The lowly DDoS attack is still a viable threat for undermining elections


Scenes like what happened to Florida’s voter registration site on Oct. 6 have played out over and over again: A system goes down, and questions fly.

Was there a cyberattack, specifically a distributed denial-of-service (DDoS) attack meant to overwhelm a website with traffic, knocking it offline? Could too many legitimate visitors, rushing to the site to beat the voter registration deadline, have surged past what the system could handle? Or, was it something weirder, as in this case, like pop singer Ariana Grande urging fans on Twitter to register to vote?

Florida’s chief information officer eventually blamed misconfigured computer servers.

The incident, though, was one of several over the course of the past month that exposed ongoing anxieties about how cyberattacks, accidental outages and other technical failures could upend a polling place, or even an election.

Few, if any, election security experts would rank the relatively antiquated technique of DDoS attacks as one of the top couple of threats, particularly compared to ransomware or disinformation. Still, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Sept. 30 issued a warning about DDoS election threats. And Google, in an Oct. 16 report, said it was watching government-backed hacking groups build their abilities to conduct large-scale DDoS attacks in recent years.

“It’s definitely still a tool leveraged by some of the adversaries we’re most worried about,” like Russia, said John Hultquist, senior director of threat analysis at FireEye’s Mandiant Threat Intelligence. “It’s definitely a tool that’s within the toolkit of a number of suspects of interfering with our elections.”

Often the answer to whether a DDoS attack brought a site down is, “no,” as the Florida incident showed. A suspected 2018 DDoS attack in Knox County, Tennessee during its mayoral primary likewise turned out to be a red herring, NBC News reported.

Technical outages have afflicted numerous states beyond Florida this year, though, including Illinois, Pennsylvania and Virginia. Such delays, whatever the cause, stand to hamper voter turnout, even if they don’t affect the integrity of the vote itself.

“What you don’t want to happen is for somebody to do a DDoS attack or hacking attack where they prevent people from getting basic information about where they can vote, or voting hours,” said John Graham-Cumming, chief technology officer for Cloudflare.

So far, Cloudflare hasn’t seen signs of a major DDoS attack, nor any other kind of attack tied to the 2020 election for that matter, said Graham-Cumming, whose company provides defenses against DDoS attacks and other election threats to 260 state and local websites across 30 states.

In recent years, though, Mexico, the Netherlands and the U.K. have endured DDoS attacks on election- and political campaign-related websites, from political parties to voter information sites. An alleged DDoS attack roiled a South Korean mayoral election in 2011.

In the U.S., security researchers said DDoS attacks struck the websites of both presidential candidates four years ago.

“Election officials across the country have been working to harden their systems against these types of attacks and others since 2016,” said Elizabeth Howard, senior counsel for the Democracy Program at New York University’s Brennan Center for Justice. “While some states are better prepared than others, because election security is a race without a finish line, this work is ongoing across the nation.”

Beyond voter information portals and registration sites, prime DDoS targets include election night results websites and communications between boards of elections and polling locations. DDoS attacks against them might be primarily aimed at voters’ imaginations.

“The days just before and after Election Day are a likely time for our adversaries to launch efforts intended to undermine confidence in the integrity of the electoral process,” said Matt Masterson, a senior adviser at CISA, referring to a category of tools that includes DDoS attacks.

Electronic poll books could be disabled to delay voters’ ability to hand in their ballots, said Dan Wallach, a computer science professor at Rice University. That’s less of a threat this year, however, given the massive early voting numbers. A delay of a few hours at one polling location might not mean as big of a disruption when many voters aren’t waiting until Election Day.

Finding out who’s behind a DDoS attack is harder than for some other attack methods, Hultquist said, because such attacks often rely on a dispersed army of zombie computers. The attackers are often layers removed from their victims, said Carlos Morales, vice president and general manager of Arbor Cloud, a Netscout DDoS mitigation service. DDoS attacks are also comparatively rudimentary.

“It’s a fairly cheap if clumsy attack. A DDoS attack, for a sophisticated actor, it’s a relatively easy thing to deploy,” said David Becker, executive director of the nonprofit Center for Election Innovation & Research. “It can be a relatively low-risk, high-reward way to diminish voter confidence.”

But “if it were that easy we’d be seeing a lot more of it,” said Will Adler, senior technologist in elections and democracy at the Center for Democracy and Technology, which offered a DDoS field guide in 2018. And Kunal Anand, chief technology officer of Imperva, said that DDoS attacks can still require the attackers to harvest significant information about their target.

Florida’s voter registration incident spurred some experts to wonder how prepared election officials are for the massively larger amount of traffic a nation-state’s DDoS attack would bring, but many said election administrators have come a long way.

Howard and others cited Ohio as one of the states with the most advanced preparations for DDoS attacks.

“Under Secretary LaRose’s leadership Ohio has taken extensive steps to become a national leader in election security,” said Maggie Sheehan, a spokesperson for Ohio Secretary of State Frank LaRose. “Included among those steps are our mandates for DDoS protection for both our office and the county boards of elections.”

Said Masterson: “While election officials have taken numerous steps to increase the security of these sites, they also understand that these systems aren’t perfect, sometimes things break or could be targeted by bad actors.

“But it’s important to remember the election experience is designed to ensure that technology isn’t a single point of failure and there are measures in place to ensure you can vote and your vote is counted correctly,” he said.