There were a number of big stories in Canadian politics at the end of March. In the technology files, there was significant buzz about the Distributed Denial of Service (DDoS) attack against the online voting system used by the NDP to elect their new leader. I wrote Welcome to Cloud(y) Politics and Can cloud politics truly scale for the population? as part of the election reporting I did for iPolitics.

In case you’re unfamiliar with what a DDoS is… it’s like a coordinated traffic jam on all roads leading to a particular destination. A protest that clogs multiple roads in and out of a city’s downtown is like a DDoS. Traffic can’t move. People are late but their homes and workplaces are unchanged.

The last we heard on this matter was the NDP was investigating and would consider involving police. That was over four months ago.

Deliberate attack used more than 10,000 computers to issue 10,000,000 abnormal requests

I spoke with NDP Acting National Director Chantal Vallerand yesterday to find out where things stood. Ms. Vallerand shared a summary report, the key points of which are:

  1. Each of more than 10,000 suspicious IP addresses generated as many as 1,000 requests per minute to the voting system. That works out to roughly ten million abnormal requests occupying the voting system and thus interfering with legitimate voting activities.
  2. Most of the attacking computers were located in Canada, though some were located around the world.
  3. The required organization makes it clear the attack was deliberate. In fact, the pattern of activity suggests the attackers were also following media reports about each round of voting – suspending attack activities between rounds and increasing them during voting.

Provider’s quick response ensured integrity of vote

Perhaps the most important part of the audit report by Price Watherhouse Coopers confirms the integrity of the vote was not compromised. DDoS attacks are about interfering with and interrupting access to systems, not corrupting data in transmission or storage. Though it’s unclear how many people gave up trying to vote through the online systems, the number of successfully completed votes suggest anyone who wished to vote had the opportunity to do so.

The breakdown of successful votes indicates roughly 10,000 voters per ballot during the Convention, 40,000 on-line and 15,000 advanced votes through postal mail.

Ms. Vallerand credits the quick response of voting service provider Scytl for ensuring the leadership voting was successful. She was uncertain of the technological remedies, though she was clear Scytl’s prompt recommendation to extend the length of voting in each round played a crucial role in ensuring the vote was successful.

The combination of the auditor’s certainty in the quality of the vote and Scytl’s counsel that the high cost of an investigation and the uncertainty of finding the perpetrator has convinced the NDP to notĀ investigateĀ further or pursue criminal charges.

Voter interference is technology agnostic

This event has illustrated something very important: when it comes to voting, no technology is immune to voter interference; no technology is perfect. If it’s important to an individual or group to prevent people from exercising their democratic right to go to the polls, they will find a way. And, as much as a technology cheerleader as I am, online systems are much easier to target.

I commend the NDP for accepting the outcome of the vote and deciding time and money is better spent elsewhere. Still, they (perhaps) unwittingly prove why online voting systems make attractive targets for complex DDoS attacks — with the right response teams, they will essentially remain consequence-free crimes.