Crossing borders with corporate data

Aaron Greene is a private consultant who will be graduating from the Norwich University MSIA program in June 2008. He recently wrote to me as follows:

"I read your article today about the case in Vermont. I have been particularly interested in the legal matters of this case, but you definitely provided a unique viewpoint that I think all of us in the information security field need to understand: don't take encrypted devices (including PDAs, USB drives, and other flash or disk memory) out of the country.

"I would like to know how you think this issue should be dealt with by organizations. It seems that advising people to not take company owned devices out of the country is not enough and that there needs to be a policy. I would imagine that there would need to be some exceptions to this policy, such as obtaining prior approval from company officials.

"Or would this be overkill? Some companies do so much business internationally that this would cause too much administrative overhead.

"I am currently doing some consulting work for a health system located on the southern tip of Texas at the Mexico border, so this really made me think of how many employees are probably taking company owned devices across the border. I understand that geographic location doesn't make much of a difference, but I have to say that your article really opened my eyes.... I can't believe I hadn't thought of this before, especially since I just completed the MSIA program! This might make a good discussion question!"

Here’s an updated version of my reply:

One approach is to segregate confidential information to encrypted external disk drives. The rule could then be that the portable computer can leave the country but that the encrypted disk drive cannot.

To access sensitive information, the users could enable a VPN to reach a server for files and a secure encrypted Web interface for their e-mail. Thus they would have little or no problem doing their work but low risk of having sensitive information divulged. However, even encrypted channels are potentially subject to intrusion in totalitarian dictatorships such as the People’s Republic of China (PRC), where, in my opinion, everyone should assume that all communications by foreigners are being monitored by government operatives at all times and act accordingly. When I led a delegation of security experts to China in 1994, I warned everyone on the trip never to discuss or transmit confidential information at any time while we were in the PRC.

The remaining risk is that the swap file, if any, could have fragments of cleartext. With sufficient RAM, however, virtual memory can be turned off, at least for the duration of the trip.

The question, as always, would be enforcement. Security fanatics (or clinically paranoid individuals) might cooperate, but I doubt that ordinary users would voluntarily go to the trouble.

Greene very kindly wrote back with a reference to an article by Ellen Nakashima of the Washington Post entitled “Clarity Sought on Electronics Searches.”

The author discusses several incidents in which U.S. border guards have seized company laptops from travelers and, in some cases, not returned them for extended periods. The article includes several specific recommendations similar to those I summarized above. I recommend that readers view the article themselves.

In my next column, I will enter express my opinion of the demand for decryption keys at the border.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.