
The Iowa Caucus: No Hacking, But a Bungled Risk Matrix

In 2020, Best to Play It Safe With Technology and Elections

(For the latest update, see: Report: Iowa Caucus App Vulnerable to Hacking)


If Iowa's experiment with a new tabulation app during the Democratic caucuses is the warmup for the 2020 presidential election process, then we're in for a bumpy ride.

But what happened there isn't a technology problem. It's a human problem rooted in a failure to properly evaluate risk.

Iowa's much-anticipated caucus results were delayed after a mobile app commissioned by Iowa's Democratic Party malfunctioned. The IowaReporterApp was designed to enable precinct and party officials to more quickly report caucus results.

A variety of problems reportedly emerged. Sometimes the app couldn't be downloaded. When it was downloaded, sometimes it wouldn't start or users couldn't log in. Connectivity problems also appeared to be an issue. But so far, there doesn't appear to be any evidence of hacking or other security issues.

The app was developed by Colorado-based Shadow Inc., which describes itself as a for-profit technology consultancy.

"We sincerely regret the delay in the reporting of the results of last night's Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers," says Shadow Inc. CEO Gerard Niemira in a statement on the company's website. "The goal of the app was to ensure accuracy in a complex reporting process. We will apply the lessons learned in the future, and have already corrected the underlying technology issue."

Fuelling Misinformation

One of the first news reports about the development of the app came from NPR, which reported on Jan. 14 that the Iowa Democratic Party planned to distribute the app to as many as 2,000 officials, who would download it on their personal smartphones.

At that time, it was unknown who developed the app and whether it had been adequately tested or even audited for security vulnerabilities. NPR reported that the Democratic Party didn't want to reveal more information for fear of helping hackers.

The "security by obscurity" approach is exactly the wrong one and rarely results in better security outcomes. And any application that has a role in election infrastructure should be open for inspection and audit by a wide community.

The message from computer security experts has been clear: Using the internet as a part of any sort of voting system is inherently dangerous.

Perhaps the most unfortunate aspect of Iowa's mess is that it's fresh fuel for the conspiracy theorists, whose outsized voices on social media sow intentional confusion. It's a crowd that looks for mistakes such as this one to cause doubt in democratic processes.

And that could discourage people from voting, tweets Matt Blaze, a professor of computer science and law at Georgetown University.

Shadow Inc. couldn't have chosen a worse name for itself, either.

Stakes Are High

But what's most concerning about the Iowa situation is that, despite heightened awareness around election security and interference over the last four years, leaders aren't making the right decisions about risk.

The first caucus of the 2020 election season isn't the time to hastily deploy a new app to deliver results. The stakes are too high to deploy something faulty. It's almost as if Iowa's Democratic Party didn't ask itself, "What if this goes poorly?"

Luckily for Iowa, there's a tried and true fallback: paper. The caucus results were recorded on paper documents, which, once tallied, will provide reliable results.

The lessons of Iowa are already being acknowledged. The Nevada State Democratic Party had planned to use a similar version of the app made by Shadow Inc. for its Feb. 22 caucus. On Tuesday, the party says it won't, in light of Iowa's problems.

That's the right decision, but one that has only been made in light of Iowa's woes. Let's hope the political parties and election officials haven't taken on other secret risks this election season.



About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



