On March 23, 2026, the FCC solved America’s router security problem by banning all foreign-made routers from entering the US market. There’s just one catch: every consumer router is made overseas. Zero domestic alternatives exist. Security experts are calling it “fake cybersecurity“—a policy that will make home networks less secure, not more, because it forces millions of Americans to keep using old, vulnerable routers for years longer than they should.
The Policy and Its Fatal Flaw
The FCC updated its “Covered List” to include all consumer-grade routers produced in foreign countries. The justification was straightforward: Chinese state-sponsored groups Volt Typhoon, Flax Typhoon, and Salt Typhoon had exploited routers in cyberattacks targeting US infrastructure. Volt Typhoon alone compromised 30 percent of visible Cisco RV320/325 routers in just 37 days. A White House interagency body determined that foreign-made routers pose “unacceptable risks to national security.”
The problem? About 60 percent of home routers in the US are manufactured in China. The rest come from Taiwan, Vietnam, and other Asian countries. American companies like Netgear and Google manufacture their routers overseas. There are zero US-made consumer routers on the market. The ban prevents new foreign routers from getting FCC approval, which means they can’t enter the country. Consumers can keep using existing routers, but they can’t buy new ones. The exemption process exists but has approved exactly zero routers as of today.
Security Experts Call It “Fake Cybersecurity”
Professor Milton Mueller from Georgia Tech’s Internet Governance Project didn’t mince words. He called the FCC router ban “industrial policy masquerading as national security” and accused the agency of peddling “fake cybersecurity.” His core criticism cuts to the heart of the issue: “Not a single instance of a hardware-level manufacturing backdoor was identified” in the Volt Typhoon campaigns that justified the ban.
The attacks exploited unpatched software bugs and weak default passwords—vulnerabilities that affect routers from all manufacturers, regardless of where they’re made. Mueller points out that “a U.S.-assembled router with a poorly written UPnP implementation is just as vulnerable” as one made in Shenzhen. Router software relies on globally developed components: Linux kernels maintained by international teams, open-source libraries managed on GitHub, chipset firmware from Taiwan. The location of the factory tells you nothing about security.
Malwarebytes security researchers reached the same conclusion. Their analysis shows that device age and software support matter far more than manufacturing origin. The FCC is solving the wrong problem.
The Unintended Consequence: Aging Fleet, Bigger Attack Surface
This is where the policy doesn’t just fail—it actively makes things worse. Consumer routers typically reach end-of-life status about five years after launch, sometimes as early as three years. When a router hits EOL, the manufacturer stops releasing firmware updates and security patches. Any vulnerabilities discovered after that point will never be fixed. These devices become permanent attack vectors.
The FBI warned in March 2026 that routers from 2010 or earlier are high-risk and should be replaced immediately. The bureau recommends replacing routers every two to four years to ensure they continue receiving security patches. However, the FCC just made that impossible. If you can’t buy a new router because they’re all banned, you’re stuck with your old one. That 2019-era Netgear with known vulnerabilities? You get to keep it for another few years.
This creates a dark irony. The Volt, Flax, and Salt Typhoon attacks that justified the ban specifically targeted outdated routers running unpatched firmware. The FCC’s response to state-sponsored actors exploiting old routers was to ban new routers—the ones with Wi-Fi 7, WPA3 encryption, secure boot, and active security support. As Mueller noted, “the total attack surface of the United States actually increases” because the ban forces American households to retain precisely the equipment that was compromised in the first place.
What Real Security Policy Would Look Like
The FCC chose to target manufacturing origin because it’s politically easy. Banning foreign routers looks tough on China and plays well in national security briefings. But it doesn’t address the actual threat. If the agency cared about results instead of optics, here’s what effective router security policy would mandate:
First, require manufacturers to support firmware updates for at least five to seven years. Second, implement security certification requirements that apply to all routers regardless of origin—audit the code, test the implementations, fail devices that ship with weak default credentials. Third, mandate rapid patching for disclosed vulnerabilities, with financial penalties for manufacturers that ignore security advisories. Fourth, ban insecure defaults entirely: no more “admin/admin” passwords, no unencrypted management interfaces, WPA3 mandatory.
These policies would address the software vulnerabilities that Volt, Flax, and Salt Typhoon actually exploited. They would force the industry to prioritize security over convenience and cost-cutting. They would be harder to implement than a blanket ban, requiring technical expertise and enforcement infrastructure. But they would work.
Security theater is easier than security policy. The FCC chose theater.
