Archive for FCC

The FCC In The US Has Pretty Much Banned All Wireless Routers From Being Sold…. But It’s Kind Of Complicated….

Posted in Commentary on March 24, 2026 by itnerd

So it seems that the FCC in the United States has decided to ban pretty much every wireless router from being sold in the US. The FCC posted this PDF explaining the decision. But here’s the part that you need to care about:

The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

And:

The National Security Determination states that “Production generally includes any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.”

Since no router that I am aware of is built in the US, it means that anything that you could purchase from Best Buy, or get from your ISP, or from companies like Cisco or Ubiquiti is effectively banned. So what does that mean? Well, from what I read it means the following:

  • This ban applies to the importation and sale of routers.
  • You can continue to use your existing router.

Now there is a lifeline of sorts for router companies. They can apply for an exemption by proving that their devices are safe. What that entails is a bit of a question mark at the moment. But I pretty much assume that router companies are rushing to take advantage of that. On top of that, router companies could get around this by building their gear in the United States. But that could take years to scale up and since labour in the US is more expensive than labour in Asia for example, prices are sure to go up.

So why is the US doing this? It’s likely a reaction to companies like TP-Link having what is perceived to be insecure gear that could be leveraged by threat actors of various descriptions to launch attacks. I mention TP-Link because most of the noise around this has centered around TP-Link being accused of working for Chinese intelligence. But the US is said to have said similar things about other router companies.

What should you do in regards to this issue? Well, if you are in the US and you were considering upgrading to a new router to get say WiFi 7 or better performance or more features, now might be a really good time to upgrade given that the US banned drones from DJI using a similar rationale. Thus supplies may run out quickly whether it’s from your local Best Buy, your ISP, or from companies like Cisco.

This will be very interesting to watch as I am going to guess that this whole scenario may not play out the way that the FCC wants it to.

UPDATE: I have some commentary on this. Starting with Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs, who had this to say:

   “Supply chain compromise is becoming one of the most serious threat vectors for nation state and advanced intrusion activity targeting critical infrastructure. The FCC’s decision to add foreign manufactured consumer routers to its Covered List reflects a risk the security community has been warning about for years.

   “As endpoint and product security have improved, adversaries have increasingly looked upstream toward manufacturing, firmware, and other supply chain dependencies where compromise can create durable access. The FCC’s citation of Volt Typhoon, Flax Typhoon, and Salt Typhoon is consistent with that concern. Network devices are especially attractive targets because they sit in the path of every packet entering and leaving an environment, and predeployment compromise can be exceptionally difficult to detect and remediate.

   “This ruling applies only to new devices seeking FCC authorization, which shows policymakers are treating this as a structural, long-term risk rather than a one-off enforcement action. The market impact could be significant, given how much of the consumer router market is manufactured overseas. Public reporting has suggested that at least one newer Starlink Wi-Fi router is manufactured in Texas, but the broader reality is that domestic production capacity appears extremely limited.

   “Security leaders should treat this as a procurement signal. If the federal government has concluded that foreign manufactured network hardware can present unacceptable supply chain risk, organizations should be reviewing whether their own vendor diligence, firmware assurance, and hardware sourcing practices reflect that same reality. Every router, switch, and access point in the environment came from a supply chain. Knowing where that hardware was manufactured, who wrote the firmware, and what visibility exists into that process is no longer a theoretical exercise. The geopolitical environment is making these questions urgent, and this ruling is unlikely to be the last of its kind.”

Damon Small, Board of Directors, Xcape, Inc. adds this:

   “This is a massive expansion of U.S. tech protectionism, moving beyond specific Chinese entities like Huawei or ZTE to a blanket ban on all foreign-produced consumer routing hardware. By citing the weaponization of SOHO routers by groups like Volt Typhoon and Salt Typhoon, the FCC is treating the humble home router as a primary vector for national-scale pivot attacks against critical infrastructure.

   “For security leaders, the immediate risk isn’t an overnight “dark start,” but a long-term supply chain squeeze; with over 60% of the market currently dominated by foreign manufacturing, procurement for remote-worker kits and branch offices is about to become significantly more expensive and limited to a handful of “trusted” (likely domestic) vendors.

   “Defenders should audit their current fleet of remote-access hardware and prioritize vendors moving toward U.S.-based manufacturing or those actively seeking DHS “Conditional Approval.” While existing hardware is safe for now, expect insurance carriers and federal auditors to eventually move the goalposts from “legal to use” to “compliant to keep.”

   “The FCC is finally treating home routers like the Trojan Horses they are, though I’m sure “Made in the USA” will magically add 40% to the MSRP and zero to the patch frequency.”

FCC creates council to counter Chinese threats

Posted in Commentary on March 14, 2025 by itnerd

The FCC announced it is creating a national security council to improve US defenses against Chinese cyber-attacks and in an effort to “[win] the strategic competition with China over critical technologies” such as 5G, AI, and quantum computing.

The new FCC chair Brendan Carr said he was establishing the council to focus on the “persistent and constant threats from foreign adversaries, particularly the Chinese Communist party”.

  “These bad actors are always exploring ways to breach our networks, devices, and technology ecosystem. It is more important than ever that the FCC remain vigilant and protect Americans and American companies from these threats,” Carr said.

Carr also mentioned that the council would “pull resources from a variety of FCC organizations” and target mitigating US vulnerabilities to cyber-attacks, espionage and surveillance and reducing supply chain dependence on adversarial states.

The new council is expected to shift focus from individual Chinese entities to a more sectoral approach due to US loopholes, such as a Chinese group changing its name, that allowed threat actors to circumvent punitive actions.

  “The US side, instead of playing up the so-called ‘China threat’, should adopt an objective and rational perception of China. It needs to work with China, under the principles of mutual respect, peaceful coexistence and win-win co-operation, for stable, sound and sustainable development of China-US relations,” said Liu Pengyu, the embassy spokesperson, in learning of the new council.

Evan Dornbush, former NSA cybersecurity expert, had this to say:

The FCC announcement to build a China-focused response capability is only a few days old, so it may be too early to understand the first-order tactics (and their effectiveness). This is a bold step. The FCC owns the airwaves, and with so much technology leveraging wireless, from drones using GNSS, to cellular networks using foreign-made 5G routing, to mesh networks coordinating over the managed spectrum, it’s clear the FCC is crucially placed to have impact.

This also gives the FCC a “stick” to match its “carrot”. Over the summer when US telecom carriers revealed that the lawful intercept systems they are obligated to operate (due to CALEA, which is managed by FCC), were exposed to foreign adversaries. The resulting action? Congress gave a $3B hand out to “rip and replace” foreign-manufactured equipment. With that gone, telcos still have vast exposure from old legacy equipment likely vulnerable to both known and zero-day exploits.

What might it take for these companies to upgrade? The new authorities could increase audits and inspections. It could increase stricter fines or other penalties.

And this stick could apply to areas other than telcos. It is common practice for foreign companies to white label through US shell entities to get around various disclosures and other restrictions pertaining to license applications. Tightening up the authorization process to trace the supply chain can perturb aggressors trying to preposition deeply embedded malware.

The Chinese are clearly a threat as demonstrated by their past actions. Thus anything that can be done to counter that threat is a good thing in my mind.

FCC Proposes $200M Cyber Pilot-Program For K-12 And Libraries

Posted in Commentary on January 2, 2024 by itnerd

In a post in the Federal Register, the FCC announced that it will seek comments for a proposed three-year Schools and Libraries Cybersecurity Pilot Program to determine schools and libraries that should be considered eligible and how it can measure the program’s effectiveness.  
 
The program would provide up to $200 million for K-12 schools and libraries in rural and low-income communities and would gather information on “cybersecurity and advanced firewall services” to protect schools and libraries against cyberattacks.
 
The agency said that participants would need to use free or low-cost cybersecurity resources, such as those provided by the Department of Homeland Security’s CISA and the Department of Education, to “make the most effective use of pilot program funding.”
 
The FCC also noted that it will continue to promote its E-Rate program, which provides schools and libraries discounts on internet service.

Mike Barker, CCO, HYAS Infosec:

   “Kudos to the FCC for taking this crucial step in securing our schools and investing in the future.  By emphasizing the use of free or low-cost resources coupled with continued support for the E-Rate program, this program aims to maximize impact and signals a holistic strategy to safeguard educational entities against cyber threats.”

This is a good move by the FCC. As we’ve seen, schools are often the prime target for cyberattacks. And the Toronto Public Library system is still crippled because of one. Anything that can be done should be done because as it stands at present, both libraries and schools are low hanging fruit for threat actors.

FCC Expands 16y/o Data Breach Rules To Hold Telcos Accountable 

Posted in Commentary on December 16, 2023 by itnerd

According to a press release from Wednesday, the FCC has officially adopted changes to its data breach notification rules to hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.

The FCC order will broaden the commission’s scope of customers’ personally identifiable information that is collected and held by telecommunications carriers and expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information.”

Customers will now receive notice of a breach within 30 days of discovery unless law enforcement asks for a delay. In addition to contacting the FBI, carriers and providers will also be required to alert the FCC of breaches in addition to their current responsibilities.

The vote follows other new and controversial federal data breach reporting requirements from the SEC and FTC.

Ted Miracco, CEO, Approov Mobile Security had this comment:

   “Mobile devices hold a treasure trove of sensitive data, and the consequences of their compromise can be catastrophic, exposing personal, financial, and even medical information to potential misuse. This underscores the vital importance of the FCC’s updated regulations, which aim to strengthen data breach notifications and protect consumers in an era where safeguarding their information is paramount.”

The key thing here is accountability. You shouldn’t be able to sweep a data breach under the rug. Nor should you be able to drag your feet in terms of when you notify the public. Thus it’s positive that these rules are being changed to match the times that we live in.

FCC To Apple And Google: Delete TikTok From Your App Stores

Posted in Commentary on June 29, 2022 by itnerd

Last week I posted a story about a report that data from US users of TikTok was being seen in China. This despite the fact that TikTok has always claimed that this is not the case. This has now escalated to the point where FCC commissioner Brendan Carr posted this on Twitter:

I encourage you to click on the Tweet to read the letter in full. But in short, he wants TikTok gone from Apple’s App Store and Google Play for violating the terms of service and for being a data-gathering tool for the Chinese authorities. The letter gives both Apple and Google until July 8th to respond. As I type this, neither has responded and it isn’t clear what will happen if they don’t respond or pull the app. But TikTok has responded and said this:

We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data. That’s why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses.

You’ll note that they did not directly address the accusations that were made by Carr.

My feeling is that this is about to come to a head. I’ll be keeping a close eye on this because my feeling is that this is about to blow up into something resembling the scale that we saw when Donald Trump tried to force a sale of TikTok to a US company or be banned.

FCC Chairman Stops Trying To “Clarify” Social Media Rules

Posted in Commentary on January 8, 2021 by itnerd

Federal Communications Commission Chairman Ajit Pai said he won’t move forward with an executive order from President Donald Trump to nuke and “clarify” a liability shield for social media companies. That means that the executive order is basically dead:

After announcing that he planned to “clarify” the meaning of Section 230 free speech internet rules back in October 2020, FAA chairman Ajit Pai has now said he won’t do so. That’s largely because he’ll be gone on January 20th when Joe Biden is sworn in as the 46th US President. “There’s simply not sufficient time to complete the administrative steps necessary in order to resolve the rule-making. Given that reality, I do not believe it’s appropriate to move forward,” he told Protocol in an interview.

In reality, he likely didn’t have the power to change the rules anyway, as much as President Trump wanted and demanded it. Section 230, which gives social media sites like Twitter and Facebook immunity from lawsuits over user content, was drafted and passed by Congress. “The FCC cannot rewrite acts of Congress to suit its whims,” the ACLU’s senior legislative counsel Kate Ruane told Recode last year. “Section 230 is critical to protecting free speech online and the FCC has no authority to change it, especially not in ways that will undermine free expression.”

And in a related story, Pai had this to say about Trump being banned by Facebook and Twitter:

“I think it was a terrible mistake to suggest that the results of the election, and particularly the process that culminated yesterday in the Senate and the House, could in any way be changed,” he said. “That was a terrible mistake and one that I do not think in any way should have been indulged.”

That’s easy to say when your boss is on his way out the door. Where was this two or three years ago? Total #Fail.

FCC Sued Over Net Neutrality…… Shock. Not.

Posted in Commentary on March 24, 2015 by itnerd

The FCC knew this would come the second they decided that the Internet should be regulated which would ensure net neutrality. So I am pretty sure that they were not shocked by news of two lawsuits being filed to stop the FCC from going ahead with this, according to News.com:

The USTelecom Association, a trade group that represents some of the nation’s largest Internet service providers, filed a complaint Monday in the US Court of Appeals for the District of Columbia that claims the FCC’s action is a violation of federal law and was “arbitrary, capricious and an abuse of discretion.” Texas-based ISP Alamo Broadband made similar arguments against the FCC’s action Monday in a federal appeals court in New Orleans. The lawsuits represent the first legal challenges to the new rules in what is expected to be a lengthy court fight.

I fully expect that there will be more challenges to what the FCC has proposed. Thus you can fully expect this to be long, drawn out and ugly. And another one of those situations where only the lawyers win.

FCC Votes For Net Neutrality…. But Don’t Celebrate Just Yet

Posted in Commentary on February 27, 2015 by itnerd

Here’s the good news. If you’re in the US, the FCC has voted 3-2 in terms of regulating the Internet like a utility such as your phone service. In effect, it is enforcing net neutrality. This is a very good thing as there will be no Internet “slow lanes” or “fast lanes” based on the content you consume. The new rules replace regulations that had been thrown out by a federal court last year.

ISPs, Telcos and the like are freaking out. Exhibit A is AT&T’s top legislative executive, Jim Cicconi, sharing his thoughts in a blog post. But their basic gripe is this: Applying these sorts of regulations to the broadband industry will stifle innovation by hurting investment opportunities in networks. It could also allow the government to impose new taxes and tariffs, which would increase consumer bills. And they say it could even allow the government to force network operators to share their infrastructure with competitors. Personally, I don’t see that happening. But they’re so upset about this that they are sure to file suit against the FCC. The FCC for its part claims that it is ready to fight this out in court. Thus, I would not pop the champagne just yet. The fight for net neutrality is not yet over.

So, when is something like this coming to Canada?

UPDATE: Upon further reflection, if you read the press release from the FCC in greater detail, it appears that they’ve copied and pasted a lot of it from the efforts of the CRTC. Though it is still a work in progress as highlighted by this decision against Bell and Videotron and Bell’s decision to appeal that decision.

FCC Says Blocking WiFi Is A Big No No

Posted in Commentary on January 29, 2015 by itnerd

You might recall that a hotel chain got smacked down pretty hard by the FCC because of the fact that they wanted to block any WiFi signal that they did not control. Plus when they pushed the issue, all the negative press forced them to back down. Yesterday, the FCC sent out this edict: Blocking WiFi is verboten:

Wi-Fi blocking violates Section 333 of the Communications Act, as amended. The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference.

I for one am overjoyed with this because WiFi in hotels is not only hit or miss, but it’s sometimes rather expensive to use. Thus it sometimes makes using my iPhone 5s as a mobile hotspot an attractive option. Hopefully when some hotel chain tries to push the FCC on this, which they will, the FCC really takes them to the metaphorical woodshed.

US Citizens To FCC: No Calls On Planes

Posted in Commentary on January 17, 2014 by itnerd

You might remember that the FAA was mulling the idea of letting people make phone calls on planes. Well, clearly Americans don’t agree with them and have complained to the FCC:

Unlike most FCC issues, which tend to draw highly technical and legal arguments, the in-flight cellphone concept has kindled the passions — and penmanship — of many ordinary Americans.

“Dear FCC,” begins one entry to Docket No. 13-301, received in the agency’s mailroom on Dec. 23, “What better use of my extra Christmas card than to ask you to please use any influence you have, during the process of allowing cellular use on planes, to guide airlines towards allowing data but not voice use in flight. Thank you.” Dave Moncjeau, who sent the card from Springvale, Maine, even wrote in “Happy Holidays” and “Merry Christmas.”

Other submissions are less cordial.

“Mr. Wheeler — Phones on planes is a terrible idea. You must fly on private planes or first class in an enclosed pod. This is the dumbest idea ever!” Paul Geddes of Needham, Massachusetts, wrote on a memo pad before tearing it off and sending it in.

I for one agree that this qualifies as one of the worst ideas ever. I fly frequently to clients in the US and overseas. I have to put up with enough on flights as it is and I really don’t need to hear someone’s conversation for the three hours that I am in flight. Now if 30% of the people on the flight do exactly the same thing, flights will quickly become unbearable. I hope the FCC listens to the travelling public and shelves this idea forever.