As part of the country’s defense-shoring strategy, the US Federal Communications Commission (FCC) has put “all consumer-grade routers produced in foreign countries” on the Covered List. This means foreign routers are now “deemed to pose an unacceptable risk to the national security of the US or the safety and security of US persons” and will require special permission to be sold in the US.
The FCC notes that “the restrictions imposed today apply to new device models”, not ones consumers already own, or ones being sold and marketed that have been previously approved by the FCC.
This is considered an application of President Trump’s strategy [PDF] to “re-secure our own independent and reliable access to the goods we need to defend ourselves and preserve our way of life.” Ie, isolationist economics, ostensibly for national security.
It makes sense for routers, specifically, to be on this list, given the potential vectors for attack they open up. And if those routers are foreign-made, it makes sense that a state might be cautious. We’ve already seen, for instance, TP-Link routers being hijacked by hackers working on behalf of the Chinese government. And there have been calls to ban these routers for some time.
The FCC’s decision is informed by an inter-agency expert determination [PDF] that explains the risk: “Given the criticality of routers to the successful functioning of our nation’s economy and defense, the United States can no longer depend on foreign nations for router manufacturing … Compromised routers can enable in-depth network surveillance, data exfiltration, botnet attacks, and unauthorized access to US government or American businesses’ networks … foreign-produced routers present additional and unacceptable risks to Americans.”
(Image credit: Future)
This statement cites a report from CISA, the NSA, and the FBI that says these bodies “assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.”
These concerns aren’t anything new, as anyone who’s got an eye on cybersecurity will likely have seen increasing focus on ‘supply chain’ attacks over the last year or two. The Open Web Application Security Project (OWASP), for instance, recently said “software supply chain failures” are one of the top web app security risks. In other words, vulnerabilities at source (or some other point in the supply chain) are becoming a real issue. Throw in some increased risk of interference from the manufacturer’s state agencies, and you can see why precautions might be prudent.
Thus the ban on new foreign routers. However, it’s not an unbreakable blanket ban, as the determination states—and the FCC agrees—that there should be a way for routers to become approved:
“To facilitate this transition period, entities that produce routers in a foreign country are encouraged to apply for Conditional Approvals (Annex A) which, if approved, will allow such producers to continue to receive FCC authorization for their products while they work to address the US government’s national security concerns described above.”
So, it’s not as if all TP-Link routers are going to disappear in a cloud of smoke and you’ll have the state knocking at your door to collect contraband. Instead, it just looks like the US government is getting a little more serious about ensuring the networking devices it lets in are secure and don’t pose a national security threat.
