The United States has taken a bold swing at a real problem, but in doing so may have created a different set of headaches entirely. On 23 March, the Federal Communications Commission added all foreign-made consumer routers to its Covered List, banning new models from receiving FCC authorization and preventing them from entering the US market. The question now is whether this dramatic action addresses a genuine security threat in a measured way, or represents regulatory overreach that punishes the broader market for specific, identifiable risks.
Let us be honest about what is really happening here: Volt Typhoon, Flax Typhoon, and Salt Typhoon were real, large-scale, state-sponsored intrusion campaigns that exploited vulnerabilities in small and home office routers to gain footholds in American networks. Foreign-made routers were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure. The threat is documented. The methods are known. American critical infrastructure, from telecommunications networks to power systems, has been compromised via router vulnerabilities. This is not hypothetical fear-mongering; it is a substantive national security concern.
China commands around 60% of the market for consumer routers. Foreign-produced routers pose a severe cybersecurity risk that could be leveraged to disrupt U.S. critical infrastructure and directly harm U.S. persons. The interagency determination behind the ban reflects genuine anxieties about supply chain vulnerability. The question is whether the remedy fits the diagnosis.
The counter-argument deserves serious consideration. The federal government has almost always opted to narrowly target specific foreign companies with known or problematic connections to foreign adversaries, like Chinese telecom Huawei or Russian antivirus firm Kaspersky Labs. This time, the FCC chose differently. The restrictions ban all routers "produced in a foreign country" except those granted conditional approval by the departments of Defense or Homeland Security.
Here is where the policy becomes unwieldy. Not a single major consumer router brand currently manufactures its products domestically, and even American-headquartered companies typically produce their routers overseas. Netgear, Amazon Eero, and Google Nest Wifi all manufacture in Asia, including Taiwan and countries that are not geopolitical adversaries. Brands including TP-Link, D-Link, Asus, and Linksys build their hardware across Taiwan, Thailand, and Vietnam. The FCC's own definition is sweeping; it covers not just manufacturing but design and development anywhere outside the United States.
Cybersecurity experts have warned that essentially no consumer-grade routers are manufactured domestically in the US, and many American companies assemble products in countries like Taiwan and Vietnam, meaning a blanket ban could cause huge disruption. At least one of China's previous major communications hacking operations, Salt Typhoon, predominantly targeted known vulnerabilities in Western-produced devices rather than relying on new points of entry into critical systems. The ban assumes that origin of manufacture determines security risk. The evidence suggests the relationship is more complex.
Strip away the talking points and what remains is a policy that may feel decisive but lacks a workable pathway to implementation. Manufacturers must apply for conditional approval from the Department of War or Department of Homeland Security and provide a plan to shift at least some manufacturing to the United States, with no established processing timeline. No major consumer router brand currently manufactures in the United States at any meaningful scale, and until manufacturers either obtain Conditional Approval or establish domestic production, no new router models are expected on US store shelves.
The practical stakes matter. Consumers who already own a foreign-made WiFi router can continue using it, and retailers can keep selling models that have received FCC authorization, confirmed by an FCC ID on the device. But for anyone wanting a new router, the market narrows considerably until manufacturers navigate the approval process.
The fundamental question is whether this policy serves national security or merely performs it. The threat from compromised routers is real. Whether banning an entire global product category, rather than targeting specific manufacturers with documented security problems, actually improves American security is a point on which reasonable people can disagree. One approach tightens supply chain visibility and forces manufacturers to demonstrate security standards; the other creates uncertainty, potentially raises prices, and may drive less legitimate vendors toward workarounds.
This is not a left-right issue; it is a competence issue. Good policy recognises both the threat and the limits of what regulation can realistically achieve. Voters deserve better than sweeping bans that feel tough without being thoughtful.