
Spy vs. spy: Laptop is the espionage goldmine

If an item is physical, it is often thought of as 'absolute' ownership: If you see it, it is secure and if it is 'locked up' it is secure. That's false in the 21st Century, particularly with laptops, which make valuable data constantly portable. One simple step may bulletproof your corporation against industrial espionage, particularly at hotels.

Is CI a threat or not? You decide

In a world where a trained professional can determine many things from a mere walk through any global area, the data held in a specific employee's possession on a laptop or in a cell phone could hold the key to the larger picture, which an opposing black ops industrial espionage detail aims to piece together.

While fictional, one recent Golden Globe-nominated movie (Duplicity) puts the role of competitive intelligence (CI) departments on display. The slow-motion sequence of two suit-clad CEOs of competing firms having a fistfight in front of their private jets sets the tone of what can often be impersonal, but effective.

Don't be surprised if the spy happens to work for a nation-state, either: MI6 and GRU resources have stated that economic espionage was a charter of their organizations at least through the 1990s.

Given the Deputy SecDef's recent admission that USB drives were used as a hostile intelligence agent's vector for malware, it is important to consider that even though you may physically have the laptop, its contents may have been either sifted or modified by malware:

WASHINGTON – The Pentagon says a foreign spy agency pulled off the most serious breach of Defense Department computer networks ever by inserting a flash drive into a U.S. military laptop.

The previously classified incident took place in 2008 in the Middle East and was disclosed in a magazine article by Deputy Defense Secretary William J. Lynn and released by the Pentagon Wednesday. The Pentagon did not say what nation's spy agency was involved.

He said a 'malicious code' on the flash drive spread undetected on both classified and unclassified Pentagon systems, 'establishing what amounted to a digital beachhead,' for stealing military secrets.

In this business trip from hell war story, familiar to all business travelers, not bringing a laptop may have resulted in a 100 percent chance of no compromise. The only cost: boredom.

Read the full list of Laptop counter-intelligence measures at Securing Our eCity

Lost in translation: Cybersecurity

While working 10 years ago as a wireless engineering tech in San Diego for a Canadian wireless company, our newly negotiated partnership with a Taiwanese firm had stipulated a mandatory training session for their engineers. We had the ability to provide a webinar, which was rejected. At the very last minute, I was sent to fulfill the contract since corporate partner training was my responsibility.

After a 14-hour flight, I arrived in Taiwan – not speaking and barely reading a lick of Mandarin. I was picked up at midnight by my host company's 'best man,' whisked down the dark freeway and deposited at the entry to my hotel, which was to be my home for three days.

Just like Bill Murray in Sofia Coppola's film Lost in Translation, there were several things which left me disoriented: no reading material in my native language, and worse, no internet access at the hotel I would be staying at. Topping it off, the television offered only three channels, all Taiwanese.

Threat intelligence: Increasing awareness

I had deliberately decided not to bring a laptop for three reasons. It seemed to be more trouble than it could have been worth with power cords, there was no compatible wireless standard, and the top of my list – being conscious of the risk factors my personal laptop could have posed for the company.

I happened to be the central testing resource for more than 200 software vendors who wanted to partner with our hardware solutions, which spanned the four top commercial wireless spectrums – CDPD, GSM, Ricochet, and CDMA.

My laptop was a goldmine and I knew it. Therefore, I didn't bring it along. All this resulted in my being bored to death for about a week, including the flight back out. What it avoided: my laptop data being compromised. Further information, which led to my choice, was the pre-departure briefing that informed me that this company may really want more details than I could give them. My product manager confided he wasn't sure what they really were after with a mandatory live meeting.

Therefore, I copied the data I needed onto several CDRs and, as a backup, I uploaded the data into my offsite email. The meeting went as planned and I never worried about a laptop, although my hosts were surprised I hadn't brought one. I assured them that my Palm V was all I needed – even though the power adapters I brought wouldn't work!

In recent Spy vs. spy articles, we took a look at the six questions in our counter-intel corporate traveler checklist:

Counter-intel corporate traveler checklist

  1. What role does this traveler have?
  2. Where is this person heading?
  3. Who are they visiting with?
  4. What information can they completely leave behind?
  5. What information must they have to perform their duties?
  6. What sensitive projects or information may they need to access while they are traveling?


Three rules to laptop security

Rule One: You'll never lose what you don't bring.

The first rule of counter intelligence that was placed before me in military technical training was that you can't lose what you don't have. Therefore, our highly classified notes, notebooks and workbooks were locked up daily. We held the information in our heads and didn't take notes back to study. Building crib notes for cheating in this environment meant breaching national security.

Not passing meant not flying. A lot didn't pass – not able to memorize the content or because of security violations of one sort or another. A risk of capture course, known as SERE, effectively locked down even the information in our heads.

Nothing on your laptop is worth your life - but you'll never lose what you don't bring.

Compare this to SERE: nothing more invigorating than a week-long desert evasion course complete with bad guys and prison camp guard towers to provide the elements required for Kirkpatrick's third to fifth training evaluation of counter intelligence. Again, not passing meant not flying. Most of us passed: some with broken wrists, ribs and arms.

Rule Two: It's easier to think security about tangible items than those which aren't visible.

The key point of the story is this: even 20 years ago a lot more people passed the hardest physical security challenges than passed the intellectual challenge of my technical school's security protocols. The physical was easier to relate to than the mental or intangible because that's human nature.

Rule Three: See Rule One – you'll never lose what you don't bring.

One lesson from SERE which I can share is that we all learned the valuable lesson of sanitizing ourselves prior to any combat operation – leave everything not mission-related behind. Everything of interest to an opposing force was anything personal or anything operation-related.

It is the tough balance between minimizing corporate exposure which fulfills counter-intel checklist step four: What information can the traveler completely leave behind?

Consider that the status quo dynamic of always bringing a laptop chock-full of competitive information on a business trip may not be the best idea and may need to change. Realize that this is a hard change to implement and even harder to justify to those senior executives who are used to a laptop.


More Spy vs. spy and cyber espionage from SC Mag:

  1. Spy vs. spy: Easy cell phone policy for corporate travelers
  2. Spy vs. spy: Two traveler tools under $10
  3. Spy vs. spy: Hotels and business travelers
  4. Cyberespionage: Raids from afar 
  5. Software/hardware assurance: Supply subversion
