Company IDs 10,000 computers behind 'malicious' cyber-attack on NDP
A "sophisticated" Internet attack that threw the NDP's weekend leadership convention into turmoil was caused by a professional who used more than 10,000 computers worldwide to slow online voting to a crawl — a revelation that's raising questions about the vulnerability of political parties that have adopted similar voting systems.
According to Scytl Canada, the company hired by the NDP to conduct the vote, the attack was an attempt to crash or slow down the voting website by "saturating servers with bogus external communications requests" and making it difficult for legitimate users to access the site. In the world of cyber-security, it's know as a distributed denial of service attack.
"We deeply regret the inconvenience to NDP voters caused by this malicious, massive, orchestrated attempt to thwart democracy," general manager Susan Crutchlow said in a statement.
"We are proud, however, that our robust system, which is used by many governments around the world, repelled this attack, did not crash, and completed its mission of giving all NDP members who wished to vote the opportunity to do so securely."
The company maintains the attack in no way compromised the sanctity of the vote — in other words, no ballots cast by bona fide NDP members were "added, subtracted or changed."
Scytl indicated governments, banks and credit-card companies are often targeted in such attacks, which are commonly perpetrated by "political or economic opponents."
Crutchlow, however, said there's no evidence to suggest the Conservatives or Liberals are behind the attack — which is the first of its kind that the Barcelona-based multinational has reported in 17 years of conducting secure electronic voting.
The company said it has identified more than 10,000 IP addresses behind the "hundreds of thousands of false voting requests to the system."
The "network of malevolent computers," or "botnet," behind the attack involved computers around the world, although most of them were located in Canada.
Crutchlow said it "appeared to be very sophisticated." According to the company, "the required organization and the demonstrated orchestration of the attack" suggests it was "a deliberate effort to disrupt or negate the election by a knowledgeable person or group."
Scytl has launched a forensic investigation to locate the source. Once it's complete the results will be given to the NDP and it'll be up to the party to decide whether to pursue a criminal investigation.
NDP spokeswoman Sally Housser refused to speculate on who might be behind it, noting the party may never know since "the people who can perpetrate these types of things are pretty good at hiding their tracks."
Queen's University computer security expert David Skillicorn agreed.
For about $70 a day, he suggested, anybody can "rent a botnet" and have thousands of zombie computers around the world bombard a website on their behalf with relative anonymity. Finding the person who paid the individual who controls the thousands of computers is "almost impossible" and investigators are often up against "jurisdictional issues."
"I think most people would be surprised by how cheap and easy it is," he said, adding these types of attacks are becoming increasingly more common, but are relatively easy to defend against if companies and organizations are prepared for them.
He said most people have no idea when their computer has been taken over by a botnet and is engaging in cyber-mischief, but individuals can protect themselves by running anti-malware software and keeping their computers up-to-date.
Skillicorn believes both electronic and online voting systems have "huge holes" and that "nothing beats paper votes" at the end of the day.
The Liberal Party stated Tuesday that it was "not involved" in the attack against the NDP. Noting the party recently adopted a similar one-supporter-one-vote leadership system, spokeswoman Sarah Bain said officials would examine the weekend incident for "lessons to be learned."
The Liberals are poised to elect a new leader at some point between March and June 2013, but Bain said no decisions have been made yet about how supporters will vote.
"We have not necessarily said we would go to an online vote," she said, adding it could be handled strictly through mail-in ballot or at meetings in each riding. "We're looking at all the options."
The Conservative Party did not respond to requests for comment Tuesday, but Public Safety Minister Vic Toews raised the weekend incident during a Commons committee meeting.
He said parliamentarians should be concerned about the attack on democracy by online hooligans, especially as governments and groups look at moving to online voting.
The Tories rejected the idea of a hybrid system dubbed "balanced leadership" at its June convention, but the topic is certain to come up again as former Canadian Alliance members favour something closer to one-member-one-vote.
Housser said any changes to the NDP's one-member-one-vote system would be decided by the party's federal council, but that the NDP is "happy" with the status quo.
Besides, having just elected Thomas Mulcair, she added, the next leadership convention is some time off.
The slowdown during Saturday's vote prompted the NDP to extend the amount of time allotted to voting twice on the second round ballot and again on the third and fourth ballots.
It meant New Democrats didn't find out who their new leader was until around 9:30 p.m. ET.
While voter turnout was low — only about half the NDP's 131,000 members voted in advance, online or from the convention floor — officials have insisted it wasn't related to the slowdown.