Foiling cyberspies on your business trips
The admonitions to business travelers headed to other countries should be familiar by now: Keep your laptop with you at all times. Stay off public Wi-Fi networks. Don’t send unencrypted files over the Internet.
But not all travelers are heeding them, and many are unaware of the foreign hackers and state-sponsored spies who are taking advantage of their lax security practices.
“There’s a difficult intersection between convenience and security,” said Samantha Ravich, who studies cyberenabled economic warfare at the Foundation for Defense of Democracies, which focusing on national security. It takes time to work abroad securely, and she said she would “often see executives hanging their head somewhat sheepishly when I ask who in
the room follows all the security protocols.”
The theft of technical product specifications, investment plans, research on mergers and acquisitions, marketing plans and other information can have consequences beyond loss of revenue and market position, Ravich told the Senate Foreign Relations Committee this year. She described potential large-scale effects of state-sponsored economic warfare, which, she said, could disrupt the delivery of items crucial for manufacturing, malware incidents that could disrupt travel and cyberattacks that could force companies to shut down their websites.
The problem of intellectual property theft is not new, but it is now much more widespread. “Placing listening devices in conference rooms, hotels and restaurants is traditional Espionage 101,” Ravich said. But with tools like tiny inexpensive cameras and microphones or compromised Wi-Fi networks, corporate or state-sponsored industrial espionage “can be done cheaply and at scale,” she said.
Microphones in a conference center, for instance, can be recording constantly, and those recordings can be fed into natural language processing software trained to flag certain words and report those conversations. “It’s not just a guy with headphones listening in the next room anymore,” Ravich said.
Communicating online overseas can be especially fraught, said Nicole Miller, a San Francisco consultant who helps companies communicate with employees and customers on cybersecurity issues. “Assume any data, any information you transmit can be taken by a hacker, nationstate or another business,” she said. “These are not pedestrian tools they are using. They are extremely sophisticated.”
Physical security of phones, tablets and laptops is as important as online protection, Miller said. “Don’t leave your laptop or papers in your hotel room when you go out,” she said. A hotel room safe should not even be considered secure.
Miller said she advises travelers to create complex passwords for their devices and all of their online accounts, to use two-factor authentication whenever possible and to avoid plugging other people’s USB drives or other external hardware into their computers.
Laptops should also be wiped clean of any data and software at the end of the trip, she said. “Your device could have been altered, your data could have been altered,” Miller said.
Stanford University and Microsoft are among educational institutions and companies that supply comprehensive precaution and instruction lists to their employees who travel abroad.
Maureen Sharma travels regularly to Asia as part of her work for Mullally International, a small product development company in Seattle. Some unsettling incidents, she said, have made her more cautious when she travels abroad.
“I often get more spam and strange emails that look like they are from me with attachments,” when returning from her business trips. Once, Sharma said, she received an email that looked as if it were from a Chinese factory she was working with, asking her to send the next payment to a new bank account. “Luckily, I called to confirm, because the factory had not sent that email,” she said.