TSCM – Quality Assurance

Verrimus has been offering quality assurance testing of TSCM teams for over a year now. The uncomfortable fact of the matter is that the vast majority of companies offering TSCM service are utter frauds. I’m aware that this is an extremely hard line to take and commit to writing, but I’m very passionate about the TSCM industry and maintaining a level of service in the industry that is professional and fit for purpose, so I’m happy to take that line.

Now, there’s no point in me beating on about how the industry is full of cowboys without quantifying and qualifying my claims. This is what I aim to do in this document.

It’s important to firstly understand how the TSCM industry has got into this mess in the first place. The lack of legislation and licensing is an obvious place to look first. This lack of control of a security service has a hugely detrimental effect on the industry, not least because it allows any individual or company to offer and supply TSCM services without any checks on their qualifications, experience or even criminal background. That has to be the first major area of concern….

TSCM is a service in which the service provider is given trusted access to a client’s most sensitive areas, often unsupervised. These areas are where a client’s most critical information is created, stored and communicated. An unvetted service provider in these areas actually creates risk. Now, there will be people reading this that do not consider this a risk. But giving a criminal or person willing to work against the Police unrestricted access to critical and sensitive information is a very real risk.

In research carried out by an independent market research company, a sample of 18 UK companies offering TSCM services were approached by the Mystery Shopper with an implied task which was a request to carry out work against UK Law Enforcement agencies. Some companies approached in the market research were happy to discuss the fact that the customer (mystery shopper) could be seeking the services as they wanted to discover if they were under surveillance from a law enforcement organisation.

 

  • One company, in an attempt to reassure the caller that they would undertake a task ‘against’ a law enforcement organisation, provided prison numbers of their operators.
  • One company stated that they were happy to work for anyone, explaining that all of their operators were ex-Police and that Police devices are the hardest to find, but because they were ex-Police, they knew where to look for them.
  • 17 companies were happy to undertake work against law enforcement agencies.

 

Only one company stated that they would not be involved in the task if the Police were the threat.

The full market research undertaken is available in a separate report, so I don’t want to creep into that here.

So…. Lack of legislation and licensing brings the problem of unvetted individuals having access to critical information areas and systems. Okay, let’s assume the individuals in the TSCM team are vetted. Does that mean they are competent? Because they have an ex-police or military background, does that mean they’re competent?

No, absolutely not. TSCM is not a general skill taught in the police or military, not even in special forces units or technical surveillance units. An operator’s ‘cap badge’ or prior service has no bearing on capability in the TSCM realm.

In research conducted, from 30 TSCM teams around the world, the following statistics were gleaned:

 

  • 92% did not understand properly the reality of the technical surveillance threat in 2018
  • 85% had no formal training in the equipment they used
  • 95% had no operational TSCM training

 

This level of general non-competence is truly shocking. Over 90% of companies are providing a service that they are not actually capable of delivering to a level which is fit for purpose.

The vast majority of the 30 teams mentioned above went to great lengths to use a long list of equipment to promote their ‘professionalism’. Notwithstanding, over 80% of them had no actual training in the equipment, and most of the equipment they used was obsolete or unfit for purpose. This is not surprising though, as over 92% had no understanding of modern threat. Countermeasure can only be effective if the threat is understood. If you didn’t know what a bullet was, you couldn’t design a bulletproof vest. A very simplistic comparison, but the technical complexities of the threat as it exists in 2018 are exactly that, technical and complex.

I suppose we are getting to the crux of the matter now…Quality Assurance

Notwithstanding all of the above, the crunch comes when a TSCM team is hired to secure an area for a client. That crunch being:

 

  • ‘Can they effectively carry out a TSCM survey to effectively detect, identify and pinpoint locate a viable attack.’
  • ‘Can they effectively identify anomalies capable of being exploited by an attacker.’
  • ‘Can they effectively plan and give mitigation advice to allow a client to mitigate existing vulnerabilities.’

 

There…3 simple questions.  Simple to anyone who is properly trained and experienced in TSCM.  The first issue of quality assurance comes in the service procurement. The person charged with procuring the service has no knowledge of TSCM so cannot reasonably be expected to procure a service which is fit for purpose. That’s a fact. So in most cases, any hope to actually receive a service fit for purpose is dammed at the point of procurement.

How can an organisation properly procure TSCM services? It takes 2 days to train a person to understand threat and countermeasure enough to properly procure TSCM as a service from a 3rd party, and the cost is less than 25% of the average TSCM survey.  That should be the first step any organisation takes in countering a perceived threat. Not just googling a bug sweeper and going for the best price surely? It sounds like common sense versus ridiculous reactionary actions, but in the 18 years I personally have been in this industry, the vast majority of taskings I’ve received have been reactionary actions. It never fails to surprise me, hence why I designed and wrote the TSCM Procurement module that Verrimus offers all of its clients.

The actual TSCM survey itself is the next Quality Assurance blockage.  How can a service recipient be sure the actions carried out ‘on task’ are fit for purpose and will ensure any attack or vulnerability is actually countered?  Well the unfortunate reality is that without proper professional assistance that level of assurance just isn’t possible. Nor am I going to explain in a document which will be made public, how we can assure against that for a client. But…It’s sufficient to say that the header image of this document is proof that not only is Verrimus more than capable of delivering that Quality Assurance but also, that even the most trusted TSCM teams are not always capable or honest.

The image was covertly taken by Verrimus during quality assurance of a team. Basically, it shows 2 TSCM Operators working in a boardroom, the person on the left (1) working on equipment, the person on the right (2) lying on the floor chilling out and chatting to the other operator. The team didn’t even detect that they were being surveilled, which, let’s face it, is the whole reason they are there: to detect technical surveillance attacks. Essentially, any client hiring this particular team would have spent valuable budget and been left still under attack, presuming they were safe. The worst security stance to be in.

Verrimus has undertaken a number of these Quality Assurance tests for organisations using TSCM teams. Over the past 12 months Verrimus has carried out numerous such tests, with the majority of service providers being found to be providing a service unfit for purpose.

 

  • >60% of viable attacks missed
  • >90% of vulnerabilities missed
  • >90% of historic sign missed

 

Each one of these teams delivered a report to the instructing client that the area surveyed was ‘Free From Threat’.

All of these misses were due to one or more of the following factors:

 

  • Lack of understanding of threat
  • Improper or no operational procedures
  • Improper or lack of proper equipment
  • Improper use of equipment

 

In more than one case, team members actually spent more time on their personal mobile phones than engaged in technical surveillance countermeasures!

This is the reality of the standard of TSCM service being provided and procured today. Hundreds of individuals and teams with no vetting, no training, no proper equipment being hired by unsuspecting clients with insufficient knowledge of threat or countermeasure to enable them to properly procure the service.

  

The core of the problem is now so deeply embedded that the service is creating more risk than it mitigates.

The industry is unregulated and no legislation is currently planned to legislate and regulate it.

It’s a grim fact, but without intervention from service users to properly equip themselves to quality assure the service they procure, the risk is on them…