TEMPEST
TEMPEST, which is both a U.S. government acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions and an abbreviation of Transient Electromagnetic Pulse Emanation Standard, defines the counterintelligence standards developed to protect secure data transmissions from electronic espionage. Although the program’s actual requirements are classified, it is widely known that TEMPEST sets strict limits on signal radiation from data handling electronic equipment. While the scope of published TEMPEST information focuses on physical equipment, such as monitors, printers, and devices that contain microchips, the term is commonly used to describe efforts throughout the field of emissions security (EMSEC), which — according to the Alliance for Telecommunications Industry Solutions (ATIS) — is defined as, “The protection resulting from all measures designed to deny unauthorized persons information of value that might be derived from intercept and analysis of compromising emanations from other than crypto-equipment and telecommunications systems.”
It was determined that transmissions could be detected through the open air from a significant distance by listening to the emissions from a cable in the early 1900s and, in 1918, the U.S. Army hired American cryptologist Herbert Yardley and the members of Black Chamber, a cryptographic organization Yardley founded, to develop methods to detect, intercept, and exploit combat telephones and covert radio transmitters. Those actions are amongst the first that can be classified as falling under the TEMPEST mission of protecting signal transmission through cabling and other communications equipment; however, the code-word TEMPEST wasn’t used until the 1960s.
Although the detailed requirements of the TEMPEST program are classified, the program is known to govern the transmission, reception, and testing of signal emanations and to categorize electrical and electronic cabling, devices, and systems as RED and BLACK, with RED media dedicated to handling unencrypted classified information, including national security information (NSI), and BLACK media dedicated to handling properly encrypted NSI and unclassified data. Basic RED/BLACK requirements and criteria were declassified in 1995 as the National Security Telecommunications and Information Systems Security Advisory Memoranda (NSTISSAM) TEMPEST/2-95. In addition, NSTISSAM TEMPEST/1-92 offers declassified information about laboratory test requirements for compromising emanations from electromagnetic media, but redacted all sensitive information, leaving many actual emission limits and test parameters classified.
However, even without more complete publicly available parameters, TEMPEST is known to have served as a model for many other governments’ equivalent programs. For instance, the North Atlantic Treaty Organization (NATO) equivalent is AMSG 720B. In the UK, the Government Communications Headquarters (GCHO), the equivalent of the United States’ National Security Administration (NSA), administers an equivalent program, and in Germany, the National Telecom Board administers their equivalent to the TEMPEST rating program, but the names of the standards supplied by the government remain classified.
TEMPEST-Approved Information Security Measures
While there is only one U.S. TEMPEST standard, there are three U.S. levels of NSA encryption level approval. Type 1 is acceptable for use in classified or controlled cryptographic equipment and may refer to assemblies, components, or other items endorsed by the NSA for securing telecommunications and automated systems for the protection of classified U.S. government information. This equipment is also subject to restrictions in accordance with the International Traffic in Arms Regulations (ITAR). Type 2 encryption is for equipment, assemblies, and components used in the transmission of non-classified but sensitive information, and Type 3 implements an unclassified algorithm registered to the National Institute of Standards and Technology (NIST) for use in protecting unclassified sensitive or commercial information.
U.S. TEMPEST certification can apply to both individual pieces of equipment and to complete systems in a network environment, and there are separate TEMPEST testing procedures for equipment in a laboratory and for systems in the field. Both field and laboratory TEMPEST tests include all system components, and field tests extend testing to include any and all network cabling used to transmit secure data. TEMPEST emission control standards for equipment and cabling, combined with data encryption and other security systems, provide adequate information security (INFOSEC) measures but, because of the program’s stringent requirements, long offered the government few options for the physical layer security required to protect classified network data cables.
TEMPEST-Approved Physical Security Measures
One effective cabling solution capable of providing the physical layer security that TEMPEST requirements dictate is the use of fiber optic networks. Fiber optic cabling provides added protection due to the fact that optical
 64