Congress Wants to Secure Every American Router and Modem — Can it Be Done?

Why Trust Techopedia
KEY TAKEAWAYS

  • The ROUTERS Act aims to evaluate security risks posed by consumer routers, modems, and IoT devices.
  • The assessment will focus on devices from countries considered national security threats.
  • Supporters advocate for a "rip and replace" approach, removing foreign-made devices from the U.S. market.
  • Implementing the act is challenging due to the vast number of devices and complex supply chains.
  • Experts disagree on the feasibility of conducting a comprehensive study within a year.

Congress is back at it again, taking on a technology issue that affects national security. This time it’s routers, modems, and Internet of Things devices on the agenda.

The ROUTERS Act proposes conducting an exhaustive nationwide study on the integrity, security, and vulnerability of devices and networks that connect Americans, industries, and local governments.

However, inventorying and assessing modems, routers, networks, IoT, and related connectivity hardware and software is monumental. And Congress wants it done in just one year.

So, can it be done? Techopedia talks to experts to answer the big question.

Fast-Tracked ROUTERS Act Gets Bipartisan Support

For the past month, Congress has been working on a law, the ROUTERS Act  — Removing Our Unsecure Technologies to Ensure Reliability and Security Act.

On September 9, about one month after Representative Robert E. Latta introduced the bill for the first time in the House, the Act was fast-tracked and received unanimous bipartisan support from members of the House. The act and its bipartisan support are symbols of the tense state of geopolitical conflicts and the increased weaponization of technology, as we have seen in Lebanon this week.

The ROUTERS Act, if approved by the Senate, instructs the Secretary of Commerce, acting through the Assistant Secretary of Commerce for Communications and Information, to conduct a “study of the national security risks posed by consumer routers, modems, and devices that combine a modem and routers, designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the influence of a ‘covered’ country.

By ‘covered country’ — as per section 4872(d)(2) of title 10 of the United States Code — the U.S. Congress refers specifically to; the Democratic People’s Republic of North Korea, the People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran.

As mentioned, the ROUTERS Act faces a big enforcement challenge. Modems, routers, and network connectivity devices in America are not only counted in the hundreds of millions but tracking manufacturers, imports, and supply chains for foreign components is daunting.

Even top U.S. routers and modern manufacturers often import components from a covered country or an organization linked to it. Additionally, government information on imports and experts and data on the entire supply chain of modems and routers is unlikely to exist in full.

So, Can it be Done? Is the ROUTERS Act Feasible?

Techopedia spoke with John Terrill, CSO at the IoT firm Phosphorus, a company currently working in the U.S. government critical infrastructure industry, to know if the act is feasible.

“I suspect the review process will resemble something similar to the recent select committee on the CCP’s maritime industry report.

“They’ll engage a lot of different agencies, vendors, etc., to get a lay of the land. The difference is they’ll find that the consumer landscape for vendors-devices is far greater and much more chaotic than a commercial entity like suppliers of a shipping port.”

Organizations like the Foundation for American Innovation, Digital First Project, Consumer Choice Center, the Heritage Foundation, and others have already expressed their support for the ROUTERS Act.

In a letter to Congress, the mentioned organizations encouraged the government to investigate national IT infrastructure and called for a “rip and replace” of any hardware manufactured by a company controlled by a foreign adversary nation.

We asked Terrill from Phosphorus how exactly could a detailed examination of American routers and modems be done and whether automation could play a big part in this assessment.

He said:

“To an extent. This falls into the field of vulnerability research for external entities, auditors, consultancies, and product-application security for the router vendors.”

“Some of the vendors may proactively attempt to identify vulnerabilities, and many of them will release updated firmware when those vulnerabilities are reported,” Terrill said.

However, not everyone thinks the ROUTERS Act is feasible. Tom Marsland, VP of Technology for Cloud Range, a company that provides full-service, customizable cyberattack simulation training solutions, spoke about the Act with Techopedia.

“This (the ROUTERS Act) isn’t feasible at all. A study could be completed on the effects a vulnerable router could have on national security, but this won’t be a study of the various routers out there — that’s not a task that can be achieved in one year.”

Marsland said that the implications of routers and modems with backdoors and vulnerabilities are significant. For example, Distributed Denial of Service (DDoS) attacks, which Marsland explains affect the ‘Availability’ leg of the CIA Triad, are a national security problem as they impact our ability to communicate and process data.

Routers and Modem Threats Escalate

The ROUTERS Act has been driven by increased cyberattacks and cyberespionage campaigns against the U.S. from Russia, China, Iran, and others. However, in the aftermath of the attacks against Hezbollah, which leveraged wireless devices, the Act now faces greater challenges and broader threats.

Destructive events targeting routers are not that uncommon. In May, 2024,

600,000 American routers were completely destroyed and taken offline. Terrill spoke about this event, dubbed ‘Pumpkin Eclipse‘ by Lumen Technologies. Terrill spoke about Pumpkin Eclipse.

“There’s a lot we don’t know about this particular attack as the malware involved isn’t traditionally used for destructive purposes like this, and the researchers couldn’t pinpoint the initial point of infection.”

Hardware and Firmware Level Threats and Risks

There are several historical examples of tech products that were built with hardware-level integrated malware, software-level firmware malware, and even backdoors to spy on populations. NSA’s backdoor in encryption hardware, the Huawei and ZTE equipment scandal, and Soviet-Era trojan-integrated hardware are just a few examples of this trend.

Terrill from Phosphorus said that routers are so ubiquitous that they can end up anywhere and sit at a critical point to broker traffic between the public Internet and local networks.

“Being able to compromise them can give attackers a route into networks, bypassing firewalls and NAT,” Terril said.

“Any backdoor and that includes deliberately included vulnerabilities, would give attackers broad access to a lot of networks.”

Terril said that while recent hardware-level threats are supporting evidence of the problem, they are not the most likely source of intelligence that motivated members of Congress to support the ROUTERS Act.

The most likely source was an intelligence briefing to members of Congress that talked about ‘Camaro Dragon’ — a Chinese state-sponsored hacking group that was targeting E.U. officials.”

During this attack, threat actors compromised TP-Link routers, the largest supplier of routers from China, along with a series of vulnerabilities in 2024 TP-Link routers.

“I’m sure a member of Congress looked on a wall, saw one of these routers, and had the realization this was now a problem.”

Terrill said that attacks against routers date back to 2020 when a BlackHat talk labeled “How to hack a million routers” put the issue front and center.

“It’s just become more and more pervasive over time as the number of devices has exploded and the level of security — whether intentional or not — has not meaningfully improved,” Terrill told Techopedia.

The Bottom Line: The Great Firewall

The support of the ROUTERS Act in the U.S. Congress is a call for the government to respond to the current state of geopolitical affairs and the use of technology in cyberwarfare and hybrid wars.

As modern cyber threats are being redefined, cyber espionage reaches all-time highs, disinformation, and nation-state-supported sabotage and cybercriminal attacks go unchecked, new laws are being put forward to protect citizens and preserve national security against technological threats.

The problem is that to ensure that technology is safe, strict scrutiny, controls, and actions will demand costly resources.

More concerningly, the approach requires a somewhat isolationist concept. Similar to “The Great Firewall of China”, but at the hardware and software level, isolation policies always come with their own risks and impact free markets, innovation, and communities.

Related Terms

Related Article