So what can be done to address this risk?

We need to make sure that every vote is recorded on a piece of paper, too. Without paper, there may be no evidence we can go back and look at that would reveal vote tampering. We also need to make attacks as difficult as possible by making sure systems used to program ballot design are locked down and never accessible from the internet.

What other areas beyond voting machines are vulnerable?

Voter registration systems connected to the internet are a major concern. In 2016, one of the most worrying cyberattacks was Russian attempts to probe, and in some cases hack into, voter registration databases. We also need to worry about electronic poll books that many states use to check voters in on Election Day. This equipment is often networked, and if it fails it could lead to chaos at the polls.

How can we bolster defenses here?

The main thing is to apply the same good security practices developed for protecting other government and industry databases. We also need to have backup procedures in place in case the technology fails.

Auditing results can catch vote manipulation. Are post-election audits in the US sufficiently robust?

No. Some states don’t check ballots at all; others examine them in a fixed fraction of precincts, but in a close contest, that might not catch vote tampering concentrated in precincts that aren’t checked. We need “risk-limiting” audits. Here you agree in advance the probability you’re willing to tolerate of an election outcome being manipulated and not detected. You then look at enough paper ballots so the odds of someone getting away with fraud are lower than the target percentage.

Why don’t we have these audits everywhere?

States have been slow to adopt new ways of countering cyberthreats. Fortunately, risk-limiting audits don’t have to be particularly expensive. When an election isn’t close, you might be able to confirm the result with high statistical confidence by examining a few hundred ballots across a state; in extremely close elections, you often have to do an automatic recount anyway.

Would it be better if the US had a federally mandated, nationwide voting system rather than many different state and local ones?

It might be easier to secure a single, unified voting system, but election administration in the US is the responsibility of state and local governments, and I don’t see that changing soon. What we can do is to set national standards for election cybersecurity that states should meet or exceed.

Could one tie federal money for securing elections to the adoption of those standards at the state level?

That could be quite effective, and there’s a bipartisan draft bill in Congress called the Secure Elections Act that would do just that.

What would have to happen for online voting, Estonia-style, to become broadly viable in the US?

Online voting carries extremely big risks. You need to protect internet-connected servers running the election from sophisticated adversaries and protect voters’ own devices from malware. That’s why Estonia is the only country where national elections are largely online, and its system is unlikely to withstand a concerted attack. It may be decades before we’re able to secure online systems to the same level we expect from voting in polling places today.

Some people have floated the idea of blockchain-based voting systems. Are you a fan?

Blockchain doesn’t fix the hard parts of securing online elections. It’s just another form of recording votes. If attackers compromise voters’ devices or the servers that record votes and log them to the blockchain, they can still manipulate election outcomes. There are no easy solutions here.