(This post is guest post by ENEA)
On the streets of Hong Kong, a notable trend is emerging in response to mobile-based cybersecurity concerns. Individuals and employees are increasingly adopting ‘burner phones’ – secondary mobile devices used to discreetly handle sensitive communications and transactions. This is no quirky tech trend however, it reflects increasingly widespread concerns about the ability of network operators to protect against intrusions, exfiltration of data, and exploitation of unauthorized access by threat actors.
The Changing Face of Cybersecurity in Hong Kong
The advent of such concerns brings with it a new level of complexity for companies – and individuals – doing business in Hong Kong. This has had a notable impact on how companies, both local and international, structure their own data security and privacy policies. The challenge lies in navigating this new terrain where the lines between safeguarding individual privacy, company data confidentiality, and national security appear increasingly blurred.
The Emergence of ‘Burner Phones’ as a Defensive Measure
The growing use of ‘burner phones’ in Hong Kong is a direct response to the heightened cybersecurity awareness in the region. These secondary devices, typically less advanced than a user’s primary smartphone, are being adopted as a practical measure to safeguard sensitive information. The rationale behind this trend is clear: in an environment where the risk of data breaches is perceived to be high, having a separate device can provide not just an additional layer of security but a way to avoid or at least to minimize the exposure of personal and company data to unauthorized access by not having to connect those devices, which present direct gateways to such data for attackers, to local network services at all. This practice is not just limited to tech-savvy individuals, but is increasingly being seen as a necessary precaution by businesses concerned about protecting their client data and proprietary information.
But this isn’t just a question of good security housekeeping. It underscores a broader crisis of confidence in the ability of network operators to protect against sophisticated cyber threats. In this context, the humble ‘burner phone’ has emerged as a symbolic and practical tool for individuals and organizations striving to exercise control over perceived risks to digital privacy, data confidentiality and personal security.
The Challenge of Securing Mobile Networks
The unique nature of mobile network security presents a distinct challenge that sets it apart from conventional cybersecurity. In mobile communications, threats and vulnerabilities exist at a network level, often beyond the control of individual users or businesses. The European Union Agency for Cybersecurity (ENISA) has long pointed out that individuals are largely powerless in protecting themselves against such threats, as the attacks and resultant data leakage occur within the providers’ core networks. This situation places a significant portion of the responsibility for cybersecurity on the shoulders of the network providers, rather than the end-users.
ENISA says, “One important factor to mention is that in most cases, the subscriber cannot do too much in order to protect themselves from these risks. As most of the attacks are developed at the providers’ level (as both SS7 and Diameter are protocols functioning within the providers’ core network), the possible actions available for subscribers are very limited (e.g. encryption). Most of the security work has to be done at the providers’ level.”
ENISA isn’t alone in this perspective. For instance, the new US National Cybersecurity Strategy highlights that too much responsibility for cybersecurity has historically been placed on individual users. Similarly, Australia’s Cyber Security Strategy emphasizes the need to block cyber threats before they may reach end users. These strategies indicate a growing recognition of the need for a more proactive approach by network operators and governments to resource protection at the network level against unauthorized access by threat actors.
In this context, the growing adoption of ‘burner phone’ usage not merely as informal practice but as a matter of policy is a cry for help amid a crisis of confidence in mobile network security.