On March 23, 2026, the Federal Communications Commission added every consumer-grade router manufactured outside the United States to its Covered List — the regulatory kill-list that prevents new devices from receiving FCC equipment authorization and therefore from being imported, marketed, or sold in America. The justification was national security. The mechanism was a White House-convened interagency determination. The practical effect is that an industry in which roughly 98 percent of consumer products are manufactured overseas now requires the blessing of the Department of Homeland Security or the newly renamed Department of War before a single new model can reach a shelf.
The ban is real. The threats it claims to address are real. But the policy itself is a blunt instrument swung in a dark room, and the longer you look at who gets hit and who doesn't, the harder it becomes to take the national-security framing entirely at face value.
The Threat Is Not Imaginary
Let's dispense with the easy dismissal first. The cybersecurity case for scrutinizing foreign-manufactured networking hardware is not fabricated out of thin air. The Volt Typhoon campaign — a Chinese state-sponsored operation that pre-positioned itself inside U.S. critical infrastructure networks throughout 2024 and 2025 — exploited compromised consumer routers as staging points. Flax Typhoon operated a botnet of hundreds of thousands of compromised devices, predominantly TP-Link hardware, which were used for credential spraying, DDoS attacks, and anonymous proxying for espionage. The FBI disrupted that botnet in September 2024, but replacement networks using similar techniques appeared within months. Salt Typhoon targeted U.S. telecommunications providers directly.
These are documented campaigns with named threat actors and confirmed damage. Pretending they don't exist would be intellectually dishonest. The question is not whether the threat is real — it is whether a geographic manufacturing ban is a remotely competent response to it.
A Hatchet Where You Need a Scalpel
The FCC's approach treats the problem as though insecure routers are insecure because they're made in Shenzhen rather than in Tulsa. This is, to put it gently, a misdiagnosis. As Jason Soroko, senior fellow at the cybersecurity firm Sectigo, put it, by fixating on where a device's silicon originates rather than how it's maintained, the directive confuses supply-chain provenance with the far more pervasive threat of administrative complacency. Router compromises overwhelmingly stem from operational failures: default credentials left unchanged, firmware patches never applied, management interfaces left exposed to the public internet. These vulnerabilities exist across domestic and foreign hardware alike.
Jake Williams, a former NSA hacker and cybersecurity consultant, made the point even more directly: you can make a secure router anywhere in the world if you enforce the right requirements, and you can make an insecure one in Oklahoma just as easily as in Guangdong.
The European Union, facing the same threat landscape, chose a fundamentally different path. The EU's Cyber Resilience Act, which entered into force in December 2024, requires all connected devices sold in Europe — regardless of country of origin — to meet mandatory cybersecurity standards. Unique default passwords. Mandatory vulnerability disclosure programs. Automatic security updates for a defined minimum period. Transparency about the software bill of materials. The EU approach says: we don't care where you build it, but it must be built securely, or you can't sell it here. The FCC approach says: we don't care how securely you build it, as long as you build it on American soil — soil that currently houses approximately zero consumer router manufacturing lines.
Matt Wyckhouse, founder and CEO of the cybersecurity firm Finite State, captured the absurdity: the FCC has effectively banned all new routers, because no domestic manufacturer currently exists that can clear the bar. The ban creates a vacuum with no product to fill it.
The Grandfathering Loophole and the Shadow Market It Creates
The FCC was careful to reassure consumers that existing routers are unaffected. Anything already purchased or previously authorized for sale can continue to be owned, operated, sold, and imported indefinitely — as long as the manufacturer makes no hardware changes that require new FCC equipment authorization. Firmware updates for existing models are permitted until March 1, 2027.
On the surface, this sounds reasonable. In practice, it creates a set of perverse incentives that actively undermine the stated security goals.
First, the firmware cutoff. If the entire justification for this ban is that foreign-manufactured routers represent a cybersecurity risk, then blocking security patches after March 2027 is not a security measure — it is the opposite. Every router that cannot receive firmware updates after that date becomes a permanently unpatched node on the American internet. The very botnets the FCC cited as justification — Volt Typhoon, Flax Typhoon — exploited routers running outdated firmware. The ban's own timeline guarantees the creation of millions more such devices.
Second, the grandfathering clause creates an enormous incentive for manufacturers to simply stop releasing new models. Why go through a conditional approval process administered by DHS — an agency with no institutional experience in consumer electronics certification and a process that is neither free nor fast — when you can just keep selling your existing Wi-Fi 7 router for another three years? Several industry analysts have already predicted exactly this: a freeze in innovation, with manufacturers extending product lifecycles well past the point at which they would normally iterate.
Third, and most cynically, the combination of a new-model ban with an existing-inventory exemption creates classic conditions for a secondary market. When retailers can sell through their current stock but no new units can be imported, prices on remaining inventory will climb. As supply dwindles, the aftermarket for "last generation" routers — devices that are, by the FCC's own logic, security risks — will thrive. We've seen this pattern with every supply-constrained piece of consumer electronics. The FCC has created the conditions for a market in which the scarcest and most expensive devices are the ones the government just told you are dangerous.
Follow the Money
The FCC insists this is about national security. The stock market seems to think it's about something else.
Netgear shares surged 12 percent the day after the ban was announced. Stifel analyst Tore Svanberg immediately noted that Netgear was "well positioned" to navigate the regulatory change. Raymond James called it "incrementally positive." Within three weeks, Netgear had secured conditional approval from the FCC for its entire Nighthawk and Orbi product lines — a suspiciously swift turnaround for a process that is supposed to involve rigorous national-security vetting by DHS.
Starlink — the satellite internet subsidiary of Elon Musk's SpaceX — is inherently exempt because it manufactures its routers in Texas. One does not need to be a conspiracy theorist to note that Starlink's exemption is convenient given FCC Chairman Brendan Carr's well-documented history of defending Musk's business interests. In 2023, when the FCC under the Biden administration revoked Starlink's $885 million rural broadband award, Carr issued an extraordinary dissent accusing the agency of participating in a "campaign of regulatory harassment" against Musk. He has consistently championed Starlink's interests throughout his tenure. Now, as chair, he oversees a policy that hands Starlink a structural advantage in the networking hardware market while locking its competitors into an approval process that may take months or years.
By late April 2026, the list of companies that have received conditional approval consists of exactly three: Starlink (exempt by manufacture), Netgear, and Adtran, a small enterprise-focused firm. Eero (Amazon) received its approval on April 22. Everyone else — ASUS, TP-Link, Ubiquiti, Linksys, Google Nest, and the rest of the consumer networking market — remains in regulatory limbo.
The beneficiaries of this policy are a vanishingly small group of companies, mostly U.S.-headquartered, whose stock prices and market positions improve with every week that competitors remain locked out of the approval process. The losers are consumers, who face reduced selection and rising prices, and the broader security ecosystem, which loses the competitive pressure that drives firmware quality and innovation.
Bryan Reimer, a research scientist at MIT's Center for Transportation and Logistics, framed it concisely: American households will end up paying more for routers while consumers abroad benefit from lower-cost global supply chains and faster technology cycles. Security concerns may drive policy, but consumers bear the economic cost.
The FCC as Political Instrument
Any discussion of the router ban's credibility must contend with the broader context in which it was issued. The FCC under Brendan Carr has not exactly been a model of apolitical technocratic governance.
In the weeks immediately preceding the router ban, Carr threatened to revoke the broadcast licenses of television networks whose coverage of the U.S. conflict with Iran displeased President Trump. He expanded the FCC's "equal time" doctrine to morning and late-night shows, threatening action against networks that interview Democrats. He pressured ABC into temporarily pulling Jimmy Kimmel off the air after the comedian's on-air commentary angered conservatives. He reportedly made Skydance's acquisition of Paramount conditional on CBS committing to reduce what Carr characterized as liberal bias in its news coverage. He publicly attacked CNN — a cable network over which the FCC has no direct regulatory authority — for its reporting on Iranian diplomatic communications, calling for "accountability" and "time for change at CNN."
A multipartisan coalition of over 80 First Amendment scholars, civil society groups, and litigators sent Carr a letter demanding he cease what they called "unlawful jawboning" — using regulatory threats to coerce editorial decisions the agency has no legal authority to dictate. Even Republican Senator Ron Johnson said he did not "like the heavy-handed government, no matter who is wielding it." Representative Marjorie Taylor Greene — hardly a progressive critic of the Trump administration — warned that such precedents could be turned against conservative media under a future Democratic administration.
This is the institutional context in which the FCC issued its router ban. An agency whose chairman has spent the preceding months explicitly using regulatory authority as a tool of political intimidation now asks the public to trust that its sweeping ban on foreign networking hardware is motivated purely by cybersecurity considerations. The request strains credulity.
Carr is not the first FCC chair to act with political motives, and he will not be the last. But the brazenness of the pattern — threats against broadcasters one week, a market-reshaping hardware ban the next — makes it impossible to evaluate any single FCC action in isolation. The router ban exists in a regulatory environment where the agency has demonstrated, repeatedly and publicly, that it is willing to use its authority for purposes well beyond its statutory mandate.
What a Competent Policy Would Look Like
The irony is that effective router security policy already exists — it just hasn't been tried in the United States. A standards-based approach modeled on the EU's Cyber Resilience Act would require all routers sold in America, regardless of origin, to meet enforceable cybersecurity baselines: unique default credentials, mandatory patching for a defined support window, transparency about embedded software components, vulnerability disclosure programs. Such an approach would improve security across the entire installed base rather than creating a geographic moat around a manufacturing sector that doesn't yet exist.
The ROUTERS Act, currently under consideration in Congress, would direct the Department of Commerce to conduct a proper risk assessment of consumer networking equipment. That's the kind of evidence-based process that should have preceded the FCC's ban, not followed it. Instead, the agency jumped to the most dramatic possible intervention — a blanket import prohibition — without establishing that lesser measures had failed or would be inadequate.
The charitable interpretation is that the FCC acted in genuine alarm at the scale of the Typhoon campaigns and reached for the strongest tool available. The less charitable interpretation is that the ban serves a constellation of interests — protectionist economics, stock-price manipulation for a handful of domestic companies, and the broader administration agenda of decoupling from China — that have little to do with whether your home router is secure.
The Forecast
Here is what is likely to happen over the next twelve to eighteen months. Most major manufacturers will eventually obtain conditional approval, because the alternative — losing the American market entirely — is unacceptable. But the process will be slow, opaque, and arbitrary, because DHS has no established framework for this kind of evaluation and is building the plane while flying it. In the interim, consumers will pay more for less. ISPs, facing the same constraints, may revert to the old model of providing bare modems and charging separately for routing capability — a pricing structure that older internet users will remember with no fondness.
The grandfathered device inventory will dwindle. Prices on remaining stock will rise. The secondary market will flourish. And by the time the firmware update cutoff arrives in March 2027, millions of American routers will become permanently unpatched endpoints — the exact security outcome the FCC claimed to be preventing.
Meanwhile, in Europe, manufacturers will continue shipping routers that meet actual cybersecurity standards regardless of where they were assembled, and European consumers will continue buying them at competitive prices. The comparison will not be flattering.
The router ban is what happens when a real problem — state-sponsored cyber exploitation of consumer networking infrastructure — meets a political apparatus more interested in leverage than in solutions. The threat actors are real. The policy is theater. And the audience, as usual, is paying for the tickets.
Jonathan Brown for Border Cyber Group
Member discussion: