IGF Mauritius

Internet Governance Forum Mauritius


Fake Cybersecurity: The FCC Router Ban

On March 23, 2026, the Federal Communications Commission (FCC) issued a Memorandum and Order banning the import of “covered” consumer-grade networking hardware. The decision demonstrates once again how the Trump administration’s economic nationalism and its use of “national security” claims as a basis for arbitrary executive-branch actions are having disastrous effects on the global digital economy, while doing nothing to improve cybersecurity. 

The Secure and Trusted Communications Networks Act of 2019 required the FCC to maintain a list of communications equipment that someone in the government thinks poses a risk to national security. Previous iterations of this list targeted specific corporate entities like Huawei, ZTE, or Hikvision. Last week’s action expanded the “Covered List” to include ordinary household internet equipment, not specific companies, based entirely on foreign origin.

What is banned? 

The ban targets new Small Office/Home Office (SOHO) routers, Wi-Fi extenders, and mesh systems. These devices can be found in practically every American home. The import ban includes any device where the “critical manufacturing and firmware assembly” occurs within a jurisdiction designated as a foreign adversary (primarily the People’s Republic of China, Russia, and Iran). The leverage for the ban comes from the FCC’s Equipment Authorization process. No new models from these regions can receive the “FCC ID” required for legal sale in the U.S. The Defense Department or the Department of Homeland Security (DHS) can exempt a product by transmitting to the FCC a specific determination that a given router or class of routers does not pose such risks.

As of March 23, 2026, the FCC ceases all new equipment authorizations for covered devices. Starting in September 2026, retailers are prohibited from importing new inventory of covered devices. A year from now, March 2027, the “Maintenance Waiver” expires, and even security patches for existing legacy devices must undergo a secondary federal audit if they originate from covered jurisdictions. 

Fortunately, this bit of security theater does not apply to hardware that is already authorized and currently in consumers’ homes, or in the retail channel. These products can continue to be a “national security threat.” It also does not apply to enterprise or carrier-grade equipment, which remains governed by previous specific-entity bans. Certain sub-components (like passive capacitors or casing) are exempt, provided the “logic-bearing” components (SoCs and Firmware) are not of foreign-adversary origin. 

Legal Authorities 

The primary vehicle for this action is the Secure and Trusted Communications Networks Act of 2019; the law passed after an orchestrated and sustained U.S. intelligence community campaign portraying Huawei equipment as a potential (but never actualized) Trojan Horse. Additionally, the Secure Equipment Act of 2021 prevents the FCC from reviewing or approving any authorization for equipment after it has been placed on the Covered List, effectively turning a “warning list” into a “market ban.” 

Just as this new move will prove to be very costly to consumers, the “Rip and Replace” program authorized by the 2019 Act generated a massive funding shortfall. While the law initially estimated costs at $1 billion, and Congress appropriated $1.9 billion, the actual requests from carriers totaled nearly $5 billion. Many small carriers started “ripping” without enough money to finish the “replacing,” leading to concerns about service outages in rural areas. In the years preceding this farce, not a single compromise of American telecom networks or data was attributable to the use of Huawei gear. On the other hand, dozens of Chinese-instigated intrusions occurred by means of compromises of American-made software and phishing.

Factual Studies and Intelligence Reports 

To support its decision, the FCC cited two primary types of evidence.  

  1. The “Typhoon” Campaign Reports: Intelligence from CISA and the FBI regarding Volt Typhoon and Salt Typhoon. These reports detailed how state-sponsored actors hijacked thousands of SOHO routers to create a “botnet” that obfuscated attacks on U.S. power grids and water systems. 
  2. The 2025 Supply Chain Audit: A Department of Commerce study argued that the concentration of 85% of the consumer router supply chain in China creates a “systemic vulnerability” where a single firmware update could be weaponized to disable U.S. home internet access. 

Just as the Huawei and TikTok scares played on the general public’s ignorance of actual cybersecurity risks and vulnerabilities, the new FCC ban follows the same pattern. These reports do not provide evidence for the policy.

Deconstructing the “Foreignness” Fallacy 

The central logical pillar of the FCC ban is that the origin of manufacture is the primary determinant of risk. However, an empirical look at the “Typhoon” intrusions reveals a profound disconnect between this premise and the technical reality. 

Vulnerabilities vs. Backdoors. The FCC justifies the ban on the potential for “backdoors”—intentional entry points built at the factory. Yet, in the history of the Volt Typhoon and Flax Typhoon campaigns, not a single instance of a hardware-level manufacturing backdoor was identified. Instead, these actors exploited: 

  • Unpatched Software Bugs: Standard coding errors (CVEs) that exist in software globally. 
  • Weak Credentials: Default “admin/admin” passwords in cheap devices that users never changed. 
  • Management Interfaces: Ports left open to the public internet due to poor user configuration or “Secure-by-Design” failures. 

The Geography of Code. The digital economy is global. A router “Made in the USA” likely runs a Linux kernel maintained by global contributors, uses Wi-Fi drivers written in Taiwan, and incorporates open-source libraries managed by developers worldwide. By focusing on the geographic location of the assembly line, the FCC ignores the logical supply chain of the software. A U.S.-assembled router with a poorly written UPnP (Universal Plug and Play) implementation is just as vulnerable to a hijacking as a foreign one. 

If one looks at the Cybersecurity Advisory issued by DHS, NSA, and other agencies about the botnets used by the Chinese, one finds that U.S.-based processor architectures were involved in over 90% of the compromises, and that vendors and products like Juniper, Apache, Linux, Fortinet, Atlassian and others not located or headquartered in “adversary nations” were exploited. 

Targeting New Devices instead of Legacy Ones?

Perhaps the most obvious lack of logic in the FCC’s policy is its exclusive focus on new equipment authorizations while leaving legacy devices in place. Empirical data from cybersecurity firms consistently shows that older devices are significantly more vulnerable than new ones. 

  • End-of-Life (EOL) Status: The Volt Typhoon campaign specifically targeted “End-of-Life” routers because they no longer receive security patches. 
  • Legacy Protocols: Older routers often use outdated encryption (WEP/WPA) and lack modern hardware-level protections like Secure Boot or Trusted Platform Module (TPM). 

By banning the sale of the newest, most secure Wi-Fi 7 and Wi-Fi 8 routers from dominant foreign manufacturers, the FCC forces the American public to pay substantially more for upgraded, more secure equipment or, what is more likely, to keep their older, more vulnerable devices for longer. 

If a consumer cannot easily or affordably replace their 2019-era router because the 2026 models are banned, the total attack surface of the United States actually increases. The ban targets the very devices most likely to have modern, auto-updating security features, while providing a “free pass” to the millions of insecure, aging devices that state-sponsored actors are currently exploiting. 

The FCC’s decision assumes that manufacturing origin is the primary risk factor. However, cybersecurity data suggests that device age and software support are far more critical indicators of whether a router will be compromised. 

                     | Modern Wi-Fi 7        | Modern Wi-Fi 6      | Legacy Wi-Fi
---------------------+-----------------------+---------------------+--------------------
Encryption Standard  | WPA3 (mandatory)      | WPA3 supported      | WPA2 (vulnerable)
Update Support       | Active (auto-updates) | Active              | End of life (none)
Hardware Security    | Secure Boot / TPM     | Firmware signing    | Minimal/none
Risk                 | Low                   | Moderate if patched | High

All new Wi-Fi 7 and most Wi-Fi 6 devices utilize WPA3, which protects against common “offline” password-cracking attacks. Many legacy devices in homes rely on WPA2, which has known architectural flaws like the KRACK vulnerability.

Modern hardware is designed to only run firmware that has been digitally signed by the manufacturer. This would have prevented the “Typhoon” actors from overwriting the router’s operating system with a malicious one. Most legacy routers targeted by the KV-Botnet lacked this physical protection.

CISA and the FBI noted that the Volt Typhoon campaign specifically targeted End-of-Life routers from Cisco and Netgear. These devices are technically “trusted” by the FCC because they were authorized years ago, yet they are the most vulnerable items on the network because they no longer receive security patches.

Conclusion 

By blocking the importation of modern Wi-Fi 7 equipment based solely on its “foreignness,” the FCC actually worsens the security situation. Incentives to upgrade to modern, more secure hardware are reduced, and users are encouraged to keep using unpatched legacy equipment—the exact hardware that state-sponsored actors have successfully weaponized for years.  

Does this whole thing make any sense? It does if you see the FCC’s ban as an exercise in industrial policy disguised as cybersecurity. Netgear, a US-founded and headquartered company, has been lobbying the government on “cybersecurity and strategic competition with China.” Once again – as with the semiconductor export controls and the TikTok ban – we see the bootleggers seeking protection from competition hiding behind the religious banner of national security. While the risks of state-sponsored infrastructure attacks are real, the remedy chosen – a geographic ban on new hardware – prioritizes geopolitical decoupling over the immediate technical hardening of the American digital home.

The post Fake Cybersecurity: The FCC Router Ban appeared first on Internet Governance Project.