Understanding the FCC’s National Security Determination on Foreign-Made Network Routers


What Prompted the FCC’s National Security Determination?

The Federal Communications Commission (FCC) recently issued a National Security Determination focusing on foreign-made consumer-grade network routers. This decision addresses the increasing number of cyberattacks leveraging vulnerabilities in routers produced abroad. The FCC highlighted that both state-sponsored and non-state actors are using these vulnerabilities to launch direct attacks on American civilians in their homes. This determination partly stems from findings summarized in joint Cybersecurity Advisories by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in 2024. Notably, a September 2024 advisory titled “People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations” revealed that thousands of Internet-connected devices, including small office/home office (SOHO) routers, had been compromised to form a botnet containing over 126,000 devices in the United States.

Impact on Existing and Future Consumer-Grade Routers

As of now, the FCC’s action does not prohibit the sale or use of currently authorized foreign-produced routers available on the market. However, it will no longer grant equipment authorization for new models of such routers. This means that new foreign-produced devices cannot be legally imported, marketed, or sold in the United States. Additionally, as with other banned items, it is possible that foreign-produced travel routers could in the future face similar enforcement, including potential seizure by U.S. Customs at entry points.

Affected Consumer Brands and Market Dynamics

Many consumer router brands sold in the U.S., including Netgear, D-Link, TP-Link, Asus, and Eero, are foreign-made. Any new models that continue to be manufactured abroad would be barred from import and sale in the U.S. This shift from large-scale production in China to on-shored development is expected to result in higher retail prices for new devices. However, since existing consumer router models are not banned, consumers may continue purchasing currently available foreign-produced routers.

Security Threats from Foreign-Produced Routers

The primary security threat is unauthorized access and use of consumer routers for malicious cyber activities. The FCC’s determination cites routers produced abroad as being directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks, which targeted critical American infrastructure, including communications, energy, transportation, and water systems.

Ensuring the Security and Trustworthiness of Network Routers

To build consumer routers in the U.S., router vendors will need access to trusted supply chains while still relying on foreign-made electronic components for use in future products. Enhanced security testing of embedded software and prompt remediation of identified vulnerabilities with timely patches will be crucial. Router manufacturers offering secure automatic downloads and installation of upgrades will likely gain a market advantage.

Thoughts on the FCC’s Decision and TAC’s Role

The FCC’s determination is a significant step in protecting U.S. citizens, infrastructure, and businesses from malicious cyber actors in the future. However, a few concerns remain:

  1. Banning future foreign-made consumer routers from sale or import into the United States does not address the current national cybersecurity exposure due to the tens of millions of foreign-made consumer router devices in use today.
  2. Even most U.S.-branded consumer-grade routers (e.g. Netgear) are manufactured outside the United States. There are few practical U.S.-made market alternatives for security-conscious consumers to purchase instead.
  3. In addition to routers, there are many consumer-grade IoT devices (such as thermostats, appliances, and smart home hubs) that remain foreign-made, connect to foreign-hosted networks, and currently pose additional cyberattack risks.

The Technology Advancement Center (TAC), a non-profit organization, is dedicated to understanding national-security threats posed by emerging technologies. We train, accelerate, and connect the workforce and U.S. government with innovations to enhance our national defense and protect critical infrastructure.

At a minimum, we recommend that users of ALL consumer-grade routers do the following:

  1. Regularly update router firmware: Check that your router has the latest firmware version provided by the manufacturer installed. Download and install only firmware obtained directly from the manufacturer’s support website.
  2. Change default router administration password: It is estimated that between 30% and 40% of routers on the Internet still use the default password. Most consumer routers allow you to set a password to administer the device. Change your default router password to a mix of upper-case, lower-case, number, and symbol characters (if permitted). The longer and more random the password, the better.
  3. Check router configuration settings: Sometimes users accidentally reset configuration settings during new firmware upgrades. In addition, new firmware may include new security features that can be used. Verify that your intended or newly available settings are correct after updates have been installed. If offered as features, require HTTPS to secure your network connection to administer the router, enable automatic firmware download and installation, disable remote device administration (e.g. not allowing administrator login from the Internet-facing side of your router), and disallow UPnP (by default).
  4. Update Wi-Fi settings: We strongly discourage leaving Wi-Fi networks “open” (e.g. no encryption enabled). Be sure to enable the strongest Wi-Fi encryption setting supported by your wireless devices (e.g. WPA3, if available) and pick a strong password for your Wi-Fi networks.
  5. Upgrade old routers: If your router is more than 5 years old or does not allow all of the above, consider upgrading your router anyway. Despite the ban, upgrading to a modern U.S. consumer-router brand device will raise your baseline security, especially if you take these recommended steps.

… and there are many more intermediate and advanced recommendations to improve the security posture of consumers’ routers and networks.
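The five baseline recommendations above can be expressed as an automated check. This is an added example, not code from TAC or any router vendor; the settings keys, the 12-character password minimum, and the sample snapshot are assumptions constructed for illustration, since each vendor exposes its settings differently.

```python
from datetime import date

DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}  # constructed sample list
WIFI_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
MIN_PW_LEN = 12  # assumed threshold; the checklist only says longer is better

def version_tuple(v):
    """Turn '1.0.9' into (1, 0, 9) so '1.0.9' < '1.0.11' compares correctly."""
    return tuple(int(part) for part in v.split("."))

def weak_password(pw):
    """True if the password is a known default, too short, or lacks the character mix."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return pw.lower() in DEFAULT_PASSWORDS or len(pw) < MIN_PW_LEN or not all(classes)

def audit(cfg, today):
    """Return (checklist_item, finding) for every recommendation the snapshot fails."""
    findings = []
    if version_tuple(cfg["firmware_installed"]) < version_tuple(cfg["firmware_latest"]):
        findings.append((1, "firmware is behind the manufacturer's latest release"))
    if weak_password(cfg["admin_password"]):
        findings.append((2, "admin password is default, short, or lacks character mix"))
    for key, wanted, msg in [
        ("admin_https_only", True, "admin interface does not require HTTPS"),
        ("auto_update", True, "automatic firmware updates are off"),
        ("remote_admin", False, "administration is reachable from the Internet side"),
        ("upnp", False, "UPnP is enabled"),
    ]:
        if cfg.get(key) != wanted:  # a missing setting counts as a failure
            findings.append((3, msg))
    for ssid, mode in cfg["wifi"].items():
        if WIFI_RANK.get(mode, 0) < WIFI_RANK["WPA2"]:
            findings.append((4, f"SSID {ssid!r} uses {mode}: open or obsolete encryption"))
    if today.year - cfg["model_year"] > 5:
        findings.append((5, "router is more than 5 years old"))
    return findings

# Constructed snapshot with hypothetical key names, as a user might transcribe
# it from the router's admin pages.
SAMPLE = {
    "firmware_installed": "1.0.9", "firmware_latest": "1.0.11",
    "admin_password": "admin", "admin_https_only": True, "auto_update": False,
    "remote_admin": True, "upnp": True,
    "wifi": {"home": "WPA3", "guest": "open"}, "model_year": 2018,
}

if __name__ == "__main__":
    for item, finding in audit(SAMPLE, date.today()):
        print(f"[recommendation {item}] {finding}")
```

Re-running the check after every firmware update catches the settings resets that recommendation 3 warns about.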

If you’re a local, state, or federal government entity looking to shape policies surrounding this issue, contact us. If you’re in industry and looking to inform the market or capabilities, contact us. If you’re an individual who is very interested in your personal security or in these issues that might affect you or the company you work for, contact us.

Check out TAC events and blog posts to help us increase vigilance and collaboration to secure the United States’ digital landscape.
