Why You Need TSCM Now More Than Ever

Our baseline level of suspicion about the security of data and communications is very high these days. Are smart devices recording conversations and conveying them to marketers? Are encrypted communications apps truly secure from state-affiliated intrusion? Are our corporate networks compromised by hackers? This newfound interest in information security is a good thing, but amidst all the new risks we should not forget that the tried-and-true approaches to spying — especially the use of electronic surveillance devices — are more of a threat than ever. Just ask the former CEO of German drug maker Stada, who confirmed in 2017 that his personal vehicle was bugged amidst contested takeover discussions.

This case and others highlight not just the corporate infosec dangers posed by electronic surveillance devices but also the indirect costs to the victims, who lose valuable time worrying about eavesdroppers and may have justified anxiety about their physical security as well. In order to mitigate this risk, corporate security leaders are increasingly recognizing the need for comprehensive technical surveillance countermeasures (TSCM) programs. TSCM involves the detection and potentially the neutralization of unwanted electronic surveillance devices. Experts conduct comprehensive inspections, or “sweeps”, of buildings, rooms, vehicles and other places where devices may be lurking.

TSCM has long been part of the asset protection arsenal, but several trends suggest it is now more necessary than ever:

Cheap, accessible surveillance devices are proliferating: The surveillance device market is booming, with the number of consumer surveillance devices sold in 2019 expected to be more than double the number recorded for 2018. U.S. consumer spending on surveillance cameras alone – just one of the many types of devices now on the market – is expected to reach $4 billion in 2023, an increase from the $2.1 billion recorded in 2018. With rapid improvements in technology, the previously prohibitive cost to getting one’s hands on surveillance devices is becoming less of a barrier with the introduction of a plethora of low-cost, yet relatively sophisticated, devices that can easily be purchased via most major online retailers. The proliferation is democratizing access, once the reserve of specialized intelligence and security entities, enabling a whole new class of threat actor to leverage powerful technology that can be turned against corporations, their assets, leaders, and personnel.

Corporate espionage is booming: The U.S. economy loses up to $600 billion per year as a result of stolen intellectual property, according to a 2017 report to Congress. Corporate espionage is a growing illicit market, with indicators suggesting an upward trend for the foreseeable future. In California’s Bay Area, home to Silicon Valley’s tech powerhouses, economic espionage and the theft of trade secrets have been rising sharply over the past two decades and in the last five years indictments have increased by 45% compared to the previous five years.

Insider threats are on the rise: Industry research from the cybersecurity world indicates insider threats have been on the rise in tandem with the use of a broader range of devices by employees, the deployment of cloud-based systems, and increasing accessibility to malicious technology. As Verizon’s 2019 Data Breach Investigations Report highlights, insider threat incidents have been increasing in the last four years and 34% of recorded breaches were perpetrated by insider actors, often for monetary gain. Although these incidents are typically not physical in nature, violations of information security policies in the cyber world can act as a stepping stone toward physical security violations, including through the use of electronic surveillance.

Business travel is expanding: In an increasingly globalized market context, long-distance business travel is becoming an unavoidable necessity. Industry data indicates that there are 445 million business trips per year, with forecasts showing further growth over the coming years. With the potential for travel to unfamiliar locations, emerging markets, and countries with varying standards of privacy rights, state security oversight, and organized criminal elements, the prospect for corporate travelers and executives to be targeted by electronic surveillance measures has never been greater. Such targeting can take the form of compromised conference or hotel rooms, vehicles, or even personal clothing, luggage, and electronic devices that have been left unattended for any period of time.

Establishing an effective TSCM program for your organization requires consideration of several key elements. Expertise is critical, and TSCM strategies require the deployment of in-house or outsourced TSCM specialists with extensive backgrounds in the detection of the latest electronic surveillance devices. Knowledge about current deployment and exploitation tactics used by threat actors is crucial as well. A TSCM program also needs to utilize state-of-the-art technology. Individuals conducting sweeps must use both top-of-the-line radio frequency (RF) analyzers as well as other instruments that can detect abnormalities in electrical currents, phones, Voice over Internet protocol (VOIP) systems, and electronics generally. Finally, a TSCM program must be highly mobile. Whether it’s a conference room for a high-stakes meeting in Singapore, an executive’s home in the French Riviera, or a vehicle to be used by a senior corporate leader in Mexico, TSCM teams need to have the capacity to conduct sweeps at the drop of a hat in a variety of global contexts.

Daniil Davydoff, CPP, is Director, Research Management and Operations at Eurasia Group and director of social media for the World Affairs Council of Palm Beach. He has been published by ASIS International/Security Management, Risk Management Magazine, The National Interest, The Carnegie Council for Ethics in International Affairs, Foreign Policy and RealClearWorld, among other outlets. His views do not reflect those of his company.

Daniil Davydoff can be contacted on LinkedIn or at davydoff@eurasiagroup.net

Ra Tiedemann-Nkabinde is a global security intelligence analyst at AT-RISK International. He earned his PhD in finance and religion at the University of Cape Town. His views do not reflect those of his company. He can be contacted on LinkedIn or at rtiedemann@at-riskinternational.com

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?