Move Slow and Break Nothing

Connor Fairman is a research associate in the Digital and Cyberspace Policy program at the Council on Foreign Relations.

In 2009, Mark Zuckerberg’s advice was to “move fast and break things.” Companies have since taken his advice to heart and prioritized rapidly bringing their products to market over circumspect and test-driven product development. While this approach may work for some consumer products, the 2020 Iowa caucus demonstrated that it also has the potential to produce serious consequences when the stakes are high.

The 2020 Iowa caucus could have been a showcase for the usefulness of new technologies in U.S. elections. Instead, its use of IowaReporterApp, a mobile app built by a for-profit company called Shadow Inc., to count and report voting results from across the state turned the event into a debacle.

First, downloading the app proved to be too cumbersome for many precinct leaders, and some couldn’t figure out how to properly install it on their phones, let alone report vote counts back to Iowa Democratic Party (IDP) headquarters. Others reported being kicked off the app after attempting to log in. This confusion and bugginess led precinct leaders to attempt to call in their results over the phone, as they had always done. However, because the IDP was expecting vote counts to be communicated through the app, the few phone lines that were set up before voting became jammed for hours, delaying the final vote count.

Second, embarrassing details have emerged about IowaReporterApp revealing that it was alarmingly rudimentary and insecure. Described as an “off-the-shelf, skeleton project,” cybersecurity analysts and developers criticized the app for a variety of reasons. Kasra Rahjerdi, an Android development expert interviewed by Motherboard, described it as “clearly done by someone following a tutorial” that people frequently use when they are learning how to code. One bug in the app’s reporting system caused it to only report partial data to IDP officials, which means that even if precinct leaders used the app properly, there was still a possibility that their results would be misreported. Also, a team of researchers at Stanford University discovered API keys hardcoded into the app’s source code, which goes against best practices and could allow an attacker to manipulate or delete data on the app’s servers. Cybersecurity firm Veracode also reported similar issues and warned that vulnerabilities that they discovered allowed vote totals, passwords, and other sensitive information to be intercepted.

Finally, the New York Times reported that the app had been developed in two months and was not adequately tested at scale. Building an app for a school project in two months is fairly reasonable, though it will be assumed that it will have numerous flaws. Creating an app for use in democratic elections in such a short amount of time is unrealistic and irresponsible. Most concerning of all, according to acting U.S. Department of Homeland Security (DHS) Secretary Chad Wolf, the IDP rejected an offer from DHS to audit the IowaReporterApp for cybersecurity flaws and vulnerabilities. A thorough assessment by DHS would have likely uncovered many of the app’s flaws, prompting its developers to fix them before it was put into use on election day.

Despite what happened in Iowa, election technology is not disappearing anytime soon. There are other companies, aside from Shadow Inc., that are trying to enter the market, such as Voatz, which develops applications for blockchain-based voting and biometric verification. Blockchain is vulnerable to some of the same attacks that have historically threatened anonymity networks, and similar to IowaReporterApp, cybersecurity experts have raised concerns about vulnerabilities in Voatz software.

Instead of moving fast and breaking things, the creators of election technology should be held to rigorous standards mandated by the federal government. Specifically, the U.S. government should implement a process for approving individual election technologies modeled after the Food and Drug Administration’s (FDA) pre-market approval process for Class III medical devices, which is reserved for the roughly 5 percent of medical devices that support life, like pacemakers. Election technology is similar to this category of medical devices because of its relatively small market and the high stakes of elections.

This new process should fall under the responsibility of DHS’ Cybersecurity and Infrastructure Security Agency (CISA), which already provides cybersecurity services for elections to local governments and officials free of charge. CISA should audit all proposed election technologies and either reject or approve their use in democratic elections. This would incentivize companies to implement sound product development practices and reassure voters that the technology they are using is safe.

Most importantly, a rigorous approval process for election technology overseen by DHS will help ensure that what occurred during the Iowa caucus does not happen again. It appears that no one hacked IowaReporterApp, despite its reported vulnerabilities. However, we may not be so lucky next time, and the United States cannot rest assured that adversaries will not target election technology during primary elections and the presidential election. It is time for the federal government to intervene on this issue.