Adding to the already mile-long list of reasons why the United States should never adopt a centralized online voting system, widespread internet outages on Friday serve as yet another example of how the U.S. election system benefits from keeping it old school.
High-profile security breaches targeting politicians and alarms raised by the U.S. intelligence community over the possibility of an election day disruption by a malicious foreign actor have already led some states to engage in war-game-like exercises against their own election systems. But denial-of-service attacks, like the one experienced by millions in the U.S. on Friday, is a very different animal from the threat of infiltration that keeps lawmakers up at night.
The attack primarily targeted Dyn, a company that operates Domain Name System (DNS) servers for a wide rage of valuable online companies. The attack meant that people trying to access affected URLs—like twitter.com or paypal.com, among many others—couldn’t do so.
Amazon, Twitter, and a host of other companies saw significant downtime on Friday, starting on the East Coast and spreading across the U.S., an occurrence many experts warn could become commonplace unless traditional architectures supporting the web are improved.
Long lines and laziness have been suppressing voter turnout since democracy was invented.
“This is a reminder of how effective an attack on one can be an effective attack on many,” said Steve Grobman, chief technology officer for Intel Security. “An attacker seeking to disrupt services to multiple websites may be successful simply by hitting one service provider such as this, a DNS provider, or providers of multiple other Internet infrastructure systems.”
The idea of creating a centralized online voting system to enable Americans to vote electronically has been roundly dismissed as bad by government and private industry experts alike. It is also very enticing, perhaps because at first blush it feels only natural to evolve in that direction. We file our taxes, renew our driver’s licenses, and can even buy toilet paper with a simple swipe of the finger—so why not vote?
The election would look very differently after all if one could simply whip out a cellphone and cast a ballot: Long lines and laziness have been suppressing voter turnout since democracy was invented. But, as noted by Motherboard this week, previous attempts to construct internet voting systems have not gone as well as planned. It took a group of University of Michigan students roughly 36 hours to gain full control of a voting system designed by the District of Columbia’s Board of Elections & Ethics.
However, most cybersecurity expert say that applying the KISS principle—or ”keep it simple, stupid”—is the greatest defense Americans have against the type of “rigging” frequently raised this election season. The 50 states, plus the District of Colombia, all run their own election operations; and further, most votes are first collected at the county level. This decentralized format, while it has a lot of moving parts, would be ostensibly impossible to subvert with a computer from the other side of the planet.
The vulnerabilities that do remain are likely to be found in states that no longer offer paper ballots for voting. More than half of the country uses a Direct Recording Electronic (DRE) system to record votes, which stores the results on hard drives. While most generate a printout too, in a handful of states, including Nevada, Louisiana, and South Carolina, there’s no paper trail whatsoever—nothing to compare in audit in the event concerns about tampering are raised.
The type of distributed denial-of-service (DDoS) attack experienced on Friday could still wreak havoc on election day. Most news organizations pull their results from a small collection of sites on election night, for example. “Think about the chaos you could cause if you get one TV network calling the election for one candidate, and another network calling the election for the other,” Professor Herbert Lin of Stanford University noted in a CNN report last week.
“If you intent is to sow doubt and uncertainty, at least in the short term, affecting the media reporting could be really problematic.”