The United States wants to require routers not built in the USA to undergo a specific vetting process before they can be sold here. I’m not sure if anyone in DC is aware of how manufacturing works these days, but most companies rely on labor in China to make their products.
When the news first broke via TechRadar, people started freaking out—and for good reason. What isn’t built in China? While we now have to find a way to manufacture routers in the US, I am not opposed to the decision itself; I am just frustrated by the timeline and the lack of thought put into it.
According to TechRadar:
“It’s part of a wider movement by the US to reduce its reliance on other countries for hardware and software. The FCC’s statement pointed to a series of recent cyberattacks – including Volt, Flax, and Salt Typhoon – that involved foreign-made router technology.”
Let’s look at Salt Typhoon as an example. The associated CVEs involve networking software and hardware from companies like Ivanti, Palo Alto Networks, Cisco, Microsoft, Fortinet, Citrix Systems, and Sophos. CVE-2023-20273, for instance, is a vulnerability in a Web UI admin interface. Why are we still leaving admin pages exposed to the internet? I thought we learned our lesson about bad passwords—like “love,” “secret,” “sex,” and “god”—back in the 1995 movie Hackers.
That is just one example of a “stupid human mistake,” yet someone in DC thinks the solution is to simply stop allowing foreign routers to be sold in the USA. I also worry about the massive amount of e-waste this policy will create. The good news, as far as I am aware, is that we can still use the routers we currently own. The new regulations are set to take effect around March 2027.
Meanwhile, The Register reports that a “US military contractor open sources tool for validating hidden communications networks.” This software toolkit, built for DARPA to test covert networks, is now open source. According to the team:
“HCS designers using Maude-HCS need only ‘specify protocol behavior, adversary observables, and environmental assumptions,’ and Maude-HCS will generate results based on a range of scenarios that ‘can be used to audit claims of undetectability.’”
It can essentially detect “sneaky” activity that organizations might not otherwise notice. You would think we could use our own networks to monitor strange traffic. Oh wait, we already are? But we still don’t trust the routers from China? Confusing, I know.
Finally, per CNET:
“Following President Trump’s leadership, the FCC will continue to do our part in making sure that US cyberspace, critical infrastructure and supply chains are safe and secure,” said FCC Chair Brendan Carr.
For context, The Verge has been quite critical of Brendan Carr’s stance on tech issues. In my view, he often acts as a “yes man,” similar to many in government regardless of political affiliation. Most decisions in DC seem designed to line someone’s wallet rather than seeking advice from actual tech experts—and more importantly, listening to them. I have seen experts like Cathy Gellis offering great insights on things like Section 230. We need to “Trust your Technologist.”
If we want to start securing things, the first step should be for software companies to use tools like Claude Code to find security vulnerabilities and exposures. LLMs are great for performing probe tests against your own networks, hardware, and software. I don’t necessarily agree with how LLMs were trained—using human-generated images and text without knowledge or approval—but the tool is here and the “nuke” has been released. We know about it, and if used properly, it can be a great asset. But that entire conversation is a topic for a later blog post.