The US Federal Communications Commission (FCC) has moved to ban consumer-grade routers made outside the United States, following a determination that such hardware poses an unacceptable risk to national security and to the safety of American citizens and residents. The decision, announced in late March 2026, stems from an interagency body convened by the White House, which highlighted the potential for supply chain vulnerabilities that could cause downstream disruption and severe cybersecurity risks. According to the FCC, these risks "could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons."

Background and Rationale

The ban aligns with President Donald Trump's National Security Strategy, which aims to end US dependency on foreign countries for core components, whether raw materials, parts, or finished goods essential to defense or the economy. The FCC noted that malicious actors have long exploited security gaps in router hardware to conduct cyber attacks against various targets. For instance, intrusions attributed to Chinese state-sponsored groups such as Salt Typhoon and Volt Typhoon have targeted critical infrastructure, leveraging compromised routers as entry points.

FCC Chairman Brendan Carr welcomed the executive branch's national security determination, stating, "I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC's Covered List. Following President Trump's leadership, the FCC will continue to do our part in making sure that US cyberspace, critical infrastructure, and supply chains are safe and secure."

Scope and Exemptions

The addition of non-US routers to the Covered List means that any equipment produced outside the United States will not receive equipment authorization from the FCC prior to importation, marketing, or sale. The FCC defines "produced" broadly, covering "any major stage of the process through which the device is made including manufacturing, assembly, design, and development."

However, the ban includes an exemption for equipment that has received conditional approval from either the Department of Defense (DoD), which has been renamed the Department of War (DoW) by the Trump administration, or the Department of Homeland Security (DHS). The FCC "encouraged" producers of consumer-grade routers to apply for conditional approval to continue importing their products. Additionally, the change does not apply to routers that have already received equipment authorization or any equipment already acquired.

One notable exception mentioned in the article is the routers supplied for Elon Musk's Starlink service, which are manufactured in Texas. This highlights a critical issue: essentially, no consumer-grade routers are mass-produced within the United States, except for niche cases like Starlink.

Industry and Expert Reactions

The ban has sparked significant debate among cybersecurity experts and industry analysts. Ryan McConechy, principal security architect at Barrier Networks, noted that the policy raises several pressing questions. He pointed out that major router manufacturers, including American companies like Cisco, assemble their products in countries such as Taiwan and Vietnam. "A blanket ban like this could cause huge disruption," McConechy said. "Moving large manufacturing operations into new countries can take years and may not even be viable if costs prove too high." He added that the lack of wider regional supply chains often makes such shifts impossible, and at best, only basic assembly might move to the US in the short term.

McConechy also argued that the ban does not address the underlying security allegations about routers built outside the US. "Backdoors and spyware can still be integrated into networking technology, and security vulnerabilities will exist in router products regardless of where they're manufactured," he said.

Rik Ferguson, vice-president of security intelligence at Forescout, echoed these concerns. "The risk isn't just where a router is made; it's the millions already deployed, running outdated software, exposed to the internet, and rarely patched," he told reporters. Ferguson emphasized that adding foreign-made consumer-grade routers to the Covered List does not magically secure the millions of routers already in use, many of which will remain in homes and small offices for years. "That installed base matters because it's where so many attackers already live—in exposed management interfaces, abusing weak or reused admin credentials, and slow patching cycles, or end-of-life equipment that still works," he added.

Data on Router Vulnerabilities

The FCC's determination is backed by mounting evidence that network edge devices such as routers are inherently high-risk. Data released by Forescout's Vedere Labs analysts reveals that routers have overtaken traditional PCs as the devices most at risk of compromise, accounting for one-third of the most critical vulnerabilities uncovered in 2025. Daniel dos Santos, Forescout senior director and head of research, noted that routers have an average of 32 vulnerabilities each in monitored networks. Their 2025 Threat Roundup report also identified network infrastructure devices as a rapid-growth exploitation category: 19% of exploits observed in 2025 targeted such devices, up from 14% in 2024 and 11% in 2023.

The Vedere Labs report, titled The Riskiest Connected Devices in 2026, showed a surge in newly identified high-risk device types, with 11 appearing on the list for the first time, including serial-to-IP converters, time clocks, RFID readers, BACnet routers, and medical image printers. The team noted that 40% of the riskiest device types did not appear on the list in 2025, and 75% did not in 2024. This diversification poses a challenge for security teams, as such devices are often harder to harden, inventory, or patch.

Supply Chain and Economic Implications

Economically, the ban could have far-reaching consequences. Consumer-grade routers are a global commodity, with production concentrated in Asia, particularly in China, Taiwan, and Vietnam. Shifting supply chains to the US would require massive investment in new factories, skilled labor, and component sourcing. For example, many routers rely on chipsets from Taiwanese firms (e.g., MediaTek) and other components from various Asian suppliers. The US has limited semiconductor fabrication capacity for such chips, and building a self-sufficient ecosystem would take years.

Moreover, the ban might inflate costs for consumers and businesses. If domestic manufacturing cannot keep pace, prices for routers could rise sharply, or shortages could occur. Internet service providers (ISPs) that rely on customer-premises equipment provided by router manufacturers could face logistical hurdles. The FCC's encouragement for conditional approval suggests a potential workaround, but the process remains unclear.

Broader Cybersecurity Concerns

The focus on hardware manufacturing may divert attention from more pressing cybersecurity issues. Security experts argue that the majority of router compromises result from poor security practices rather than supply chain tampering. For instance, many users fail to change default passwords, disable remote management, or apply firmware updates. Attackers often exploit known vulnerabilities in widely deployed devices, regardless of their country of origin.

Furthermore, the ban does nothing to address the large installed base of foreign-manufactured routers already in use. As Ferguson noted, consumers and businesses are unlikely to discard functional routers simply because of new import restrictions. These devices will continue to be vulnerable for years unless proactive measures are taken to secure them. The FCC might need to consider additional initiatives, such as mandatory security standards for existing devices or incentives for upgrading.

The issue of cybersecurity in network edge devices is not limited to routers. Similar concerns apply to modems, switches, firewalls, and Internet of Things (IoT) devices. A holistic approach would involve improving software update mechanisms, encouraging secure configuration, and promoting threat intelligence sharing. The ban, while addressing one dimension, may create a false sense of security if other attack vectors remain unaddressed.

Historical Context: US Trade and Technology Policy

This ban is part of a broader trend in US trade and technology policy under the Trump administration. The administration has pursued tariffs and restrictions on Chinese technology, citing national security concerns. For example, earlier measures targeted telecommunications equipment from Huawei and ZTE. The router ban extends this logic to consumer hardware, reflecting a growing preoccupation with supply chain security. Critics argue that such measures can be counterproductive, as they may stifle innovation, reduce competition, and strain diplomatic relations with key allies. However, proponents maintain that the risks outweigh the costs, especially given the sophistication of state-sponsored cyber attacks.

The ban also echoes earlier US actions against Russian and Chinese influence in critical infrastructure. In 2020, the FCC added certain Chinese telecom companies to the Covered List. The inclusion of routers represents an escalation, as the devices are ubiquitous in homes, small businesses, and even some enterprise environments. The FCC's decision underscores the perception that any hardware supply chain outside US control poses a potential threat.

Looking Ahead: The Future of Network Security

As the ban takes effect, the cybersecurity community will watch closely for its impact. In the short term, the market may see a scramble for conditional approvals as manufacturers seek to maintain access to the US market. Over the longer term, domestic manufacturing could emerge, but it remains uncertain whether it will be cost-competitive. The ban might also accelerate the development of open-source router firmware or alternative networking solutions that allow users to verify hardware integrity.

Ultimately, the FCC's action is a significant policy shift that raises more questions than it answers. While it addresses a genuine national security concern, the practical implications for supply chains, existing devices, and overall cybersecurity effectiveness are complex. Whether the ban makes Americans safer or merely creates new challenges will depend on how well it is implemented and complemented by other security measures.

Source: ComputerWeekly.com News