US Router Ban National Security: What Every American Must Know in 2026

What Exactly Did the FCC Do?

On March 23, 2026, the FCC updated its so-called Covered List — a register of equipment deemed too risky for use in American networks — to include all consumer-grade routers produced in foreign countries. The decision was not the FCC acting alone. It followed a formal determination by a White House-convened interagency body of national security experts, who concluded that foreign-produced routers introduce supply chain vulnerabilities capable of disrupting the US economy, critical infrastructure, and national defense.

In plain English: your home Wi-Fi box, if manufactured abroad, is now considered a potential national security threat. And no new models built overseas can receive FCC authorization — the green light needed to be legally sold in the United States.

There are two important caveats consumers should know immediately. First, existing routers already in use are not affected. You are not required to unplug anything. Second, routers already authorized and sitting on store shelves remain legal to buy. The ban targets only new, unauthorized models going forward — particularly those supporting the upcoming Wi-Fi 8 standard, which will need to be manufactured domestically or receive special government clearance.

For companies, the path forward runs through a Conditional Approval process administered by the Department of Homeland Security and the Department of War. Manufacturers must submit detailed applications disclosing their corporate structure, supply chains, component origins, and proof that no foreign government has undue influence over their operations.

Foreign-made routers pose a severe cybersecurity risk that could be leveraged to immediately and severely damage US national security. — FCC Official Determination, March 2026

The Typhoon Attacks That Started It All

To understand why Washington moved so decisively, you have to understand the Typhoon campaigns — a series of sophisticated, state-sponsored cyberattacks linked to the Chinese government that exploited vulnerabilities in home and office routers to infiltrate American infrastructure at a breathtaking scale.

Volt Typhoon: The Digital Booby Trap

Active since at least 2021, Volt Typhoon is believed to be operated by the People’s Liberation Army Cyberspace Force. Its strategy is chillingly patient. Rather than stealing data immediately, the group quietly embeds itself deep within US critical infrastructure — power grids, water systems, communications networks, ports — and waits. American officials and all Five Eyes intelligence partners have concluded that these implants are strategic assets, positioned to be triggered in the event of a military confrontation with China, most likely over Taiwan. Volt Typhoon is not spying; it’s laying mines.

What makes detection so difficult is the group’s reliance on living off the land techniques — using built-in system tools like PowerShell and Windows Management Instrumentation rather than external malware. And critically, it hides its traffic by routing it through compromised small office and home office (SOHO) routers, using everyday consumer devices as unwitting cover.

Salt Typhoon: The Great Wiretap

Salt Typhoon operates differently, and its ambitions are arguably even more alarming in the immediate term. Operated by China’s Ministry of State Security, this group spent years quietly infiltrating major US telecommunications companies — AT&T, Verizon, Lumen, and others — compromising the very routers and switches that carry America’s digital communications. By the time it was publicly disclosed in late 2024, the breach had been running silently for one to two years and had compromised dozens of countries globally.

The FBI described the operation as targeting the systems used for court-authorized wiretaps — meaning Chinese operatives potentially had access to law enforcement surveillance channels. The scale prompted the US government to issue the extraordinary advice that senior officials should assume their communications were transiting to Beijing and switch immediately to end-to-end encrypted services like Signal.

Flax Typhoon: The IoT Botnet Builder

The third major actor, Flax Typhoon, distinguished itself by weaponizing everyday IoT devices — cameras, DVRs, and yes, home routers — to build massive botnets used for reconnaissance and command-and-control operations. By taking over millions of ordinary consumer devices, the group created a distributed infrastructure that is genuinely difficult to track and dismantle.

Together, these three campaigns made a powerful argument to US policymakers: the home router is no longer just a convenience. It is a front line in an active, ongoing cyberwar.

Which Router Brands Are Affected?

Here is where the policy gets complicated — and potentially expensive for the industry. The FCC’s definition of foreign-produced is deliberately broad. It covers not just where a router is physically assembled, but also where it was designed and developed. That means even a router made by an American-headquartered company qualifies as foreign-produced if key parts of its development happened overseas.

The result is that virtually every major consumer router brand is affected. Asus, TP-Link, D-Link, Linksys, Google Nest, Eero, MSI, and Synology all manufacture overseas. Even US-headquartered firms like Netgear and Ubiquiti are caught by the ruling because their factories are in Vietnam, China, Taiwan, Indonesia, and Mexico. The only mass-market consumer router that currently escapes the ban by virtue of its manufacturing location is the Starlink Wi-Fi router, built at SpaceX’s facility in Texas — though it requires a Starlink satellite subscription and is not a general-purpose home router.

Industry association CEDIA has warned its professional integrators to expect frozen product pipelines, limited new inventory, and upward price pressure as existing stock depletes.

The Netgear Exemption: A Special Pass?

The first notable crack in the ban’s uniformity came on April 15, 2026, when Netgear became the first consumer router manufacturer to receive Conditional Approval from the FCC — allowing it to continue importing its foreign-made Nighthawk, Orbi, and cable gateway product lines until October 1, 2027.

The exemption quickly attracted scrutiny. Gizmodo noted that Netgear had filed nothing with the SEC indicating plans to reshore its manufacturing. Technology Policy Institute analyst commentary raised a pointed concern: the ban creates the very vulnerability it claims to address, suggesting that inconsistent exemptions undermine the policy’s core logic.

Since then, eero also received a similar conditional approval valid through October 2027. ASUS and TP-Link have both publicly stated confidence that they can navigate the approval process as well.

The FCC has set the standard for what hardware enters our homes. In an era of sophisticated state-sponsored cyber threats, a professionally installed network is no longer a luxury — it is a baseline requirement for a secure home. — CEDIA Global President Daryl Friedman

What Does This Mean for Everyday Users?

For the vast majority of American consumers, the immediate answer is: not much — yet. If your router is already plugged in and working, you are under no obligation to replace it, and existing firmware updates will continue at least through 2027 for authorized models.

The medium-term picture is murkier. As existing inventory clears and the Wi-Fi 8 generation of routers begins arriving, consumers could face a dramatically narrowed selection, higher prices, and longer waits for new models.

For businesses and home users who take security seriously, the FCC’s guidance is clear: make sure your router is running the latest firmware, change default passwords immediately, and enable two-factor authentication on critical accounts. For the most sensitive communications, end-to-end encrypted messaging apps like Signal remain the gold standard.

You can learn more about securing your home network through CISA’s Secure Our World initiative, review the FCC’s full guidance at fcc.gov, and follow the latest updates on the FCC’s official announcement page.

The Bigger Picture: Hardware as a Geopolitical Weapon

Zoom out, and the router ban is one piece of a much larger geopolitical puzzle. The United States has spent recent years constructing a broad technology firewall against China: restricting semiconductor exports, scrutinizing TikTok’s data flows, pressuring allies to exclude Huawei from 5G networks, and now extending that logic down to the humble home router.

What’s new here is the admission — implicit in the FCC’s language — that supply chain integrity is a national security matter, not merely a commercial one. A device designed in Shenzhen, assembled in Vietnam, and sold at a big-box retailer in Ohio carries with it a chain of custody that US officials now explicitly consider a risk vector.

The harder question is whether domestic manufacturing can realistically fill the gap. Building a new router supply chain in the United States requires factories, trained workers, component ecosystems, and years of investment. The Conditional Approval process buys time, but it is not a solution. The deeper transformation will take a decade, and its costs will almost certainly be passed on to consumers.

What is certain is that the era of treating everyday consumer electronics as politically neutral objects is over. Your router is now, officially, a matter of national security.

Conclusion