Q. How often do you find bugs or other surveillance devices?
A. There are two types of Technical Surveillance Countermeasures (TSCM) inspections used to find bugs: business and government level sweeps, and residential sweeps for private individuals. The find rate depends upon the type of sweep.
My firm mainly conducts electronic surveillance detection sweeps for the bugs and surveillance devices found in businesses and government, so let’s start here.
With business and government organizations, the opposition’s focus is on getting hot information, in all its forms. Corporate espionage, industrial espionage, call it what you will. There is no one spy tool of choice. Electronic surveillance plus hundreds of other tradecraft techniques are available for the opposition to employ. The average residential sweep doesn’t need to take this into account. More on that later.
Pro-active Due Diligence Sweeps to Find Bugs in Business and Government
Regularly scheduled, due-diligence, technical information security surveys rarely turn up electronic surveillance bugs. Don’t be surprised. Typically, organizations using these services already have a high overall security profile. They are “hardened targets.” For those clients, the benefits of incorporating TSCM into their security program include…
- Having a known window-of-opportunity when something is found.
- Identifying decayed security hardware which no longer works as expected.
- Identifying security policies which are no longer being followed.
- And, becoming aware of a variety of otherwise unseen security issues.
Emergency Sweeps to Find Bugs in Business and Government
Discovery statistics on our “emergency TSCM sweeps” vary from year to year. These are the sweeps commissioned because electronic surveillance is suspected. We find bugs and other electronic-related compromises in about 2%-5% of these sweeps. The overall success rate in solving these cases, however, is very high. It is just that the answer to most of these emergency sweeps involves non-electronic methods, which we also seek out…
- Poor or lapsed security practices.
- Poorly designed, installed, or decayed-effectiveness security hardware.
- Human element: key control, un-shredded confidential wastepaper, big mouths, etc.
A holistic TSCM inspection can solve most of these emergency cases, no matter how the loss was incurred.
Solving these organizational emergency cases requires more than the standard TSCM bug sweep. Add-on skills and experience include: corporate investigations, alarm system design, computer forensics, and information security management to name a few.
Residential Bug Sweeps – Often Find Bugs
When it comes to residential and matrimonial bug sweeps, the find rate for locating bugs and surveillance devices is quite a bit higher. This makes sense. The eavesdropper’s focus is narrow. They want to intercept:
- conversations and/or video voyeurism images,
- and/or determine the location of a specific person.
Electronic surveillance is the tool of choice, whether it be audio/video bugs or computer/smartphone spyware. Personal privacy is the loss most associated with private individuals, unlike business espionage, where intellectual property is also targeted.
Solving cases for private individuals is relatively easy, for a number of reasons:
- The spy is usually a do-it-yourselfer, an amateur, or someone with limited tradecraft skills.
- The victim has a good idea who is doing the spying, and their capabilities.
- Inexpensive, easy to obtain, and easy to find bugs are most often used.
- Locations for placement of bugs, taps, spy cameras and trackers are limited.
- Having a personal stake in this type of surveillance, spies often tip their hand as a show of power.
Private investigators and TSCM providers who handle residential and matrimonial bug sweep cases don’t charge very much for their services. However, the good ones can quite successfully find bugs and GPS trackers. The phonies just talk fast, wave a wand, take the money and run. It pays to interview several vendors and get a few recommendations before hiring anyone.
The lower-than-corporate fees they charge are due to:
- Lower overhead for running their businesses.
- Their detection gadgets are basic, dated, or borrowed from their day job.
- Insurance (if any) is not up to corporate standards.
- Continuing education expenses are low.
- No extras, like written reports or information security surveys.
Some of this is understandable. The private individual market they serve can’t support, nor does it need, the sophisticated level of detection required by businesses and government agencies.
Even with these limitations, the honest low budget level TSCM inspectors are quite successful. They often do find bugs and trackers of the consumer-grade variety.
Business and Government Level TSCM Technical Investigators Who Find Bugs
Professional security consultants who specialize in business and government-level TSCM are not a dime-a-dozen. They invest heavily and continually in: sophisticated instrumentation, professional certifications, and advanced (and continuous) training. Their overhead includes: an office staff, trained Technical Investigators, licensing, insurance, instrument calibration, and an annual Carnet so they can travel internationally for their clients.
Security directors know the stakes are very high, hence the adage… “It’s not all about the money. It’s about what you get for your money.”
These corporate executives are charged with protecting corporate assets. This type of information security requires a security consultant with a depth of experience, and knowledge of: information management, corporate investigations, complex security systems, and yes… high-level Technical Surveillance Countermeasures.
Benefits of Quality TSCM
In all eavesdropping, espionage and voyeurism attacks there are two main goals:
- Get the goods.
- Don’t get discovered.
So, obviously, if you don’t actively inspect for eavesdropping, espionage and voyeurism attacks you won’t know you’re under attack.
Organizations, unlike private individuals, don’t have a choice about conducting pro-active TSCM bug sweeps. Having their pockets picked is not an option. This is why TSCM is such an important element of their security programs.
The benefits of a Technical Information Security Survey (enhanced TSCM) for them include:
- Increased profitability.
- Intellectual property protection.
- A working environment secure from electronic surveillance invasions.
- Advance warning of intelligence collection activities (spying).
- Checks the effectiveness of current security measures and practices.
- Document compliance with many privacy law requirements.
- Discovery of new information security loopholes, before they can be used against them.
- Help fulfill the legal requirement for “Business Secret” status in court.
- Enhanced personal privacy and security.
- Improved employee morale.
- Reduction of consequential losses, e.g., an information leak can spark a stockholder’s lawsuit, activist wiretaps, and damage to “good will” and sales.
The benefit list is really longer, but you get the idea.
There are some excellent private individual and corporate-level TSCM consultants out there. Pick the right one for your needs and it is almost certain your privacy and security concerns will be resolved in a cost-effective manner. You can begin your search here, or here, or learn more about how to evaluate a TSCM provider, here.
Kevin D. Murray CPP, CISM, CFE, CDPSE is a business counterespionage consultant and TSCM specialist with over four decades of experience.
Murray Associates is an independent security consulting firm, providing eavesdropping detection and counterespionage services to business, government and at-risk individuals.
Headquartered in the New York metropolitan area, a Murray Associates team can assist you quickly, anywhere in the United States, and internationally.