Iowa Caucus Results Saved by Plain Old Paper After App Fails

(Bloomberg) -- In 2010, Washington D.C. opened its proposed online voting system to public scrutiny. Officials wanted to know if the new platform was safe to use in elections. Within 36 hours, hackers from the University of Michigan broke into the network and changed every single vote cast in a pilot election.

The team of Michigan students and staff took control of the voting system, and the security cameras at the Board of Elections, too. Yet officials had no idea, even after the hackers modified the “Thank You” page that appeared at the end of the test vote to play the University of Michigan fight song.

Washington elections officials discovered the attack two days later, then ultimately scrapped the program.

A decade on, American elections officials remain hopeful that the internet can make voting more accessible and the reporting of results more efficient. But cybersecurity experts point to case after case in which connecting voting systems to the internet and over-reliance on technology creates more problems than it solves.

Glitches in the mobile application used by Democrats in the Iowa caucus on Monday are just the latest in a decade full of such examples. Fortunately for the Iowa Democratic Party, which ran the election, the caucus was saved by its decision to mothball the original plan to use the app for tabulation and some voting, too.

“It could’ve been so much worse if actual voters had been using an app-based system to submit results,” said J. Alex Halderman, a cybersecurity professor at the University of Michigan and one of the masterminds behind the D.C. hack in 2010. “That’s why this was merely an embarrassment for the Iowa Democratic Party and not a catastrophe.”

Iowa caucus results were available and verifiable thanks to the use of “paper documentation,” according to the Iowa Democratic Party. That has raised worries that reliance on technology may hurt voter confidence in 2020 and beyond. The episode augments a growing public wariness since reports that Russiaian cyber-attacks infiltrated state voting systems in the 2016 election.

Despite these concerns, 32 states will offer some semblance of mobile voting in 2020. For example, according to current planning in West Virginia, disabled voters and military personnel deployed overseas will be able to use their smartphones to cast ballots through a platform called Voatz, according to West Virginia Secretary of State Mac Warner, who said the program has passed multiple stress tests.

The mobile voting technology has spent a couple of months at Idaho National Laboratory, where the Department of Homeland Security is testing the security of the technology “inside and out” -- with an assessment of its security expected soon, according to Donald Kersey, general counsel in Warner’s office, At that time, West Virginia will decide whether to use the technology -- an updated version of the mobile voting technology used in 2018 -- or move forward with other options for disabled and overseas voters to cast their ballots, such as email or fax.

The Department of Homeland Security didn’t conduct this type of testing on Iowa’s app for reporting caucus results, Chad Wolf, the department’s acting secretary, said Tuesday on Fox News. Even so, cybersecurity experts continue to wonder if new voting technologies -- even if they have been well tested -- are worth the added risks.

“There is this idea that we’re going to use this technology to improve access, without adequately reviewing security concerns,” said Susan Greenhalgh, vice president at the National Election Defense Coalition. “Instead, so many states are looking at tech as solution and believing what voting machine vendors are telling them about it.”

The use of paper in the voting and voter registration process -- which can be audited for accuracy, particularly in the event of an Iowa-like malfunction -- is “the greatest area of need” in election security, Chris Krebs, head of the Department of Homeland Security’s cybersecurity and infrastructure security agency, said last year at a House of Representatives committee hearing. But as of March, about a quarter of U.S. states relied on some voting equipment that produce no paper. Four states -- Delaware, Georgia, Louisiana and South Carolina -- utilized those paperless machines across the state, according to a report from the Brennan Center for Justice.

While some states are buying a new generation of digital voting machines in preparation for the presidential election, experts have told Bloomberg News that these machines are costly and insecure.

When the new digital system broke down Monday in Iowa, caucus staff defaulted to a manual approach, according to the Iowa Democratic Party. “Staff activated pre-planned backup measures and entered data manually,” the party said in a statement.

Following the failure of the new app in Iowa, officials in other states expressed confidence in traditional, offline methods of reporting results, including Nevada, which had also planned to use an app to tabulate results during its Feb. 22 Democratic caucus.

“We will not be employing the same app or vendor used in the Iowa caucus,” William McCurdy II, the chairman of the Nevada State Democratic Party, said in a statement. “We had already developed a series of backups and redundant reporting systems, and are currently evaluating the best path forward.”

Still, Iowa is “a pretty graphic illustration” of why it’s a bad idea to connect election systems to the internet, said Rich DeMillo, a Georgia Institute of Technology computer science professor and former Hewlett-Packard chief technology officer.

“Computers can be misprogrammed, misconfigured, misused and hacked,” DeMillo said. “Imagine the scale of the disaster if Iowa did not have hand-marked paper caucus result to rely on.”

©2020 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.