[Reading Time - 2 minutes 37 seconds]
"Debacle" is perhaps the best way to describe what happened earlier this week (Feb 3 2020) with the app that was used for tallying the votes from the Iowa caucuses. It was a clear recipe for how not to securely develop an app.
On Monday night Iowa caucusgoers gathered at about 1,700 sites across the state to tally support for their preferred Democratic presidential candidate. The results from the different polling places were to be entered into an app developed by the Colorado company Shadow, and these results were to compiled with the results announced later that evening.
But everything went terribly wrong. Why? It appears that because standard app development and basic security practices were simply ignored.
Developing an application requires several different stages. These stages include development, testing, staging, and production. An application development lifecycle model is a conceptual model that describes these different stages involved in creating an application. And there are several detailed models and guidelines by the National Institute of Standards and Technology (NIST) and others that are often used as a framework for secure app development.
Evidently Shadow completely ignored these when developing their app for the Iowa Democratic Party (IDP). Here is a short list of the errors that we know about so far from various sources:
There has been significant fallout from this debacle. A recanvassing of the results had to take place. It took until Friday (Feb 7 2020)--four days later--for the results of the Iowa primary to finally be announced. Now the Nevada Democratic Party has announced that it will not use the Shadow app for its state caucuses later this month on Feb 22.
But that doesn't mean that those states that don't use the Shadow app are in the clear (pun intended).
A recent report by the cybersecurity research firm McAfee found that most election websites operated by local governments in the "battleground" states are not part of the ".gov" domain. Having the .gov domain name makes these sites more difficult to spoof. Of 1,117 counties in 13 key states (which account for 201 of the 270 Electoral College votes that determine the winner of presidential contests) a whopping 83.3 percent did not have the .gov validation, McAfee said.
What's more, only about half of the state election sites use SSL/TLS encryption (aka "HTTPS" or the padlock icon on your web browser), according to McAfee. That means that the tallying of votes is sent in the clear. It could be possible for the election results to be intercepted and altered before being sent on.
What happened in Iowa was a debacle. Let's hope that the other 49 states learn from this disaster and work hard to make their election sites secure.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.