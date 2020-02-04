Participants hold Presidential Preference Cards during the first-in-the-nation Iowa caucus in Des … [+] Moines, Iowa.

© 2020 Bloomberg Finance LP

Silicon Valley loves to boast that software is eating everything, but the latest bout of code indigestion just caused one of the most high-profile tech glitches in living memory.

Tech and security experts had warned the Iowa Democratic Party (IDP) against introducing a vote reporting app, but it went ahead and used it anyway—with unfortunate results. The software that was supposed to convey Caucus results to the party failed to function properly yesterday, leaving officials scrambling to get information about voters’ preferences.

The app was developed by a Washington, DC-based outfit called Shadow that is linked to a non-profit digital strategy firm called Acronym. (Acronym put out a statement late Monday saying it is one of a number of investors in Shadow and didn’t directly provide technology to the IDP.) The IDP paid Shadow $63,000 to develop the app according to a report in the Wall Street Journal, spread over two payments late last year, and also received payments from campaigns who used the app for campaign work.

According to multiple reports, election officials had problems getting connectivity via the app and in some cases accessing it from their phones. The backup plan system using telephones to call in results was quickly overwhelmed, leading to long delays. In a statement issued on Tuesday, IDP Troy Price blamed the problem on a “coding issue” and added that the underlying data collected by the app was “sound” but that it caused data that had been collected to be only partially reported. Price said the problem has since been fixed.

The events are a stark reminder of just how dependent the U.S. electoral system remains on the proper functioning of software. The odd glitch here and there may be tolerable in a shopping or travel app, but failures in code can be disastrous for confidence in the outcome of elections. While results have finally been filtering through, some campaigns have already been raising questions about the integrity of the technology and the reporting process.

Since the 2016 US presidential vote, security experts and parties have been working to shore up the technologies used to manage the U.S. electoral process. These have been designated “critical infrastructure” by the government, putting them on a par with software used in things like nuclear power plants and mass transit systems.

The idea behind this label is that the classic “ship it fast, patch it later” approach to software development isn’t acceptable. Instead, code needs to be developed carefully and robustly tested before being deployed. It also needs to be thoroughly vetted for potential cybersecurity vulnerabilities. Backup systems are supposed to get the same level of attention.

The use of internet-connected devices to tally votes—and sometimes to cast them—is still very rare in the U.S. West Virginia, for instance, has trialled an app using blockchain technology to accept absentee ballots from overseas voters. Proponents of the technology say it’s more secure than returning ballots by other systems that have also been tried, including email. It also offers advantages in terms of convenience and efficiency.

But Iowa is a stark reminder of the downsides that can overshadow such benefits. As well as triggering a review of the app’s implemention, the problems in Iowa will likely reinforce scrutiny of other code that’s going to be crucial to this year’s electoral process.

While massive online disinformation campaigns stole the headlines during the 2016 presidential campaign, the threat to electronic voting infrastructure was shown to be very real. Since that race, evidence has emerged that Russian hackers targeted election infrastructure in all 50 states. They and other cyberattackers are likely to do so again, testing the defenses of everything from voter registration databases to the machines used to check people at polling stations.

Electronic voting machines may well be another target, as will systems that, like the Iowa app, are used to collate and report results. The good news is that the IDP appears to have a trail of good old-fashioned paper that it has been using to verify the results from the Shadow app. The bad news is that millions of Americans will still cast their votes this year on electronic machines that can’t claim the same thing.

Source