7

When co-workers travel internationally for business there seems to be risk of bringing a regular work laptop to some countries: the risk is that the government might try to spy on the dta stored on your device.

The one's that immediately come to mind is China / N Korea.

Is there a list of countries where this risk is highest? Is there a list of countries where it is recommended to take a 'burner laptop'? I am hoping for a list that is relevant to a US-based business.

D.W.
  • 98,420
  • 30
  • 267
  • 572
pzirkind
  • 707
  • 6
  • 12
  • 2
    Not sure if there's a specified list but if you are creating a list of your own you can add Russia to it – nd510 Mar 23 '17 at 20:04
  • 6
    I'm assuming that you are from the US? You should explicitly state that, as it seems relevant. It would also help narrow down your question if you could specify what risks you are worried about (customs reading data from your hardware or installing keyloggers), and what position you have (the answer is probably different when you are a software dev, a security researcher, a US diplomat, or the US president) – tim Mar 23 '17 at 20:09
  • 7
    I don't think this is a good question because it can only be answered with speculations and generalizations. – Arminius Mar 23 '17 at 21:21
  • 16
    For every other country in the world, the USA would be on the top of such a list :-) – Bergi Mar 23 '17 at 22:53
  • 5
    @Bergi for the USA as well. Maybe even more so. – Amani Kilumanga Mar 24 '17 at 00:33
  • 4
    All of them? Do you really think there's any country where the national intelligence services don't conduct electronic surveillance on visitors, citizens, or both? Pervasive government surveillance is a fact of modern life. You need to refine your question with what threat you're worried about - corporate espionage, official discrimination (or worse) based on personal beliefs or "lifestyle", etc. – HopelessN00b Mar 24 '17 at 02:06
  • 2
    For travel the US appears to be much, much worse than China at present. – Spehro Pefhany Mar 24 '17 at 10:05
  • 2
    Not long ago a guy from NASA had to provide access to his electronic devices while entering his country… he was American. Just assume someone might try to search your electronic devices and act accordingly wherever you go. There are no safe countries per se. Personally, I don't take any particular measures when traveling within the EU (except Britain), but US, China, Middle East… that's a different story and I wouldn't want to have any sensitive info on my devices if going to those less privacy-friendly locations. – Daniel Mar 24 '17 at 14:40

3 Answers3

23

Assuming you have a basic level of Cyber Security measures e.g. ecrypted hard drives, decent user name and password rules, encrypted VPN tunnels etc. I would say there are a number of issues to consider.

  1. Content on the laptops - is this commercially sensitive, nationally sensitive, any export controls applicable. Effectively who would be interested in the data and what skills / resources do they have at their disposal?
  2. Your business - what it is you do and how that can be seen in different cultures - are you at risk of industrial, national espionage or from hacktivism.
  3. The legality of your "standard" IT Security Solution in the country of destination - I believe some countries (especially middle east) have a big problem with encryption and prohibit any encrypted communications.
  4. Your level of risk acceptance based on the country of destination. E.g. do you mind if the US authorities exercise their right of search of your device and would you be happy to provide any decryption codes to the border staff before the laptop is taken away for investigation?

A multinational company I work closely with all laptops have HDDs which are high level encrypted and where remote access is authorized it is via VPN but only with RSA tokens has a list of "home" countries where standard laptops can be taken, this is essentially all the countries the company has a major presence (except USA). Outside of that the user "should" contact IT and obtain a loan laptop there are 2 levels "amber" and "red" based on Security advice on the country of destination.

"Amber" is for relatively friendly countries where for business purposes a clean laptop is taken (so a fresh internal build) with only files needed for the business trip are taken, these can connect via vpn back home and essentially work similar to the traveler's normal laptop. The issue here is to minimize risks from data loss, export offenses etc, whilst maintaining a good level of access

"Red" is for particularly risky countries where data intercept is to be expected these include China, Russia or where encrypted VPNs are banned in law. These laptops are very basic with fresh installs of base windows with basic office software, public email, internet access and only approved files may be loaded on to them (e.g. pre-cleared presentations), these "red" devices have no way of 'phoning home' and will be wiped on return and once being marked as a "red" laptop they will remain "red" until they are finally shredded (literally).

I have heard some organizations which have a process in place to counter the risk of border security searches e.g. in the US by having a process where the device is encrypted before travel and critically the user does not know the decryption code so is unable to login. That is only disclosed once the traveler gets through immigration the process is printed and the traveler can show that to immigration staff and apparently that gets round the right to search non US citizens, but not being a lawyer I'm not sure how true this is.

SCH
  • 246
  • 1
  • 2
  • 7
    I would not like the job of carrying an encrypted drive into a risky country that I don't have the key to. It sounds like a good way to get disappeared, either by customs that don't believe you don't have the key or by your company by surprising you with some bad data. – daniel Mar 24 '17 at 00:01
8

Does this make any real difference?

I mean, is the goal of this question to build a list of countries where you need to be secure, and other where it is not necessary because people out there are all nice?

I think that if you need to secure your data and infrastructure, you need to secure it the same way no matter if the attacker is a Chinese, an American, and Iranian or an Eskimo. I simply would not trust unknown people.

So, if you really want a list since this is what this question is about, IMHO it would be something like:

  • Friendly: The inside of the company.
  • Hostile: The rest of the world.
WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • 5
    I don't know... can you really trust the people inside of your company? – childofsoong Mar 23 '17 at 21:19
  • 9
    @childofsoong: That's precisely what I was thinking when I chose to write *friendly* instead of *trusted* :). While there ought to be various level of trust in a company, I expect a company to not be an hostile environment to itself, otherwise IT security may be the least of the issues... – WhiteWinterWolf Mar 23 '17 at 21:48
  • That's a very good point! – childofsoong Mar 23 '17 at 23:47
4

The Financial Action Task Force has always maintained a list of Non-Cooperative Countries or Territories (NCCTs), often referred to as the FATF Blacklist.

The countries are added to the blacklist because they are perceived to be non-cooperative in the global fight against money laundering and terrorist financing.

At the moment -- http://www.fatf-gafi.org/countries/#high-risk -- you can see that Afghanistan, Bosnia and Herzegovina, Ethiopia, Iran, Iraq, Laos, North Korea, Syria, Uganda, Vanuatu, and Yemen are on the blacklist.

I agree with the others that these countries aren't Internet-hostile and that any country can be considered hostile when it comes to hardware (such as laptops during travel). However, many banks or other financial-services companies can (and do) block the FATF-blacklist listed countries at their routers and firewalls. Getting money and other financial assets into and out of these countries is going to be difficult any way that you look at it, whether over the Internet or not.

Here are two articles that I typically reference for travelers:

In addition, you sometimes do see cybersecurity or e-crime information available in the OSAC Crime and Safety reports (from the US Department of State) -- https://www.osac.gov/pages/contentreports.aspx?cid=2

WalyKu
  • 145
  • 5
atdre
  • 18,885
  • 6
  • 58
  • 107