The Importance of Tempest Standards

By Mason Goad

Mason Goad is a graduate student at George Mason University’s Schar School of Public Policy.

ACADEMIC INCUBATOR — During Trump’s first impeachment trial in 2019, Republican lawmakers accessed the Sensitive Compartmented Information Facility—or SCIF, in layman’s terms—that Rep. Adam Schiff and others were using for secret depositions. The media was quick to decry the act as jeopardizing national security. But first, they had to explain to the general public what a SCIF even was. are often wholly ignorant of what those doors are made of. This ignorance of TEMPEST technology standards represents a far greater threat to classified information than the few disgruntled politicians who attempted to storm Rep. Schiff’s SCIF.

The Cipher Brief’s Academic Incubator Program partners with national security-focused programs from colleges and universities across the country to share insights from the next generation of national security leaders. The views expressed are those of the authors.

TEMPEST refers to Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions, for which the National Security Agency has certain technology specifications. It is this technology, when paired with adequate policy, that shields all sorts of classified information from eavesdropping or other forms of interception. It is also this technology which sadly seems to be little known among a rising generation of intelligence officers. That needs to change. To correct our course, three things need to happen: First, everyone involved in national security needs to understand the history and importance of TEMPEST technology and the standards derived from it. Second, people must see that the high cost of TEMPEST shielding does not outweigh the benefit. Third, those who are educated about the history, importance, and cost of TEMPEST standards have to hold their leadership accountable for failing to live up to them.

Understanding the Importance and History of TEMPEST Technology Standards

First and foremost, TEMPEST standards are a policy framework regulating the use of certain technologies, such as computers, and the environments in which they can be used, such as SCIFs. If the standard is kept, it secures electronic and acoustic information from interception. Thus, these standards are very important when processing and discussing classified information.

Second, the history of how these standards came to be shows just how important they are. During the Second World War, Bell Telephone discovered the problem: electronic signals could betray information as it was encrypted, but it was determined that little could be done to stop it. The CIA rediscovered the problem (as it literally was forgotten) in 1951 and devised the first “radiation policy” by 1953, but the Soviets were already perfecting these surveillance methods. In 1952, a bug so strange it was simply called “The Thing” was discovered inside the U.S. Seal hanging inside the American Ambassador’s study. It was first placed in 1945.

By 1958, a set of standards–the first true TEMPEST standards–had been published. These built on what we now call the RED/BLACK concept, developed in 1956 by the U.S. Naval Research Laboratory. The standards were adopted by the UK and Canada by 1959. Getting people to comply with these strange standards, however, proved challenging. Secretary of Defense McNamara tried spurring compliance with a directive in 1964, but the new policies–even if their importance was understood–proved difficult to implement. The NSA did not finish their implementation until 1966, and they were among the first to do so. Then, for over a decade, all seemed calm. It appeared that the problem was solved.

It was not. On 25 March 1985, the media broke another story about a highly sophisticated bug found in the Moscow embassy, and the investigation into it. That investigation, Project GUNMAN, revealed that the Soviets were able to intercept the plaintext of typewriters remotely. These bugs used magnetometers to convert the mechanical energy of keystrokes into magnetic disturbances, which were relayed via radio frequency to nearby listening posts. The earliest bug was placed in 1976, going undetected for nearly a decade.

The subsequent briefings of American officials were met with astonishment and anger, but it is difficult to say how effective the Soviets’ surveillance methods were. Eric Haseltine, the former Director of Research at NSA, concluded in his book The Spy in Moscow Station that the USSR did not have resources to waste on unproductive projects, especially not over an eight-year period. As a result, it is reasonable to assume that these technical exploits must have proven substantially useful.

However, as time goes on, the lessons learned from the Second World War, “The Thing,” and Project GUNMAN have receded into the past. What is growing, unfortunately, is the number of uninformed American students as they join the intelligence community. Haseltine himself lamented that American information security focuses heavily on computer science – not physics. Even many American security experts are ignorant of certain technical attacks, such as radar flooding or microphonic exploits, immediately recognizable to our Russian counterparts. If the importance and history of TEMPEST technologies are not emphasized in information security and technology education, the United States will forever overlook an entire facet of its defense.

TEMPEST Shielding is Worth the Cost

Unfortunately, those unaware of the benefits of TEMPEST shielding will almost certainly reel at the cost. But TEMPEST certainly passes any cost-benefit analysis. As David Boak, an expert on telecommunications security, forewarned: “Some of what we still hear today in our own circles, when rigorous technical standards are whittled down in the interest of money and time, are frighteningly reminiscent of the arrogant Third Reich with their Enigma crypto machine.”

That warning was issued around 1973, years before Project GUNMAN, and TEMPEST shielding has not become any cheaper. The exact price is classified, but some reasonable assumptions can be made. For example, Adamo Security, a company specializing in the construction of SCIFs, recommends that the customer estimate a cost of 1,000 dollars per square foot for a facility of 200 square feet.

Thus, construction of a single SCIF the size of a closet could easily come with a price tag of 200,000 dollars. Now imagine a single conference room. And then understand that this estimate does not yet include associated costs such as testing or accreditation to approve its use. This estimate also fails to factor in additional constraints, such as needing a construction crew of vetted American citizens, significantly affecting timely construction.

With such a hefty price tag, in addition to delays, it is reasonable to assume that a future policy maker (or a current one) ignorant of the necessity of TEMPEST shielding may very well decline such a project in the interest of time and money. Declining it could be a serious – albeit esoteric – detriment to national security. Because of this, the NSA has standards in place surrounding these facilities. That does not mean people using the facilities follow the standards.

Leadership Must Be Held Accountable

Those professionals understanding the history and importance of TEMPEST standards, and that the benefits outweigh the costs, should not hesitate to share their knowledge with others. Likewise, they should not hesitate to hold their leadership and their co-workers accountable for maintaining a secured facility. Complacency is something we cannot afford.  

Unfortunately, there is substantial evidence that such complacency exists. The NSA makes public a list of those companies which have had their TEMPEST certifications suspended or revoked for failing to comply. The process for suspension or revocation is also outlined in the National Counterintelligence and Security Center’s recent TEMPEST specifications, leaving little room to doubt that complacency is a continuing problem.

The cost of obtaining these certifications initially is very high, so it stands to reason that only two possibilities exist as to how these managers failed to comply with procedures and requirements. First, they simply failed to maintain the facilities in the interest of time and money, as Boak warned. Or, second, those using these facilities were simply ignorant of the importance of TEMPEST standards, a likely result of the failing of American information security education. It is also possible that both causes worked in tandem.

Whatever the case may be, people have proven fallible. As Shakespeare said in his play, The Tempest, what is past is prologue, and if individuals have grown complacent in the past, they will again in the future – especially if no one around them knows to warn them of the dangers of their complacency. We must emphasize the history and importance of TEMPEST standards in our education so future policy makers understand its benefits when confronted with its costs. And we must have professionals today help correct the course we are on already by holding all of their colleagues accountable. Policy enforcement alone is not enough.

Peer Reviewed by: Matthew Fay, PhD Candidate, George Mason University
