Executive Summary
On 24 March 2026, the US Federal Communications Commission formally added all foreign-manufactured consumer-grade routers to its national security Covered List, effectively banning their import and sale in the United States. The determination, driven by Executive Branch national security agencies, explicitly identifies foreign-produced routing hardware as both a supply chain vulnerability capable of disrupting critical infrastructure and a severe cybersecurity risk exploitable against US networks at scale. Whilst the regulatory action is US-specific, the underlying threat model — state-sponsored actors leveraging compromised and potentially backdoored routing hardware to conduct long-term persistent access campaigns against enterprise and critical infrastructure networks — is a global concern. This article examines the technical and strategic implications for UK and EU CISOs.
The Threat Actors Behind the Decision
The FCC's National Security Determination did not emerge in a vacuum. It reflects years of documented, active exploitation of routing hardware by state-nexus threat actors. Understanding which actors the determination is aimed at, and how they operate, is essential for enterprise security teams attempting to calibrate their own risk posture.
Volt Typhoon, a People's Republic of China (PRC) state-sponsored actor attributed by US, UK, Australian, Canadian, and New Zealand intelligence services, has been documented conducting pre-positioning operations within US critical infrastructure — including energy, water, transportation, and communications sectors — using compromised SOHO and small business routing hardware as covert relay nodes. The operational signature is characterised by extreme stealth and patience: the objective is persistent access for potential future disruption rather than immediate data exfiltration.
Flax Typhoon, a separate PRC-linked cluster, was documented operating a 260,000-device botnet — Raptor Train — predominantly comprised of compromised SOHO routers and network-attached storage devices. The botnet was used for covert proxy infrastructure, enabling attackers to conduct operations that appear to originate from benign, geographically distributed residential and business IP addresses.
Salt Typhoon represents arguably the most significant documented exploitation of routing hardware to date. The group achieved persistent access to major US telecommunications carriers by leveraging compromised, foreign-produced routers as pivot points — gaining long-term residency within carrier networks and accessing lawful intercept infrastructure. The FCC's NSD specifically called out Salt Typhoon's methodology as a primary driver for the ban.
In Salt Typhoon attacks, state-sponsored cyber threat actors leveraged compromised and foreign-produced routers to jump to embed and gain long-term access to certain networks and pivot to others depending on their target. — US National Security Determination, March 2026
The Two-Layer Risk Model: Exploitation vs. Implantation
Enterprise security teams must distinguish between two fundamentally different risk vectors when evaluating foreign-manufactured network hardware. Conflating them leads to incomplete mitigation strategies.
The first vector is post-deployment exploitation: threat actors identifying and exploiting unpatched vulnerabilities in routing firmware to achieve remote code execution, credential theft, or persistent access. This is well-understood, extensively documented, and addressable through rigorous patch management, network segmentation, and anomaly monitoring. The attacks attributed to Volt Typhoon, Flax Typhoon, and Salt Typhoon largely fall into this category — though the scale and sophistication of execution far exceed what most enterprise teams model against.
The second vector is supply chain implantation: the introduction of malicious or surveilling functionality at the point of manufacture or within the distribution chain, before the device reaches the end user. This is the harder problem. It does not manifest as a CVE. It does not trigger vulnerability scanners. It may not generate anomalous traffic signatures. The US National Security Agency has itself been documented intercepting Cisco routers in transit for firmware modification — the vector is not theoretical. For hardware manufactured in jurisdictions where state authorities can compel manufacturer cooperation without public disclosure, this risk must be part of the enterprise threat model.
UK and EU Regulatory Context
The UK government has not issued an equivalent blanket ban on foreign-made routing hardware. However, the NCSC's supply chain security guidance — in particular its principles for assessing supplier risk — explicitly addresses the need to evaluate the geopolitical and legal context in which hardware is manufactured. The NCSC has separately published advisories on Volt Typhoon and the broader PRC cyber threat to UK critical national infrastructure.
Within the EU, the Network and Information Security Directive (NIS2), which came into force in October 2024, introduces significantly tightened supply chain security requirements for operators of essential services and important entities. Article 21 of NIS2 explicitly requires organisations to implement measures addressing supply chain security, including the security of relationships between each entity and its direct suppliers and service providers. National transposition and enforcement are ongoing, but the direction of travel is clear: hardware provenance is now a compliance matter, not merely a technical consideration.
The EU Cyber Resilience Act (CRA), applicable from 2027, will further impose mandatory cybersecurity requirements on manufacturers of hardware with digital elements placed on the EU market — including transparency requirements around software bills of materials (SBOMs) and mandatory security updates throughout a product's lifecycle. CISOs procuring hardware today should be evaluating vendor readiness for CRA compliance.
CovertNetwork-1658 and the Proxy Infrastructure Problem
The FCC determination specifically highlighted CovertNetwork-1658 (also tracked as Quad7) as an example of how compromised foreign routing hardware enables evasive attack infrastructure. The botnet, attributed to Storm-0940 — a PRC-linked threat actor — has been used to conduct large-scale, highly evasive password spraying attacks against enterprise Microsoft 365 environments, VPN infrastructure, and authentication endpoints.
The operational security value to the attacker is significant: each authentication attempt appears to originate from a different legitimate business or residential IP address, defeating IP-based detection controls and rate limiting. Victim organisations see what appears to be geographically dispersed low-and-slow credential stuffing that does not trigger traditional brute-force detection thresholds. The compromised routers generating this traffic are not the target — they are the weapon. Their owners are entirely unaware of their participation.
For UK enterprise security teams, this has direct implications. Conditional Access policies that rely solely on IP reputation or geographic location as authentication signals are operating with a degraded signal. The legitimate-looking IP addresses generating authentication attempts against your identity infrastructure may be compromised hardware in UK offices, European SMEs, or domestic broadband connections — all running foreign-manufactured routing hardware with unpatched firmware.
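The detection gap described above can be shown on constructed sign-in data. This is an added example, not part of the original article and not a product feature: a conventional per-IP failure threshold never fires against a spray in which each attempt arrives from a different address, whereas a rule that aggregates failures across sources within a time window does. The log format, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): timestamp,account,src_ip,result.
# Eleven failed attempts, one per account, arriving from ten different source addresses.
SIGNIN_LOG = """\
2026-03-25T08:00:12Z,alice@example.co.uk,203.0.113.10,failure
2026-03-25T08:03:41Z,bob@example.co.uk,198.51.100.22,failure
2026-03-25T08:05:09Z,carol@example.co.uk,203.0.113.77,failure
2026-03-25T08:09:30Z,dave@example.co.uk,192.0.2.15,failure
2026-03-25T08:12:55Z,erin@example.co.uk,198.51.100.140,failure
2026-03-25T08:15:02Z,alice@example.co.uk,10.20.0.5,success
2026-03-25T08:18:47Z,frank@example.co.uk,203.0.113.201,failure
2026-03-25T08:22:19Z,grace@example.co.uk,192.0.2.88,failure
2026-03-25T08:25:33Z,heidi@example.co.uk,198.51.100.9,failure
2026-03-25T08:29:04Z,ivan@example.co.uk,203.0.113.10,failure
2026-03-25T08:33:50Z,judy@example.co.uk,192.0.2.230,failure
2026-03-25T08:36:11Z,mallory@example.co.uk,198.51.100.61,failure
2026-03-25T08:40:27Z,bob@example.co.uk,10.20.0.5,success
"""
PER_IP_THRESHOLD = 5   # classic rule: N failures from a single IP
WINDOW = timedelta(hours=1)
MIN_ACCOUNTS = 8       # distinct accounts failing inside the window
MAX_FAILS_PER_IP = 2   # "low and slow": no single IP exceeds this

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events

def per_ip_alerts(events, threshold=PER_IP_THRESHOLD):
    """Traditional brute-force rule: fires only when one IP fails repeatedly."""
    fails = Counter(ip for _, _, ip, r in events if r == "failure")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def distributed_spray_alerts(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, max_per_ip=MAX_FAILS_PER_IP):
    """Aggregate across sources: many accounts failing while every IP stays
    under max_per_ip is the signature of a residential-proxy botnet."""
    fails = sorted((t, u, ip) for t, u, ip, r in events if r == "failure")
    for i, (start, _, _) in enumerate(fails):
        win = [f for f in fails[i:] if f[0] - start <= window]
        users = {u for _, u, _ in win}
        per_ip = Counter(ip for _, _, ip in win)
        if len(users) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            return {"start": start.isoformat(), "accounts": len(users), "source_ips": len(per_ip)}
    return None
```

On this data `per_ip_alerts` returns nothing while `distributed_spray_alerts` reports eleven accounts targeted from ten addresses in 36 minutes; the same aggregation can be expressed as a scheduled query in most SIEM or identity-protection products.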
Strategic Response: A Framework for CISOs
The appropriate enterprise response to the risk landscape described above operates across four domains: asset visibility, procurement governance, detection capability, and architecture resilience.
- Asset visibility: Maintain a current, complete inventory of all network hardware — routers, firewalls, switches, wireless access points, and out-of-band management devices — including manufacturer, country of manufacture, firmware version, and end-of-support date. Many organisations discover significant gaps in this inventory when they attempt it. Without it, risk assessment is impossible.
- Procurement governance: Introduce country-of-manufacture and supply chain transparency as formal evaluation criteria in hardware procurement processes. Require vendors to provide SBOMs for network hardware. Evaluate whether the regulatory environment in which hardware is manufactured creates state-compellability risk. Prefer hardware manufactured in jurisdictions with aligned security interests and transparent legal frameworks.
- Detection capability: Deploy network traffic analysis (NTA) and DNS monitoring capable of detecting anomalous outbound connections from network hardware. Baseline normal firmware update call-home behaviour so deviations are detectable. Integrate threat intelligence feeds covering known C2 infrastructure associated with Volt Typhoon, Flax Typhoon, Salt Typhoon, and Quad7 operations.
- Architecture resilience: Implement network segmentation that limits blast radius in the event of routing hardware compromise. Enforce Zero Trust principles so that lateral movement from a compromised network device does not automatically yield access to higher-value systems. Ensure out-of-band management networks use separately sourced, trusted hardware.
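The detection-capability step above (baseline the call-home behaviour of network hardware, then alert on deviations) can be prototyped against DNS logs. This is an added example, not part of the original article or any product: it learns, per device listed in a network-hardware inventory, the domains resolved during a training window and then reports any domain a device resolves afterwards that was not in its baseline. The inventory, log format, vendor domains and dates are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory (not real data): only these clients are held to a strict
# call-home baseline; end-user hosts such as 10.0.5.20 are deliberately excluded.
NETWORK_HARDWARE = {
    "10.0.0.1": "edge-rtr-01",
    "10.0.0.2": "core-sw-01",
}

# Constructed DNS query log: date,client_ip,qname
DNS_LOG = """\
2026-03-02,10.0.0.1,fw-update.router-vendor.example
2026-03-02,10.0.0.1,ntp.router-vendor.example
2026-03-03,10.0.0.2,fw-update.switch-vendor.example
2026-03-03,10.0.0.1,ntp.router-vendor.example
2026-03-04,10.0.5.20,cdn.some-website.example
2026-03-10,10.0.0.1,ntp.router-vendor.example
2026-03-10,10.0.0.1,fw-update.router-vendor.example
2026-03-11,10.0.0.1,update-check.unrelated-host.example
2026-03-11,10.0.5.20,update-check.unrelated-host.example
2026-03-12,10.0.0.2,fw-update.switch-vendor.example
"""
BASELINE_END = date(2026, 3, 7)   # queries on or before this date train the baseline

def parse(log):
    for line in log.splitlines():
        d, ip, qname = line.split(",")
        yield date.fromisoformat(d), ip, qname.lower().rstrip(".")

def learn_baseline(events, until=BASELINE_END):
    """Per network device, the set of domains it resolved during the learning window."""
    base = defaultdict(set)
    for d, ip, q in events:
        if ip in NETWORK_HARDWARE and d <= until:
            base[ip].add(q)
    return base

def detect_deviations(events, baseline, after=BASELINE_END):
    """Network-hardware queries for domains absent from that device's own baseline."""
    seen, findings = set(), []
    for d, ip, q in events:
        if ip in NETWORK_HARDWARE and d > after and q not in baseline.get(ip, set()):
            if (ip, q) not in seen:          # report each new domain once per device
                seen.add((ip, q))
                findings.append((NETWORK_HARDWARE[ip], q, d.isoformat()))
    return findings
```

A finding is a prompt for investigation, not proof of compromise: a legitimate vendor moving its update endpoint produces the same signal, which is why the baseline should be reviewed after every firmware change recorded in the asset inventory.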
Hardware Trust and the 'Made in Britain' Consideration
The FCC ban raises a legitimate question for UK enterprise procurement: does country of manufacture matter for security hardware beyond routing devices? The answer, informed by the threat model above, is yes — particularly for devices that have privileged network positions, persistent connectivity, or access to sensitive traffic.
UK Cyber Defence's SOC in a Box is a network security monitoring appliance — not a router — but it operates at a privileged position on enterprise and mid-market networks, with visibility into network flows, DNS queries, and threat telemetry. We are transparent about its provenance: SOC in a Box is designed, manufactured, and supported in the United Kingdom, under a legal and regulatory framework that does not compel undisclosed cooperation with foreign state actors. For CISOs conducting supply chain risk assessments under NIS2 or NCSC guidance, we consider that provenance a material differentiator — and we encourage the same scrutiny to be applied to all security hardware vendors, including ourselves.
Conclusion: The Hardware Layer Is Now a Strategic Risk Domain
The FCC's decision to ban foreign-made routers is a significant regulatory milestone — but its deeper significance is what it signals about the maturation of state-sponsored cyber threat doctrine. Routing hardware has been weaponised at scale. Supply chain implantation is a credible, documented vector. And the regulatory framework across the US, UK, and EU is rapidly converging on the position that hardware provenance is a legitimate component of enterprise security governance.
CISOs who treat this as a US-specific regulatory curiosity are misreading the signal. The threat actors named in the FCC determination are not limiting their operations to American targets. The botnet infrastructure built from compromised foreign routing hardware spans the globe. And the UK businesses running those devices — including, in many cases, the routers connecting offices, branch sites, and remote workers — are part of that infrastructure whether they know it or not.
The appropriate response is not panic, but rigour: a structured review of hardware inventory, procurement governance, and detection capability that treats the physical network layer with the same security discipline already applied to cloud infrastructure, identity systems, and endpoint estate.