The Iowa Caucuses debacle offers important insights into how our democratic process needs to work through the primaries and, most importantly, for the Presidential election in November. We learned critical lessons about the intersection of technology, human behavior, and election security.
Lesson #1: No jurisdiction should use technology for the first time in prime time.
Election night is not the night for a maiden voyage. Technology should be tested and exercised in its full functional form. Statements released by Shadow, the voting application developer, explaining that it didn’t want to release the app too soon for fear of it being hacked are ludicrous. If the company had so little confidence in the integrity of its code that it prevented those who had to use it from testing it ahead of time, the app should not have been deployed at all. Additionally, lots of vendors are in the business of verifying code for companies, and the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) offered to vet the app and the code. Even if that offer of support from the feds didn’t get to the right people at the Iowa Democratic Party, certainly the party apparatus (i.e., DNC) should have been paying attention to the security and viability of the app.
Lesson #2: Human behavior is the foundation of security.
We continue to make the same mistakes about human behavior and technology. Consumer-based technology (e.g., the Iowa Caucus app) requires education. We can never assume that technology can be fully functional without the appropriate training of users. Human behavior can be a force multiplier for technology and increase any entity’s return on investment in technology. But human behavior can also be the greatest vulnerability for any enterprise or operation. It can single-handedly produce the opposite of the outcome the technology was designed to create. In this case, a technology intended to make a process simpler and more efficient obstructed the process completely, and now the credibility of the process itself is called into question.
As eager and enthusiastic as we are to hand the reins over to technology for everything from non-essential functions, like brewing coffee in the morning, to the processes upon which our democratic process is founded, we must always recognize and acknowledge that human behavior is critical to the success of these technologies. We often talk about the potential harm of reckless technology, but an uneducated, untrained human can also be a dangerous weapon.
Lesson #3: State and local governments need to work with the federal government to prepare for November.
CISA has invested enormous time and resources in supporting the election security of 10,000 jurisdictions. The federal government and state governments are working to strike the right balance between states’ rights and federal support.
State and local jurisdictions have an obligation and responsibility to assess their efforts, operations, and systems and know when to reach out for support and help. One of the primary lessons learned from the many ransomware attacks against municipalities in 2019 is that these municipalities weren’t educated on the threats, the solutions, and how they applied to their networks. The multiple jurisdictions responsible for elections run the risk of similar failure. If these 10,000 jurisdictions don’t already know it, CISA and efforts like Defending Digital Campaigns have resources to help. State and local jurisdictions cannot secure the elections on their own; they must collaborate with the federal government. The partnership between municipalities and the federal government is critical to the security of the 2020 elections and the confidence of the American people in the process.
The Iowa Caucuses were a black eye in the modern history of our democracy.
But we, as a nation, have the opportunity to take the mistakes of Tuesday night and turn them into lessons learned and successes for our democratic process throughout 2020. This opportunity is not a choice, but a responsibility. The democracy of our country depends on it.