The Iowa Caucus App and Nevada: A Cybersecurity Perspective
Many people see electronic voting machines as unreliable. Tales of the machines switching votes abound. Considering that one vote can decide an election -- and the balance of power in a legislative body -- every vote ought to be seen as vital.
Now we’ve had our own homegrown problem in the debacle of reporting the caucus results after using the Iowa caucuses app. With the 2020 Nevada Democratic Caucus taking place on Feb. 22, many are hoping not to see a repeat of Iowa.
The Iowa caucuses app was a preventable disaster
If you’ve been reading ISACA SmartBrief on Cybersecurity, you’ve been learning about just how problematic that app was. The mistakes were so egregious that the state party chair resigned and one of the states that funded the app -- Nevada, which holds probably the second-most-notable presidential caucus in the country -- decided not to use it after all.
First, setting aside the fact that the app wasn’t able to do the one thing it needed to do -- report data accurately -- it also didn’t work properly on all precinct chairs’ devices.
In addition to the app’s nonfunctionality, ProPublica reports that the app was highly hackable, allowing “vote totals, passwords and other sensitive information [to be] … intercepted or even changed, according to officials at Massachusetts-based Veracode, a security firm that reviewed the software at ProPublica’s request. Because of a lack of safeguards, transmissions to and from the phone were left largely unprotected.” Other cybersecurity professionals were similarly unimpressed, with one noting that a hacker could change data on the servers.
“With all the attention that’s supposed to be going into election security, it’s shocking that code with this problem made it into production,” said University of Michigan computer science professor and security firm chief scientist J. Alex Halderman.
Why were coding issues such a problem for the smartphone app? Because the app was tested internally, not externally.
“This method is sometimes dubbed ‘security through obscurity’, and while there are instances for which it might be appropriate, it is a fragile method, especially unsuited to anything public on the internet that might invite an attack.”
The app also wasn’t easy for users to test: Users had to download multiple apps from the app stores to test the Caucus app, which was too hard for many of them to do.
Furthermore, NBC News reported talking to at least six managers who said training was insufficient.
The process behind the app led to disastrous results. Naturally, Nevada voters are hoping that their caucuses do not succumb to the same pitfalls.
Warning signs for the Nevada Caucus
Concerns about the Nevada caucuses surfaced when news broke that the state had been planning to use Shadow’s mobile application, which was used for Iowa’s caucuses. Two weeks later, those concerns remain, even though officials say they are not using the same app.
In Iowa, precinct chairs couldn’t even load the app on their mobile devices. In Nevada, caucus leaders can’t download the app on their tablets: “They were supposed to show us the app but they ended up spending the whole day trying to download the app,” [said Nevada Caucus volunteer Seth Morrison]. “Most people in the room could not.”
“We understand just how important it is that we get this right and protect the integrity of Nevadans’ votes,” wrote Nevada State Democratic Party Executive Director Alana Mounce, as reported by NPR. “We are confident in our backup plans and redundancies.”
“But it’s not clear exactly how security issues are being vetted,” The Washington Post reported, adding that a “spokeswoman for the Department of Homeland Security said in an email that the agency is in touch with the Democratic National Committee and the Nevada State Democratic Party and ‘will continue to provide any support they request.’”
Furthermore, just as happened in Iowa, volunteers in Nevada are reporting technical problems with the Google Form the state party is using in lieu of the nonfunctional Iowa app.
“Volunteers in some precincts [on Saturday during early voting] reported technical issues,” The Washington Post reported, “including problems with the Google Forms-based registration that led some sites to switch to paper. State party officials blamed those issues on high turnout, not technical problems.”
Those volunteers may not have been trained well, The Hill reports, which isn’t their fault. “Mounce noted in [a] memo that 3,000 volunteers would undergo a ‘robust training program’ to prepare for the caucuses, though according to CNN, many precinct volunteers had not yet seen the iPads they will use with one day to early voting.”
The Hill report also noted that former election official David Levine said he’s concerned that party officials aren’t accustomed to training volunteers on new technologies. “It’s a tough process to do in such a short period of time with volunteers,” Levine explained.
Key facts about the Google Form and the Caucus process were unknown as of last week, The American Prospect reported, including:
“the difference between the failed app and the new tool”
“who made [the new tool]”
“how the results will be transferred from caucus sites to the state party for official counting”
“whether the party has enough resources and volunteers to run the caucus sites with all of its complexities.”
It would be one thing if Nevada officials were using the technology in only limited instances, such as is happening with voting for the Wisconsin Supreme Court and a conservation board in Washington. But instead, precinct chairs en masse will be using iPads purchased by the Nevada State Democratic Party, though with paper backups.
It is difficult to arrive at a conclusion that bears measurable optimism for Nevada. After Shadow’s mobile app broke, Nevada scrambled to make an electronic tool to facilitate caucusing -- a noble endeavour, although some reports suggest that the technology at hand and lack of training in Iowa may mar this year’s Nevada process as well. Perez, the election technology expert who noted the “ignorance of basic project management” in Iowa, issued this warning regarding Nevada:
“Very much like Iowa, this sounds like a tremendous amount of information coming relatively late in the game for fallible human beings in a complex environment. And that creates risk for another process breakdown.”