In late January of this year, the Middle East was the scene of unprecedented and rapid political and social changes that took the most mature businesses and industries by surprise, and left them virtually paralyzed. Not even the most sophisticated and knowledgeable secret intelligence agencies predicted the massive-scale social uprisings that emerged throughout the region.
It is worth analyzing business continuity strategy in Egypt because it witnessed what was probably the first international incident ever recorded of a government using the Internet “kill switch,” as well as the ripple effect of the consequences resulting from the decision. Additionally, Egypt is the second largest economy on the African continent after South Africa and has the most diversified economy in the region by United Nations standards; therefore, the impact on diversified businesses is clearly visible and not
How It Happened
After days of continuous anti-government demonstrations that used the Internet and social networks such as Facebook and Twitter as coordination platforms, the former administration decided to cut the Internet just minutes before midnight on January 27, 2011, with the hope of preventing protesters from using their communication tools. Minutes later, it was confirmed that there was no Internet connectivity whatsoever across the entire country. What was once deemed technically impossible was proven to be technically possible. In such authoritarian countries, much of the physical telecommunications infrastructure is under the direct ownership and control of the government.
We saw firsthand the catastrophic impact of the government’s impulsive decision. Imagine a country or a modern business deprived “overnight” of emails, VoIP services, e-commerce, online conferencing, web-browsing, running a corporate website or even seeking remote online support. This unprecedented situation lasted for five consecutive business days.
Companies working in the IT outsourcing industry were among the first to be affected. The direct loss in revenue for those five days is estimated at $90–$120 million USD, which does not include lost business opportunities and possible SLA violations and lawsuits. Another example is the banking sector. Several national and multinational banks announced that key services such as international money transfer and online banking were unavailable or unreliable. With the national ATM network shut down and the standalone ATM machines vandalized, millions of bank customers resorted to standing in long queues in front of their local bank branches.
Very few companies appeared to be unaffected and resilient. Some companies survived because they exercised solid BC plans, while others were sustained by pure luck. One major mobile operator provides a good example of a company that survived the disruption. This company’s actions demonstrated the effectiveness of having a solid and comprehensive business continuity plan in place.
On January 27, the BCP was triggered by the government cutting off the Internet. Then, the crisis management team (CMT) met and activated the disaster recovery plan (DRP) to safely shut down the local IT services and focus on securing the physical assets (data centers, key cellular towers, and power generation stations) from sabotage and perhaps the unsafe street conditions.
Initially, the customer call center was bombarded with calls complaining about difficulties using communication services such as mobile Internet, BlackBerry, and international calls. Although the customer service representatives tried to explain the situation to callers, they soon realized it was a national problem.
On January 29, the government announced a national state of emergency and a curfew was enforced. Furthermore, all the mobile operators in the country received orders from the government to shut down all mobile communications, including voice and SMS services, as a last attempt to cripple the demonstrators’ communications. Due to a provision in the mobile regulatory license agreements signed with all the mobile operators, companies had to comply. This decision proved to have significant cost and negative corporate image implications that later left those companies with no option but to embark on massive damage control and PR campaigns.
At this stage, the CMT ordered the shutdown of the customer call center and landlines, activated the internal call tree, and ordered all staff to remain at home until further notice. After receiving confirmation that all headquarters and branch offices countrywide had been evacuated and locked, the CMT started the crisis communication plan, which had to deliver several messages to international media and the foreign stock markets where the company is listed.
On the IT side of the disruption, the DRP of this company was designed to mitigate the risk of total and complete loss in connectivity by developing a replica of its web services hosted in Europe, as well as by signing with a prominent cloud-based managed services provider to manage the security and availability of the corporate emails for its 5,000 users in the cloud. This managed service had a provision that allowed them to save drafts of undelivered emails “in the cloud” for up to seven days. Once the former president and his administration announced his resignation, the Internet was back online and the employees’ mailboxes were flooded with week-old emails, certainly a better situation than an empty mailbox and angry customers.
On the other hand, entities such as the Egyptian stock exchange (egyptSE.com), which appeared to be online and reachable throughout the Internet blackout, proved to be on a single and fairly small ISP in terms of market share. It is unclear if it survived the former government’s decision by coincidence, as the Stock Exchange is one of its few subscribers. On the other hand, it could be that the ISP was purposely spared because of the Stock Exchange and that the other few subscribers were incidental beneficiaries.
Based on available information, nearly 80 percent of the businesses in Egypt did not list the scenario of a national Internet blackout as a strong possibility and were therefore unprepared. The remaining 20 percent were companies that were well prepared with alternative and varied means of international communication, such as satellite connectivity (VSAT), and companies that do not rely exclusively on the Internet for business.
The most advanced secret intelligence agencies in the world, such as the US Central Intelligence Agency (CIA), did not anticipate this revolution. The United States Secretary of State Hillary Clinton described the Egyptian government as “stable” after three days of events. Interestingly, none of the traditional risk assessment methods available or practiced in most of the companies in Egypt would have predicted the risk of a major political overhaul and social uprising.
The event was the world premiere of a government using the Internet kill switch, coupled with a nationwide mobile communication blackout. It simply caught everyone off guard. However, corporate risk experts should have learned from their previous experience in 2008 when there was a major Internet services disruption due to human error when an undersea Internet cable was cut.
The failure to anticipate this major incident in the corporate risk matrix was impermissible. Perhaps the only companies that continued operation throughout the disruption were those with rigorous, dynamic, and active risk assessment practices that learned from the 2008 events and translated those lessons into viable disaster scenarios.
One key observation is that companies that used cloud computing were noticeably more resilient and capable of working around this disruption because of the flexibility and availability offered by cloud computing infrastructure.
Many small to mid-sized businesses with traditional BC and DR plans found that their plans had many shortcomings in regard to this particular situation, as there was a dependency on modern technology. Ironically, many companies could not activate their call trees since mobiles and SMS were unavailable and disseminating a message to the branch offices across the country was nearly impossible.
Even companies with expensive disaster recovery sites (located over 100 miles away) had problems activating the DRP due to the complete and prolonged loss in connectivity and the inability to seek technical support from partners or vendors, including industry blue chip companies.
The recent events emphasized how modern businesses really depend on technology and, particularly, the Internet. These events also provided the unfortunate reminder that we take these modern technologies for granted.
Omar Sherin holds a bachelor of science degree in computer engineering, with more than 10 years of professional information systems security, resiliency and SCADA security experience. He is a member of the OWASP organization leaders board and a voting member on the IEC/ISA-99 standard for critical infrastructures security. He has worked for several multinational firms in the oil and gas sector, and he is a certified ISO27001LA, CEH, and a CBCP.