FCC Moves to Block New Foreign-Made Routers

The Federal Communications Commission (FCC) is taking steps to prevent new foreign-manufactured internet routers from entering the U.S. market. This decision comes amid growing worries that foreign supply chains might expose American networks to cybersecurity threats.

Essentially, this initiative broadens the agency’s list of prohibited equipment, which is considered to pose an unacceptable risk to national security. As a result, new foreign routers will not be approved for sale in the United States unless they pass a thorough national security review that assesses everything from ownership to supply chains and software controls.

Matt Wickhouse, who is the CEO of cybersecurity firm Finite State, shared his thoughts, saying that “the FCC will effectively ban all new routers because there are currently no routers in the country that meet that standard.” He added that, as it stands, “no one can clear this bar at the moment.”

Concerns Over Undisclosed Surveillance Risks

The FCC has compiled a list that includes various communications devices and services which they believe pose significant risks to both national security and public safety. They pointed out several instances where foreign devices have been involved in cyberattacks targeting U.S. infrastructure. The agency noted that “malicious actors are exploiting security gaps in foreign routers” to conduct cyber operations, affecting American homes and networks.

This regulation mainly affects devices made overseas, particularly routers from China, where a substantial portion of the world’s network hardware is produced. Recent estimates suggest that a large majority of home routers in the U.S. are tied to Chinese supply chains.

TP-Link, a Chinese-founded router manufacturer that’s popular on Amazon, is under heightened scrutiny amid rising concerns about cybersecurity risks. A spokesperson from TP-Link remarked that “nearly every manufacturer in this space produces their hardware overseas or relies on global supply chains,” viewing the new regulations as a step toward enhancing security in the router industry. They also mentioned that the company is planning to establish manufacturing facilities in the U.S. to support local operations.

Broader Context of Supply Chain Vulnerabilities

A review indicated that most major router brands sold in the U.S. depend heavily on Chinese engineering and manufacturing, even if they are marketed as American products. Some companies that have moved production to countries like Vietnam still rely on Chinese manufacturers, keeping their supply chains largely intact.

Wickhouse emphasized that “the country in which a device is manufactured does not necessarily determine whether the product is safe,” pointing out that a vast global supply chain is involved in everything from chipsets to final assembly.

Real-World Cyber Threats

Concerns about cyber threats have manifested in actual incidents. In 2023, the Department of Justice disrupted numerous compromised router networks across U.S. homes and small businesses, which had been infiltrated by Chinese state-sponsored hackers known as “Bolt Typhoon.” These infected devices were used to obscure the origin of attacks targeting critical infrastructure.

Hackers often exploit a compromised router to obscure their tracks, making it complex for experts to trace the source of attacks. Typically, a single router connects multiple devices in a household or small business, including smartphones, laptops, security cameras, and smart home devices. If compromised, these devices can provide attackers with insight into network traffic and facilitate further intrusions.

Officials indicated that the broader campaign aims to target vital sectors like energy and telecommunications, with an eye toward enhancing U.S. preparedness in potential future conflicts.

This FCC action forms part of a wider initiative to reduce dependence on foreign technology, especially from China, in key sectors such as telecommunications and consumer electronics.

Potential Market Implications

Supporters of the policy argue it mitigates long-term supply chain risks and decreases the chance of foreign adversaries accessing U.S. networks. However, many worry that the rule could strain supply chains and possibly lead to higher prices, given that most routers sold in the U.S. are made overseas.

Wykehouse noted an absence of domestic suppliers capable of meeting the demands of router manufacturing. He projected that “this will definitely increase prices” as companies adapt to the new requirements.

It’s important to highlight that this policy won’t affect routers already in use or legally purchased. Companies can continue to sell existing inventory. However, once this stock runs out, newer foreign models will be effectively blocked unless they pass the necessary security reviews.

While this new rule does not imply that existing routers in U.S. homes are known to be compromised, cybersecurity officials have long cautioned that older or unpatched devices can be vulnerable and potentially leveraged as part of extensive botnet networks.

Wickhouse pointed out that “the main problem with routers isn’t where they’re made, it’s that consumers don’t update their routers.” He stressed that selecting a router with automatic updates is far more crucial than simply opting for one branded as a U.S. product.

As of now, the Chinese embassy and related companies have not responded to inquiries regarding the matter.