What does TSCM mean? Technical Surveillance Countermeasures, and that's a term used by the government. It's used by professionals, people that you may contract out and also in-house.
Corporate executives normally think of the terms counter surveillance, technical security, technical counterintelligence. Basically the question is: is information getting out? And that's basically what we're talking about with all of these terms.
The first thing that we want to define is why counter surveillance. There are a lot of different reasons. In government circles, law enforcement circles, they often don't understand why there is a need for counter surveillance in the civil or business world. Walking around the show today I found something that really addresses the issues quite well. This is a post that I actually borrowed off of a booth from a company called Technical Intelligence Group, and it basically says that without its trade secrets the nation will die. The bottom line is the most valuable thing really in this country is our economy and our trade secrets, our new product developments, our new automobiles, our new cameras, our new everything: computers, technology. Technology is what drives this country and what drives our economy. So any organization can look at specific things like our country protecting military secrets, sensitive information. There are a million instances, but the basic thing is how do you protect that sensitive information.
Before I put this chart up let me tell a quick story. This is actually a true story; of course the names are changed to protect the innocent. I like the story, it spells out the problem. Basically there was a company, I'll call it XYZ Company. They were the number 1 manufacturer in the world for their particular widget, and about 3 years ago a private investigator came to our company and said, can you help us out? We've been contracted to do a sweep by this XYZ Company. The private investigator said, "They want us to do a sweep for them. We told them we could not do a sweep, we don't know how to do a sweep, we don't have any equipment. Please sell us the equipment, teach us how to do it and help us do the sweep." Well, we did the best we could, and to be honest with you they actually did the very best job they could. They went and they did the sweep. They didn't find any bugging devices, but when the sweep was over they were going to submit a report back to the company, and it was one little sheet and it said no electronic surveillance devices were found. We looked at it before they sent it to the company and we said, wait just a minute, you cannot give that to this company, because when you went into the sweep what else did you observe? When they went in, basically they found that in the parking lot there was a gate access but you needed nothing to get into the gate. They had a reception area, they had badge access control, but they didn't check IDs. Basically you say, I'm John Doe, I'm here to look at the computer network, and the receptionist would give you a tag and show you where the network server was. It went on and on. There were security procedures throughout the company that were broken. Because of all these broken company procedures there was really no point in actually doing a sweep.
Normally when you think of surveillance countermeasures or TSCM you think of the real technical part of it: spectrum analyzers, non-linear junction detectors. But really there's no point in doing that if you don't do all the other aspects of security correctly.
Information Loss – There are two types of information loss. One we call a suspected loss and one we call the confirmed loss. A suspected loss is basically based on your own paranoia, your suspicion: suspicion of CEOs, vice-presidents, and management, whatever the case may be. The other one is confirmed loss, the fact that you know another company has stolen your trade secrets, your widget, your marketing idea, your financial information, maybe your VIP sensitive information. They've stolen that information and it's obvious. The big difference in looking at suspected losses and confirmed losses is that in a suspected loss it may not be too late. It's not necessarily too late at that point to start implementing some countermeasures to protect your sensitive information. If it's a confirmed loss, it is too late by definition. That information is out, it's already causing your company, your VIP, whoever, serious problems, and it can be a very large financial problem.

Another thing that is important to realize too is that everyone always asks (we do quite a few seminars) and they say, what are the statistics on information that's lost in this country? What's the dollar value on it? ASIS actually probably has one of the best reports out. They do it about every year or two. I don't brief that because it is available, but I do recommend it. Two years ago in 1997 they estimated that $250 billion was lost annually due to loss of sensitive information. The report in 1999 estimated only $50 billion. I don't think that there was a big drop, because they actually also concluded that it was on the rise. The problem is that it's not reported. Companies don't have procedures for reporting this information loss. Even if they had those procedures, they don't use those procedures. The main reason is it affects stock prices. If it gets out that your business or your organization is losing sensitive information, that information is being stolen, it can have dramatic effects on the financial stability of your company. So it's closely held, it's protected, and there is not good information. I don't have good statistics for you. But the writing can be on the wall. The more valuable the piece of information, the greater the length that somebody's going to go to try and steal that information.
Technical Inspection versus Technical Security Evaluation. A technical inspection is usually what occurs when you think you've been bugged, you think somebody has watched you with a video camera, and so immediately as a reactive response you have a sweep done: you contract a sweep team, you buy your own equipment. The other issue, again, these are our own definitions. I apologize if you use these terms in other ways in your organizations. I'm just trying to define it for the purpose of my presentation. But what we call a technical security evaluation is something that you do proactively. It's something where you look at your entire organization. You look at the whole ball of wax and see how you are protecting your sensitive information.
Technical inspections are typically internally focused and they're based on a believed or identified threat. In other words, you think somebody has videotaped me. A perfect example is a CEO or vice-president thinks his secretary has bugged him because she always knows everything that's going on. Well, they always know what's going on anyway, and half the time what you realize is that if you sit at the secretary's desk and you send someone to sit at the CEO or vice-president's desk and talk, maybe because of the air vents you can simply hear what's going on. Maybe there's no magic to it, it's just that the building or that situation allows that secretary to hear everything that's going on. These types of inspections typically look at one room, a very narrow concern, and that may not be where the problem is at all. In this case you inspect what you believe to be the source of the information loss when in reality the information loss may be in a totally different area. In the case of this company XYZ the situation was not that they were being bugged; it was that basically information could walk out of that place every day and no one really knew it.

Incidentally, to finish that story, it was kind of interesting. A very thorough report was written, it went to the organization, all the way up the chain of command to the CEO, came all the way back down, and the response from that corporate organization was: but we spent money on badge access control, we spent money on video cameras, we spent money on locked filing cabinets, we spent money on paper shredders. And all those things were not being implemented properly. So they still missed the boat in that situation even though the technical security professionals, albeit a PI firm, did the very best job that they possibly could, given the situation. The problem at that point, in our opinion, was basically that the corporation was not recognizing the big picture of the problem.
A technical security evaluation, basically we have broken it down into 6 areas. The first area is a threat evaluation. This is probably the most important aspect of it. If you do the threat evaluation, it really drives your evaluation of all these other areas of security. So then we look at personnel security; information security, how is the information stored; physical security, the layout of your building, can people come into your building; acoustic leakage; and electronic leakage. The last two, acoustic leakage and electronic leakage, are the areas of security that most professional sweep people get into. So our goal here is to basically develop a layered approach to protecting your information security in these 6 areas.
Threat Evaluation is usually the most extensive process, and it is important to sit down, write these things down, give yourself an outline, a game plan, talk to your executives, talk to the company professionals, if necessary talk to the engineers. Figure out what it is you're trying to protect. Why should you defend it? Is it a new product that you're developing for next year? Who's the opposition or competition? What do we have that they want or need? When do they need it? Is it a time critical asset? Do you need to take that particular piece of information and put a time stamp on it and say a year from now it's not going to matter? So we've got to protect it for at least that long and then move it into some other aspect of the system. And where is it obtainable in our building? How can it be leaked out?
Threat evaluation, why – every organization needs to evaluate why for their own particular organization. It's not something that an outside security professional can actually do easily for you. Usually the security director in a particular company or organization understands their security needs better than outside help. It's so often, I think, that this is something that really has to be done by the security director in the company itself.
Who you need to consider: who is your major opposition, who are your suppliers, who has access to the building plans. It's not just who's in competition, but it's who in your building could possibly be a threat that you're unaware of. Does the janitor take out the trash of the sensitive information? Who has access to the computer network? One of my favorite biggest concerns is the telephone system. Everyone always comes to us and says we need some equipment because we think our telephone system is tapped. You start asking them questions about the telephone system and you realize that they have a large company, a large organization, and the telephone system has a central PBX or KSU; it's basically a computer now that is the switch, and all the lines are controlled by that one switch. They want their lines checked to see if they're tapped, but one of the first things you learn is that the room that contains the PBX is not secure. If you can have access to a telephone system, PBX or the control or the switch, you can rule the world. You can do anything in that building that you want to do. You can basically use the built-in microphone or speaker phone and basically bug any room in that building without ever going there, or place a tap on the line without doing anything, just using the software to control the system.
What is the information you are trying to protect? What are the critical elements about that information? Determine the monetary value of protecting that information. If you lose the marketing plans for next year to your competitor and that competitor adopts that marketing strategy, how much is that going to cost your company? How many jobs is it going to cost? And in the situation of XYZ, about six months after that sweep occurred, the company had worldwide layoffs in the thousands and they are no longer the number 1 widget maker in the world for their particular product.
So what is it you're protecting – sensitive information, research and development, proprietary or classified information, special operations, financial statements. It could be personal information about the executive, could be VIP protection, could be where the grandchildren of the CEO are going to be, to keep them from being kidnapped.
When is the information most vulnerable? When is the information available? When do personnel have access to that information? How is the scheduling of meetings handled? Does everyone in the company know exactly when a board meeting is going to be? Do they know when your VIPs are going to be at certain locations?
Where is it all stored? Is it on floppy disk, is it on computers, is it on servers, is it on hard drives? Are your employees able to take that information home with them on their laptop? Do you have a situation similar to what they had in Los Alamos, where they lost hard drives for a period of time? All of that trade secret information is important to your company, and it should be as important to your company as, for example, the national security information that was on those hard drives that were lost in Los Alamos.
Physical Security – do you have locks and controls, do you have perimeter alarms, do you have perimeter surveillance? All of this is a part of protecting your sensitive information.
Acoustic Security Evaluation – you need to look at your building and figure out how audio leaks out of your building. It leaks out through the ductwork, and this room, even if it's high, we have acoustic tile. Acoustic tile allows sound to pass up through the tile while not giving very much reflection. That means just above that tile is a fantastic place to bug this room. If you can get access to it you can plant a bug up there. It's very difficult to get up there. But maybe if I have access to the adjoining room, the walls here don't go all the way above the ceiling, and if I can get access even maybe a couple of rooms over, if I've got a good throwing arm and a bug, I can pitch it over here, I can drop it right on that ceiling tile. I can bug this room without ever coming here. So you need to know what the physical security features of your room are. Can you control those walls, can you prevent people from having access to the perimeter? Can you prevent people from having access to that wall, that wall and that wall?
Acoustic leakage is something we call structure-borne audio. In this room I'm speaking, everything in this room that can vibrate with the sound of my voice will. So look at these walls; they're all paneled walls and yes, they have some carpet on them. But that wall is vibrating with the sound of my voice. If I put a contact microphone on that wall it's going to pick up the audio in here fantastically. It's going to sound really good. You can channel audio down ductwork.
Personnel Security Evaluation – Do you have background checks? Do you have operational personnel that are hired from outside? Do you have support personnel that come in? The company I talked about, XYZ, they had a phone room that protected their telephone communications, and they had an outside contractor that had access to that room, and they did not know how many keys were out for that particular room. So an outside company had access to their entire phone system.
Information Security Evaluation – How is sensitive information stored and distinguished? The government has a very formal system. You've got confidential, secret, top secret, all forms of classified information protection. It's a good idea to do that in a business. It can be quite cumbersome, it can create a lot of bureaucracy, it can also create a lot of flak from the executives because it becomes a nuisance. Security is often a nuisance in protecting sensitive information. But I don't know how to solve that problem for you as