The recent takedown of Dyn DNS services, which caused major websites and services to become unavailable to many millions of users in Europe and North America, showed just how disruptive a distributed denial of service (DDoS) attack can be.
With the US presidential election fast approaching, it also raised the question of how denial of service attacks could impact the country’s voting process on November 8th.
To be clear, we’re not talking about another mega attack preventing the vote from taking place. Given the dispersed nature of the election, such a scenario is highly unlikely. In the words of FBI Director James Comey responding to the possibility of a cyberattack on Election Day:
“The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck.”
That said, our concern is with several realistic scenarios in which DDoS attacks could be used to suppress voter turnout, simply by making it harder for people to reach the polls.
With voters from both major parties displaying record high apathy, such attacks could inconvenience them just enough that they decide to sit this one out.
#1 – DDoS Against Carpooling Websites
The most likely attack scenario on our list involves DDoS perpetrators attacking the websites of organizations that set up carpools or free rides for voters to get to their polling stations.
The inability to get to a polling station on Election Day is among the most common excuses for not voting—especially true in areas of the US that lack sufficient public transportation. To add to the problem, polling stations have closed across the country; voters in a number of areas now need to travel farther than years past to cast their ballots.
In response, many organizations across the US, including nonprofits, community centers and churches, are organizing carpooling services. Their corresponding websites are perfect targets for DDoS perpetrators looking to depress voter turnout, because:
- They are unlikely to withstand even a small-sized attack. Most of these sites could be taken down with a run of the mill DDoS-for-hire (booter) service.
- Their localized nature enables offenders to launch highly targeted attacks, selectively targeting either conservative or liberal communities.
The most alarming situation would be a coordinated assault targeting multiple carpool websites in specific regions of a swing state, such as Ohio or Pennsylvania.
#2 – DDoS Against Websites that Help Locate Your Voting Station
Another situation involves attacks against websites that voters use to locate their polling stations. This scenario is considered less likely to impact the election, as there are a variety of sites, both governmental and private, providing this information simply by entering in a home address. Still, it’s often among the last things checked by voters before heading out to cast their ballot.
The fear is that a DDoS assault targeting one or more of these sites would prevent voters from knowing where their polling stations are located. For apathetic voters, this might be the excuse they need to simply stay home.
It’s a sentiment shared by Adam D’Angelo, CEO of Quora, who recently sent out the following tweet:
Last Friday’s attack should be enough evidence. Print out directions so you can vote/campaign without internet. https://t.co/aWruxEqMK8
— Adam D’Angelo (@adamdangelo) October 31, 2016
Notably, such attacks are not without precedent. Five years ago, during the 2011 South Korean by-election, two DDoS assaults were launched against the websites of the National Election Commission and one of the candidates. They were timed to bring down both sites during the morning hours, precisely when voters were thought to be checking where to cast their ballots.
#3 – DDoS Against Online Voting Platforms
Finally, it’s important to consider the potential impact of a DDoS attack targeting online voting platforms.
Currently, five states—Alabama, Alaska, Arizona, Missouri and North Dakota—allow some form of voting via a web-based portal. A DDoS attack targeting the portals would almost certainly block certain voters from casting their ballots, thereby potentially influencing the final outcome of the election.
That said, a number of factors would limit the impact of such an assault. For example, of the five states only Alaska allows all eligible voters to cast their ballots electronically.
The other four states only let members of the military and citizens based outside the country vote electronically. Missouri further limits eligibility to only military members serving in “hostile zones.” Alabama’s electronic voting system was just introduced this year, and only for the primary election.
While electronic voting is still in its infancy, expansion in future elections may become a target for DDoS offenders and should be closely monitored.
The Problem of Voter Apathy
The effect of these three scenarios is further compounded by a lack of enthusiasm among voters, which is particularly high in this election. Hillary Clinton and Donald Trump both suffer from dismal approval ratings (44% and 33% respectively), making them the two least popular presidential candidates in recent history.
Meanwhile, approximately 15% of voters remain undecided—about 10% higher than at this point in the 2012 election. While this may indicate that voters are still trying to decide which candidate best represents their interests, a more likely scenario is that they are trying to decide which one is the lesser of two evils.
Given the data, it’s no wonder both campaigns are engaging in intense “get out the vote” drives to ensure as many of their constituents as possible get to the polls on November 8th. At the same time, a DDoS attack inconveniencing voters may be all that is needed to cause them to stay home.
If you run an online voting platform or website that helps locate a polling station or carpools to get people to the polls, we will provide a free Incapsula account through the elections to keep your website safe. Please fill out the Contact Us form. This offer is valid till November 8, 2016.
Try Imperva for Free
Protect your business for 30 days on Imperva.