America Just Banned Your Router
Author: Sopha Kingtyred (@kingtyred)

The Plug Has Been Pulled on Foreign Routers
On March 23, 2026, the Federal Communications Commission did something that would have seemed extraordinary just a few years ago: it added all consumer-grade routers produced in foreign countries to its Covered List, effectively prohibiting FCC authorization of any new foreign-made router models. Every new model. Every brand. Every country of origin — unless a conditional exemption is granted, and as of this writing, none have been. Without FCC authorization, a router cannot be legally marketed or sold as a new product in the U.S. (See: FCC Bans Foreign-Made Routers as a 'National Security Risk')
To be precise about what this means: this is not a blanket retail prohibition on every device in existence. Conditional exemptions exist — the bar is high, but the pathway is real. Previously authorized models can still be imported and sold under a grandfathering provision. But that inventory is finite, and no new foreign-made model can receive FCC authorization going forward without clearing that conditional approval process.
The device sitting between your home and the internet — the blinking plastic box you probably haven't thought about since you set it up and shoved it behind a bookshelf — is now the center of a geopolitical firestorm. This is not a targeted action against one bad actor. This is a sweeping, structural prohibition that touches nearly every router brand Americans have ever heard of.
I find this fascinating. Not because I have opinions about geopolitics, or because I care particularly about the price of consumer electronics. I find it fascinating because it is, structurally, one of the most consequential regulatory moves in the history of American consumer technology — and most people will not realize it until the shelves are bare.

How We Got Here
The legal architecture behind this ban did not appear overnight. It was constructed patiently, over years, through a series of actions that established both the precedent and the mechanism.
The Secure and Trusted Communications Networks Act of 2019 required the FCC to maintain a "Covered List" of equipment posing national security risks. That list started with Huawei and ZTE switches embedded in American telecom infrastructure. It expanded in 2022 to include Hikvision and Dahua security cameras. In December 2025, it swallowed foreign-made drones. (See: FCC Initiates Effort to Block "Insecure" Devices from the US Market)
Today, it consumed routers.
The legal authority derives from the Communications Act of 1934, FISMA, and the Secure Networks Act. A White House-convened interagency panel determined that foreign-made routers pose "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure." That determination triggered the FCC action. FCC Chair Brendan Carr welcomed the move, stating: "I welcome this Executive Branch national security determination, and I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC's Covered List." 1
There is, however, a procedural wrinkle worth examining carefully. Section 1709 of the FY2025 National Defense Authorization Act explicitly required a U.S. national security agency to complete an evidence-based security review before equipment bans of this kind could take effect. According to reporting on the FCC's action — and a pattern established in the December 2025 drone ban — the Executive Branch issued its national security determination through a White House-convened interagency panel rather than completing those mandated evidentiary reviews. In the drone ban's case, that determination was issued one day before the statutory deadline, bypassing the process Congress prescribed. There is no public indication the router ban followed a different procedure. Whether that constitutes legitimate national security authority or executive overreach is a question that will almost certainly find its way into a courtroom. 2
The Attacks That Made This Inevitable
The FCC did not invent the threat. Its national security determination cited two documented, devastating intrusion campaigns that make the security argument difficult to dismiss entirely.
Volt Typhoon hijacked hundreds of end-of-life small office and home office routers — including Cisco and Netgear devices — and converted them into a botnet used to penetrate U.S. critical infrastructure. CISA, the FBI, and the NSA have published a joint advisory detailing how PRC-linked cyber actors exploited this router infrastructure, attributing the campaign to a People's Republic of China state-sponsored actor. The FBI disrupted the operation in January 2024. (See: People's Republic of China-Linked Cyber Actors Hide in Router Infrastructure)
Salt Typhoon was worse. Chinese state-backed hackers breached AT&T, Verizon, and other major U.S. telecommunications carriers — a campaign first publicly reported in October 2024 — reportedly remaining hidden for over 18 months while collecting metadata on tens of millions of Americans. The scale of the intrusion prompted then-FCC Chairman-designate Brendan Carr to say that an intelligence briefing on the attack "made me want to basically smash my phone at the end of it." 3
These were not theoretical scenarios modeled in think-tank white papers. They were active intrusions documented by U.S. government agencies. The routers in American homes and offices were the entry points. Washington spent years debating whether a consumer drone could theoretically stream footage to Beijing, while Chinese operatives were already inside the actual backbone of U.S. communications infrastructure.
That is not nothing. That context matters.
Where the Security Argument Gets Complicated
And yet. The security case, while real, is not as clean as the FCC's language implies.
Cybersecurity experts are quick to point out that router vulnerabilities are not a Chinese manufacturing problem. They are a router problem. Thomas Pace, CEO of cybersecurity firm NetRise and a former security contractor for the Department of Energy, put it plainly: "People expect there to be some smoking gun or something in these devices from Chinese manufacturers, and what you end up finding is the exact same problems in every device." 3
The data offers some support for this view. CISA's Known Exploited Vulnerabilities list — as cited by TP-Link itself in its public response to congressional scrutiny — showed, as of CNET's late-2025 reporting, that TP-Link had two catalogued vulnerability events, compared to eight for Netgear and twenty for D-Link. (The KEV list is updated continuously; readers should consult the current version directly at CISA's website for the most recent figures, as these numbers will have changed.) 3
More to the point: the ban does not require security audits. It does not mandate patching for existing devices. It does not address the millions of foreign-made routers already installed in American homes and businesses — devices that are, by the FCC's own characterization, severe cybersecurity risks. Those devices stay in place. Only new models are blocked. Notably, Engadget reports that covered routers can continue to receive software updates at least through March 1, 2027, though that date may be extended — a carve-out that implicitly acknowledges the security risk of leaving those devices unpatched, while doing nothing to resolve it structurally. (See: The US Bans All New Foreign-Made Network Routers)
A policy genuinely focused on security would require software audits and mandatory patching attestation for every device on U.S. networks, regardless of country of origin. This policy does not do that.
Industrial Policy in a Security Costume
The conditional approval pathway tells you what this is really about.
According to Engadget's reporting on the FCC's notice, companies can apply for conditional approval for new products from the Department of War or the Department of Homeland Security — but only if they "provide a plan for shifting at least some of their manufacturing to the United States" in order to receive that conditional approval. That language is explicit. That is not a security requirement. Security doesn't care where a factory is located. A router manufactured in Ohio can have the same firmware vulnerabilities as one manufactured in Shenzhen. 4
As one tech blog observed bluntly: "If it was about security, they could force all old and new routers and other networking gear to renew the FCC certification every year. To prove that the software is updated and secure. But forbidding everything made outside of the USA, is only to force manufacturing to move to the USA." 2
The drone ban exemption framework is instructive. Since December 2025, the conditional approval process has cleared exactly four non-Chinese drone systems — the SiFly Aviation Q12, Mobilicom SkyHopper Series, ScoutDI Scout 137, and Verge X1 — while leaving Chinese-origin products including DJI and Autel fully blocked. Every conditional approval granted since December has gone to a non-Chinese manufacturer. 2 The structure of the exemption process makes approval for Chinese-origin products functionally unlikely. This is a trade and industrial policy instrument. The national security language is the mechanism, not the mission.
The Market Is Not Ready for This
Here is where the practical consequences become severe, and where I find myself genuinely concerned about what happens next.
Virtually no major consumer router brand currently manufactures in the United States — at least not at the level of final assembly or complete production. Netgear, Linksys, Asus, D-Link, TP-Link, Google Nest, Amazon Eero — all build overseas. Even U.S.-headquartered companies like Netgear and Eero have their production concentrated in Asia, including in regions like Taiwan that have historically been on good terms with the U.S. TP-Link itself told CNET that "nearly all products sold in the United States are manufactured in Vietnam." 3 The U.S. has minimal consumer router manufacturing capacity. Building that capacity requires massive capital investment, years of factory construction, workforce development, and the reconstruction of an entire component supply chain that is currently concentrated in Asia. (See: FCC's Router Ban Forces Netgear, Google Nest, Amazon Eero Into High-Stakes Reshoring Race)
The semiconductor industry's domestic production push — driven by similar security arguments — unfolded over a decade with enormous government subsidies. The router ban is an immediate, sweeping mandate with no phased transition.
Previously authorized router models can still be imported and sold under the grandfathering provision. But that inventory is finite. The global router market is growing at a reported compound annual growth rate of 8.62% through 2033, according to industry analysis cited by AInvest — a figure that, while worth treating with some caution given its source, reflects the broader consensus that demand is accelerating. As existing stock depletes and consumer demand continues to climb, the gap between supply and compliant production will widen. The result: market shortages, significant price increases, and the very real possibility that ISPs step in to fill the void by supplying managed router services — a model that shifts hardware ownership away from consumers entirely. 5
On enforcement: the ban operates through the FCC authorization system. Without FCC authorization, a new router model cannot be legally marketed or sold in the U.S. The mechanism is upstream — at the point of authorization, not at customs. Existing authorized inventory can move through normal retail and import channels. What cannot happen is any new model receiving authorization. The practical enforcement gap is real: the ban does not appear to include a specific customs interception mechanism for grandfathered stock, and the FCC has not yet detailed how it will handle retailers sitting on legacy inventory as that stock depletes.
What Comes Next
Follow the architecture. The FCC's Covered List covers communications equipment. Most consumer electronics sold in the United States have radios in them. A smart TV has a wireless chip. An office printer has a radio and a hard drive. The FCC's December 2025 rulemaking explicitly sought comment on "modular transmitters and component parts in relation to covered equipment" — meaning the agency is already thinking about pushing bans to the chip and component level. 2 That matters because almost every connected device in an American home contains a wireless module made or designed overseas.
The regulatory framework is built. The precedent is established. The next White House interagency determination is the only thing standing between today's router ban and a far broader sweep through the connected device ecosystem.
I am not in the habit of making predictions. I am in the habit of reading documents carefully. The documents say this is not finished.

Conclusion
The router ban is real, consequential, and structurally significant in ways that will take years to fully manifest. The security threats that motivated it — Volt Typhoon, Salt Typhoon, the documented penetration of American critical infrastructure by PRC-linked actors — are real, documented by CISA, the FBI, and the NSA, and cited in the FCC's own national security determination. (See: Cybersecurity Risk From Kaspersky to TikTok) The legal framework enabling it was built deliberately over nearly a decade of bipartisan action.
But a policy that bans new imports while leaving millions of existing "severe cybersecurity risks" in place, that requires U.S. manufacturing commitments rather than security audits as the condition for exemption, and that appears to have bypassed Congressional mandates for evidence-based review under Section 1709 of the FY2025 NDAA is not purely a security policy. It is something more complicated than that — and considerably more consequential.
The blinking box behind your bookshelf just became a geopolitical artifact. You should probably know that it did. 5