The biggest security lesson from last night's Iowa caucuses: It doesn't take a hack for technology to undermine confidence in an election.
The spectacular failure of a mobile app that was supposed to forward caucus results last night -- which are still not out, as of this morning -- is a striking example of how faulty technology can spark questions about election results and create an opening for misinformation and conspiracy theories.
“These kinds of technical issues and operational delays play right into the game plan of malicious actors,” Maurice Turner, an election security expert at the Center for Democracy and Technology, told me. “[They] can leverage these small facts and turn them into viral misinformation messages speculating about hacking or corruption being behind the irregularities.”
The Democratic Party have surged its focus on cybersecurity to combat foreign interference by Russia or other actors that U.S. intelligence officials warn may seek a repeat of 2016. While an Iowa Democratic Party spokeswoman insisted the app “did not go down and this is not a hack or an intrusion,” the technical snags largely achieved the effects officials have long sought to avoid.
Even candidates questioned whether the results were tainted: Vice President Joe Biden's campaign complained about “considerable flaws” in the reporting system and demanded an explanation of the app’s quality controls before any results were released publicly.
Social media was abuzz with claims of intentional sabotage by party leaders. Brad Parscale, the manager for President Trump’s reelection campaign, suggested without evidence on Twitter that the process was “rigged.” He said later in a formal statement that “Democrats are stewing in a caucus mess of their own creation with the sloppiest train wreck in history.”
And conspiracy theories were circulating: One prominent falsehood was that former Hillary Clinton’s 2016 campaign manager Robby Mook was responsible for building the app that cratered – a rumor that had no basis in reality and that Mook quickly denied on Twitter. (The app was actually built by a company called Shadow that’s affiliated with and funded by ACRONYM, a Democratic digital nonprofit group, Huffington Post’s Kevin Robillard, Amanda Terkel and Molly Redden reported late last night.)
Sorry, folks. I did NOT have anythjng to do with building the Iowa caucus app. I dont know anything about it, had no role in it, and dont own a company that makes mobile appa. Please contact @iowademocrats with questions about it.— Robby Mook (@RobbyMook) February 4, 2020
The stakes only get higher as the primary season continues and November's big vote approaches. And last night's eye-popping drama raises the specter that huge investments states and the country have made in election security and technology since 2016 will be for nought.
Democratic officials had even game planned for a similar breakdown and planned out possible responses including seeking help from the Department of Homeland Security, my colleague Isaac Stanley-Becker reported. Instead, the night descended into chaos with caucus leaders waiting hours to deliver results by phone and texting and even tweeting pictures of their tallies.
The night also highlighted serious security and transparency failures by the Iowa Democratic Party, which insisted its app was secure but refused to disclose the vendor that created it or what security vetting it had gone through.
“The use of an untested app here was an extremely risky proposition from the start,” Matt Blaze, an election security expert at Georgetown University, told me. “Any complex new software system like this can at best be expected to have bugs and glitches when it’s rolled out. The use of the Internet and general mobile phone platforms also greatly increases the exposure to tampering and disruption by malicious actors.”
As Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, put it: “Macy’s doesn’t roll out its new cash registers on Black Friday and it feels like that’s what happened here.”
The app was cobbled together over the past two months after Democratic National Committee officials balked at a plan for caucus participants to call their votes in by phone, the New York Times’s Nicole Perlroth reported. It was never tested at a statewide scale. And it could have been even worse. Up until August, Iowa Democratic party officials were planning to allow party members to actually vote remotely on a mobile app before the national Democratic party forced them to reverse course over security concerns.
One silver lining is that Iowa caucus sites all have paper records of their voting totals. So it’s likely the party will be able to ultimately tally and release accurate results from those records. It just might take a long time.
“I don’t think there’s any question about the accuracy of the results or that they’re going to get it right. But they’re under a magnifying glass right now,” Norden told me. “If there’s a choice between getting the results right and getting them quickly, it’s far more important that they get them right and they seem to be doing everything they can to get them right.”
Still, the Iowa debacle should also give ammunition to election security hawks advocating for paper ballots, which they say are the only way to ensure the integrity of a vote if hackers compromise election technology or if it goes haywire.
Paper records have surged in states since 2016 but Republicans in Congress have balked at mandating them. About 10 percent of Americans will vote without a paper record in November, according to the most recent estimate from the Brennan Center for Justice.
From David Levine, the elections integrity fellow at the Alliance for Securing Democracy:
1/ While the new voting app and challenges with transmitting results get a lot of attention, it's worth noting that the Iowa Democratic caucuses are also for the first time using presidential preference cards for each voter to create a paper backup system. https://t.co/67CQ8eAXvK— David Levine (@davidalanlevine) February 4, 2020
It was a busy night for security experts on Twitter, who were up all night commenting on the issues.
Iowa shows how technical errors can “can cause doubts that independently undermine confidence in results,” said Nathaniel Persily, Co-Director of Stanford Cyber Policy Center:
As I and others have been arguing, the technology involved beyond the polling place — including, in particular, the election night reporting system— can cause doubts that independently undermine confidence in results.— nathaniel persily (@persily) February 4, 2020
“Who even needs election interference to mess with a caucus if the app simply doesn't work to begin with?” quipped NBC News’s Ben Collins:
That said, who even needs election interference to mess with a caucus if the app simply doesn't work to begin with?— Ben Collins (@oneunderscore__) February 4, 2020
Josh Rudolph, a fellow at the Alliance for Securing Democracy, called the long delay in releasing results a “ripe environment for disinfo”:
Waiting for Iowa caucus results reminds me of waiting for verified news on the night of the Iranian missile attack almost a month ago – ripe environment for disinfo.— Josh Rudolph (@JoshRudes) February 4, 2020
We need to be patient and let officials and professional reporters do their job.
I'll start by going to bed now.
“Holy lord it's scary to think about the security of the results entrusted to a smartphone app,” New York Times opinion writer Charlie Warzel wrote:
i did not know about this iowa caucus voting app until tonight but holy lord it's scary to think about the security of the results entrusted to a smartphone app https://t.co/MYe4dPAtYM pic.twitter.com/q7PDsbPUI7— Charlie Warzel (@cwarzel) February 4, 2020
And, of course, the Trump campaign team was crowing about the confusion:
Live look at the Democrat Party doing 'quality control' pic.twitter.com/YCiJIeiYry— Team Trump (Text TRUMP to 88022) (@TeamTrump) February 4, 2020
PINGED, PATCHED, PWNED
PINGED: Cybersecurity firm McAfee is also sounding an alarm about another election security concern this morning -- the danger Russia or another U.S. adversary could hijack county election websites and use them to spread disinformation about when and where to vote during primaries or the general election.
McAfee found that nearly 50 percent of county election websites in 13 battleground and early primary and caucus states don’t have the most secure level of encryption – indicated by an HTTPS at the left of the web address. That makes it would be far easier for hackers to break into those sites and seed them with misinformation.
More than 80 percent of those counties aren’t using a government-supplied web domain that ends with the .gov suffix, McAfee found. That means there’s no clear indication for voters that they’re looking at a real county election website and not a phony site scammers set up to mislead them.
Hackers could use those vulnerabilities to depress turnout in some caucuses and primaries and raise doubts about the results. They could even send targeted emails linking to a phony site to people likely to vote for a particular candidate to hurt that candidate’s chances.
Even if that effort didn’t change an election’s outcome, it could sow anger within the Democratic party and damage voters’ faith in the democratic process, McAfee Chief Technology Officer Steve Grobman told me.
Those results are only slightly improved from November, when McAfee tested county election websites in a smaller number of swing states.
PATCHED: The trial of an ex-CIA employee allegedly responsible leaking agency secrets at the very time cyber conflict with Russia was escalating kicked off yesterday. The leaked documents revealed the agency's techniques for hacking smartphones, computers and even smart televisions, raising concerns about the agency's ability to protect its hacking tools.
The prosecution alleges Joshua Schulte, a disgruntled former CIA employee, leaked 8,000 pages of secret material to WikiLeaks to get revenge against his former employer. The “Vault 7" leak came a year after a separate trove of NSA hacking tools were leaked by a mysterious group called Shadow Brokers.
Schulte's defense lawyers have unsuccessfully argued that the Espionage Act charges are vague and overly broad. But the case could still be difficult to prosecute because the CIA will be wary of revealing even more information about its hacking operations, Rebecca Davis O'Brien at the Wall Street Journal reports.
Schulte's lawyers will argue that Schulte acted in the public interest to reveal how the government hacked into commercial technologies, Jeff Stone at CyberScoop reports.
PWNED: House Republicans introduced a resolution yesterday condemning the United Kingdom for allowing Chinese telecommunications company Huawei to build parts of its 5G networks, despite U.S. warnings the company could be a conduit for Beijing spying.
“Huawei equipment is absolute poison — providing them access to any aspect of a 5G network compromises the integrity of the entire system and will result in network data being sent back to Communist Party leaders in Beijing,” wrote the lawmakers led by Rep. Michael McCaul (Tex.), the top Republican on the House Foreign Affairs Committee. The lawmakers added they hope the United Kingdom will “reverse course.”
The resolution was also sponsored by GOP Reps. Liz Cheney (Wyo.), Ted Yoho (Fla.), Michael R. Turner (Ohio) and Mike Gallagher (Wis.). Cheney, a member of the House Armed Services Committee, has also pushed for legislation that would cut intelligence sharing with nations that allow Huawei into their 5G networks.
Similar legislation was introduced in the Senate, though it's unclear if the White House is on board with the drastic measure. Secretary of State Mike Pompeo assured British leaders last week that relations between the two countries are “not at risk” because of the U.K.’s decision.
-- Huawei and ZTE, another Chinese telecommunications company, want the Federal Communications Commission to reevaluate a November decision to restrict telecoms from using federal funding to purchase their technologies, according to filings submitted to the agency yesterday. The agency deemed both companies a national security risk in November.
ZTE says it is fully compliant with U.S. export controls and has improved its cybersecurity, the company told the agency in a filing submitted yesterday. The company says it has more than 1,500 security specialists and a cybersecurity committee chaired by senior management.
Huawei also challenged the FCC, calling the national security risk label a “campaign by certain government officials, including members of Congress, to single out Huawei for burdensome and stigmatizing restrictions, put it out of business in the United States, and impugn its reputation here and around the world.”
In addition to banning telecoms that accept federal funding from buying ZTE and Huawei equipment, the FCC is weighing a decision that would force wireless broadband providers to remove and replace equipment from the companies.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
- New America’s Open Technology Institute will host an event titled “Privacy’s Best Friend: How Encryption Protects Consumers, Companies, and Governments Worldwide” on Feb. 4 at noon.
- New America will host an event on "Kickstarting the Digital Heartland" Wednesday from 12pm to 2pm
- Georgetown Law’s Institute for Technology Law & Policy in partnership with the Georgetown Law Technology Review will co-host a daylong conference on “Election Integrity in the Networked Information Era on Friday from 9am to 5pm
- The Senate Homeland Security and Governmental Affairs Committee will host hearings to examine a roadmap for effective cybersecurity, focusing on what states, locals, and the business community should know and do on Feb 11 at 9:30 am
- The Senate Armed Services Committee will host hearings to examine United States Special Operations Command and United States Cyber Command in review of the Defense Authorization Request for fiscal year 2021 and the Future Years Defense Program on Thursday at 10am.
- RSA Conference 2020 is scheduled for Feb. 24-28 in San Francisco