Iowa will be the first test case for 2020 election security

DES MOINES, IOWA >> Weeks before the Iowa caucuses and the start of the 2020 presidential election season, one of the few senior Democratic campaign staff members whose full-time job was guarding against hackers and stopping a repeat of 2016 quit in frustration.

The campaign — in this case, Pete Buttigieg’s — simply did not care enough about security, Mick Baccio, its former chief of information security, wrote in a five-page resignation letter this month, a portion of which was obtained by The New York Times.

“The campaign continues to mimic the relaxed behavior and poor security posture that led to the Russian intelligence compromises in 2016,” he wrote.

Buttigieg’s campaign is hardly unique, according to experts and current and former Democratic campaign officials. Despite four years of American intelligence assessments and federal indictments laying out how the Russians sought to interfere in the last presidential election, the 2020 Democratic primaries are getting underway in Iowa on Monday with campaigns once again dangerously exposed to hackers and state election systems still plagued by many of the same vulnerabilities exploited by Moscow in 2016.

While security officials have not seen any credible threats to the Iowa caucuses, Iowa Democrats, aided by the Department of Homeland Security, are taking no chances with the first presidential nominating contest since the 2016 election, and party officials are actively preparing to combat any disinformation campaigns leading up to and during the caucuses.

The state’s role as the first in the nation to vote may be much debated inside the Democratic Party, but its system of caucuses is a blessing for security. The caucuses are far more transparent than typical elections, with groups of people gathering in rooms and openly choosing candidates. Any attempt to fiddle with results after the fact — a serious concern among officials and experts who are working to secure the 2020 election — would most likely be spotted by caucusgoers who know the outcome of an event in which they took part. And, of course, there are no voting machines to hack.

Still, Iowa is taking security a step further this year, and for the first time in the state’s history caucus attendees will have to fill out a “presidential preference card” to document their choice. These cards, which will be individually numbered and have other security features, are intended to offer the caucuses some form of a “paper trail” that election security experts say is vital to protecting results.

Additionally, while the caucuses have relied on mobile apps to record and tabulate results in the past, the Iowa Democratic Party is using a new app this year that has been tested and verified by both security experts and the Department of Homeland Security. Described as a “fancy calculator,” the app will help precinct chairs tabulate results during each phase of the caucus and then send results to the Iowa Democratic Party headquarters. (For those chairs who don’t feel comfortable with an app, the traditional phone hotline will still be operating.)

After the results from the app are immediately transmitted to the party’s headquarters, a team of officials there will review them to look for possible outlier results. Each official will have a set of historical results and models that will help identify any result that looks suspicious; if a precinct has traditionally had a turnout of roughly 50% and results come in showing 98%, the team will be able to investigate.

“We knew that technology gave us some opportunities in this process, but with those opportunities came different challenges,” said Troy Price, chairman of the Iowa Democratic Party. He said that the preference cards were a “clear way of double-checking and verifying results” and noted that the level of data preparation was more extensive than in recent years.

“We have been very diligent about doing our modeling and figuring out exactly what projected turnout could be at different levels,” Price said. “So we’ll be able to see if things look wildly incongruent from what we would expect.”

In November, Iowa’s Democratic and Republican parties teamed up with the Defending Digital Democracy Project at Harvard to run a drill of worst-case scenarios. The event, led by Robby Mook, campaign manager for Hillary Clinton in 2016, and Eric Rosenbach, a former chief of staff at the Pentagon, featured a fire drill of sorts, designed by future Defense Department officers.

“We ran them through the ringer and pushed them really hard,” Mook said. “Some were much better at managing technical issues, and some were better managing information operations and disinformation, misinformation and communicating with the public. So I think they really learned from each other, and they created some best practices for each other.”

Evidence that officials in Iowa were taking outside threats seriously emerged nearly a year ago, when a plan for remote caucusing was quickly scuttled because of security concerns.

Though caucuses are inherently more secure as a result of their in-person structure, the decentralized nature presents an unusual challenge. Iowa, a state of 3 million people, has more than 1,700 precincts, and the chairs who run the caucuses are all volunteers. This year, there has been a more proactive and intensive training program, both on the new app and the new reporting process, led by the Iowa Democratic Party.

Of course, there is an element of performance to security; a physical show of force can act as a deterrent. On the ground in Iowa, security officials from the Democratic National Committee will be working with both state parties to respond to any perceived threats, and Facebook officials will be monitoring the lead-up to the caucuses through the weekend at their election offices in California.

Securing the campaigns themselves is a trickier proposition. The risks they face are varied: They have to protect their networks from hackers who could try to steal money; shut down systems at a key moment, like right before a debate or an election; or steal sensitive information, similar to the way that Clinton’s 2016 campaign chairman, John Podesta, was successfully baited into turning over his email credentials.

Like much in cybersecurity, these problems can be at least partly solved by throwing money at them, and campaigns are spending more this year on security than they have in the past, according to experts and veteran staff members. But they can afford to spend only so much. Campaigns are, in essence, startups that face the prospect of dying every day. A dollar spent to guard against the possibility of an attack is not spent on fundraising, advertising or turning out voters to win an election that is going to take place no matter what happens.

The same forces shape the culture of campaigns. They are mostly staffed by young people, and winning is the sole focus. Creating a culture that values security — a difficult proposition in the most established institutions — is particularly challenging in an organization that is by its very nature temporary.

The experience of the Buttigieg campaign and Baccio is instructive. The campaign eagerly promoted his hiring last summer, pointing out that it was the only Democratic campaign to have hired a chief information security officer.

But it was a poor match from the outset, according to people familiar with the inner workings of the campaign who spoke on the condition of anonymity because of nondisparagement clauses in the contract with Baccio. Many in the campaign saw Baccio’s security measures as clumsy and cumbersome; one staff member complained that an attempt to install mobile management software briefly cut off access to email across the entire campaign.

Baccio, for his part, saw the campaign’s resistance to some of the security measures he wanted to enact as indicative of a deeper cultural problem. “From the top down, there appears to be little desire to change or prioritize cybersecurity,” he wrote in his resignation letter.

There were other problems, too. The cybersecurity industry is filled with conferences, and speaking at them is routine for experts like Baccio, but the campaign’s leadership bristled at his appearances at events like CyberWarCon, which took place outside Washington in November. The campaign also wanted him to relocate to its headquarters in South Bend, Indiana, where Buttigieg served as mayor. Baccio insisted on working from his home near Washington.

Though security officials have found no credible current threats to the Iowa caucuses, the possibility of dangerous disinformation campaigns on social media platforms is a constant looming concern, and one that the Harvard team pushed Iowa party officials on as well.

“It was not just pure cyberthreats; it was a lot on potential response to disinformation on social media,” Mook said.

Leading up to February, when the four early states will hold their caucuses and primaries, the DNC held an intensive counterdisinformation training with each state party and has been following up with biweekly trainings before the Iowa caucuses. A security and disinformation newsletter from the DNC highlighting best practices is also sent out regularly.

And while Facebook has taken a hands-off approach to political campaigns that spread lies and disinformation in paid advertising, it has a specific policy that bans any disinformation about polling or voting. The company will be actively monitoring such activity and will be in contact with the DNC and the Iowa Democratic Party.

Officials have also turned the disinformation battle over to the public. On Wednesday, Price addressed Iowans on Twitter, directing them to alert the state party of any disinformation they spotted online and providing the state party’s dedicated email address.

“It’s our top priority to ensure everyone has accurate facts about the caucuses,” he wrote. “That’s why we’re diligently tracking any disinformation — but we need your help, too.”