On March 23rd the FCC added every consumer-grade router produced outside the United States to its Covered List. No new foreign-made router model can receive FCC equipment authorization going forward. That means no new imports. No new models on store shelves. Nothing. Cue the Jumbotron. Roll the confetti. America is safe now, right?
Ha. Not even close.
The stated reason is national security. The Volt Typhoon, Salt Typhoon, and Flax Typhoon cyberattacks proved that foreign-made routers are being weaponized against American networks. That part is true. Chinese state-sponsored hackers compromised routers at scale to infiltrate US infrastructure, intercept law enforcement wiretaps, and access the call metadata of over a million Americans. That's not hypothetical. That happened. This is a real problem that deserves a real solution.
Instead we got the government equivalent of putting a "Protected by ADT" sticker on your window without actually installing the alarm system.
The Ban That Bans Nothing That Matters
There are hundreds of millions of foreign-made routers already operating in American homes right now. This ruling doesn't touch a single one of them. No mandatory firmware audits. No patching requirements. No security attestation standards. The routers that were actually exploited in Volt Typhoon and Salt Typhoon? Still humming along in living rooms and home offices across the country with the same vulnerabilities they had yesterday.
If your house is on fire you don't ban future houses from being built. You put out the fire.
Remember when your parents told you to "just say no" to drugs and that was supposed to solve everything? Same energy. The FCC just said no to future routers while ignoring the 200+ million compromised ones already in the building. Nancy Reagan would be proud.
"Conditional Approval" Is Industrial Policy in a Security Costume
The "Conditional Approval" pathway for manufacturers to get around the ban is telling. To bring a new router model to market, companies have to disclose their full management structure, detail their supply chain, and lay out a concrete plan for shifting manufacturing to the United States. That's not a security requirement. That's an industrial policy requirement wearing a security costume. It's like requiring a background check to buy a fire extinguisher while the building burns.
Look at the precedent. The FCC did the exact same thing with drones in December 2025. Since then exactly four drone systems have received Conditional Approval. All four were non-Chinese manufacturers. Market leaders DJI and Autel are still fully blocked. Shocked? Nobody who grew up watching the government lie about everything from Iran-Contra to WMDs is shocked.
This isn't about whether your router was built securely. It's about where it was built. And those are two very different questions.
The Hypocrisy Is Chef's Kiss
Here's where it gets really interesting. FCC Chair Brendan Carr, who announced this ban with great fanfare about protecting Americans from cybersecurity threats? Four months ago he led a 2-1 vote to eliminate mandatory cybersecurity requirements for telecom carriers. Let that marinate.
The rules he killed were put in place specifically because Salt Typhoon proved that companies like AT&T and Verizon had failed to implement basic security measures. We're talking one admin account with access to over 100,000 routers. No password protection on servers containing authentication keys. The White House said the breach would have been "far riskier, harder and costlier for the Chinese" if companies had minimum security practices in place.
Carr killed those requirements. Called them "neither lawful nor effective." Replaced them with voluntary industry collaboration. The same telecom carriers whose networks were breached by Chinese hackers lobbied for the rollback and got it. If you're old enough to remember the tobacco companies testifying before Congress that cigarettes don't cause cancer, this feels awfully familiar.
Senator Maria Cantwell called it "a pattern of weakness on national security issues." FCC Commissioner Anna Gomez said Carr's approach "leaves us without a credible plan" to address the vulnerabilities Salt Typhoon exploited.
So to recap: the guy who killed mandatory cybersecurity rules for the companies that actually got hacked is now banning router imports in the name of cybersecurity. Read that again.
If this were a movie, this is the part where John Cusack holds up a boombox outside the FCC and it just plays the sound of a dial-up modem failing to connect.
What Actually Makes a Router Secure
Here's the thing nobody in Washington wants to say out loud: country of manufacture is a terrible proxy for security. An American-made router running proprietary firmware with default passwords and no network segmentation is not secure. A router built in Taiwan running open-source OPNsense with published configurations and regular audits is.
You know what actually makes a router secure?
Open source firmware you can audit. Not proprietary black boxes running code nobody outside the company has ever reviewed. When the firmware is open, anyone can find vulnerabilities before they get exploited. When it's closed you're trusting the manufacturer with your entire network and hoping they got it right. Hope is not a security strategy. Gen-X learned that lesson the hard way watching every institution we were told to trust turn out to be full of it.
Transparent configurations. If you can't see what your router is doing you can't verify that it's doing what the manufacturer claims. Every default setting, every firewall rule, every DNS configuration should be reviewable by the person who owns the hardware. At OSS we publish every single configuration on Forgejo. Not because we have to. Because "trust us" is what every company says right before they screw you.
Regular, verifiable security updates. Not "trust us, we patched it" but actual auditable evidence that the software running on your device is current and hasn't been tampered with. Our SafeNet VPN servers run weekly published security audits that anyone can download and verify. That's what transparency looks like. Everything else is marketing.
Network segmentation. Your security cameras and smart thermostats should not be on the same network as your laptops and phones. A compromised IoT device on an isolated VLAN can't reach your personal files. On a flat consumer network it can reach everything. This is networking 101 for businesses. For homes it barely exists because consumer routers can't do it.
None of these things have anything to do with whether the router was assembled in Shenzhen or San Jose.
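The segmentation point above can be checked rather than assumed. The following is an added example, not code or configuration from the author or from OPNsense: a small Python audit that takes an ordered ruleset and reports which forbidden zone-to-zone paths are still open. The zone names, subnets, rule tuple format and the simplified first-match, default-deny evaluation are all assumptions made for illustration.

```python
import ipaddress

# Constructed zones and rules: names, subnets and the rule format are assumptions.
ZONES = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),  # laptops, phones
    "iot": ipaddress.ip_network("10.0.20.0/24"),      # cameras, thermostats
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}
# (action, source zone, destination); evaluated top-down, first match wins.
SEGMENTED_RULES = [
    ("block", "iot", "10.0.0.0/8"),    # IoT may not reach any internal VLAN
    ("pass", "iot", "any"),            # but may reach the internet
    ("block", "guest", "10.0.0.0/8"),
    ("pass", "guest", "any"),
    ("pass", "trusted", "any"),
]
# A flat network modelled as "everything may talk to everything".
FLAT_RULES = [("pass", zone, "any") for zone in ZONES]
# A well-meant exception placed above the block rule reopens the path.
LEAKY_RULES = [("pass", "iot", "10.0.10.5/32")] + SEGMENTED_RULES
FORBIDDEN = [("iot", "trusted"), ("iot", "guest"), ("guest", "trusted"), ("guest", "iot")]

def can_reach(rules, src_zone, dst_net):
    """True if any address in dst_net is passed for traffic from src_zone."""
    remaining = [dst_net]  # parts of dst_net no earlier rule has decided
    for action, zone, dest in rules:
        if zone != src_zone or not remaining:
            continue
        rule_net = ipaddress.ip_network("0.0.0.0/0" if dest == "any" else dest)
        undecided = []
        for net in remaining:
            if not net.overlaps(rule_net):
                undecided.append(net)
            elif action == "pass":
                return True  # first matching rule lets part of dst_net through
            elif rule_net != net and rule_net.subnet_of(net):
                undecided.extend(net.address_exclude(rule_net))  # partial block
            # otherwise the block covers this piece entirely
        remaining = undecided
    return False  # implicit default deny

def violations(rules, forbidden=FORBIDDEN):
    """Forbidden (source, destination) zone pairs the ruleset still permits."""
    return sorted(p for p in forbidden if can_reach(rules, p[0], ZONES[p[1]]))

if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES),
                        ("leaky", LEAKY_RULES)]:
        print(name, violations(rules))
```

The leaky ruleset shows why rule order belongs in any configuration review: a single host exception placed above the block rule is enough to put the IoT VLAN back in reach of the trusted network.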
The Firmware Cutoff Nobody Is Ready For
One detail buried in the FCC FAQ that should scare the hell out of you: foreign-made routers are only guaranteed to receive firmware and security updates through March 1, 2027. After that, if a manufacturer hasn't received Conditional Approval, they may not be able to push new patches.
Think about what that means. Millions of routers. No more security updates. Sitting in American homes running increasingly outdated firmware with increasingly known vulnerabilities. The FCC just created a ticking clock for every foreign-made router in the country to become a cybersecurity liability. It's like Y2K but this time the threat is real and nobody is panicking because nobody read past the headline.
The Typhoon hackers exploited routers that weren't being patched. The FCC's response is to create conditions where even more routers won't get patched. Outstanding move.
What You Can Actually Do
I'm not going to tell you to panic. Your current router is fine for now and the FCC explicitly says you can keep using it. But if you care about the security of your home network, the answer was never going to come from Washington. It never does. If you're Gen-X you already knew that. We've been fending for ourselves since we were latchkey kids heating up Totino's Pizza Rolls while our parents were still at work.
Stop trusting black boxes. If you can't see the code running on your router you're making a bet that the manufacturer cares about your security more than their bottom line. History says that's a bad bet. Every single time.
Look into open source firewall platforms. OPNsense and pfSense are free, battle-tested, and run on commodity hardware like Protectli Vaults. Everything is auditable. The community is massive and the documentation is thorough. You can build this yourself if you've got 25-35 hours and the patience for it.
Segment your network. Put your IoT devices on their own VLAN. Put your guest WiFi on its own VLAN. Stop letting every device in your house talk to every other device. Network isolation is the single most impactful thing you can do for home security and almost no consumer router does it properly out of the box.
Or skip the project entirely. If you want enterprise-grade security without becoming a network engineer, that's why SecureNet exists. Professionally configured OPNsense on Protectli hardware. 8 isolated networks. 200,000+ threat signatures. Every configuration published openly. You own everything. The FCC ban doesn't affect us because we were never selling you a consumer-grade black box in the first place.
The FCC can ban whatever it wants. The only person who is going to secure your network is you.