PopVote: Assessing the Risks of DDoS (A)
Before the twenty twelve cyber-attack, we thought the system should be OK, but the attackers were so strong. We didn't expect that type of attack. It was fear. What if stronger attackers came? We did not have enough knowledge and resources to fight the cyber-war.
PopVote, launched in twenty twelve, immediately became the target of a serious distributed denial-of-service (DDoS) attack. PopVote was the electronic voting system used by the Public Opinion Programme (POP) at the University of Hong Kong (HKU). Jazz Ma, the IT manager of POP and architect of PopVote, had expected some form of cyber-attack on the e-voting system and had prepared accordingly. The scale of the DDoS attack, however, was completely unexpected. The university's Information Technology Services (ITS) department, which oversaw the IT infrastructure and support services of POP, immediately suspended the Internet connection to PopVote to protect the integrity of the university's Internet infrastructure. This had a significant impact on POP's other operations. Internet services to POP, including basic e-mail and the Computer Assisted Telephone Interview System, resumed only two days later.
Clearly POP would have to better protect itself against cyber-attacks if it was to use the PopVote system in the future. After spending six months systematically improving the system, POP successfully used an updated PopVote for a small-scale voting event on the first of January twenty fourteen. But the real test would come in June twenty fourteen, when PopVote was to be used to conduct an electronic vote sponsored and organized by the protest group Occupy Central, which had received significant public attention. Occupy Central and the vote were politically controversial. Robert Chung, director of POP, and Jazz expected massive cyber-attacks. They had to assess all possible security threats and consider possible solutions to ensure the vote could be conducted successfully.
Robert Chung established POP in nineteen ninety-one as part of the Social Sciences Research Centre, the Faculty of Social Sciences of the University of Hong Kong.
POP used telephone, street intercept, and online surveys to collect and study public opinion on topics of interest to academics, journalists, policymakers, and the general public. It published poll results and research reports, such as quarterly reports on the popularity of the top-ten political groups in Hong Kong. Twenty full-time staff members worked for POP in twenty fourteen, including seven in senior positions. Normally, they handled about eight to ten projects at the same time.
Jazz was the IT manager of POP. He obtained his first degree in electronic engineering and computer science from the Chinese University of Hong Kong and his master's degree in electronic commerce and Internet computing from the University of Hong Kong. Before joining POP, Jazz had worked for the Hong Kong Federation of Youth Groups as a systems analyst for three years.
When Jazz joined POP in twenty twelve, he had two full-time IT subordinates. His first task was to help improve the Computer Assisted Telephone Interview System. POP used telephone surveys as its key survey tool. Telephone interviews were normally done by part-timers in the evening after all the IT staff had left the office. With an average of fifty pollsters using the phones on a typical evening, a system failure could cause significant damage.
By twenty fourteen, POP's IT department had grown from three to four full-time staff: a system analyst, a programmer, a web developer, and Jazz. In addition to the Computer Assisted Telephone Interview System, the department was responsible for PopVote, the main POP website, and an online public opinion platform.
We are a public opinion research institution emphasizing data accuracy, not an IT company. Most of the data held in the system are not confidential, and some survey results and sample data are available on our website. We are not too concerned with data breaches, unless the data are related to personal privacy. Anyway, a system can't be one hundred percent secure.
HKU had provided the network infrastructure for POP's IT systems until PopVote suffered the cyber-attack in twenty twelve. Since the network resources required to withstand the attacks were enormous, the PopVote platform was outsourced to Amazon Web Services, while other internal systems remained within the HKU ITS network.
PopVote
The version of PopVote used for the voting on twenty-three March twenty twelve was developed by Jazz with the help of two full-time developers and one part-time developer in less than three months. When designing the system, they wanted to ensure that the system was available during the event period, would prevent duplicate votes, and would verify the voter's identity.