US Effectively Bans All New Router Products

The U.S. government has effectively implemented a ban on most new routers entering the domestic market, a move driven by a national security determination regarding risks posed by networking equipment produced overseas. While the order is broad, it is important to note that existing models already approved by the FCC—such as those currently found on retail shelves—are not prohibited from being sold or imported. The restriction specifically targets new products that have not yet received FCC certification.

I dive into the order and what it might mean in my latest video.

This action follows long-standing concerns from both the Biden and Trump administrations regarding vulnerabilities in consumer networking hardware.

Specifically, federal authorities pointed to prior sophisticated cyberattacks, such as the Volt, Flax, and Salt Typhoon attacks, which utilized botnets of small office and home office (SOHO) routers to conceal the origin of attacks against U.S. critical infrastructure. In many cases, these attacks exploited “end-of-life” routers that no longer received security firmware updates from their manufacturers.

To gain authorization for new products, manufacturers must now apply for a conditional approval from the DoW/DOD or DHS. This process requires an extensive disclosure of the company’s supply chain, including a detailed bill of materials, the country of origin for all components and software, and an identification of any single points of failure in the manufacturing process.

Beyond security audits, the government is requiring a commitment to domestic production. Applicants must submit a time-bound plan to establish manufacturing and assembly operations within the United States. This includes detailing planned capital expenditures and providing progress reports on onshoring efforts. Currently, the list of compliant router manufacturers remains empty, as drone makers are the only manufacturers to have successfully navigated a similar regulatory process thus far.

The definition of a “router” under this regulation is tied to NIST standards, focusing on devices marketed for residential use and customer installation. This creates a technical distinction for hardware such as small-form-factor computers; while these devices can be configured to function as routers using open-source software like pfSense, they are not currently subject to the ban because their primary marketed purpose is as a general-use computer.

Industry reactions have been varied, according to a report in PC Magazine. TP-Link, which had previously been a specific focus of government scrutiny, expressed confidence in its supply chain and stated it welcomed an evaluation that applies to the entire industry. U.S.-based Netgear commended the action, suggesting that the regulations could lead to a more secure digital future. Both companies will likely benefit from the action – TP-Link gets to survive and Netgear has the capacity to comply with the domestic onshoring requirement when many of its competitors may not.

I will be monitoring the FCC’s exception list to see which manufacturers are the first to successfully onshore their operations and return new hardware to the pipeline. In the meantime, the focus remains on whether these requirements will effectively eliminate orphaned firmware and provide the level of transparency the government is seeking.