So, all of the problems we just talked about are things that can go wrong on the voter's PC. They're client side threats. There's some equally worrisome problems that can happen on the server. The, the web server that the voting officials maintain in order to provide that web site and to accept the ballots that voters submit. Now the sad state of internet security is that both client side and server side threats are extremely widespread problems in other kinds of online applications. And, and, and both very hard to defend against. But I want to talk about some of the most important server side threats for voting today. So one threat and one of the easiest kinds of attacks to carry out is something called the denial-of-service attack. A denial-of-service attack just tries to knock the server offline, so that real users can't get to it. Or to make it so slow that real users go away. Remember those botnets we talked about at the end of the last segment? Well botnets can be used to commit a massive form of denial-of-service called the distributed denial-of-service or DDoS attack. This is where potentially thousands of infected computers on the internet just try to access the server at the same time, overwhelming it with traffic. These servers might try to reload that webpage as many times as they can, all the time, as long as the denial of service attack is going on. This kind of attack has become a popular form of hacktivism. And there tools like this. Something called the Low Orbit Ion Cannon. That are available to people to voluntarily take part in a denial-of-service attack, and use their home computer as part of a, a massive mob of machines attacking a particular site that has invoked the ire of the protesters. This kind of tool was used recently to attack websites of major credit card operations after those credit card operators stop doing business with the website Wikileaks. We've also seen examples of denial of service against elections online. One example from 2012 involved a party election in Canada. Where the National Democratic Party held an election that was partly interrupted by denial of service. Another kind of threat against the server side, is the threat of insider attacks. An insider attack is attacks by trusted people. Are as much or more of a threat in Internet voting as they are in other electronic voting systems like DRE voting. So, if the insiders include people who develop the, the Internet voting system. People who are running the systems for the elections. The election authority people who make other pieces of software, commercial off-the-shelf software for instance that's running on those machines. Insider attacks are particularly severe, particularly severe possibility with online voting because its not simply enough to set the system for election and, and then go away. Any online service has to be able to respond to attacks as they happen and so people have to be logging into these servers to monitor them, potentially to update things if new kinds of problem are discovered. All the time, there are new software glitches, vulnerabilities discovered in different kinds of server software. And so we have to update that software as soon as possible in order to prevent the attack from happening. With a, an online voting system we're faced with two possibilities. If an attack is discovered shortly before the election, we can either update the software and install new software that potentially hasn't been tested, hasn't been vetted for, kinds of flaws or, or, or, insider attacks embedded in it. Or we can, we can wait and not update the software, but then, we're running an election on something that's already known to be vulnerable. So we're, we're face with the we're face with an extremely difficult, perhaps impossible choice there. Since an online voting system has to count votes in secret like any other kind of voting system. This just further complicates defenses against insider attacks, since we can't be constantly monitoring the results as things are going on. From the voter's perspective with the simple online voting system of the, the model that, that we described at the earlier in this lecture there's just voters have to take the, the word of election authorities and the people who develop the server software that their votes are actually being counted. Another kind of threat is remote intrusion, and this is the sort of thing that is enabled by bugs, glitches, vulnerabilities as we called them in online server software. If there certain kinds of flaws in the software that's, that's serving the website then remote parties can get in. Attackers can access the servers. Potentially run software on them. Potentially change data on them. Steal data etcetera. In the context of voting this is really, really scary since the server is maintaining what is usually the only copy of the votes. Now, a particularly dangerous kind of server side intrusion is the result of something we call an advanced persistent threat, or APT. And what an advanced persistent threat is, is this is an attacker who is who is specifically targeting a particular a particular server or host. Now, to explain the distinction many attacks online are, are just the result of criminals looking for any vulnerable systems that they can find. They don't care if it's a server at, at a business or a machine in someone's home. They just want to infect a machine in order to enlist yet another member of their bot net army. An advanced persistent threat involves an attacker who's expending all of its resources to attack you. Now this kind of attack, if the attacker is well resourced can be extremely difficult to defend against. some evidence from recent years for this is that Google, the Pentagon, even the RSA, security company that makes those secure authentication tokens that you probably use at work. All of these have been compromised by advanced persistent threats and had valuable data stolen. So if companies like this, and organizations like the Pentagon, that have incredible security resources, and so much at stake, can't defend against advanced persistent threats, then what are the odds that an election authority can? I don't think they're very good. Some advanced persistent threats in recent years have are believed to have originated from foreign governments. And state sponsored attacks, are probably the scariest threat against internet voting systems. To give you one example. This is probably the best known state- sponsored attack. A piece of malware, that researchers discovered and named Stuxnet. Was found spreading around on the internet. But when researchers looked at it, they found that it was vastly more complex than almost any other piece of malware they had discovered to date. Furthermore, when they tried to figure out where in the world computers were infected, plotted it on a map like this, they found that the, the majority of the infections were located in computers in Iran. We later learned from, from leaks from the White House that Stuxnet was developed as a partnership between intelligence services in the U.S. And in Israel. And its purpose was to target and sabotage the Iranian nuclear program. This is one of the, the best documented instances we have to date of state-sponsored malware being used essentially for cyber warfare purposes. But you can imagine if the resources of the state could be directed to, to interfere with a national program like Iran's nuclear program then a covert operation sponsored by, by foreign governments to interfere with an election to change votes and influence national policies is well within the realm of possibility. And we just don't know how to defend against well-resourced advanced persistent threats in state sponsored attacks like this. The state of computer security is not developed to the point where we can reliably defend against them. So with all these threats, the, I, I think we need to put them in context a little bit, and, and look at a couple of comparisons. The first comparison I want to discuss is between internet voting and postal voting. How do the, the threat scenarios differ? If we vote by mail, is internet voting really that much more dangerous? Well, both of them suffer from some of the same problems. The same risks of coercion or vote buying that they create, because they provide such weak ballot secrecy protections. But internet voting has some aspects where it's, it's much more dangerous. Because attackers could target the centralized server that's collecting all of the votes. That's one point that they could get into. And, and change everything in the election. With the postal system possibly a large conspiracy within the postal office could open ballots and change votes. But this would be much more difficult to do without getting caught. Another distinction has to do with denial of service. With an internet voting system, it would be relatively easy to attack the servers and knock them offline for the period of voting. With the post office, and postal voting, it's very, very hard to make all of the ballot papers not be delivered without anybody noticing. Another distinction that I want to draw is between internet voting and online banking. Something I hear all the time is, I can bank online, why can't I vote online, this is the twenty-first century. Well, it turns out that voting and, and e-commerce are radically different problems, and in many ways, voting is a much more difficult security problem to solve. And that comes from that tension I, I talked about in the beginning, between integrity and the secret ballot. So with online banking we have a lot of protections involved that involve disclosing what it was you bought or how much money you spent or earned. These are things like receipts that might be sent to you saying what you bought. Credit card statement at the end of the month. A, a, a bank statement showing how much money is in your account. In addition to this on and back at the bank they're doing double ledger accounting with carefully controlled audits. They're keeping track of every dollar at all times. So, with voting. These protections just can't be implemented, because the election authorities aren't allowed to just have a list of every person and how they voted. We can't give you a receipt because that would just make vote a vote selling and vote buying that much easier. We can't we can't have the election authorities monitoring every transaction on the, the granularity of the, the votes on the ballot. Because that could be tied to the identity. So those kinds of protections just can't be implemented in voting because of the secret ballot. Another difference is, with online banking if there's fraud then odds are extremely good that you are going to notice. If someone's stolen your money, at, at, at some point, you'll go to buy something and there wont be any money left in your account. If the transaction won't go through. With internet voting, if someone has shifted votes from one column to another, we may never notice. So, for all of these reasons Internet voting is, is a much harder problem than online banking. But, guess what? Banks suffer many, many millions of dollars of fraud online every year. But, its just part of the cost of doing business to accept that these attacks take place. I don't know how much voting fraud is an acceptable, is acceptable in order to allow people to vote online. But I don't think most voters would think it was a very high amount.
