Surveillance systems can track the locations of cellphone users and spy on their calls, texts and data streams. The Washington Post has reported on such systems that are being turned against travelers around the world, according to security experts and U.S. officials. The summer season highlights the need to take extra precautions when traveling.

When traveling anywhere in the world, for business or pleasure, citizens need to be aware of and alert to looming physical and cybersecurity threats.

To elaborate on expert security tips, strategies and advice for traveling this summer, we presented several questions to The Chertoff Group, a global security advisory firm that enables clients to navigate changes in security risk, technology and policy. Chris Duvall, Senior Director at The Chertoff Group, offers insights into cybersecurity concerns, physical security precautions, and recommends digital resources/apps for consumers while traveling.



Q: How are security risks – physical and digital – changing? Why are threats greater today than five years ago?

The exponential number of headlines over the past few years is a strong indication that both physical and digital risks are evolving and increasing

Duvall: The exponential number of headlines over the past few years is a strong indication that both physical and digital risks are evolving and increasing. The scope, severity and complexity of physical and cyber risks are increasing and becoming more dangerous and destructive. This is especially true for those traveling outside the U.S.

On the physical side, threat actors are actively seeking “soft targets” – public events, social settings, mass audience venues, etc. – to communicate their message, sow chaos and inflict catastrophic harm.

On the digital or cyber side, we have seen a shift from “thrill hacking,” to an increase of “hacking as a business” (through credential compromise and ransomware), to an increase in “hacking for harm” - with the rise of “nuke ware” and ransomware without a clear financial motivation.



Q. What specific precautions should a traveler take to protect their calls, texts and data streams from being spied on?

Duvall: When traveling abroad, we recommend to our clients that their personnel and executives should practice good internet and social media hygiene. Some best practices include:

  • Avoid using public Wi-Fi services—unless you use private VPN service for encryption
  • Increase the privacy setting on your technical devices
  • Disable location identifiers on apps
  • Create a new (unlinked) email for internet correspondence
  • Consider purchasing international MyFi devices to decrease the risk of getting your personal identification information (PII) or protected healthcare information (PHI) stolen 
  • Use temporary (i.e. burner) phones to protect your data and your contacts


Q. What cybersecurity concerns are likely to impact travelers? Are the threats greater outside the United States or in any specific parts of the world?

Significant precautions should be taken to protect personal electronic devices (PEDs) and the data connected to PEDs

Duvall: The international cybersecurity landscape has grown increasingly dynamic, with threats posed by government authorities (in some countries), terrorists, insurgents, and criminals, requiring travelers to be proactive and vigilant. U.S. citizens, particularly executives of U.S.-based technology companies, must be aware that they are considered high-value targets for nation-state intelligence services and criminally-motivated bad actors. Many countries will go to great lengths and expense to acquire and exploit proprietary information from U.S.-based companies, and views U.S. executives visiting the country as “soft” targets of opportunity. As such, significant precautions should be taken to protect personal electronic devices (PEDs) and the data connected to PEDs. The tactics, techniques and procedures (TTPs) utilized by bad actors are often covert and nearly undetectable by the affected person.

Threat actors routinely access, monitor and utilize Wi-Fi networks at hotels and in public spaces to compromise target devices. Other targeting methods include luggage searches, extensive questioning, and unnecessary inspection and downloading of information from personal electronic devices.

There are numerous, high-risk countries for which the U.S. Government warns travelers to be wary of mobile malware, mobile device privacy attacks and hot spots for mobile botnets. The U.S. Department of State has the most recent and up-to-date list. For example, the U.S. Government has investigated numerous incidents in which U.S. travelers’ PEDs (personal and company devices) have been compromised by Russian authorities while transiting Russian airports, left unattended in public spaces and in travelers’ hotel rooms.

	Protect your personal information and travel itinerary as much as possible
When traveling to an unfamiliar place, research your destination to understand the local roads and transportation, geography, local roads, culture, etiquette and laws


Q: What physical security precautions should a traveler take?

Duvall: Here are some useful precautions:

  • When traveling to an unfamiliar place, research your destination to understand the local roads and transportation, geography, local roads, culture, etiquette and laws.
  • Protect your personal information and travel itinerary as much as possible.
  • Limit the amount of jewelry worn, cash, credit cards and electronic devices carried while traveling.
  • Avoid staying on the ground floor of a hotel. Consider choosing a room on the 2nd through 7th floors as these rooms may be more difficult to break into than those on the ground level, but still able to be accessed by fire/emergency response equipment.
  • Never answer your hotel room door for anyone until you’ve determined who they are, why they are at your door, and if it is necessary for you to open the door to interact with them.
  • Carry a rubber door stop/wedge with you to install on the room side of the door before you go to bed.
  • Vary your patterns and routines when venturing out in to a new location, do not become predictable.
  • Politely decline offers of food or drink from strangers (If you do accept beverages, ensure that they are in sealed containers and that there is no evidence of tampering).
  • Never discuss your itinerary, personal, business or other sensitive information where others can hear you.


Q: How can companies be proactive in protecting their business travelers?

Companies should educate their employees on the importance of maintaining good internet hygiene while traveling abroad

Duvall: When traveling on business, companies should provide their employees with clean computers and cell phones before departure. Upon return, the company should immediately wipe the computer clean to prevent any malicious threats from penetrating the company’s internal, cyber-infrastructure. Additionally, companies should educate their employees on the importance of maintaining good internet hygiene and recommend their employees disconnect from social media platforms while traveling abroad. Some general tips to recommend to your employees when traveling abroad include:

  • Register in the Smart Traveler Enrollment Program (https://step.state.gov/step/)
  • Visit Travel.State.Gov to view travel related information specific to the country or countries you’re visiting, including local US Embassy or Consulate contact information, as well as current travel advisories and alerts.
  • Always leave a copy of your transportation and hotel itinerary and driver’s license (or passport if traveling internationally) with a family member or trusted friend.
  • Always use a baggage tag with a protective cover
  • Avoid using public Wi-Fi services


Q: What digital resources and/or apps might a traveler benefit from (and how)?

Duvall: The Chertoff Group recommends researching the below travel-related Apps before departing on a trip:

  • TravWell: This app provides destination-specific vaccine recommendations, a checklist of what you need to do to prepare for travel, and a customizable healthy travel packing list. The app can store travel documents, keep records of medications and immunizations, and set reminders to get vaccine booster doses or take medicines.
  • My TSA: This app provides real-time updates on airport delays. It includes how long security lines are at various airports; information about what you can and cannot bring onto an airplane; and a frequently-asked question list, including new advanced imaging technology.
  • Border Wait Time: The app provides estimated wait times and open-lane status at land ports of entry, which may be particularly helpful when in an area with multiple crossings.
  • Mobile Pass: The Mobile Passport app speeds you through U.S. Customs and Border Protection at (1) cruise port and (24) airports


Q: As a security expert, what’s your best advice for travelers?

Duvall: At the end of the day, travel security is not rocket science. Simply put, travelers need to:

  • Be aware and situationally alert at all times.
  • Be aware and situationally alert to the location of your luggage and carry-ons at all times.
  • Don’t access unknown, unsecured or public Wi-Fi if at all possible.
  • Turn off “auto connect” features and institute stringent privacy controls as much as possible.
  • Try to “blend in” – you don’t have to try to look like a local but travelers should avoid gaudy and expensive attire wherever possible.
  • Use your common sense – if an offer, invitation or opportunity seems to good to be true... it probably is.
Download PDF version

In case you missed it

How To Move From Crisis Response To Crisis Management
How To Move From Crisis Response To Crisis Management

Governments and corporations face crisis events every day. An active shooter terrorizes a campus. A cyber extortionist holds a city for ransom. A hurricane washes away a key manufacturing facility. Not all critical events rise to the level of these catastrophic emergencies, but a late or inadequate response to even a minor incident can put people, operations and reputations at risk. Effective Response Plan In 2015, for example, the City of Boston experienced several record-breaking snowstorms that forced the city to close the subway system for three days. The extreme decision cost the state $265 million per day and was largely attributed to a lack of preparation and an inadequate response plan by the transportation department. The reputation of the head of the transportation department was so damaged by the decision she was forced to resign. Being able to better predict how the storms would impact the subway system’s aging infrastructure – and having a more effective response plan in place – could have saved the state hundreds of millions of dollars (not to mention the transit chief’s job). A comprehensive critical event management strategy begins before the impact of an event is felt and continues after the immediate crisis has ended. This full lifecycle strategy can be broken into four distinct phases – Assess, Locate, Act and Analyze. Assessing Threats For Prevention Security teams might have complained about not having enough intelligence data to make accurate predictionsIdentifying a threat before it reaches critical mass and understanding how it might impact vital assets is the most difficult challenge facing security professionals. In the past, security teams might have complained about not having enough intelligence data to make accurate predictions. Today, the exact opposite might be true – there is too much data! With crime and incident data coming from law enforcement agencies, photos and videos coming from people on the front line, topics trending on social media and logistical information originating from internal systems it can be almost impossible to locate a real signal among all the noise and chatter. Being able to easily visualize all this intelligence data within the context of an organization’s assets is vital to understand the relationship between threat data and the individuals or facilities in harm’s way. Social Media Monitoring Free tools like Google Maps or satellite imagery from organizations like AccuWeather, for example, can help understand how fast a storm is closing in on a manufacturing facility, or how close an active shooter is to a school. Their usefulness, however, is limited to a few event types and they provide only a very macro view of the crisis. Data from building access systems, wifi hotspots, corporate travel systems, among others, can be used to create a profile Critical event management (CEM) platforms, however, are designed specifically to manage critical events of all types and provide much greater visibility. Internal and external data sources (weather, local and national emergency management, social media monitoring software, security cameras, etc.) are integrated into these platforms and their data is visualised on a threat map. Security teams can quickly see if there are actual threats to the organizations or communities they are protecting and don’t lose time trying to make sense of intelligence reports. The more they can see on a ‘single pane of glass,’ the faster they can initiate the appropriate response. Locating A Threat Once a threat has been deemed a critical event, the next step is to find the people who might be impacted – employees/residents in danger, first responders and key stakeholders (e.g., senior executives or elected officials who need status updates). Often, this requires someone on the security team to access an HR contact database and initiate a call tree to contact each person individually, in a specific hierarchical order. This can be a time-consuming and opaque process. There is no information on the proximity of that person to the critical event, or if a person has skills such as CPR that could aid in the response. Ensuring ahead of time that certifications, skill sets, or on-call availability is included with contact information can save valuable time in the middle of a crisis response. Going even further, data from building access systems, wifi hotspots, corporate travel systems, among others, can be used to create a profile of where a person just was and where he or she might be going in a CEM platform. This information can be visualized on the threat map and help determine who is actually in danger and who can respond the fastest. The emergency response then becomes targeted and more effective. Security teams can quickly see if there are actual threats to the organizations or communities they are protecting Acting And Automating The third step is to act and automate processes. If there is a tornado closing in on a town, for example, residents should not have to wait for manual intervention before a siren is activated or a message sent out. Organizations can build and execute their standing operating procedures (SOPs) fully within a CEM platform. Sirens, alarms, digital signs and messages can all be automatically activated based on event type, severity and location. Using the tornado example, an integration with a weather forecasting service could trigger the command to issue a tornado warning for a specific community if it is in the path of the storm. Summon Security Guards Warning messages can be prepared in advance based on event type so there is no chance of issuing a misleading or unclear alert Warning messages can be prepared in advance based on event type so there is no chance of issuing a misleading or unclear alert. All communications with impacted individuals can be centralized within the platform and automated based on SOP protocols. This also includes inbound communications from first responders and impacted individuals. An employee confronted by an assailant in a parking garage could initiate an SOS alert from his or her mobile phone that would automatically summon security guards to the scene. Conference lines can also be instantly created to enable collaboration and speed response time. Additionally, escalation policies are automatically engaged if a protocol is broken. For example, during an IT outage, if the primary network engineer does not respond in two minutes, a designated backup is automatically summoned. Eliminating manual steps from SOPs reduces the chance for human error and increases the speed and effectiveness of critical event responses. Analysis Of A Threat Looking for ways to better prepare and respond to critical events will not only improve performance when similar events occur again It’s not uncommon for security and response teams to think that a critical event is over once the immediate crisis has ended. After all, they are often the ones pushing themselves to exhaustion and sometimes risking life and limb to protect their neighbours, colleagues, community reputations and company brands. They need and deserve a rest. In the aftermath of a critical event, however, it’s important to review the effectiveness of the response and look for ways to drive improvements. Which tasks took too long? What resources were missing? How many times did people respond quickly? With a CEM platform, team performance, operational response, benchmarking data and notification analysis are all captured within the system and are available in a configurable dashboard or in after-action reports for analysis. Continuously looking for ways to better prepare and respond to critical events will not only improve performance when similar events occur again, but it will also improve response effectiveness when unforeseen events strike. Coordinate Emergency Response Virtually every organization has some form of response plan to triage a critical event and restore community order or business operations. While many of these plans are highly effective in providing a structure to command and coordinate emergency response, they are reactive in nature and don’t account for the full lifecycle of a critical event – Assess, Locate, Act and Analyze. Whether it’s a large-scale regional emergency or a daily operational issue such as an IT outage, a comprehensive critical event management strategy will minimize the impact by improving visibility, collaboration and response.

Questioning The Wisdom Of The U.S. Ban On Hikvision & Dahua
Questioning The Wisdom Of The U.S. Ban On Hikvision & Dahua

I have been thinking a lot about the U.S. government’s ban on video surveillance technologies by Hikvision and Dahua. In general, I question the wisdom and logic of the ban and am frankly puzzled as to how it came to be. Allow me to elaborate. Chinese Camera Manufacturers Reality check: The government ban is based on concerns about the potential misuse of cameras, not actual misuse. Before the government ban, you occasionally heard about some government entities deciding not to use cameras manufactured by Chinese companies, although the reasons were mostly “in an abundance of caution.”  Even so, I find the targeting of two Chinese companies – three if you count Hytera Communications, a mobile radio manufacturer – in a huge government military spending bill to be a little puzzling. I can’t quite picture how these specific companies got on Congress’s radar. The government ban is based on concerns about the potential misuse of cameras, not actual misuse What level of lobbying or backroom dealing was involved in getting the ban introduced (by a Missouri congresswoman) into the House version of the bill? And after the ban was left out of the Senate version, was there a new wave of discussions to ensure it was included in the joint House-Senate version (with some minor changes, and who negotiated those?). It all seems a little random. Concerns For The U.S. Furthermore, the U.S. ban solves neither of the two main concerns that are generally used as its justification: Concern: Cybersecurity. The U.S. ban “solves” the issue of cybersecurity only if both of the following statements are true. No security system that uses a Hikvision or Dahua camera or other component is cybersecure. Any system that does not use a Hikvision or Dahua camera or other component is cybersecure. What level of lobbying or backroom dealing was involved in getting the ban introduced into the House version of the bill? The ban ignores the breadth and complexity of cybersecurity and instead offers up two companies as scapegoats. Our industry has sought to address cybersecurity, and the one principle that has guided that effort is that cybersecurity is an issue that must be addressed by manufacturers, consultants, integrators and end users – in effect, everyone in the industry. Cybersecurity does not begin and end with the manufacturer and banning any manufacturers from the market does not ensure better cybersecurity. Concern: “Untrustworthy” Chinese companies. Hikvision and Dahua are only two Chinese companies. Any response to concerns about whether Chinese companies are trustworthy would need to cover many more companies that manufacture their products in China. Australian TV recently claimed that “All Chinese companies pose a risk. Because of Chinese laws, there is a requirement for companies to be engaged in espionage on behalf of the state.” Even if one embraces that extreme view, the logic fails when only two companies are targeted. One source told me that 60 to 65 percent of the global supply of commercial video cameras are manufactured in China, so it’s a much bigger issue than two companies.The Chinese government has much more effective ways of conducting espionage than exploiting security cameras And is U.S. security at risk unless or until it is cut off from more than half of the world’s supply of video cameras? Even Western camera companies manufacture some of their cameras and/or components in China. Why name only two (or three) companies, only one of which has ties to the Chinese government? If the goal of the U.S. ban was to address the possibility of cybersecurity and/or espionage by the Chinese government, shouldn’t there be other companies and product categories included? Clearly, video surveillance is not the only category that has the potential for abuse. The Chinese government has much more effective ways of conducting espionage than exploiting security cameras. Global Response To U.S. Ban And now that the U.S. ban has been passed, how is the ban being misused to justify a new level of alarm about Chinese companies? Australian television effortlessly made the leap from “software backdoors” to a concerted and organized effort by the Chinese government to use cameras to be the “number one country for espionage.” And it’s not just about government facilities: “Even on the street, [cameras] have the potential to inadvertently contribute toward Chinese espionage activity by providing real-time information about the situation on the ground,” says the Australian TV report. If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies? If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies, or at least those with electronics or computer products that could be used for espionage? What about the espionage potential of the 70% of mobile phones that are made in China? What about other consumer electronics such as PCs or smart TVs? How many government facilities that are eliminating Dahua and Hikvision cameras have employees who use iPhones or use other electronic equipment from China? Artificial Intelligence & IP-Over-Coax Also, consider the impact of the ban on business. Hikvision and Dahua have had many successes in the video surveillance market, including in the U.S. market. They have added value to many integrators and end user customers. They have been on the forefront of important trends such as artificial intelligence and IP-over-coax. And, yes, they have made technologies available at lower prices.Cybersecurity issues have plagued several companies in the industry, not just Hikvision and Dahua Cybersecurity issues have plagued several companies in the industry, not just these two, and both Hikvision and Dahua have worked to fix past problems, and to raise awareness of cybersecurity concerns in general. Is a U.S. ban on two companies an appropriate response to a series of geo-political concerns that are much bigger than those two companies (and bigger than our entire market)? Should two companies take the brunt of the anti-Chinese backlash? Video Surveillance Cameras Is the video surveillance market as a whole better or worse for the presence of Hikvision and Dahua? Is it up to the U.S. government to make that call? In some ways, thoughts of Chinese espionage are a sign of these uncertain political times. Fear of video surveillance is perfectly congruent with long-standing anxieties about “Big Brother;” suspicion about China taking over our video cameras just rings true at a time when Russia is (supposedly) controlling our elections. But should two companies be targeted while broader concerns are shrugged off?

Why Customers Should Buy Products And Services From SMBs
Why Customers Should Buy Products And Services From SMBs

In 1973, a brilliant economist named E.F. Schumacher wrote a seminal book titled ‘Small Is Beautiful:’ taking an opposing stance to the emergence of globalization and “bigger is better” industrialism. He described the advantages of smaller companies and smaller scales of production, highlighting the benefits of building our economies around the needs of communities, not corporations. In almost every industry or market that exists in the world today, you're likely to find a difference in size between companies. Whether it’s a global retail chain versus a small family-owned store, a corporate restaurant chain versus a mom-and-pop diner or a small bed and breakfast versus a large hotel chain — each side of the coin presents unique characteristics and advantages in a number of areas. Disparity In Physical Security Industry Customers are drawn to products and services from large enterprises as the big names typically imply stability This disparity very clearly exists in the physical security industry, and differences in the sizes of product manufacturers and service providers could have important implications for the quality and type of the products and services offered. All too often, customers are drawn to products and services from large enterprises, as the big names typically imply stability, extensive product offerings and global reach. And that's not to say that these considerations are unwarranted; one could argue that larger companies have more resources for product development and likely possess the combined expertise and experience to provide a wide range of products and services. But the value that a company’s products and services can bring isn’t necessarily directly related to or dependent on its size. In an age where the common wisdom is to scale up to be more efficient and profitable, it’s interesting to pause and think about some of the possible advantages of small- and medium-sized businesses (SMBs). Typically, “small” companies are defined as those with less than 100 employees and “medium” with less than 500. Providing Social Mobility  Schumacher argued that smaller companies are important engines of economic growth. Indeed, according to the Organization for Economic Cooperation and Development (OECD), a group of 36 member countries that promotes policies for economic and social well-being, SMBs account for 60 to 70 percent of jobs in most OECD countries. Importantly, SMBs provide resilience in that there are often large economic and social impacts when big companies fail. Smaller companies are better for regional economies in general, as earnings stay more local compared to big businesses, which in turn generates additional economic activity. SMBs are also better at providing social mobility for disadvantaged groups by giving them opportunities and enabling them to realize their potential. Smaller companies are often more innovative, bringing to the market novel technologies and solutions such as Cloud, analytics, AI, and IoT New Companies Introduce New Technologies There's no denying the role of start-ups when it comes to innovation. In the security industry, many new technologies (e.g. Cloud, analytics, AI, IoT) are first brought to the market by newer companies. In general, smaller companies’ products and services often have to be as good or better than others to be competitive in the marketplace. They are therefore often more innovative, bringing to the market novel technologies and solutions. And these companies are also more willing to try out other new B2B solutions, while larger companies tend to be more risk-averse. Customer Service Aside from the quality of products and services, arguably one of the most important components of a security company’s success is its ability to interact with and provide customers the support that they deserve. Smaller companies are able to excel and stand out to their customers in a number of ways: Customer service. Customers’ perceptions of a product’s quality are influenced by the quality of support, and smaller manufacturers often possess a strong, motivated customer service team that can be relatively more responsive to customers of all sizes, not just the large ones. A superior level of support generally translates into high marks on customer satisfaction, since customers’ issues with products can be resolved promptly. Flexibility. SMBs have a greater capacity to detect and satisfy small market niches. While large companies generally create products and services for large markets, smaller companies deal more directly with their customers, enabling them to meet their needs and offer customized products and services. And this translates to adaptability, as SMBs become responsive to new market trends. By having a pulse on the market, smaller companies have much more flexibility in their supply chain and can adjust much faster in response to changing demand. Decision-making. Smaller companies are much more agile in decision-making, while larger enterprises often suffer from complex, tedious and lengthy decision-making processes. Communication is easier throughout SMBs, as smaller teams enable new ideas to flow and can solve problems faster. Job Satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction. SMBs are also generally more connected to local communities and participation in community activities leads to a greater sense of purpose. Additionally, SMBs have a much smaller impact on the environment, which is increasingly becoming an important consideration for today’s employees and customers. Though Schumacher's book takes a much deeper dive into the large global effects of scale on people and profitability, the general impact of a company’s size on its products and services is clear. It’s important for all players in the security industry to remember that the commitment and dedication to product quality can be found in businesses of all sizes. Ensuring Safety Of People, Property And Assets Large manufacturers may catch your eye, but small business shouldn’t be forgotten, as they can offer end users a robust set of attributes and benefits. While all security companies are aiming to achieve a common goal of providing safety for people, property and assets, smaller businesses can provide extensive value when it comes to driving the economy, innovating in the industry, providing quality employment and offering superior customer service.