One of my favorite scenes in the movie Karate Kid was where Mr. Miyagi is asked the best way to avoid a fight. He solemnly responded, “Don’t be there.” Agreed.
We who operate in the clearance world know we are challenged more than others. We hold information deemed by our respective governments to be sensitive, and therefore affecting our national defense. If we compromise it, whether wittingly or not, our country loses some of its safety. That’s why we go to tremendous efforts to protect that information, from selecting you to carry it, to someone else to make sure you do so safely and wisely.
Today’s news carries stories of supposedly an unheard-of method forĀ compromising cell phones. We’ve known for years that a USB stuck surreptitiously into a computer could suck it dry of information in no time. Further, phishing expeditions could get us to click on an apparent good link from a trusted source, but unwittingly allow malware into our computer or phone devices. These could exfiltrate loads of data immediately, or lie dormant for an extended period until unleashed on us by an adversary. That is, malware, computer or phone compromising software could be left alone by our adversaries until deployed at a time of their greatest advantage. They would sit there on our computers for years. They could either remain inactive, but unknown, or actively exfiltrating data. This stolen data, once collated and analyzed by an adversary, could establish line and block charts of how our organization, chemistry samples, or even our personalities interconnected. In any case, be it immediate theft, surprise attack, or long-term collection, our electronics are vulnerable and their defense is paramount. How best to protect ourselves in this new environment?
Considering Company Travel? Keep Your Cell Phone Safe
Travel is picking back up. Business travel carries cleared professionals far and wide, through countries of all stripes, both friend, adversary, or sometimes both. While we’ve spoken before about the many ways espionage can occur while our cleared personnel are abroad, a new threat has developed. In light of the increased option for virtual attendance, the best advice for many cleared professionals considering business travel may be: don’t be there.
Much speculation exists about the cell phone threat, as emphasized by the NSO Group’s cellphone spyware. The NSO Group has created a method of capturing cell phone data without any action on the part of the owner. It could simply target and gather the data contained on the phone. Admittedly, there has not been much follow up to this story, because of the myriad questions no one wants to answer. The initial stories suggest the capability was to be given to governments to break into closely guarded drug and organized crime phones. Is this what really happened, and was this intended good effort thwarted?
This is a concern that developed when a mysterious leak of 50,000 international cell phone numbers revealed that this Israeli based company sold a means of compromising phones without any action on the part of the owner. Supposedly, this capability was sold abroad to governments. Yet now some of those governments are accused by human rights watch groups of using the phone data thus compromised to effect arrests of peaceful demonstrators, investigative journalists, or others opposed to the government. In short, this capability sneaks into your phone, steals everything you’ve said, who you’ve said it to, and what links to others you and they might have.
BYOD vs. Burner Phone
This is a threat to our classified programs. How can we defend against it? We always advise when people travel abroad to leave their office computer at home. Take a clean computer without office data, so that information can’t be compromised. The value of clean computers abroad, (or for that matter at domestic conferences or visits) is that if it is compromised, they won’t get anything of value anyway. Also, this clean computer can be relatively easily checked upon return to see if malware exists inside it, surreptitiously deposited by an adversary abroad.
Yet now we are concerned about phones, too, based on recent threat information. As we often provide clean laptops for the company traveler, now we may need to provide a clean phone. Why place your government or corporate phones at risk if you don’t have to?
Cost is always paramount in any business venture, government or private. So consider whether sending your technicians or managers abroad without some protection against this new threat is worth the risk. Only you can decide, after consultation with your supporting specialists. Check too with your government technology advisors. They can get you started in the right direction.
When in doubt, leave it to the professionals to combat technical threats. But do what you can to minimize that threat where you can. When the chance comes to travel, and you wonder what to do about your official phone service which connects to your programs and personnel, leave it at home. Best defense? Don’t be there.
