What countries are at highest risk of espionage on personal devices?

Assuming you have a basic level of Cyber Security measures, e.g. encrypted hard drives, decent user name and password rules, encrypted VPN tunnels etc., I would say there are a number of issues to consider.

  1. Content on the laptops - is this commercially sensitive, nationally sensitive, any export controls applicable. Effectively who would be interested in the data and what skills / resources do they have at their disposal?
  2. Your business - what it is you do and how that can be seen in different cultures - are you at risk of industrial, national espionage or from hacktivism.
  3. The legality of your "standard" IT Security Solution in the country of destination - I believe some countries (especially in the Middle East) have a big problem with encryption and prohibit any encrypted communications.
  4. Your level of risk acceptance based on the country of destination. E.g. do you mind if the US authorities exercise their right of search of your device and would you be happy to provide any decryption codes to the border staff before the laptop is taken away for investigation?

A multinational company I work closely with (all laptops have HDDs which are high-level encrypted, and where remote access is authorized it is via VPN but only with RSA tokens) has a list of "home" countries where standard laptops can be taken; this is essentially all the countries where the company has a major presence (except USA). Outside of that the user "should" contact IT and obtain a loan laptop; there are 2 levels, "amber" and "red", based on Security advice on the country of destination.

"Amber" is for relatively friendly countries where for business purposes a clean laptop is taken (so a fresh internal build) with only the files needed for the business trip; these can connect via VPN back home and essentially work similar to the traveler's normal laptop. The issue here is to minimize risks from data loss, export offenses etc., whilst maintaining a good level of access.

"Red" is for particularly risky countries where data intercept is to be expected; these include China, Russia or where encrypted VPNs are banned in law. These laptops are very basic, with fresh installs of base Windows with basic office software, public email, internet access, and only approved files may be loaded on to them (e.g. pre-cleared presentations). These "red" devices have no way of 'phoning home' and will be wiped on return, and once marked as a "red" laptop they will remain "red" until they are finally shredded (literally).

I have heard of some organizations which have a process in place to counter the risk of border security searches, e.g. in the US, whereby the device is encrypted before travel and critically the user does not know the decryption code so is unable to log in. That is only disclosed once the traveler gets through immigration. The process is printed and the traveler can show that to immigration staff, and apparently that gets round the right to search non-US citizens, but not being a lawyer I'm not sure how true this is.


Does this make any real difference?

I mean, is the goal of this question to build a list of countries where you need to be secure, and others where it is not necessary because people out there are all nice?

I think that if you need to secure your data and infrastructure, you need to secure it the same way no matter if the attacker is a Chinese, an American, an Iranian or an Eskimo. I simply would not trust unknown people.

So, if you really want a list since this is what this question is about, IMHO it would be something like:

  • Friendly: The inside of the company.
  • Hostile: The rest of the world.

The Financial Action Task Force has always maintained a list of Non-Cooperative Countries or Territories (NCCTs), often referred to as the FATF Blacklist.

The countries are added to the blacklist because they are perceived to be non-cooperative in the global fight against money laundering and terrorist financing.

At the moment -- http://www.fatf-gafi.org/countries/#high-risk -- you can see that Afghanistan, Bosnia and Herzegovina, Ethiopia, Iran, Iraq, Laos, North Korea, Syria, Uganda, Vanuatu, and Yemen are on the blacklist.

I agree with the others that these countries aren't Internet-hostile and that any country can be considered hostile when it comes to hardware (such as laptops during travel). However, many banks or other financial-services companies can (and do) block the FATF-blacklist listed countries at their routers and firewalls. Getting money and other financial assets into and out of these countries is going to be difficult any way that you look at it, whether over the Internet or not.

Here are two articles that I typically reference for travelers:

  • https://20kleague.com/best-practices-travel-security/
  • https://www.entrepreneur.com/article/286411

In addition, you sometimes do see cybersecurity or e-crime information available in the OSAC Crime and Safety reports (from the US Department of State) -- https://www.osac.gov/pages/contentreports.aspx?cid=2