FCC's Router Ban: A Blunt Instrument Against Cyber Threats?
The **FCC** has broadened its ban on foreign-made routers, citing security concerns. While aiming to curb cyberattacks stemming from compromised devices, the move is criticized as overly broad and potentially ineffective, particularly against the rising threat of IoT botnets.
On March 23, the **FCC** updated its Covered List, effectively banning the sale of new routers produced in foreign countries unless specifically exempted by the **Department of Defense (DoD)** or **DHS**. The justification: "security gaps in foreign-made routers" leading to widespread cyberattacks, referencing attacks by Chinese advanced persistent threat actors like **Volt Typhoon**, **Flax Typhoon**, and **Salt Typhoon**. This decision, while intended to mitigate the risk of residential routers being hijacked for attacks, is seen as a sweeping measure with potentially unintended consequences.
### Broad Impact, Limited Effectiveness
Previously, the **FCC** targeted specific vendors like **Huawei** and **Hytera**. This new ban impacts almost all new consumer routers, excluding those manufactured in the U.S., such as **Starlink** routers made in Texas. While some affected routers are indeed vulnerable, the ban doesn't differentiate between manufacturers with poor security track records and those with better practices. This approach may stifle competition and limit consumer choices without necessarily enhancing security.
### Missing the Mark: The IoT Elephant in the Room
The **FCC**'s announcement referenced an Executive Branch determination highlighting the supply chain vulnerability posed by foreign-produced routers, which could disrupt the U.S. economy, critical infrastructure, and national defense. However, critics argue that this ban fails to address the increasing involvement of connected devices in cyberattacks. Supply chain attacks have resulted in malware-infected Android TV boxes, sold by retailers like **Amazon**, fueling botnets like **Kimwolf** and **BADBOX 2**, which are used for fraud and residential proxy services.
Prioritizing the banning of specific models and manufacturers known for producing vulnerable devices would be more effective than a blanket ban that punishes reputable brands.
### Geopolitical Undertones and Potential Consequences
This ban aligns with broader administration efforts to impose tariffs and trade-related executive orders on foreign goods. While some larger companies with the resources to establish U.S. manufacturing plants may benefit, others may seek exemptions from the **DoD** or **DHS**. The immediate effect is an ill-targeted policy with limited impact on domestic cybersecurity, potentially reinforcing existing market players and fostering problematic quid-pro-quo arrangements.
### A Call for Nuance and Targeted Solutions
Consumers deserve assurance that their devices, including routers and smart home devices, are secure regardless of their origin. A nuanced approach, such as the **U.S. Cyber Trust Mark** proposed in 2023, which carefully assesses products, is preferable to blanket bans.