Numerous electronic voting machines used in United States elections have critical exposures that could make them vulnerable to hacking. Security experts have known that for a decade. But it wasn't until Russia meddled in the 2016 US presidential campaigns and began probing digital voting systems that the topic took on pressing urgency. Now hackers, researchers, diplomats, and national security experts are pushing to effect real change in Washington. The latest update? It's working, but maybe not fast enough.

On Tuesday, representatives from the hacking conference DefCon and partners at the Atlantic Council think tank shared findings from a report about DefCon's Voting Village, where hundreds of hackers got to physically interact with—and compromise—actual US voting machines for the first time ever at the conference in July. Work over three days at the Village underscored the fundamental vulnerability of the devices, and raised questions about important issues, like the trustworthiness of hardware parts manufactured in other countries, including China. But most importantly, the report highlights the dire urgency of securing US voting systems before the 2018 midterm elections.

"The technical community … has attempted to raise alarms about these threats for some years," said Frederick Kempe, president and CEO of the Atlantic Council, in a panel discussion. "Recent revelations have made clear how vulnerable the very technologies we use to manage our records, cast our votes, and tally our results really are ... These findings from the Voting Village are incredibly disconcerting."

Fortunately, the past few months have seen signs of progress. The Department of Homeland Security is moving forward with its critical infrastructure designation for voting systems, which frees up resources for helping states secure their platforms. The Texas Supreme Court is currently considering a lawsuit challenging the state's use of digital voting machines. And in Virginia, state officials are converting voting systems to use paper ballots and electronic scanners before the November 7 elections. They say the change was motivated by the findings at DefCon's Voting Village.

'These findings from the Voting Village are incredibly disconcerting.' Frederick Kempe, Atlantic Council CEO

Susan Greenhalgh, an elections specialist for the vote-security group Verified Voting, which worked with Virginia officials this fall, applauded the "transition into real-world change" that had transpired in just the last few months.

Virginia and Texas represent important progress, but plenty of work remains. Five states still rely solely on digital voting machines without paper backups, and at least 10 states have mixed voting infrastructure, with certain counties that use digital voting without paper. These systems are the most vulnerable to manipulation, because you can't audit them afterward to confirm or dispute the digital vote count in the case of suspected tampering.

"The one core point that election security experts and others have been making about why our votes are safe was that the decentralized nature of our voting systems, the thousands and thousands of voting offices around the country that administer the election, is what kept us safe," Jake Braun, a DefCon Voting Village organizer and University of Chicago researcher said. "Because Russians [or other attackers] would need to have tens of thousands of operatives go get physical access to machines to actually infiltrate the election. We now know that’s false."

With only a handful of companies manufacturing electronic voting machines, a single compromised supply chain could impact elections across multiple states at once. The Voting Village report emphasizes that there is a huge amount of change required in the US to address security issues at every point in the election workflow, from developing more secure voting machines to sourcing trustworthy hardware, and then actually setting up voting system devices and software for use in a secure way. DefCon founder Jeff Moss says that the goal for next year's Voting Village is to have a full election network set up so hackers can evaluate and find weaknesses in a complete system, not just individual machines.