TSCM THREAT ASSESSMENT GUIDE


INTRODUCTION

A viable TSCM Program is equally interested in Denial as well as Detection. Within limits, however, you cannot separate physical security from technical security. The following guide is intended to assist you in making the initial determination concerning the current ability of the physical security systems ability to keep the would-be penetrator from gaining entry into the target area which would allow them to introduce a technical surveillance device.

THE THREAT

Clandestine surveillance is nothing new. During its evolution, it has progressed from the the simple act of peering through bushes to the point where conversations were monitored from outside a building near a door or window or from hidden locations within a building.

  With the further development of electricity and electronics, the tasks became simpler. The telephone permitted conversations over long distances to friends, neighbors and business acquaintances. It also permitted the monitoring of conversations by everyone on the party line. Although it was insinuated that "Gentlemen don't listen to other Gentlemen's conversations", clandestine monitoring was coming into vogue. Initially, it was simply the monitoring of telephone conversations, but rapidly evolve into the planting of microphones in selected locations. Monitoring by microphones remained the primary, but in no way the only, means until the miniaturization of the tube and later the introduction of the transistor. At this point, it became possible to build a transmitter capable of being hidden in extremely small locations or packages. Integrated circuits and chips have reduced the size even more drastically, even to the point that the microphone and power supply may be the bulkiest portion of a very powerful and sophisticated clandestine RF transmitter.

WHAT IS THE THREAT?

The question you are probably asking is "What is the threat and how does it apply to me". You all have your own thoughts on how serious it is. By analyzing the different types of documented attacks initiated against governments, corporations and individuals in the past, you will see a pattern which indicates attacks come in one or a combination of the following basic methods:

  • The wire and mic
  • The RF transmitter
  • The physical security weakness

TELEPHONES AND THE MIC AND WIRE:

The ubiquitous telephone, like a waiter, is always there, but never really noticed. As long as you are able to get a dial tone and complete a call, you are happy and never question its loyalty. But, it IS always there. And it IS always capable of doing more than it was intended to do. Even coming from the manufacturer in its original box can't guarantee the instrument isn't defective and won't be passing audio while it is in the on-hook position.

  Assuming your telephone is operating properly when installed, there are a number of things which can be done to it in a very short period of time, a matter of minutes in most instances. The hookswitch , inside the instrument, can be attacked and bypassed through the simple task of bending the contacts so they are always making contact. Different types of electronic devices can be installed across the hookswitch-resistors, diodes, capacitors, and neon bulbs, for instance. The transmitter (mouthpiece) can be replaced with one that is in fact a transmitter, operating only when you are conversing. A transmitter can be hidden within the telephone, with a hookup to either the transmitter or the receiver (earphone), and connected to the incoming lines for power. This type installation would be operating at all times, not just when you are talking on the phone. Should the phone be permanently mounted to a desk or the wall, an induction coil could be hidden under or behind it. Going a step further, an induction device can be utilized on the telephone pair at any location between the point where the phone enters the wall and closer control is established at the main telephone plant. In addition, anywhere the cable pair is accessible, a tap of one sort or another can be effected, monitoring your conversations any time the phone is in use. If the information is important enough to warrant the expenditure, you may be monitored by intercepting microwave signals or even satellite signals.

  The mic and wire is nothing more than a variation of the telephone tap or monitor. The only difference is that the microphone and wire must be installed. HOWEVER, there may be instances in which existing wiring may be used and there may even be a suitable "microphone" already present. I'm talking about those instances where replaced wiring is not removed, only disconnected. The actual microphones may be as small as those used in hearing aids or as large as a wolfer type speaker. If it can be properly hidden, or it looks appropriate for the location, it is effective.

RF DEVICES:

Mention "bugs" and almost everyone instantly thinks of the olive in the martini or the device which can be hidden behind the lapel of a coat. Hollywood theatrics, perhaps, but definitely possible.

WHAT IS A "BUG"?

Essentially, it is a device utilized to transfer intelligence from one point to another and is usually considered to be RF transmitters of one sort or another. They may be designed to operate at any frequency range, at any power setting and in any modulation mode, depending on the requirements of the opposition and the circumstances of the situation. What this means is that if a short distance has to be covered with an RF signal, the transmitter could be operating as a simple low wattage, clear text, AM (Amplitude Modulated), lower frequency unit, or as a sophisticated 1/2 watt, crystal controlled, FM, (Frequency Modulated), Sub-carrier,VHF (Very High Frequency), or UHF (Ultra High Frequency) unit. Simply stated, the opposition has the advantage in that he may choose any number of frequencies, modulation, and power. You, on the other hand, don't know what his operating characteristics will be, whether he will be operating when you perform your checks, or whether you are even in the area of a target. But, EVERY survey must be performed as if there IS an operating device in your area.

  What will you be looking for in the way of a signal or signals.

  Everything!!!! You could be targeted by a signal which is AM amplitude modulation, FM frequency modulation, PAM pulse amplitude modulation, PPM pulse position modulation, spread spectrum, etc., and may be operating with signals that are composed of Sub-carrier modulation, Single side-band modulation, Double side-band modulation,etc.

  They may be operating almost anywhere in the frequency spectrum VLF very low frequency, LF low frequency, HF high frequency, VHF very high frequency, UHF ultra high frequency, Light spectrum, etc.

  Their intelligence might consist of Audio, Video, Data, etc.

  They may be hidden in Offices, Homes, Apartments, Vehicles, Aircraft, Public areas, etc.

  Information targeted may be Personal, Business, Travel, Meetings, R&D, etc.

  Although the information provided above may look overwhelming, the task can be handled if approached a signal at a time.

PHYSICAL SECURITY WEAKNESSES:

Where do you start and where do you stop. There is no clearly defined line. When evaluating an area during a survey, you will be interested in how the opposition could enter if they aren't approved personnel. Look at the doors and windows. Ask about personnel access restrictions. Are the locks and alarms acceptable. Specifically, when you are evaluating an area, you are interested in how someone may gain entry to a secured area or extract information from such an area. What you will be doing is performing an acoustical evaluation of the area to insure that conversations taking place within cannot be overheard from outside. Insure that the doors are flush with the facing at the top, bottom and sides. Walls should be solid all the way to the true ceiling-not stopping at, or above the false ceiling. All holes and openings in the walls should be sealed. All excess and unused wiring removed from the walls and the overhead. Remove speakers from the area, or insure there is a positive means of insuring they are disconnected. Remove phones, or provide them with a disconnect. Is there an alarm system and is it working properly for secure areas?

WHAT ARE THE MOST LIKELY TARGET AREAS?

Determining what areas are most likely to be "hit" will be decided by talking with security personnel as well as the manager or vice president in charge of operations. They may have decided the whole facility requires a TSCM survey when in fact only a few select areas need be examined. Primary interest should be those places where the information comes together-the executive areas, program managers, conference rooms, etc. We are looking for the apexes, because obviously, it is impossible to "bug" every room and phone in a large complex. In addition, management should be concerned with such areas as contract negotiations, executive personnel records areas and so on. In determining when the best time for a survey might be, consider immediately prior to any important happening, such as contract negotiations, product development or release, major financial happenings, anything that could have a strong bearing on the companys well being and continued success. That is not to say that intelligence is not gathered at times other than during those periods. Larger organizations may require a survey on a monthly basis or no more often than quarterly of semi-annually. If it is done on a recurring basis, the service should not be performed on a clockwork basis, but on a more random basis. A pattern should be avoided.

LIMITED SURVEYS AND MONITORS:

Limited surveys are those actions performed covering limited areas and/or time. Normally a limited survey would be performed on an area such as a conference room in which a sensitive meeting is to be performed. The meeting is generally scheduled to begin at a certain time and the TSCM technician may have only an hour or so to perform the major aspects of a physical examination with an in-place monitor to be conducted during the course of the conference. If that is the situation, one person should begin an RF examination while the other performs the physical portion. Under these conditions, nothing can be guaranteed, but an effort must be made to check ALL the obvious places first and work back to the less obvious. An hour is quite a bit of time when nothing more than a good physical is performed. You will be removing plug coverings and checking wall hangings. Furniture is examined to insure there are no added pieces of wood, insure that the seat bottoms have not been cut or ripped in such a manner as to permit the introduction of a recorder or a transmitter. Check the overheads for anything that appears unusual--extra wiring, boxes or packages, wood or concrete chippings, even pieces of wood or concrete which could be hiding a monitoring device. If possible, check the adjacent areas and the outside walls for similar items located near the walls of the secured area.

  When performing a monitor or an RF examination, write down all suspect signals and come back to them after you have completed a thorough examination of the spectrum. Unless something is not right, you shouldn't spend to much time on any one particular signal during the initial phase. If something is found, notify the proper person immediately. BUT, don't assume that is the only device that has been installed. There very well could be several more.

WHO SHOULD THE CUSTOMER SUSPECT:

Anyone associated with the activity could be a suspect. It may be a disgruntled employee "getting back at you", or outside elements, such as the opposition. It could be friendly or hostile governments, or terrorists. Don't disregard the criminal element planning a kidnapping or robbery. Anything and everything is possible.

HOW CAN ACCESS BE GAINED:

That may be the simplest part of the whole operation. Who really looks at maintenance delivery persons? How about the building custodians and repairmen? The char force has more opportunity than anyone else, with the possible exception of the night and weekend security force. Seduction may be the best way--we then have as suspects a spouse, secretary, or lover. The list can go on and on, but I'm sure you're getting the drift of the discussion.

  We have little control over these things; we MUST be aware that they are possible when evaluating an area. As you gain experience, you will get a feeling about what the potential problem may be and key on those areas.

Target Analysis

Remember, the choice of method of attack and, to a large degree, the device(s) chosen for employment will be dictated by the environment under attack. The Target Analysis should be as complete as possible and will influence the entire Option Sequence that follows.

  For example, if the Target Analysis shows us that a surreptitious entry, while necessary, will be extremely risky, the device chosen must be highly dependable and require little or no servicing. After all, we don't want to have to re-enter the target area just to change a battery or tape.

  Reverting to our true identity for a moment, as a Technical Surveillance Countermeasures specialist you will also perform a Target Analysis. If not, how can you make reliable estimates of the real threat? As you go over this outline, look at each point from the perspective of both the Opposition and the Countermeasures specialist.

Facility Exterior Characteristics

  1. Building Description
    1. Construction Material
    2. Number of Floors
    3. Shared or Dedicated Facility
  2. Adjacent Structures
    1. Proximity to Target Area
    2. Ownership/Occupancy
    3. Shared Utility Paths
  3. Traffic/Activity Patterns
    1. Vehicular Traffic Patterns
    2. Vehicular Approaches to Target Area
    3. Foot Traffic
    4. Target Operation Hours
    5. Times of Greatest Traffic Density
    6. Presence of Police or Guard Force
    7. Frequency of Patrols
  4. Facility Grounds
    1. Defined Physical Barriers
    1. Structural (fences, walls, road blocks, etc.)
      1. Type
      2. Height
      3. Condition
      4. Number of Entry/Exit Gates
      5. How Secured
      6. Alarms Employed
      7. Protective Lighting
        1. type
        2. adequacy
        3. spacing
        4. condition
      8. Access Procedures
      9. Visibility of Fence Line
      10. Patrol in effect (scheduled or random)
      11. Breeched
      12. Distance from Structure
      13. Presence of Trees or Shrubs
    2. Natural (rivers, other structures, terrain)
  5. Building Exterior
    1. Exterior Doors
      1. Number & Construction
      2. Hinge Pin Location and Modification
      3. Type of Locking Device
        1. Key Control
        2. When Last Changed
        3. Indication of Tampering
          (NOTE: These last three items are primarily of interest to Countermeasures persons)
      4. Condition
      5. Additional exit doors secured from interior
    2. Windows
      1. Number and Construction
      2. Protective Covering Employed
      3. How Secured
      4. Alarmed
      5. Security Type Glass Installed
      6. How Covered Inside
    3. Exterior Lighting
      1. adequate illumination of all areas
      2. All Openings (doors & windows) lighted
      3. Auxilliary Power Source Employed
      4. Lights Automatically Controlled
        1. how
        2. hours
      5. Type of Lights Employed
    4. Other Openings
      1. Manholes
      2. Utility entry to building
    5. Roof of Target Area
      1. Description & Construction
      2. Access
      3. Skylights
      4. Roof Hatches
      5. Fans/vents Protected
      6. Distance from Other Structures
      7. Frequency of Security Checks
    Facility Interior Characteristics
  6. General Characteristics
    1. Target Location within Building
    2. General Purpose of Facility
    3. Access Controls in Effect
    4. Normal Hours of Operation
    5. Acoustically "Hard" or "Soft" Target Room
    6. Number of Guards
    7. Shift Change Procedure
    8. False Ceilings
    9. Walls Joined to True Ceiling
    10. Types of Doors
    11. Alarms in Use
    12. Types of Locks
    13. Utility Paths
      1. cable troughs present
      2. telephone cabinets secured
      3. air conditioning vents protected
      4. pipes through target area
    14. Maintenance & Cleaning Practices

    Once all (or as much as possible) of this information is gathered and studied you are ready to select the best options and employ the most appropriate device.

    Selecting The Device

    In Section I, an Option Sequence was set forth leading us to the point where, based upon the intelligence gathered during the Target Analysis, we must now commit ourself to the selection of the device(s) upon which we must depend. Within this Section we are going to look at various methods of attack, that is, the device. We will not, at this time, begin to explore the esoteric electronics of the various devices. We will, however, examine the pros and cons involved with each selection. We will attempt to discuss these methods of attack in a broad way, weighing the advantages against the disadvantages.

    Early in this text it was said that the ideal method of eavesdropping was to be physically present during the discussion of interest. And still, we did not want to be detected; therefore our physical presence was ruled out. That is, unless we could somehow share the secret of Lamont Cranston (The Shadow). Well, lacking that talent, the next best thing to being there is to have placed the most basic of eavesdropping tools...the mic and wire run.

    The Mic & Wire Run

    Advances in technology have greatly altered this simple approach. Not only are microphones available today that are unbelievably small, but transmitting wire as thin as a single strand of hair from your head is available. It is virtually invisible to the eye and can be concealed in the cracks between the boards or tile on a floor or can disappear into the minute crack existing between the baseboard and the wall.

    Microphones, either directional or non-directional, are no longer cluges...extremely high fidelity microphones smaller in diameter than a pencil eraser are commonplace.

    So what are the disadvantages? Many! Microphone installations are not overly popular in that they require extensive access to the target area. It takes a great deal of time to properly install and conceal any microphone and, if one chooses to install the fine wire runs, great care must be exercised to avoid breaking the wires during the concealment process. Another disadvantage is that, unless one wants to run the transmission line into an RF Transmitter, install one or more line boosters, etc., the listening post must be relatively close by.

    There are other methods to employ the microphone as your eavesdropping choice, among these would be tying the transmission line from the microphone to some fortuitous path, perhaps excess wiring among the utility lines or, more commonly found, excessive and unused telephone wiring. Still, unless the listening post is nearby you will be forced to employ line amplifiers along the path.

    R.F. Transmitters

    By far the most popular choice of "bugging" is the RF transmitter. There are any number of potential frequencies available. The signal may be modulated in many many ways and combinations. Various esoteric techniques are possible, ranging from burst transmissions, to spread spectrum signals or swept frequencies. Simple frequency modulated or amplitude modulated signals might be "snuggled" with legitimate commercial signals; that is, transmitted at a frequency extremely close to the legitimate broadcast and at a signal level so weak in comparison that it is easily missed during any countermeasures effort. The transmitting devices available today can be easily acquired, simple devices such as "Wireless FM Microphones" or "Baby Sitters", both of which are legally sold over the counter in many electronics stores. They can also be extremely complex and easily concealable because of their small size. The device can be hidden in the barrel of a fountain pen, in some office artifact, within a block of wood made to appear as a part of the furniture. The ways in which to hide an RF Transmitter are virtually limitless.

    As I said, this is the conventional first choice. Still, they are not without problems. First, there is the need to limit the output of the device in order to make its detection as difficult as possible. When one reduces the output, the signal must still be strong enough to be received at the selected listening post. This means that one must carefully evaluate free space loss, building construction, atmospherics, etc. The necessary power to drive the device must be determined. Do you utilize batteries and have to service the device, or do you steal existing power?

    Carrier Current

    Again, this attack has certain advantages. You do not have to worry about providing power for your device since you will be employing the existing AC power lines within the target area. This approach has been used successfully in the past but is not frequently employed today. It is a rather easily detected attack, requires time to install and, of greatest concern, you must have your listening post very close by. The signal imposed on the house wiring will not easily couple across a transformer, requiring the listening post be set up on the same side of the transformer, usually within the building.

    Telephone Compromise

    Without doubt, the telephone represents the greatest threat to security (in terms of audio security) there is. To begin with, a telephone is generally found at or near the conversational center of the target area. It provides the would-be eavesdropper with all the necessary components (mic, power, transmission path, etc). One has the choice of performing any number of modifications to the instrument or tapping the lines. The difference being, of course, that if you elect to "tap" you are going to limit yourself to eavesdropping on on-going telephone conversations. By modifying the instrument you will be able to pick up in house conversations while the instrument is in an "on-hook" condition. The only disadvantages are that you must be able to establish access to the instrument and/or frame room.

    Other Attacks

    Let you imagination run wild...Laser attack? Light attack? The use of these will depend upon the Target Analysis you have accomplished. And, frankly, many of these attack methods, while technically possible, are not practical and/or give less than desirable results.

    THE TSCM APPROACH

    After wearing the "Black Hat" for a few minutes we can all see that their problems are as great as ours. What we need to examine now is our response to the threat. We will be looking at the various types of services offered, the philosophy or approach employed and the major problems we will encounter.
    TSCM Services
    Basically, four different types of services are available and are
    • TSCM Surveys
    • TSCM Monitors
    • TSCM Inspections
    • Pre-Construction Consultations
    TSCM SURVEYS: A full survey is, as the name implies, a maximum response. It incorporates extensive analysis and examinations of the target area. Basically we accomplish an R.F. Analysis or search, a thorough telephone system analysis, examinations of the walls, ceilings, floors, furnishings, etc., a target analysis, examinations of denial aspects (that is, how the physical and procedural security meet the threat), identification of all wires, cables, air ducts, pipes, etc. At the end of a full survey, we should know if anything is threatening the area and should be able to provide the "customer" with a detailed report for use in enhancing the overall security of the examined area(s).

    TSCM MONITORS: Frequently, a request for TSCM coverage of sensitive meetings, conferences, etc. is received. Whenever possible, you should visit the intended site of the meeting and perform a physical and limited electronic search of that area prior to the meeting. Then, throughout the conference you would conduct an ongoing R.F. Search.

    TSCM INSPECTIONS:This is, in fact, a limited form of Survey. If, for example, a new telephone system (or instrument) were to be installed within a sensitive area, you might be called in to examine that particular instrument or system. Your examinations would not be as thorough or as extensive as those performed during a TSCM Survey.

    PRE-CONSTRUCTION CONSULTATION: When plans are being made to build a new facility or improve an existing one, you may be called in to meet with the builder to discuss the needed technical security considerations and to make recommendations concerning the tasks at hand.

    THE SURVEY APPROACH

    A TSCM Survey can be divided into two major phases, the Non-alerting Phase and the Alerting Phase. Again, there is no great mystery involved in these phases, their names provide the description. In the Non-Alerting Phase you would accomplish those tasks that would not alert the potential eavesdropper to the fact a Survey was taking place. The reason for this is simple; if the device chosen is a switched device, that is, one that can be turned on or off from a remote location, and the eavesdropper hears your efforts he will simply turn the device off. Your chances of discovering the device will be drastically reduced.

    In the Non-Alerting Phase you will be accomplishing your target analysis and R.F. Analysis. Just about anything else you do can be considered to be alerting.

    Our reasons for accomplishing the TSCM activities are simple; we want to deny the opposition access to the sensitive areas. Failing this, we want to detect their activities as early as possible.