There were obviously failures in terms of the functionality, but were there security risks?
PM: What I just discussed is one big part, and the second part is the security. The security approach they used, and one of the reasons why they had problems, was they didn’t show the app to anybody. They thought if they kept the app closed and didn’t share it with anybody, whoever would want to manipulate the app or service couldn’t actually hack the system because they don’t know what the software is.
This is in direct violation of one of the principles of security: security through obscurity almost never works. And it is a bad security practice. And that part has just come out within the last 24 hours (as of the time of interview on the morning of Wednesday, Feb. 5). There wasn’t any kind of external analysis the way you would expect for something so important.
To be clear about security risks, I haven’t seen any evidence of anything remotely suspicious here. This looks like a normal collapse of software on its rollout date. And this isn’t the first one. There are actually some other apps, particularly in the voting space, apps not for voting but for giving people rides to polling places, that have failed in the past. This is the first time that I’m aware of that a piece of a quasi-election has failed completely — and in such a way that the results were not available.
But this wasn’t a failure of anyone in the election process; this was largely the caucus. This is not a failure of government elections. I think there’s a little bit of confusion because there’s a difference between a caucus and an election. They’re not run by the same people.
While this failure was not caused by a security breach, is there any chance that a failure of this nature could then lead to, not be caused by but lead to, a security risk or breach?
PM: It’s dangerous to speculate on what possible security failures would be a result of this system. I will say that any system with this many flaws almost certainly has flaws that are security relevant. Since this application wasn’t evaluated for security or for liability just as a function of software development processes, it almost certainly has some security problems. This failure is demonstrating the lack of maturity of the software, and it’s fair to assume that because you’re having reliability issues, you probably have security issues as well. And the only way to ever know that would be for them to do a real analysis of the software and get some external input.
One New York Times article quoted a professor of computer science and law at Georgetown, Matt Blaze, as saying, “The consensus of all experts who have been thinking about this is unequivocal. Internet and mobile voting should not be used at this time in civil elections.” What’s your take on that?
PM: Totally agree. I think the consensus among the technical community is that no system is going to be perfect, no system is going to be free of flaws and probably no system is going to be free of security flaws as well. And for that reason, it’s just too dangerous to risk things like democracy on potentially flawed systems.
Can you talk a bit about the work that you’re doing in terms of improving election security and how that work relates to this?
PM: Mostly, at this point, I’m working with policy folks and helping people understand what best practices are. We at Penn State have been deeply involved in helping shape best practices. We understand that the technology that is used today to run elections is imperfect and will never be perfect. We’ve worked with people in the government to ensure that those best practices are codified and realized in elections.
Elections are some of the most underfunded processes of government, and they only operate one day a year or sometimes two or three days a year. (The government) buys equipment that is supposed to stick around for 20 years, and they have to go with the low bidder because they don’t have much money, so the quality is low.
What are the key takeaways and lessons?
PM: There is a valuable lesson for elections here. It’s that for any service that you introduce that is going to serve the election or serve the voters, you need to have a professional software process with significant investment, significant time and real external evaluation of the quality of the security and reliability of the systems. And I think, unfortunately, in Iowa they failed on those scores. Professional software development: that’s what it’s all about.
About Patrick McDaniel:
In 2018, McDaniel was awarded a five-year, nearly $10 million National Science Foundation Frontier grant to establish and lead the Center for Trustworthy Machine Learning. In the same year, he helped to coordinate and lead the Penn State Symposium on Election Security. He was also selected by the National Science and Technology Council, in coordination with the Executive Office of the President of the United States, to lead a technical workshop and co-author the subsequent report with experts from across the nation on cybersecurity in 2019.