The FCC Router Ban Protects One Company, Not Your Network

Netgear's stock jumped 16.7% after the FCC announced a ban on foreign-made consumer routers on March 23, 2026. That number is worth sitting with. A national security measure was announced, and the company that publicly praised it first was also the first to receive conditional approval to keep selling. Its rivals, operating nearly identical Asian supply chains, are still waiting. The market read that sequence correctly, even if the security press did not.

The ban adds all foreign-made consumer-grade routers to the FCC's Covered List under the Secure and Trusted Communications Networks Act of 2019. FCC Chair Brendan Carr framed it as protecting critical infrastructure from state-sponsored attacks, citing Volt, Flax, and Salt Typhoon, three real hacking campaigns that exploited router vulnerabilities. The threat is genuine. The policy response is something else.

Origin Is Not a Vulnerability Class

Security researchers do not categorize router risks by country of assembly. They categorize them by firmware quality, update cadence, default credential practices, and exposed management interfaces. A router manufactured in Vietnam with strong firmware and automatic patching is safer than one assembled in Texas with a four-year-old kernel and no update mechanism. The FCC ban addresses none of those variables. It addresses where the device was made, which is a trade policy dressed in a security argument.

The exemption criteria make this clearer. Netgear qualified, at least conditionally, by committing to U.S. expansion and praising the administration's action. The specific technical benchmarks for what makes a router "trusted" remain opaque. Bjørn Jensen, CEO of WhyReboot, noted the ban might push consumers toward enterprise-grade hardware, which is a real security improvement, but that outcome is incidental. The policy does not mandate it. It just disrupts the consumer supply chain and waits to see what fills the gap.

Here is the cost that does not appear in the press release: firmware updates for existing banned routers are permitted only until March 1, 2027. After that, tens of millions of devices in American homes stop receiving patches. The ban does not remove those routers. It just stops them from being maintained. A household that cannot afford to replace a router it bought two years ago will run an unpatched device indefinitely, which is precisely the attack surface the Typhoon campaigns exploited. The ban accelerates that exposure for anyone who does not upgrade.

Who Pays When the Exemptions Run Out

I will grant the counterargument its strongest form: supply chain provenance does matter, and a policy that forces manufacturers to prove trusted status is better than no accountability at all. That is fair. But accountability without defined criteria is just leverage, and leverage in a regulatory process tends to flow toward whoever has the best lobbyists and the most to gain from a competitor's exclusion.

Netgear's conditional approval runs 18 months. Its rivals face an indefinite ban while the exemption criteria stay unpublished. Meanwhile, the ROUTERS Act, which would actually direct the Department of Commerce to assess security risks systematically, is still in congressional discussion as of March 26, 2026. The rigorous version of this policy does not exist yet. What exists is a ban that cleared one company's stock price and left everyone else's home network running on the same hardware it ran on before, just with a shorter update window.

The FCC should publish specific, technical criteria for trusted status, apply them uniformly, and mandate minimum firmware support periods for any device sold in the U.S. market. That would be a security policy. What we have now is a procurement advantage with a national security label on it.