In an era of increased awareness of the need for information security, an often neglected area is the information contained in meetings or conversations, particularly in cases of tenders, mergers or restructuring meetings. New technologies are arising such as secure teleconferencing facilities specifically to cater to this need - however the missing piece to the puzzle is the security both in the office and home to electronic surveillance, or eavesdropping.
Many security professionals know of the insecurity of GSM and fixed-line telephone infrastructure, and the possibility that their conversations can be monitored by external parties - however with the advent of cryptographic telephones and encrypted VoIP, it can potentially be easier to put a covert listening device on a targets premises than intercept their calls. This form of surveillance is commonly known as 'bugging', and the best defence is use of specific Technical Surveillance Counter-Measures, or TSCM.
TSCM is the professional use of counter-intelligence equipment and tactics to prevent the introduction or continued use of covert surveillance devices or the use of existing equipment, wiring or fixtures to obtain access to sensitive audio or video.
Once dismissed as needing the resources of a government to develop and use, 'bugs' are now cheap, and can be easily procured over the internet, avoiding strict import/export laws, and putting sometimes extremely sophisticated technology in the hands of 'average' consumers. A device worth just $80 purchased on the internet could operate on its internal power supply for days if using batteries, and indefinitely when running from an external source.
TSCM is a complex field - very few companies advertising their ability to find 'bugs', have sufficiently capable training and equipment, leaving their clients with a false sense of security. As such, corporations are in a difficult position: They could use existing in-house staff with basic equipment to perhaps 'get lucky' and find a device, or they could find a professional TSCM team to conduct a thorough inspection for greater peace of mind.
However, an inspection is similar to a network penetration test in that it must be backed with increased awareness within the business itself to be effective. Otherwise the discovery of a surveillance device could lead to ineffective security procedures such as using a different office extension for sensitive calls, or using a mobile instead of a landline.
Instead, in today's environment what is needed is a competent person within an organisation (we call them "TSCM first responders") with knowledge of the buildings layout and facilities to act as initial point of contact and providers of awareness for TSCM activities. Due to the issues involved these persons are best suited to persons from the IT Security department or similar area of responsibility.
In further articles we will provide an introduction for security professionals to the sort of information needed for TSCM first responders, including the various methods of electronic surveillance, technologies used, typical methods of deployment and what to do if you suspect electronic surveillance.
Les Goldsmith is a TSCM Specialist and director of ESD Australia, a counter-intelligence service provider to government and corporate clients throughout the Asia-Pacific region.