By Joseph Marks
Caucus goers check in at a caucus at Roosevelt High School, Monday, Feb. 3, 2020, in Des Moines, Iowa. (AP Photo/Andrew Harnik)
The biggest security lesson from last night's Iowa caucuses: It doesn't take a hack for technology to undermine confidence in an election.
The spectacular failure of a mobile app that was supposed to forward caucus results last night -- which are still not out, as of this morning -- is a striking example of how faulty technology can spark questions about election results and create an opening for misinformation and conspiracy theories.
“These kinds of technical issues and operational delays play right into the game plan of malicious actors,” Maurice Turner, an election security expert at the Center for Democracy and Technology, told me. “[They] can leverage these small facts and turn them into viral misinformation messages speculating about hacking or corruption being behind the irregularities.”
The Democratic Party has surged its focus on cybersecurity to combat foreign interference by Russia or other actors that U.S. intelligence officials warn may seek a repeat of 2016. While an Iowa Democratic Party spokeswoman insisted the app “did not go down and this is not a hack or an intrusion,” the technical snags largely achieved the effects officials have long sought to avoid.
Even candidates questioned whether the results were tainted: Vice President Joe Biden's campaign complained about “considerable flaws” in the reporting system and demanded an explanation of the app’s quality controls before any results were released publicly.
Social media was abuzz with claims of intentional sabotage by party leaders. Brad Parscale, the manager for President Trump’s reelection campaign, suggested without evidence on Twitter that the process was “rigged.” He said later in a formal statement that “Democrats are stewing in a caucus mess of their own creation with the sloppiest train wreck in history.”
And conspiracy theories were circulating: One prominent falsehood was that Hillary Clinton’s 2016 campaign manager Robby Mook was responsible for building the app that cratered – a rumor that had no basis in reality and that Mook quickly denied on Twitter. (The app was actually built by a company called Shadow that’s affiliated with and funded by ACRONYM, a Democratic digital nonprofit group, Huffington Post’s Kevin Robillard, Amanda Terkel and Molly Redden reported late last night.)
Sorry, folks. I did NOT have anything to do with building the Iowa caucus app. I don't know anything about it, had no role in it, and don't own a company that makes mobile apps. Please contact @iowademocrats with questions about it.— Robby Mook (@RobbyMook) February 4, 2020
Democratic officials had even game planned for a similar breakdown and planned out possible responses including seeking help from the Department of Homeland Security, my colleague Isaac Stanley-Becker reported. Instead, the night descended into chaos with caucus leaders waiting hours to deliver results by phone and texting and even tweeting pictures of their tallies.
The night also highlighted serious security and transparency failures by the Iowa Democratic Party, which insisted its app was secure but refused to disclose the vendor that created it or what security vetting it had gone through.
“The use of an untested app here was an extremely risky proposition from the start,” Matt Blaze, an election security expert at Georgetown University, told me. “Any complex new software system like this can at best be expected to have bugs and glitches when it’s rolled out. The use of the Internet and general mobile phone platforms also greatly increases the exposure to tampering and disruption by malicious actors.”
As Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, put it: “Macy’s doesn’t roll out its new cash registers on Black Friday and it feels like that’s what happened here.”
The app was cobbled together over the past two months after Democratic National Committee officials balked at a plan for caucus participants to call their votes in by phone, the New York Times’s Nicole Perlroth reported. It was never tested at a statewide scale. And it could have been even worse. Up until August, Iowa Democratic party officials were planning to allow party members to actually vote remotely on a mobile app before the national Democratic party forced them to reverse course over security concerns.
One silver lining is that Iowa caucus sites all have paper records of their voting totals. So it’s likely the party will be able to ultimately tally and release accurate results from those records. It just might take a long time.
“I don’t think there’s any question about the accuracy of the results or that they’re going to get it right. But they’re under a magnifying glass right now,” Norden told me. “If there’s a choice between getting the results right and getting them quickly, it’s far more important that they get them right and they seem to be doing everything they can to get them right.”
Still, the Iowa debacle should also give ammunition to election security hawks advocating for paper ballots, which they say are the only way to ensure the integrity of a vote if hackers compromise election technology or if it goes haywire.
Paper records have surged in states since 2016 but Republicans in Congress have balked at mandating them. About 10 percent of Americans will vote without a paper record in November, according to the most recent estimate from the Brennan Center for Justice.
From David Levine, the elections integrity fellow at the Alliance for Securing Democracy:
1/ While the new voting app and challenges with transmitting results get a lot of attention, it's worth noting that the Iowa Democratic caucuses are also for the first time using presidential preference cards for each voter to create a paper backup system. https://t.co/67CQ8eAXvK— David Levine (@davidalanlevine) February 4, 2020
Iowa shows how technical errors “can cause doubts that independently undermine confidence in results,” said Nathaniel Persily, Co-Director of Stanford Cyber Policy Center:
As I and others have been arguing, the technology involved beyond the polling place — including, in particular, the election night reporting system— can cause doubts that independently undermine confidence in results.— nathaniel persily (@persily) February 4, 2020
That said, who even needs election interference to mess with a caucus if the app simply doesn't work to begin with?— Ben Collins (@oneunderscore__) February 4, 2020
Waiting for Iowa caucus results reminds me of waiting for verified news on the night of the Iranian missile attack almost a month ago – ripe environment for disinfo.— Josh Rudolph (@JoshRudes) February 4, 2020
We need to be patient and let officials and professional reporters do their job.
I'll start by going to bed now.
i did not know about this iowa caucus voting app until tonight but holy lord it's scary to think about the security of the results entrusted to a smartphone app https://t.co/MYe4dPAtYM pic.twitter.com/q7PDsbPUI7— Charlie Warzel (@cwarzel) February 4, 2020
Live look at the Democrat Party doing 'quality control' pic.twitter.com/YCiJIeiYry— Team Trump (Text TRUMP to 88022) (@TeamTrump) February 4, 2020
PINGED, PATCHED, PWNED
McAfee found that nearly 50 percent of county election websites in 13 battleground and early primary and caucus states don’t have the most secure level of encryption – indicated by an HTTPS at the left of the web address. That makes it far easier for hackers to break into those sites and seed them with misinformation.
More than 80 percent of those counties aren’t using a government-supplied web domain that ends with the .gov suffix, McAfee found. That means there’s no clear indication for voters that they’re looking at a real county election website and not a phony site scammers set up to mislead them.
Hackers could use those vulnerabilities to depress turnout in some caucuses and primaries and raise doubts about the results. They could even send targeted emails linking to a phony site to people likely to vote for a particular candidate to hurt that candidate’s chances.
Even if that effort didn’t change an election’s outcome, it could sow anger within the Democratic party and damage voters’ faith in the democratic process, McAfee Chief Technology Officer Steve Grobman told me.
Those results are only slightly improved from November, when McAfee tested county election websites in a smaller number of swing states.
CIA headquarters. (Carolyn Kaster/AP)
The prosecution alleges Joshua Schulte, a disgruntled former CIA employee, leaked 8,000 pages of secret material to WikiLeaks to get revenge against his former employer. The “Vault 7” leak came a year after a separate trove of NSA hacking tools was leaked by a mysterious group called Shadow Brokers.
Schulte's defense lawyers have unsuccessfully argued that the Espionage Act charges are vague and overly broad. But the case could still be difficult to prosecute because the CIA will be wary of revealing even more information about its hacking operations, Rebecca Davis O'Brien at the Wall Street Journal reports.
Schulte's lawyers will argue that Schulte acted in the public interest to reveal how the government hacked into commercial technologies, Jeff Stone at CyberScoop reports.
House Republican Conference chair Rep. Liz Cheney (R-Wyo.). (J. Scott Applewhite/AP)
“Huawei equipment is absolute poison — providing them access to any aspect of a 5G network compromises the integrity of the entire system and will result in network data being sent back to Communist Party leaders in Beijing,” wrote the lawmakers led by Rep. Michael McCaul (Tex.), the top Republican on the House Foreign Affairs Committee. The lawmakers added they hope the United Kingdom will “reverse course.”
The resolution was also sponsored by GOP Reps. Liz Cheney (Wyo.), Ted Yoho (Fla.), Michael R. Turner (Ohio) and Mike Gallagher (Wis.). Cheney, a member of the House Armed Services Committee, has also pushed for legislation that would cut intelligence sharing with nations that allow Huawei into their 5G networks.
Similar legislation was introduced in the Senate, though it's unclear if the White House is on board with the drastic measure. Secretary of State Mike Pompeo assured British leaders last week that relations between the two countries are “not at risk” because of the U.K.’s decision.
The logo of Chinese technology firm ZTE. (Mark Schiefelbein/AP)
ZTE says it is fully compliant with U.S. export controls and has improved its cybersecurity, the company told the agency in a filing submitted yesterday. The company says it has more than 1,500 security specialists and a cybersecurity committee chaired by senior management.
Huawei also challenged the FCC, calling the national security risk label a “campaign by certain government officials, including members of Congress, to single out Huawei for burdensome and stigmatizing restrictions, put it out of business in the United States, and impugn its reputation here and around the world.”
In addition to banning telecoms that accept federal funding from buying ZTE and Huawei equipment, the FCC is weighing a decision that would force wireless broadband providers to remove and replace equipment from the companies.
- New America’s Open Technology Institute will host an event titled “Privacy’s Best Friend: How Encryption Protects Consumers, Companies, and Governments Worldwide” on Feb. 4 at noon.