58 votes

US regulator bans imports of new foreign-made routers, citing security concerns

27 comments

  1. [7]
    JCPhoenix

    The U.S. Federal Communications Commission said on Monday it was banning the import of all new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over security concerns.

    The "Covered List" of brands/products banned under the Secure Networks Act. There are also conditional approvals, but the current ones are just drones; no routers.

    Definition of a "Consumer Router:"

    Routers: For the purpose of this determination, the term “Routers” is defined by National
    Institute of Science and Technology’s Internal Report 8425A to include consumer-grade
    networking devices that are primarily intended for residential use and can be installed by the
    customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between
    networked systems.

    Source [PDF]

    Also, an FAQ from the FCC.

    Basically seems like all "consumer routers." I'd be shocked if any major networking vendors actually manufacture routers and other devices in the US. Even US-designed stuff is manufactured overseas. And not just in China.

    Also, feel free to move this to ~society or elsewhere if it makes more sense.

    36 votes
    1. [4]
      tauon

      I'd be shocked if any major networking vendors actually manufacture routers and other devices in the US.

      German tech news outlet Heise has the answer: USA bans all new routers for consumers

      26 votes
      1. [3]
        CrypticCuriosity629

        Do you have a site that doesn't require me to agree to sell my data or subscribe to read the article?

        8 votes
        1. [2]
          tauon

          No, unfortunately not, but I’m sure by now it’ll have been covered elsewhere as well.

          Tangent: I’m fairly certain this behavior of forced pay-or-allow-tracking will not be around for that much longer with EU publishers, if it’s any consolation. Here’s an auto-translated article on the topic if anyone reading is curious (not tracking-walled :-)).

          8 votes
          1. updawg

            Tangent: I’m fairly certain this behavior of forced pay-or-allow-tracking will not be around for that much longer with EU publishers

            Why not? It's just a pay wall: either pay with your money or your data. I don't like it, but it's logical.

            1 vote
    2. [2]
      Grumble4681

      Routers: For the purpose of this determination, the term “Routers” is defined by National
      Institute of Science and Technology’s Internal Report 8425A to include consumer-grade
      networking devices that are primarily intended for residential use and can be installed by the
      customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between
      networked systems.

      So while this doesn't immediately solve the issue for consumers, this would seemingly be easily circumvented by taking consumer grade router hardware and stripping out the firmware/software. Then it's just a general purpose computing device with extra network ports on it. Then anyone can import it. Then a separate legal entity that operates independently that buys the imported general purpose hardware and loads the firmware/software onto it. The key part is that TP-Link or such can't just establish another LLC in the US because that would be one entity trying to circumvent the law, but one entity who is only importing general computing devices and another independent entity who is only loading software onto already imported devices are two entities who are doing nothing illegal.

      And yes, you can already do this with hardware that is already available. I bought some myself and previously used Untangle on it, but now switched to OPNsense. I haven't tried OpenWRT yet.

      I strongly suspect that this is a similar case to TikTok. US leadership doesn't care about privacy or security of US citizens in general, they only care about protecting them from foreign adversaries and it makes sense for them to supplant the foreign adversaries in the role of invading privacy and security of US citizens with domestic allies. I'm sure Larry Ellison wouldn't mind having access to everyone's home routers, and the current US leadership would be quite happy with that arrangement as well.

      20 votes
      1. sparkle

        This is exactly what Jeff Geerling advocated for in his brief video on the subject. "No sir that's not a network router made in China, that's a mini computer with 5x 10gbps SFP ports made in China"

        You'd also be correct on the TikTok analogy. Sounds like the "conditional approval" is basically a bribe to the FCC.

        10 votes
  2. [11]
    Eric_the_Cerise

    Has anyone seen a list--or even any specific individual model(s)--of routers that are not banned?

    So far, per a BBC article, the only router that's not banned is Starlink, which is made in Texas.

    22 votes
    1. [3]
      Greg

      Looks like Comcast contracts out their own-brand stuff to CommScope, which is a subsidiary of Amphenol and does have at least some manufacturing in the US. No idea whether that’s where this specific hardware is made, but it seems like a possibility for a US-based company that’s going to have to deal with this one way or another?

      The problem (well, one of the many problems) with the Trump administration is we can’t even assume it’s straightforward corruption and work backwards from there. It could be that they’re deliberately doing this to benefit a few specific businesses - and I’d bet on Comcast being one of them if so, it’d be entirely their style to cut off the supply of routers to the entire US just to force their own customers into some absurd equipment rental fee. It could be that they’re doing it to extort fees from those businesses to get their hardware on the approved list and the businesses are just as pissed off about it as everyone else. It could be that they’re planning on mandating some kind of absolutely insane surveillance and censorship infrastructure built right into the network hardware and don’t want anyone working around it. Or it could be that someone in the office thought this made for a solid “China bad, America strong” headline and literally didn’t even bother to ask whether there are any US made alternatives before implementing it.

      31 votes
      1. Eric_the_Cerise

        I agree, in that this one feels more complicated than most of the stupid things the Trump Admin does. Curious to see where it goes.

        17 votes
      2. Habituallytired

        So they're trying to force everyone to use Starlink (Tesla) or Comcast's terrible "standard" routers that intentionally throttle your network and have obvious security flaws built into them?

        It'll be nice to see the lawsuits that come out of this.

        9 votes
    2. zod000

      The FCC page has a link to the exceptions... and currently there are none. The announcement was only made yesterday though, so that isn't surprising for this clown show.

      The announcement did include this line "Consumers can continue to use any router they have already lawfully purchased or acquired." so most people should be fine waiting for this idea to hopefully implode under the weight of all the lawsuits.

      18 votes
    3. [6]
      skybrian

      From: The FCC's Wi-Fi Router Ban Explained

      The FCC order targets all foreign-made consumer-grade routers, but existing models are not banned from use or sale. “Today’s action does not impact a consumer’s continued use of routers they previously acquired,” the FCC said on Monday. “Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process.”

      I doubt that access to the latest models of routers will matter much, at least for consumers. They're pretty mature tech.

      2 votes
      1. [5]
        papasquat

        They will when the models that are currently approved stop receiving security updates.

        6 votes
        1. [2]
          Akir

          I can assure you that a great many of the routers people have in their homes are no longer receiving security updates.

          3 votes
          1. papasquat

            Sure, but if this ruling stands, eventually, none of them will. If you find out your router is compromised, it's not like the average consumer would be able to go out and buy a new one that doesn't have unpatched vulnerabilities.

            3 votes
        2. [2]
          skybrian

          Maybe some vendors would stop selling their existing models, but that means more market share for those that stay in the market. And if they’re still selling them, wouldn’t they keep supporting them?

          1 vote
          1. papasquat

            I guess that depends on if the US market is lucrative enough that the small amount of purchases they'd get for replacing broken hardware is enough to justify continuing to support an old router that no one in the rest of the world wants.

            The only reason most people buy a new router is if the one they have broke, or if they want faster speeds/better wifi. If you cut off the possibility of the latter reason being a motivating factor, do enough people have broken routers to make it worth a company's time to keep manufacturing them and releasing security updates?

            In reality, I think the most likely scenario is realistically that people continue to import foreign routers that aren't FCC certified after retailers figure out that the federal government is not staffed to enforce this. Either via blatantly just doing it, having some grey area loophole like rebranding some white label or shipping blank hardware that has an easy flash button or something, or via some sort of bribe to the president allowing them to get on the exception list.

            Either way though, it's a really bad thing for consumer internet costs, security, and American competitiveness in the tech market. I also suspect it's just yet another grift by the Trump administration to enrich Trump and his family, like a good half of the federal policy decisions made nowadays.

  3. [5]
    Akir

    This would be funny if it weren't real. It's astonishing how incompetent and deliberately damaging this administration is.

    21 votes
    1. [4]
      Eji1700

      Unfortunately they're probably right, even if this is the wrong way to do it. We've just ignored the insane level of security we outsource to foreign nations because we're ignorant of how much damage could actually be done.

      12 votes
      1. [3]
        Comment deleted by author
        1. [2]
          papasquat
          (edited)

          Short answer, yes it does. I'll be honest with you though, much of it comes from executives or laymen who have no real cybersecurity experience, or especially threat modeling experience.

          I would say that the norm these days for most organizations is to assume China=bad. I can't think of a single US company nowadays that would be willing to run Huawei networking equipment, for instance.

          The issue is that the entire IT hardware supply chain is Chinese. Outside of extremely expensive TAA compliant hardware (even then though in some cases) almost all of the base electronic components are either manufactured in China, or by Chinese companies operating elsewhere. High performance CPUs and GPUs are still fabbed in Taiwan, but your average IC or dimm module or transistor or whatever is going to come from China at some point.
          In many cases the hardware is just straight up Chinese.

          People won't buy Huawei because it's on the covered list already and "sounds Chinese", but ZTE? Sure, go right ahead.

          In sober, informed organizations where cybersecurity decisions are left to professionals, the situation is a little different. The risk is dependent on a few different variables.

          One, is your organization a likely target of state level actors? I don't mean ransomware gangs that operate out of China; those types of actors wouldn't get access to the CCP's juicy vault of supply chain compromised hosts (if they exist). I mean does your company operate critical infrastructure like oil and gas production, nuclear fuel enrichment, power generation? Do they operate within the defense industrial base? Do they make up a major platform for financial transactions like banking or securities exchanges?

          If not, you're probably not going to be targeted by Chinese state hackers. China has no interest in potentially blowing the lid off of very valuable vulnerabilities to learn what the burger of the month is at your fast food chain.

          Two, exactly which components are manufactured in countries of concern? If the chassis is made with Chinese steel, but the ICs and SOC are coming from Taiwan, you're probably ok. Same goes for passive electronic components like diodes or resistors or capacitors. (Supply chain compromise is a thing still, but that has other mitigating controls and is a whole other conversation).

          Third, where are the devices going to be deployed, and what's their use case?

          A digital sign that's deployed in an isolated VLAN without internet access? Not a real concern worth considering in most places.

          Your core router? Probably something to look into.

          Fourth, and probably the biggest ones, are regulatory constraints. For many of these organizations, it's already just straight up illegal to use devices from certain manufacturers, or components built in certain countries. This is the biggest actual constraint, because it's no longer a matter of opinion or subjective risk analysis, it's a law that you'll be fined or go to jail if you violate.

          So yes, it does come up, and it probably comes up more often than it should, in my opinion.

          It's a concern in certain situations, yes, but not nearly as much of a concern as the random 10 year old "built in america" firewall that no one knows about anymore running 8 year old firmware that every organization seems to have somewhere in their production network.

          15 votes
          1. [2]
            Comment deleted by author
            1. papasquat

              Yes, as an American I'd agree with you. The US has amazing capabilities in hardware design and software development. We no longer have decent manufacturing capabilities though. I'd be very wary of anything actually built in the US, especially electronic components manufactured en masse for a competitive price. We just have no realistic way to do that without putting out complete crap.

              If this ban is something that's actually enforced, it's going to mean a lot of consumers being totally priced out of the market, or a lot of new reliability issues that never existed before. (How often does your home router just straight up die due to a hardware failure now? Probably not often).

              The thing that the Trump admin doesn't seem to understand is that the biggest beneficiary of globalization, and by a long shot, is the US. If we had to manufacture everything domestically, Americans' quality of life would plummet. We managed to have a strong global economy, and a ridiculously strong domestic economy because we allowed countries to specialize in what they could efficiently produce. China creates cheap high quality electronics. Germany produces reliable automobiles, Taiwan fabs advanced chips, the EU produces luxury goods and services, Japan produces high end machine parts, and so on. If everyone has to go back to producing everything themselves, we're all worse off, but the US suffers the most out of everyone. We've built our economy on extremely high end financial services, entertainment, and technology. When no one buys from us because we won't buy from them, we need to go back to building low margin manufactured goods. But I digress.

              7 votes
      2. Akir

        I hate to agree, but yeah. Most routers sold to consumers are garbage and shouldn't be trusted. Unfortunately I don't believe for one second that enforcing a "US made" policy would do anything to fix it regardless of the existence of such a domestic industry.

        5 votes
  4. [2]
    papasquat

    This doesn't make any fucking sense. I have some expertise in this area, and I can say that the supporting information the administration is citing to justify this is nonsensical.

    There have been major attacks linked to compromised routers used in botnets, yes. Actually quite a lot of them. The reason why is because routers inherently sit on the open internet, listening for traffic to forward to the local network.

    The thing is, foreign routers are no more vulnerable than the theoretical American consumer router that doesn't exist.

    Those routers are exploited because of security vulnerabilities; CVEs. The manufacturers aren't intentionally handing them over to botnet owners. That would make no sense; they'd be screwing their customers over for no reason.

    Usually, a new vulnerability comes out, starts being exploited in the wild, manufacturers come out with a hotfix to address them and... no one applies it. Because who logs into their router to check for updates regularly? Some of them update themselves automatically, but not all of them.

    The thing is US built routers would have the exact same problem. How do I know this? Because enterprise grade routers designed in the US and built to spec are compromised all the time.

    If a US company can't design a $200,000 next gen firewall to never include exploitable CVEs, how in the hell could they do it on a $60 consumer grade router?

    Secondly, we have the exact same problem with any device with a network interface. TVs, thermostats, hot water heaters, garage door openers, security cameras, audio assistants, hell, fucking refrigerators have IP addresses nowadays. They all can, and do get compromised and used in botnets.

    If, instead of randomly deciding that routers are what needs to be banned simply because they're built somewhere else, the Trump administration hadn't completely gutted CISA (you know, the agency directly responsible to ensure this kind of stuff doesn't happen), we could get actual supply chain security while not completely fucking over a market and not jeopardizing internet access for millions of Americans. That would be rational and level headed though, and we don't do that sort of thing around here anymore.

    20 votes
    1. vektor

      Even to a blind moron in a rush, it should be painfully obvious that this kind of intervention would require a grace period. If the US government went "alright, stop importing this shit. It'll be banned in two years. Get some domestic alternatives onto the market within two years." instead of "stop importing this shit now". If you don't want imports to surge in anticipation of the ban, put a cap on imports or some shit.

      Like, this should be obvious to people not in IT. I could forgive them for neglecting some technical detail, many of which you mentioned, but this fuckup isn't even funny. They didn't even check if the alternative they want people to buy even exists.

      8 votes
  5. [2]
    kari

    This seems pretty scary, honestly, at least to my understanding of it.

    11 votes
    1. Greg

      If this were a normal administration it'd be a horrible sign of incompetence and/or malice. As it stands, we already know loud and clear that those are both the case, and this particular idea is so goddamn stupid and shortsighted that it'll probably just fall apart under a little bit of scrutiny.

      I know that's not a lot of reassurance, but I don't think this in particular is that much to really worry about given the circumstances. At least not in comparison to a lot of other things they're doing.

      15 votes