On March 23, 2026, the Federal Communications Commission (FCC) updated its list of communications equipment deemed to pose an “unacceptable risk” to U.S. national security to include all “consumer-grade routers produced in foreign countries.” This move continues the Trump administration’s pattern of protectionist policies that, despite being wrapped in the rhetoric of national security, do little to address legitimate security concerns while layering more bureaucracy onto an industry already beset by spectrum and equipment regulations. The ban is premised on a faulty conception of cybersecurity and does more to advance the interests of politicians and bureaucrats than those of the United States as a whole.

Cybersecurity is not something that can simply be provided by administrative fiat or cobbled together with bans on (real or imagined) threat vectors. If the administration’s goal is to strengthen the security of America’s communications infrastructure, the focus should be on ensuring that American capabilities remain ahead of adversaries, not just on addressing the inadequacies in the existing security architecture. Indeed, cybersecurity is best conceptualized as an ongoing competition between the capabilities of attackers and defenders, rather than a state that can be attained once and for all. Thus, producing cybersecurity requires constant innovation and adaptation, two functions that markets have a comparative advantage in. Markets create incentives for market actors to develop new security parameters or certifications and new products intended to mitigate the costs of cyberattacks, thereby providing the innovation and flexibility needed to keep cyber capabilities moving forward.

Cybersecurity and the FCC

The FCC order reflects an executive branch interagency body conclusions that foreign-manufactured routers create risks by “(1) introducing a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense; and (2) establishing a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.” It is upon these grounds that the blanket ban is premised, with the task force stating that “Routers in the United States must have trusted supply chains so we are not providing foreign actors with a built-in backdoor to American homes, businesses, critical infrastructure, and emergency services.”

To this end, the process whereby a company may apply for a waiver of this ban stipulates that the applicant must provide a “detailed, time-bound plan to establish or expand manufacturing in the United States for the router for which the applicant is seeking Conditional Approval.” In effect, the primary concern would seem to be where devices are manufactured, rather than whether they are secure.

Despite the bold assertion in the FCC press release about the need for a secure router supply chain, the U.S. router manufacturing industry is effectively nonexistent. A recent industry report highlights that next to no consumer-grade routers are manufactured entirely in the United States, with even the handful of American brands relying heavily on components manufactured in Asia. Creating domestic capacity to serve as an alternative to imports would require substantial investments in both physical and human capital, entailing a highly time-intensive process.

In the near term, the only alternative would be through the grant of “conditional approval” by either the Department of War (DoW) or the Department of Homeland Security (DHS). This is worrisome, especially considering that the Chinese company TP-Link, for example, accounts for approximately 65 percent of the market for home and small business routers as of 2024. Fully compliant U.S. manufacturers, on the other hand, supply only 2 percent of consumer-grade routers. While several companies have been granted waivers, including Netgear, Amazon eero, and Adtran, the process whereby such approvals are made remains opaque.

From the standpoint of ensuring the safety of America’s digital infrastructure, simply banning foreign-produced routers is the wrong approach. The FCC’s public notice cited the Salt Typhoon, Flax Typhoon, and Volt Typhoon attacks as being primary reasons for the ban. Yet the vulnerabilities revealed by these attacks were unrelated to where the routers themselves were manufactured. Instead, the Typhoon attacks exploited weaknesses created by weak passwords, unpatched vulnerabilities in network equipment, and poor threat monitoring and detection capabilities. All of these weaknesses tie back to issues of software or system management, rather than anything to do with component hardware.

Even if the Commission were correct in targeting routers themselves, the ban only extends to new routers. It does not “restrict the continued use by consumers of previously-purchased devices.” Thus, the order fails to fully address even the imagined threat of routers serving as attack vectors by leaving in place potentially compromised devices in homes and offices. Indeed, by preventing consumers from acquiring new, more secure routers, the ban may actually increase the vulnerability of the United States to cyberattacks.

More generally, the administration is not consistent in considering these routers an unacceptable national security risk. Earlier this year, President Trump put on hold plans to ban routers built by TP-Link—a Chinese manufacturer that had been investigated for its connections to the Chinese government and the potential risks these posed—ahead of his summit with Chinese President Xi Jinping. If the risks created by imported routers are sufficient to justify a wholesale ban on their sale, then such a ban should not be a potential bargaining chip for international negotiations. The move calls into question the seriousness of the threat allegedly posed by foreign routers to U.S. cybersecurity.

The Costs of Protectionism

Beyond the contradictions in the policy itself, the costs attendant to the ban are likely to outweigh its supposed benefits. By prohibiting the sale of new routers without the approval of either DHS or DoW, the ban effectively shields incumbent firms from the next wave of innovation in security and patching protocols. The animating force of market competition is the injection of new, innovative products into markets, which deliver value to consumers in the form of lower prices or better products while directly contesting the market share of existing firms. Insofar as the ban succeeds in limiting the introduction of newer, better-protected routers into the market, it will lessen the competitive pressures faced by current sellers.

Additionally, limiting competition in the new router marketplace to firms that have secured a conditional waiver grants them greater power over the prices they can charge consumers. Under such conditions, approved sellers would likely charge higher prices than they otherwise could. Moreover, since any firm looking to enter the consumer router market would first have to obtain the approval of DHS or DoW, the discipline imposed on incumbents by the potential entry of new competitors into the market would be reduced. The result is that consumers face fewer choices and higher prices.

These direct costs to consumers are compounded by downstream effects on businesses. Higher prices for new routers would impose costs on businesses and potentially adversely impact small business formation, since many small businesses use consumer-grade routers in their operations.

Moreover, there remains the uncertainty around whether the ban will be extended to enterprise-grade routers as well. According to one estimate, 91.2 percent of business-grade routers are produced by companies that could be noncompliant with the terms of the FCC’s ban. Many enterprise-grade router manufacturers contract out production to foreign firms, and the line between consumer and enterprise routers is ambiguous, making their restriction more likely. This uncertainty would force businesses to devote more of their attention and resources to ensuring compliance with government regulations, as well as bearing the higher cost of updating their networking systems should the ban be extended.

Insuring Cybersecurity 

Given the evident costs associated with the administration’s current top-down approach, whether such an approach is actually required to achieve cyber resilience bears consideration. This is especially true because private governance offers a better path by which cyber capabilities can be improved and the downside risks of cyberattacks mitigated.

One effective mechanism of private governance is cyber insurance. Starting in the late 1990s, insurers began offering policies designed to offset the financial risks associated with cyberattacks. This market has grown significantly, particularly over the last decade, and been complemented by expanded reinsurance and private sector investment in catastrophe bonds. By setting risk-adjusted premiums and stipulating cybersecurity standards as part of insurance contracts, insurers create incentives for their customers to invest in better security systems and controls.

In fact, after a decade of premium growth and in the face of mounting claims, cyber insurance premiums fell by 5 percent on average in Q4 of 2024, reflecting, in part, the investments made by insured parties in their cybersecurity controls. Research, moreover, has shown that the capacity of insurers to absorb losses extends to catastrophic loss scenarios, where cyberattacks cascade across multiple critical economic sectors. A recent actuarial study found that losses stemming from such events ranged between $0.7 billion to $35 billion, meaning that even on the upper end, these losses remain insurable by private markets.

If improving the security of the telecommunications industry is the objective, then harnessing private markets to drive the innovation and experimentation needed to ensure that American capabilities stay ahead of adversaries is the right approach.

Cybersecurity as a Trojan Horse

Equipment bans are simply the wrong approach to addressing cybersecurity. The FCC’s policy is poorly targeted to actual risks, hurts consumers by limiting competition and choice, and creates uncertainty for businesses while leaving gaps in the country’s cybersecurity architecture. Tellingly, the FCC has seemingly recognized the inadequacies of its “cudgel” approach to cybersecurity in its decision to extend the window within which existing devices can receive software and firmware updates out to 2029. Ideally, the FCC would go a step further and repeal the ban in its entirety, though for reasons Part II of this series will make clear, a full repeal is unlikely.

Indeed, given how poorly targeted the router ban is and the ability of private market mechanisms to address and mitigate the losses associated with cyberthreats, the question remains: What purpose does the FCC’s action serve? The answer lies not in national security but in political economy.

Our Technology and Innovation program focuses on fostering technological innovation while curbing regulatory impediments that stifle free speech, individual liberty, and economic progress.