The Consumer Technology Association (CTA) (a.k.a. the organization behind CES) is urging the FCC to reconsider how it plans to handle software updates of foreign-made routers currently on its ban (or “covered”) list. According to a regulatory filing issued April, 23, the Association suggested allowing networking companies to continue delivering software updates to existing routers to avoid unsupported equipment in homes and businesses.
The association also encouraged FCC officials to provide greater clarity on what devices are affected under the current policy, going so far as to suggest the commission loosen its approach in certain areas. Despite these criticisms of the current policy, the association did express its support for the administration’s overarching goal of strengthening US cybersecurity.
What is Set to Happen Under the Current FCC Policy
As it stands, any company whose products fall onto the FCC’s covered list as a “foreign-made consumer router” is allowed to issue software updates to existing devices until March 1, 2027. After that point, provided the company’s position on the list has not changed, all devices covered by the FCC policy will receive no future software updates.
Devices currently covered by FCC policy include foreign-made, consumer-grade Wi-Fi routers, cellular routers and Wi-Fi hotspots. Enterprise level equipment is not covered under the policy and is therefore unaffected.
Why the Current FCC Policy Poses a Risk
The main reason software updates are delivered to devices such as routers on a regular basis is to maintain device security on them. Without updates, these devices become unsupported, and become more vulnerable to cyberattacks, as existing vulnerabilities are unable to be patched out of the devices.
While the idea is likely that unsupported devices will eventually be replaced by supported ones, the reality is that consumers, to save money, will likely hold onto their devices until the hardware itself becomes nonfunctional, prompting a replacement at that point in time.
During that entire time, however, the device will continue to pose a security risk, which the FCC is currently trying to mitigate through its policy.
What the CTA is Advocating for Regarding the FCC Router Ban
While the software updates represent a major concern raised in the CTA’s meeting with FCC officials, clarity and communication were two other major issues addressed.
Regarding clarity, the FCC has recently updated its FAQ to mention that the policy covers two different types of networking devices not previously considered by the public.
On communication, the CTA encouraged the commission to collaborate more broadly with the executive branch, the National Security council and the Department of War on its initiatives for developing clearer guidelines, messaging and a roadmap for improving America’s national security standards.
Within the suggestions laid out by the CTA, a few stuck out:
- That the FCC adopt an open and transparent process for determining a device’s security profile as well as consider alternative mechanisms to address national security concerns like the U.S. Cyber Trust Mark.
- That the FCC publish clear public guidance on what constitutes a “safe” networking device and establish a potential fast-track on devices developed in countries with which the U.S. has an established defense alliance.
- That the FCC work with the Commerce department to explore initiatives supporting more business onshoring to support a “robust, competitive domestic market.”
Takeaways for Integrators
One of the biggest takeaways from the CTA’s comments is the suggestion that the FCC provide “at minimum an opportunity for public comment on proposed prohibitions with an explanation of the national security risk the prohibition seeks to address.”
This would put the current approach to policy more in line with the original hearings for the U.S. Cyber Trust Mark, as well as the initial public feedback period given for tariff-related decisions, like those given for the semiconductor and pharmaceutical industries.
At present time, the FCC has shown no inclination to pursue any of the CTA’s suggestions, aside from the recent clarifications added to its Q&A page regarding affected devices.
