Brian Hess & Jon Tran

The War in Ukraine: Guidelines for Businesses on Rapid Withdrawal from Conflict Zones and Contested Environments


Companies that were forced to adapt to the reality of COVID are now grappling with operating in and evacuating from war zones (e.g., Ukraine), in contested or hostile environments (e.g., Russia), or on the edges of a conflict zone which could spread regionally, without warning. In addition to being one of the worst humanitarian crises Europe has faced in decades, the war in Ukraine – including its second and third order effects – highlights how quickly the operational landscape can shift.

To assist organizations and their employees in planning for conflict zone withdrawal contingencies, The Chertoff Group has assembled these Guidelines for Safe Withdrawal. While these guidelines are intended to cover key planning considerations, they are not exhaustive, and organizations should be guided by the facts and circumstances of their particular situations.

A. Authority to Take Action

It should be clear who within the organization is accountable and has the authority to determine that the situation requires evacuation “ and absent that, other conditions whereby a local office can take action on its own. If practicable, organizations should establish a password or code that makes it clear that evacuation must be initiated. In a genuinely dangerous situation, you don’t want to lose time because of confusing communications.

B. Business & Employee Evacuation Considerations

Business Considerations
(NOTE: these measures should be contemplated prior to evacuation “ employees should not risk their lives to complete these tasks if danger is imminent)

  1. Physical documents “ Identify where sensitive documents (e.g., intellectual property, critical business information, organizational charts & sensitive employee information, etc.) are located and have a plan to collect or destroy those documents prior to evacuation.
  2. Business systems – If possible, backup information to cloud services or disk/tape for transport to non-affected areas. If making a hasty withdrawal, consider disabling or destroying computer systems, business-specific machinery, or other unique devices that the company would not want to fall into adversarial hands.
    A. Disable systems that may cause environmental or other catastrophic disasters, if left unattended.
    B. Invoke business continuity plans to transfer all other functions to a non-affected (or less affected) location.
  3. Establish a re-communications plan – Provide employees with a central contact number (e.g., headquarters, operations center, etc.) or central person to update status upon arrival to a safe location.
    A. Ensure employees (and family members, where applicable) are accounted for, when possible.
    B. Establish a communications frequency plan (i.e., contact must be daily, every three days, weekly, etc.).

Employee Considerations

  1. Safe havens – Plan primary and alternate(s) evacuation routes to friendly areas and specific locations. If possible, monitor local news sources to identify friendly evacuation routes. Contact local Red Cross representatives to assist with evacuations, if possible. Identify the mode of travel to those areas.
  2. Documents – Gather all important documents critical to establishing identity (i.e., passports, licenses, etc.), or other documents deemed vital or irreplaceable.
  3. Medicine –  Gather any critical medications needed for long-term care. Obtain iodine and water purification tablets, if possible, as water systems in affected areas may have parasites or other unfiltered contaminants in the water.
  4. Money – If possible, withdraw cash in local and regional currencies to assist with future housing, food, border crossings, facilitation payments etc., and to meet unexpected contingencies, where local government authorities may not be in charge. Expect and accept the need to pay bribes if it secures safe passage.
  5. Contact listings – Have a physical listing of important contacts (both personal and professional) in case digital mediums are lost or destroyed.
  6. Go-bag –                                                                                                                                              Create a go-bag with items needed to sustain 48-72 hours alone (non-perishable food, water, medicine, season-specific clothing, blankets/sleeping bags, hygiene items, localized maps, flashlights, extra batteries and cellular phone chargers, first aid kit, multipurpose tool, whistle, etc.).
    1. Each family member should have their own personal go-bag with individualized supplies.
    2. Pets, if taken, should also have necessary supplies.

C. Data Protection and Disconnection

  1. Preparation – To streamline the withdrawal process and limit unnecessary delays, companies should undertake the following preparatory measures:
    1. Ensure staff understand their roles and responsibilities in the event of a withdrawal decision
    2. Encrypt all data at rest
    3. Identify sensitive information and its location including proprietary data, account storage, password storage, network information storage
    4. Identify the physical location where your cloud data resides
    5. Where possible, look to script measures below and be ready to deploy in case of emergency
  2. Execute Forensic Delete – To ensure data is not available to unauthorized parties, overwrite all files with random data. As a common best practice, overwrite data with a 0 and then a 1 multiple times.
  3. Address Backups – Backup data to site outside conflict zone – ensure backups are physically located or moved to an unaffected (or less affected) location. Disable and destroy all local backup mediums in conflict zone.
  4. Account Management – Because stored authentication secrets (i.e., privileged credentials and associated materials) can be extracted and re-used for malicious purposes, delete these secrets to protect your authentication. Some examples of these are SSH certificates, API Keys, and password vaults. In addition, organizations should delete account and password databases. In Windows Active Directory the command is NTDS.dit. For Linux it is /etc/shadow or /etc/password
  5. Network Teardown – Companies should terminate active connections and network activity, including:
    1. Deactivate VPN connections: Turn off any VPN connections that are allowed in or out of your organization. This will ensure that no adversary can take advantage of these secure tunnels
    2. Delete Shared Keys: Many network devices rely on shared keys or shared keys stored as certificates to authenticate. Be sure to remove these so they cannot be reused.
    3. Delete Routing Tables: Routing tables stored on your network devices can provide insight into configuration of your network and networks you connect to. Be sure to delete routing tables to deny adversaries this information
    4. Delete Network Configuration: In the same vein as routing tables, configurations of your network devices can reveal your internal workings as well as your external connections. Deny this information to the adversary
  6. Notes for scripting – Order of operations and proper scripting will ensure that data is fully deleted.
    1. Order of Destruction matters: A common mistake is to set an entire drive to delete. This may delete OS files before deleting stored data. When OS files are deleted, it will stop the script. This will allow for forensic tools to easily recover data. A good rule of thumb is to destroy everything except for OS files starting with network storage
    2. A regular delete does not defeat forensic techniques: On many devices when you delete a file, the data itself is not removed. The pointer that tells an OS where the start and end of a file is removed, and that section is free to rewrite. If you only delete a file, the data is still forensically recoverable. Organizations should consider industry standard wiping tools like Microsoft SDelete.

Finally, The Chertoff Group urges all organizations to engage with relevant foreign affairs departments and embassies of their home country (e.g., the U.S. State Department in the case of U.S. organizations) and carefully follow their guidance as appropriate. We further recommend all U.S. employees register with the State Department’s Smart Traveler Enrollment Program (STEP) in advance to receive travel advisories and to provide the local Embassy or Consulate with your contact information for emergency alerts and accountability.

Contact for more information.


Let's Talk.

Let's explore ways we can help you manage risk or position for strategic growth.

202.552.5280 | Mon. – Fri. 8:00 AM – 5:00 PM EDT