While corporate IT departments are focusing on a new wave of data security threats, including WannaCry, an even bigger threat looms and nobody is addressing it.
I'm talking about the rules around laptops, tablets and smartphones during business travel.
The new risk of air travel data exposure is coming in two forms. First is a laptop ban. The other is a policy of smartphone data extraction.
The looming laptop ban
The likelihood of a catastrophic, draconian laptop ban is higher than you think -- and the security risks, graver. Let's first dig into where this threat is coming from.
I'm writing this column from Morocco, one of the countries targeted in a laptop ban instituted by the U.S. Department of Homeland Security (DHS) in March. Laptops are banned in carry-on bags on U.S.-bound flights originating from 10 major airports in Dubai, Egypt, Jordan, Kuwait, Morocco, Qatar, Saudi Arabia and United Arab Emirates. (The UK implemented a similar, but more limited, ban.)
Laptop bombs in the cabin are considered far more dangerous than those in the baggage compartment. If laptop bombs are designed to be detonated manually, they can be mass-produced and built in a way that more easily evades security detection.
Laptop bombs to be detonated remotely in the cargo hold are harder to build and easier to detect with security X-ray machines because they need timer or remote-detonation wiring and other components, which can be seen.
The current ban is minor. It's just a few airports. And business travelers can still bring their laptops, albeit in checked bags. But the data-exposure risks associated with future bans are very high.
Earlier this month, U.S. officials held urgent meetings with European counterparts to discuss a wider ban of laptops on flights originating in Europe because of reportedly solid intelligence that ISIS is building laptop bombs that can evade airport security.
President Trump even controversially "held talks" on the risks posed by laptop bombs with the Russian foreign minister and Russian ambassador to the U.S.
Under a broader ban, it's possible that (as with the current ban) travelers would be allowed to pack laptops and tablets into checked luggage. This is problematic because knowledge that checked bags probably contain laptops would spawn a new criminal industry to steal bags, or steal laptops from bags.
(On a business trip to Mumbai, India, the airline "lost" my checked bag. When it was eventually found and delivered to my hotel room, it was "locked" with plastic cable ties and wrapped in plastic wrap. When I opened it, there was a camera-shaped hole in my clothing where I had packed my camera. Checked-luggage theft happens.)
Here's the graver issue for business travelers that nobody is talking about: The more likely outcome is that in the near future laptops and tablets will be banned from both carry-on and checked luggage.
The reason is that accidental lithium-ion battery fires are statistically probable when lots of passengers are carrying multiple devices.
In the past, these have mostly occurred in passenger cabins and been contained by fast-acting flight crews with fire extinguishers. The FAA reported 33 cabin fires caused by personal electronic devices last year. (Some were in use, others were not.)
Had such fires broken out in a baggage compartment instead, they might not have been extinguishable -- causing damage (and potential crashes) for 33 aircraft.
Passenger-plane cargo holds do have fire suppression systems that use halon gas fire extinguishers. But these are no match for a process called thermal runaway, which can happen with battery fires that result in temperatures exceeding 1,400 degrees Fahrenheit.
An FAA report published two years ago said that "the uncontrollability of lithium battery fires can ultimately negate the capability of current aircraft cargo fire suppression systems, and can lead to a catastrophic failure of the airframe."
That's why U.S. airline passengers are required to carry loose batteries in carry-on bags, and why last year the UN's International Civil Aviation Organization (ICAO) banned shipments of lithium-ion batteries as cargo on passenger flights.
Carrying lots of battery-powered devices in the baggage compartment is extremely dangerous. And since the widespread conveyance of laptops and tablets in checked bags would lead to near-certain aircraft destruction, it will not be allowed.
What we're actually facing is a total ban on traveling with laptops and tablets. And it could happen with little warning.
For the current ban, the government gave airlines 96 hours' notice. The next ban could be immediate if it's based on intelligence of an imminent threat -- or actual events.
Four months ago, a laptop bomb on a flight from Mogadishu to Djibouti that passed successfully through airport security was detonated in flight. It blew a hole in the plane, and the bomber was sucked out. Pilots were able to land the plane safely. Had the explosion happened at cruising altitude, rather than during ascent, it would likely have killed all on board.
A more successful attack, especially one involving, say, a flight from Europe to America, would likely trigger such a ban immediately and globally. In other words, we may be one explosion away from a complete ban on laptops on airplanes.
Enterprises are totally unprepared.
The coming smartphone crisis
Even fewer people are talking about what's possible with smartphones and business travel.
Earlier this year, smartphone-using business travelers learned about the longstanding legal right of U.S. customs officials to search smartphones. In February, news reports circulated that a U.S.-born NASA scientist named Sidd Bikkannavar, returning home from a trip to South America, was forced to unlock his phone by U.S. Customs and Border Patrol agents.
(Technically, passengers can refuse to provide PIN codes or passwords, but agents are authorized to detain them if they do so.)
The phone was government-issued and may have contained NASA secrets or even national security secrets. NASA specifically instructed Bikkannavar to never share the phone's passcode. He did share it, and agents took it away for 30 minutes, but Bikkannavar doesn't know what information was extracted -- or what agents did with that information.
DHS secretary John Kelly has since said that he's interested in foreign visitors being forced to give up not only passcodes to unlock phones but also passwords to social media accounts. That way, agents can check not only public posts, but private ones and who someone is following as well.
Some blame the Trump administration for the aggressive stance on smartphone unlocking, but this position has been evolving for two years. Homeland security experts realized that the terror watch list wasn't working, and needed a better way to identify bad guys. They believe extracting data from smartphones is the key, and the department has been amassing technical tools for quickly extracting data at borders and airports.
As with the laptop ban, the policies and practices of border agents around extracting data and forcing passwords on smartphones could change overnight, given an imminent threat.
Understanding the implications
The way for responsible corporations to think about business travel with mobile devices is twofold.
First, Constitutional (Fourth Amendment) protections against searches and seizures are suspended at the border. Each border crossing or customs passing-through represents the exposure of whatever company data is accessible on smartphones to government searches without a warrant or probable cause. No criminal charges, no active investigation, no suspicion is required for U.S. border authorities to extract any and all data from smartphones. The protection of that data in the hands of DHS is also unknown. Multiple government agencies have been hacked and data stolen over the past few years.
Second, anything the U.S. does, other countries can do, too. For example, the tools used to extract data from mobile devices are available on the open market and can be used to steal company secrets in countries with state-sponsored corporate espionage under the ruse of counterterrorism.
Most of the reports about laptop bans and smartphone access focus on airline chaos, cancelled trips and the violation of personal privacy. But these problems pale in comparison to the risk to company data.
In the absence of a solid plan, employees and executives will craft their own solutions, which are likely to be insecure. They'll carry easily compromised thumb drives and hard drives. They'll leave laptops at home and use insecure public terminals abroad. Or they'll cooperate at airports for personal expedience, handing over laptops and voluntarily unlocking smartphones and providing passwords.
Urgent action needed
If you take away anything from this column, it's this: Immediate action is needed to address the risk to company data posed by fast-changing rules and norms around air travel.
The issues to be addressed are:
- A plan if emergency bans are placed on traveling with laptops. (This solution may include shipping cloud-based Chromebook-type laptops to travelers abroad, along with secure access to company data in a way that is not stored on the device.) This is a good policy even before any ban is implemented.
- An immediate policy for removing the ability for anyone, including the user, to access key data or compromising information from all devices, especially smartphones. (Get used to the phrases "border mode" and "travel mode." The ability to suspend access to or remove data from a device may be built into phones like "airplane mode" is, or provided as a third-party product or service -- in fact, such products are just now beginning to emerge. For now, you'll have to roll your own solution. People can be detained indefinitely for not providing passwords and PIN codes, but they cannot be held if they themselves have no possible access.)
These issues will likely involve purchasing, software development and additional training. You don't have much time. When the rules change, they'll change fast. And they'll put data at risk.