US router ban is ‘industrial policy’ not better infosec • The Register

https://www.theregister.com/2026/03/30/professor_criticizes_fcc_router_ban/

Publish Date: 2026-03-30 00:31:00

The United States’ ban on foreign-made SOHO routers won’t improve security, and only makes sense as “industrial policy disguised as cybersecurity,” according to Milton Mueller, Professor at the University of Georgia’s School of Public Policy and founder of its Internet Governance Project.

Mueller notes that the Federal Communications Commission (FCC) justified its ban with two arguments, one of which refers to CISA and FBI analysis that found attackers targeted SOHO routers to build a botnet that hid the Volt Typhoon and Salt Typhoon intrusions. The other argument relied on a Department of Commerce study that Mueller summarized as finding “the concentration of 85 percent of the consumer router supply chain in China creates a ‘systemic vulnerability’ where a single firmware update could be weaponized to disable U.S. home internet access.”

The academic thinks neither argument holds water.

“The digital economy is global,” he pointed out in a Saturday post. “A router ‘Made in the USA’ likely runs a Linux kernel maintained by global contributors, uses Wi-Fi drivers written in Taiwan, and incorporates open-source libraries managed by developers worldwide.”

“By focusing on the geographic location of the assembly line, the FCC ignores the logical supply chain of the software. A U.S.-assembled router with a poorly written UPnP (Universal Plug and Play) implementation is just as vulnerable to a hijacking as a foreign one.”

He also points out that the FCC worries about backdoors in routers, when research into the Typhoon gangs found they exploited unpatched bugs, unchanged default device credentials, and bad design that leaves some network ports exposed to the public internet.

“Perhaps the most obvious lack of logic in the FCC’s policy is its exclusive focus on new equipment…

Source