Like everything created by humans, code has flaws. One major way to defend against potential problems brought on by the flaws is testing an app before you use it. Unfortunately, it seems like the Iowa Democratic Party did little in the way of testing the app it used to track results from the Iowa caucuses, wreaking havoc on the tenuous Democratic presidential-nominating process.
“The situation in Iowa makes the average voter’s confidence in the election process worse than before,” said Ron Gula, a former National Security Agency (NSA) white hat hacker who now invests in startup cybersecurity firms. “Whether or not they might believe the Russians hacked the election before, this is another thing that will make them go ‘wow, we really don’t trust this.’ It’s not a great situation for voter confidence in general.”
A low-tech solution
This was a screw up on a state level, a state that happens to hold a lot of significance for U.S. democracy. “The situation with Iowa’s caucus reveals the risks associated with technology, in this case with a mobile app, but more importantly that there needs to be a low-tech solution in order to recover from technological failures — no matter the cause,” said Marian K. Schneider, president of Verified Voting, in a statement to Digital Trends.
Verified Voting is a voting accuracy nonprofit that works to eliminate or reduce the use of systems that “cannot be audited or secured, such as internet voting.” Schneider noted it was lucky that Iowa kept paper records of the vote. “It’s clear that mobile apps are not ready for prime time,” she said.
Wikipedia founder Jimmy Wales expressed as much online.
I predict the most important outcome of the Iowa ballot-counting debacle is enhanced public understanding of why old fashioned paper ballots are still the most secure and transparent way to vote.
— Jimmy Wales (@jimmy_wales) February 4, 2020
“Moving from analog to online voting practices has ushered in a digital age of delayed democracy that’s all but secure,” said Damien Mason, digital privacy advocate and tech expert at the U.K.-based ProPrivacy, in a statement to Digital Trends. “Instead of questioning whether we are ready for internet-based voting technology right now, we should begin asking whether we ever will be. Will voters ever have confidence in a process that exposes itself to the same security issues and malicious intervention as the rest of the internet?”
Even software engineers warn against the idea that using software is good for, well, anything, much less something as delicate and important as recording people’s votes.
I've worked professionally in software for 18 years and I can say with certainty that you should not use software for anything
— Stephen "????” Woods (@ysaw) February 4, 2020
Hacking isn’t the big problem
Iowa officials were quick to assert that the app had not been hacked, something Gula said he found surprising. “You have to have good security to rule out that it wasn’t a hacker,” he told Digital Trends. “I’m surprised they said it so quickly.”
It seems that the problems with the app had more to do with functional bugs than with latent problems waiting to be exploited. The Iowa Democratic Party reportedly paid $60,000 to a company called Shadow, Inc. to develop the app last November.
“The fact that the app was done quite fast and there weren’t many tests done, it could be that we were lucky it was a functional bug,” said Asaf Ashkenazi, chief operating officer at the cybersecurity company Verimatrix. “What would be more scary would be if there was a bug that’s being exploited to change the application. Then you could change the results and the vote count without doing much. We’d like to think that this is a unique case where apps are released without testing and with no protection, unfortunately, from what we see, this is more of the norm.”
Any process can be hacked, said Gula, even paper ballots. So the move toward more electronic voting didn’t bother him too much. Indeed, as the Iowa caucus debacle was unfolding, Washington state announced it would be expanding online voting options for military and overseas voters, according to PRI’s The World. West Virginia is also pushing to allow disabled voters to use their smartphones to cast their ballots, according to Ars Technica.
What Gula said he’s concerned about is whether state and county legislators will have the budget to create properly secured apps for voting, and whether some kind of national mandate would standardize voting across the country, thus actually making it easier for hackers to get into the systems.
“We don’t have discipline as a society to have good enough cyber hygiene to cast electronic votes securely,” said Gula. “Your average state and local reps just don’t have the resources to invest. In general, as a country, we’re not ready.”
The good news is that people at least realize that these problems exists. Moving forward, perhaps lawmakers can help raise better awareness of voting security. “Voting is a state’s rights issue, they each have their own way of doing things securely,” Gula said. “It looks like they messed up this time.”
