This guest post is the second of an occasional series of guest posts by external researchers who have used the Bank of England’s archives for their work on subjects outside traditional central banking topics.
What can the Bank of England Archive tell us about cyber security? The answer is almost certainly more than you might expect. For my PhD thesis Computer Security in the UK Financial Sector, 1960-1990, I visited the Bank Archives in the interests of being thorough, fully expecting to have exhausted relevant folders within a matter of hours. How wrong I was. They turned out to be a treasure trove of detail on historical computer security and informed a key part of my research. One particular piece of fragmentary evidence offered a window into a particularly secretive and little-known surveillance mechanism which the Bank and intelligence agencies feared and which was known only by its NATO codename, TEMPEST.
A different form of radiation risk…
TEMPEST is the term used to refer to the electromagnetic radiation that leaks from computers. If captured, therefore, it can unknowingly provide compromising information about the data those machines are processing. Intelligence agencies have battled the risk that these emanations posed to confidentiality of information since the early Cold War. It was even the subject of perhaps the first ever cybersecurity feature on the BBC’s “Tomorrow’s World” programme.
The issue of TEMPEST first came onto the Bank’s radar in 1975, when Sir Alastair Pilkington, a director of the Bank, enquired to the Bank’s Audit Committee about the vulnerability of the its ‘computer configurations’ to ‘fraudulent use by persons of high intellect with a knowledge of electronic engineering’. He asked whether the Bank has considered employing the services of a ‘highly qualified technician’ to ‘examine ways and means of manipulating the systems in operation at the Bank for dishonest purposes’.
Fast forward two months and a Secret-classified document was issued in the Bank entitled ‘Security of Data’ which included a specific threat warning. Security, here, was defined as ‘measures necessary to protect the Bank from its information being “leaked” radiated or emitted from computer cables, outside telephone lines, VDUs [Visual Display Units, or computer monitors] or other peripherals.
The Bank had previously seen ‘little hazard’ in these areas because VDU emissions were only detectable within 300 yards. After all, the Bank’s computers operated amongst the ‘electronic “noise”’ of the City and the Bank’s premises itself – with thick external walls – provided a certain measure of protection. However, the ‘Security of Data’ memo described the seriousness of the matter:
We have been informed by a unit of the Ministry of Defence, in the strictest confidence, that equipment is available (capable of being operated from a mini-van) which could “home-in” on to a device and record data passing through it. The most worrying feature is that a display of data on a VDU could be picked up “in clear”.
Later that year, a Bank document explained that its representatives had been in touch with Air Vice-Marshal Foden, Director of the government’s Communications Electronic Security Group (CESG), to seek his opinion on the extent of the Bank’s problem. CESG is the UK government’s National Technical Authority for Information Assurance, based within Government Communications Headquarters (GCHQ) and since 2016 part of the National Cyber Security Centre (NCSC). CESG were most concerned that protocol was followed and as such the Bank were asked to ‘formally request the help of the Security Service [MI5] … [who] would then call on the C.E.S. Group for their technical assistance.’ It was suggested that the Bank should mention that Air Vice-Marshal Foden had, on receipt of their inquiry, steered them in the direction of the Security Service.
A further handwritten note from 24 July 1975 detailed how CESG who had asked the Bank for details to ascertain the level of risk faced: the volume of classified material involved; the level of classified material involved; the site of the equipment and the type of the equipment.
The security issue was also discussed at a further meeting of the Audit Committee on 24 July 1975, in which the Committee expressed its concern that the Post Office and manufacturers should ‘minimise the dangers of security leakages in computer configurations.’
What did the Bank do?
Despite its potential consequences, it seems that no satisfactory conclusion was reached in this specific instance.
Two years later, in January 1977, discussions between the Bank and the Security Service resulted in a suggestion that ‘protection might be afforded in the form of a box around’ VDUs. This suggestion, however, was rejected within the Bank on grounds of cost.
Come September 1978, however, the Computer Services Division (CSD) within the Bank continued to recognise the vulnerability they faced, and, seemingly rather frustrated, suggested that perhaps the ‘best thing’ was to ‘go round the course once again with the CESG.’
Lessons for the future
The Bank’s discovery of the TEMPEST threat, and their attempts to manage it, are instructive for understanding contemporary cyber security. Firstly, it highlights the balance that is required between using new technology to transform institutions and ensuring the security of the operations that such technology powers. Banks, for example, used computers to become more efficient and cut costs but had to ensure the confidentiality of customer information. Secondly, it demonstrates the evolving nature of threats to computer security and the need for a systematic process for identifying and managing new risks. In the case of TEMPEST, an individual at the Bank noted the new threat and investigations were made, but this was an ad hoc alert rather than a specific programme.
We are unable to tell from the archives what ultimately became of the TEMPEST issue in the Bank. More broadly, TEMPEST persisted as a computer security threat, part of an increasingly dynamic and evolving landscape of cyber security threats.
Banks must continue to be alert to emerging threats and face the relentless challenge of having to defend their computer networks against criminals who are continually innovating to identify new vulnerabilities.
This post was written whilst Ashley Sweetman was a PhD student in the Department of War Studies at Kings College London.
If you want to get in touch, please email us at firstname.lastname@example.org or leave a comment below.
Comments will only appear once approved by a moderator, and are only published where a full name is supplied. Bank Underground is a blog for Bank of England staff to share views that challenge – or support – prevailing policy orthodoxies. The views expressed here are those of the authors, and are not necessarily those of the Bank of England, or its policy committees.