Security measures can cover everything from access control and intruder alarms through to computer firewalls and data encryption. Surprisingly, speech – perhaps the most common form of communication – is often overlooked. Steve Gledhill argues that it’s every security manager’s duty to address the threat posed by covert electronic listening devices.
Instances of illegal monitoring or ‘bugging’ of high-level corporate meetings and conversations are reported in the national press on a regular basis these days, illustrating the fact that covert surveillance is a real and growing threat.
In spite of such damning and considerable evidence, it’s highly surprising that many executives still seriously undervalue the importance of spoken information within their organisation. A sensitive document is subject to a good deal of security with restricted circulation, password-protected computer files and physical security to prevent unwanted access. However, the contents of such a document will be discussed freely in a meeting without any thought being given as to who might be listening in.
There are any number of reasons why an organisation will suffer from an electronic eavesdropping attack. Competitors will want to find out about new product developments, launch plans, pricing policies and many other equally important operational areas. In the financial world – particularly during times of acquisition, merger, hostile bids and flotations – information is absolutely vital. Internal organisational power struggles will often lead to the bugging of meetings.
Recent reports suggest that covert listening attacks are taking place in all areas of commerce, penetrating the pharmaceutical sector, software design teams, high street stores and airlines. It’s not only competitors who crave information – the media, disgruntled employees, suppliers, customers and blackmailers are all on the lookout for information that will give them an advantage.
The consequence of such breaches of security is simple. Loss of revenue. A recent UK Department of Trade and Industry report – the ‘Information Security Breaches Survey 2004’ – estimates the average cost of a serious security incident at £10,000. For larger corporate concerns the cost extends to anything between £65,000 and £190,000. The same report also states: “In 2004, 68% of UK businesses suffered at least one malicious breach. For bigger companies this figure rises to 91%.”
An open invitation to listen
There’s no doubt that electronic listening devices – more commonly known as ‘bugs’ – are actively being used throughout the world (‘A clean sweep’, SMT, April 2002, pp30-32).
While specialist manufacturers offer devices costing many thousands of pounds, cheaper systems are also available for as little as £30 or £40. They cover a wide range of technologies and methods, including miniature wired microphones and through-wall microphones.
Many use a wireless system employing a wide range of frequencies and different modulation methods. The mains and other cables can be used to transmit audio information using systems that are similar to baby monitors.
More advanced monitoring teams may use recording devices instead of real-time transmitters. Old-fashioned analogue tapes have been replaced by digital audio tape, MiniDiscs and solid-state digital recorders. Some devices are now capable of recording many hours of conversation, encrypting and compressing the information and transmitting it to a receiver in a short burst on receipt of a remote command signal.
Detection can be made more difficult by using legitimate radio systems such as DECT telephones, GSM mobile phones or wireless LAN (802.11) as the transmission medium.
Ensuring secure meeting areas
British Standard BS 7799-2:2002 ‘Specification for Information Security Management’ (‘BS 7799: what can it do for you?’, SMT, April 2004, pp49-50) sets a suitably high standard for information security management systems. It emphasises “the need to establish policy and objectives for information security” and proposes a “Plan-Do-Check-Act-style model”.
Although dealing primarily with computer security, Section A8.7.7 of BS 7799 states: “Policies, procedures and controls shall be in place to protect the exchange of information through the use of voice...” The challenge is there, then, but not every organisation is railing against the threat of eavesdropping.
Traditionally, most companies aware of the electronic eavesdropping threat employ external specialists – usually referred to as ‘Sweep Teams’ – to carry out routine searches or ‘sweeps’ of their premises for listening devices. Such teams work for specialised companies who have highly trained staff and an expensive array of detection equipment. Typically, at a cost of a few thousand pounds they’ll move into a company’s premises of an evening, or over an entire weekend, and use various types of detection device to seek out the different threats that may have been placed on site.
Although ‘Sweep Teams’ have access to highly experienced and well-trained operators with sophisticated equipment, they’re expensive to hire and will not always be readily available. During those times between sweeps, companies are open to surveillance attack.
Measures can be taken to ensure strict access control to key meeting areas, while regular physical checks such as looking for disturbances in ceiling tiles or locating tell-tale loose wiring might be carried out. However, professional eavesdroppers intent on electronic surveillance use many sophisticated methods and equipment that reduce any disturbance of the target area to a minimum. Thus the aforementioned measures are likely to be relatively ineffective.
A better detection methodology is needed. Any given organisation might decide to acquire its own surveillance device detector(s). The advantage of doing so is that such devices will then always be available, even on a daily basis. And there’s only a one-off cost, which should please your Finance Director no end!
Surveillance detectors explored
The surveillance device detectors offered by specialist companies cover a range of detection methods, and include broadband detectors, scanning receivers and electronic device detectors. Each of these types of detector has its own strengths and weaknesses. To carry out an effective sweep it’s fair to say that all would need to be used in turn.
Broadband detectors do have the advantage of being very fast, providing an instant response to any radio frequency (RF) activity in the area, but they cannot identify specific signals and are alerted by all sorts of RF – both innocent and suspicious.
To interrogate signals and identify if they really are due to a bug requires somewhat more sophisticated scanning receivers that can tune into a wide range of radio frequencies and allow the operator to listen and identify specific signals. These work well while there’s a signal to interrogate, but modern bugs may be deactivated remotely until they’re needed and may not be transmitting a signal.
Pinpointing these inactive, dormant devices requires an electronic device detector capable of locating concealed electronics by using a form of harmonic radar.
The integrated approach
In reality, the next advance in search equipment involves the integration of complementary detectors in one device that will offer more information than if the end user were to deploy each detector in isolation. A search tool offering a number of integrated detectors has many advantages. Reduced cost – when compared with purchasing all the detectors individually – is one of them.
Faster sweep times are another benefit to the end user. While carrying out one physical sweep of an area, an integrated unit can perform several types of electronic search. Presenting the information from all detectors at the same time will render a more complete image of the detected device.
An integrated detector solution works in a far more intuitive way, much as we humans use all of our senses to identify and locate things. A suspicious signal picked up by one detector can be reinforced or discounted by readings from the other sensors, or a device that would be missed completely by one detector will be picked up by one or more of the other sensors.
Integrated search tools bring technical expertise within easy reach of non-technical users, offering a professional device to combat the threat posed by eavesdroppers. Security managers should now be using their own high-integrity bug detectors to ensure that meeting rooms are areas where it’s ‘safe to talk’.
Source
SMT
Postscript
Steve Gledhill is marketing manager at Audiotel International (www.audiotel-int.com)