War Stories

Bring Back Paper Ballots

The new Senate report on election hacking makes it clear that electronic voting will never be safe enough.

A ballot sheet is viewed for the recount of ballots cast in Oakland County, Michigan, on Dec. 5, 2016 in Waterford, Michigan. Jeff Kowalsky/AFP/Getty Images

Just hours after Senate Republicans blocked a vote on a bill to make elections less vulnerable to cyberattacks, the Senate Intelligence Committee released a 67-page report, concluding that, leading up to the 2016 election, Russians hacked voting machines and registration rolls in all 50 states, and they are likely still doing so.

The heavily redacted document, based on a two-year investigation, found no evidence that the hackers altered votes or vote tallies, though it says they could have if they’d wanted to.

However, three former senior U.S. intelligence officials with backgrounds in cybersecurity told me that the absence of evidence isn’t the same as the evidence of an absence. One of them said, “I doubt very much that any changes would be detectable. Certainly, the hackers would be able to cover any tracks. The Russians aren’t stupid.”

Hacking individual voting machines would be an inefficient way to throw an election. But J. Alex Halderman, a computer scientist who has tested vulnerabilities for more than a decade, testified to the Senate committee that he and his team “created attacks that can spread from machine to machine, like a computer virus, and silently change election outcomes.” They studied touch-screen and optical-scan systems, and “in every single case,” he said, “we found ways for attackers to sabotage machines and steal votes.”

Another way to throw an election might be to attack systems that manage voter-registration lists, which the hackers also did in some states. Remove people from the lists—focusing on areas dominated by members of the party that the hacker wants to lose—and they won’t be able to vote.

One former senior intelligence official told me, “If I was going to hack such a system, I’d leave the records alone and corrupt the tally software”—the programs that count the votes and transmit results to a central headquarters. The transmission is done through a network, which is vulnerable to hackers. Some data are transmitted from the voting machines via USB ports, which are also easy to hack.

In the past decade, many states have installed voting machines with paper backups. (One of the measures blocked in the Senate this week would have required them.) But the Senate report notes that 19 states do not conduct complete postelection audits to compare these ballots to the electronic results; five of them do not audit at all. Paper backups mean little if nobody looks at them.

Computerized voting might be inherently vulnerable. Matt Blaze, who holds the McDevitt Chair of Computer Science at Georgetown Law, said at a hacking conference in Washington earlier this year, “Voting security is by far the hardest problem I have ever encountered.”

The American system compounds the difficulties. The voting process must be transparent but also secret. Every vote must be counted, but no one should be able to trace a specific ballot back to a specific person—thus making verification impossible. More daunting, states, counties, and even local election districts set and enforce their own rules and standards. The Senate report notes that when President Barack Obama tried to declare elections to be “critical infrastructure,” which would have allowed intelligence and law enforcement agencies to offer technical assistance on security, many states resisted, fearing a “federal takeover.”

Finally, even if someone found a solution to the problem and convinced every election district to comply, some hacker might find a way around it. The offense-defense race in cyberspace will probably never end.

However, there is a solution to this problem, and it’s maddeningly simple: Take presidential elections out of cyberspace. In other words, go back to the paper ballot.

Paper ballots have their downside. The history of elections is pockmarked with stuffed and pilfered ballot boxes. In his book The Fight to Vote, Michael Waldman writes that, in New York City, in the 19th century, ballot boxes were routinely seen floating in the river on Election Day. The first voting machines were built, in the early 20th century, in part because they were considered too heavy to throw in a river.

Absent outright corruption, paper ballots can also be misread, unreadable (because of smudges), or ambiguous because of a poorly designed format. (Remember the “hanging chads” on the Florida ballots that won George W. Bush the presidency in 2000.)

If we were to revive paper ballots, standards would have to be uniform and strict. The ballots would have to be clear. The counting would have to be done by nonpartisan groups (the League of Women Voters used to do this) and monitored by officials from all parties. This is time-consuming business, but so what? In the pre-internet era, elections were frequently up in the air until the next day. No one, except perhaps cable newscasters, should mind the delay, if it means a more reliable and trustworthy outcome.

That’s the key. The Senate report speculates that one of the Russians’ motives in hacking the election networks might be to “undermine confidence” in American democracy. Whether or not that is their intention, lowered confidence was certainly a byproduct of the 2016 election and of the findings of Russian interference in it by the director of national intelligence and by special counsel Robert Mueller’s report, both of which focused on manipulation of social media and didn’t even examine (at least not in the unclassified versions) possible distortions at the ballot box.

Cybersecurity solutions would cost hundreds of millions of dollars. Paper ballots cost next to nothing. Switching to paper would be an elegant bit of jiujitsu: It would defeat the intruder not by countering him with force but by whisking away his target.