The "Working from China" Problem


When employees want to work remotely from “risky” places

Ryan McGeehan

Companies restrict work laptops and remote access from countries they consider risky, particularly China. Where does a travel policy like this come from?

Companies debate how much risk actually exists, how to define the problem to begin with, and how much can actually be done to mitigate anything at all. Let’s talk about it so you can helpfully contribute to the discussion at your own employer.

First, the problem!

It always starts this way: An employee at a young company wants to do remote work from their devices in another country, and is inevitably escalated as an issue when that country happens to be China.

A co-worker inevitably says: “We wouldn’t have allowed this at $former_company!”

Then, everyone brings up anecdotes about how their previous company handled corporate equipment through China. Approvals, burner laptops, and other identity management tricks are typical.

In my professional experience, China is almost always the country that kicks these conversations off. So, let’s talk about China first while simultaneously discussing why we should discuss China first.

Why is China brought up when discussing remote work policies?

While I’m sure that there is often an underlying phobia in discussions about China, there are some objective data points that make China a perfect example to drive policy discussion. China has documented advisories of network, intrusion, blackmail, privacy & freedom, and detainment risk scenarios. Other countries can share them.

These are not exclusive to China, but China has a reputation in the USA for touching on all of them.

🛜 1. Network: First, China is notable for operating the Great Firewall, with a long history of actively interfering with network traffic within the country.

This isn’t unique to China; Syria, Kazakhstan, Egypt, and Tunisia have interfered with their egress traffic in the interests of politics, and a recurring point in these policy discussions is that many other countries might do this too.

There are variations on network-based attacks found in other countries; a great example here is DarkHotel.

The actor’s offensive activity can be tied to specific hotel and business center Wi-Fi and physical connections, some of it is also tied to p2p/file sharing networks, and they have been known to spear-phish targets as well. (link)

The threat model demonstrated by DarkHotel is not exclusive to any country and simply demonstrates itself as a potential threat from transit hubs. The novel part of this threat is that exposure comes while directly connected to hostile networks, rather than a threat actor that is usually further remote.

⛓️‍💥 2. Intrusions: China, of course, has a long and globally reported history from private and government sources of Chinese government intrusions into foreign companies.

Intrusion risk isn’t unique to China, as APT groups and the desire to intrude on foreign organizations have been documented all around the world.

😵 3. Blackmail / Coercion: China is accused of manufacturing compromising situations among travelers (Students, Professors, Researchers) by the FBI.

🙈 4. Privacy and Freedom: Personal or corporate property protections do not exist within China’s laws when national security is invoked. These laws are vague in scope but specific in purpose. The result is powerful and invasive laws: Remote and on-site inspections are boldly allowed without ambiguity, require no heads-up notification, and only require a vague cause to initiate.

Privacy risks aren’t unique to China. Privacy and individual property rights vary across the globe.

The simple fact is that your employer’s view may be that fundamental property ownership of a device becomes unclear while traveling, which makes it irresponsible to bring an authenticated device into certain countries.

🚨 5. Detainment: Unjust and arbitrary detainment during travel through China occurs enough to warrant a broad travel advisory.

Detainment risk isn’t unique to China, as other countries unjustly detain foreigners as well.

…But do these things ever actually happen?

Travel risk conversations almost always start the same way at every company I’ve ever discussed this with. At some point, someone asks for data. But, incident data is sparse on this topic.

It becomes difficult to impose a policy on these risks if you can’t share stories about them firsthand. Most people have never experienced a co-worker’s laptop being compromised from a trip to China or elsewhere.

This is why travel risk scenarios are fantastic examples of Knightian Uncertainty. Simply put, Knightian uncertainty involves risk decisions when you’re stuck without the data.

While each of the individual factors discussed is not unique to China… China checks all of the boxes. China has objectively demonstrated the infrastructure, state resources, laws, and opportunity to target travelers legally to gain access to their employers if they want to. The scenario is objectively possible, so the risk is on the table and worth worrying about.

Though, I’m still unaware of any public report in which China intruded on a US company in these very specific ways listed above*. Knightian uncertainty applies here because we assess these risks based on the structure of the threats and supporting facts rather than counting the observable occurrences of it happening.

So, why are we so low on data?

First, a lack of statistical data could be because these incidents would occur in other countries where there is no obligation to report them to their adversaries. We only hear about this opportunistically, like from the DarkHotel analysis by a security company who shared it.

Second, attacks on travelers may be more complex to detect and investigate.

The forensic proximity involved with an attack changes overseas. Remote attacks (email, chat, SMS) often have obvious artifacts to unravel in an incident. An evil maid, man-in-the-middle, or local network exploit is much harder to discover, as it wouldn’t leave an obviously logged hyperlink to click or a watering hole to visit that an incident response team could discover.

*If you know specific public cases where governments have snatched up devices and compromised foreign companies through their traveling employees, please tell me!

“Were they breached while traveling?” creates a lot of work.

All suspected incidents while traveling spiral into a ton of work. An actual compromise is not always the most significant factor in creating these policies — it’s the high cost of triaging the incidents.

Incident response for remote access exploitation has a lot of well-explored incident response patterns, but potential exploitation involving physical access is an absolute nightmare.

For example: Assume an employee is asked to unlock their laptop in a transit hub, and loses visibility of their device for a short period.

This is common!

What could have happened while it was out of sight? Are you comfortable with your ability to investigate this in a timely manner? The sort of investigation this scenario demands is far different from the typical triage of common, remote attacks.

So, companies often do a quick review for any recent malicious access and then trash a suspect device rather than getting stuck in a highly manual forensic investigation looking for some arcane Evil Maid attack. We hope the employee had backups. Otherwise, you’re doing piecemeal analysis of what files you can shuttle over, and you’d rather not do that twice.

Incidents escalate quicker when traveling and have more false positives. Without the policy, you kick off incidents every time an employee is asked to unlock their device in a transit area, or steps away from their luggage in an airport, or complains that their work laptop is acting weird after a trip somewhere spooky. Eliminating these mysteries is a chief reason a policy exists.

First, we have to decide where our restrictions come from. Then, we must consider individuals, hardware, and access for someone traveling.

Decide where a “Restriction” comes from.

There are a lot of dimensions to a restriction, and it should start with something objective. Here are the topics that you might want to consider:

  • Sanctions: Is it illegal to do business in a particular country? Sanctions are in constant flux, and your legal team can’t be expected to monitor what is permitted. Legal (not security!) will likely produce a list from OFAC, EAR, and ITAR of countries based on their interpretation of the sanctions. But let’s be realistic: legal will probably Google it and copy-paste a list.
  • Freedom, Privacy, Human Rights: We don’t make assumptions about fundamental property rights, unreasonable search and seizure, law enforcement capability, or a justice system from country to country. Some resources make attempts to index them.
  • Travel Advisories: The State Department issues advisories for at-risk places. These also fluctuate often and may not advise on events that impose a cybersecurity risk, like random detainments or theft.
  • Other Advisories: The FBI, the ODNI, and other government sources publish analysis.
  • Other Risks: State-owned infrastructure may be reported to support censorship or other attacks without apologies.
  • Proximity to Office: Your employer may be remote first, but employees can be tricky to investigate or terminate if they’re too remote. Some hiring policies require employees to be reasonably accessible to a physical office or around particular hubs. For security, this makes it easier to acquire a victim device or get a victim employee onsite for an investigation, such as collecting malware from the device or working an insider threat case if the employee cooperates.

Who and what will be traveling?

Figure out how much you care about individual travel in addition to the hardware or access that will be traveling. This may be in terms of role or privilege. There may not be a hardware discussion if you have a permissive device policy and devices are not part of authentication.

The principles you form will help you answer questions like:

How about we disable my production access before I travel into a restricted country? Then can I bring my device?

Maybe this tradeoff will be acceptable to you. Or maybe not. For instance, an engineer who likely has a bunch of locally stored intellectual property on their hardware might not be allowed to carry it into any restricted country. On the other hand, someone who does customer support with remote and restricted tools might have a more permissive policy where they can be temporarily disabled.

What capabilities can you offer?

You may plan to say yes or no to travel and call it a day. Getting to “Yes” may require more sophisticated capabilities. Sometimes, restricted travel will need to happen, so you have to build the path to keep employees and data safe.

  • Loaner Laptops: Some companies issue temporary hardware for travel. Similarly, you can also create user accounts designed for use while traveling with reduced access.
  • Pre-Flight and Debrief: An email can be delivered to employees asking if anything consequential happened (Were you detained? Any devices stolen?). Additionally, you can ensure employees are aware of risks ahead of time and remind them where to call during travel if anything should occur.
  • Lock-up during transit: You can arrange for hardware or identities to be locked/disabled until passage through transit hubs is complete and detainment risks are reduced.
  • Centralized Travel Booking: All the modern corporate travel software supports some level of “Duty of Care,” which allows for checking for high-risk bookings automatically, or to give a heads up to your security team about high risk travel.
  • Travel Security Support: Various global travel risk companies monitor international crises, keep tabs on employees' areas, help with boutique emergency travel, or provide physical security.

Lastly, how is this enforced?

It doesn’t do much good to have these policies if you aren’t ready to react to violations of the policy. Think through the scenarios you are anticipating with a travel policy, and then work backwards into the capabilities you’d need during incident response:

  • Logs of authentication and activity for given sessions
  • A confirmed and tested ability to remotely lock or wipe a device
  • Alternative means of communication with a remote employee
  • Hotline for employees to notify your company if detained
  • Predetermined consequences for intentional violations of the policy
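As an added illustration of the first two capabilities above (session logs plus the loaner-laptop and transit lock-up practices from the previous section), here is a small review script that correlates authentication log lines with pre-flight travel declarations and a restricted-country list. This is example code written for this page, not something from the original post or any vendor; the log format, the declaration fields, the device names and the restricted list are all constructed assumptions, and a real deployment would pull them from the IdP export and the travel tool instead.

```python
"""Correlate SSO authentication events with declared travel (added example).

Three checks a travel policy's incident responder would want answered
quickly from logs alone:
  1. Did anyone authenticate from a restricted country without an approved
     travel declaration covering that time and country?
  2. Did a session succeed during a declared transit lock-up window, when the
     identity was supposed to be disabled?
  3. Did a traveler use a device other than the issued loaner while abroad?
"""
import json
from datetime import datetime, timezone

# Constructed policy input. The post uses China as its running example; a real
# list would come from Legal's sanctions interpretation plus advisories.
RESTRICTED_COUNTRIES = {"CN"}

# Constructed pre-flight declarations. "transit_lockup" is the window in which
# the traveler's identity is meant to be disabled while passing transit hubs.
TRAVEL_DECLARATIONS = [
    {
        "user": "alice",
        "country": "CN",
        "approved": True,
        "loaner_device": "LOANER-17",
        "start": "2024-05-01T00:00:00Z",
        "end": "2024-05-10T00:00:00Z",
        "transit_lockup": ["2024-05-01T00:00:00Z", "2024-05-01T12:00:00Z"],
    },
]

# Constructed authentication log, one JSON event per line, as an IdP might export it.
AUTH_LOG = """\
{"ts": "2024-05-01T06:30:00Z", "user": "alice", "country": "CN", "device": "LOANER-17", "result": "success"}
{"ts": "2024-05-02T09:00:00Z", "user": "alice", "country": "CN", "device": "LOANER-17", "result": "success"}
{"ts": "2024-05-03T09:00:00Z", "user": "alice", "country": "CN", "device": "ALICE-MBP", "result": "success"}
{"ts": "2024-05-04T14:00:00Z", "user": "bob", "country": "CN", "device": "BOB-MBP", "result": "success"}
{"ts": "2024-05-04T15:00:00Z", "user": "carol", "country": "US", "device": "CAROL-MBP", "result": "success"}
{"ts": "2024-05-05T15:00:00Z", "user": "bob", "country": "CN", "device": "BOB-MBP", "result": "failure"}
"""


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_declaration(user, ts, declarations):
    """Return the travel declaration covering this user at this time, if any."""
    for decl in declarations:
        if decl["user"] == user and parse_ts(decl["start"]) <= ts <= parse_ts(decl["end"]):
            return decl
    return None


def review_auth_log(log_text, declarations=TRAVEL_DECLARATIONS, restricted=RESTRICTED_COUNTRIES):
    """Return (timestamp, user, finding) tuples for sessions that break the policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Only successful logins create sessions; failures belong to a separate
        # brute-force / credential-stuffing detection, not this review.
        if event["result"] != "success":
            continue
        if event["country"] not in restricted:
            continue
        ts = parse_ts(event["ts"])
        decl = find_declaration(event["user"], ts, declarations)
        if decl is None or not decl["approved"] or decl["country"] != event["country"]:
            findings.append((event["ts"], event["user"], "unapproved_restricted_access"))
            continue
        lock_start, lock_end = (parse_ts(x) for x in decl["transit_lockup"])
        if lock_start <= ts <= lock_end:
            # The identity should have been disabled here; a success means the
            # lock-up was never applied or was lifted early.
            findings.append((event["ts"], event["user"], "session_during_transit_lockup"))
        if event["device"] != decl["loaner_device"]:
            findings.append((event["ts"], event["user"], "non_loaner_device_in_restricted_country"))
    return findings


if __name__ == "__main__":
    for ts, user, finding in review_auth_log(AUTH_LOG):
        print(f"{ts} {user}: {finding}")
```

The script is deliberately conservative about what it calls a finding: travel that was declared and approved on the issued loaner produces nothing, so the output is the short list a responder actually needs to act on (which identity to disable, which device to treat as suspect, which employee to call on the alternative channel). Swapping the constructed log for a real export means adjusting `parse_ts` and the field names in `review_auth_log`; the three rules stay the same.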

We’ve discussed a breadth of touchpoints on remote travel and security to consider when having employees travel to risky locations. With this in hand, you can more reasonably discuss the risks at your employer when the topic comes up.
