- What unique information security challenges does China present to a traveling executive when compared with other countries?
You have to understand that you are not in a free state; you could be constantly monitored, both your physical movements and all communications. Your electronic devices might be accessed, again either physically or electronically, to steal information you have, or inject malware to gain remote access to your devices, and/or infect your organization’s network when you return.
Never leave your phone, tablet, or laptop unattended. If you happen to be targeted (which may depend on who you are, your nationality, your company, your business purpose, etc), you will have people with eyes on you at all times, and they may enter your hotel room, open the safe where you leave your laptop, and copy the hard drive. If you are at lunch, and have your phone on the table, you might be distracted while someone takes your phone and quickly downloads data from it and then returns it when you turn around. Be aware if anyone, particularly pretty women if you are male, show assertive interest in you. They are just a distraction to give someone else time to access your devices.
While this is not the reality for all Western business travelers, it is in the range of possibility if you are visiting for a business purpose that could be considered to put China at a disadvantage.
- What unique information security challenges does China present to companies’ corporate networks based in China?
Your network traffic might be monitored, there might be listening devices in your office, and cellular connections might also be eavesdropped on. Don’t store any intellectual property, or sensitive or competitive information on the local network in China, use a remote desktop to access platforms in Western territories, only store critical information outside of China.
There is great risk of insider threat, as locals may be under direction of the State to gather information. Keep servers in a secure room, with strong access control, as even cleaning or utility staff might be under direction of the State to collect information.
If you bring in a lot of computing equipment into the country, to build a datacenter or server room for example, be prepared to be harassed by “officials” who will show up unannounced and want to audit that you have specific components and demand to see that they are present. Sometimes they will ask you to show them larger computing or network devices; sometimes it might be really small network adapters or phones. They do this under charter that they want to make sure you didn’t re-sell the equipment; but likely, this could be a distraction technique for someone to visually map the building, enumerate what is in server room, and look for information sitting around the office.
Finally, have a procedure in case of a “Dawn Raid,” where Law Enforcement or Military will show up unannounced one morning, and need to collect servers or other paperwork and devices as evidence for a claim against your company. They will show up with a team of armed agents who will take computers, file cabinets, and even walk out with your systems. This is a very inconvenient event.
- What is a common information security mistake made by travelers to China that could be avoided with better preparation?
You will not have access to the entire Internet, and where you do browse is monitored. So it’s important to setup a VPN before you travel. The Great Firewall of China (GFC) will block IPsec VPNs, and many known SSL VPN services. Setting up an SSL VPN termination point, either through a service, or on your own will help you get unfettered access to the Internet when you are in country. If you try to setup something after you are there, or just pick a popular VPN service, it won’t always work, and when it does you’ll only get access for a few minutes until it shuts down. Which is very frustrating.
Second, Google and Gmail are natively blocked by GFC. People come to rely on these so much they forget how tough it is to work without them. Getting the VPN setup before you go will make sure you stay connected.
- What are some common phishing or exploitation techniques used by Chinese State actors?
They use similar techniques to other actors and there is a wealth of phishing templates to use from very simple to very advanced. They will escalate which malware they use, depending on the sophistication of the target. They will start basic, to see if it’s caught, then use something unique, and only save zero-day exploits for the most advanced, or important targets. They are less concerned with attribution, and they will come from obviously Chinese networks. That is why some people think Chinese hackers aren’t that advanced, because it was the basic attack that compromised the victim.
- What are some information security best practices an executive should always consider ahead of travel to China?
Best practices for travel to China aren’t much different from what you should normally be doing anyway: keep systems and applications current and with the latest patches. Use strong passwords, and use different passwords for each application; train users on how to be safe.
Use of encryption could be a challenge, as technically it’s illegal to have encryption on your devices; but they won’t call you on it unless you give them a reason to or they generate a reason to. So it’s best to not encrypt; therefore, don’t store anything that you need protected; rely on paper and physical control for that. Also, remember all cellphone and telephone conversations are monitored.
- What would you recommend to do if you suspect your information security has been compromised during your trip?
It depends on if you have the resources (or business need) to learn what happened to compromise the device or not. If you don’t care, or don’t have anyone to do forensics on the device, then turn it off, don’t use it for the rest of the trip, and destroy or replace the hard drive when you return. For mobile devices, you might do the same, and do a factory reset, or just destroy the device if you can.
If you want to collect evidence: put mobile devices in airplane mode, keep them charged until you return, then give it to a forensics team to gather evidence and indicators and determine if the device can be wiped and reused, or if it needs to be destroyed. For laptops, put in sleep mode to save memory, and do a similar forensics process when you return.
If you need to use these devices while you are there, make a risk based decision whether knowing the device is not trusted matters to what you are doing, or purchase a burner phone while there. If it is critical that you need a device for your work, consider bringing backups that you leave off until you need to use them.
- In your work with clients, have you observed changes in the threat dynamic presented by Chinese actors over time when compared with non-Chinese actors?
Like most threat actors, the Chinese are only as good as they have to be to accomplish their job. Many organizations that have been compromised by Chinese hackers say that they weren’t that sophisticated. This is more a statement of the victim’s security posture. The more secure you are, the more the actors will escalate to achieve their goal. If you are wide open and not monitoring your network well, they will be sloppy, hurried, and leave a lot of tracks. If you have good controls, and are actively monitoring, then they will be patient, stealthy, and very advanced. Also, they care less about hiding where they are coming from; they have been more blatant about coming from Chinese networks. I’m not sure if they are doing it to let the victim know who they are dealing with, or they know there is little consequence to them if discovered.
- What is the worst case of someone’s information security being compromised during a trip, to China or elsewhere, you have observed in your career?
Someone I knew, who was a CTO of a company, told me how he was actively followed throughout his trip within a large city in China. Every day, when he returned to his hotel room, he could tell that more than one person looked through his drawers, bags, and the room safe. He always had someone watching him, and those spies would regularly walk by his table at restaurants, if they couldn’t be sat at a table near him. They were obviously listening to his conversations. At the restaurant, or coffee shops, they attempted to take his phone off the table, or his laptop bag from the floor by his feet, when he was distracted. One day he returned to his hotel early and two pretty Chinese ladies stopped him in the lobby attempting to engage him to “practice their English.” He insisted he was in a hurry to get to his room, and when he looked back at them before the elevator doors closed, they were hurriedly and anxiously on their phones, looking at him– likely notifying whomever was sweeping his room that he was coming up.
Rick Doten is Chief, Cyber and Information Security for Crumpton Group in Arlington, Virginia. Rick provides strategic guidance for large company CISOs, and sometimes acts as surrogate CISO for companies who want to improve the IT security and risk management programs.