Technical Security: Back to the Future

Back to basics: Physical security should have parity with cybersecurity to better avert malicious attacks. Image: Vadym / Adobe Stock


Technical security protects against an important range of threat vectors. It has been neglected by both business and government.

An interest in security, and in national security specifically, might well arise from a particular personality type, and significant exposure to security threats tends to reinforce these underlying traits. Thus, wariness, scepticism, distrust, and risk aversion are often more developed amongst the security-minded. What distinguishes the security professional is the capacity to turn these traits into drivers of creative challenge and problem-solving – which can, as I intend to show, be directed to the underappreciated arena of technical security.

The Gap Between Cyber and Physical Security

Necessarily, the sharp end of security tends to focus on emerging threats that may demand immediate answers. Most of these are in the cyber domain, with a growing emphasis on sophisticated digital threats. For example, AI is currently receiving a lot of attention.

This focus is sharpened by an increasing level of concern on the part of strategic leadership in both industry and government regarding cybersecurity. The dominant model is of the ‘black-hat’ hacker remotely accessing information and systems through vulnerabilities, with a view to acquisition, disruption, and possibly theft and extortion. The ‘malicious insider’ is a variant of this, perhaps taking advantage of privileged access and knowledge of processes and people. A yet more sophisticated view of cybersecurity includes ‘operational technology’ (OT) such as control devices and connected technology from within the ‘Internet of Things’.

Physical security is concerned with protecting sensitive facilities and assets from theft, damage, or interference. Personnel security assures the integrity and awareness of staff, focusing on the potential for dishonesty, actions counter to the interests of the organisation, or the risk of unwitting exploitation. The two can intersect when preventing servers, laptops, and mobile devices from being stolen, damaged, or compromised.

In setting out these classes of security concerns, we are, however, at risk of forgetting the very significant ‘grey space’ between them. This is, in large part, the arena of technical security. Technical security, I wish to argue, has been and continues to be badly neglected. Despite the growing threat and the important engineering challenges it gives rise to, it is not receiving the attention – or investment – it merits. This leaves room for bad actors.

Current Threats with Old-School Roots

To make the point directly: there is no use in securing access to meeting papers, controlling entry to the meeting room, and assuring the security behaviours of the attendees if there is a listening device present (or a laser microphone directed at the window). Similarly, no amount of endpoint security and access control can provide protection if there is a camera pointing at the computer screen. Indeed, much of the equipment being used – projectors, phones, printers, screens, network equipment, etc. – in most organisations is provided through insecure supply chains and may, as the result of malicious interference, possess hidden or ‘undesired’ functionalities.

Other technical security threats include RF (radio frequency) exfiltration, TEMPEST (the monitoring of electromagnetic emissions from devices), the exploitation of signals on power lines, and optical (or even thermal) methods for data egress. Some of these threats have, under the right circumstances, the capability of bridging even air-gapped systems and operating at considerable distances.

Many of these technical means can be used to facilitate cyber access and might leverage physical or personnel compromise. Thus, a technical attack can act as the tactical spearhead of a range of other attack methods.

Technical Security Merits Urgent Attention

Let us look at some key trends.

First, with improving cybersecurity tools and awareness, the cost of persistent, targeted cyber access is rapidly increasing and may, in any event, founder upon encryption both in transit and at rest. This makes technical security vulnerabilities look increasingly attractive to threat actors.

Second, the tools – and to some extent the knowledge – are increasingly available. Software-defined radios, small cameras and microphones, open-source hardware, and 3D printing provide low-cost, highly effective technical capabilities. High-end capabilities are available commercially if you know where to look. Similarly, the tradecraft associated with deploying technical attacks can be found in the public domain – again, if you know where to look (I will not make it easy for you!).

Third, previously complex processing tasks – such as extracting signals from ‘noisy’ environments – have been made much easier, not least by Machine Learning (or AI, if you prefer) but also by better software tools.

All these trends are exacerbated by the growing collaboration between hostile intelligence services and organised crime groups, particularly in the space between theft, disruption, and economic advantage.

It is essential that security professionals pay far greater attention to technical security. This includes physical controls, RF monitoring and detection, hardware hardening, and regular technical surveillance countermeasure (TSCM) sweeps.

There are some matters that require immediate attention from HM Government. The National Cyber Security Centre (NCSC) and the National Protective Security Authority (NPSA) are part of the UK Intelligence Community (UKIC) and have benefited from significant investment and leadership focus.

By contrast, the UK National Authority for Counter-Eavesdropping (UK NACE) – the technical security authority – is a component of FCDO Services. FCDO Services operates on an essentially commercial basis with a limited capacity for investment and technical leadership.

I assess UK NACE, as it stands, to be scarcely capable of keeping up with a rapidly changing technical field (despite the talent and dedication of those who work there). It is certainly not in a position to lead the broader UK security community in industry and business, championing technical security in the way that NCSC is doing for cyber, and NPSA (and before it CPNI) is doing for physical security. This imbalance must be addressed with urgency and strategic determination.

Much of this may seem, depending on your perspective and background, like ‘old-school spy stuff’ – bugs, cameras, and radios – and not on a list of current security worries. The reality is rather different. Sometimes, the past, reinvented, can be the future.

© Anthony Finkelstein, 2025, published by RUSI with permission of the author.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

WRITTEN BY

Professor Sir Anthony Finkelstein CBE FREng DSc MAE FCGI

Distinguished Fellow
