Iowa Caucus Meltdown Tied to Democrats’ Little-Tested App
(Bloomberg) -- The breakdown in reporting results from Iowa’s Democratic caucuses appears tied to failures in a mobile application that wasn’t ready for the load of a statewide election and which the head of the Homeland Security Department said wasn’t subjected to a cybersecurity test by his agency.
“This is more of a stress or load issue as well as a reporting issue that we’re seeing in Iowa,” acting Department of Homeland Security Secretary Chad Wolf said in a Fox News interview Tuesday.
Wolf said there’s little evidence of hacking of the app, which precinct officials struggled to use on Monday night. He said that his department’s cyber division had offered to test the software for vulnerabilities but was declined.
The Iowa Democratic Party planned to release the majority of caucus results at 5 p.m. New York time on Tuesday, its chairman, Troy Price, told the presidential campaigns on a call.
In a statement earlier on Tuesday, Price said there was “every indication” that the party’s systems were secure and there wasn’t a cybersecurity intrusion. He said the systems were tested by independent cybersecurity consultants before the caucuses, and that the performance failure was due to a “coding issue,” which has been fixed.
But the failure spotlights the need for hard-copy backups across election systems, as a handful of states are still using voting machines that don’t produce a paper receipt, according to Marian Schneider, president of the voting advocacy group Verified Voting and former deputy secretary for elections of Pennsylvania.
“It’s clear that mobile apps are not ready for prime time, but thankfully Iowa has paper records of their vote totals and will be able to release the results from those records,” Schneider said.
An estimated 12% of Americans will vote on machines that don’t produce a paper trail, down from about 20% in 2016, according to data from Verified Voting and the Brennan Center for Justice.
The breakdown has stoked some of the worst fears of election and security specialists that voter confidence could be shaken even without evidence of hacking.
‘Cloud of Doubt’
“This cloud of doubt appears irrespective of the perfect functioning of the precinct-based tabulation,” Nathaniel Persily, co-director of Stanford Law School’s Cyber Policy Center, wrote on Twitter.
Iowa Democrats paid Shadow Inc. about $68,000 in two installments between November and December of last year for the application it deployed to precincts across Iowa for Monday’s caucus. The company describes itself as working to build “political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.” It says it previously did work for Hillary for America, Obama for America, Google and the AFL-CIO.
In a statement on Twitter, Shadow said it regrets the Iowa reporting delay and the uncertainty that its app created even though “this issue did not affect the underlying caucus results data.”
“As the Iowa Democratic Party has confirmed, the underlying data and collection process via Shadow’s mobile caucus app was sound and accurate, but our process to transmit that caucus results data generated via the app to the IDP was not,” the company said.
Most cybersecurity experts say that the three months taken to build and test the app before it was used in the Iowa caucuses was woefully insufficient.
By contrast, Jason Ingalls, then with General Dynamics Corp., was contracted by the Executive Office of the President in 2009 to attack the latest version of WH.gov to find weaknesses. He spent four months breaking the site’s code line-by-line in search of flaws, then an additional two months stress-testing the site.
“I hope this is the last time we see this kind of mindless drive toward tech usage,” Ingalls said.
The Nevada Democratic Party said Tuesday that it won’t use the Shadow app in its caucuses on Feb. 22. “We will not be employing the same app or vendor used in the Iowa caucus,” said William McCurdy II, the state Democratic chair. “We had already developed a series of backups and redundant reporting systems and are currently evaluating the best path forward.
An official for Democrat Joe Biden’s campaign said the campaign had previously used Shadow’s services but stopped because its technology team expressed security concerns. The company’s technology didn’t pass a cybersecurity checklist, the official said. The campaign didn’t use the same app adopted by the Iowa Democratic Party.
The breakdown is more than an embarrassment for Iowa Democrats. It marks the second presidential election cycle where vulnerabilities were exposed in the party’s cyber infrastructure and will tarnish the results of the Iowa caucus that’s perennially a key election -- one that traditionally helps winnow the field of candidates, propelling underdogs into the national spotlight or undercutting candidates thought to be cruising toward greater success.
With little idea of the outcome, Democratic candidates were already arriving in New Hampshire on Tuesday morning for the next key vote in its primary.
“They have crushed the confidence of voters with this half-baked app,” said Ingalls, who now operates his own breach-response company Ingalls Information Security. “No one is going to want to deal with the possibility of a failed election because they rushed technology for technology’s sake.”
(Disclaimer: Michael Bloomberg is seeking the Democratic presidential nomination. He is the founder and majority owner of Bloomberg LP, the parent company of Bloomberg News.)
--With assistance from Tyler Pager and Jennifer Epstein.
To contact the reporters on this story: Michaela Ross in New York at email@example.com;Kartikay Mehrotra in San Francisco at firstname.lastname@example.org;Chris Strohm in Washington at email@example.com
To contact the editors responsible for this story: Bill Faries at firstname.lastname@example.org, ;Heather Rothman at email@example.com, Larry Liebert, Andrew Martin
©2020 Bloomberg L.P.