Feb 6, 2020

Axios Codebook

Welcome once again to Codebook, where our jaw is still hovering near the floor at the incomplete results from the Iowa caucus, three days after the event.

This week's newsletter is 1,552 words, a 6-minute read.

1 big thing: After Iowa, thinking smarter about election security

Illustration: Aïda Amer/Axios

The big lesson from Iowa: Security is only a starting point in protecting elections. Usability, reliability and redundancy are just as important.

Why it matters: As long as election officials neglect software fundamentals and view security only as a matter of locking hackers out, we will keep facing trust-eroding system meltdowns like this week's Iowa caucus fiasco.

The big picture: The U.S. is already struggling to bolster the perceived stability and reliability of its elections, which are under stress from extreme partisanship, the spread of conspiracy theories on social media, and the still-fresh memories of Russian meddling in the 2016 contest.

Iowa presented the nation with a vexing scenario in which a primary contest was so compromised by tech snafus that its results weren't available for days.

  • The caucuses weren't hacked, as far as we know — although a ProPublica report found that Iowa Democrats' new vote-tallying app was vulnerable.
  • But the confusion and delays they suffered were as damaging as meddling from bad actors might have been. As Zeynep Tufekci asked in the Atlantic, "Who needs the Russians?"
  • The Iowa system failures created an information void that opened fertile ground for conspiracy theories and influence operations.

Two days after Iowa turned into the "Waiting for Godot" caucus, it's clear that Iowa's new caucus app had all the hallmarks of a software disaster:

  • Changing requirements, driven by a need to tally winners in three new ways.
  • Failure to field test.
  • Inadequate fallback plans.
  • A hard-stop deployment deadline that left no wiggle room.

Here's what we now know about the mistakes made by Shadow, the app-developer contractor, and the Iowa Democrats:

  • The app went out to users in a not-ready-for-prime-time test mode, which made it harder to install.
  • The app recorded results correctly but then transmitted different numbers to the party HQ, thanks to what officials now admit was a "coding error."
  • Use of the app was optional, but when local officials fell back on phone calls, there weren't enough people to take the data.

Of note: This kind of disaster isn't exclusive to the digital world. After low-tech failures of Florida's punch-card voting machines, the 2000 presidential election hung in the balance for weeks and the dispute had to be resolved by the U.S. Supreme Court.

The good news:

  • Most states don't hold caucuses, and the more common primary elections are less complex and easier to run.
  • The same patchwork of differing state election systems that makes security so hard to guarantee also means that any one state's vulnerabilities are likely to be local.

Experts recommend that all election systems should be:

  • Simple: Don't try to score an election three different ways if you can avoid it. This may be a bad moment to experiment with ranked choice and other complex voting schemes.
  • Transparent: People will trust systems more when all parties to the election have had an opportunity to examine them. Even in a party-only primary like Iowa, all the competing campaigns should have had a chance to try out and stress-test the app.
  • Auditable: Assume that failures of all kinds are inevitable and recounts are likely. Make sure that there are ways to deliver accurate election results no matter what — by candlelight if necessary.

Auditable paper trails remain the gold standard, according to the National Academy of Sciences and an overwhelming consensus of security experts.

Yes, but: Iowa had them and still messed up.

Our thought bubble: In an interview with Axios' Sara Fischer, Tara McGowan — co-founder of Acronym, a nonprofit consultancy that owns app-maker Shadow — doubled down on "pushing the envelope." But Silicon Valley's "disruption" mindset, with its "move fast and break things" mantra, is uniquely ill-suited for election tech.

The bottom line: This is one realm where it's better to move slowly and handle with care.

2. New in your home: The hackable lightbulb

Screenshot from Check Point video

If you connect your lightbulb to the internet, the internet could connect back, according to a new report from Check Point detailing a security flaw in Philips Hue Smart Bulbs.

How it works: This isn't really about cyber criminals gaslighting you by dimming your lights — but that's exactly how this hack starts.

  • Erratic behavior by the bulb prompts the owner to reboot the network, giving hackers a chance to slip some malware into the system.
  • They gain entrance to your home network via an entry point you didn't even know existed.

Details: An attacker with a laptop and an antenna within 328 feet of your smart bulb could execute this attack, according to Check Point.

  • The researchers said the exploit depends on a flaw in the Zigbee protocol, a basic building block of "internet of things" (IoT) products that's widely used by many so-called smart home devices.
  • Philips has issued a patch for owners of the affected products.

What's next: The IoT industry remains a security disaster waiting to happen, according to many experts. Reports like this keep the industry on its toes, but it still has a long way to go.

3. How tech is making dictators' lives easier

Digital technology is turbocharging the power of dictators around the globe, according to the authors of a new study in Foreign Affairs.

Why it matters: AI, face recognition and other tech systems are increasingly doing the police-state jobs of keeping tabs on citizens and intimidating dissidents that used to be performed by human beings, write Andrea Kendall-Taylor, Erica Frantz, and Joseph Wright in "The Digital Dictators."

What they're saying:

  • "High-resolution cameras, facial recognition, spying malware, automated text analysis, and big-data processing have opened up a wide range of new methods of citizen control. These technologies allow governments to monitor citizens and identify dissidents in a timely — and sometimes even preemptive — manner. No regime has exploited the repressive potential of AI quite as thoroughly as the one in China."
  • "Dictatorships that increase their use of digital repression also tend to increase their use of violent forms of repression 'in real life,' particularly torture and the killing of opponents. This indicates that authoritarian leaders don’t replace traditional repression with digital repression. Instead, by making it easier for authoritarian regimes to identify their opposition, digital repression allows them to more effectively determine who should get a knock on the door or be thrown in a cell. This closer targeting of opponents reduces the need to resort to indiscriminate repression, which can trigger a popular backlash and elite defections."
  • "Not only has the rising tide of technology seemingly benefited all dictatorships, but our own empirical analysis shows that those authoritarian regimes that rely more heavily on digital repression are among the most durable."

Worthy of your time.

4. White House's new plan to jump-start U.S. alternatives to Huawei

Illustration: Lazaro Gamio/Axios

In its latest move to counteract a perceived threat from Huawei, the Trump administration is proposing a new approach to 5G networks that would rely on virtualization and other features to give U.S. companies a broader role, as first reported by the Wall Street Journal.

Why it matters: Right now, none of Huawei's traditional networking gear rivals are U.S.-based, and their products are typically more expensive than Huawei's, Axios' Ina Fried reports.

How it works: The idea is to push for open software that could run on nearly any standard hardware, with Microsoft, AT&T and Dell among those said to be involved in the effort, per the Wall Street Journal.

Oracle confirmed it is also among the companies interested in taking part.

The big picture: As we wrote last week, the U.S. has been going to its allies and asking them not to use Huawei gear in their networks. But affordable Western alternatives to the Chinese products haven't been easy to find.

  • Some technical trends are already moving in the direction of the new U.S. proposal — notably, the shift away from dedicated products that perform a specific role in the network and toward virtualizing different functions using software that can run on commodity hardware, such as servers made by companies like HP and Dell, using chips from Intel and Nvidia.

Meanwhile: Facebook has been spearheading an effort for several years known as Telecom Infra Project, designed to allow for a more open, software-based approach to cellular networking.

  • That effort, though, is still in its early stages and has seemed mostly focused on lowering costs for the developing market, industry consultant Chetan Sharma told Axios.

Yes, but: Making 5G gear still requires a fair amount of know-how that's specific to the cellular industry.

Flashback: This is at least the third plan that has been floated from within the Trump administration to kickstart 5G and ensure the U.S. plays a leading role.

  • Back in 2018 (as first reported by Axios) there was talk of nationalizing 5G in an effort to outrace China.
  • Then, last year, there was a notion raised of building a wholesale 5G network that all players could use.

The bottom line: So far, though, it is the industry's existing approaches that have prevailed — with 5G rolling out from all the major carriers, starting last year, using traditional equipment vendors like Nokia, Ericsson and, to some degree, Samsung.

5. Odds and ends
  • The FBI's director told the House Judiciary Committee that the Justice Department's arguments for law enforcement access to encrypted systems don't contradict the Defense Department's advocacy of strong encryption. (NextGov)

What could possibly go wrong over the coming week? Whatever it is, we'll be right there for you.