Technical surveillance counter-measures, or TSCM, as the term is almost always abbreviated, is still a rather misunderstood outlier in the worlds of executive protection and enterprise risk management.
For starters, unless they’re Five Eyes alumni, few people understand what the heck the TSCM acronym even stands for. Once you fill in the blanks and tell them we’re talking about technical surveillance counter-measures, most folks are only more confused. If you start giving some practical examples of some of the things that TSCM experts actually do, the confusion lifts (or moves to a higher level) and they say “Ahh, I get it. Bug sweeping!”
Well, yes: Bug sweeping is an important part of TSCM. But, no: proper TSCM is about much more than bug sweeping. Pigeonholing good TSCM practitioners as bug sweepers is a little like framing executive protection as bodyguarding: while semantically in the same ballpark, the connotations carry a lot of baggage that gets in the way of understanding. The AS Solution blog has, since we started it, tried to clear up some of those misunderstandings about executive protection. In this blog, we’d like to resolve some misconceptions about TSCM that we often run into, and, perhaps more importantly, call attention to why we think TSCM should play a bigger role in enterprise security risk management in general and executive protection in particular.
So, what is TSCM, anyway?
Put simply, technical surveillance counter-measures are meant to discover and stop the eavesdropping efforts of inquisitive bad guys by using a range of tools and processes. Organizations deploy TSCM and associated services against covert surveillance and other types of espionage and information loss.
TSCM audits and associated services address all kinds of audio and video surveillance, from electronic (e.g., listening devices and cameras) to software (e.g., data loss) and human social engineering (e.g., following people and eliciting information from them), using a range of technical and procedural tools.
TSCM goes beyond simple “bug sweeping”: it must take place in close cooperation with the client and requires the active participation of decision makers within the client organization. Companies must review areas of their business where privacy and confidentiality are paramount and where unauthorized surveillance could contribute to considerable financial or reputational damage. The risk profile of these areas will dictate the level and frequency for TSCM and associated services and the implementation of mitigating solutions. Regular reviews of these areas should be undertaken and the programs protecting them adjusted accordingly. Only once a decent understanding of relevant risks has been established, and only with the right support from TSCM experts, should a framework of TSCM policies and procedures be designed and agreed on.
Ensuring a dynamic policy that covers all areas associated with TSCM is important for operational readiness. This also involves working with and training parts of the client organization, for example through scenario training, crisis management, containment strategies, and emergency call out procedures. All of the above and more must be set up and regularly reviewed to keep pace with evolving threats and to enable the company to make informed decisions regarding acceptable risk levels.
As in so many other areas of security, while technology matters, people and how they act matter even more. Promoting awareness throughout relevant parts of the organization regarding the risks of economic espionage and the techniques used (even if these awareness-raising activities aren’t necessarily “technical”) is one of the most effective methods to combat the loss of confidential information.
Why should executive protection and enterprise security risk managers care about counter surveillance, technical or otherwise?
Because the kinds of surveillance bad guys engage in can lead to bad things and are precursors to bad deeds. At the very least, covert surveillance constitutes a terrible invasion of privacy. But physical attacks, reputational damage, competitive end-runs, and financial losses all can and do start with surveillance of the victim, too. Such surveillance thus represents a credible and serious threat to people, organizations, profits, and brands. That’s why some of the most comprehensive executive protection, physical security, and event risk mitigation programs include human surveillance counter-measures: people watching out for other people who are observing the principal, the principal’s family, the event venue, the HQ entrance or whatever else to discover vulnerabilities. That’s why some of these programs also include technical surveillance counter-measures.
TSCM, when done well – and when an integrated element of overall personal or enterprise risk mitigation – deploys technical counter surveillance to discover other kinds of threats and then stop them. Yes, this includes finding the electronic bug behind the painting in the boardroom and destroying it (or feeding it false information, or putting our surveillance on it, to see who collects it, or…). But it also includes looking into the vulnerabilities that allowed whoever it was that planted and used the bug to do so in the first place. How could that happen? What could be done to prevent such threats, and plug up the organization’s exposure to them? Asking these questions – and developing answers to them – are key elements of risk mitigation through TSCM audits.
This is where the Chief Risk Officer, executive protection practitioners, and TSCM experts should all start and continue their conversations: Ultimately, understanding the threats of ill-intentioned surveillance and the principal’s or organization’s vulnerabilities to them enables decision makers to discover, evaluate, and mitigate risk. And what organization doesn’t want to do that? Umm…
What kinds of threats do TSCM experts actually discover and thwart?
Most people who work with risk mitigation will nod at the above in dutiful if bored agreement (if they haven’t nodded off already). Where things get interesting for a lot of folks is when the spy comes in from the cold and the gizmos come out of the bag.
There are, of course, a lot of “wow” stories about bugs, starting with “The Thing” from the early days of the Cold War to DARPA-funded cyborg bugs (yes, that kind of bug) to new worries about the IoT or using something as ubiquitous as Apple AirPods and an iPhone to eavesdrop on conversations. These are all real-world examples of the kind of Spy vs. Spy technological arms race that, depending on your perspective, can seem either silly or serious but are often entertaining.
In our real world, where we carry out TSCM for a number of organizations all over the globe, we also run into some pretty strange things. You haven’t read about any of this because that’s the way it’s supposed to be (part of a good TSCM strategy is containment – we’ll get to that later), and the examples below are, of course, mashed-up and anonymized. We include them here to underscore the fact that this is not just the stuff of spy novels and gadget lust. Every day, there are bad guys out there deploying simple means as well as cutting-edge tech to conduct surveillance of corporations and high net worth individuals. Here are just a few examples:
- A covert audio listening device, using cellular technology, was discovered behind a painting in the boardroom of an international financial institution. Investigation showed the battery could have lasted for over 48 hours of active eavesdropping and for weeks on standby.
- A software company reported that multiple staff members had been approached outside the working environment and asked a similar range of seemingly innocuous questions. After the company implemented a hotline for concerns about this type of attack, the links between these questions and their new product were discovered.
- A TSCM inspection team happened to be in the building on the day the CEO of a financial company received a gift in a cardboard box. The box, found in the CEO’s deskside trashcan, contained a hidden RF listening device.
- An international data center discovered a 4G modem connected directly into the back of several servers. Only a cyber TSCM inspection with 4G detection equipment could discover this particular attack. Real-time cellular, Wi-Fi & Bluetooth detection and location equipment has since been installed.
- An executive at a large international M&A company was found to be using an iPhone charger that contained a cellular listening device. This simple attack was carried out by swapping the original charger with the bugged one, and the device charged up every time the target used it.
- An unauthorized vehicle-tracking device was detected within the engine bay of a senior executive’s chauffeured vehicle.
- A TSCM sweep at a hotel/conference center regularly used by international companies for board meetings revealed GSM listening devices built into power outlets in meeting rooms.
Beyond all the interesting ways bad guys conduct technical surveillance remains the unhappy fact that these methods yield successful results. Breaches of fiduciary responsibility enabled by poor protection of sensitive and confidential information can cost dearly. Corporate brands valued in the billions can take hits that eliminate shareholder equity very concretely and very negatively. Personal reputations can suffer enormously.
Why do organizations fail to include effective TSCM in their risk management strategies?
Like executive protection, TSCM is not for everyone. Deployment of both should always be based on a clear-eyed evaluation of the probability and likely impact of discernible risks. Hard questions about costs, benefits, and value add should always be asked. Prior to procurement decisions, methods and processes must be reviewed and compared critically by people who can distinguish between packaging and product.
With that said, we believe TSCM is relevant for far more organizations than are currently utilizing it. We have no statistical evidence for this estimate, but based on our combined experience, our best bet is that few of the organizations that should have TSCM policies actually have anything that we would consider prudent.
We’re not thinking about small and medium-sized companies here, although TSCM could very well be quite relevant for some of these, too. We’re talking about listed corporations that file 10-K forms disclosing risk every quarter, that spend a lot on all kinds of security, that have more than a few people working full-time on risk management and governance, and that contribute a good share of the estimated USD 124 billion spent on IT security annually.
Why aren’t companies using TSCM as much as they could and probably should? Part of the problem is awareness of what TSCM is and understanding of what constitutes best practices. It’s not a concept that’s on every CSO’s mind, and truth be told, those of us who provide TSCM services have not been very good at explaining what it is or what its potential benefits are. For a variety of reasons, victims of hostile technical surveillance rarely make public the fact that they have been compromised or lost valuable information.
Another reason is that responsibility for TSCM easily falls between two or (many) more chairs in most organizations. There are a lot of possible stakeholders. There’s not always any obvious owner. Those who could be impacted by events that TSCM could have prevented or should have a say in how and where TSCM should be handled are many and varied. The partial list includes facilities, security, IT, executive protection, risk and compliance, R & D, marketing, sales, the board and the C-suite, legal, finance…the list could go on. Whereas executive protection is clearly focused on one or a few principals, potential beneficiaries of TSCM are all over the org chart. This is basically wherever super-sensitive information (on quarterly earnings, new products, legal proceedings, mergers and acquisitions, someone’s opinion of someone else – you name it) whose divulgence could be harmful is being discussed, sketched on a whiteboard, documented, or stored. That’s potentially a lot of places and contexts. TSCM will definitely be relevant in many a corporate headquarters, but might also be pertinent at a tradeshow, the offsite resort where the board meets, the CEO’s car, living room… You get the picture. The problem is that no one person in the corporation can be expected to get the entire TSCM picture.
Finally, another reason effective TSCM remains elusive for most corporations is that TSCM is a niche expertise that depends on skills that are just not that common. Not only does the TSCM provider have to know how to navigate the ever-changing corporate ecosystems of vulnerability and stakeholder interests. Just as importantly, TSCM providers need near-constant refreshment of some admittedly very nerdy technical skills. Even if a procurement department does get tasked with finding a TSCM vendor, it’s no simple job to evaluate how TSCM “experts” do their thing. There is no certification, no industry oversight, no way for non-experts to distinguish between good TSCM and the more theatrical varieties that unfortunately pass in many circumstances. For one thing, although there are providers in a number of countries, regions, and cities, there are not a lot of them. For another, it might appear that an ex-LEO or even Five Eyes expert knows his or her stuff, but the technology the bad guys have access to is ever evolving – just as it is for the good guys. Doing a bug sweep with gear that was cutting edge 15 or even five years ago might well reveal some nasty surprises. Then again, it might not. And that’s a problem.
If you think TSCM is hard now, just wait until 5G rolls out
Another predictable problem is TSCM and 5G. The fifth generation of wireless networks bumps what’s possible to do with mobile phones into quite another league. The volume of data that can be transferred is taking a quantum leap: transfers way faster than 4G, at 100 gigabits a second, will soon be possible all over the place. Communication will be near instantaneous, with latency down to one or two milliseconds. The big carriers and phone producers are jostling for position. Consumers worldwide are ready. Cloud providers are licking their chops. Gamers can’t wait. And security risks will abound – including for TSCM.
This is not just about Huawei and national security or politics, although that’s also a very interesting can of worms. It’s also about TSCM experts keeping up with the bad guys in the never-ending technological arms race we referred to above. Have you talked to your TSCM provider lately? Are they ready for 5G?
We hope to follow up this blog with a few more where we dig further into how corporations can establish good TSCM strategies and make better TSCM decisions. Until then, ping us on social media or shoot us a mail with any questions or comments.