“Nobody Goes There Anymore, It’s Too Crowded”: Election Officials’ Responsibility for Handling Denial of Service Attacks


[Image courtesy of TVRage]

As Opening Day approaches, I’m always looking for an excuse to quote Yogi Berra and this is the perfect opportunity … plus it’s a better picture than an Internet voting terminal!

Over the weekend, Canada’s New Democrats (NDP) conducted a vote for a new leader. The vote was conducted online so that registered party members could vote both in person at the NDP convention site and remotely from home computers or smartphones.

Sometime during the second round of voting, the system slowed considerably, and eventually it became known that the system had likely been the target of a “denial of service” (DoS) attack aimed at clogging the system and thus preventing (or at least discouraging) voters from casting ballots. The NDP, its vendor and consultants have identified two IP addresses that appear to have been the source of the attack and are investigating now.

The results of that investigation are still forthcoming, but in the meantime I wanted to focus on a discussion I saw online yesterday about whether and how NDP and its vendor should have prepared for the possibility of a DoS attack.

One point of view likened a DoS attack to bad weather on Election Day – an event that could hinder voters and which election officials know is possible, but are essentially powerless to predict or prevent. This point of view suggests that DoS events should be subject to the contractual doctrine of force majeure (aka “acts of God”) like weather or natural disasters that are often used to explain and excuse non-performance under a contract.

The other, contrary view was that while the DoS attack itself was outside the control of the NDP and its vendor, the fact that their system was susceptible to such an attack is something that should have been taken into account in advance. After all, a similar attack in the “real world” would require hundreds or thousands of voters to show up simultaneously at polling places and deliberately slow down the system – an enterprise that (unlike an online attack) would create huge numbers of co-conspirators and potential prosecution witnesses who could help uncover and punish the perpetrators.

I confess I’m far more sympathetic to the latter view. While I firmly believe there are some things (like turnout) that are completely outside the control of election officials, the choice of voting system – and the accompanying risk of bad acts – brings with it a responsibility to consider the “threat model” that accompanies that choice.

After all, Yogi Berra’s observation is funny because it’s true … crowds can make anything unpopular. Knowing that – and hardening any system against “bad guys” using crowds to hinder voting – is something that election officials should do regardless of what voting system they employ.

4 Comments on "“Nobody Goes There Anymore, It’s Too Crowded”: Election Officials’ Responsibility for Handling Denial of Service Attacks"

  1. John McCarthy | March 27, 2012 at 8:47 am

    Excellent summary Doug!

    I also agree with your conclusion that hardening any system against “bad guys” using crowds to hinder voting – is something that election officials should do regardless of what voting system they employ.

  2. Indeed. If an election official implements a new method of voting with obvious, likely and nearly unstoppable attacks, they must be held partly responsible for the consequences of their choices. DoS attacks are already widely used by a variety of attackers against all kinds of targets, from other elections (Hong Kong, Estonia, and the NDP themselves previously) to businesses and even entire countries.

    A DoS attack can also be used to do more than just lower turnout. By careful selection of when to attack and which intermediate networks to attack, the attacker can affect some types of voters more than others, and thus influence the outcome.

  3. I also agree with your conclusion. As a sign of how unprepared both the NDP and the vendor Scytl were, people who were physically at the convention were unable to vote during the DoS attack, because the only option for them was to vote online. In other words, one obvious step that could have been taken – but wasn’t – was to have paper ballots available at the convention as back-up in case there was a DoS attack.

  4. Election administrators and election system manufacturers have a clear duty to protect against known (or reasonably expected) failure modes. And DoS attacks are routinely listed as a major concern re internet voting, so this was/should have been an expected failure mode.

    It’s not clear what weight Scytl and NDP gave to the risk/likelihood of a DoS attack but no matter what I can’t see how they could reasonably squeeze the DoS event within the force majeure doctrine. That’s a stretch and I’m not sure that anyone at Scytl or NDP has actually made this sort of argument…

    In this case the election administrator chose to deploy a voting system with a known vulnerability, susceptibility to DoS attacks. And the system was in fact attacked and the usability of the system was adversely affected. While everyone will agree that the NDP experience fell well short of the ideal, it’s hardly analogous to an unpredictable earthquake/tsunami combo knocking out an election facility.

    That said, I don’t see DoS attacks as fatal to the long term future of internet voting. The most obvious solution for near-term implementations of internet voting may be to (1) offer a paper system in parallel and (2) restrict internet voting to early voting. By not allowing IV within the last 24-72hrs an effective denial of service attack (say targeting a 3 week early voting period) becomes much more expensive. Scytl/NDP could also throw more hardware at the problem but it seems much cheaper to scale the attack side by increasing the size of the botnet than it does to add servers, so they might not see a very good ROI on that front.

    And… this just addresses the DoS issue – there are other security/administrative concerns, as have been well documented by Barbara and others, that need to be fully considered in the policy decision of how to best serve voters/citizens. This doesn’t rule out internet voting as a viable solution, it simply re-states the obvious: that any potential election system must be evaluated in the context of the overarching policy goals, clear standards and in comparison with competing systems.
