COVID-19 , Governance & Risk Management , IT Risk Management
Report Says House Members Could Securely Vote RemotelyBut Republicans Urge Caution, Call for Further Study
A House of Representatives staff report concludes that existing technology and infrastructure could be used to allow lawmakers to securely cast their votes remotely during the COVID-19 pandemic. But some Republicans question whether remote voting is, indeed, feasible.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The report, released this week, was prepared by the staff on the Democratic-led House Administration Committee, which oversees the general administration of the House, including its day-to-day activities. House members are now required to be present to cast votes even as the COVID-19 virus continues to spread and makes gatherings of large groups of people potentially dangerous.
The report notes that 75 House members have already tested positive for COVID-19 and that there is a clear need to allow members to work remotely, including voting on legislation.
"This staff report concludes that operable and secure technology exists that would permit the House to conduct remote voting and that such a tool could be developed to further establish the House’s flexibility and resiliency to operate during the pandemic," the report notes.
While Democrats on the committee have signaled their support for moving toward remote voting, Republicans are not convinced that this is feasible or secure.
In a letter sent this week, Rodney Davis, R-Ill., the ranking member of the Administration Committee, noted that it's premature to say remote voting is secure without additional study.
"While I stand firmly against allowing members to vote remotely because I believe it would fundamentally change this institution and not for the better, I believe it is premature to state we have operational technology to implement a secure process," Davis wrote.
In addition, Senate Republican Major Leader Mitch McConnell of Kentucky is opposed to remote voting for the upper house of Congress, according to the New York Times.
Remote Voting System
On July 17, the Administration Committee held a hearing to discuss remote voting for House member, hearing expert testimony.
The experts agreed that remote voting in the House in a secure manner is technologically feasible and the "key to this conclusion is the fact that unlike public elections, remote voting for House members does not require a secret ballot," according to this week’s staff report.
The key to developing a successful remote voting system is to base it on the principles of the CIA Triad model, which many security experts believe should form the cornerstone of any organization's secure infrastructure, according to the report.
"The three elements of the CIA triad are confidentiality (i.e. information can only be accessed by those who need to access it), integrity (i.e. the information is trustworthy, consistent, accurate and originated from the correct person), and availability (i.e. a member is able to cast a vote during the period that voting is open without interference)," the report notes.
To implement a CIA Triad model for the House, the new staff report suggests:
- A secure remote network should be connected using a layered approach that prevents a member from connecting to malicious or compromised networks.
- Members of the Congress should be provided with a dedicated voting device that can be used only for voting and made secure.
- To prevent interference from digital spoofing and "man-in-the-middle attacks," multifactor authentication and end-to-end encryption techniques should be used.
- The remote voting system should be dependent on internet-based applications rather than the public telephone network so it can use adaptive to protective measures such as multifactor authentication and end-to-end encryption.
- The remote voting system should always maintain immutable logs of all votes, documents and actions.
- The system should allow members to contest inaccurately recorded votes. "This should include a manual system of vote verification to counter against concerns surrounding vote tallying systems and to mitigate against denial-of-service attacks, and could take the form of a simple solution such as monitoring the vote on C-SPAN.”
- All the votes should be made public immediately after voting, and the remote voting system should make sure that members’ internet traffic should merge with others to create a "lost in a crowd" effect.
- The House should regularly test the remote voting system and assign a technology partner to evaluate security products and solutions.
The House has access to experts and technology from the U.S. National Security Agency, which has already built these types of secure networks and infrastructures for other government agencies, such as the Defense Department, the report notes.
Gregory Touhill, a retired U.S. Air Force brigadier general who was appointed by President Barack Obama as the first federal CISO of the U.S., agrees with the report’s conclusion that today’s technology and can be adapted for the needs of lawmakers who want to remotely vote.
"As an example, software-defined perimeter technology, which has already been red teamed and PEN tested by Defense Department … and is being fielded in the .mil, .gov, and .com domains, is purpose-built to support workloads such as proposed in this initiative," Touhill tells Information Security Media Group. "This technology is much less expensive and less complex than the cited NSA and DoD solution."
Nevertheless, Touhill says remote voting “should not be envisioned as a long-term substitute for in-person representation in the Congress. Rather, it should be considered a technical countermeasure during this pandemic and other future extraordinary situations where Congress cannot meet in person."
The report points out the House previously adopted several methods to handle daily operational tasks remotely using computers.
This includes the creation of an electronic hopper to permit the virtual submission of all floor documents through a dedicated and secure email system as well as using a House members' electronic signature to submit extensions of remarks to the Congressional Record.