You can still use the insecure router (or combined modem and router) that you already have. But a massive new FCC rule would ban most new foreign-made consumer models as an unacceptable national security risk. Companies can apply for exceptions to the ban.
CNET says: “This is a monumental development for the US Wi-Fi router market. With the exception of newer Starlink routers, nearly every router available for purchase in this country is at least partially manufactured outside the US, including TP-Link, Asus and Netgear. An estimated 60% of routers in the US are manufactured in China.”
Wired points to a clarification in an FCC FAQ about “covered” (banned) devices: “Non-‘covered’ devices do not become ‘covered’ simply because they contain a ‘covered’ component part, unless the ‘covered’ component part is a modular transmitter under the FCC’s rules. Therefore, a router produced in the United States is not considered ‘covered’ equipment solely because it contains one or more foreign-made components.”
The FCC defines routers as “the boxes in every home that connect computers, phones, and smart devices to the internet,” not super-precise but good enough for government work. CableTV.com defines modems as the gadgets that “translate internet data into signals your computer (and other internet-enabled devices) can understand, and they prep your outgoing data for the internet network.” A router “directs internet traffic between your modem and the multiple internet-enabled devices in your home.”
Cybersecurity
According to the FCC’s fact sheet on the new rules:
The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”…
Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft. Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure….
New devices on the Covered List, such as foreign-made consumer-grade routers, are prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the U.S. This update to the Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized.
This action does not affect any previously purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired.
Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to conditional-approvals@fcc.gov.
Wired wonders whether TP-Link, a Chinese company, “will have to apply for Conditional Approval or spin up manufacturing in the US to sell any new routers.” What about Asus routers? “Asus primarily makes its routers in Taiwan, though it has production facilities in China and works with several third-party manufacturers. Recent tariff pressures led the company to branch out to Thailand, Vietnam, Indonesia, Mexico, and the Czech Republic, but the bulk of its routers still come from Taiwan or China.”
How readily in general will the FCC be granting exemptions now that it has issued a seemingly tough ban on risky foreign-made routers? If U.S. export controls on high-end AI chips have proved to be somewhat malleable, maybe these new rules governing foreign-made routers will be too. How the ban is enforced could end up being overkill, unfairly imputing a security risk; or deficient, letting CCP-linked routers that are demonstrably vulnerable to intrusion off the hook.
