Threat from Chinese hackers moved FCC to ban all foreign internet routers
The Intelligence Community previously assessed that Chinese hackers were burrowing into U.S. network infrastructure to lie in wait for future attacks. The problem might be found in the countries of origin where routers are manufactured.
The Federal Communications Commission took radical action this week to ban the import of internet routers manufactured in foreign countries, citing the unacceptable security risks posed by Chinese hackers to U.S. critical infrastructure.
Internet routers connect computers, cellphones, and other electronic devices to the internet. In the modern, digital economy, routers are everywhere, used by citizens, businesses, schools, utility providers, emergency services, and the U.S. military. More than 90% of Americans use the internet daily. In most cases, that service comes through an internet router, whether at home, their place of work, or in public.
In recent years, Chinese hackers have extensively burrowed into U.S. critical infrastructure networks — in industries like communications, energy, transportation, and water supply — in the continental U.S. and overseas territories, like Guam.
Foreign-made routers leave a secret back door to data intrusion
The FCC specifically cited three rounds of intrusions, known as the Volt, Flax, and Salt Typhoon cyberattacks, which pursued targets ranging from energy utilities to communications data on U.S. citizens. The agency says that foreign routers were vital in opening the door for the Chinese hackers who exploited built-in vulnerabilities.
“Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft,” the FCC said in a statement. “Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure.”
Shortly before the FCC moved to halt the import of foreign routers, the Trump administration issued a National Security Determination earlier this month, which warned that heavy U.S. reliance on foreign routers is a vulnerability.
“A majority of the routers currently in Americans’ homes and businesses are manufactured in foreign countries. Given the criticality of routers to the successful functioning of our nation’s economy and defense, the United States can no longer depend on foreign nations for router manufacturing,” the administration concluded.
Several years of escalating warnings
The FCC’s new policy adds all foreign-manufactured internet routers to the Covered List, which bans the import of such devices to the United States, but it does not affect previously purchased routers. However, foreign producers of routers that have conditional approval for use by the Departments of War and Homeland Security are exempt from the determination.
The dramatic move by the FCC followed several years of escalating warnings from the U.S. intelligence community and lawmakers, who were growing increasingly concerned about the security risks posed by consumer-grade internet routers manufactured by companies based in the People's Republic of China.
The scrutiny focused on major brands like TP-Link, a Chinese company that is a global leader in networking devices, including routers. While TP-Link’s routers are popular for their affordability and widespread availability, their extensive use in American homes, businesses, and even government networks alarmed lawmakers.
One fear was that the PRC government could compel Chinese companies, under their national security laws, to install backdoors, gather data, or enable sabotage on behalf of the Chinese Communist Party. Under China’s 2015 National Security Law, Chinese companies and citizens must cooperate with the Chinese Communist Party and intelligence agencies.
Chairman John Moolenaar, R-Mich., and Ranking Member Raja Krishnamoorthi, D-Ill., of the House Select Committee on the Chinese Communist Party sent a letter in 2024 to then-Commerce Secretary Gina Raimondo, outlining these concerns.
“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting. When combined with the PRC government’s common use of [commercial] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming,” the pair wrote.
China is “poised to attack whenever Beijing decides the time is right.”
That same year, then-FBI Director Christopher Wray said that Chinese hacking in the United States had “reached something closer to a fever pitch” and warned that China is “poised to attack whenever Beijing decides the time is right.”
The U.S. Intelligence Community has determined that in recent years, Chinese hackers have executed aggressive cyber campaigns targeting U.S. critical infrastructure, telecommunications companies, and individuals.
The FCC cited three campaigns, known as Volt Typhoon, Flax Typhoon, and Salt Typhoon, in its decision to ban foreign routers, pointing to the vulnerabilities that Chinese hackers exploited in these campaigns.
Volt, Flax, and Salt Typhoon were detailed in an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which determined, with the help of the FBI, that Chinese hackers were “seeking to pre-position” themselves on U.S. networks in order to carry out “disruptive or destructive cyberattacks” in the event of a “major crisis or conflict with the United States.”
The U.S. agencies found that Volt Typhoon compromised networks in several critical U.S. sectors like communications, energy, transportation systems, and water and wastewater systems.
Volt Typhoon, in particular, was characterized by its ability to evade detection by “living off the land,” that is, by using legitimate network administration tools already present in the compromised systems. This technique allowed the hackers to blend their activity with normal network traffic, making it extremely difficult for defenders to remove the threat.
Targets spanned U.S. critical infrastructure sectors both in the continental U.S. and in U.S. territories, particularly Guam, a strategic military hub in the Pacific that would be vital in any potential conflict between the U.S. and China.
Both Flax Typhoon and Salt Typhoon exhibited similar characteristics of exploiting common network devices, including routers, to gain initial access to U.S. networks, CISA found.