It has been reported that the US Federal Communications Commission, citing national security concerns, has announced a ban on all new routers manufactured overseas being imported into and sold within the US. Under the ban, manufacturers will need to apply for approval on a case-by-case basis to import their products into the US; the ban does not apply retroactively, and existing routers are unaffected. The current ban follows a similar move last year by the FCC to ban foreign-manufactured drones, and comes in the wake of debate among US lawmakers around Chinese manufacturers like TP-Link and their potential connections to the Chinese government and state-backed threat actors. Here, Ryan McConechy, Principal Security Architect at Barrier Networks, gives his thoughts on the news.
“This announcement from the FCC raises many unanswered questions, a notable one being the fact that essentially no consumer-grade routers are manufactured domestically in the US. Many of the major router manufacturers, including American companies like Cisco, assemble their products in countries like Taiwan and Vietnam, and a blanket ban like this could cause huge disruption.
“Moving large manufacturing operations into new countries is a task that can take years and may not even be viable if costs prove too high, not to mention the lack of wider regional supply chains that manufacturing industries may be dependent on and which are often impossible to shift. At best, and in the short term, basic assembly of routers could move to the US.
“While this ban seems reasonable from some perspectives, given heightened geopolitical tensions and the influence foreign nations have over their technology sectors, at no stage does it fundamentally address the underlying security allegations about foreign-made routers: without a wholesale shift of entire supply chains to the US, backdoors and spyware can still be integrated into networking technology, and security vulnerabilities will exist in router products regardless of where they’re manufactured.
“This latter point is key, because most prior attacks on routers and networking technology have involved this type of vulnerability. Rather than being the result of coordinated state-level espionage, much of the risk around routers arises from basic problems, like manufacturers and end users failing to update firmware regularly, and firmware running on exploitable and outdated platforms.
“Router manufacturers themselves can also be targeted, and the infrastructure used for managing routers and providing firmware updates make for easy targets, a problem which exists regardless of the country where manufacturers reside.
“Without targeted policies aimed at tackling these specific problems, this ban will do nothing to improve router security, and without further support from the US government, it’s not realistic for manufacturers to shift their supply chains in a timely enough fashion to avoid disruption to the consumer market.”
US regulator bans imports of new foreign-made routers, citing security concern – Reuters
FAQs on Recent Updates to FCC Covered List Regarding Routers Produced in Foreign Countries – FCC
For more cybersecurity news, click here
