Opinion

JUSTIN SHERMAN & KAMRAN KARA-PABANI: Turmoil of Iowa caucus highlights cybersecurity concerns

Saturday, Feb. 8, 2020 -- There is no public evidence yet that the voting app was hacked or that hacking has anything to do with the delayed results from the Iowa Democratic caucuses. Yet, true to form, that hasn't stopped politicians and others from spreading unfounded claims that threaten faith in our election process.

Posted Updated
Democratic Race Is in Turmoil as Iowa Results Are Questioned
EDITOR'S NOTE: Justin Sherman is a Duke University senior and Fellow at the Duke Center on Law & Technology at the School of Law. Kamran Kara-Pabani is a Duke sophomore and cyber policy researcher at the Sanford School of Public Policy.

Turmoil, not any trending among the Democratic presidential contenders, was the most prominent results of the Iowa caucuses – the first head-to-head contest of 2020 campaign season.

It wasn’t because voters couldn’t decide; Iowa Democratic Party officials blamed a “coding issue” in a new mobile app used for the first time to report caucus results. Meanwhile, social media was abuzz with talk of possible technical failures, hacking issues and more interference in the American democratic process.

The Iowa breakdown underscores several issues: the real potential for voting apps to be hacked in elections shows they’re not the panacea some might hope; and misinformation about hacking and interference, spread online, can undermine confidence in election results.

Voting apps like the one used in Iowa are intended to hasten the reporting of election results rather than actually record votes. The mobile app at play in Iowa was, according to the New York Times, shoddily constructed and inadequately tested in less than two months by Shadow, a for-profit company that has created similar technology for the Nevada Democratic primary (though Nevada officials have said they won’t use the software).
Technologies dealing with election data should be among the most tested and secure as states like North Carolina push to digitize various ballot and election processes. North Carolina has some measures in place, such as requiring the use of paper ballots in elections to produce an auditable paper trail. But the state’s decision to approve new touchscreen voting machines has been criticized given a lack of testing. An October 2019 Department of Homeland Security report also found security flaws in key election computer systems in Durham County, though it did not find evidence Russian hackers broke into them.
The app used in Iowa was not appropriately tested for security vulnerabilities and may have been open to a breach. Regardless, only one day after irregularities in caucus results reporting were discovered, the Iowa Democratic Party announced that “this is not a hack or intrusion.” It is unclear how they reached this conclusion, especially given that it typically takes more than 200 days to identify a breach.
There was only limited publicly available information about the app in the first place; Iowa party officials even encouraged that its name be withheld from officials in the precincts in which it was used, further shielding it from scrutiny. Moreover, that secret helped fuel misinformation and sowed distrust amongst the public regarding the integrity of Iowa Caucus results.
The app performs poorly in areas with spotty connectivity, potentially making it more difficult for those particularly in rural areas to report election results. The notion that tech is a silver-bullet solution to structural election challenges is wrong.

There is no public evidence yet that the voting app was hacked or that hacking has anything to do with the delayed results. Yet, true to form, that hasn’t stopped politicians and others from spreading unfounded claims that threaten faith in our election process.

President Donald Trump’s reelection campaign manager suggested on Twitter that the process was “rigged.” There were false conspiracy theories circulating on Twitter, as the Washington Post’s Joseph Marks has reported, that Hillary Clinton’s 2016 campaign manager built the app.

Legitimate risks of foreign interference in U.S. elections exist. Some of these are cybersecurity-related, like Russian information hacking-and-dumping operations. Other election interference risks are not cybersecurity-related, like President Trump’s efforts to coerce Ukrainian officials to investigate a political challenger’s son.

Jumping to conclusions is dangerous. It can undermine confidence in U.S. electoral processes. Foreign adversaries can further capitalize on distrust and discord. None of us should want that.

Copyright 2024 by Capitol Broadcasting Company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.