Will Forcing Routers to be Assembled in the US Make Them Secure?

The FCC recently issued an order banning NEW foreign made routers from getting FCC approval to be sold unless someone certifies them as safe. There are no rules as to what would be required to determine that a router is safe. For example, would contributing a million dollars to a politician’s campaign make a router safe and approved? There is nothing in the rule saying that would be a problem.

But lets look some of the problems with the order according to a professor at the University of Georgia.

1. The Chinese hackers behind Volt Typhoon and Salt Typhoon targeted “end of life” routers that were no longer being supported or patched. Does making a router in the US solve this problem? NO!
2. They also targeted routers with weak or default passwords. Would making a router here fix that? NO!
3. They targeted routers where the owner did not install patches that were available. Again, would making routers right here in the US of A solve this? NO!
4. Routers usually run a version of Linux. That is a global operating system with contributors everywhere. Do Router makers have to write and patch their own operating systems?
5. There are drivers, say for WiFi, that are installed in these routers and they could be made in any country. Does this rule stop that? No, not really. It is possible that some drivers in specific situations would need to be made in the US. Maybe.
6. This does nothing to fix the problem of probably hundreds of millions of old, unsupported, foreign routers that will continue to be used and are still allowed to be sold in the US forever.
7. It also stops router makers from selling the newest and possibly most secure routers here since they can’t get certified since they were not made in the US. That means that people will continue to run a 10 year old or 15 year old unpatched Chinese router. What does that fix?
8. In most cases, a consumer’s router is provided by and managed (or not managed) by their Internet providers. Since it would cost an ISP a lot of money to replace all the existing routers and also since they won’t get paid for it, they have no motivation to replace those hundreds of millions of existing obsolete, non-secure routers. WITH NON-EXISTANT US-MADE ROUTERS.

There are a couple of possible solutions.

Maybe this is all for show in an election year and the FCC will approve a waiver for many foreign routers, apparently showing that assembling a router in another country does not make it secure or not secure.

Alternatively, perhaps, a company could make a “campaign contribution” and have their equipment show up on the approved list. In other countries this might be called a bribe.

None of the above is to say that there isn’t a legitimate problem, but rather that a very simplistic “solution” from the FCC is not going to work. That won’t stop political hacks from saying “see what we have done”.

Credit: The Register

by