All This Has Happened Before
On March 23rd, the FCC quietly dropped a rule that affects the router sitting in your home right now. Most coverage treated it as a tech story. A few treated it as a national security story. Almost nobody followed the thread to where it actually leads.
Pull the thread.
Editorial note: This post refers to both "Department of Defense" and "Department of War" — because as of this writing, so does the government. A September 2025 executive order authorizes "Department of War" as a secondary title, the website is war.gov, and Pete Hegseth's office sign says Secretary of War. However, Congress hasn't formally changed the name, so DoD remains the legal designation. If that changes I'll update accordingly. Welcome to 2026, where even the name of the Pentagon is a moving target.
What Actually Happened
The FCC added all consumer-grade routers produced outside the United States to its Covered List — the same mechanism used to ban DJI drones back in December. Effective immediately, no new foreign-made router model can receive FCC equipment authorization. No authorization means it can't be legally imported or sold in the US.
The security justification is the Volt, Flax, and Salt Typhoon cyberattacks — a series of state-sponsored intrusions that exploited vulnerabilities in home and small office routers to get into American networks and infrastructure. The FCC's framing is straightforward: foreign routers are a backdoor, and we're closing it.
Sounds reasonable on the surface. Start pulling the thread and it gets complicated fast.
The Product You're Being Asked to Buy Doesn't Exist
Here's the thing nobody is saying plainly enough: there is currently no fully US-manufactured consumer router to buy. Not one. TP-Link is Chinese-founded, makes its hardware primarily in Vietnam. ASUS is Taiwanese. Netgear designs stateside but manufactures in Vietnam and Taiwan. Google's Nest routers are made in Vietnam and China. Eero — Amazon's mesh system — same story. D-Link, Linksys, all of them. Every router you can walk into Best Buy and purchase today was made somewhere the FCC just decided is a security risk.
The rule doesn't pull existing inventory off shelves. Models already authorized before March 23rd can still be imported and sold. So the router market is effectively frozen — what's there now stays, nothing new gets in — until manufacturers either get a "Conditional Approval" exemption from the Department of Defense — or the Department of War, depending on which day you're reading this and what the current signage at the Pentagon says — or DHS, or move their manufacturing to US soil.
No Conditional Approvals have been granted yet. No US manufacturing exists. The replacement product this policy implicitly demands does not exist and building it would take years.
So the practical message to every American household is: your router is a security risk, please replace it with something we haven't built yet.
The Firmware Cliff Nobody Is Talking About
Here's the part that actually matters to you personally, and that most coverage is burying in paragraph nine.
Existing routers — the ones already authorized, the ones on shelves, the ones in your home — can keep running. For now. Firmware updates are allowed to continue... until March 1, 2027. After that, unless a manufacturer has obtained Conditional Approval, they cannot push new security patches to your device.
Read that again. The government banned foreign routers for security reasons. The policy response to that security risk is to guarantee that in roughly a year, tens of millions of households will be running foreign routers without security updates. Unpatched. Indefinitely. Because nobody is replacing them.
Ask Microsoft how that plays out. Windows XP hit end of life in 2014. Years later, hospitals, ATMs, government systems, and businesses were still running it — frozen in time, accumulating unpatched vulnerabilities while the threat landscape kept evolving around them. WannaCry hit in 2017, three years after end of life, and XP machines were still getting destroyed by it. Microsoft eventually had to issue emergency patches for a dead operating system because the unpatched installed base had become everyone's problem.
The lesson Microsoft took from XP is exactly why Windows 11 updates the way it does — aggressively, persistently, bordering on hostile. They decided a massive unpatched installed base was a worse outcome than annoying users who wanted control of their own schedule. You can delay, you can defer, but eventually it's updating whether you like it or not.
Routers have no equivalent forcing function. Microsoft controls Windows and can push. Nobody controls your router firmware except the manufacturer — and after March 2027 the manufacturer is legally blocked from pushing anything without Conditional Approval that doesn't yet exist. There's no Windows Update equivalent. No "eventually it just happens." Just a device sitting on your network, frozen at 2027 firmware, accumulating unpatched CVEs (known vulnerabilities) while the threat landscape moves on without it.
The router equivalent of WannaCry hitting in 2029 on hardware that hasn't seen a security patch in two years is not a remote scenario. It's the logical conclusion of this policy if nothing changes.
I have several ASUS ZenWiFi nodes scattered around the house — bought on sale over time, because that's how you build a mesh network when you're not made of money. We've been broken into before. The cameras those nodes support aren't paranoia, they're a response to a real thing that happened. The mesh isn't overkill, it's infrastructure for actual physical security. Replacing it means starting over on the network side at least — the cameras themselves stay put unless a future rule decides to come for Eufy next, which, given that Anker is a Chinese company and 2026 is 2026, I wouldn't rule out entirely. Either way we're talking about spending several hundred dollars on hardware that works perfectly fine right now.
I'm not doing that. Most people aren't doing that. Which means most people are going to be sitting on unpatched hardware in March 2027 without fully understanding why.
That's not a security improvement. That's a security time bomb with a government-issued fuse.
The ISP Problem Is Even Worse
At least I know my mesh exists. ISP customers renting their gateway hardware often have no idea what model it is, who made it, or what firmware it's running.
Think about the scale here. Comcast has somewhere around 32 million internet subscribers. A significant portion of them are renting a gateway device. Many of those devices are foreign-made. The ISP owns the hardware, not the customer. The ISP controls the updates. And the ISP is looking at a potential bill of hundreds of millions — possibly billions — to replace hardware that is currently working fine and generating steady rental fee revenue.
They're not doing it voluntarily. And here's the trap: if they try to pass the cost to customers as a new fee, most ISP contracts have material change of terms clauses. Customers whose deal suddenly includes a "router compliance surcharge" have grounds to walk. ISPs cannot afford mass churn any more than they can afford mass replacement.
So the most likely outcome is: ISPs do nothing for as long as legally possible, lobby furiously for extensions and exemptions, and the firmware deadline quietly gets pushed out — once, twice, indefinitely — while millions of gateway devices age past their support window with renters who have no idea.
The person who eventually gets left holding the bag is always the same person.
Security Theater With Real Consequences
Let's talk about the actual threat model for a second, because it matters.
The Volt, Flax, and Salt Typhoon attacks — the ones used to justify this rule — were targeting critical infrastructure. Power grids, water systems, telecom backbones, defense contractors. That is what a nation-state actor cares about. Not your living room. Not your Ring doorbell footage. Not your Steam library or your self-hosted Jellyfin instance.
And here's the uncomfortable detail: critical infrastructure should not be running consumer-grade routers. A water treatment facility or a power substation running on the same TP-Link hardware as your home network is a procurement and compliance failure that predates this rule by years. The solution to that failure is not to ban consumer hardware. It's to ask how critical systems ended up on consumer hardware in the first place.
Meanwhile, Salt Typhoon — one of the three attacks cited — hit Cisco. Cisco is a California company. Enterprise hardware. The vulnerability problem isn't "foreign-made consumer gear." It's that networked hardware has vulnerabilities, full stop, regardless of where it was assembled.
And the data a foreign actor would actually want from ordinary households? It's largely already out there. Public social media. Data broker databases. The seemingly endless parade of corporate breaches that generate "we take your security seriously" emails that everyone reads and immediately forgets. Some bigwig in Beijing making strategic decisions about American infrastructure does not need your home network to do it. They can just open Twitter.
He Who Controls the Spice
Here's where I have to step back and look at what this rule is actually for.
This isn't really a security rule. It's a geopolitical move dressed as one — a shot across the bow at China and Southeast Asian manufacturing more broadly, using the same national security framework that went after DJI drones. The underlying message is: we want this manufacturing back on US soil, and we're using Covered List designations as the lever to make it happen.
That's a legitimate policy goal. Dependence on foreign supply chains for critical hardware is a real problem. The chip shortage during COVID illustrated that in painful detail. Dune illustrated it sixty years ago — he who controls the spice controls the universe. Except the spice is semiconductors, Taiwan is Arrakis, and TSMC is basically the Spacing Guild. Everyone knows the dependency is dangerous. Nobody has managed to actually quit it.
The problem isn't the goal. It's the timeline, the workforce, and the self-defeating moves being made simultaneously.
Reshoring manufacturing doesn't happen in a year. It doesn't happen in three years. You need facilities, supply chains for components, and workers — and the workers are the part nobody wants to talk about. The US has spent thirty years steering people away from manufacturing toward service work and college degrees. You can't flip a switch and have a trained production workforce appear. The people who know how to build this stuff are in the countries you're trying to decouple from.
We know this because we watched it happen in real time, in Georgia, with a Hyundai battery plant.
The Hyundai Problem
In September 2025, ICE raided a Hyundai-LG battery plant under construction in Ellabell, Georgia. 475 workers detained — mostly South Korean nationals, engineers and specialists brought in temporarily to install equipment and train American workers. The largest single-site enforcement operation in ICE's history.
Here's the part that makes the head spin: those workers were there specifically to transfer knowledge to American employees. They were the pipeline. The training program. The reason the plant could eventually run without them. ICE arrested the workforce whose entire job was to create the domestic workforce everyone says they want. The plant was delayed. South Korea's president issued a public warning that businesses would "hesitate to make direct investments in the United States." The workers — many later confirmed to have had valid visas — are now suing for unlawful arrest and racial profiling.
And the irony that completes the circle: South Korea is one of America's most critical defense manufacturing partners. The US has more than $30 billion in active government-to-government military sales with South Korea. More importantly, as US weapons stockpiles drained supporting conflicts overseas, South Korea stepped up to help fill the gap — artillery shells, howitzers, armored vehicles, at volume and speed, because they've spent decades maintaining that industrial capacity with North Korea thirty-five miles away.
So the US is:
- Depleting weapons stockpiles in an active conflict (depending on who you ask — take that how you will)
- Depending on South Korean manufacturing to help replenish them
- Raiding South Korean workers building US factories
- Banning South Korean consumer electronics
- Watching a 70-year military alliance absorb the cumulative damage of all of the above simultaneously
You don't kick your ammunition supplier in the teeth while you're running low on ammunition. That's not ideology. That's logistics.
The TikTok Clock
Before anyone concludes this rule is the end of the story — remember TikTok.
TikTok was going to be banned. Definitely. Any day now. For about four years. It's still here.
BSG called it years ago: all this has happened before and all this will happen again. The pattern with these bans is pretty well established at this point: dramatic announcement, immediate legal challenges, enforcement gets murky, deadlines get extended, courts weigh in and complicate things, years pass, something eventually happens but rarely what was originally announced.
TP-Link alone — 60-65% of the US consumer router market, headquarters now in Irvine, California — is not going to go quietly. They've been under federal investigation since late 2024 and they've been positioning legally for exactly this fight. ASUS, Netgear, and every other manufacturer with US revenue at stake will lawyer up. And the moment it clicks for Comcast's and AT&T's legal departments that the government just put a sunset on hardware they own and lease to tens of millions of customers — those firms have more lobbying muscle than arguably anyone else in this fight.
This could easily be a 4-5 year saga. The announcement is the opening move, not the final answer.
What Actually Happens Now
Here's the honest answer: nobody knows. That's the most truthful thing you can say about this.
Best case: Conditional Approvals start flowing in a few months. ASUS and Netgear get exemptions relatively quickly. The firmware deadline gets extended at least once because the political optics of leaving millions of households on unpatched hardware are terrible. The market adapts slowly and awkwardly but doesn't collapse. This follows the pattern of the drone ban getting partially walked back in January.
Worst case: The approval process drags for years. No meaningful US manufacturing materializes. The March 2027 deadline holds. Millions of households end up on unpatched hardware with no affordable replacement. The ISP situation becomes a slow-motion crisis. The legal fights drag on long enough that the whole thing is effectively in limbo when the next administration arrives and either doubles down or quietly walks it back.
Most likely: Somewhere messy in the middle. Some manufacturers get approved, some don't. TP-Link fights it in court for years. The firmware deadline gets quietly extended. Prices on existing authorized inventory creep up as supply tightens. Nothing gets resolved cleanly.
The uncertainty itself is the problem. People building or expanding home networks right now — self-hosters, people setting up cameras, WFH setups, the kind of reader who ends up here — are making real infrastructure decisions in a fog. And the fog isn't going to lift soon.
Part Three Drops in December
Speaking of cycles that keep repeating — Villeneuve's Dune: Part Three trailer landed last week, with a December 18th release. Paul Atreides dealing with the consequences of too much power, trying to figure out how to escape the cycle of violence he created.
Herbert wrote Dune Messiah as a deliberate deconstruction of the hero worship the first book generated. The point was never that Paul was a hero. The point was what happens when the spice supply gets weaponized, when the politics of resource control get dressed up as liberation, and when the people making the decisions aren't the ones who pay the consequences.
Policy that claims to protect ordinary people from security threats while guaranteeing that ordinary people end up on unpatched hardware. A reshoring push that arrests the workers doing the reshoring. A security rule that doesn't fix the actual security problem because the actual security problem was never about your home router.
The spice must flow. The firmware cliff is coming. And the router sitting in your wall right now — the one that works perfectly, the one you paid real money for during real financial constraint, the one your cameras and your work setup and your whole home network depend on — is the collateral in a geopolitical argument that was never actually about you.
Watch the thread. This one's got years left in it.
Find me on Mastodon at @ppb1701@ppb.social.