The FBI should restructure how it prioritizes and catalogues cybersecurity investigations, according to a new report from the Justice Department inspector general.
Rather than relying on instinct and experience to determine the severity of a cyber threat and then allocating resources based on that assessment to solve cases, Inspector General Michael Horowitz recommends the Bureau move towards more data-driven decision making — supported by custom data analytics software.
The FBI’s current, primary cybersecurity case assessment procedure is known as Threat Review and Prioritization, or TRP. The TRP provides guidance, annually, for the FBI’s operational divisions and field offices to reference when defining the level of threat and deciding on resources available to address a case.
The OIG audit, however, concludes that TRP is “subjective and open to interpretation” because, among other things, it does not define specific targets. For example, under TRP, what constitutes a “small business” is up for an agent to decide.
Because TRP is only updated annually, the OIG believes this approach is not agile enough to respond to the rapidly changing threat landscape of the cyber arena. The current approach does not use “an algorithmic, objective, data-driven, reproducible and auditable” process, the report reads. As such, it ought to be augmented by another tool, Horowitz says, suggesting the Bureau use the Threat Examination and Scoping, or TExAS, tool.
TExAS — which is already being used within the FBI though on a limited basis — is an in-development software platform. Agents answer 53 quantitative questions by inputting a numerical threat score for each into TExAS. The software’s algorithm then crunches the data to produce recommendations on appropriate threat classifications and necessary resources while also allowing for collaboration between multiple partners.
The FBI’s Cyber Division told the OIG that it plans to have Sentinel, the FBI’s main case management system, automatically update TExAS with available and appropriate data every day beginning in fiscal year 2017. Applicable Cyber Threat Team, or CTT, field offices will also manually enter, every 30 days, the information that Sentinel cannot transfer.
The OIG audit looked at the FBI’s cybersecurity case procedure, classification and mitigation strategy between 2015 and 2016. Auditors interviewed 40 FBI officials. While critical of the TRP, the report also stated that the Bureau is taking positive steps to improve its in-house threat prioritization process.
In 2002, the FBI publicly stated that it considers protecting the homeland against cyber attacks to be its third priority, behind only counterterrorism and counterintelligence operations.