Is the FCC's Router Ban the Wrong Fix?

ENDPOINT SECURITY REMOTE WORKFORCE NEWS Is the FCC's Router Ban the Wrong Fix? The agency put foreign-made consumer routers on its list of prohibited communications devices, but the ban could create more problems down the road. Jai Vijayan,Contributing Writer March 26, 2026 4 Min Read SOURCE: SOLDATOOFF VIA SHUTTERSTOCK A March 23 decision by the Federal Communications Commission (FCC) to include foreign made routers on its national security risk list could ironically leave US consumers and small business more vulnerable over the long term. The FCC's move essentially prohibits the import of new models of consumer grade routers made by manufacturers outside the US. Consumers and businesses that are already using foreign made routers can continue using them, and retailer can continue to sell and import router models that the FCC has already previously approved for use.  However, the FCC will no longer approve new consumer-grade router models made outside the US, effectively banning their import. It will consider exemptions for some devices as needed. The agency said it arrived at the decision after a White House-convened interagency body determined that such routers "pose unacceptable risks to the national security of the United Sates," the FCC said.  Related:Ransomware's New Era: Moving at AI Speed A National Security Risk? The risks outlined by the FCC include the potential for adversaries to insert backdoors and to otherwise compromise routers to conduct mass surveillance and data theft, to use them in botnet attacks, and to gain unauthorized access to sensitive networks.  "Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage and facilitate intellectual property theft," the FCC said. "Foreign-made routers were also involved in the Volt, Flax and Salt Typhoon cyberattacks targeting vital U.S. infrastructure." Currently, almost all small office/home office (SOHO) routers that American consumers use — and also many commercial grade devices — are manufactured by companies based outside the US. And the supply chain risk they pose is real, particularly at the national security level, says Rebecca Krauthamer, CEO and co-founder, of QuSecure.  The FCC's move is about reducing geopolitical exposure and dependence on foreign-controlled components and not just addressing technical vulnerabilities at the device level, she says. "We are seeing a broader shift toward sovereign and trusted technology stacks in higher-security environments. When highly sensitive data is traversing or exposed to infrastructure components, origin truly does become a meaningful consideration," Krauthamer says. Potential Side Effects of the Router Ban Even so, the heavy US reliance on imported routers raises the question of whether the ban will leave Americans clinging to older, less secure devices for longer. Related:Cylake Offers AI-Native Security Without Relying on Cloud Services "The policy does not force immediate replacement, but it does raise the stakes on getting replacement right when the time comes," Krauthamer says. Many businesses are running routers that have been in place for a decade or more and are sitting directly in the critical path of network traffic, she says. "As businesses go to upgrade or replace infrastructure, they are likely to face a more constrained and potentially more expensive market, with fewer approved options and longer procurement cycles." Jim Needham, senior managing director at FTI Consulting, says the ban could force businesses using the affected class of routers to keep outdated equipment in place well beyond its normal replacement cycle, thus potentially weakening security. "There could be disruption and cost increases under the ban, as most routers are manufactured outside the U.S. and require periodic replacement to maintain strong security and keep pace with technological advancements," he says. However, because the ruling does not currently require replacing existing equipment, the concern is mostly prospective in nature at the moment, he adds. Another fundamental issue with the FCC's move, according to some security, experts is that router compromises rarely have to do with where a device is manufactured. In most cases, the risks are operational in nature and tied to issues like default credentials, missed patches and exposed management interfaces. Related:Bug in Google's Gemini AI Panel Opens Door to Hijacking "Threat actors exploit these vulnerabilities across domestic and international hardware alike," says Jason Soroko, senior fellow at Sectigo. "By fixating on silicon origin rather than maintenance rigor, the directive risks misdiagnosing the disease, conflating supply chain provenance with the far more pervasive threat of administrative complacency," he says. The European Union's approach to the issue — in the form of its Cyber Resilience Act — has been to require manufacturers selling connected devices in Europe, regardless of origin, to meet mandatory cybersecurity requirements covering secure defaults, vulnerability disclosure, and ongoing software support.  For the moment, the FCC's ban remains a forward-looking measure with limited immediate impact. The real test will come as older equipment ages out and businesses begin navigating a constrained replacement market. Pieter Arntz, researcher at Malwarebytes, says he found just one US made router — Starlink— in the category of routers that the FCC has banned. The big question now is whether the near-complete absence of domestic alternatives will drive investment in US manufacturing capacity or simply create a massive new vulnerability. "It depends on how lenient the FCC will be with the exemptions," Arntz says. "Currently, there is no immediate impact, but our fear is that it will make networks less secure in the long run." About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like ENDPOINT SECURITY Bug in Google's Gemini AI Panel Opens Door to Hijacking by Elizabeth Montalbano MAR 02, 2026 ENDPOINT SECURITY DPRK Actors Deploy VS Code Tunnels for Remote Hacking by Elizabeth Montalbano, Contributing Writer JAN 22, 2026 ENDPOINT SECURITY Chrome Store Features Extension Poisoned With Sophisticated Spyware by Elizabeth Montalbano, Contributing Writer JUL 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE