Fossilised
The FCC said foreign routers were a national security threat. Then it made sure you couldn’t replace them.
On 23 March 2026, the Federal Communications Commission added all foreign-produced consumer-grade routers to its Covered List -- the register of communications equipment deemed to pose an unacceptable risk to US national security. The determination was sweeping. Not this manufacturer. Not that country of origin. All of them. Any router where a foreign entity was involved in any significant stage of design, development, manufacturing, or assembly is now prohibited from receiving new FCC equipment authorisation.
The justification was serious and the threat real. The FCC explicitly cited the Volt Typhoon, Flax Typhoon, and Salt Typhoon campaigns -- a series of Chinese state-sponsored intrusions that burrowed into American energy, water, communications, and transportation infrastructure. The vector in each case was the same: compromised routers, predominantly aging devices running unpatched firmware, sitting unattended on the edge of networks that mattered. The KV Botnet that supported Volt Typhoon was built largely on Cisco RV320 and Netgear devices that manufacturers had long since abandoned. End of life. No patches. Wide open.
The FCC looked at that attack surface and decided to act. What it did next is worth examining carefully.
What the Policy Actually Does
New foreign-produced router models cannot receive FCC equipment authorisation. They cannot be imported, marketed, or sold in the United States. Routers already on the market -- already in homes, offices, and small businesses across the country -- are unaffected. Consumers can keep using what they have. Retailers can keep selling existing authorised stock until it runs out.
There is a waiver. The FCC’s Office of Engineering and Technology issued a blanket permission allowing previously authorised foreign routers to continue receiving software and firmware updates -- specifically those that “mitigate harm to US consumers.” The waiver covers security patches, vulnerability fixes, and compatibility updates. It does not cover new features. It runs until at least 1 March 2027, after which it may or may not be extended.
Foreign manufacturers can apply for Conditional Approval from the Department of Homeland Security or the Department of War, exempting specific models from Covered List restrictions. The application requires extensive corporate, investor, supply chain, and manufacturing disclosures, plus a detailed plan for onshoring US production. It is not a quick process, and it is not designed to be.
That is the policy in full. Now look at what it produces.
The Contradiction at the Centre
The FCC’s threat model is explicit: foreign-produced routers are an unacceptable national security risk. Compromised routers enable network surveillance, data exfiltration, botnet recruitment, and unauthorised access to critical infrastructure. The determination makes this case at length and with specificity. Accept it entirely. The threat is real.
Now apply that threat model to the policy outcome.
The routers already deployed across tens of millions of American homes and businesses are the ones the FCC’s own evidence identifies as the actual attack surface. Volt Typhoon did not exploit hardware backdoors in newly shipped devices. It exploited aging hardware running outdated firmware on networks where nobody was paying attention. The installed base is the risk.
The policy does not touch the installed base. It cannot -- the FCC explicitly declined to recall or ban existing devices. What it does instead is remove the primary mechanism by which that installed base gets refreshed: the ability to buy a newer, better-supported replacement from the same manufacturer you’ve been using.
Your TP-Link or ASUS or Netgear router from 2021 is still there. A newer model with better security architecture, active support, and automatic updates cannot replace it through normal retail channels. So it stays. The attack surface does not shrink. It ages.
The Waiver Problem
The firmware waiver is presented as a pragmatic concession -- the FCC acknowledges that cutting off security patches immediately would leave the installed base worse off than the theoretical risk of a manufacturer-pushed update. That reasoning is sound as far as it goes.
But the waiver is permissive, not mandatory. There is no obligation on any manufacturer to actually push updates. A company that has been formally expelled from the US market, faces no prospect of selling new devices, and is being asked to invest engineering resource in patching hardware its customers cannot upgrade has a diminishing commercial incentive to do so diligently. The waiver creates a legal window. It does not create a patch. And when it closes, every foreign router in the US becomes state-mandated abandonware.
And the window closes. March 2027 is not far away. If the waiver lapses -- or is not extended -- those same devices become unpatched by policy. The FCC will have constructed, through regulation, precisely the conditions it cited as justification for the regulation.
The Upgrade Paradox
There is a further problem the policy does not address. The consumer router market is dominated by manufacturers whose production is substantially or entirely foreign. Asus, TP-Link, Netgear, and their peers manufacture in Taiwan, Vietnam, and China. Under the FCC’s definition -- which captures any significant stage of design, development, manufacturing, or assembly -- the overwhelming majority of consumer routers currently available cannot receive new authorisation.
Domestic alternatives exist but are limited in range, carry significant price premiums, and in many cases are not yet shipping current-generation hardware at consumer price points. The practical effect for most households is not “buy American.” It is “don’t upgrade.”
Users who would have moved to a newer Wi-Fi 7 router with stronger security defaults, active vendor support, and modern firmware architecture will instead continue running the older hardware they have. The security improvement that comes with hardware refresh -- newer chipsets, better memory isolation, more capable firmware stacks -- does not happen.
The policy optimises for controlling the future market while leaving the present attack surface largely intact. The devices that matter to an adversary planning the next Volt Typhoon campaign are the ones already deployed, already aging, and now harder to rotate out.
Accepting the Threat Model
It is worth being clear about what this analysis does and does not argue.
This is not an argument that the FCC’s concerns about foreign hardware are unfounded. Supply chain risk is real. State-sponsored compromise of network infrastructure is documented and ongoing. A serious government takes those threats seriously.
The argument is narrower: the policy response does not match the threat model the FCC itself articulated. If the risk is aging, unpatched routers on the edge of sensitive networks, the policy should make it easier to replace them with better-supported hardware. This policy makes it harder. The installed base fossilises. The waiver window narrows. The patch incentive weakens.
The FCC looked at the attack surface, named it correctly, and then passed a rule that makes it more durable.
That is not a security policy. It is a market policy wearing security’s clothes -- and the attack surface will still be there in 2027, older and less supported than it was before.
The Sovereign Auditor covers data protection, digital sovereignty, and infrastructure governance. Published from the Isle of Man.