By Ronald D. Elliott
We hope the recent incident involving a Russian diplomat lurking around State Department facilities intercepting electromagnetic signals from offices within those facilities won't be too quickly forgotten by Federal Government officials. Whatever the effects of this incident or the lessons learned from the tools and techniques employed, the expanded power of information technologies to detect and interpret electromagnetic emissions demands more attention to what is called the "TEMPEST" threat. This threat is increasingly serious to both public and private institutions due to the potential effects of surreptitious monitoring of unintentional signals emitted by electronic equipment used for the most routine tasks in offices and operation centers of government, academia and private industry.Though not widely understood by we laymen, most electronic devices used in the workplace and at home radiate some type of electronic "signal" that may be unintentionally modulated and propagated for varying (usually short) distances through electrical wiring, lights, phone lines, other building materials and even the air. Technical jargon sometimes used to describe this phenomena is "transient electromagnetic pulse emissions," but it is generally just called "TEMPEST," which is as vague as the phenomenon it seeks to describe. A Webster dictionary indicates that term represents a tumultuous environment which may represent the electromagnetic environment surrounding electronic equipment. By exploiting this phenomenon, criminals or adversaries may surreptitiously access information not intended for them, compromising the information without knowledge of the equipment operator. That is, thieves and spies are unintentionally given access to information they otherwise would not have been given. Though the information may not be protected by security classifications, it may be sensitive and be aggregated with other information to provide an unintended advantage to those possessing knowledge of the information to the disadvantage of our government or the private institution from which it was surreptitiously taken.
Though the TEMPEST threat has been recognized for many years, in 1994 a Joint Security Commission issued a report to the Secretary of Defense and the Director of Central Intelligence called "Redefining Security" which concluded that TEMPEST countermeasures inside our national boundaries were a "security excess" which should only be undertaken after approval by the most senior department or agency head. Though this recommendation had no effect on employment of TEMPEST countermeasures outside US borders, it excused Federal Government officials from devoting the attention increasingly needed to this threat.
The fact that electronic equipment such as computers, monitors, keyboards, printers, copiers and electronic typewriters emit electromagnetic signals has long been a concern of the US Government. However, the Joint Security Commission concluded that likelihood that an adversary government, terrorist or criminal would take the risk of getting close enough to intercept and identify the TEMPEST signals was highly unlikely within our borders. Though this may have been the appropriate conclusion six years ago, most of us acknowledge the great increase in power of computer and communications technologies during that time and also acknowledge the increasing likelihood of global "information warfare" as the scourge of the 3rd millennium.
Today, an eavesdropper using relatively inexpensive off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed in a government employee's office or home without the employee being aware that information is being revealed. Traditionally, the Federal Government installed shields and other electronic components or countermeasures in electronic equipment to reduce or counter the TEMPEST phenomenon. However, as a result of the Joint Security Commission report and other subsequent administration policies, investment in these preventive measures has diminished. During the same timeframe, the number of portable computers used by government officials (including military members) has increased by leaps and bounds (as it has in the private sector). But partly due to the recommendation of the Joint Security Commission, these portable (laptop and notebook) computer devices (and the ancillary equipment used with them) are not normally equipped with TEMPEST countermeasures. Thus, though the threat to government buildings may be lessened by having guards and fences keeping eavesdroppers at distances reducing the TEMPEST threat, portable devices are routinely taken home, to commercial sites and on trips without TEMPEST countermeasures. And military operations "in the field" typically involve thousands of portable electronic devices with TEMPEST vulnerabilities.
The resulting current situation is that increasingly powerful information technologies are enabling more threatening TEMPEST exploitation by criminals and adversaries while TEMPEST countermeasures have been decreased by the Federal Government while it distributes greatly increased numbers of devices that are not protected against "transient electromagnetic pulse emissions"!
It's time the Federal Government exploited the more powerful information technologies to apply it to shielding and other electromagnetic countermeasures, which can easily be included in electronic information processing equipment. These countermeasures can augment and/or enhance electronic equipment with components and interfaces that limit or mask unintended emissions. Were the Federal Government to take the lead in this area in funding the essential research and development and manufacturing techniques, as well as educational initiatives to increase awareness of the threat, benefits would accrue not only to improving national security protection but also to enabling private (individual and corporate) citizens of our Nation to be similarly protected.
Certainly, in the emerging era of escalating information competition and "warfare" portable computers used by members of our national security enterprise (military and civilian) ought to always be equipped with TEMPEST protection both inside our borders and when abroad. Though guards and other physical boundaries may diminish the vulnerabilities to TEMPEST of electronic equipment in our office buildings, such as those in the State Department Headquarters; the Federal Government ought to seriously consider additional investment in improving TEMPEST countermeasures in the "laptop" and "notebook" computers of its military and civilian employees engaged in national security activities. Relatively small investments can be expected to produce significant improvements in the protection of the sensitive information these government employees originate, use and exchange. We can also expect improved capabilities of computer manufacturers which result from these investments to contribute to similar countermeasures in the computers we in the private sector will buy for our own
use.