It is often
thought that only governments are subjected to espionage. The exploits of
the CIA, KGB and other intelligence services are well known to readers and
movie goers around the world. Who hasn't seen a James Bond movie that
portrays the exploits of a spy's life as exciting and full of danger and
beautiful women. The armoury of electronic gadgets includes listening
devices no larger than a pin head that are capable of transmitting studio
quality conversations half way across the world. Fortunately this is not
quite the case in real life.
What is not widely publicized, is that commercial espionage is conducted
on a much larger scale than strategic espionage. Even government agencies
have been increasingly active in this area, since the apparent decrease in
the requirement for strategic espionage since the decline of the Cold war.
The vast resources of giants like the CIA and KGB have been unleashed upon
international commercial interests, where such activity is in the interests
of the state. Whilst the cost of wheat may not seem to be a secret that
requires the attention of James Bond, when one considers the monies,
involved in a world wide contract for the supply of wheat, I am sure that a
couple of martinis, stirred not shaken, and a fancy car, would be worth it.
The truth, of course, is not so fascinating. Like most public servants,
"secret agents" are subjected to the same frustration. Budgetary
restrictions and politics quite often restrict the activities of government
agents. On the other hand, commercial spies do not have as many
restrictions. When the existence or expansion of a multinational company is
threatened by an opponent, all stops will be pulled out to acquire
information to remove that threat. Thanks to the movies, a large number of
executives really believe in the "gadgets", and do not understand, or
appreciate the cost, time, and resources, required to gather the
Similarly, because of this belief in gadgets, the executive expects the
Countermeasures Officer to be similarly equipped with hi-tech devices that
will ferret out any attempt by the opposition to gather intelligence. This
equipment should allow for the inspection to be conducted at a time that is
convenient for the client rather than at a more effective time. It is rare,
that a Countermeasures Officer will be given the mandate to conduct the
required level of inspection. Unfortunately this usually results in a poor
inspection and a false sense of security. This is just as prevalent in
government circles as in the commercial world
1.2 What are they?
Countermeasures is a vague term and in my opinion an incorrect description
of the types of inspection required for a counter espionage operation.
However, it is far better than that other more often used term "De-Bugging".
I have been mistaken for the "Flick Man" on more than one occasion and the
term "Sweeper" seems to conjure up the image of a well dressed cleaner.
Electronic Countermeasures, or ECM for short, are those measures taken by
a security officer to detect and locate illicit intelligence gathering
devices. Intelligence gathering devices are not confined to listening
devices ("bugs") but include video, data, and other esoteric systems. To
detect such a wide variety of methods, electronic espionage requires more
than a black box with pretty lights and fantastic noises. It requires
knowledge, experience and, of course, the right equipment.
Electronic Countermeasures Inspections consist of:-
- Physical Searches
- Electronic Scanning of the RF Spectrum
- Electronic Scanning of Furniture and Fittings
- X-Ray and Thermal Imaging of Walls etc.
- Inspection and Testing of Communications Systems
- Inspection and Testing of Computer Systems
And a range of other specialist test procedures
1.3 Where do we get them?A number of
government agencies have their own Countermeasures Teams and some provide
services to other departments. Private individuals and companies do not
normally have access to these services and there have been occasions where
government departments have employed private firms to provide Countermeasure
1.3.1 Government Agencies
In-House Security Services
Some of our larger
institutions provide in-house security services and this can work very well
compared to out-sourcing. Security officers that are always on site have a
more intimate knowledge of the area and the behind the scenes' activities
that occur in such establishments. One of the problems that can occur in
such instances is that the security officer is not normally chosen for his
countermeasures' capabilities. Such appointments are normally made on his
ability as a security guard or as a private detective. It is rare that a
security guard will jeopardize his career by telling the Managing Director
that he has to pull his socks up and stop leaving, sensitive material all
over the desk. When this information comes from an outside consultant who
has been paid money for his advice, the pill is somewhat sweeter to swallow.
It is a lot easier to not re-engage a consultant than it is to sack an
employee for doing his job. If the security officer is not given the
opportunity to expand his knowledge and purchase the necessary equipment,
then the company could suffer from a false sense of security.
Large Security Firms
Most large security
firms can supply Countermeasure Services to their clients. In most cases,
the Countermeasures Officer is sourced from security consultancy firms
specializing in this form of service. Some large companies do have their own
capabilities, however, this is normally aimed at the less sophisticated end
of the market.
consultants specializing in Electronic Countermeasures are the main source
of Countermeasures Officers. These consultancy firms can be located by
perusing the phone book or other business advertising material. It is
strongly recommended that before you engage a firm, a cheek should be made
to ascertain the credibility of the firm. Most good security consultancy
firms advertise by word of mouth and personal recommendation.
1.3.5 Private Investigators
Investigators, like the large security companies, generally out-source their
Electronic Countermeasures Services, very few Private Investigators have the
expertise to conduct Electronic Countermeasures themselves.
1.4 Why do we need them ?
The main aim, of
any security measure, is to protect our assets. Electronic Countermeasures
are no different in this respect. Rather than protecting against physical
theft, Electronic Countermeasures inspections are designed to detect data
theft by covert means. The techniques used to conduct this theft are varied
and some will be discussed later. Whilst most companies prefer to keep the
fact that they have Electronic Countermeasures inspections conducted on a
regular basis, it could be argued, that it should be considered as a
deterrent to would-be eavesdroppers. You do not try to hide the fact that
you have locks or an alarm system guarding your valuables. In recent months
there has been an apparent increase in "bugging" operations being conducted
in the country's boardrooms. Whilst this is good for business it should
still be seen as an increase in the crime rate and, therefore, abhorred.
Whilst you may read about the occasional "bugging" in the papers, these are
only the tip of the iceberg. Most companies are reluctant to advertise that
they have suffered a data loss, as it may affect their business.
2.1 Identifying Risk
Risk analysis, is
arguably one of the most important parts to any Electronic Countermeasures
inspections. Without a properly conducted risk analysis, the Electronic
Countermeasures Officer is basically flying blind. Many firms engage an
Electronic Countermeasures Officer to "sweep" the office, and in many
situations, this c 4 office" may include numerous floors within a
multi-story building. It is doubtful, that the Managing Director really
meant for the "sweep" to include the mail room, stationary closet, etc.
Unscrupulous Electronic Countermeasures Officers will, of course, "inspect"
these areas, thus either increasing the amount of time taken, and therefore
the cost, or providing a less effective coverage of those areas that are at
real risk. At the initial interview the firm should discuss their reason for
requesting the inspection and attempt to identify particular high areas.
This will enable an Electronic Countermeasures Officer to formulate a
strategy that will provide the most effective inspection.
Material items are usually the first things that one thinks of when
investigating the need for security. A company normally employs the services
of a security firm to identify access points and provide security at those
points to prevent unauthorized access. Most good security firms accomplish
this task effectively and everybody is happy, for a time. Experience shows,
that with time, all security systems tend to become less effective due to
mismanagement, by both the security firm and the client. A good
Countermeasures inspection, should attempt to identify weaknesses in the
clients physical security. To place a listening device within the target
area, one has to be able to access that area. It is rather pointless to
conduct an Electronic Countermeasures inspection of an area, that does not
have sufficient physical security.
Company secrets, include any information that may cause loss or
embarrassment, should it fall into the wrong hands. Financial records,
company strategies, board meeting papers, share restructures, patents, etc.
The list goes on and on. All this information is normally available in a
number of formats, ranging from conversational to electronic data to paper
records, To obtain it the "spy" has a various avenues open to him.
To assist the Countermeasures Officer it would be useful if plans of the
premises and other such. relevant information were made available to him,
prior to the inspection. Interviews with personnel, that may have useful
information regarding the communications and computer systems, should also
be arranged at this time.
2.2 Methods of Intelligence
many ways of gathering intelligence about a target. Not all methods utilize
the more shadowy aspects of espionage. It is astounding the amount of data
that can be obtained from legal databases such as the Australian Securities
Commission, Electoral Rolls, etc.
Non-Invasive techniques of sorting through the paper re-cycling bin or
even sitting next to a group of employees at the pub, can gain an alert
"spy" a great deal of useful information.
Befriending an employee and "pumping" them for information, is a
technique used frequently by unscrupulous "agents". Once an employee has
provided sensitive information, blackmail techniques can be applied to gain
more information or even physical access to the premises. Of course, we
should not forget the oldest method of all, "money".
eavesdropping is usually tried as a last resort by professional agencies.
The amount of time and resources required to stage even a modest
eavesdropping attack is considerable. Electronic. eavesdropping is favoured
by those agencies who do not have the resources, or the experience, to apply
those human techniques mentioned earlier.
These agencies are usually not very experienced in the advanced
electronic eavesdropping techniques either.
Electronic eavesdropping methods can be divided into a number of
- Radio Frequency
- Optical Non-Access
are, by my definition, those techniques that use dedicated wires and
microphones to carry the data away from the target area. They can also be
comprised of a hidden tape recorder within the target area. Physical
searching is, in my opinion, the only method that will provide a reasonable
chance of success against this form of attack.
184.108.40.206 Radio Frequency
This method is used
extensively and in many different forms. The only common attribute is that
the devices all transmit a radio frequency signal of some type. If, active
at the time of inspection, and if, the Countermeasures Officer is using the
appropriate equipment, and if, he has the necessary level of expertise, then
he may detect these devices. 1 know that there seems to be an awfully large
number of "ifs", but nobody said that this job was easy.
Carrier devices are
a form of radio frequency transmitter but are usually of such a low
frequency that they require a more substantial transmission medium than thin
air. They commonly make use of power lines, telephone lines, and network
cables, but they have been known to also utilize water, gas, and sewerage
pipes. Try wrapping a sewer pipe around the antenna of your scanning
receiver. Commonly available devices in this category are the "Baby
Minders", available from most electronic suppliers.
I use this term to
describe the myriad of techniques that have evolved over recent years. In
the old days, it was possible to read a document or a computer screen from
an adjacent building with some degree of difficulty. With the advent of
miniature video cameras, you can now install the "eye" built into a roof
tile. This does not mean that you should discard the precaution of keeping
your sensitive information away from external prying eyes. Computers and
telephones can be "listened" to by the use of built in infrared transmitters
that are extremely difficult to detect.
This describes all
those methods, that can be applied against a target that cannot be
physically accessed. They include, laser microphones, shotgun microphones,
and tempest techniques. 1 do not propose to discuss these techniques in any
great detail, other than to say that they do work, are very resource
intensive, expensive to buy and operate, and extremely difficult to detect.
For these reasons, techniques of this type would normally only be used in
espionage operations, where the target is difficult and the possible gains
220.127.116.11 Other techniques
There are other
techniques that can be used and really the "spy" is only limited by his or
her imagination. The Countermeasures Officer has to continually upgrade his
knowledge base if he serious about protecting his client. I have seen too
many examples of "security experts" that either continue to base their
inspection techniques on old technology or, even worse, waste the client's
time and money by conducting inspections looking for impractical attacks.
2.3 The Inspection
2.3.1 Preparing for the Inspection
The target area
should not be prepared or altered from its normal condition. No
conversations concerning the inspection should take place in target offices,
or on target telephones. In the case of a real-time monitoring inspection,
the occupants of the target areas should not necessarily be aware of it
taking place. It is imperative, that no warning be given to eavesdroppers,
which may enable them time to remove or switch off listening devices. If
possible, the Countermeasures Officer should be given a briefing as to the
reason for the inspection ( routine or special ), and any other relevant
information, which may allow him to tailor the inspection to suit the
should the inspection take place?
should take place at a time, when it would be expected that a listening
device was going to be active. In the case of remotely activated devices,
this would occur during business hours and preferably during a meeting. It
is not always convenient, or practical, to conduct full inspections at these
times and, if possible, the inspections should be split so as to provide a
least number of people that know, the better the chance of catching the
eavesdropper off guard. It is not inferred, that staff members may actually
warn the eavesdropper. The possibility of someone discussing the intended
inspection in a target area is obviously increased as the number of people
"in the' know" increases. Certainly, it is normally a good practice for a
prominent person within the organization, to introduce the Countermeasures
Officer to the target area, and personnel, so as to demonstrate that the
Countermeasures officer has the backing of management for his inspection.
His cover may take the form of an office management consultant,
communications consultant, building inspector, etc. Anything that may
detract from his real purpose and yet allow him to conduct the inspection
form should it take?
18.104.22.168 Physical Searches
In the past, when
eavesdropping equipment was large and bulky, physical searches were a
practical method of locating the devices. However, in this age of
microelectronics and programmable equipment the chances of finding a device
is greatly reduced. The idea of dismantling a telephone handset whilst
almost mandatory in days of old, is fast becoming fraught with danger, given
the variety of hi-tech telephone systems available today. Power outlets,
telephone plugs, desk calendars, pens etc., containing listening devices,
are available over the counter in most "spy" shops around the world. Long
term installations, utilizing building structure and furniture, are nearly
impossible to examine without the use of techniques such as Thermal imagery,
X-ray, Non-Linear Junction detection, etc. A physical search, should also
encompass the surroundings including floors above, below, and opposite. Most
clients would not be in favour of exploratory dismantling of walls and
furniture, and would probably baulk at the idea of involving neighbours in
the inspection. Thus, the effectiveness of a physical inspection has been
dramatically reduced. This does not, however, mean that it should be
22.214.171.124 Electronic Scanning of the Radio Frequency (RF) Spectrum
of the RF spectrum, is a major part of the inspection. This can be conducted
in a number of ways and each Countermeasures Officer has his own favourite
method. Some use automatic "black boxes" that rapidly scan the RF looking
for the strongest signal, which, it assumed has to be coming from the target
area. In the CBD, or other high RF activity areas, these scanners invariably
lock onto signals other than those they should be finding. Some automatic
scanners utilize a form of acoustic signature, or self generated tones, that
are emitted into the target area, whilst the scanner locates and demodulates
RF signals. Should the scanner locate a signal modulated by a tone similar
to that being generated by itself, it assumes that there is some form of
transmission device within the target area. An alarm would be generated and
the Countermeasures Officer would then try to locate the transmitter. These
types of scanners usually work quite efficiently with minimal false alarms.
They will not work on some of the more sophisticated methods of modulation,
such as digitization, encryption, frequency hopping, and spread spectrum,
etc. To date, most professional Countermeasures Officers use spectrum
analysis as a tool, when dealing with high risk targets. Like physical
searching, an electronic sweep is only one part of a Countermeasures
126.96.36.199 Optical Scanning of the Environment
Where there is a
threat of optical attack from either laser, infrared, high power
photography, or CCTV then the Countermeasures Officer should scan the
suspect area with the necessary detection devices. Laser microphones do
work, however, they are usually employed when other avenues of access have
been denied. Most commercial companies like to place their most senior
people and meeting rooms where there is a good view. Sensitive government
meeting rooms are invariably located in the centre of protected premises. It
is possible that there may be a good reason for this. Perhaps the government
takes spying a little more seriously.
188.8.131.52 Electronic Scanning of Furniture and Fittings
furniture, fittings and structural architecture is difficult if the client
objects to destructive se . arch techniques. Managing Directors obviously
object to suggestions of cutting their brand new board room tables to little
pieces, so that one can be sure that there is not a listening device
contained therein. Scanning of these objects can be done electronically and
physically, and if conducted correctly, can have a fair chance of success.
Obvious information of changes to furniture or renovations to walls,
ceilings, etc., will assist the Countermeasures Officer in pinpointing
possible areas of interest.
184.108.40.206 X-Ray and Thermal imaging of Walls, etc.
are normally used as a last resort where other methods are not practical.
Modern day x-ray systems are relatively small, and safe, if used correctly.
They can be used to examine objects that have been identified by the
electronic scanning techniques, previously mentioned as being suspect.
Thermal imagery is not widely used and has limited use in commercial
220.127.116.11 Inspection and Testing of Communications Systems
With the ever
increasing advances in communications technology, the Countermeasures
Officer is hard pressed to stay abreast of his client's communications
systems. however, whilst the technology changes, the methods available to
the eavesdropper do not alter markedly. The object is to gather intelligence
from the communications system and transmit it to a remote site. Normally,
this can be achieved by accessing the communication carrier (cables) either
within the premises, or externally. If the connection is made externally,
then the chance of discovering the device is reduced, and, if conducted
professionally, nigh on impossible. If the connection is made within the
target premises, then there are methods, both electronically and physically,
of finding the device. Digital telephone systems, that digitize the audio,
from the time it leaves the handset, to the time that it teaches its
destination, are becoming the norm in the 'corporate world and are very
difficult to compromise. If the system is connected to the telephone
exchange via an ISDN network, then the security is about as good as you are
going to get commercially. This does not mean that the conversations cannot
be intercepted, only that the eavesdropper has to work harder and smarter.
18.104.22.168 Inspection and Testing of Computer Systems
There seems to be
an attitude that, whilst many corporations worry about "bugs" in the
boardroom, they do not appear to have any problems in letting their
"secrets" leave the premises in unprotected laptop computers. Numerous
companies bemoan the financial loss of company laptops and yet do not seem
to be concerned about the loss of the data contained on the hard drive. Most
large companies now run computer networks and, of course, all networks are
password protected. Sensitive data is always stored on the network drives
and never on the individual hard drives. It is human nature to distrust
others, and on numerous occasions sensitive data has been found on the hard
drives because of mistrust of the IT department. Company information is
entered into the computer system in a logical precise fashion, and
therefore, is worth more to the "spy", than mountains of audio tapes
recovered from listening devices. One unsecured disk could cause the
downfall of a company should it fall into wrong hands. Computer terrorism is
another facet that companies appear to overlook. This could range from
vandalism and deliberate sabotage, to extortion. There have been movies
illustrating the use of threatened viral infection, such as aids and
anthrax, in the pursuit of financial gain, but little on computer viral
infection. I, personally, have not beard of such attacks, however, I would
not expect such revelations to be forthcoming. It is common practice to pay
up and shut up in these situations. The Countermeasures Officer should
conduct an inspection of the computer system and network cabling to a
reasonable level. Co-operation and trust between the Countermeasures Officer
and the IT manager is almost mandatory, if this style of inspection is
likely to succeed.
At the end of the
inspection, the Countermeasures Officer should provide a report indicating
what was inspected, and what the result was. It is very difficult to prepare
a report saying that nothing was found, and you took an hour or more, not to
find it. However, Electronic Countermeasures inspections should be seen as
any other form of security measures. You can sometimes judge physical
security measures based on the lack of thefts given the level of risk.
Similarly, if your business is considered to be an attractive target, and
you have not be the subject of an eavesdropping attack, then perhaps the
Electronic Countermeasures inspections have produced their objective.
One-off inspections, are rarely effective, for more than the time taken to
do the job. For a company that requires protection on a regular basis,
inspections should be scheduled for times of greatest risk. The level of
inspection will depend upon the frequency of these inspections. Inspections
should occur at least once a month, and especially after renovations, and
equipment installation or maintenance. The Countermeasures Officer should
establish a communication channel with the client, that is based on
cooperation and trust. Understandably, this will take some time to
establish, however, it is an integral part of the Countermeasures strategy.
The more the Countermeasures Officer is treated as part of the team, the
easier it is for him to become aware of trends that may affect the security
of the client.
3.1 What can Electronic Countermeasures do for you?
Countermeasures should provide you with a better appreciation of your
security needs. Regular inspections, if conducted properly, and by the same
officers, will ensure a level of security adequate to the needs of your
company. The inspections will assess' your physical and personnel security
measures, and identify chinks in the Armour.
3.2 What can you do for yourself?
Most companies have
individuals that are responsible for some aspect of security. Larger
companies have Security Managers, Information Technology (IT) Managers and
Administration Managers. However, it doesn't require a full time position to
provide the level of security, that most companies need. Common sense and a
good security awareness program will go a long way to addressing those
needs. If the company personnel are encouraged to implement security
measures in their own work areas, such as document shredding, a clean desk
policy, challenging strangers in the office, etc, the need for additional
security measures will be reduced. This does not mean that you should not
conduct Electronic Countermeasures inspections, rather it simplifies the
work of the Countermeasures Officer, and therefore increases the
effectiveness of the inspection. It should be remembered that security
measures are most effective, when implemented from the top down. When
management is seen to be implementing security measures in their workplace,
the rest of the staff will follow.
All companies require some form of protection against the theft of
assets, including data, both verbal and materialistic. The question, of
whether Electronic Countermeasures is to be part of your protection
strategy, depends upon the level of risk. The answer to that question, is up
written by Graeme House
Article used with permission