Last month, the Federal Communications Commission updated its Covered List, adding “consumer-grade routers produced in foreign countries.” The move came as the Executive Branch determined that foreign-made routers were “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense,” but also posed “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
Moreover, President Donald Trump’s 2025 National Security Strategy stated: “the United States must never be dependent on any outside power for core components—from raw materials to parts to finished products—necessary to the nation’s defense or economy.”
A Problem That Has Been Ignored For Years
This is an issue that cybersecurity experts have warned has been ignored, or at least overlooked, for years. The issue is that most consumer routers sold in the U.S. are manufactured overseas, with estimates indicating that around 60% of the market is produced in China, making the ruling broadly impactful across the industry.
The restriction applies to new devices seeking FCC approval, meaning previously authorized products and routers already in use are not affected.
“Supply chain compromise is becoming one of the most serious threat vectors for nation states and advanced intrusion activity targeting critical infrastructure. The FCC’s decision to add foreign-manufactured consumer routers to its Covered List reflects a risk the security community has been warning about for years,” explained Jacob Krell, senior director for Secure AI Solutions & Cybersecurity at Suzu Labs.
In an email to ClearanceJobs, Krell added that as endpoint and product security have improved, adversaries have increasingly looked upstream toward manufacturing, firmware, and other supply chain dependencies where compromise can create durable access.
“The FCC’s citation of Volt Typhoon, Flax Typhoon, and Salt Typhoon is consistent with that concern,” Krell added. “Network devices are especially attractive targets because they sit in the path of every packet entering and leaving an environment, and predeployment compromise can be exceptionally difficult to detect and remediate.”
Yet, the dangers to the average consumer could be overstated.
Most Americans don’t have classified secrets on their home networks and instead largely use the devices to stream video content to a tablet or smartphone. The most “compromising” information might be one’s browsing history.
“This is a massive expansion of U.S. tech protectionism, moving beyond specific Chinese entities like Huawei or ZTE to a blanket ban on all foreign-produced consumer routing hardware,” suggested Damon Small, board of directors at Xcape, Inc.
“By citing the weaponization of SOHO routers by groups like Volt Typhoon and Salt Typhoon, the FCC is treating the humble home router as a primary vector for national-scale pivot attacks against critical infrastructure,” Small also told ClearanceJobs.
Unforeseen Consequences
Since the FCC announcement, there have been reports that foreign-made routers will only receive software updates until March 1, 2027, potentially setting an expiration date for the security of most individuals’ home Internet.
The Technology Policy Institute even issued a warning last week: “The ban creates the very vulnerability its claims to address.”
CNET also reported that it will be hard to recommend a Wi-Fi router to retailers, as it is unclear what products might receive an update. FCC clarification is almost certainly needed.
“Effectively, the FCC would ban all new routers, because there are no domestic routers that meet that standard today. No one can clear the bar right now,” said Matt Wyckhouse, founder and CEO at cybersecurity provider Finite State.
The issue is compounded because of the global supply chain. Even U.S.-made routers are filled with parts from around the world, so is one only assembled in the USA actually “American-made?” That’s a serious issue that the FCC ban doesn’t address.
“The country where a device is manufactured does not necessarily determine the security of that product,” Wyckhouse told ClearnaceJobs. “There’s a pretty large global supply chain involved—from chipsets to software to final assembly. There are no domestic suppliers for all products involved in router manufacturing.”
Political or Security Issue?
Some cybersecurity experts are suggesting this is really more of a political issue than a cybersecurity one.
“The goal is to economically hurt foreign router makers and protect domestic ones like Cisco,” said Paul Bischoff, consumer privacy advocate at Comparitech.
Bischoff told ClearanceJobs the reasons stated for banning routers are all based on conjecture and have little evidence to stand on, and added, “Salt Typhoon, for example, did not happen because of foreign routers but because of telecom deregulation. Also, foreign router makers can still get approved if they agree to move manufacturing to the USA in the future. In the end, this is effectively just a more complicated tariff.”
Foreign-made routers still provide security, or at least will until next year. The issue is that many consumers and even enterprise users don’t bother to install updates for their Wi-Fi routers, even if they know such devices can be updated.
“The biggest issue is the users’ failure to implement patches/updates issued by the OEMs and continued use of devices that have already reached end of life,” explained Eric Greenwald, general counsel at Finite State.
“The vast majority of threat actors that use routers as an attack vector rely on known vulnerabilities for which patches have long ago been issued,” Greenwald wrote in an email. “Nation-state attackers simply do not need to rely on supply-chain attacks to compromise routers because the ecosystem is littered with devices that are child’s play to commandeer.”
Expect Routers to Increase in Price
The short-term impact of the FCC’s announcement is that there will be fewer options, and the rules of supply and demand will quickly come into play. Currently, more than 60% of the market is dominated by foreign makers.
For the enterprise, the next year should be spent replacing legacy equipment.
“Defenders should audit their current fleet of remote-access hardware and prioritize vendors moving toward U.S.-based manufacturing or those actively seeking DHS ‘Conditional Approval,’” said Small. “While existing hardware is safe for now, expect insurance carriers and federal auditors to eventually move the goalposts from ‘legal to use’ to ‘compliant to keep.’”
This will be a new expense for consumers and enterprises.
“This will definitely increase prices,” added Wyckhouse. “Companies will have to invest in U.S. manufacturing or retool existing operations, and that’s a major cost shift.”
Time will tell if it adds a layer of cybersecurity in the process.
“The FCC is finally treating home routers like the Trojan Horses they are,” Small continued. “Though I’m sure ‘Made in the USA’ will magically add 40% to the MSRP and zero to the patch frequency.”
