Iowa Election Snafu: What Happens When IT And Cybersecurity Best Practices Are Ignored

This article is more than 4 years old.

The wireless application that malfunctioned during the Iowa caucuses this week is a shining example of what happens when information technology (IT) and cybersecurity best practices and standards are ignored by the leaders of organizations. 

By way of background, there are well-established best practices and standards for developing software systems. Collectively, they are known as the systems development lifecycle (SDLC), which includes the business case for the system, the specifications for the application (which should include privacy and security considerations), the development of the software, the testing of system functionality and security, user acceptance, implementation of the system, maintenance, and finally, retirement of the system. The Iowa app appears to have skipped or been deficient in most of these steps through implementation.

There are best practices for secure code development, such as those set by the Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology’s (NIST) guidance on Systems Security Engineering and its Secure Software Development Framework. These best practices should have been applied to the development of the Iowa app, which would have included peer reviews of code, periodic code scans, and the testing of security features.

The Iowa app was developed by a Colorado company called Shadow. The app was supposed to be used to report caucus precinct results to the Iowa Democratic Party (IDP). Although the app failed dramatically (some users couldn’t even complete installation) and created havoc in reporting Iowa caucus results, the situation highlights the importance of this geeky stuff called IT and cybersecurity best practices and standards. 

The Role of Management

It also shines a light on what happens when management does not understand the importance of these best practices and standards when making IT decisions, especially those with the potential for widespread impact (like an election). In this case, “management” applies to both Shadow, regarding the development of the app, and to the Iowa Democratic Party leaders who chose to use it.

Notably, the IDP declined to accept an offer from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to test the app. Although The Washington Post reported that Troy Price, chairman of the IDP, said the party’s “systems were tested by independent cybersecurity consultants,” it is unclear whether he meant the app or Iowa election systems, and no security report has been released. The Post also noted that the testing of the app was intentionally delayed until mid-January in an attempt to keep it away from potential hackers, and very little training was provided on how to use the app.

None of this is consistent with best practices. Cybersecurity experts have been quick to point out that the app appears to have been rapidly developed, and screenshots that have been shared in the media show that the software was updated on January 24, January 30, and February 1 – three days before the Iowa caucuses – indicating it was not thoroughly tested and ready for production implementation.

The Washington Post also reported that the app was not rolled out via an app store, which means security protections on phones may have had to be bypassed to allow installation. Instead of using an app store, where security on the app would have to be vetted, the app was released via TestFairy and TestFlight, testing platforms for mobile phones that allow a bypass of normal installation and report back issues to developers.  When users tried to use the app, key functionalities, such as installation and authentication, failed.   

It is not known whether the mobile app would transmit the caucus results to the Iowa party headquarters encrypted – or whether the results would be transmitted over wireless networks in clear text, leaving them vulnerable to compromise. Since many software development and security best practices were clearly ignored, it is unlikely that the app encrypted the caucus results before transmission.

The leaders who chose this app ignored warnings and concerns. The Washington Post reported that Senator Ron Wyden (D-Ore) repeatedly tried to get information about the app from the Democratic National Committee and was stonewalled. Vice reported that Gregory Miller, co-founder of the Open Source Election Technology Institute, warned the Iowa Democratic Party not to use the app weeks ahead of the caucuses. The Nevada Democratic Party had planned on using the app, but it has since changed its mind.  

So, here we have a picture that is typical all over America. Heads of organizations make technology decisions without understanding what they are doing.  To be sure…they do not need to know coding or the technical guts of a system, but they do need to know enough to make good decisions about the products they are buying and implementing. It doesn’t matter if it is the head of the IDP or the chairman or CEO of a company; cyber risks need to be managed. In this case, it meant that IDP leaders needed to ensure that Shadow had adhered to best practices and standards for IT development and cybersecurity and that the app was thoroughly tested, user acceptance was complete, deployment was via approved app stores, and personnel were trained. 

Election Security: Paper versus Technology

Election security is multi-faceted. The Iowa election debacle raises our awareness about how state political officials can undercut the integrity of our elections through their failure to appreciate the risks associated with the use of technology. “What happened in Iowa is what happens when mobile technology is involved in elections,” notes Harri Hursti, a former hacker and one of the world’s foremost experts on election security.  “The rushed approach to use this app – or any technology that has not been carefully developed, tested, and vetted by the research community — puts our election process at risk; it is an example of why election technologies should be open for review.” 

Hursti is one of the founders of the Voting Village, an independent group of researchers who gathered for the third time at the 2019 DefCon conference in Las Vegas and demonstrated a wide array of vulnerabilities in the election process. The foreword by Senator Ron Wyden to their DefCon 27 Voting Machine Hacking Village 2019 Report noted that:

The volunteer hackers and security researchers at the Voting Village are contributing tremendously to public understanding of how easy it is to hack our elections. Whether it is e-poll books, paperless voting machines, or ballot marking devices that print unverifiable barcode ballots, far too much of the equipment that American democracy depends [on] is fundamentally insecure.

The researchers who participate in the Voting Village are devoted to highlighting the vulnerabilities in election equipment used in the U.S. and globally and to serving as a resource to those involved in improving the integrity and security of voting systems and processes. The problem is no one fixes the vulnerabilities that they find. The Report pointedly states:

And, once again, Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines…. However, it is notable – and especially disappointing – that many of the specific vulnerabilities reported over a decade earlier… are still present in these systems today.

Hursti sums it up rather succinctly by stating, “Quite simply, most of the technology in our election process cannot be trusted.”

The National Academies of Sciences, Engineering, and Medicine’s Securing the Vote report recommends that voter-verifiable paper ballots be used everywhere by 2020. Paper ballots or paper voting receipts are integral to election security because they provide a physical trail that can be reviewed and followed if there is any question about the outcome of an election, or more generally, for audits.

So, the hackers, researchers, scientists, and engineers all agree…paper is favored over electronics for elections in 2020. That would not be the case, however, if the management of the companies making and using this equipment and the election officials and political leaders who are selecting it and deploying it demanded that these technologies be developed, deployed, and maintained in alignment with best practices and standards for IT and cybersecurity. 

