FCC bans imports of new foreign-made consumer routers

The US Federal Communications Commission has ordered a ban on importing new consumer routers that are manufactured overseas, citing “unacceptable risks” to national security and pointing to recent intrusions attributed to China-backed hacking groups. The order, published late Monday and reported by TechCrunch, says it will cover “all consumer-grade routers produced in foreign countries,” while leaving existing devices in homes and warehouses unaffected.

The immediate consequence is to turn a messy engineering problem—how to ship secure, patchable networking gear into millions of unmanaged households—into a border-control problem. The FCC’s text, as described by TechCrunch, offers a carve-out: new devices may be granted an exception if the Departments of Defense or Homeland Security approve. That puts the practical gatekeeping power not with independent labs or liability insurers, but with federal agencies whose incentives run toward defensible paperwork and politically legible decisions.

The ban also collides with how routers are actually made. “Foreign-made” is not a clean category in a supply chain where chipsets, firmware, assembly and cloud management can be spread across several countries and subcontractors. According to Reuters, cited by TechCrunch, China commands around 60% of the consumer-router market; forcing a sudden reconfiguration of sourcing would not just affect Chinese brands but also US and European labels that rely on overseas manufacturing.

The FCC has not provided evidence that routers built in the United States are inherently more secure than those built abroad. TechCrunch notes that Salt Typhoon, a China-backed espionage group, has exploited vulnerabilities in routers made by Cisco, an American firm. Another group, Flax Typhoon, is accused by US authorities of running a botnet that targeted both US-made and foreign-made routers. In practice, the attack surface tends to be firmware quality, update mechanisms and default configurations—not the passport of the final assembly line.

That mismatch is where the economic stakes sit. If import permission becomes conditional on federal sign-off, compliance becomes the product: larger vendors can fund certification programs, maintain government liaison teams and absorb shipment delays, while smaller competitors face a new fixed cost to enter the market. The FCC’s order effectively creates a regulatory choke point that can be used to reshape the vendor landscape without having to prove that the resulting devices are safer.

The political logic is familiar. When a consumer router is hijacked and used for surveillance or denial-of-service attacks, the failure is diffuse: a vendor shipped it, a user never updated it, an ISP didn’t notice, and an attacker exploited a known flaw. A border ban concentrates the story into a single decision—allowed or blocked—making future breaches easier to frame as “we kept the bad hardware out,” even when the vulnerabilities are in software and operational practice.

The FCC chairman Brendan Carr said the agency would keep working to secure “U.S. cyberspace, critical infrastructure, and supply chains.” TechCrunch also notes that Carr was among the commissioners who voted in November to scrap cybersecurity rules requiring telecom operators to secure lawful intercept systems—an area where compliance is measurable and responsibility is closer to the operator.

For now, the order leaves existing routers in place. The next household upgrade cycle will determine whether US router security improves—or whether the main change is who gets permission to sell the next box.