The Iowa Caucus: No Hacking, But a Bungled Risk MatrixIn 2020, Best to Play It Safe With Technology and Elections
(For the latest update, see: Report: Iowa Caucus App Vulnerable to Hacking)
See Also: Creating a Culture of Security
If Iowa's experiment with a new tabulation app during the Democratic caucuses is the warmup for the 2020 presidential election process, then we're in for a bumpy ride.
What happened in Iowa isn't a technology problem. It's a human problem, and one rooted in a failure to properly evaluate risk.
But what happened there isn't a technology problem. It's a human problem rooted in a failure to properly evaluate risk.
Iowa's much-anticipated caucus results were delayed after a mobile app commissioned by Iowa's Democratic Party malfunctioned. The IowaReporterApp was designed to enable precinct and party officials to more quickly report caucus results.
A variety of problems reportedly emerged. Sometimes the app couldn't be downloaded. When it was downloaded, sometimes it wouldn't start or users couldn't log in. Connectivity problems also appeared to be an issue. But so far, there doesn't appear to be any evidence of hacking or other security issues.
The app was developed by Colorado-based Shadow Inc., which describes itself as a for-profit technology consultancy.
"We sincerely regret the delay in the reporting of the results of last night's Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers," says Shadow Inc. CEO Gerard Niemira in a statement on the company's website. "The goal of the app was to ensure accuracy in a complex reporting process. We will apply the lessons learned in the future, and have already corrected the underlying technology issue."
One of the first news reports about the development of the app came from NPR, which reported on Jan. 14 that the Iowa Democratic Party planned to distribute the app to as many as 2,000 officials, who would download it on their personal smartphones.
At that time, it was unknown who developed the app and whether it had been adequately tested or even audited for security vulnerabilities. NPR reported that the Democratic Party didn't want to reveal more information for fear of helping hackers.
The "security by obscurity" approach is exactly the wrong one and rarely results in better security outcomes. And any application that has a role in election infrastructure should be open for inspection and audit by a wide community.
The message from computer security experts has been clear: Using the internet as a part of any sort of voting system is inherently dangerous.
Perhaps the most unfortunate aspect of Iowa's mess is that it's fresh fuel for the conspiracy theorists, whose outsized voices on social media sow intentional confusion. It's a crowd that looks for mistakes such as this one to cause doubt in democratic processes.
And that could discourage people from voting, tweets Matt Blaze, a professor of computer science and law at Georgetown University.
Again: the big risk of what happened in Iowa is not that the final outcome will be wrong; that's very unlikely given the paper records at precincts. The big risk is that it will appear— matt blaze (@mattblaze) February 4, 2020
"rigged" and discourage people from voting. How it's handled and reported now is critical. 1/
Shadow Inc. couldn't have chosen a worst name for itself, either.
Was Deep State LLC not available?— Soccer Thoughts (@_SoccerThoughts) February 4, 2020
Stakes Are High
But what's most concerning about the Iowa situation is that, despite heightened awareness around election security and interference over the last four years, leaders aren't making the right decisions about risk.
The first caucus of the 2020 election season isn't the time to hastily deploy a new app to deliver results. The stakes are too high to deploy something faulty. It's almost if Iowa's Democratic Party didn't ask itself, "What if this goes poorly?"
Luckily for Iowa, there's a tried and true fallback: paper. The caucus results were recorded on paper documents, which, once tallied, will provide reliable results.
The lessons of Iowa are already being acknowledged. The Nevada State Democratic Party had planned to use a similar version of the app made by Shadow Inc. for its Feb 22 caucus. On Tuesday, the party says it won't in light Iowa's problems.
NV Dems Statement on the Iowa Caucus: pic.twitter.com/Yyf6ArV4ie— NV Dems (@nvdems) February 4, 2020
That's the right decision, but one that has only been made in light of Iowa's woes. Let's hope the political parties and election officials haven't taken on other secret risks this election season.