We've known for some time that Russia waged a wide-ranging psyops campaign during the 2016 presidential election aimed at undermining the U.S. political system. This week we found out that it was even worse than we had been led to believe.

That's thanks to a report from The Intercept, which published portions of a highly classified National Security Agency report disclosing new details on a "spear-phishing" hacking operation run by Russian intelligence aimed at penetrating a U.S. company, reportedly VR Systems, which sells voting software and equipment. Previously the official line about the 2016 Russian hacking attack was that it was largely limited to the hacking of the Democratic National Committee and subsequent leaking of its documents and also the weaponization of fake news. This report demonstrates anew that the operations were broader.

"It proves that the extent of the Russian meddling in the 2016 election wasn't limited to the information warfare and information leaking we were focused on but that they were in the process of targeting the machinery of our democracy itself," says J. Alex Halderman, director of the University of Michigan's Center for Computer Security and Society. "It's significant because we know that there are major vulnerabilities [in our voting systems]. … That a foreign adversary really was taking steps toward targeting that voting equipment should raise major alarm bells not just for the 2016 election but 2018, 2020 and beyond."

That's key: We need to find out exactly what Russia was up to in 2016 not to re-litigate that campaign but as a safeguard against what foreign adversaries are nearly certain to do in coming elections. This should not be a partisan issue. "It is not a Republican thing or a Democratic thing," as former FBI Director James Comey said Thursday. "It really is an American thing."

This new report is a stark reminder of not only how vulnerable our system is but also that international malefactors are actively trying to exploit those weaknesses.

Phishing is the practice of using fake electronic messages to try to get unwitting users to either disclose key personal information like email passwords or to get them to click on a link which will infect their computers with malware; spear-phishing is a customized version of this attack, directed at a specific person or group of people. In this case the targets were employees of a company which produces and sells software which handles voter rolls. The hackers then apparently used information they got to try to spear-phish "U.S. local government organizations," according to the NSA report, likely officials "involved in the management of voter registration systems."

To what end? It's not clear. Perhaps fudging voter rolls to make it hard for people to vote: Change their addresses or party registrations, for example, or remove them from the rolls entirely. Imagine the chaos and disruption if tens of thousands of voters – either across the country or in key states or precincts – were prevented from casting ballots on Election Day or were forced to cast provisional ballots because, it was later learned, the voting rolls had been hacked. In many cases there are hard-copy back-ups of the voter rolls but widespread chaos would itself cause damage even if it could be mostly corrected in the long run. It could, says Bruce Schneier a cybersecurity expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, "cause havoc and cause us to lose faith in the system." Remember that the U.S. intelligence community concluded that one of the main goals of the Russian cyberattack was "to undermine faith in the US democratic process."

There's no indication that any of this took place in 2016 but again, this isn't important for looking backward but for looking forward. "This attack seems much more exploratory than operational," says Schneier. "They're looking to see what they can do." Because they're not done.

That raises a related issue: There's no reason to believe that foreign adversaries, having targeted one part of our political infrastructure, wouldn't ultimately go after the big prize: Hacking actual vote tabulations. This sort of attack could just as easily be aimed at the systems of officials involved with actually counting votes, whether by attempting to infect voting machines themselves or by infecting computers involved with, say, county-level aggregation of vote totals.

The fact that Russia did not try this or were not successful in 2016 is no reason to believe it's not on their agenda for 2018, 2020 or beyond.

Because why should they stop? The main response to Russia's attack last year was the expulsion of their staff from a pair of compounds they were using to conduct the attacks – a response President Donald Trump's administration is reportedly preparing to undo. Any other national response has been stultified by partisan polarization. Trump dismisses the Russian attacks as "fake news" and many Republicans insist on chasing the "unmasking" red herring while downplaying the Russian attack as routine and in keeping with long-standing Russian and Soviet operations. (Intelligence officials and cybsersecurity experts have noted that the rise of social media and cyberwarfare allow the Russian operations to achieve unprecedented scope and potency; or as Comey put it Thursday: "It's stepped up a notch in a significant way in '16.")

"The problem we have is that elections are partisan in ways that no other hack is," notes Schneier. "After an election is hacked, half of the country is happy." Partisan reflexes impede our ability to react because they give an incentive to downplay the hacks' importance. And that national sclerosis only invites more attacks.

So what are we doing and what should we be doing? In January, outgoing Homeland Security Secretary Jeh Johnson declared the nation's election systems to be "critical infrastructure." That sounds more impressive than it is. "The designation of critical infrastructure provides services to the states from DHS if they choose to avail themselves of it," says Susan Greenhalgh, an election specialist at Verified Voting, a nonpartisan group that focuses on ballot transparency and security issues. "There's a real limit to what DHS can do."

Will states ask for help and what assistance will they get? Thirty-three did in the months leading up to the 2016 election, as did 36 counties (but "were not told about the seriousness of a potential hack or that Russia was the instigator," according to McClatchy). But the National Association of Secretaries of States passed a resolution blasting the critical infrastructure designation as federal overreach. "The states are rightly protective of their constitutional privilege to run our elections and their constitutional authority," says Greenhalgh. "But we're in a new world now and these types of threats are real. And the Department of Homeland Security has familiarity, expertise and understanding ... that's probably well more than what election officials are familiar with because it's not their world."

The secretaries of state association has formed a task focused on election cybersecurity and DHS officials reportedly plan to meet and work with it. But all of that is necessarily piece-meal and in terms of a legitimately national response, the U.S. remains bizarrely quiescent.

What should we be doing? States can start by hardening their election-related computer systems by using security measures like two-factor authentication, for example. Beyond that, as I wrote in December, there's a crying need for U.S. elections to maintain a verifiable voting paper trail. Five states use voting machines which record votes electronically without any paper records; another 10 use those sort of machines at least in part. Over all, Pamela Smith of Verified Voting told me then, between 20 and 25 percent of voters cast ballots electronically without an accompanying paper record.

Relatedly, each state should conduct a post-election, risk-limiting audit of its ballots to check that they were accurately counted on Election Day. This would not be a full recount but a check of a sufficiently-sized sample of ballots to ensure accuracy.

"There's a lot of, 'That's hard to do,'" says Susannah Goodman, director of the voting integrity project at Common Cause. "We have to stop thinking about how hard it is and start thinking about how easy it is to lose your democracy to hackers."

The ongoing Russia investigation and this week's revelations from The Intercept remind us that none of this is theoretical. "It was worse this time than it was last time and it will be worse next time than it was this time," says Harvard's Schneier. Comey was succinct on Thursday: "They will be back."