US router ban criticized as 'industrial policy' not better infosec

Regulation Reporter

Academic argues FCC's ban on foreign routers prioritizes geopolitics over actual security, potentially leaving Americans with older, more vulnerable devices.

The United States' ban on foreign-made SOHO routers won't improve security, and only makes sense as "industrial policy disguised as cybersecurity," according to Milton Mueller, Professor at the University of Georgia's School of Public Policy and founder of its Internet Governance Project.

Mueller notes that the Federal Communications Commission (FCC) justified its ban with two arguments, one of which refers to CISA and FBI analysis that found attackers targeted SOHO routers to build a botnet that hid the Volt Typhoon and Salt Typhoon intrusions. The other argument relied on a Department of Commerce study that Mueller summarized as finding "the concentration of 85 percent of the consumer router supply chain in China creates a 'systemic vulnerability' where a single firmware update could be weaponized to disable U.S. home internet access."

The academic thinks neither argument holds water. "The digital economy is global," he pointed out in a Saturday post. "A router 'Made in the USA' likely runs a Linux kernel maintained by global contributors, uses Wi-Fi drivers written in Taiwan, and incorporates open-source libraries managed by developers worldwide."

"By focusing on the geographic location of the assembly line, the FCC ignores the logical supply chain of the software. A U.S.-assembled router with a poorly written UPnP (Universal Plug and Play) implementation is just as vulnerable to a hijacking as a foreign one."

He also points out that the FCC worries about backdoors in routers, when research into the Typhoon gangs found they exploited unpatched bugs, unchanged default device credentials, and bad design that leaves some network ports exposed to the public internet.

"Perhaps the most obvious lack of logic in the FCC's policy is its exclusive focus on new equipment authorizations while leaving legacy devices in place," Mueller wrote. He offered that idea because the Typhoon gangs targeted end-of-life routers and machines that use insecure legacy protocols.

"By banning the sale of the newest, most secure Wi-Fi 7 and Wi-Fi 8 routers from dominant foreign manufacturers, the FCC forces the American public to pay substantially more for upgraded, more secure equipment or, what is more likely, to keep their older, more vulnerable devices for longer," he argued.

"If a consumer cannot easily or affordably replace their 2019-era router because the 2026 models are banned, the total attack surface of the United States actually increases."

"The ban targets the very devices most likely to have modern, auto-updating security features, while providing a 'free pass' to the millions of insecure, aging devices that state-sponsored actors are currently exploiting."

Mueller concludes that by using only the criterion of "foreignness," the ban "actually worsens the security situation."

"Incentives to upgrade to modern, more secure hardware are reduced, and users are encouraged to keep using unpatched legacy equipment—the exact hardware that state-sponsored actors have successfully weaponized for years."

He then asks whether the policy makes any sense. "It does if you see the FCC's ban as an exercise in industrial policy disguised as cybersecurity," Mueller argues, then points out that US company Netgear has funded lobbying efforts on issues including the Removing Our Unsecure Technologies to Ensure Reliability and Security Act, aka the "ROUTERS Act."

"While the risks of state-sponsored infrastructure attacks are real, the remedy chosen – a geographic ban on new hardware – prioritizes geopolitical decoupling over the immediate technical hardening of the American digital home," Mueller concludes.

"Once again – as with the semiconductor export controls and the TikTok ban – we see the bootleggers seeking protection from competition hiding behind the religious banner of national security."

The FCC's ban on foreign routers has sparked debate about whether it truly enhances cybersecurity or serves as a protectionist measure for US manufacturers. While the agency cites national security concerns, critics argue the policy may actually increase vulnerability by discouraging upgrades to newer, more secure hardware.
