Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 PM
Connect Directly

The Best Way To Secure US Elections? Paper Ballots

Voting machines that do not provide a paper trail or cannot be independently audited should immediately be removed, concludes a new report from the National Academies of Sciences, Engineering, and Medicine.

A new report from the National Academies of Sciences, Engineering, and Medicine is recommending the use of human-readable paper ballots as the best way to protect the security and integrity of US elections, at least in the immediate future.

In fact, the committee behind the report wants election officials to consider ditching voting methods that do not provide a reliable paper-verifiable audit trail as early as the upcoming 2018 midterms and for all local, state, and federal elections by 2020.

It also does not want jurisdictions to permit the use of the Internet and Internet-connected systems to return marked ballots until "very robust guarantees" of security and verifiability are developed. Other recommendations include the need for states to mandate risk-limiting audits prior to the certification of election results and routine assessments of the integrity of voter registration systems and databases.

The report, funded by grants from the Carnegie Corporation, the William and Flora Hewlett Foundation, and several others, is based on an exhaustive analysis of the state of US election security in the wake of concerns over Russian interference in the 2016 general elections. It also examines the current state of technology and standards for voting across the country with a particular emphasis on the challenges — including those related to cybersecurity issues — stemming from the last elections.

Lee Bollinger, president of Columbia University and co-chair of the committee that developed the report, described the study as coming at a critical time for American democracy.

In a live-streamed event on Thursday, Bollinger said that when the committee began working on the report, it had fully expected to find that US voting systems were moving away from physical, in-person balloting toward Internet and remote voting.

"However, by the time the committee's first meeting in April 2017, it was clear the most significant threat to American elections was coming not simply from the need for new technologies, but rather from efforts by foreign actors seeking to undermine the credibility of election results," he said.

The report makes note of assessments by the US intelligence community of Russian involvement in several cyberattacks and attempted attacks against US election infrastructure in the months leading to the 2016 presidential election. Among them was an incident in June 2016 when network credentials to the Arizona state voter registration system were posted on a site frequented by suspected Russian hackers, and another later that month involving a voter registration system in Illinois.

Such incidents combined with aging and insecure voting equipment, inadequate poll worker training, and vulnerable voter registration systems mandate a return to paper ballots, Bollinger said. The ballot could be marked either by hand or machine using a ballot-marking device and could be counted using an optical scanner or even hand-counted.

"Paper ballots are evidence that cannot be manipulated by faulty software or hardware," he noted. "And they can be used to audit and verify the results of an election."

Marian Schneider, president of election watchdog group Verified Voting, says the recommendations in the new report are exactly in line with what her organization has been calling for, as well.

While many states already use the kind of paper-based voting system that the report recommends, many others do not, she says. Some states use completely paperless voting systems or Direct Recording Electronic (DRE) systems, for which a voter's choice is recorded and stored directly in the computer. Some DREs support a paper-based audit trail where voters can verify the system has properly captured their intent before casting their vote. And many states use a combination of paper and paperless systems, Schneider notes.

Five states — Delaware, New Jersey, Georgia, Louisiana, and South Carolina — currently vote exclusively on machines that do not support a paper record. In a report this July, the Committee on House Administration categorized these states as being exposed to the most critical election security vulnerabilities. "It is nearly impossible to determine if paperless voting machines have been hacked and if vote tallies have been altered," the report had noted.

Even DREs that support a voter verifiable paper audit trail are not foolproof because voters may not always verify their ballots before casting them. So it is possible that the information stored in a computer's memory does not accurately reflect the voter's intent, Schneider says. At the moment, the best way to mitigate such risks is to use hand- or machine-marked paper ballots.

"The most significant takeaway is that certain times in a nation's history demand unity. This is one of them," Schneider says.

The new report comes amid ongoing concerns over hacking and other forms of interference in US elections. A survey conducted at Black Hat by security vendor LastLine found 84% of the respondents saying there will be some form of hacking during the 2018 midterm elections. About 54% believed it would happen at a national level, while 47% expected disruption at the state level, with the goal of influencing state-level races. Nearly one-third believed that any hacking that takes place would be designed for propaganda purposes and not to affect the outcome of the election.

Related Content:


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/13/2018 | 1:18:03 PM
I agree with Paper Ballots
The entire year of investigations into our voting process and it being hacked needs to be stopped. The analysis conducted by the National Academies of Science, Engineering, and Medicine has an approach. Sometimes it's just best to unplug. Paper Ballots and trusted senior citizen volunteers who have nothing to gain or lose from counting the ballots and love the work they do for their country is the way to go. Pitch the voting machines! No digital devices allowed and as a result, no interference from any hackers. Let's shut the digital wall on them by cutting the cord completely. How difficult can that be? 
User Rank: Ninja
9/12/2018 | 9:24:29 AM
If you have computer voting, it is all on an in-location isolated network - no internet!    Results are tabulated on a central system also isolated.  Results are then "voice phone" to central location for final count which is kept offline too and when done = VOILA - internet free election. 
User Rank: Strategist
9/10/2018 | 3:53:01 PM
Re: True, but
Hemp will cure the "Tree" issue, Save a tree, insist on hemp paper!
User Rank: Ninja
9/7/2018 | 9:51:31 AM
True, but
Then all the advocates of Brazillian rain forests and tree huggers will come down on de-forestation. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...