A week after the Federal Communications Commission banned foreign-made consumer routers on national security grounds, a public policy professor from the University of Georgia has challenged whether the order actually achieves its stated goal.
Milton Mueller, founder of the Internet Governance Project, says the ban "only makes sense as industrial policy disguised as cybersecurity." The FCC justified its action by citing two main concerns: evidence that cyberattacks by Chinese-linked hacking groups exploited vulnerabilities in home routers, and a Department of Commerce finding that China controls 85 percent of the global consumer router supply chain.
Mueller's core argument rests on a practical observation about how real cyberattacks actually work. Research into recent botnets shows the reason routers are exploited isn't because they were made abroad, but because they are shipped with default credentials and unclear directions on how to change them. When examining actual Volt Typhoon and Salt Typhoon intrusions, evidence suggests attackers exploited unpatched bugs, unchanged default device credentials, and bad design that leaves network ports exposed to the public internet. A router's country of assembly, he contends, has nothing to do with these fundamental security lapses.
The ban creates a different problem: incentive structures. By preventing the sale of newer, more secure Wi-Fi 7 and Wi-Fi 8 routers from foreign manufacturers, consumers may be forced to pay more for upgrades or, more likely, to keep older, more vulnerable devices in place longer. This matters enormously. Security researchers have found that end-of-life routers become perfect entry points; Volt Typhoon compromised 30 percent of visible older Cisco routers within just 37 days.
Mueller raises a logical inconsistency in the FCC's approach. The ban targets the very devices most likely to have modern, auto-updating security features, while providing a free pass to millions of insecure, aging devices that state-sponsored actors are actively exploiting. The government's own disruption efforts against Volt Typhoon in early 2024 focused precisely on removing malware from outdated routers, confirming these older devices remain threats.
What complicates the picture is the commercial dimension. Netgear shares rose as much as 16.7% in after-hours trading following the announcement, with investors apparently believing the company would gain an exemption while competitors like TP-Link faced constraints. Netgear has been lobbying the government on cybersecurity and strategic competition with China, and disclosed $60,000 in lobbying expenses during the fourth quarter of 2024, including efforts on the ROUTERS Act.
This raises fair questions about whether policy reflected technical reality or competitive advantage. Cybersecurity experts have noted that TP-Link routers have no more vulnerabilities than competitors, yet Netgear repeatedly referenced TP-Link on security concerns in what TP-Link described as a "smear campaign." The practical outcome: TP-Link commands roughly 35 percent of the US consumer router market, with Netgear and Asus accounting for another 25 percent. A ban that disadvantages TP-Link significantly reshuffles competitive positions.
The legitimate national security concerns are real. Malicious hackers have exploited flaws in foreign-made routers to attack US households, disrupt networks, and enable cybercrime and surveillance. State-sponsored Volt Typhoon, Flax Typhoon, and Salt Typhoon cyberattacks exploited vulnerabilities in home and small-office routers to gain access to American networks and critical infrastructure. Those threats warrant policy responses. Yet the question Mueller poses remains uncomfortable: does banning where routers are assembled meaningfully reduce those threats, or does it simply redirect market advantage to established US players at the expense of genuine security improvements?
Even American-headquartered companies typically produce their routers overseas; Netgear manufactures models in Vietnam and Taiwan. The ban applies only to new devices receiving FCC authorisation and does not restrict continued use of previously-purchased routers. That distinction matters for consumers, but it doesn't resolve Mueller's fundamental critique: that geography-based restrictions address symptoms rather than the underlying security problems that made routers attractive targets in the first place.
The evidence suggests reasonable people can disagree on whether this policy makes sense. The government's assertion that foreign manufacturing creates unacceptable systemic risk deserves serious consideration. But Mueller's observation that the remedy may prove worse than the disease also warrants attention. When old, less secure equipment becomes the only option because new equipment carries geopolitical complications, the total security of American networks might actually decline.