The threat of cyber attacks garnered a lot of publicity a few years ago. Hacks provide hostile actors with a powerful and convenient intelligence tool. Cyber attacks can be undertaken from the relative safety of an offshore platform without jeopardizing one’s own assets or risking being discovered and arrested. They also afford the perpetrators a degree of plausible deniability.
However, hacking is not the only tool available to a capable actor such as an intelligence service, advanced criminal group or a well-funded corporate operation. Should one of them really want to get its hands on a specific piece of information, there is a host of espionage tools at their disposal.
It is important not to ignore non-hacking threats from those operating outside of a targeted facility. This is what GRU officers are believed to have been doing when they attempted to hack into the wireless data network of the Organization for the Prohibition of Chemical Weapons using equipment they placed in a parked car near the OPCW headquarters. Information obtained from a laptop later recovered from the car indicated that the GRU had used the same equipment in a similar attack against the World Anti-Doping Agency after it banned Russian athletes from international competitions including the 2016 Summer Olympics and the 2018 Winter Olympics.
Other types of external technical threats can include equipment such as parabolic microphones and laser listening systems, as well as international mobile subscriber identity (IMSI) catchers. IMSI-catchers can be used to track cell phones and grab the IMSI information. In some cases they can even intercept calls. The most commonly known IMSI-catcher is perhaps the StingRay system. It is widely used by law enforcement agencies.
Human intelligence is another potent tool. Recruiting a source inside the targeted organization who has access to the desired information can be very effective. Nowadays, almost everyone carries several potential spy devices. Cell phones, computer systems and tablets can all be infected with malware that permits hostile parties to control microphones and cameras remotely, turning them into clandestine audio or video collection platforms.
An engineer at Apple’s autonomous vehicle division, for example, was caught this year sharing sensitive information with the company’s Chinese competitors. He had used his smartphone to take photos of information displayed on his computer monitor that could not be downloaded or transferred outside of the system by other means.
Bugs are still frequently used. Some types of valuable information are not available in a digital format. What is said at board meetings or business negotiations can be of interest not only to competitors and state actors, but also to criminals.
Because of this, venues for important meetings are often bugged. Conducting periodic technical sweeps of the homes and offices of key executives, as well as any corporate facilities where sensitive research and development takes place, is also strongly advised.
Bugs can be purchased and installed into a number of common office items including electrical outlets, power strips and chargers, as well as lamps, clocks and smoke detectors. Spy shops and bug manufacturers can even build an audio or video device into a custom item, such as a specific piece of art or furniture. In addition to technical surveillance countermeasures (TSCM) sweeps to ensure no devices have been placed, it is therefore also important to monitor anything brought into areas where sensitive discussions are conducted, such as furniture or decor. It is also important to limit the number of people with access to such areas and to heavily vet those who are to be given access, including construction, renovation or cleaning crews.
Advances in technology have resulted in very small bugs and covert recorders that are exceptionally cheap and easy to obtain. Many bugs that are available online or at spy shops today are as good as or better than those used in government intelligence operations 20 years ago.
The mass-produced and accessible nature of these bugs means that they are used by a wide variety of actors, making it difficult to trace them back to a specific perpetrator upon being discovered. In some instances, the bugs are regarded as disposable and are installed with no intention of ever being recovered, making it all the more challenging to gather sufficient evidence to charge a suspect. In others, a host country government or a foreign government can be involved, meaning that prosecution is very unlikely.
The lack of court cases and media reporting pertaining to bugging thus camouflages the magnitude of the problem, especially when compared to high-profile hacking cases. As a result, far more resources are now being devoted to combating hacking than to combating bugging. This, of course, is not to say that protection against cyber attacks should be ignored. But I do recommend that technical security counterintelligence measures be seen as an equally critical component of a robust information security programme.
The writer is a news anchor