Much of the analysis following special counsel Robert Mueller’s Friday indictment of 12 Russian intelligence officers has focused on their alleged conspiracy to hack into Clinton campaign and Democratic Party computers and email systems during the 2016 election, and on questions about coordination between then-candidate Donald Trump’s campaign and the Russian infiltrators. But the indictment also included new revelations about the extent of Russia’s attacks on our election systems in 2016—and those details provide a warning that we need to get serious about preparing for even more damaging attacks in this year’s midterms. The latest indictment alleges that Russian intelligence officers hacked into the website of a yet-unidentified state board of elections. Among other new information, it alleges Russia used that hack to steal information related to 500,000 voters.
That figure’s surprising. We already know that hackers targeted election systems in 21 states and allegedly hacked into the computers of a private U.S. elections systems vendor. (The indictment did not name the vendor, but details seem to match a reported hack of the company VR Systems; VR Systems has denied any breach had occurred.) But, thus far, officials have only confirmed that databases from the Illinois election systems had ever actually been compromised. What’s more, reports previously indicated the records of only about 100,000 voters had been accessed in the Illinois breach. That means the reach of Russia’s infiltration of election systems likely went deeper than we’d understood.
Perhaps most importantly, as Wired’s Kim Zetter identifies, the indictments suggest the Russians’ attack against U.S. election infrastructure may have been an afterthought. The indictment puts the research and execution of the state board of election and vendor attacks in June through October of 2016—well into the election, and months after the initial hacks of the Democratic National Committee and Hillary Clinton’s campaign. As she notes, we would be wise to assume future attacks will involve more advanced planning. Combine this with the fact that the Russians undoubtedly learned information from their 2016 efforts, and there is reason to believe future attacks on our election infrastructure could be far more damaging.