing is that it currently does not have an adequate way to track the resources allocated to each cyber threat, according to the report. The FBI’s current record keeping system is unable to track agents’ efforts on a specific threat. This means that the FBI cannot ensure that resources are being applied to threats appropriately, according to the report.

The FBI told the OIG they are “working on a solution” to the timekeeping problem.

The OIG recommended that the FBI use an “algorithmic, data-driven, and objective methodology and prioritization of cyber threats,” and “develop and implement a record keeping system that tracks agent time utilization by threat.”

The FBI concurred with both recommendations and told the OIG they are working on implementing the new procedures and policies.

The budget for the Cyber Division of the FBI for FY 2016 is $75.3 million, which it receives directly from the Department of Justice, according to the report.

The whole report can be read here.