A Russian sports official earlier this year estimated that as many as 2 million people would flock to the country during the World Cup, the month-long celebration of soccer—or football, fine—that kicks off today in Moscow. If you’re one of them, have fun! But also maybe leave your laptop at home.
Yes, traveling to and between Russia’s 11 World Cup host cities should provide marvels aplenty. But it’s important to remember that Russia, by and large, is a nightmare land of digital debauchery. If you’re a journalist, activist, politician, celebrity, or other high-profile figure, you’re at decent risk of being targeted by surveillance. And even if you’re just a fervent Finland fan, indiscriminate cybercrooks run rampant.
That may sound like hyperbole, but it’s also official guidance from the top counterintelligence official in the United States. “Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyberrisks involved,” William Evanina, director of the National Counterintelligence and Security Center, said in a statement this week. “If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you—make no mistake—any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals.”
A little perspective is healthy here. You won’t get hacked the minute you set foot in Moscow, as an NBC report prior to the Sochi Olympics in 2014 implied. But things do work, as they say, a little differently over there.
“There’s a baseline level of untargeted cyberattack type stuff that happens in Russia, Ukraine, nearby places,” says Ryan Lackey, founder of ResetSecurity. “That ambient background level is fairly high, which also is cover for whenever there’s a targeted attack. So you’ve got an increased risk versus a lot of other locations.”
Fortunately, some common sense steps should help you navigate the various dangers that might present themselves. And they start before you ever board the plane.
‘I would analogize it to walking down a dark alley in a big city.’
Jake Williams, Rendition Infosec
The first rule of traveling to any potentially hostile nation: If there’s a device you don’t absolutely need, you should leave it behind. “Travelers should decide whether they can reduce the amount of digital information that they carry across the border,” leads off the EFF’s “Digital Privacy at the US Border: Protecting the Data On Your Devices,” a guide created in response to increased device searches there. The advice applies to Russian borders, as well.
For most people, that means ditching your laptop. It’s generally easier to live without one for a stretch of time than a smartphone. They’re also more likely to house desirable information, especially if it’s your work rig. And it’s more tempting to use public Wi-Fi with your laptop, which gets to the second-most important piece of advice: Don’t use public Wi-Fi.
“Public Wi-Fi is almost always unencrypted. That means that any eavesdropper, any bystander, can listen in on your communications,” says Jake Williams, founder of Rendition Infosec. Attackers can also use those public connections to pull off a so-called man-in-the-middle attack, in which they redirect your browsing request to a malicious website of their choosing. “From that point, via the browser, they can run malware on the machine,” Williams says.
That can and does happen stateside, but again, Russia operates on a whole other level. “The networks that you connect to while you’re there are going to be much more hostile than the networks you connect to in the US. In the US you can connect your laptop to a hotel network and have a pretty reasonable expectation that nothing bad is going to happen,” Lackey says. “There’s a lot of cases of networks that are either monitored, or serving traffic, or man-in-the-middling, or anything else over there.”
‘The networks that you connect to while you’re there are going to be much more hostile than the networks you connect to in the US.’
Ryan Lackey, ResetSecurity
As for your smartphone, you can pick up a disposable, prepaid burner once you’re situated in Russia if you think you might be specifically targeted. Otherwise, just make sure to keep your mobile device on your person at all times, stay off Wi-Fi, and use common sense when browsing. Lackey also recommends logging out of any sensitive accounts before you land, and staying logged out until the return trip.
Whatever device you bring, enable full-disk encryption wherever possible. Modern Android and iPhones provide that feature by default, but make sure you’re using fingerprint detection and a six-digit PIN. On Macs, you can turn it on using FileVault by going to System Preferences > Security and Privacy, while Windows PCs can go to the Start menu, enter encryption, click Manage BitLocker, then Turn on BitLocker.
It all might sound a little paranoid. But if you’re a journalist, or work for an NGO, or have even a little bit of celebrity—athletic, political, or otherwise—consider these steps a bare minimum. Even if you’re not, they’re good hygiene. Russia’s myriad cybercriminal gangs care more about your bank account than your notoriety; high-end hotels near the World Cup venues will act as flames for digital-delinquent moths.
“I would analogize it to walking down a dark alley in a big city,” Williams says. “Obviously there are people who are at a higher risk in that situation, but everyone’s taking an additional risk by taking that route.”
So again, enjoy the games! Try the borscht, cheer for Iceland. But also make sure that your devices are buttoned up, so that you can leave with your digital life fully intact.