The Fundamentals: An IT Pro’s Take on the Iowa Caucuses Meltdown

I think it’s a safe bet that folks around the world have already heard about the Iowa caucuses meltdown. We’ve often worried about some sort of perceived enemy. But in the case of Iowa, we have met the enemy – and in this case, the enemy appears to be us. And I mean us, here. Not just the organizers of the Iowa caucuses, Shadow (the company that created the app everyone is talking about), or tech professionals. I mean everyone involved.

What we witnessed wasn’t a technical meltdown, per se. We witnessed an organizational meltdown, with tech, apparently, only at the core. I say “apparently,” because once you deconstruct this meltdown, we’re seeing an organizational issue, where the tech folks usually become the scapegoat. Like the Fukushima nuclear meltdown, we witnessed the acute technical moment where the technology exploded. But trust me, this issue was a slow-motion meltdown that was months in the offing.

This event is especially interesting to me personally, and not because my mom was born in Iowa (Des Moines). It’s because I had a chance to discuss the “root causes” of the Iowa caucuses meltdown about two weeks before it happened. Let me explain.

About two weeks ago, Adam Powell at the University of Southern California invited me to represent CompTIA at their Election Cybersecurity Initiative Roundtable. It was quite the crowd: Vint Cerf, co-creator of TCP, Clifford Neuman, a creator of the Kerberos authentication protocol, and representatives from the U.S. Department of Homeland Security, the Associated Press, and many others were there. And, little old me. We discussed organization and technical issues surrounding this year’s elections.

What Are the Stakes?

At the panel, we discussed how over the years, we’ve seen attacks on key pillars of society.

• Identity: U.S. Office of Personnel Management
  
• Credit: Equifax
• Healthcare The US healthcare.gov site, as well as statewide issues, such as the State of Oregon’s health exchange
• Electoral Process: 2015 U.S. elections database, 2016 elections, Iowa
• Retail: Tesco, Target

We discussed how so much is at stake, kind of on a sliding scale, from better to worse, if things go wrong during specific points of the election cycle. They include, from better to worse:

1. Loss of service: Critical, embarrassing delays that effectively deny a service.
2. Loss of confidence in an event: Where we can’t tell what really has happened, or where a pillar (e.g., an election) is somehow compromised.
3. Loss of confidence in the entire process: Where people don’t just question a specific event, but the very democratic process itself.

We discussed that while it may seem dramatic at this point, if too many issues occur, then we could see an erosion in confidence in the entire system. I find this interesting, because word on the street in Washington, D.C., after Iowa, is that for the next election cycle (four years from now), the Iowa caucuses won’t even be on the political radar.

That’s quite a development, seeing as how the caucuses have sometimes been where candidates have “broken out” to a national audience. It doesn’t matter how much folks did or didn’t value the sometimes-quirky Iowa caucuses in the past. Now, that value is under serious question.

The Blame Cycle

When things like this happen – especially in the context of a democratic election, folks start to point fingers. First, they blame the messenger, especially if that messenger isn’t properly prepared. Next, they blame the technology. For example, we’re seeing articles blaming the not-so “mysterious startup” called Shadow for the problem. Yeah, blame the provider! Then, folks usually in order:

1. The messenger
2. The vendor
3. The technology
4. The IT department (or a lucky scapegoat)
5. The executives running the organization

In my experience, it should be the folks running the organization, but let’s not focus on just pointing fingers.

Can That Happen to Us?

I think quite a few folks who are in the throes of rolling out their own digital solutions to replace existing analog processes are probably asking the same question. At the recent panel, we discussed three elements that are necessary to transparency:

1. Proper planning
2. Cybersecurity hygiene
3. Crisis communication

If you’re figuring out what to say, then you’re not communicating properly. You need to have had the answer all figured out, and effectively in a secure location that says: “In case of massive, spastic caucuses (technical) meltdown, break glass.” Then, you have more of a chance to manage the issue.

Read more about incident response planning.

Asking the Tough Questions

It’s not enough to say, “do we have our ducks in a row,” here. Consider asking the tough questions:

• Is this thing necessary? Going digital is usually pretty cool, but it needs to accomplish something. It’s vital for something new to properly replace the analog process it is replacing.
• What are the existing conditions? No IT pro wants to unleash code into the world without first understanding how it will be used, how it will react to the world, and how the world will react to it.
• Is there an adequate timeline? A good rollout occurs over a proper timeline. Clearly, organizers had only a percentage of the time available that it really takes to roll out a good app.
• Can we publicize our processes? Transparency is critical. What may be a proper amount of caution or a bit of disorganization can be misinterpreted as being “shadowy.”
• Privacy and clarity: Are we capable of being transparent, here, to our customers?

Achieving Transparency

To create real transparency, it’s vital to conduct a few organizational tasks. Again, they’re not technical, really. Otherwise, you’ll be accused of lack of transparency. These include:

• Using open processes: Security through obscurity never works. If you have proper processes, you’ll find that revealing them never defeats security.
• Testing: Regression testing, stress testing, and real-time tests are all essential. You just can’t skip these steps.
• Communication workshops: It’s not enough to just have a prepared statement behind a piece of glass that says, “In case of a malfunction or data breach, break glass.” It’s vital to ensure that you have an informed individual who can act as a spokesperson. This way, you will have the ability to communicate authoritatively.