
A cybersecurity note for CMCs

On Monday this week, March 23, the US Federal Communications Commission issued a press release (DOC-420034A1.pdf) stating that it had updated its Covered List to include consumer-grade routers produced in foreign countries. This action effectively bans the import and sale of such devices in the United States. Routers are the networking devices in homes (and your home office) that connect computers, phones, and smart devices to the internet.

By the way, drones are being affected because they are wireless devices and thus also fall under the FCC’s regulatory mandate.

This is relevant to CMCs because…

It is unlikely, but if you were to suffer some sort of cybersecurity issue while using networking equipment banned by the United States government for being insecure, who knows what the consequences might be. 

This could conceivably happen.

While Internet service providers typically provide a router with their service, consultants working from a small office/home office (SOHO) sometimes add or substitute their own router for various reasons, such as improving a Wi-Fi dead zone.

Many SOHOs use consumer rather than business-grade networking products. This is because consumer products offer an appealing combination of simplicity, wide availability in retail outlets, adequate basic functionality, and low price points. 

So, if you were thinking of upgrading your Internet infrastructure, this is a factor to consider.

Why did the FCC do this? 

The press release states that:  

‘This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers “pose unacceptable risks to the national security of the United States or the safety and security of United States persons.” The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense”, and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”’

Several Chinese communication equipment manufacturers and service providers have had their products and services banned by the US government for years. The reasons range from poor cybersecurity functionality to the inclusion of back doors. 

I would like to note that we should not assume this is always due to malicious intent. Manufacturers offering a global product have to comply with national Internet and cybersecurity regulations everywhere their products will be sold. For example, it could be the case that some networking products are required to include a facility for access by justice or national security personnel. In some markets this might be understood; in others, it might be perceived as enabling espionage. 

In theory, there is a loophole in this ban. Foreign manufacturers can apply for approval of their equipment and communication service providers, and you can see who has been approved here: List of Equipment and Services Covered By Section 2 of The Secure Networks Act | Federal Communications Commission

I checked just minutes ago, and as of today, no foreign manufacturers of consumer routers are currently shown as having conditional approvals.

So what does this all mean to you, and what should you do?

First, keep calm and carry on. 

Canadian regulatory agencies have not enacted any such ban. Could there possibly be some applicability for consultants working with government agencies that collaborate with their US counterparts?

I’m not a lawyer, but if you use the router provided by your service provider, it is hard to imagine that you could have any liability. Your service provider selected and provided your premises equipment, implying that it is fit for purpose.

But if you decide to use your own networking equipment, and ignore a widely-publicised warning from the world’s largest telecommunications regulator, then maybe there could be some risk. 

The other unknown is whether insurance carriers will decide this is a reason not to honour a cybersecurity-related claim.

Expect prices of SOHO networking gear to go up

Most popular router brands, such as market leaders Asus, Netgear, and TP-Link, are affected. Remember that foreign means “non-US”, not just Chinese. In the short term, I expect the inventory of US-made routers will be limited, so their prices will go up.

Approved devices will also be inherently more valuable. And there could be costs involved for manufacturers to obtain a conditional approval. These costs will likely be passed on to buyers. 

Nobody (probably) is targeting you

Maintaining the confidentiality of client information is essential for CMCs, but the FCC is more worried about the potential of massive cyber attacks from thousands or millions of consumer routers. In this scenario, routers would be accessed by foreign agents and reprogrammed with malware that uses your Internet connection to mount attacks on the government, power grid, communication networks, and other public infrastructure.

What can you do today to improve your cyber-resilience?

Most experts recommend a few simple -- and free -- cybersecurity measures. You should do these regardless of what router you have.

Number one is to change your Wi-Fi and network passwords. In order to make consumer-grade products easy to install, manufacturers use ridiculously simple administrative IDs and passwords, or even none at all. You would be surprised how many routers you can log into using IT credentials like “admin”, “guest”, and the manufacturer’s name. Change these from the defaults. Even better, change them on a regular basis.

The next thing you can do is to upgrade your router’s firmware, since routers can need software upgrades just like your PC does, sometimes to patch security vulnerabilities. Manufacturers cover how to do this in the product documentation. You can often find this information on the Internet with a quick search for your router’s brand, model number and the words “firmware upgrade”. It usually is not that hard to update the firmware, but if you are uncomfortable with it, get help from a colleague or somebody like the Geek Squad. 

The third free thing you can do is to reboot your router from time to time. If it has been infected and is running malicious software in memory, a reboot might be enough to clear it out. Just unplug your router for a minute or two, and then plug it back in. Everything should reconnect just fine.

Your final option, and the one that costs money, is to upgrade to a business-class router with enhanced security features. Networking products intended for the small business market aren’t that much more expensive, and a good computer store could help you select appropriate products that are reasonably priced. However, business-class products are much more flexible and usually require more configuration when being installed. This means you will need to 1) have some IT expertise to install business-class networking products, or 2) have access to someone with IT expertise who can help, or 3) be willing to learn about networking technology.

Where to get more information

If you wish to monitor the situation, there is already quite a bit of press coverage about the FCC’s decision to ban foreign-made consumer routers. 

Here is what PC World has to say: “The FCC's router crackdown clouds the future of home Wi-Fi”.


Greg Graham, FCMC, ASMEC, MBA, B.Eng, is a sole practitioner with a background in ICT. After working out of a home office for the past quarter-century, he is very familiar with the IT challenges faced by independent consultants and other professionals who work from home. His home-office IT infrastructure was state of the art when installed, with CAT6 cabling, a Cisco-powered local area network, Gigabit Ethernet switches, a security router, a stand-alone wireless access point located for optimal signal coverage throughout his two-storey house, network-attached storage for automated backups, and a Nortel phone system with voicemail and a fax server. Ten years on, this infrastructure needs to be refreshed, and Greg has been investigating current SOHO technology trends.


“The opinions expressed in this article are those of the author and are provided for discussion and informational purposes only. They do not represent the official views or positions of CMC-Canada.”