The Federal Communications Commission is taking a hard turn on internet security, advancing a plan that could effectively shut out new foreign-made routers from the U.S. market amid growing concerns about cyber threats tied to overseas supply chains.
The proposal expands the FCC’s “covered list,” which blocks equipment deemed a national security risk. If implemented as outlined, new routers would either need to be manufactured in the United States or pass a strict national security review examining ownership, supply chains, and software control before being approved for sale.
Industry experts say that the standard may be impossible to meet in the short term.
“Effectively, the FCC would ban all new routers, because there are no domestic routers that meet that standard today,” said Matt Wyckhouse, CEO of cybersecurity firm Finite State. “There’s no one who can clear the bar right now.”
The move comes as federal officials warn that foreign-made routers have already been exploited in cyberattacks targeting Americans. According to the FCC, malicious actors have used vulnerabilities in these devices to infiltrate home networks, conduct espionage, and mask attacks on U.S. infrastructure.
Much of the concern centers on China-linked manufacturing. A large share of routers sold in the United States rely on Chinese engineering, components, or assembly, even when marketed under American or allied brands. That includes top-selling companies like TP-Link, which has faced increasing scrutiny in Washington.
Despite that scrutiny, TP-Link signaled support for tighter standards, calling the rule a step toward improving security while noting plans to expand U.S.-based manufacturing alongside existing operations in Vietnam.
Still, shifting production away from global supply chains presents a major challenge. Even companies that have moved assembly out of China often continue to rely on Chinese-owned facilities or engineering teams, leaving key parts of the supply chain unchanged.
Core elements like firmware development and chipset design are frequently tied to overseas teams, raising concerns about hidden vulnerabilities embedded deep within widely used devices.
Recent cyber incidents have intensified those concerns. In 2023, the Justice Department disrupted a network of compromised routers linked to a Chinese state-backed hacking group known as Volt Typhoon. The group used infected home and small-business routers to disguise cyberattacks on critical U.S. infrastructure, routing malicious traffic through domestic networks to avoid detection.
Because a single router connects multiple devices — from phones and laptops to security cameras and smart home systems — a breach can provide broad access inside a household or business network.
The FCC’s proposal is part of a broader push in Washington to reduce reliance on foreign technology across key sectors, including telecommunications and semiconductors. Supporters argue it addresses long-standing security gaps, while critics warn it could disrupt supply chains and drive up prices.
“This will definitely increase prices,” Wyckhouse said, pointing to the cost of building domestic manufacturing capacity or restructuring existing operations.
The rule would not affect routers already in use or those currently approved for sale in the U.S. But once existing inventory runs out, new foreign-made models could be blocked unless they meet the new requirements.
Cybersecurity experts also note that many risks tied to routers stem from outdated software rather than the country of origin. Devices that are not regularly updated remain vulnerable to exploitation, regardless of where they are made.
“The primary problem with routers is not where they’re made, it’s that consumers don’t update them,” Wyckhouse said. “It’s far more important to choose a router that updates automatically.”
