A recent Federal Communications Commission ban on foreign-made internet routers could end up straining supply chains, while failing to address critical cybersecurity vulnerabilities hackers are known to exploit.

According to an April 9 report published by the Global Electronics Association, more than 100 million consumer routers are currently active in the U.S., virtually none of which were made in the U.S. Those routers are primarily assembled and manufactured in Taiwan, Vietnam, Thailand, and to a smaller extent China. However, the GEA asserts that the vulnerabilities that make routers attractive targets for hackers "have little to do with where they are built."

"Insecure defaults, exposed management interfaces, weak authentication, and above all, inadequate patching and end-of-life support are engineering and lifecycle failures, not geographic ones," the report reads, noting that those issues appear across brands and countries of origin alike. And in fact, one of the most prominent cyber-intrusions in recent memory was when Chinese hacker group Salt Typhoon penetrated the systems of U.S.-based telecommunications companies in 2024, by exploiting American-designed equipment that was running unpatched software.

Furthermore, the FCC's ban — enacted over concerns related to potential security gaps in foreign-made routers — carries an implicit requirement to establish a domestic router manufacturing base that does not exist, the GEA notes. No major router manufacturer operates a U.S. production line, while the predominant existing ecosystem for building consumer networking equipment is concentrated almost entirely in Asia.

The result is an FCC policy the GEA describes as a "reshoring mandate embedded inside a security framework," weighed down by untested approval processes, unrealistic timelines, and a "fundamental mismatch" between the policy's geographic concerns and the engineering failures that actually make routers vulnerable to cyberattacks.

"A policy framework that treats a router assembled in Vietnam or Taiwan as inherently riskier than one assembled in the U.S. misidentifies the source of the problem," the GEA explains.

The GEA also acknowledged that securing router supply chains should still be a priority, albeit one focused on a targeted approach that should include mandatory security baselines, requirements around software patching, and better overall supply chain visibility.