This case study looks at the possible implications of taking sensitive or official information overseas via electronic devices and failing to report the intent to travel.
Themes covered include:
- advising of an intent to travel
- the national security risk of taking electronic media overseas
- evaluating the need to travel overseas with electronic devices.
Scenario – what happened
An upper level manager, Chris, and his lead negotiator, Taylor, get a last minute invitation to a three-day trade conference in a foreign country.
Neither of them intends to take or discuss protectively marked material and, as such, do not seek travel approval or a travel briefing from their CSO or the NZSIS before embarking.
Both Chris and Taylor plan to take their private and work electronic devices overseas with them, including their cellphones and laptops. Before leaving New Zealand, they delete information on the devices they consider sensitive.
The pair know there will be foreign delegates present at the conference so leave their devices in their hotel room in the room safe.
During their absence, foreign intelligence officers access their hotel room and install malware on their devices that will automatically log all activity conducted on the devices, even once Chris and Taylor have returned to New Zealand.
Additionally, the officers clone the hard drive of the laptops and recover not only deleted protectively marked documents, but also intellectual property and sensitive information pertaining to trade negotiations.
Lessons learned – what should have happened
Chris and John made three simple mistakes in this scenario.
They should have:
- advised their CSO of their intent to travel
Regardless of whether an individual is travelling in a private or official capacity or carrying sensitive or official material, certain staff with a security clearance must advise their CSO of their intent to travel.
All staff should advise their CSO of travel to identified high-risk countries.
The CSO will advise staff of their reporting requirements and the countries that have been identified as high risk. If travel is approved, then the CSO will assess whether a briefing is required.
- recognised the national security risk of electronic media
Electronic media taken overseas poses a risk to national security. Electronic media that has been used to process protectively marked or sensitive information must be protected to the same degree as paper-based information. The level of protection afforded must be equivalent to the highest level of protectively marked information ever placed on the media until it is sanitised.
See also the New Zealand Information Security Manual.
- thought more carefully about taking electronic devices overseas
Agencies and employees should evaluate whether they require the use of their electronic devices while overseas at all, as their use, even if personal and not protectively marked, poses a security risk. If the use of electronic devices overseas is absolutely essential it should be ensured every device has all current security patches and updates.
Agencies should have a current record of the location and authorised custodian of agency ICT equipment and official ICT devices should be checked by IT security upon return before it is used again.