The Expert's View with Jeremy Kirk

The Iowa Caucus: No Hacking, But a Bungled Risk Matrix

In 2020, Best to Play It Safe With Technology and Elections
Photo: Phil Roeder via Flickr/CC

(For the latest update, see: Report: Iowa Caucus App Vulnerable to Hacking)

If Iowa's experiment with a new tabulation app during the Democratic caucuses is the warmup for the 2020 presidential election process, then we're in for a bumpy ride.

But what happened there isn't a technology problem. It's a human problem rooted in a failure to properly evaluate risk.

Iowa's much-anticipated caucus results were delayed after a mobile app commissioned by Iowa's Democratic Party malfunctioned. The IowaReporterApp was designed to enable precinct and party officials to more quickly report caucus results.

A variety of problems reportedly emerged. Sometimes the app couldn't be downloaded. When it was downloaded, sometimes it wouldn't start or users couldn't log in. Connectivity problems also appeared to be an issue. But so far, there doesn't appear to be any evidence of hacking or other security issues.

The app was developed by Colorado-based Shadow Inc., which describes itself as a for-profit technology consultancy.

"We sincerely regret the delay in the reporting of the results of last night's Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers," says Shadow Inc. CEO Gerard Niemira in a statement on the company's website. "The goal of the app was to ensure accuracy in a complex reporting process. We will apply the lessons learned in the future, and have already corrected the underlying technology issue."

Fuelling Misinformation

One of the first news reports about the development of the app came from NPR, which reported on Jan. 14 that the Iowa Democratic Party planned to distribute the app to as many as 2,000 officials, who would download it on their personal smartphones.

At that time, it was unknown who developed the app and whether it had been adequately tested or even audited for security vulnerabilities. NPR reported that the Democratic Party didn't want to reveal more information for fear of helping hackers.

The "security by obscurity" approach is exactly the wrong one and rarely results in better security outcomes. And any application that has a role in election infrastructure should be open for inspection and audit by a wide community.

The message from computer security experts has been clear: Using the internet as a part of any sort of voting system is inherently dangerous.

Perhaps the most unfortunate aspect of Iowa's mess is that it's fresh fuel for the conspiracy theorists, whose outsized voices on social media sow intentional confusion. It's a crowd that looks for mistakes such as this one to cause doubt in democratic processes.

And that could discourage people from voting, tweets Matt Blaze, a professor of computer science and law at Georgetown University.

Shadow Inc. couldn't have chosen a worse name for itself, either.

Stakes Are High

But what's most concerning about the Iowa situation is that, despite heightened awareness around election security and interference over the last four years, leaders aren't making the right decisions about risk.

The first caucus of the 2020 election season isn't the time to hastily deploy a new app to deliver results. The stakes are too high to deploy something faulty. It's almost as if Iowa's Democratic Party didn't ask itself, "What if this goes poorly?"

Luckily for Iowa, there's a tried and true fallback: paper. The caucus results were recorded on paper documents, which, once tallied, will provide reliable results.

The lessons of Iowa are already being acknowledged. The Nevada State Democratic Party had planned to use a similar version of the app made by Shadow Inc. for its Feb. 22 caucus. On Tuesday, the party says it won't in light of Iowa's problems.

That's the right decision, but one that has only been made in light of Iowa's woes. Let's hope the political parties and election officials haven't taken on other secret risks this election season.



About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



