In December, the Federal Communications Commission banned all future drones made in foreign countries from being imported into the United States, unless or until their maker gets an exemption. Now, the FCC has done the exact same for consumer networking gear, citing “an unacceptable risk to the national security of the United States and to the safety and security of U.S. persons.”
If you already have a Wi-Fi or wired router, you can keep on using it — and foreign companies that have already gotten FCC radio authorization for a specific product can continue to import that product.
But since the vast majority — if not all — consumer routers are manufactured outside the United States, the vast majority of future consumer routers are now banned. By adding all foreign-made consumer routers to its Covered List, the FCC is saying it will no longer authorize their radios, which de facto bans new devices from import into the country.
Now, router makers need to A) secure a “conditional approval” that lets them keep getting new products cleared for US entry while they work to convince the government that they’ll open up manufacturing in the US, or B) make the decision to skip selling future products in the US, like dronemaker DJI already did.
Like with the foreign drone ban, the FCC has a National Security Determination that it says justifies these actions, one which claims that “Allowing routers produced abroad to dominate the U.S. market creates unacceptable economic, national security, and cybersecurity risks,” and that “routers produced abroad were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks which targeted critical American communications, energy, transportation, and water infrastructure.”
“Given the criticality of routers to the successful functioning of our nation’s economy and defense, the United States can no longer depend on foreign nations for router manufacturing,” reads another passage.
It is true that a great many router vulnerabilities have surfaced over the years, which make them a popular target for hackers and botnets. It is also true that one Chinese company, TP-Link, is dominant in the US consumer market; US authorities had previously considered a specific TP-Link ban due to that dominance and national security concerns.
It is not clear how simply moving production of routers domestically would make them safer, though. In the Volt Typhoon hack, Chinese state-sponsored hackers primarily targeted Cisco and Netgear routers, routers designed by US companies, according to the Department of Justice. Those US companies had stopped providing security updates because they had discontinued those products.
While the FCC’s Covered List makes it sound like the US is banning all “routers produced in a foreign country,” it’s defined a bit more narrowly than that. It’s specifically banning “consumer-grade routers” as defined in NIST Internal Report 8425A, which refers to ones “intended for residential use and can be installed by the customer.”