For travellers doing business in China, the risk of mobile devices and computers being targeted for corporate and military espionage has become a very real threat.
Travellers have identified machines left in hotel rooms that had been accessed, sometimes with key-loggers installed. Mobile phones have been accessed and tampered with in the same way.
Incidents like these have become part of a general escalation in cyber-attacks by the Chinese on a range of targets, spurred on by China’s insatiable desire to accelerate the growth of its industrial, scientific and military capabilities.
The risk has been acknowledged across the board, with the head of MI5, Sir Jonathan Evans, recently warning universities in the UK that they were high-risk targets of Chinese cyber-attackers seeking research secrets. Companies with employees travelling to China have already started taking a variety of precautions.
As with all matters relating to security, the challenge is to be restrictive enough to keep corporate assets and secrets safe, but not so restrictive as to prevent the employee from doing any useful work.
The principal threats that have been identified start with laptops and mobile devices left in hotel rooms. Through a variety of means, they can be infected with key-loggers and spyware. Of course, it is not just the information on the devices themselves that is at risk. Once the attackers have usernames and passwords, the employee’s corporate networks are also potentially at risk.
Even without physical access to the machines, connecting to any network, whether it is the phone network or the hotel’s wireless network, poses multiple risks. Surveillance may again yield usernames and passwords but also, more importantly from a Chinese security perspective, information about what their own citizens may be doing.
There are a variety of strategies to mitigate, but not entirely obviate, the risks. Leaving aside the option of not taking any device to China and avoiding all electronic communication, there are some basic strategies that can be employed:
1. Start with a clean slate
Phones and laptops can be imaged specifically for the trip with no corporate data and then re-imaged after their use.
2. Use secure mail services
Access to email should always be via SSL or via a VPN. There are a number of VPN services that can be used, although there is no guarantee that these services have not been compromised in some way. Use of corporate VPNs should be avoided unless the VPN has been set up with only limited access to the full corporate network. VPN access may be blocked on hotel networks or by China’s “firewall”, so it may not always be possible to rely on this as the sole means of communication.
3. Stay near to your gear
If possible, devices should be kept with the traveller at all times, although unless the device is a tablet, carrying a laptop around would not necessarily be convenient. An alternative approach is to use a device, such as a laptop or Chromebook, that can run a distribution of the Linux operating system (such as Ubuntu) from an SD card or a USB memory stick. This enables the owner to remove the card or stick and carry it with them. If the user needs Windows, for example, a remote desktop could be accessed.
4. Use encryption wisely
Encrypting sensitive data or using the operating system's built-in disk encryption is a possibility, but it suffers from the drawback that if key-loggers are installed, attackers may obtain the passwords for the encrypted files.
5. Disable Java and Bluetooth, and keep security software up to date
Ultimately, it is always safer to assume that someone may have accessed information on, or transmitted from, a computer or mobile phone whilst in China, and so if there is anything sensitive to communicate, doing it digitally should be avoided.
On a final point, whilst China is not the only country where these measures might apply, it is the main country that has the means and motive to carry out surveillance at this scale.