Public policy professor says it will make America less secure but hits Netgear’s lobbying goals
The United States’ ban on foreign-made SOHO routers won’t improve security, and only makes sense as “industrial policy disguised as cybersecurity,” according to Milton Mueller, Professor at the University of Georgia’s School of Public Policy and founder of its Internet Governance Project.
The academic thinks neither argument holds water.
“The digital economy is global,” he pointed out in a Saturday post.
“A router ‘Made in the USA’ likely runs a Linux kernel maintained by global contributors, uses Wi-Fi drivers written in Taiwan, and incorporates open-source libraries managed by developers worldwide.”
“By focusing on the geographic location of the assembly line, the FCC ignores the logical supply chain of the software.
A U.S.-assembled router with a poorly written UPnP (Universal Plug and Play) implementation is just as vulnerable to a hijacking as a foreign one.”
He also points out that the FCC worries about backdoors in routers, when research into the Typhoon gangs found they exploited unpatched bugs, unchanged default device credentials, and bad design that leaves some network ports exposed to the public internet.
“Perhaps the most obvious lack of logic in the FCC’s policy is its exclusive focus on new equipment authorizations while leaving legacy devices in place,” Mueller wrote.
He offered that idea because the Typhoon gangs targeted end-of-life routers and machines that use insecure legacy protocols.
“By banning the sale of the newest, most secure Wi-Fi 7 and Wi-Fi 8 routers from dominant foreign manufacturers, the FCC forces the American public to pay substantially more for upgraded, more secure equipment or, what is more likely, to keep their older, more vulnerable devices for longer,” he argued.
Mueller concludes that by using only the criteria of “foreignness,” the ban “actually worsens the security situation.”
He then ponders if the policy makes any sense.
“It does if you see the FCC’s ban as an exercise in industrial policy disguised as cybersecurity,” Mueller argues, then points out that US company Netgear has funded lobbying efforts on issues including the Removing Our Unsecure Technologies to Ensure Reliability and Security Act - aka The “ROUTERS Act.”
Source: This article was originally published by The Register