The Federal Communications Commission (FCC) on March 23, 2026, banned the import of all new foreign-made consumer wireless routers, adding them to its Covered List after a White House-convened interagency panel determined they pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure,” according to the FCC’s official fact sheet. The move follows the agency’s December 2025 decision to ban all foreign-made drones — a decision DroneXL covered in detail when it happened. The logic is identical. The scale is not.

For years, Congress and the FCC told us that DJI drones were the threat. Flying cameras. Consumer products used by wedding photographers, farmers, and search-and-rescue teams. Meanwhile, the router sitting between every American home and the internet — devices that Chinese state-backed hackers had already weaponized at scale — kept shipping in from overseas without restriction. Until Monday.

The Router Ban Dwarfs the Drone Ban

The FCC’s new rule adds all consumer-grade routers produced in foreign countries to its Covered List, prohibiting FCC authorization of any new models. As Bloomberg reported, virtually every major router brand — Netgear, Linksys, Asus, D-Link, TP-Link — builds its hardware overseas. No major consumer router is currently manufactured in the United States. The market disruption potential here is orders of magnitude larger than the drone ban, which at least had a small but growing domestic alternative industry to absorb some demand.

The FCC was careful to say existing, already-authorized router models can still be imported and sold. New models require either a Conditional Approval from the Department of War or the Department of Homeland Security — the same exemption pathway the agency set up for drones in December, which has so far cleared exactly four non-Chinese drone systems while leaving DJI and Autel fully blocked.

Volt Typhoon and Salt Typhoon Already Proved the Threat Was Real

The FCC cited the Volt Typhoon and Salt Typhoon hacking campaigns in its national security determination. Both are documented operations attributed to Chinese state actors. Volt Typhoon hijacked hundreds of end-of-life small office and home office routers — including Cisco and Netgear devices — and converted them into a botnet used to penetrate U.S. critical infrastructure. The FBI disrupted the operation in January 2024, but the attack vector remains active. Salt Typhoon went further, breaching major U.S. telecommunications carriers including AT&T and Verizon, where Chinese hackers reportedly stayed hidden for over 18 months while collecting metadata on tens of millions of Americans.

These were not theoretical risks. They were documented intrusions. The routers in American homes and offices were the entry points. And for all the time Washington spent debating whether a DJI Mavic could theoretically stream footage to Beijing, Chinese operatives were already inside the actual backbone of U.S. communications infrastructure — through the foreign-made boxes that nobody was talking about banning.

The Security Audit Problem Has Not Gone Away

FCC Chairman Brendan Carr welcomed the router ban, saying the agency would “continue to do our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure.” That’s the same Carr who banned all foreign drones in December without conducting the security audit that Congress specifically mandated. Section 1709 of the Fiscal Year 2025 National Defense Authorization Act required a U.S. national security agency to complete an evidence-based review of DJI before any ban could take effect. No agency did it. The Executive Branch issued a national security determination one day before the December 23 deadline instead, skipping the evidentiary process entirely — as we reported at the time.

There is no indication the router ban followed a different process. The same White House-convened interagency panel that triggered the drone ban has now triggered the router ban. Companies can apply for Conditional Approval — just as drone manufacturers can — but the bar for Chinese-origin products appears functionally insurmountable, given that every drone exemption granted so far has gone to non-Chinese manufacturers. TP-Link, one of the world’s largest router makers and a company that was spun out of a Chinese parent firm, already faces a lawsuit from the Texas Attorney General over data security allegations. Conditional Approval for TP-Link looks unlikely.

Security Theater Has a Manufacturing Policy Agenda Inside It

The Conditional Approval pathway requires companies to commit to establishing or expanding U.S. manufacturing for the products they want to bring to market. That is not a security requirement. That is an industrial policy requirement dressed in security language. The same structure exists in the drone ban exemption framework. The four drone systems that received exemptions so far — the SiFly Aviation Q12, Mobilicom SkyHopper Series, ScoutDI Scout 137, and Verge X1 — are all non-Chinese products. As we noted in our March 2026 analysis, every exemption granted since December has gone to a non-Chinese manufacturer.

The Liliputing tech blog put it bluntly: “If it was about security, they could force all old and new routers and other networking gear to renew the FCC certification every year. To prove that the software is updated and secure. But forbidding everything made outside of the USA, is only to force manufacturing to move to the USA.” That’s a fair read. A genuine security-focused policy would require software audits and mandatory patching attestation for every device on U.S. networks, regardless of country of origin. This policy doesn’t do that. It bans new imports while leaving millions of existing foreign-made devices in place — devices that are, by the FCC’s own logic, severe cybersecurity risks.

Drones, Routers — Your Doorbell Camera Is Probably Next

The Covered List didn’t start with drones, and it didn’t stop with routers. In 2022, the FCC banned new authorizations for security cameras and video surveillance equipment from Chinese manufacturers Hikvision and Dahua — two companies that together supply a significant share of the world’s security camera market. That ban applied to the same forward-only logic: existing cameras stayed in place, new models were blocked. Sound familiar?

Follow the architecture and the next targets write themselves. The FCC’s Covered List covers communications equipment. Most consumer electronics sold in the United States today have radios in them. A Ring doorbell connects to your Wi-Fi. A foreign-made smart TV has a wireless chip. The laser scanner at your local port has network connectivity. Your office printer has a radio and a hard drive. Every one of those devices, by the FCC’s own stated logic, is a potential vector for exactly the threats the agency cited to ban drones and routers.

The FCC’s December 2025 rulemaking explicitly sought comment on “modular transmitters and component parts in relation to covered equipment” — meaning the agency is already thinking about how to push bans down to the chip and component level. That matters because almost every connected device in an American home contains a wireless module made or designed overseas. A blanket component-level ban would not just hit routers and drones. It would hit smartphones, tablets, smart speakers, connected appliances, medical devices, and industrial equipment. The regulatory framework is already built. All that’s missing is the next White House interagency determination.

Laptops are a case study in how long the government can look the other way. Lenovo, the world’s largest PC maker, is majority-owned through Legend Holdings by the Chinese Academy of Sciences — a state-backed institution with documented links to Chinese military and intelligence programs. The U.S. State Department banned Lenovo computers from its classified networks in 2006 after Five Eyes intelligence agencies discovered backdoor vulnerabilities in their hardware and firmware. The U.S. Marine Corps in Iraq found Lenovo products transmitting data to unknown recipients in China in 2008. The Navy replaced $378 million worth of IBM servers after Lenovo acquired that division. The DoD Inspector General flagged Lenovo laptops as “known cybersecurity risks” in a 2019 audit. Despite all of that, Lenovo remains one of the top-selling PC brands in the United States, still sells through government channels, and has never received a blanket import ban equivalent to what just hit routers or drones. If the FCC’s Covered List logic is applied consistently, that’s the next conversation.

Container cranes at U.S. ports — many built by Chinese state-owned manufacturer ZPMC — were already flagged by Congress in 2023 as potential espionage platforms. In 2024, the U.S. Navy found cellular modems on ZPMC cranes at American commercial ports that had no documented operational purpose. That story never generated the public outrage the DJI drone ban did, despite being a far more direct infrastructure threat. The pattern is consistent: the thing that gets photographed easily becomes the political target. The thing actually doing the damage keeps humming along until Washington gets around to it.

Why Did We Start With DJI?

Of all the Chinese-made technology embedded in American life — routers, laptops, security cameras, port cranes, printers — Washington chose to start with the camera drone hovering at 400 feet over a suburban park. There are three real reasons for that, and none of them is primarily about security.

First, drones are visible. A Lenovo laptop or a TP-Link router sits quietly on a desk. A DJI Mavic is in the sky, filming. It produces images. It feels like surveillance in a way that a blinking router light does not. That optics gap made drones politically actionable in a way that other Chinese hardware simply wasn’t.

Second, there was an American industry to protect. Skydio, Brinc Drones, Zipline, and a handful of other U.S. drone companies exist and lobby. There is no comparable domestic router industry to champion. American drone manufacturers had every incentive to fund the narrative that DJI was dangerous — and several did, directly or through trade associations — because the business case for banning the competition was obvious. As we noted in November 2025, the anti-DJI campaign’s real motivation became increasingly clear over time: American drone manufacturers could not compete with DJI’s technology or pricing, so they pursued legislation instead of innovation.

Third, the Army gave regulators an early hook. In August 2017, the U.S. Army issued an internal ban on DJI products citing “cyber vulnerabilities.” No specific breach was documented. No evidence of actual data exfiltration was ever made public. The Navy’s own May 2017 memo, later released through a FOIA request, identified the theoretical concern that a drone’s data link could be intercepted — the same vulnerability that exists in any wireless device, including the router on your desk. But the Army memo gave lawmakers a citation to build on, and the DJI narrative hardened into policy over the next eight years through a series of escalating restrictions: the 2019 Pentagon procurement ban, the 2020 Commerce Entity List designation, the 2022 DoD Chinese military company listing, and finally the December 2025 FCC Covered List action. Each step made the next step easier. None required producing the evidence that Congress had specifically mandated.

The Lenovo story shows what happens when a Chinese tech product doesn’t have those three ingredients. Lenovo had documented hardware backdoors, a U.S. Marine Corps data transmission incident, a $378 million Navy server replacement, and a DoD Inspector General “known cybersecurity risk” designation — and still sells laptops to government agencies today. No ban. No Covered List entry. No congressional deadline. Because Lenovo laptops don’t fly, there’s no domestic PC champion running ads in Washington, and the 2006 State Department restriction stayed buried in procurement footnotes rather than cable news chyrons.

DroneXL’s Take

I’ve been covering the DJI ban since since 2017, and one thing has been consistent throughout: the security justification has never matched the enforcement pattern. A DJI Mini 4 Pro flying at 400 feet filming a cornfield was treated as a national security emergency requiring congressional legislation, executive branch determinations, and FCC Covered List action. The router sitting 18 inches from your TV — the one Volt Typhoon and Salt Typhoon actually used to burrow into critical U.S. infrastructure — kept shipping in unchallenged for years after those breaches were publicly documented. The Lenovo laptop on the Senator’s desk that was flagged by the DoD Inspector General as a known cybersecurity risk in 2019 is probably still on that desk.

The drone ban was always as much about protecting nascent American drone manufacturers as it was about security. The router ban makes that industrial policy subtext impossible to ignore. Both bans use the same legal architecture, the same Covered List mechanism, the same Conditional Approval carve-out requiring domestic manufacturing commitments. The security framing is the wrapper. Onshoring manufacturing is the contents.

That doesn’t mean the security concerns are fabricated. Volt Typhoon and Salt Typhoon were real operations causing real damage. Foreign-made routers were genuine vectors. But if national security were truly the driver, we’d have mandatory annual software audits for every device on U.S. networks, not a forward-only import ban that leaves the existing installed base untouched. By the end of 2026, the router industry will mirror the drone industry: a small set of conditionally approved, largely non-Chinese products, a growing gray market in grandfathered models, and a domestic manufacturing pipeline that is nowhere near ready to fill the gap. And if the FCC’s own regulatory momentum holds, the doorbell camera on your front porch may well be the next item on the agenda.

DroneXL uses automated tools to support research and source retrieval. All reporting and editorial perspectives are by Haye Kesteloo.