The Federal Communications Commission (FCC) has significantly expanded its efforts to secure U.S. Networks, but the latest strategy may be treating the symptoms rather than the disease. In a move that shifts the agency’s approach from targeting specific bad actors to a sweeping geographical restriction, the FCC issued an update on March 23 to its “Covered List,” effectively banning the sale of new routers produced in foreign countries unless they receive a specific exception from the Department of Defense (DoD) or the Department of Homeland Security (DHS).
This FCC foreign router ban is framed as a necessary defense against sophisticated cyber threats. The Commission pointed to critical “security gaps” in foreign-made hardware that have been exploited by Chinese advanced persistent threat (APT) actors—specifically groups known as Volt Typhoon, Flax Typhoon, and Salt Typhoon—to launch widespread attacks. By limiting the entry of new foreign hardware, the government aims to prevent domestic residential routers from being hijacked and used as residential proxies to mask malicious traffic.
However, for those of us who have spent years in the trenches of software engineering and cybersecurity, this approach feels like using a sledgehammer to fix a watch. While the threat of botnets is very real, a blanket ban on the country of origin does little to incentivize actual security innovation. Instead, it creates a regulatory environment where a product’s birthplace matters more than its codebase.
From Targeted Restrictions to Blanket Bans
For years, the FCC’s Covered List operated with a degree of surgical precision. The agency previously banned hardware from specific vendors with documented security risks or ties to foreign intelligence services. A notable example occurred in 2021, when the FCC banned equipment from companies like Huawei and Hytera due to national security concerns.
The new policy represents a fundamental shift. Rather than identifying a specific company’s failure, the FCC is now restricting almost all new consumer routers produced outside the United States. The only immediate winners are domestic manufacturers, such as Starlink’s operations in Texas, which remain unaffected. This shift creates a paradox: a U.S.-based manufacturer with a poor security record now has a competitive advantage over a highly secure foreign manufacturer simply because of where the assembly line is located.
| Feature | Previous Approach (Vendor-Specific) | New Approach (Blanket Ban) |
|---|---|---|
| Target | Specific companies (e.g., Huawei) | All foreign-produced routers |
| Criteria | Documented security/political risk | Country of manufacture |
| Exemptions | Case-by-case regulatory review | DoD or DHS specific exceptions |
| Primary Goal | Remove known bad actors | Secure the general supply chain |
The IoT Blind Spot
The most concerning aspect of this policy is what it ignores. The FCC is targeting routers, yet some of the most vulnerable entry points in the modern American home aren’t the routers themselves, but the myriad of Internet of Things (IoT) and smart home devices connected to them.
Supply chain attacks frequently target low-cost, no-name electronics that bypass traditional security scrutiny. For instance, certain Android TV boxes sold through major retail giants like Amazon have been found to come pre-loaded with malware. These infected devices fuel massive fraud operations and residential proxy botnets, such as the Kimwolf and BADBOX 2 networks, which are often more active in cybercrime than the routers the FCC is currently banning.
By focusing exclusively on the router, the government is leaving the “back door” wide open. A secure, U.S.-made router cannot protect a network if a malware-ridden smart bulb or streaming box is already inside the perimeter, communicating with a command-and-control server. To truly improve the national cybersecurity posture, the focus must shift from where a device is made to how It’s secured.
Economic Pressures and the “Exception” Game
This regulatory move does not exist in a vacuum. It coincides with a broader administration push toward protectionism, including the imposition of tariffs and various trade-related executive orders aimed at foreign goods. While this may encourage some large tech firms to move manufacturing to U.S. Soil, it creates a daunting barrier for smaller, innovative companies that lack the capital to build domestic factories.
the reliance on DoD and DHS exceptions introduces a layer of opacity into the process. When security approvals are granted via executive exception rather than transparent, technical standards, it opens the door for corporate lobbying to supersede actual security audits. In the worst-case scenario, this could entrench existing industry players and foster quid-pro-quo arrangements that do nothing to actually harden our infrastructure.
A Path Toward Verifiable Security
American consumers deserve more than a choice between a domestic product and nothing; they deserve hardware that is objectively secure. A more effective path forward is the implementation of nuanced, technical certifications. One such example is the U.S. Cyber Trust Mark, a proposed labeling program that would allow consumers to identify devices that meet rigorous cybersecurity standards regardless of where they were manufactured.
By prioritizing a “security-by-design” framework—which includes mandatory security updates, the elimination of default passwords, and transparent vulnerability reporting—the U.S. Can create a market where the most secure products win, not just the most local ones.
The next critical checkpoint for this policy will be the first round of DoD and DHS exception filings, which will reveal which companies the government deems “trustworthy” and what criteria are being used to develop those determinations. As these lists emerge, the industry will have a clearer picture of whether this is a genuine security initiative or a trade policy dressed up as cybersecurity.
Do you think where your router is made affects your online security? Share your thoughts in the comments or join the conversation on our social channels.
