RSA Conference 2020 – San Francisco – It was an impressive claim. "Implementing the Perfect Travel Laptop Program" was on the sign at the door of the conference room at RSAC and the attendees at the morning session were buzzing with anticipation. Then Brian Warshawsky, JD CCEP, manager of export control compliance at the University of California Office of the President took the stage.
"There's really no such thing as a perfect travel program," he said.
Well, alrighty, then.
There is such a thing, he said, as a very good travel program. And the key to that very good program is balance. With that, Warshawsky began laying out the factors that must be balanced in the creation of a travel laptop program.
First, he said, "Business travelers must understand they have no inherent right to privacy while traveling, and that most network operators conduct at least superficial surveillance." That awareness means security professionals within an organization should perform triage on the data and systems that employees want to carry, especially when the destination is international.
Warshawsky said that governments' willingness to take data as it comes into and out of the country on electronic devices means that organizations need to ask themselves a series of questions about the data.
- Is the data and information contained with the device worth more than the device itself?
- What are the local laws in the country being entered?
- What is the result to both the individual and the organization if all data on the device were compromised or released?
- What is the effect of device encryption?
He pointed out that these are the foundational questions and must be asked not only about the countries of origin and destination, but of every country that will be a transit point on the trip. Warshawsky gave London's Heathrow Airport as one that is infamous as a midpoint in international travel. Many connections, he said, require changing terminals, which requires going through a security checkpoint, at which point officials can demand access to files on devices.
Many organization think that full-device encryption will be enough to protect all on-device information from prying eyes, Warshawsky said. It's important to remember, he reminded the audience, that on-device encryption is only as strong as the individual carrying the device. When local authorities threaten to imprison an employee until they supply the device password — or until the authorities can crack the device — it may not take long before the device is unlocked, decrypted, and completely duplicated into local servers.
In addition to potential human weakness, Warshawsky said that organizations must be aware that very strong encryption might be illegal to carry into certain nations. Part of the compliance review for a travel program must include answering the question of whether the information on the device, and the technology used to protect it, can legally be carried out of the country. The penalties for getting this wrong, he pointed out, can be severe for both employee and organization.
The Risk-Based Approach
To properly assess the risk of a trip, there are five questions that must be asked in the process:
- What is on the device?
- Who owns it?
- How is it being used and secured?
- Why is it needed overseas?
- Where will it be located and for how long?
The question of what is on the device is especially critical when an employee is going to give a presentation at an international conference: While the presentation itself will likely have been vetted and approved by both management and corporate legal, supporting documents brought along for follow-up conversations might easily be outside organizational guidelines, national law, or both.
Ask the Questions
Before travel begins, Warshawsky said there should be a formal, documented series of steps the traveler must take.
- Pre-travel briefings
- Pre-travel surveys
- Net forms
- Signed acknowledgement forms
- Travel letters
- Data and hardware classification
The surveys, he said, are especially important for answering questions around what information is absolutely required for the trip, whether there are workable alternatives to carrying the information on a device, and making plans for using or transferring the information in any nation that might outlaw VPN use.
Ultimately, he said, travelers should only carry data that they (and their organizations) are willing to see compromised. Travelers must be fully briefed on limitations on their rights at international crossings and on the laws applying to data in every country they will visit or transit. The point of all this is to enable and support international travel, but to do so in a way that is legally compliant at every step of the trip.