Last week, you completed and submitted Part 1 of your

Supporting Business Continuity Through IT

Yaina Delgado

Master of Business Administration, Walden University

WMBA 6030: Managing Business Information Systems

Professor Thomas F. Brantle

February 11th, 2024

1

Part 1:Identify and Evaluate Cybersecurity Risks

2

Introduction to PopVote and Cybersecurity

PopVote Overview:

Online platform for gathering public opinions, run by the Public Opinion Programme (POP) at the University of Hong Kong.

Significant tool for civic engagement, allowing citizens to participate in electronic voting on various issues.

Significance of PopVote

A pioneering initiative facilitating civil referendums and online voting.

Aims to enhance democratic participation and promote inclusivity in decision-making processes.

PopVote, is an innovative initiative brought to life by the Public Opinion Programme at the University of Hong Kong. Beyond being a mere platform, PopVote is a trailblazer, redefining civic engagement through electronic voting. It's not just about casting votes; it's about fostering a sense of empowerment among citizens, breaking down geographical barriers for democratic participation.

3

Cont..

DDoS Attacks on PopVote:

Experienced serious Distributed Denial of Service (DDoS) attacks during critical events.

DDoS attacks aimed at disrupting the electronic voting system and compromising data integrity.

Cybersecurity Risks: Infiltration of DDoS attacks poses a significant cybersecurity risk.

Potential compromise of voter data and system integrity.

.

Now, let's delve into the challenges. Despite its noble mission, PopVote faced a formidable adversary – Distributed Denial of Service (DDoS) attacks. These attacks, occurring during critical events, were not just technical glitches; they posed a significant threat to the integrity of the electronic voting system, raising red flags about data security and system reliability. Join us as we navigate through the intricacies of these cybersecurity challenges, exploring the risks of infiltration, potential data compromise, and the financial implications associated with mitigating these cyber threats

Risk Mitigation Before New Year Vote (2014)

Engagement with IT Advisory Group: POP established the IT Advisory Group, comprising volunteers with expertise, to enhance the design and security of the electronic voting system.

System Rewrite Using Python: Recognizing the need for a more scalable and secure system, POP undertook the rewriting of the PopVote system using Python, a language known for its efficiency and functionality.

Implementation of Secure Hashing: To address security concerns, POP adopted more robust hashing techniques, including the addition of random salts before hashing, increasing the difficulty of unauthorized access.

Transition to Cloud Server (AWS): To handle increased network traffic and potential DDoS attacks, the system was moved to a cloud server (AWS) with integrated firewall capabilities.

Modular Design Approach: POP implemented a modular design, breaking down the system into subsystems with distinct functionalities, enhancing manageability and minimizing the impact of attacks on the entire system (Advices on the Security Concerns of the PopVote System | HKCERT, n.d.).

As we geared up for the New Year vote in 2014, POP adopted a multi-faceted approach to risk mitigation, collaborating with the IT Advisory Group, leveraging advanced technologies, and implementing strategic design changes.

Engaging with the IT Advisory Group proved instrumental. Comprising dedicated volunteers with IT expertise, the group played a pivotal role in enhancing the design and security of our electronic voting system. Their insights and recommendations provided valuable perspectives on potential vulnerabilities and risk mitigation strategies.

Recognizing the need for a more robust system, we decided to rewrite the PopVote system using Python. This lightweight and efficient language not only addressed performance concerns but also provided a more secure foundation for handling web requests.

Security enhancements were further amplified by the implementation of more robust hashing techniques. Adding random salts before hashing, coupled with iterative hashing processes, significantly increased the system's resistance to potential breaches.

In response to the escalating risk of DDoS attacks, we made a strategic move to transition our system to a cloud server, specifically AWS. This not only accelerated data handling but also introduced an integrated firewall to counteract potential attacks.

A modular design approach was adopted to ensure the system's resilience. Breaking down the system into subsystems with distinct functionalities not only improved manageability but also minimized the impact of potential attacks on the entire system.

These pre-event preparations showcase our dedication to mitigating risks comprehensively, ensuring the integrity and reliability of the electronic voting system during the critical New Year vote in 2014.

5

Ranking Vulnerabilities

DDoS Vulnerability: Ranked highest due to the frequency and severity of DDoS attacks. Potential to disrupt voting processes, leading to loss of voter confidence and compromised election outcomes.

Weaknesses in System Architecture: Vulnerabilities stemming from outdated or poorly designed system architecture. Increases susceptibility to cyber threats, hindering system performance and data security.

Insufficient Security Measures: Lack of robust security protocols and measures to counter cyber attacks. Leaves the system vulnerable to exploitation, jeopardizing voter data integrity and system availability.

Inadequate Disaster Recovery Plan: Limited preparedness for recovering from cyber attacks or system failures. Puts business continuity at risk, potentially resulting in prolonged downtime and loss of critical data (Olson, 2014).

Let's delve into the heart of our cybersecurity concerns by examining the ranked vulnerabilities within the PopVote system. At the top of our list is the DDoS vulnerability, which rightfully claims the spotlight due to its disruptive potential. With frequent and severe DDoS attacks, the system faces a grave threat, risking not only operational disruptions but also undermining voter confidence and the integrity of election outcomes.

Following closely are weaknesses in the system architecture, highlighting vulnerabilities arising from outdated or poorly designed infrastructure. These architectural flaws serve as breeding grounds for cyber threats, compromising system performance and data security. Moreover, the inadequacy of security measures further exacerbates our vulnerabilities, leaving the system susceptible to exploitation and compromising voter data integrity.

Lastly, our concerns extend to the adequacy of our disaster recovery plan. A lack of preparedness in this aspect poses significant risks to business continuity, potentially leading to prolonged downtime and loss of critical data. As we navigate through these vulnerabilities, it's imperative to prioritize our efforts based on their potential consequences and impacts on business continuity

6

Risk Mitigation Before New Year Vote

Real-time System Monitoring: Developed a platform for real-time system monitoring, empowering staff to respond swiftly to unusual network traffic.

Integration with Security Service Providers: Enhanced security by integrating the system with security service providers' equipment for improved monitoring and real-time threat blocking.

Verification Process Enhancement: Improved off-site voting verification process, maintaining mobile messaging verification with closer cooperation with SMS service providers (Nicholson, 2023).

Firstly, we implemented real-time system monitoring, providing our staff with a tool to respond promptly to any abnormal network activities. This proactive approach ensured a swift response to potential threats, contributing to an overall resilient system.

Additionally, we bolstered our security infrastructure by integrating with security service providers. This collaboration not only improved our monitoring capabilities but also enabled real-time blocking of potential threats, adding an extra layer of defense against cyber-attacks.

Our continuous efforts to refine the off-site voting verification process included maintaining the mobile messaging verification method. We worked closely with SMS service providers to ensure a secure and efficient verification process for off-site voters.

These measures collectively showcase our dedication to a secure and reliable electronic voting system during the New Year vote in 2014

7

Evaluation of Risk Mitigation Plan

Strengths:

Modular Design: Implementation of modular designs with over 40 servers enhanced system flexibility and minimized the impact of attacks on individual subsystems.

Cloud Server Integration: Migration to AWS cloud servers facilitated faster data handling and offered integrated DDoS protection through firewalls (PopVote: Assessing the Risk of DDOS (C) ^ ST32C, n.d.).

Weaknesses:

SMS Verification Delay: Users faced delays during SMS verification, impacting the overall voting experience.

Limited Overseas Participation: Restriction to HK local networks limited overseas citizen participation (Nicholson, 2023).

The risk mitigation plan implemented before the New Year vote in 2014 exhibited both strengths and weaknesses.

On the positive side, the adoption of modular designs, distributed across more than 40 servers, fortified the system's ability to manage usage allocation. This modular approach ensured that an attack on one subsystem wouldn't cripple the entire system, enhancing overall system resilience.

Furthermore, the integration with AWS cloud servers brought multiple advantages. It not only facilitated faster data handling but also provided integrated DDoS protection through firewalls, adding an extra layer of defense against cyber threats.

However, challenges persisted. Users encountered delays during SMS verification, affecting the overall voting experience. Additionally, the limitation to HK local networks restricted overseas citizen participation, posing a challenge to the system's inclusivity.

8

Conclusions

Enhanced Cooperation: Establishment of the IT Advisory Group for future improvements and redesign.

Preparation for Paper Ballots: Acknowledgment of the importance of paper ballots for emergency use and public confidence.

The experiences and challenges encountered during the New Year vote in 2014 paved the way for valuable lessons and considerations for the future.

Post-event reflections led to the establishment of the IT Advisory Group, a dedicated team of volunteers tasked with enhancing cooperation and contributing to the continuous improvement and redesign of the PopVote system.

Additionally, recognizing the need for preparedness, the decision was made to prepare paper ballots in advance for emergency use. This precautionary measure not only ensures business continuity during disruptions but also caters to citizens unfamiliar or skeptical about e-voting.

These lessons and proactive measures reinforce our commitment to a secure, resilient, and inclusive electronic voting system

9

Part 2: Risk Control Strategies for Business Continuity and Disaster Recovery

[Template Notes: A script is not needed for this page. Be sure to delete this information in brackets.]

10

References

Advices on the security concerns of the PopVote System | HKCERT. (n.d.). https://www.hkcert.org/blog/advices-on-the-security-concerns-of-the-popvote-system

Kaun, A., & Treré, E. (2018). Repression, resistance and lifestyle: charting (dis)connection and activism in times of accelerated capitalism. Social Movement Studies, 19(5–6), 697–715. https://doi.org/10.1080/14742837.2018.1555752

Nicholson, P. (2023, November 2). Five most famous DDOS attacks and then some. A10 Networks. https://www.a10networks.com/blog/5-most-famous-ddos-attacks/

Olson, P. (2014, November 20). The largest cyber attack in history has been hitting Hong Kong sites. Forbes. https://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/?sh=2de3392638f6

PopVote: Assessing the Risk of DDOS (C) ^ ST32C. (n.d.). HBR Store. https://store.hbr.org/product/popvote-assessing-the-risk-of-ddos-c/ST32C

11

image1.jpeg

image2.png

image5.jpeg

HBP Product ID: ST32A

UST032/A/1608

KAI LUNG HUI MINYI HUANG PING FAN KE ANTHONY LAI

PopVote: Assessing the Risks of DDoS (A)

Before the 2012 cyber-attack, we thought the system should be OK, but the attackers were so strong. We didn’t expect that type of attack. It was fear. What if stronger attackers came? We did not have enough knowledge and resources to fight the cyber-war.

Robert Chung, director of Public Opinion Programme1

PopVote, launched in 2012, immediately became the target of a serious distributed denial of service (DDoS) attack [see EXHIBIT 1 for background on DDoS]. PopVote was the electronic voting system used by the Public Opinion Programme (POP) at the University of Hong Kong. Jazz Ma, the IT manager of POP and architect of PopVote, had expected some form of cyber-attack on the e-voting system and had prepared accordingly. The scale of the DDoS attack, however, was completely unexpected. The university’s Information Technology Services department (HKU ITS), which oversaw the IT infrastructure and support services of POP, immediately suspended the Internet connection to PopVote to protect the integrity of the university’s Internet infrastructure. This had a significant impact on POP’s other operations. Internet services to POP, including basic e-mail and the Computer Assisted Telephone Interview System (CATIS), resumed only two days later.

Clearly POP would have to better protect itself against cyber-attacks if it was to use the PopVote system in the future. After spending six months to systematically improve the system, POP successfully used an updated PopVote for a small-scale voting event on 1 January 2014. But the real test would come in June 2014, when PopVote was to be used to conduct an electronic vote sponsored and organized by the protest group Occupy Central, which had received significant public attention.2 Occupy Central and the vote were

1 Robert Chung, interview by Hui Kai Lung, Jeroen van den Berg, Ke Ping Fan, and Huang Minyi, Hong Kong, 23 September 2014.

2 “Hong Kong votes in unofficial democracy referendum,” BBC News, 20 June 2014, http://www.bbc.com/news/world-asia- china-27936340, accessed 8 September 2014.

Dr Minyi Huang, Ping-fan Ke and Anthony Lai prepared this case under the supervision of Professor Kai-lung Hui solely as a basis for class discussion. The authors may have disguised certain data to protect confidentiality. Cases are written in the past tense; this is not meant to imply that all practices, organizations, people, places or facts mentioned in the case no longer occur, exist, or apply. Cases are not intended to serve as endorsements, sources of primary data, or illustration of effective or ineffective handling of a business situation.

Inquiry on ordering and permission to reproduce the case and its materials, write to [email protected] or visit cbcs.ust.hk

© 2015 by The Hong Kong University of Science and Technology. This publication shall not be digitized, photocopied or otherwise reproduced, posted, or transmitted without the permission of the Hong Kong University of Science and Technology.

Last edited: 16 August 2016

This document is authorized for use only by Yaina Delgado in Managing Business Info Syst-Spring 2024 at Walden University (Canvas), 2024.

HKUST Business School Thompson Center for Business Case Studies

politically controversial.3 Robert Chung, director of POP, and Jazz expected massive cyber-attacks. They had to assess all possible security threats and consider possible solutions to ensure the vote could be conducted successfully.

Public Opinion Programme of the University of Hong Kong

Robert Chung established POP in 1991 as part of the Social Sciences Research Centre, the Faculty of Social Sciences of the University of Hong Kong.

POP used telephone, street intercept, and online surveys to collect and study public opinion on topics of interest to academics, journalists, policymakers, and the general public. It published poll results and research reports, such as quarterly reports on the popularity of the top-ten political groups in Hong Kong. Twenty full-time staff people worked for POP in 2014, including seven in senior positions [see EXHIBIT 2 for POP’s organizational chart]. Normally, they handled about 8 to 10 projects at the same time.

IT Department

Jazz was the IT manager of POP. He obtained his first degree in electronic engineering and computer science from the Chinese University of Hong Kong and his master’s degree in electronic commerce and Internet computing from the University of Hong Kong. Before joining POP, Jazz had worked for the Hong Kong Federation of Youth Groups as a systems analyst for three years.

When Jazz joined POP in 2012, he had two full-time IT subordinates. His first task was to help improve the CATIS. POP used telephone surveys as its key survey tool. Telephone interviews were normally done by part-timers in the evening after all the IT staff had left the office. With an average of 50 pollsters using the phones on a typical evening, a system failure could cause significant damage.

By 2014, the POP’s IT department had grown from three to four full-time staff, which included a system analyst, a programmer, a web developer, and Jazz. In addition to CATIS, the department was responsible for PopVote, the main POP website, and an online public opinion platform (POPCON).

We are a public opinion research institution emphasizing data accuracy, not an IT company. Most of the data held in the system are not confidential, and some survey results and sample data are available on our website. We are not too concerned with data breach, unless the data are related to personal privacy. Anyway, a system can’t be 100% secure.

Jazz Ma, IT manager of POP4

HKU had provided the network infrastructure for POP’s IT systems, until PopVote suffered from the cyber-attack in 2012. Since the network resources required to withstand the attacks were enormous, the PopVote platform was outsourced to Amazon Web Services (AWS), while other internal systems remained within the HKU ITS network.

3 M. Yan, “June 22 poll is a political fraud by ‘Occupy’ heads,” China Daily, 6 June 2014, http://www.chinadailyasia.com/opinion/2014-06/06/content_15138863.html, accessed on 8 September 2014.

4 Jazz Ma, interview by Hui Kai Lung, Jeroen van den Berg, Ke Ping Fan, and Huang Minyi, Hong Kong, 23 September 2014.

ST32A UST032/A/1608 PopVote: Assessing the Risks of DDoS (A)

2

This document is authorized for use only by Yaina Delgado in Managing Business Info Syst-Spring 2024 at Walden University (Canvas), 2024.

HKUST Business School Thompson Center for Business Case Studies

PopVote

The version of PopVote used for the voting on 23 March 2012 was developed by Jazz with the help of two full-time developers and one part-time developer in less than three months. When designing the system, they wanted to ensure that the system was available during the event period, would prevent duplicate votes, and would verify the voter’s identity5 [see EXHIBIT 3 for PopVote system design].

23 March 2012 Vote6

Voting Arrangements

On 8 February 2012, HKU POP held a press conference to announce its first e-voting event to be held on 23 March 2012. To promote the event, it built a PopVote website and started a promotion campaign using a Facebook page, video clips, posters, flyers, and banners.

The targeted voters were Hong Kong permanent residents7 aged 18 and older. To familiarize the public with PopVote and online voting in general, POP conducted two phases of public testing, from 16 to 20 March and on 21 March, respectively. The first phase was a performance test to check the system’s stability and responsiveness by allowing those people who were interested in testing to enter the system and vote once per hour. The second phase was a functional test conducted by staff to ensure the different functionalities of the system worked as required.

Voters could choose between off-site and on-site e-voting. If voting off-site, participants could vote through the PopVote website or mobile applications8 between 00:00 and 20:00 on 23 March. They had to follow the instructions on the screen by entering their HKID9 and mobile numbers and declaring their eligibility to vote by ticking a box on the screen. After submitting this information, they would see a telephone number displayed on the screen. They were given three minutes to send a blank SMS to the given telephone number for verification. If successful, they could enter the voting interface to cast their votes.

To vote on-site, voters had to visit a designated polling station between 09:00 and 21:00 on 23 March. Station staff used voters’ HKID cards to verify their identities and entered their HKID card information into the system. Voters could then proceed to voting booths where they could vote electronically. The e-voting system in polling stations was installed with a log-on mechanism, which allowed only station staff to log on to the e-voting system right before the polling stations started running, using an ID and password provided by POP.

To avoid double-voting, the online system displayed the message “duplicated vote” if a voter’s HKID card number or mobile number had already been registered and used for voting, no matter whether the previous vote was done off-site or in a polling station. If a voter cast his or her first vote off-site, the system

5 Jazz Ma, Winnie Lee and Robert Chung, “PopVote: A Revolution in Gathering Opinions in Hong Kong,” World Association for Public Opinion Research (WAPOR) 66th Annual Conference, Boston, May 14-16, 2013.

6 This voting event was named by the event organizers “3.23 Civil Referendum.” 7 HK permanent residents refers to those who were born in Hong Kong or continuously live in Hong Kong for no less than

seven years, no matter whether they have Chinese nationality or not. 8 Mobile applications had iOS and Android versions. 9 HKID refers to Hong Kong Identity Cards. All Hong Kong residents aged 11 or over are required to register for an identity

card that contains their name, date of birth, residency status, photo, and a unique identification number.

ST32A UST032/A/1608 PopVote: Assessing the Risks of DDoS (A)

3

This document is authorized for use only by Yaina Delgado in Managing Business Info Syst-Spring 2024 at Walden University (Canvas), 2024.

HKUST Business School Thompson Center for Business Case Studies

allowed the voter to vote again in the polling station to replace the previous vote, using the same HKID card. POP believed that on-site voting was the most reliable voting method.

Several measures, such as a virtual keyboard and a Secure Sockets Layer (SSL) connection, were used to protect voters’ personal information. Data were also hashed and encrypted to prevent hackers from obtaining voters’ HKID numbers. All processed data were stored only in the system, and all personal information was destroyed after the 23 March vote.10

The system had four servers, two cloud and two physical. All of them were located on the HKU campus and protected by the security facilities of HKU ITS. HKU’s external network was equipped with a firewall and an intrusion detection and prevention system. The system used the Linux platform. Th