Image: Cluttersnap via Unsplash

New CISA initiative aims for critical infrastructure to operate offline during cyberattacks

The federal cyber defense agency unveiled a new initiative this week aimed at preparing critical infrastructure organizations for technology and telecommunications outages caused by cyberattacks. 

The Cybersecurity and Infrastructure Security Agency (CISA) published a guide that urges critical infrastructure organizations to prepare to operate through a crisis or conflict and continue delivering services even when under attack. 

The initiative, named CI Fortify, focuses on isolation and recovery efforts that would see critical infrastructure organizations proactively disconnect from third-party dependencies and find ways to operate without reliable telecommunications and internet.

The document also says critical infrastructure organizations should be able to quickly restore compromised systems while isolated. 

“CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure,” said CISA Acting Director Nick Andersen. 

Andersen told reporters that CISA will be conducting targeted assessments of critical infrastructure but would not say how many have been done or where. The assessments will vary based on the organization and industry, he added. 

According to Andersen, the goal is for critical infrastructure organizations to have detailed emergency plans and operational technology systems that are segmented and isolated from other parts of a network. 

Volt Typhoon attacks

The webpage for the initiative presents the effort as a way to combat recent nation-state hacking campaigns — including the Volt Typhoon cyberattacks where Chinese threat actors prepositioned on U.S. critical infrastructure to enable destructive cyber action in the event of a kinetic military conflict. The first link shared on the CI Fortify site is for a CISA advisory from 2024 about the Volt Typhoon campaign.  

When the Volt Typhoon campaign was first publicized in 2023, U.S. officials said their goal was to root out all of the Chinese hackers embedded in critical infrastructure systems in the U.S. Former CISA director Jen Easterly said in 2024 that teams at the agency “found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors.” Easterly again said in 2025 that the goal was to “identify and evict Chinese cyber actors.”

At least one U.S. official argued last year that the Volt Typhoon effort was “not successful” for China, but researchers have repeatedly come forward to say Chinese hackers are still deeply embedded in critical infrastructure systems even after three years of work by U.S. law enforcement.

In comments to Recorded Future News, Andersen argued that the CI Fortify effort was “not in response to any particular nation-state actor” and denied that it was aimed specifically at Volt Typhoon. The initiative was designed to “prevent the potential destructive impact to OT by any nation-state actor,” he said. 

Andersen noted that in addition to China’s Volt Typhoon campaign, the initiative would also address tactics used during alleged Russian cyberattacks on OT networks in Poland that took place earlier this year.

Advanced nation-state actors like Volt Typhoon are already embedded deeply enough that eradication is no longer a near-term, deterministic outcome, cybersecurity expert Matthew Hartman explained.

“Eviction remains the objective but it cannot be the lone strategy. Prioritizing segmentation and resilience is a pragmatic shift, assuming compromise and limiting blast radius rather than chasing a constantly reconstituting threat. With AI accelerating both offensive capability and scale, this layered defensive posture is necessary.”

Several others explained that evicting Volt Typhoon hackers was never possible considering CISA admitted some victims had been breached as far back as 2019. The CISA advisory warned that Volt Typhoon re-targets the same organizations repeatedly and steals domain credentials that it keeps on hand to enable continued access.

Andersen added that artificial intelligence is also a primary concern prompting the pivot to CI Fortify. He told reporters on Tuesday that CISA and the Trump administration have had deep discussions about “the increasing speed and velocity at which… artificial intelligence is going to sort of change and morph the types of impacts we would see for cyber defenders across the board, both for critical infrastructure and operational technology as well as traditional information technology.”

Cybersecurity researchers have reported multiple recent cases of hackers using AI models to conduct large portions of cyber intrusions. Incident response firm Dragos said on Wednesday that a hacker used an AI model to compromise a municipal water and drainage utility in Monterrey, Mexico.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.