On October 8, 2014, the Cyber Statecraft Initiative hosted a panel of experts to discuss how, with the right security to back it up, online voting and e-voting could become a larger part of the political process in the United States and in other participatory democracies.
Representative James Langevin joined the discussion via Skype, a very fitting method of communication for a discussion about the future of digital democracy. “E-voting has incredible promise,” Langevin explained, “especially to the population of disabled voters.” He went on to say that unlocking this promise for all voters will require politicians, federal agencies, and private companies to work together to ensure that the integrity of the electoral process remains intact.
Representative James Langevin’s Remarks:
I’m particularly pleased to be joining you because of what this issue means to me personally. It really is the marriage of two passions of mine. Way back in 1994, when I became Secretary of State in my home state of Rhode Island, we had the imperative to confront huge challenges with both an outdated electoral system and a less-than-transparent government. I’ve seen firsthand what shortcomings in those areas can do to trust and faith in government. But it also made me very passionate about the accessibility of the voting process, which is so fundamental to our democracy. E-voting has incredible promise in this regard, especially to the population of disabled voters who may require a diversity of interfaces to the electoral process.
Now, the promise of e-voting for increasing accessibility and turnout is what originally interested me in the field, but my time in Congress has given me a complementary perspective on the topic. In 2008, I founded the Congressional Cybersecurity Caucus with my friend Mike McCaul of Texas because I was concerned that Congress was paying far too little attention to the potential for cyber intrusions to cause grave harm to our country. Chief among my concerns is that critical infrastructure, long hardened against physical attack, could be vulnerable in this new domain. Of course, our voting infrastructure is central to our country’s existence as a democracy, and just like any other sector, there are vulnerabilities in expanding the use of information technology.
Our electoral system prizes two fundamental principles: that each person should be entitled to cast one and only one vote, and that his or her ballot should be kept secret. Unfortunately, these principles can clash with our desire that elections also be verifiable, that a voter should have confidence that his or her vote is counted. The traditional voting system does an excellent job of ensuring anonymity and authentication: there are very few instances of voter fraud or intimidation. Verification is a bit shakier. Hundreds of thousands of ballots are spoiled each election cycle, preventing voters’ voices from being heard. Additionally, the ballots themselves are vulnerable to tampering and loss after being cast. To reduce risk, we rely on distributing oversight across many individuals, reducing the chances that a single bad actor could materially alter an election’s outcome.
E-voting systems have these same goals but must achieve them in very different ways. For instance, in traditional systems, double voting is prevented by requiring that a citizen vote only in her precinct. Preventing double voting remotely while retaining anonymity is a thornier problem since the scale can be orders of magnitude larger – a single authentication authority might cover an entire state. Challenges of scale manifest themselves in other ways, including the complexity of code running the system and ability of a single bad actor to compromise multiple services.
Thankfully, our academicians have some clever solutions to these problems, and it turns out that solid cryptographic systems allow one to do all sorts of counterintuitive things.
But here’s the rub: the channel of communication between our brilliant cryptographers and our policymakers is filled with static. For instance, end-to-end verifiability is deemed by many scholars to be essential to a trustworthy e-voting system, as it allows auditors to confirm that ballots have been counted correctly without relying on the integrity of those doing the counting. Policymakers understand this goal – no matter how corrupt your election officials are, if they tamper with the results it will be noticed – but they definitely do not understand how it is implemented in different systems. In fact, the “how” is often viewed as borderline magical. That one e-voting system uses a mathematical property for security and one relies on the integrity of election officials is not necessarily going to be evident to policymakers. Worse, without a concerted effort to educate politicians, there is a real risk that they will come to view different e-voting systems as Coke vs Pepsi – slightly different versions of the same product – when in fact the security of the competitors may be wildly different. Think Coke versus antifreeze.
It is difficult to overemphasize this point, so let me put it another way. Politicians are used to seeing shades of gray, and that’s generally a good thing – policymakers need to compromise. But this ability to see ambiguity can be dangerous when confronted with facts that are not intuitive. That is why facts can get lumped in with theories during political debate. When talking to policymakers about e-voting, therefore, it is imperative that properties we’d like to see in a system, such as end-to-end verifiability, are separated from implementation choices of a particular system or else policymakers are liable to miss critical points.
Of course, policymakers are certainly not the only fallible humans involved in standing up an e-voting system. Even a cryptographically sound system relies on people to code it, people to deploy it, and people to maintain it. A coding error might open the system to denial of service attacks that halt an election. A mistake during deployment could allow an adversary to steal voting credentials and cast fake ballots. During routine maintenance, a database could be revealed instead of deleted, resulting in a huge loss of voter privacy. These vulnerabilities are real: the Halderman group analysis of Estonia’s I-voting system, for example, showed problems across all three of these phases.
It is important to realize that our present voting systems have numerous human points-of-failure. But the complexity of e-voting again sets it apart. Being a checker or ballot clerk in a traditional system requires few specialized skills. Being a system administrator charged with overseeing an e-voting server, on the other hand, requires significant training and experience. Being a CISO for an election requires even more. And experienced cybersecurity professionals are in short supply.
Part of the shortage is a result of the lag time in education: cyber is a relatively new domain, so our universities are still ramping up cyber training capacity. But part of it is also tied to the inherent differences between cyberspace and meatspace. Defending against an adversary has always been difficult: an attacker needs to find only a single point-of-failure to be successful, while a defender must protect against all possible breaches. This paradigm is exponentially more challenging in cyberspace for two reasons. One, it’s just as easy to attack someone across the planet as it is to attack someone across the room, so the attack space is much larger. Two, it’s almost as easy to attack everyone with a vulnerability as it is to attack one entity with a vulnerability, making the attack space larger still. As a result, attacking is more lucrative, which draws off important talent even as more defenders are needed.
Government agencies have been particularly hard hit in the battle for cyber talent. Part of this is due to the supply problem I highlighted, and part is due to strict compensation rules. But we can also blame a lack of coordination within the government, and a corresponding duplication of effort. For example, after the recent Heartbleed vulnerability was revealed, the Department of Homeland Security got its servers patched almost immediately. However, because it had to ask other agencies to scan their networks for the flaw, it took days before the .gov domain was comprehensively scanned, days in which attacks were propagating in the wild.
These are challenges that must be addressed if an e-voting solution is going to be deployed in the US. In Congress, my Executive Cyberspace Coordination Act would clarify the lines of authority in the Executive Branch to allow DHS to quickly address challenges on civilian networks and would allow for top-level budgetary review of agency cyber budgets. I have strongly advocated for increased funding for cybersecurity research to help grow our academic infrastructure to meet demand. I am also open to alternative hiring practices that allow programmers with non-traditional educational backgrounds the chance to protect their country. And while Congress continues to deliberate, I have voiced my full support for the NIST Cybersecurity Framework, which will help raise cybersecurity standards across the critical infrastructure domains. That a company like Target could be hacked through its HVAC vendor shows exactly why we need to promote raising the bar.
Before I close, I must make a brief digression into client-side security. When governments or policymakers talk about implementing an e-voting system, the focus is almost always server-side: can we maintain the integrity of the ballots cast? But what if the ballot itself is compromised? Relying on a voter’s PC or smartphone to honestly represent her intentions is simply naïve with malware as prevalent as it is. Protecting the integrity of an election is not limited to the edge of the government network. Without a risk mitigation strategy that accounts for the very real possibility of outside influence targeted on voters themselves, an e-voting system is incomplete.
To say that e-voting is a challenging project is an understatement. But just as there are many security concerns – with cryptosystems, with the humans that run them, and with the devices that access them – there are many potential benefits as well. I reject the notion that e-voting is a solution in search of a problem, just as I reject the notion that it is ready to be deployed today. Changing something as essential to our identity as the way we choose our leaders ought to be a deliberative process. I hope I’ve impressed upon you the importance of engaging with policymakers about e-voting systems in a manner that demystifies the guts as much as possible. And as the corollary to that appeal, I hope you will join me in advocating for the better use and better training of cybersecurity professionals, that they may defend our country from harm – and better advise our nation’s policymakers.
Again, thank you all for allowing me to remotely join you, and I look forward to working with you all to address these challenges.