printer friendly version

TSCM in the 21st century

When talking about security and risk management, cyber is the new buzzword. The authors Refsdal, Solhaug and Stolen in their book Cyber-Risk Management explain, “Due to cyberspace and its underlying infrastructure, people and organisations have access to more and better services than ever before”. They go on to say that cyberspace has introduced and “continues to introduce, numerous new threats and vulnerabilities.”

Steve Whitehead.

Many of these new threats and vulnerabilities can both be identified and countered with the appropriate level of technical surveillance countermeasures (TSCM) services. In addition to the cyber communication threats, we have seen a tremendous growth in surveillance-enabling technologies over the last decade. Devices operating on GSM, GPRS, UMTS, LTE, Wi-Fi and Bluetooth are found in every business and residence.

New technologies such as the Internet of Things (IoT) are rolled out on a daily basis without considering the technical surveillance threats that come along with these technologies. (IoT is the incorporation of electronics into everyday items that allows them to be connected to each other). IoT devices are deployed in the banking, financial, medical, agricultural, industrial, oil, gas and motor industries, to name a few.

In the May 2015 edition of this magazine, in the article ‘How eavesdropping-resistant is your organisation’, I wrote that risk managers, security professionals, information protection officers and facility managers need to understand the threat of modern technical espionage.

It is however equally and sometimes more important that those offering technical surveillance countermeasures (TSCM) services in South Africa themselves pay attention to key trends, new technologies and new threats, and adapt their service offerings accordingly to stay relevant. There is no longer space for outdated services, training or equipment when it gets to the safeguarding of sensitive information and data.

A snap survey during January 2017 among local TSCM service providers showed that there is reason for concern about the current levels of TSCM services offered in South Africa. There are only two companies in South Africa that can offer an up-to-date modern-day technical surveillance countermeasures service to corporate South Africa.

The role of TSCM in the cyber world

Charles Patterson, a TSCM professional from the US recently wrote: “where cyber and physical security almost meet is TSCM”. Patterson says, “Both cyber and physical security are necessary, but there is an area in between that neither one extends into. That is where TSCM sweeps are needed”.

J.D. LeaSure, director of the Espionage Research Institute International (ERII) (USA), has been talking for a number of years about this area that Patterson refers to and has named it Cyber TSCM. It extends beyond the traditional practice of TSCM. His presentation, ‘The Dragon in the Machine’ at the CBIA Business Counterintelligence Conference at the Kwa Maritane Bush lodge in September 2012 explained how an organisation’s data and Wi-Fi networks were exploited to steal corporate information, and the need for Cyber TSCM that goes beyond the traditional approach.

Since then, many TSCM service providers around the world have made the paradigm shift and are now offering Cyber TSCM surveys to counter the most modern threats. We are also seeing various strands of Cyber TSCM developing in different parts of the world.

Professional TSCM teams now offer a superior technical countermeasures service which incorporates additional services to identify how sensitive, classified and secret information as well as data could be intercepted, lost or stolen, no matter what the communications medium.

To be able to offer services on such a high level requires total commitment, a deep understanding of counterintelligence principals and a range of sophisticated equipment that covers a wide range of communication technologies. The size of a professional TSCM team has also increased, and a typical cyber TSCM team now consists of a minimum of four to five members.

What to expect from a TSCM service provider

Security and risk managers should expect high standards from their technical surveillance countermeasures (TSCM) service providers.

Proactive and regular TSCM surveys keep a company’s security one step ahead. It will ensure compliance with the King IV corporate governance requirements regarding information security risk management. King IV says technology governance and security have become critical issues. “Technology is now both the source future opportunities and of potential disruption.”

If listed companies do not conduct regular TSCM surveys of their sensitive areas, it could be argued that they do not take prudent and reasonable steps to safeguard their information against possible technical attacks. The same could be true if a company selects an outdated service provider who does not comply with the minimum accepted requirements regarding training, experience and equipment.

There are six easy tests to follow when selecting a Cyber TSCM service provider. The following which are adapted from some of my previous work can be requested during the initial contact with the service provider:

1. Enquire about and request proof of training in the field of technical surveillance counter-measures. Request proof of training at recognised TSCM training organisations as well as certification on the equipment;

2. Enquire about their equipment. Attacks occur on various levels and contrary to many claims, there is no quick fix or any special black box or briefcase containing gadgets that can detect all eavesdropping devices. Look for equipment names such as Oscor Blue/Green spectrum analysers, ANDRE and WAM near field detectors, Kestrel SDR, TALAN Telephone and Line Analysers, Orion and SB Non-Linear Junction Detectors (NLJD), GSM and Wi-Fi detection equipment, thermal imagers and network tools. If you do not see these then they do not have the latest and most modern equipment available in South Africa to service providers.

3. Enquire about the prospective service provider’s survey procedure and checklist and verify that they follow an action plan.

4. Membership of Professional Associations. There are only three associations in the world that cater for and recognise TSCM professionals. They are the Espionage Research Institute International (ERII) (USA), TSCM Institute (TSCMi) (UK) and Business Espionage Countermeasures South Africa (BECSA) (RSA). BECSA has a dedicated portal for trained and qualified local TSCM practitioners. These associations will gladly confirm and verify the status of a prospective TSCM service provider.

5. Written technical report, analysis and recommendations. On completion of the survey a report should be submitted detailing the tests conducted and the findings of the survey. The report should include a record of the signals found and analysed (including GSM, Wi-Fi, Bluetooth and narrowband IoT), telephone measurements obtained (including analogue, digital and VoIP) as well as other electronic and energy signals detected and evaluated. Procedures on the actions that should be taken if an eavesdropping device is found have to be discussed before the commencement of the survey.

6. Certificate of Quality. The service provider should carry calibration certificates or a certificate of quality regarding the equipment that they use during a survey on your premises. This certificate issued by the manufacturer or its representative should state the following:

• That the equipment is of the latest generation software and version;

• It is in proper calibration and operating procedures as defined by the manufacturer’s specifications and factory standards; and

• Has been tested at the manufacturer or its authorised representative’s facility within the past twelve (12) to eighteen (18) months. This is necessary to prevent that your premises are checked with old and outdated equipment.

Conclusion

TSCM is an important function. To counter technical surveillance threats in the cyber world is not an easy task. TSCM has become much more complicated and requires a whole new approach and an array of appropriate equipment, training and lots of new experience. We have reached a point where prospective service providers who did not keep pace with all the changes will simply disappear.

The demand for professional TSCM surveys will continue to grow as the technical threats escalate and the gap between physical and IT security widens.

TSCM is about risk management. Failure to implement an appropriate TSCM programme could lead to a risk of operation, disruption, intellectual property loss, public embarrassment and reduced trust in an organisation’s ability to protect its information.

Share this article:

Further reading: