Security News

High-Tech Elections: Cybersecurity Expert Calls For 'Quality Over Speed'

“For several years, [the marketplace] has seemed to favor the idea of ‘be the first to market, get the market share, and we can patch and add on necessary portions later, but it’s more important to get to market first.’ That’s not a good approach to building in security, safety or privacy,” Purdue University professor Gene Spafford told CRN.

We’re still months away from the 2020 presidential election but the primaries are upon us, and following the Iowa caucuses debacle earlier this month, concerns about the use of new technology in the nation’s electoral process are on the rise.

Shadow Inc., the company behind the app that delayed the results of the Democratic presidential caucus in Iowa on Feb. 3, took to Twitter admitting to its software’s failure.

We sincerely regret the delay in the reporting of the results of last night’s Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers.

— Shadow, Inc. (@ShadowIncHQ) February 4, 2020

Some industry experts have spoken out, questioning whether integrating such technology into elections is a good idea.

“Using any kind of software for vote counting, vote taking, is not a good idea,” said Gene Spafford, a computer sciences professor at Purdue University and a cybersecurity expert with more than 40 years of experience.

Spafford said the nation’s trust in the election process is at stake.

“We really are not to the point where we should be entrusting important elections to software and hardware that have not been appropriately verified, validated with good security protocols in place and tested thoroughly,” he added. “We just are gambling with our democracy and belief in the voting system if we continue to do that.”

Shortly after the Iowa incident, Nevada called off its plans to use Shadow’s app for its caucus scheduled for February 22, a decision Spafford agreed with.

But, he raised objections to the use of an alternative “online mechanism, which raises new questions about how well is that secured [and] how well is that going to work in an intensive environment of trying to tabulate [votes].”

Shadow, founded in 2019, reportedly brought to market its state-wide vote counting application within a few months. Spafford said that kind of drive to bring an app to market quickly is a common occurance.

“For several years, [the marketplace] has seemed to favor the idea of ‘be the first to market, get the market share, and we can patch and add on necessary portions later, but it’s more important to get to market first.’ That’s not a good approach to building in security, safety or privacy,” Spafford told CRN.

Spafford told CRN because there’s “very little penalty to not giving sufficient thought to security … [there’s] a tendency to rush production, to not use known good methods, and to rely on patching after the fact for security. So as we move more into critical applications like voting, health care, some Internet of Things in real time, patching isn’t going to do it."

Which is why he’s encouraging the channel to “change the mindset of how we go to market to try to get [a product] secured first.”

Learn More: Cloud Security| Current Threats

Advertisement