Over the weekend, Canada’s New Democrats (NDP) conducted a vote for a new leader. The vote was conducted online so that registered party members could vote both in person at the NDP convention site and remotely from home computers or smartphones. Sometime during the second round of voting, the system slowed considerably, and eventually it became known that the system had likely been the target of a “denial of service” (DoS) attack aimed at clogging the system and thus preventing (or at least discouraging) voters from casting ballots. The NDP, its vendor and consultants have identified two IP addresses that appear to have been the source of the attack and are investigating now. The results of that investigation are still forthcoming, but in the meantime I wanted to focus on a discussion I saw online yesterday about whether and how NDP and its vendor should have prepared for the possibility of a DoS attack.
One point of view likened a DoS attack to bad weather on Election Day – an event that could hinder voters and which election officials know is possible, but are essentially powerless to predict or prevent. This point of view suggests that DoS events should be subject to the contractual doctrine of force majeure (aka “acts of God”) like weather or natural disasters that are often used to explain and excuse non-performance under a contract.
The other, contrary view was that while the DoS attack itself was outside the control of the NDP and its vendor, the fact that their system was susceptible to such an attack is something that should have been taken into account in advance. After all, a similar attack in the “real world” would require hundreds or thousands of voters to show up simultaneously at polling places and deliberately slow down the system – an enterprise that (unlike an online attack) would create huge numbers of co-conspirators and potential prosecution witnesses who could help uncover and punish the perpetrators.