Lessons from Egypt: What Can Businesses Do If the Government Shuts Down the Internet?Published February 08, 2011 in Arabic Knowledge@Wharton
Egypt's popular revolt was actively fueled by social media, leading some in the media to call it the 'World Web War I.' The Hosni Mubarak regime raised the stakes when it cut off internet and network access to the country's 88 million citizens on January 27 before restoring it five days later..
Even though in the past other countries have blocked access to parts of the Internet, no one has ever cut off mobile networks and Internet links almost entirely. "We have never seen a country as connected as Egypt completely lose Internet connectivity for such an extended period," said Craig Labovitz, chief scientist at Arbor Networks, on the company's security blog.
The Google Transparency Report is an interactive tool that provides information about traffic to Google's services around the world. The tool visualizes disruptions in the flow of information. A dramatic drop in the chart indicates Egypt's Internet cutoff started on January 27.
Before this turmoil, Egypt had ambitions of becoming an IT hub. Major high tech companies such as IBM, Cisco Systems, Wipro and Google have facilities in the country. To attract IT companies, the government made major investments to develop a high-tech industrial park, which now employs 28,000 workers, outside Cairo. Egypt has also become increasingly wired. Internet penetration increased from less than 1% to more than 20% of the population during the past decade. The growth in mobile subscribers has followed a similar curve. Egypt has more than 70 million subscribers, many with 3G smartphones.
But the Internet blockade probably cost the country some US$90 million, according to the Organization for Economic Cooperation and Development, which notes that telecommunications and Internet services account for between 3% and 4% of Egypt's GDP. Egypt's 'kill-switch' act came as a surprise to many, but not to Bill Gates, Microsoft co-founder and chairman. "It's not that hard to shut the Internet down if you have military power where you can tell people that's what's going to happen," said Gates in a recently published interview. "Whenever you do something extraordinary like that you're sort of showing people you're afraid of the truth getting out, so it's a very difficult tactic, but certainly it can be shut off."
Some of the reactions were predictable. News reports said Cisco, HP, Wipro, Infosys and Google had either closed down their offices or evacuated their employees from Egypt. Others, however, were entrepreneurial and innovative. For every wall that the Mubarak regime created to shut down communication, citizens came up with ways to break through them.
After the disruption, Egyptians used everything from technical solutions like 'TOR proxies' (which can offer anonymity and bypass network filters) and ham radios to old dial-up modems and used them to connect to the outside world since landline telephone service was not affected by the crisis.
The tech world joined in as well. Google and Twitter collaborated and put together a "speak-to-tweet service" which put a voicemail left on international number provided by Google as a Twitter message on Google's Speak2tweet Twitter account.
Egypt's Internet access returned five days after the initial cutoff, posing questions about its future. "This will have a major impact on Egypt's ambitions to become a global sourcing and support destination," says Gurpreet Dhillon, professor of information security at Virginia Commonwealth University. Dhillon spoke with Arabic Knowledge@Wharton about the risk and implications to online security and the IT industry in view of the developments in Tunisia and Egypt.
An edited transcript of the conversation follows.
Arabic Knowledge@Wharton: In view of Egypt's 'kill-switch' approach to popular protests, are we looking at changes in off-shoring risk management, or simply crisis management?
Gurpreet Dhillon: The recent geopolitical situation in countries such as Tunisia, Egypt and Yemen present interesting challenges for businesses. These could relate to the use of information technology (Facebook, Twitter or Cloud Computing) or the safety of employees, but there is an urgent need to think about business continuity. In the past, similar situations have been witnessed in India, following the Mumbai bombings in 1993, in the Philippines following the ouster of Ferdinand Marcos, and the ongoing Internet filtering and blockage imposed by China. Interestingly, the common thread that runs through all these countries is their aspiration to provide IT solutions to the world. Today, India and the Philippines are indeed major IT outsourcing destinations. Until last week, Egypt aspired to be the "new India". Xceed (the IT arm of Telecom Egypt) for instance, has established a large outsource call center with some 1,200 agents. The facility was touted as the largest call center facility in Southern Mediterranean region. Similarly, Tunisia had been marketing itself as a destination of choice for the French market.
Arabic Knowledge@Wharton: What should businesses do to ensure continuity of services?
Dhillon: The answer to this question is complex. On April 10, 1992, a massive Irish Republican Army truck bomb exploded in London's financial district. The explosion brought a large number of financial companies to a standstill and was a wake-up call for a lot of businesses to seriously consider disaster recovery planning as an important aspect of their strategic thinking.
The situation today is similar and reminds businesses of the inherent risks of extensive reliance on information and communication technologies. Such reliance may be in the form of 'Software as a Service' or 'Service Oriented Architectures,' so that when a rogue regime pulls the plug, businesses come to a standstill. Alternately, an Internet-kill switch of sorts could terminate landline-based Internet services.
Clearly business continuity via satellite-based Internet connectivity and virtual private networks (VPN) could be an option. However, in a quest to cut costs businesses frequently overlook the necessity for such a facility. Typically most major IT outsourcing players do use satellite-based services, particularly in India, but that has been more because of necessity rather than business continuity, as exemplified by the occurrences in Egypt. In India, a lack of good quality and monopolized Internet access prompted software services firms such as Infosys, Wipro and others to invest in alternative technologies. However, the opening up of the market and a large number of independent service providers has resulted in complacency. This is more so with respect to the middle- and lower-tier outsourcing vendors.
To reduce the threats to business posed by a rogue government, companies should have a crisis strategy aimed at keeping business going and providing support to their infrastructure in case of a disruption. A company should decide what to outsource, and what to keep in-house, ensure key operational systems are backed up if they are outsourced, and try to keep good relations with the authorities whom they are dealing with.
A company should also analyze and prepare for known threats, decide on the crisis responsibilities for its employees, and have a network and protocols for communicating decisions. Undertaking crisis practice runs also helps a company be prepared for a real-life situation.
Arabic Knowledge@Wharton: The crisis in Egypt has again raised questions about outsourcing work to developing countries. How do companies decide which locations are safe and what work should be outsourced?
Dhillon: Outsourced work needs to be classified into four kinds of activities -- research and development, strategic, key operational and supportive. Sending "supportive work" overseas is perhaps the easiest and least risky. This might include things like payroll management, certain accounting tasks, coding and billing, and so on.. Key operational activities are a little more difficult to offshore. From an information technology perspective, ERP systems [Enterprise Resource Planning, a process of integrating business management with technology] could be an example of key operational systems. Since the organization usually depends on such systems for their daily operations, any disruption would have an adverse effect. Over the past several years there has been a growing trend to offshore complete business processes, but that increases the risks. If a company is going to move some of its activities overseas, it is important to consider contingency plans and work through various scenarios, given the prevalent economic and geopolitical climate.
Arabic Knowledge@Wharton: What does this mean for the viability of cloud computing?
Dhillon: Cloud computing is here to stay. However, back-up and recovery aspects have not completely been addressed. I think the industry and the cloud service providers will mature with time. The bigger players, for instance, have gotten their act together.
Arabic Knowledge@Wharton: What can businesses do to counter volatile situations that can adversely impact support services and business operations?
Dhillon: Crisis management is important. In such situations it is important for companies to define high-impact and low-impact processes and also think through their probability of occurrence. Excellent contingency plans are needed for 'high likely impact' and 'high probability of occurrence' incidents. 'Low probability of occurrence' and 'high likely impact' situations are also of a serious concern. In such cases a sort of an adaptive strategy is needed. This will prompt firms to re-think the risks they face in other regions.
Arabic Knowledge@Wharton: We understand the U.S. is considering an Internet-kill switch.
Dhillon: Under the Communications Act of 1934, the President had broad sweeping powers to shut off any wired or radio communication network in the event of war or threat of war. The proposed, 'Protecting the Cyberspace as a National Asset Act' introduced by Sen. Joe Lieberman broadens the definition of threats to include cyber-threats. While Lieberman's proposed bill has come under criticism, particularly in light of Egypt's shutting down of the Internet, in reality the bill forces private service providers to come up with a means of managing critical digital networks in case of a "bad" event. In that sense, Lieberman's bill seeks to legislate what may be considered best practices in the industry. Indeed it is prudent for service providers to come up with contingency and disaster recovery plans in case something untoward occurs.
The debate around the Internet-kill switch and the recent incidents in Egypt make it essential to address certain fundamental issues pertaining to free speech, democracy, and security. The issue was also raised right after the WikiLeaks revelations, besides many other instances in history, such as the publication by The New York Times of the Pentagon Papers. And it goes back to the age-old contention: How far should we permit government restrictions on freedom of speech in favor of security? Unfortunately, there is no absolute answer or black-and-white line.
In Egypt for instance, the government tampered with the DNS (a system dealing with readable web addresses and numerical IP addresses). The government thought that by "killing" the Internet they would be able to squash the protests, particularly since there would be poor or unreliable information flow; however the opposite transpired. A similar situation is being presented in Pakistan, following the assassination of the Governor of Punjab; the Pakistani government has ordered all ISPs to block all websites propagating an anti- Islam agenda. It remains to be seen, however, what impact curbing online freedom of speech will have on democracy.