The US Federal Communications Commission (FCC) has moved to ban imports of new foreign-made consumer routers over cybersecurity concerns, a move that, while focused on home networks, carries broader implications for enterprise risk, including exposure from remote work environments and increased scrutiny of network supply chains.
“Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft,” the FCC said in a statement. “Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital US infrastructure.”
While the order applies to consumer-grade devices, it underscores risks around unmanaged endpoints and the potential for compromised home networks to serve as entry points into enterprise systems.
The move builds on the FCC’s “covered list” of communications equipment and services deemed to pose national security risks, which includes several Chinese companies such as Huawei and ZTE, and comes amid longstanding US government concerns over Chinese-linked networking equipment.
TP-Link, in particular, has found itself in the crosshairs of US authorities lately over alleged security gaps.
The order allows exceptions for devices that have already received regulatory clearance.
According to Sanchit Vir Gogia, chief analyst at Greyhound Research, the move reflects a broader move beyond vulnerability-based security assessments, with a growing focus on influence over network infrastructure.
“This is about control, not just compromise,” Gogia said. “Routers sit at the network edge, but functionally they are part of the control plane of the enterprise.”
Pareekh Jain, CEO of Pareekh Consulting, said that this shift has practical implications for enterprise security teams. Instead of only fixing known bugs, they should also consider where a device comes from.
“The idea is that if a device is made in a country seen as a risk, it might not be fully trustworthy even if everything looks fine today,” Jain said.
However, the lack of detailed vulnerability disclosures suggests the immediate impact on enterprises may be limited in the near term, with the primary effect being compliance requirements for procurement, said Keith Prabhu, founder and CEO of Confidis.
Impact on network hardware supply chains
Shifting to US or allied vendors may reduce geopolitical exposure but introduces new challenges. Many trusted vendors still rely on global components and manufacturing, making software and hardware bill of materials transparency critical for risk assessment.
“As per market estimates, China and Taiwan produce 60 – 75% of routers, while the US produces 10%,” Prabhu said. “It will take a long time for manufacturing of routers to pick up in the US, and during this phase, foreign-made routers will continue to dominate the global market.”
Gogia said shifting to US or allied vendors does not eliminate broader exposure.
“Moving towards US or allied vendors addresses one category of concern, which is geopolitical exposure tied to ownership, jurisdiction, and potential state influence,” Gogia said. “But technical compromise risk does not disappear with a change in vendor geography. Attackers have consistently exploited vulnerabilities across widely used enterprise networking equipment, including from vendors considered trusted.”
At the same time, the shift introduces less visible but significant risks, including greater vendor concentration. As the pool of approved suppliers narrows, enterprises face increasing dependency and the potential for single points of failure. The change could also shift pricing power toward vendors and constrain innovation within a smaller ecosystem.
For CISOs, the new FCC decision serves as a reminder that the bill of materials is now a geopolitical document. Procurement is no longer just about the best price; it’s about the safest jurisdiction.