On March 23, 2026, the Federal Communications Commission released DA-26-278, expanding the Covered List under Section 2 of the Secure and Trusted Communications Networks Act. The expansion is unprecedented — not because it names new entities, but because it names a new category.
All communications equipment produced in foreign countries — specifically routers, switches, and edge networking devices — are now added to the Covered List. Production is defined broadly: manufacturing, assembly, design, development. If any of those steps happen outside the United States, the device is covered.
This is not a sanctions list against specific bad actors. This is a blanket geographic exclusion. The FCC has declared that the location of production is itself the risk vector.
Covered List equipment cannot receive FCC equipment authorization. Without equipment authorization, it cannot be legally sold or operated in the United States. The effect is immediate for new authorizations. Existing authorized equipment retains its authorization — for now.
The order cites three specific cyber campaigns:
Chinese state-sponsored actors compromised small office / home office routers to build a botnet used for reconnaissance of US critical infrastructure. Targeted energy, water, communications, and transportation sectors. Lived in compromised firmware for months without detection.
Exploited IoT devices and consumer routers to create a proxy network for intelligence collection. Over 260,000 devices compromised globally. The botnet infrastructure persisted across firmware updates because the compromise lived below the update layer.
Penetrated US telecommunications providers through compromised edge equipment. Accessed lawful intercept systems — the wiretapping infrastructure itself was wiretapped. The attack surface was the router firmware.
CISA's assessment is blunt: edge networking devices are the "attack-vector of choice" for state-sponsored cyber operations. The FCC's response is equally blunt: if you can't audit the supply chain, you can't trust the device.
Before DA-26-278, the Covered List was entity-specific. You were on it or you weren't:
| Entity | Category | Status |
|---|---|---|
| Huawei | Telecom equipment | Covered |
| ZTE | Telecom equipment | Covered |
| Hikvision | Video surveillance | Covered |
| Dahua | Video surveillance | Covered |
| Kaspersky | Software | Covered |
| China Mobile | Telecom services | Covered |
| China Telecom | Telecom services | Covered |
| China Unicom | Telecom services | Covered |
| Foreign drones | UAS (blanket) | Covered |
| All foreign-produced routers | Edge networking | NEW — Covered |
The new entry is categorically different from the others. Huawei was banned because it's Huawei. Foreign-produced routers are banned because they're foreign-produced. The distinction matters: this is not intelligence about a specific threat actor. This is a structural assessment that the supply chain itself is the vulnerability.
The order defines production as encompassing:
This is maximally broad. A router designed in San Jose but assembled in Shenzhen is covered. A router manufactured in Taiwan but running firmware developed in Bangalore is covered. Every step in the chain must be domestic.
96% of Americans use the internet. The vast majority of consumer and small business routers are manufactured abroad — primarily in China, Vietnam, and Taiwan. TP-Link alone holds roughly 65% of the US consumer router market. Every one of those devices is now on the Covered List.
The order is not a cliff edge. It includes a conditional approval process — a structured path for foreign manufacturers to continue operating while transitioning production to the United States.
Manufacturers may apply to the Department of War or the Department of Homeland Security for an 18-month Conditional Approval. Yes — the Department of War. The Department of Defense was renamed in the same legislative session. The symbolism is not subtle.
To receive Conditional Approval, applicants must:
Corporate structure: Full ownership chain, beneficial owners, government affiliations, subsidiary relationships. No shells. No opacity.
Supply chain and BOM: Complete bill of materials. Every component, every vendor, every subcontractor. Where each part is sourced, manufactured, assembled. The entire dependency graph.
Onshoring plan: A detailed, binding plan to move production to the United States within 18 months. Milestones, timelines, capital commitments, facility plans.
The conditional approval is not a waiver. It's a supervised transition with full transparency requirements. The government is saying: we'll let you keep selling, but only if we can see everything and you're actively moving.
TP-Link — and every other foreign router manufacturer — faces a choice: submit to total supply chain transparency and commit to onshoring, or exit the US market. There is no third option. There is no "keep doing what you're doing."
96% of Americans use the internet. The majority of their routers are manufactured in countries whose intelligence services have been caught — three separate times — living inside the firmware.
The fundamental issue is not that Chinese routers are bugged. Some are. The fundamental issue is that you cannot know whether a router is bugged if you cannot audit the supply chain that produced it.
A modern consumer router is a general-purpose computer running a real-time operating system with network access to everything in your home. It has a bootloader, a kernel, a userspace, and firmware that can be updated remotely. The firmware is typically a binary blob — compiled code with no source available for inspection.
When you run a binary you didn't compile from source you can read, you are trusting:
Each layer is an assumption. Each assumption is a dependency. Each dependency is an attack surface. The Typhoon campaigns demonstrated that state actors can compromise any of these layers and persist across updates to the layers above.
The FCC's position is that if the entire production chain is foreign, then every layer of trust is foreign. And foreign trust, in the context of state-sponsored cyber operations, is not trust at all.
There is a function that maps any system to a scalar predicting whether it will survive contact with the world:
When f ≈ 1, the system is lean. Its form is its content. When f ≫ 1, the system has committed to more structure than its information requires. It is brittle in proportion to its apparent strength.
A foreign-produced router's firmware is the canonical example of f ≫ 1. The information content of the firmware — route packets, manage DHCP, provide a web interface — is modest. The structural commitment — a complete opaque binary compiled from unknown source in an unauditable facility in a foreign jurisdiction with potential state-mandated backdoor requirements — is enormous.
The ratio of what-you-can't-see to what-you-need is the vulnerability. Every bit of unexplained structure in the binary is a bit that could be hostile. And you can't distinguish hostile structure from benign structure without access to the source.
| System | S (Structural Commitment) | I (Information Content) | f |
|---|---|---|---|
| OpenWrt on domestic hardware | Open source, auditable, reproducible builds | Route packets, manage network | ≈ 1 |
| Foreign router, open firmware | Hardware trust gap, but firmware auditable | Route packets, manage network | ~3 |
| Foreign router, binary blob firmware | Opaque binary, opaque supply chain, opaque jurisdiction | Route packets, manage network | ≫ 1 |
| US national router infrastructure (aggregate) | 96% internet penetration, majority foreign hardware | Connect Americans to the internet | ≫ 1 |
The FCC, without using this language, has performed an f(s) analysis on the national router infrastructure and concluded: the structural commitment vastly exceeds the information content. The system is over-specified with untrusted dependencies. It will be destroyed by the first perturbation it didn't enumerate in advance.
Three perturbations arrived. They were named Volt, Flax, and Salt.
In 1999, the world prepared for a systems failure that might not come. Billions were spent. Programmers audited COBOL. Governments formed task forces. The bug was real but the preparation was adequate — precisely because people took it seriously.
In 2026, we have the inverse. The bug is confirmed — three separate state-sponsored campaigns have already exploited it — and the preparation is just beginning. We know the firmware is compromised. We know the supply chain is opaque. We know 96% of Americans are connected through devices we cannot audit.
Y2K was a date arithmetic bug. You could test for it. You could patch it. The fix was deterministic: change the date handling, verify the output.
The router bug is a trust architecture bug. You cannot test for it because you don't know what to test. The firmware is a black box. The compromise might be in the bootloader, the kernel, the radio driver, the management plane. It might activate on a trigger you'll never anticipate. It might already be active.
Y2K asked: will this system break on January 1?
The router bug asks: is this system already broken and we can't tell?
The FCC's answer is: assume yes. Rebuild the supply chain. The millennium bug is real this time, and it lives in your TP-Link.
The transition from f ≫ 1 to f ≈ 1 is never smooth. It always requires a destructive pass. The FCC just initiated the destructive pass on American router infrastructure.
Chaos. TP-Link and other manufacturers scramble to file Conditional Approval applications. Router prices spike as supply contracts. Hoarding. Enterprise IT departments panic-audit their edge infrastructure. The secondary market for "pre-ban" routers will be robust and stupid.
Onshoring begins or manufacturers exit. New domestic production facilities are announced. Some will be real. Some will be Potemkin factories with foreign components and domestic final assembly — and the BOM disclosure requirement will catch them. The Conditional Approval process becomes the de facto regulatory framework for the router industry.
The US router market restructures around domestic production. Prices are higher. Selection is narrower. But the supply chain is auditable. The firmware is inspectable. The trust architecture is domestic.
Or — and this is the other possibility — the order is challenged, delayed, watered down, lobbied into irrelevance, and we get Typhoon number four. The structural commitment remains. The information content remains unknown. f ≫ 1 persists.
The FCC has bet that the destructive pass is worth the cost. History suggests they're right. But the destructive pass is destructive. That's the point.
See also: routers — vibes · routers — philosophy · f(s)