Unprecedented cybersecurity measures being taken to safeguard Iowa caucus results

Lee Rood Jason Clayworth
Des Moines Register

No one knows how many of Iowa’s 1,700 precinct leaders will opt to use a new smartphone app to report Democratic caucus results Monday night. But the security of that app will be the source of much scrutiny.

After reports of Russian hacking attempts in the 2016 presidential election, party leaders are taking unprecedented precautions to protect against cybersecurity breaches and the spread of disinformation on social media.

On Wednesday, Democratic Party officials in Iowa and Washington confirmed that the Democratic National Committee is deploying security staff to work with the state party to assist with any caucus problems.

“We take our responsibility to protect the integrity of our democratic process and secure Iowans’ votes very seriously,” said Iowa party Chairman Troy Price. “We continue to work closely with security experts to prepare our systems and we are confident in the security systems we have in place.”

Updated: Coverage from Caucus Day

Experts across the county and in Iowa have said that the app — which is downloaded on the personal cellphones of caucus managers to tabulate and report results — is a potential target for early election interference.

“The cellphone ecosystem is pretty poisonous these days,” said Douglas Jones, an associate professor of computer science at the University of Iowa. “The net result is if you’re running an app on a cellphone that has other apps installed, you really don’t know what permissions those other apps have and if they are in a position to be nefarious.”

To assure results are accurate, party officials say there will be: a paper trail for all vote counting and reporting on caucus night; on-site double-checking by party officials and the campaigns of individual candidates; and other measures to ensure security and accuracy.

“You can never say there is no vulnerability, but I’m confident there’s not an elevated risk because of the app,” said Linn County Auditor Joel Miller. “We use smartphone apps for banking every day. Hopefully this is as robust and secure as the banking applications.”

Miller, a Democrat, has raised other concerns about vulnerabilities associated with the voter registration system in Iowa. Earlier this month, the Iowa Voter Registration Commission dismissed his complaint alleging Iowa’s voting system is prone to hackers and violates the federal Help America Vote Act. 

The Iowa Democratic Party has not released information about the vendor who created the caucus reporting app, but it has said the app was tested by an independent third party. It said top cybersecurity experts advise against releasing too much information because it could result in the vendor being targeted.

Some, including Jones, the computer science professor, believe not being more transparent is a mistake.

“To have the acquisition process done behind closed doors strikes me as irresponsible," he said. "The argument that, ‘Well, if we exposed who built this app, it would give attackers a head start,’ is a dangerous argument. Public scrutiny of the entire election process is necessary.”

Kiersten Todt, managing director of the Cyber Readiness Institute, an organization started by the CEOs of businesses like Microsoft to reduce hacking risks, said hacks like a recent one targeting Amazon CEO Jeff Bezos also have heightened concerns about mobile phone "phishing."

Mohammed bin Salman, the crown prince of Saudi Arabia, is alleged to have been involved in the hack that exposed an extramarital affair involving Bezos, the owner of The Washington Post, in retaliation for the newspaper's editorials criticizing his regime.

Investigators believe hackers gained access to Bezos' phone via a corrupted WhatsApp message the Saudi prince sent to Bezos.

“Certainly mobile security can be a challenge,” Todt said. “Mobile devices are so vulnerable because of all the access points on a phone, and the Jeff Bezos case is the greatest, most recent example of that.”

The Republican Party of Iowa also intends to use a new app to report results from its caucuses. Former U.S. Rep. Joe Walsh and former Massachusetts Gov. Bill Weld are challenging President Donald Trump, though the incumbent is a prohibitive favorite.

Aaron Britt, communications director for the Republican Party of Iowa, said the party isn’t releasing the name of its app vendor for reasons similar to the Democrats'.

But he said he thinks some national media, which have been stressing cybersecurity concerns, don’t understand how quickly any problems would be discovered given that caucusing is so public.

“The national reports have honestly been very frustrating,” Britt said. “I understand there are concerns, and that makes sense. But I also think they don’t understand the process and how transparent it is.”

Republicans, he said, write down their presidential preferences and those are counted, recorded and announced in front of everyone in attendance.

If there were problems, party leaders and the people attending the caucuses would see them right away, Britt said. Precincts also collect paper reports and turn them over to the state party should there be a need for a recount, he said.

Both Iowa parties and their app and web development vendors participated in an exercise last fall with Harvard’s Defending Digital Democracy Project. Led by campaign experts Robby Mook and Matt Rhodes, as well as experts in cybersecurity, national security, technology and election administration, they simulated various scenarios involving cyber and misinformation threats to the caucuses.

A statement from the Belfer Center said that no technology, including the mobile app, was used or tested at the event.

Mook, 2016 campaign manager for Hillary Clinton, and Rhodes, Mitt Romney's 2012 campaign manager, helped develop a public-service video to alert campaigns to the warning signs of hacking and misinformation.

It was released in 2018, days after a federal indictment detailed how Russian intelligence operatives hacked Clinton's presidential campaign, the DNC and the Democratic Congressional Campaign Committee in 2016.

According to the indictment stemming from Special Counsel Robert Mueller’s investigation into Russian interference, Russian officers targeted state and county offices in several states, including Iowa, to steal voter data and other information.

They were successful in Illinois, but not in Iowa.

Ever since, both parties in Iowa have been working to safeguard caucus results and held training sessions to assure caucus leaders know about heightened security measures. 

Party officials acknowledge the 2020 election cycle poses a heightened threat of disinformation. But “until Mitch McConnell decides to act on the bipartisan-passed House of Representatives election security bills sitting on his desk, cybersecurity prevention will continue to play a growing role in our elections,” Price said.

Miller said Wednesday his concerns leading into Iowa’s general election have not waned.

Key questions remain, such as the physical location of his county’s voter records and who within state government is leading an effort to replace a 15-year-old voter registration system known as I-Voters.

Pate, who took office in 2015, launched a process in 2016 to replace the system. But legislators have yet to allocate all of the estimated $7 million needed.

 As a result, Iowa will continue to use I-Voters in the 2020 presidential election cycle.

HOW IT WILL WORK: Here's how Iowa Democrats say caucus result reporting will work on Monday night:

  • Caucus chairs will have a smartphone app they can use to tabulate and report results, but they are under no pressure to use it. Chairs will also have the option of calling in results via a secure phone number. In either instance, results also will be recorded at the caucus site and verified on paper.
  • Caucus-goers will complete numbered presidential preference cards to document their choices. The cards will be delivered to the state party via a previously established chain of custody in the event of a need of any recount.
  • The DNC’s national Disinformation Team will work closely with state party officials to monitor disinformation surrounding the caucus operation and act if necessary.