Tall tales of hacked voting machines and hijacked tabulation software gain an air of plausibility by citing the essential work done by serious cybersecurity experts in recent years to document vulnerabilities in widely deployed voting technology. Until angels learn to code, all software, whether installed on a laptop, smartphone, or voting machine, will have flaws and vulnerabilities an attacker might exploit. A robust approach to cybersecurity, therefore, requires more than just finding and closing those loopholes. It means designing systems that will work reliably even if compromised—a level of resiliency that discourages hackers from attacking them in the first place. For election systems, that means ensuring that a voter-verified physical ballot—an auditable paper trail—exists for every vote cast. Manual counts of a sample of those paper ballots, known as risk-limiting audits, can then be used to confirm that the digital tallies are accurate.
Happily, many states have heeded the advice of experts in recent years, implementing routine audits and replacing direct-recording electronic, or DRE, machines, an antiquated technology in which touch screens record choices without creating a paper ballot for the voter to inspect. Yet several states that have done virtually everything right, many at the urging of Republican officials previously seen as Trump allies, have found themselves at the center of conspiracy theories.
Pennsylvania, Georgia, and Michigan have successfully replaced their DRE machines—meaning every voter either hand-marks a ballot or is presented with a printed paper record of their selections to verify—and implemented risk-limiting audit programs.