Executive Digital Security on International Travel

State-sponsored cyber threats against travelling executives are documented and increasing. James Whitfield sets out the practical controls.

Digital Security, 30 Apr 2026

Written by James Whitfield — Senior Security Consultant

State-sponsored cyber operations targeting senior executives during international travel are documented. The FBI’s private sector warnings on this are unambiguous. GCHQ’s National Cyber Security Centre (NCSC) has published guidance aimed specifically at UK businesses travelling to high-risk jurisdictions. The threat is not confined to intelligence agencies: criminal organisations in several markets run targeted device compromise operations against executives who can be identified in advance through social media, conference agendas, or flight booking data.

The travel environment creates vulnerabilities that do not exist in a hardened office network. Understanding those vulnerabilities is the starting point for managing them.

Why travel creates specific digital risk

The controlled corporate network environment relies on managed infrastructure: enterprise firewalls, monitored endpoints, multi-factor authentication, and IT oversight of unusual access. International travel strips most of those protections away.

Executives travelling abroad connect to hotel WiFi networks that have no enterprise-grade security. They use airport lounge charging stations. They carry devices that contain months of email, documents, and credentials. They stay in hotels where room access is available to housekeeping staff, maintenance, and – in certain jurisdictions – state security services. They cross borders where customs authorities have legal power to inspect device contents.

None of this applies to a device that stays inside a monitored office. The risk profile for a senior executive’s device on a three-day trip to Beijing is fundamentally different from that of the same device on a Tuesday afternoon in a monitored office.

The clean device protocol

The most complete mitigation for high-risk jurisdiction travel is the clean device: a dedicated loaner laptop and phone issued specifically for the trip, containing no personal data, no saved credentials, and no persistent access to corporate systems beyond what is necessary for the specific meetings.

The clean device principle is endorsed by the NCSC UK, the FBI’s Counterintelligence Division, and the Canadian Centre for Cyber Security. It is standard practice in the pharmaceutical, defence, and financial sectors for executive travel to China, Russia, and other states with documented commercial espionage programmes.

On return, the device does not reconnect to corporate networks. It is wiped and reset. Any data produced during the trip is transferred via a controlled channel before the wipe.

For many organisations, the clean device requirement feels disproportionate for routine travel. The risk calculus shifts for executives who: are travelling during active M&A processes; carry board-level financial data; have roles in semiconductor, defence, pharmaceutical, or advanced manufacturing sectors; or are travelling to jurisdictions with documented state-level collection programmes. For those individuals, a clean device is a proportionate control, not an excessive one.

Hotel room risks

The hotel room is the primary physical attack surface for device compromise during travel. This is not speculation – Citizen Lab and others have documented hotel-based operations by state security services in multiple jurisdictions. The relevant risks are:

USB charging stations. Publicly accessible USB charging points – in hotel lobbies, airports, or conference venues – can be compromised to deliver malware or extract data during charging. This attack vector (sometimes called “juice jacking”) prompted the FBI’s Denver field office to issue a public warning in April 2023. Use a personal charger and wall socket, or a USB data-blocker if a wall socket is unavailable.

Room WiFi. Hotel WiFi is an untrusted network. All traffic over it should be treated as potentially observable. A corporate VPN encrypts traffic between the device and the corporate gateway. Note: consumer VPN services are a different product – several are blocked in China and Russia, and using an unauthorised VPN in China carries legal risk. Coordinate with IT security on approved VPN options before travel.

Physical access. In certain jurisdictions, housekeeping during documented diplomatic and corporate travel is a known vector for device access. Keeping devices in the in-room safe does not provide meaningful security against a determined state actor with access to the safe code. For high-risk stays, devices should not be left in the room unattended. If that is operationally impractical, a tamper-evident seal or tracking application that logs access can provide at least a detection capability.

Presentation equipment. Avoid connecting laptops to hotel presentation systems or AV equipment via HDMI or USB. Where a presentation must be delivered, use a dedicated presentation device or cloud-based delivery that does not require physical connection.

Border inspection authority

Border device inspection is a legally distinct risk from network-based compromise. Multiple governments have explicit statutory authority to inspect electronic devices at the border without the consent of the traveller and, in some jurisdictions, without a warrant.

US Customs and Border Protection (CBP) can search devices at a US port of entry without a warrant. The ACLU has documented cases in which CBP searched devices without cause. For returning executives who have travelled to high-risk jurisdictions, this means that sensitive data on a device crossing a US border is potentially accessible to a US government official regardless of encryption.

Chinese customs authorities have authority to inspect devices for “state secrets” and “prohibited material”. The definition of prohibited material is broad and discretionary. Russian FSB has documented authority over digital content, particularly anything touching communications with foreign entities or critical sectors.

The clean device protocol addresses border inspection directly: there is nothing on the device worth inspecting. For executives who cannot use a clean device, a pre-departure backup and wipe – reinstating data from backup on return – is a partial mitigation, but impractical for most.

Mobile device risks

SIM swapping – in which an attacker convinces a mobile operator to transfer a phone number to a SIM card they control – is a documented attack method against executives. It provides access to two-factor authentication codes and can be used to compromise banking, email, and other credential-protected accounts. Using an authenticator application rather than SMS for two-factor authentication eliminates the SIM swap vector for protected accounts.

IMSI catchers (devices that impersonate legitimate cell towers to intercept calls and data) are used by state intelligence services in multiple P1 markets. They are essentially invisible to the end user. Encrypted messaging applications (Signal, or corporate equivalents) protect message content in transit even against IMSI capture, unlike standard SMS.

Integrating digital and physical security

A close protection team focused solely on physical threats without digital security coordination is running an incomplete programme. The advance survey for a high-risk city visit should include an assessment of the digital threat environment, not just the physical security of venues and routes. See our executive protection services for how integrated programmes are structured.

The briefing before departure should include the digital security posture alongside the physical itinerary. Operators should know whether the principal is carrying sensitive data and adjust their counter-surveillance and venue security posture accordingly. For the full secure communications protocol stack – encrypted messaging tiers assessed by threat level, hardware security keys, and E2EE tool selection – see our secure communications for executives guide. For executives involved in active deal processes, see our article on protecting trade secrets during international travel for the full operational picture. For technology executives facing specific digital-to-physical threat pipelines including doxxing, swatting, and smart home vulnerabilities, see our security for technology executives guide. For journalists, researchers, and media teams for whom digital security is inseparable from physical safety in hostile environments – including Citizen Lab-documented spyware threats, source protection, and border device protocols – see our security for journalists and media in hostile environments guide. For aerospace and defence contractor executives who travel internationally with ITAR-controlled technology concerns and face state-sponsored counter-intelligence collection risk at industry conferences, see our security for aerospace and defence contractors guide.

Sources: NCSC UK: Device Security guidance for overseas travel (2024). FBI Counterintelligence Division: China Threat Reports (2023). Citizen Lab: Dark Basin and related reporting. FBI Denver Field Office: USB charging warning (April 2023). ACLU: Border Search of Electronic Devices (2024).

Summary

Key takeaways

1. Travelling executives are priority targets for state-sponsored cyber operations

The FBI, NCSC, and GCHQ have each published documented warnings about state-sponsored targeting of senior executives and deal teams travelling to high-risk jurisdictions. The threat is not theoretical. The information being sought is commercial intelligence, intellectual property, and credentials.

2. The hotel room is the primary attack surface

Hotel rooms in certain jurisdictions are known vectors for device access during occupancy. USB charging points, room WiFi, and physical access during housekeeping are all documented attack surfaces. The mitigations – clean device, no USB charging from wall points, VPN, full-disk encryption – are specific to the travel context.

3. Digital security and physical security are the same programme

An executive who travels with a close protection team but no digital security protocol has protected themselves against one threat category while leaving another fully open. Integrated programmes address both. The operator briefing should include the digital security posture alongside the physical threat assessment.

Frequently Asked Questions

International travel creates exposure that does not exist in a controlled office environment: unfamiliar networks, border device inspection authority, hotel infrastructure that cannot be audited, and the opportunity for state actors to access devices during hotel stays. The combination of physical and digital vulnerability is specific to the travel context.

A clean device is a loaner laptop or phone with no personal data, no saved credentials, and only the applications needed for the specific trip. It is used for travel to high-risk espionage environments – China, Russia, and others with documented state-level data collection programmes. On return, the device is wiped rather than reconnected to corporate networks.

No. Consumer VPNs are blocked or restricted in China, Russia, Belarus, and several other states. Using an unauthorised VPN in China carries legal risk. Corporate VPNs through approved enterprise providers are a different category, but even these should be reviewed by IT security before use in high-risk jurisdictions. VPN use does not eliminate all surveillance risk.

Yes. US Customs and Border Protection can search devices at the border without a warrant. Chinese customs authorities have legal authority to inspect devices for ‘prohibited material’. Russian FSB has broad powers over digital content. A clean device with no sensitive material is the only complete mitigation for this risk.