The US military recently shot down a large “spy balloon” that had traveled across North America. This came as a surprise to some. Shortly afterward they went on to find smaller “unidentified” aerial objects and shot those down as well, possibly destroying some school science projects in the process.

Why were these and previous similar threats not noticed? The Pentagon’s answer was that there was a “domain awareness gap”. That is their way of saying “we didn’t think it was important and we actually weren’t paying much attention”.

Gen. Glen VanHerck, the commander of USNORTHCOM and the North American Aerospace Defense Command (NORAD), told reporters, “It’s my responsibility to detect threats to North America. I will tell you that we did not detect those [previous] threats, and that’s a domain awareness gap that we have to figure out.”

[Read more: breakingdefense.com/2023/02/other-chinese-balloons-slipped-through-domain-awareness-gap-in-us-defenses-general/]

It seems they were focused on the more obvious military and intelligence concerns and ignored an area that quickly became a major international incident. Immediately following the incident with the giant spy balloon, the ensuing paranoia led to multiple $500,000 Sidewinder missiles being fired at what may well have been weather balloons.

When you first heard of the detection of the spy balloon, did you think “I’m glad this doesn’t affect my security department…”?

If so, you may be mistaken. There is clearly a “domain awareness gap” in information security as well. It is the role of TSCM, Technical Surveillance Countermeasures, to help fill that gap.

TSCM looks carefully and meticulously at the gaps in information security that exist between physical security, cyber security, and other areas.

A TSCM sweep is often requested AFTER an incident has occurred. At that point, the proverbial cat may be out of the bag. Information may already have been lost or intercepted, and it may be too late to prevent a large-scale incident.

Be Pro-Active

To provide proper security and avoid a domain awareness gap, TSCM inspections need to be scheduled on a regular, proactive basis rather than only in reaction to an incident.

The value of a proactive security sweep is significant. Once a proactive sweep is completed, a proficient TSCM team will report on many areas observed, including not just immediate threats but also vulnerabilities that could lead directly to an information loss or a breach of communications security. Those vulnerabilities exist whether or not anyone is exploiting them yet, and the first step is being aware of them.

Typical concerns we have come across:

  • an air vent that connects a confidential meeting room to a coffee break area.
  • an assistive listening system that broadcasts unencrypted analog audio from every meeting taking place.
  • confidential documents left unprotected in a box labeled “to be shredded”, or worse “confidential documents go here”, while cleaning crews work around the office after hours.
  • an office whiteboard, filled with financial data, facing another nearby building.
  • abandoned wires dangling from the ceiling that were once connected to the paging speakers throughout the office. Connecting an audio amplifier to those wires allowed listening in to every office on that floor.

None of these was malicious in origin, but each could easily be misused for eavesdropping and theft of confidential information.

Incident Response

The proactive security sweep also keeps the TSCM team, as well as the security department, prepared to respond to specific security incidents.

As an example, a major client of ours had a significant daytime burglary of their offices. The perpetrator tailgated his way around the building, stealing credit cards from various cubicles. The client reviewed CCTV footage and found he had also entered the CFO’s office, although nothing was taken from that office. The significant concern was that the credit card thefts may have been a cover for a more serious and sinister attempt to bug the financial offices. We were immediately called in to ensure that he had not planted any listening devices there. We had swept that office only a few weeks prior, so we had complete documentation of our recent findings: radio signals present, telecom device status, electrical receptacle conditions, and more. The recent proactive sweep allowed our response visit to be quicker and much more effective than if we had not been there previously.

There is also a significant deterrent factor. Employees and others need to understand that privacy and information security are a serious matter. Even though the exact dates and times of scheduled sweeps should remain confidential, the awareness that regular TSCM sweeps are performed is not necessarily a bad thing. Employees should realize that management takes the security of information and communications very seriously. That can help them develop a better awareness of information security.

“Unidentified Electronic Objects”

Sometimes suspicious devices or problems show up in between regular sweeps. Records from previous inspections make it much quicker to determine whether something found is actually a security concern.

A client found a small electronic circuit board with what appeared to be a microphone on it lying on the floor of a conference room. Understandably concerned, they sent us a photo of the item. Reviewing notes from a previous sweep, we were able to recognize the item as an ultrasonic sensor that was part of the room’s multimedia display system. There were a number of these circuits mounted in the ceiling of the room, and one of them had apparently fallen to the floor during recent maintenance of the system.

In another situation, a small radio device was found behind a potted plant in the executive hallway. It turned out to be a transmitter for an alert system for the executive dining room wait staff, but it caused concern when a staff member noticed it. We were able to assist with identification of the device since we were already aware of the system. It seems someone relocated the transmitter to provide better coverage.
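Both of the situations above, the post-burglary visit to the CFO’s office and the relocated wait-staff transmitter, come down to the same thing: comparing what is found now against what a previous sweep recorded. The following is an added illustration, not code from this article or from any TSCM firm, of how such sweep records can be kept and compared so that new, moved, and missing RF signals stand out immediately. Every record, location, frequency, modulation label and date in it is constructed for the example; the `Signal` and `SweepRecord` types, the 0.05 MHz matching tolerance, and the function names are my own assumptions.

```python
"""Compare a baseline TSCM sweep record against a later sweep.

Added illustration: every record, frequency, location and date below is
constructed for this example and does not describe a real site or sweep.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signal:
    """One RF emitter noted during a sweep (assumed record layout)."""
    freq_mhz: float
    modulation: str          # short label such as "WiFi", "DECT", "OOK"
    location: str
    identified_as: str = "unidentified"


@dataclass
class SweepRecord:
    date: str
    signals: List[Signal]


# Constructed baseline from a hypothetical proactive sweep.
BASELINE = SweepRecord(
    date="2023-01-20",
    signals=[
        Signal(2412.0, "WiFi", "CFO office", "corporate access point"),
        Signal(1922.5, "DECT", "CFO office", "desk phone base station"),
        Signal(433.92, "OOK", "executive dining room", "wait-staff alert transmitter"),
        Signal(2412.0, "WiFi", "conference room A", "corporate access point"),
        Signal(2437.0, "WiFi", "conference room A", "visitor access point"),
    ],
)

# Constructed follow-up sweep after a suspected intrusion.
CURRENT = SweepRecord(
    date="2023-03-02",
    signals=[
        Signal(2412.0, "WiFi", "CFO office"),
        Signal(1922.5, "DECT", "CFO office"),
        Signal(915.0, "FM", "CFO office"),             # not in the baseline
        Signal(433.92, "OOK", "executive hallway"),    # known emitter, new place
        Signal(2412.0, "WiFi", "conference room A"),   # visitor AP no longer seen
    ],
)


def _same_emitter(a: Signal, b: Signal, tol_mhz: float) -> bool:
    """Same modulation and same frequency within the measurement tolerance."""
    return a.modulation == b.modulation and abs(a.freq_mhz - b.freq_mhz) <= tol_mhz


def classify_signals(baseline: SweepRecord, current: SweepRecord,
                     tol_mhz: float = 0.05) -> Dict[str, list]:
    """Sort the current sweep into known / moved / new and report baseline
    entries that were not seen again as missing.

    'known'   - same emitter at the same location as in the baseline
    'moved'   - (current, previous) pairs: same emitter, different location
    'new'     - nothing in the baseline accounts for it; inspect first
    'missing' - baseline emitters no longer observed
    Each baseline entry is consumed at most once, so two emitters on one
    frequency are not both written off as the single one recorded before.
    """
    unseen = list(baseline.signals)
    result: Dict[str, list] = {"known": [], "moved": [], "new": [], "missing": []}
    for sig in current.signals:
        same_place = [b for b in unseen if _same_emitter(sig, b, tol_mhz) and b.location == sig.location]
        elsewhere = [b for b in unseen if _same_emitter(sig, b, tol_mhz) and b.location != sig.location]
        if same_place:
            unseen.remove(same_place[0])
            result["known"].append(sig)
        elif elsewhere:
            unseen.remove(elsewhere[0])
            result["moved"].append((sig, elsewhere[0]))
        else:
            result["new"].append(sig)
    result["missing"] = unseen
    return result


def response_report(baseline: SweepRecord, current: SweepRecord) -> List[str]:
    """Render the comparison in the order a response visit should work
    through it: new emitters first, then moved ones, then missing ones."""
    c = classify_signals(baseline, current)
    lines = [f"Baseline {baseline.date} vs sweep {current.date}"]
    for s in c["new"]:
        lines.append(f"NEW      {s.freq_mhz:9.3f} MHz {s.modulation:5} at {s.location}")
    for s, prev in c["moved"]:
        lines.append(f"MOVED    {s.freq_mhz:9.3f} MHz {s.modulation:5} at {s.location}, "
                     f"previously at {prev.location} ({prev.identified_as})")
    for s in c["missing"]:
        lines.append(f"MISSING  {s.freq_mhz:9.3f} MHz {s.modulation:5} at {s.location} ({s.identified_as})")
    lines.append(f"{len(c['known'])} signal(s) matched the baseline unchanged")
    return lines


if __name__ == "__main__":
    print("\n".join(response_report(BASELINE, CURRENT)))
```

Run as-is, the report lists the 915 MHz FM emitter in the CFO office as NEW (the one thing that needs hands-on attention), the 433.92 MHz transmitter as MOVED from the dining room to the hallway, and the visitor access point as MISSING; without the baseline, all four signals in the CFO office would have had to be traced from scratch.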

Trade secret protection

An important issue often overlooked is that of trade secret protection. This may have serious legal implications. For information to be considered a trade secret, it must meet certain criteria. One of the requirements is that to claim trade secret status, you must be able to demonstrate that reasonable security measures have been taken to protect that information. Trade secret theft is a very serious crime and is prosecuted very differently than mere mishandling of information. If someone is discovered leaking information that they gained by eavesdropping, they cannot be prosecuted for trade secret theft unless you are able to prove that appropriate security procedures were in place. Regular, documented TSCM sweeps are one way to demonstrate that the security measures needed to establish trade secret status were actually taken.

Budget

Everyone can generally agree that privacy is important. But for many in the corporate world, it can be challenging to articulate why money should be allocated to protect privacy in other than basic, commonly understood areas.

In today’s corporate arena, cyber security is recognized as one area that certainly needs funding. Physical security as well needs to keep access control, alarms, and camera systems up to date.

But could something be missing? There are significant areas that are not part of the cyber or the physical security domain.

Often we hear “Our budget is tight, so we won’t be scheduling any regular sweeps at this time. Maybe we can get it in the budget for next year…”

Consider how often you go to the doctor or dentist for a checkup. You should not wait until you have a serious pain or injury; you should be having regular checkups whether you feel ill or not. If you are a competitive athlete, or perhaps in a higher health-risk category, then you would certainly be seeing your doctor more frequently.

The same applies in the corporate world. Any of the following puts your company in a higher risk category:

  • you have a valuable brand or handle valuable information (or your clients are in a high risk category, and you handle their information).
  • special circumstances such as mergers, acquisitions, or leadership changes are coming up.
  • you have recognized adversaries who would want to know your plans.
  • you have employees or executives who may be planning a departure, perhaps to join a competitor.

Conclusion

Scheduling regular TSCM inspections of high risk areas, offices, and conference rooms should be standard security protocol. Overlooking TSCM creates a domain awareness gap that can allow corporate espionage, loss of information, and other incidents to occur. These can become major problems and major expenses to deal with later. It is far better to catch and prevent them ahead of time.

TSCM should be an essential part of planning for every year. How often you schedule sweeps may depend on the level of threat and the level of confidentiality needed, but it should not be ignored. Postponing TSCM means leaving unexamined the very areas where espionage threats are most likely, and that may come back to bite you later. The C-suite, legal department, and corporate boards should be welcoming, and even insisting on, the relatively small expense of professional TSCM inspections. Don’t allow a domain awareness gap to exist in your information security protocols.