This piece was originally published on Just Security, an online forum for analysis of U.S. national security law and policy.

When it comes to the security of our elections, we have a battle on two fronts. On the first, Russia has attacked our election infrastructure and our intelligence community believes Russia, and others, will do so again. On another front, we have a battle in Congress over funding and even the need for a more robust response to the threat to our electoral integrity. To win the first, we should end the second, and soon.

It is a tactic of war chronicled by Sun Tzu: When confronted by an enemy of overwhelming might, sow confusion and dissension in its ranks. Though comparatively weak nearly 30 years after the fall of the Soviet Union, Russia remains our adversary. And our top intelligence officials have said that the danger of Russian cyberattacks today is similar to the warnings the U.S. had before 9/11. “The warning lights are blinking red again,” said Dan Coats, the director of national intelligence. “Today, the digital infrastructure that serves this country is literally under attack.”

One set of attacks was described in the indictment of 12 Russian intelligence officers for meddling in the 2016 election. The goals and methods of that attack were made clear. Federal agencies, most recently officials from the Department of Homeland Security in congressional testimony last week, have made clear that the Russians are using a 21st-century version of Sun Tzu’s ancient playbook, and we are called upon to respond.

Potential vulnerabilities are not limited to the strategies laid out in the Mueller indictment.

The attackers famously worked to use our political and social divisions against us. Russian hackers stole or created identities of conservative and progressive activists to sow misinformation and aggravate mistrust. As if the misinformation campaign were not enough, just before the election, Russian intelligence targeted election systems in at least 21 states. In a hearing before the House Oversight Committee last week, it became clear that more states may have been attacked, but they were flying blind, lacking the technology needed to detect an attack. The indictment against the GRU operatives alleged that the assailants breached the firewalls in at least one state, Illinois, where Russians gained access to information related to the records of about 500,000 voters. Although there’s no evidence vote tallies were changed, the number of records breached would have been sufficient to swing either Florida, Ohio, or Pennsylvania from Trump to Clinton. Significantly, the hackers were instructed to focus on purple states.

On Aug. 6, 2001, President George W. Bush’s daily intelligence briefing reported that “Bin Ladin … has wanted to conduct terrorist attacks in the US,” and “FBI information … indicates patterns of suspicious activity in this country consistent with preparations for hijackings.” Then–CIA Director George Tenet said, “The system was blinking red.” Unfortunately for the nation, the response was inadequate. After 9/11, a staffer at the National Security Council apologized for not doing enough in response to those warnings. In 2001, only a handful of people had access to the information that should have prompted a vigorous response. Today, we all know so much more about the nature and direction of the next attacks. We all must do more.

Potential vulnerabilities are not limited to the strategies laid out in the Mueller indictment. Last week, the FBI informed Maryland state officials that in 2015, a Russian oligarch alleged to be close to Vladimir Putin purchased ByteGrid, the company that hosts the statewide voter-registration, candidacy, and election-management system as well as the online voter-registration system, online ballot-delivery system, and unofficial election night–results website. (The FBI informed the officials that there was no evidence that the election had been compromised.) This incident highlighted just how creative we must be in imagining potential threats. Democratic Rep. Jamie Raskin of Maryland has introduced the Election Vendor Security Act as an example of the forward thinking necessary to avoid doing little more than fighting the last war.

With the intelligence community warning of ongoing attacks and the Mueller investigation documenting the goals and methods of the previous one, there is only one reasonable course of action: act aggressively both to protect our institutions from assault and to bridge the divisions that the Russians sought to foment.

So, our next line of defense must come on three fronts:

Establish a bipartisan commission on the 2016 election. The Senate Intelligence Committee, led by conservative North Carolina Republican Richard Burr, recently issued bipartisan findings that made clear the reasons for such a panel: that Vladimir Putin himself authorized meddling in the last election, that the meddling was designed to help elect President Trump, and that Russian agents attacked our election infrastructure and the Democratic National Committee in order to pursue those ends. The Senate should build on that work and create a bipartisan commission that would find the facts so needed in a public debate that has been debased by “alternative facts.” It would also help to bridge the bitter partisan divide that the Russians have continued to exploit by committing leadership of both parties to protecting the sanctity of the franchise for all of us. After 9/11, the nation established a bipartisan commission in which Republicans and Democrats were effectively co-leaders. We would do well to learn the lessons of that commission and apply them in the face of these attacks.

Recognize that the states are a new battleground for assaults on our national security. Individual states, counties, and municipalities manage and protect the bulk of our election infrastructure. As Coats made clear in his speech, a successful attack in just one state could cast doubt on the midterm elections or on the next presidential election. There is no doubt that both will be hotly contested and both targets are too tempting for the Russians to ignore. Indeed, the weak presidential response to the Russians may embolden others to meddle as well. There is not enough time before the next elections to replace all vulnerable voting systems, but a lot can be done in the more than 100 days remaining. Where vulnerable machines are not replaced, each state should develop a set of counterresponses that will ensure elections can go forward securely. First and foremost, every voting machine should leave a paper trail so that the actual votes cast are the votes that are actually counted. Now that we know better, we must do better.

Adequately fund needed updates to our voting system. It has been more than 15 years since President George W. Bush signed the Help America Vote Act. That measure required states to reform their voting systems and infrastructure by, among other things, updating and upgrading their voting information, voting equipment, and voter-registration databases. He knew full well the danger of assuming office after an election marred by outmoded voting mechanisms. And that was without our nation being under assault. Although Congress appropriated $380 million in additional HAVA grants this fiscal year, that funding level is simply inadequate to counter the threat. And as the National Association of Counties testified last week, the funding stream going forward must be consistent and reliable. As of 2016, a majority of districts in an overwhelming majority of states were using voting machines that were at least a decade old—a time frame that is close to the end of, or exceeds, their projected lifespan.

At the hearing last week, members of the House Oversight Committee expressed skepticism about the need for more funding and even raised the long-debunked threat of voter fraud as the primary assault on our system. The system is blinking red. Our foreign adversaries are attacking American institutions. We have the capacity to push back. More importantly, it is our duty to do so.

More From Just Security:

Who Says Collusion Is a Crime: the Justice Department



The Trial of Paul Manafort: What to Expect