What You Need to Know About the FCC Router Ban

On March 23, the Federal Communications Commission announced its intention to ban the sale of all foreign-made Wi-Fi routers moving forward, with manufacturers able to apply for a conditional approval exemption on the FCC’s website. While this will obviously have an impact on businesses of all shapes and sizes, it may not be the one you’d expect.

Let’s talk about what this ban means, both in terms of its requirements and in relation to your business. Spoiler: it’s going to get complicated.

Long Story Short: The FCC Has Considerably Increased Its Covered List

On March 23rd, the FCC added all consumer-grade routers produced outside the United States to its Covered List—a collection of communications equipment and services that pose a risk to the safety and security of US residents or of the nation itself. In doing so, the commission banned the import (for sale or use) of the overwhelming majority of routers, as a router is considered foreign-made if any major process of its creation occurs outside the United States.

So, if ACME were to design a router in Duluth, manufacture the components in Hanoi, and assemble it in Albuquerque, that router would still fall under the scope of this ban and could not be used or sold in the United States unless granted conditional approval. 

Under these restrictions, effectively all routers currently available for purchase in the US fail to meet the criteria. All currently owned or authorized devices are grandfathered in; this ban applies only to new hardware… but with a caveat: currently owned devices will only be allowed to receive new software and firmware updates until March 1, 2027.

This Deadline Lives Up to Its Name in More Ways Than One

It is important to recognize that cybercriminals are always looking for new ways to undermine the security of the devices and software we all use every day, often sharing the new tools and strategies they develop on the Dark Web as they identify the vulnerabilities that a developer may have missed. This is one half of an ongoing arms race between hackers and developers, as developers work to resolve these vulnerabilities faster than attackers can find and exploit them, until the tech in question is deemed no longer worth the effort to keep safe.

At that point, it no longer provides these updates, and anything an attacker comes up with afterward will always work. From a security perspective, these devices are now dead in the water.

Why Was this Ban Put in Place?

According to an FAQ sheet, these updates were implemented after an interagency executive body convened by the White House determined that routers produced in any foreign country posed the aforementioned risks and should therefore be added to the Covered List. The cited concern was that routers were the vehicle for the Volt, Flax, and Salt Typhoon cyberattacks, which utilized networking hardware vulnerabilities to take root. As FCC Chair Brendan Carr said in a statement, the shift is intended to help protect cyberspace, as well as the critical infrastructure and supply chains, in the US.

As a result, most new routers cannot be authorized by the FCC and therefore cannot be marketed, imported, or sold in the United States.

We All Need to Brace for Hardware Shortages

As things currently stand, the only router manufacturer that is exempt from the ban is the Texas-based Starlink, with Netgear and TP-Link vocally supporting it despite currently being subject to it, but also in some of the better positions to shift their operations. Regardless, Rome wasn’t built in a day, and with a deadline of about a year, the idea of all of these companies completely shifting their operations is impractical at best.

What Businesses Should Do in Response

As of this writing, your business is partially shielded from the impacts of this ban, although there are bound to be some repercussions that ripple back to you.

This ban specifically applies to consumer-grade routers, so if your business is using the kind of hardware you should be, and not “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer,” your business’ hardware should be okay. On the other hand, if your team members own a device (standalone or router/modem combination) from any of the following router brands…

• Asus
• D-Link
• Eero
• Linksys
• Nest
• Netgear
• Razer
• Synology
• TP-Link

…or rents from their ISP and receives a router from…

• Arcadyan
• Wistron
• Netgear
• Arris
• Technicolor
• Askey
• Sagemcom
• Humax
• Nokia

…they could soon be required to invest in a compliant option, or rely on their service provider to do so (with costs likely offset by increasing service charges). As a result, this could impact your team’s ability to work remotely in the very near future.

You Still Need to Do Everything You Can to Protect Your Business’ Security

This is not to say that you are now absolved of any responsibility to protect your business by maintaining your own infrastructure. Again, these restrictions are specifically on consumer-grade hardware, not business-appropriate options… but threats and the updates that help resolve them are anything but discerning. The hardware’s country of origin simply doesn’t matter.

Therefore, all businesses should prioritize a few defensive measures:

• Use professional-grade hardware. Consider this the last straw that finally pushes you to upgrade your business’ network infrastructure, as these devices are built to be more secure and robust enough to handle a higher workload.
• Keep the router’s firmware updated. Outdated firmware offers minimal protection for your router, leaving your network open to attackers. Patching it in a timely manner helps close the window of opportunity for an attacker to exploit it.
• Fortify your credentials. Most routers and other pieces of hardware come with standardized access credentials for the purposes of initial setup. These should be changed immediately after you hook them up, and should be replaced with long, complex passwords or passphrases that hit the balance between easy to remember but hard to guess.
• Encrypt your traffic. Using a virtual private network (or VPN) helps maintain privacy and security by shielding what you are looking at from anyone who may be keeping watch. By encrypting your traffic, the best an attacker will get is a scrambled mess of gibberish instead of your secret data.

We’re Here to Help Your Business Navigate Technology and All Its Challenges

Don’t wait until it's too late to try and cobble together a strategy with whatever hardware you can get. Instead, work with us to help manage your business tech each and every day to make the most of it.

We’ll be there to ensure you are in the best position to succeed, planning and executing on a roadmap that ensures your IT empowers your operations. Give us a call at (281) 816-6430 to learn more.