The Federal Communications Commission (FCC) recently decided to add specific foreign-made routers to its national security risk list. While intended to protect infrastructure, this March 23 policy change introduces complexities that could inadvertently extend the lifecycle of older, less secure hardware for US consumers and small businesses over the long term.
The directive restricts the import of new consumer-grade router models manufactured outside the US. Organizations and consumers can continue using their current devices, and retailers may still sell previously approved models. However, the FCC will halt approvals for new foreign-made consumer routers, though it will review exemption requests as needed. The agency based this decision on findings from a White House-convened interagency body, which concluded that these devices present unacceptable national security risks.
Assessing the national security context
The FCC documented concerns that unauthorized parties could introduce backdoors or tamper with routers to conduct mass surveillance, expose sensitive data, establish botnets, and gain unauthorized access to critical networks. According to the agency, security gaps in foreign-made routers have allow intellectual property theft and network disruption. They specifically referenced the Volt Typhoon, Flax Typhoon, and Salt Typhoon security incidents as examples of events involving foreign-made equipment.
Currently, the vast majority of small office/home office (SOHO) and commercial-grade routers used in the US are manufactured internationally. Rebecca Krauthamer, CEO and co-founder of QuSecure, notes that supply chain risks are genuine, particularly at the national security level. The FCC's restriction focuses on limiting geopolitical exposure and reliance on foreign-controlled components, extending beyond device-level vulnerabilities.
"We are seeing a broader shift toward sovereign and trusted technology stacks in higher-security environments," Krauthamer explains, noting that the origin of infrastructure components is a meaningful consideration when sensitive data is involved.
Potential side effects on hardware lifecycles
The heavy reliance on imported routers introduces questions about whether the restriction might prompt users to hold onto older, out-of-support devices. Krauthamer observes that while the policy does not mandate immediate replacement, it complicates future procurement. Many businesses rely on routers that have been in place for a decade or more, sitting directly in the critical path of their network traffic. Upgrading this infrastructure could soon involve a more constrained, potentially more expensive market with longer procurement cycles.
Jim Needham, senior managing director at FTI Consulting, explains that businesses might retain outdated equipment well beyond normal replacement cycles, which can weaken overall security postures. Since most routers require periodic replacement to maintain current security standards and keep pace with hardware advancements, the restriction could increase costs and cause operational friction. Because the ruling is prospective, however, these concerns apply primarily to future planning.
Prioritizing operational security fundamentals
Several security researchers point out that device vulnerabilities are rarely tied directly to manufacturing origin. Instead, risk typically stems from operational gaps, such as default credentials, delayed patch management, and exposed management interfaces.
Jason Soroko, senior fellow at Sectigo, notes that unauthorized parties leverage these vulnerabilities across both domestic and international hardware alike. He cautions against focusing solely on hardware origin rather than maintenance rigor, which could misdirect attention away from the more pervasive issue of administrative oversight.
For contrast, the European Union addresses device security through its Cyber Resilience Act. This legislation requires manufacturers selling connected devices in Europe to meet mandatory cybersecurity requirements. Including secure defaults, vulnerability disclosure, and ongoing software support—regardless of where the hardware was built.
Navigating future equipment replacements
Currently, the FCC's restriction serves as a forward-looking measure. The practical impact will surface as existing equipment reaches end-of-life and organizations enter a constrained replacement market. Pieter Arntz, a researcher at Malwarebytes, observed only one US-made router, Starlink—currently available in the consumer category affected by the FCC's policy.
The core challenge for the industry is whether the lack of domestic alternatives will spur new investment in US manufacturing or result in prolonged use of aging hardware. The outcome will depend heavily on how the FCC manages its exemption process. In the meantime, security teams can best protect their environments by focusing on rigorous operational hygiene: applying firmware updates promptly, disabling unnecessary remote management interfaces, and strictly controlling administrative credentials.