The state party worked with the national party’s cybersecurity team, and with Harvard University’s Defending Digital Democracy project, but Price declined to answer directly whether any third party has investigated the app for vulnerabilities, as many cybersecurity experts recommend.
…Unlike many states in which local and state officials oversee the presidential primary election, in Iowa the state party is responsible for administering, staffing and funding the caucuses, relying primarily on trained but unpaid volunteers.
Cybersecurity experts interviewed by NPR said that the party’s decision to withhold the technical details of its app doesn’t do much to protect the system — and instead makes it hard to have complete confidence in it.
…A number of other potential vulnerabilities could also be introduced by using the technology, experts say.
If the app doesn’t work, either because a denial-of-service attack clogs the system or for any other reason, then there could be confusion at precincts across the state, and a potential delay on a winner being announced.
…Price did confirm that the app again would be downloaded onto the personal smartphones of the caucus precinct and party leaders, and not onto party-provided hardware.
That could make the system a more appealing attack target, according to Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute, because people’s phones also may contain sensitive messages, emails and passwords.
…Jones, the University of Iowa cybersecurity specialist, says transmitting results from precincts to the state party through a smartphone app isn’t as insecure as the virtual caucus plan — but that it’s still insecure for the same reasons.
“The entire ecosystem of smartphones is extraordinarily poorly secured,” Jones said. “And resting security functions on that ecosystem is something I don’t trust at all.”