On the question of who profits when a federal agency bans nearly every router in America.
On the morning of March 24, 2026 — one day after the Federal Communications Commission added all foreign-manufactured consumer routers to its national security blacklist — Netgear's stock price jumped twelve percent. The company's shares had been drifting sideways for months, unremarkable in a market besotted with artificial intelligence. But overnight, the regulatory landscape beneath the entire American networking-equipment industry had shifted, and the market, which is nothing if not a ruthlessly efficient interpreter of who wins and who loses, rendered its verdict instantly. Stifel analyst Tore Svanberg issued a note calling Netgear "well positioned" to navigate the change. Raymond James described the development as "incrementally positive." Asian router manufacturers' share prices fell. The redistribution was clean, fast, and legible to anyone watching.
What the market understood, and what the FCC's press release labored to obscure, was that a policy framed entirely in the language of national security had produced a set of economic outcomes so precisely targeted that they could have been drawn up by a lobbyist. The ban affected virtually every consumer router on the American market — roughly ninety-eight percent of devices are manufactured abroad — while exempting a vanishingly small number of companies whose fortunes happen to be intertwined with the political network surrounding the current administration. The question was not whether the ban had economic winners. The question was whether creating those winners was incidental to the policy, or the point of it.
The man at the center of this particular regulatory event is Brendan Carr, whom Donald Trump designated as FCC Chairman on November 17, 2024, and who assumed the role on Inauguration Day. Carr is forty-seven years old, Washington-born, a career telecom lawyer who spent years as a mid-ranking FCC official before Trump elevated him. He has the affect of a mid-level bank manager — soft-spoken, amiable, careful with his syntax — and the instincts of a ward boss. Before the router ban, Carr had already established a pattern of using the FCC's regulatory authority in ways that his predecessors, of both parties, would have considered unthinkable.
When Skydance Media sought FCC approval to acquire Paramount Global in a deal valued at eight billion dollars, Carr made it clear — in a Bloomberg interview, on the record — that he would block any merger involving companies that maintained diversity, equity, and inclusion programs. Skydance's general counsel sent the FCC a letter confirming the elimination of all DEI initiatives at Paramount, the removal of DEI language from internal and external communications, and the installation of a CBS News ombudsman to police "viewpoint diversity." Paramount had already paid President Trump a sixteen-million-dollar settlement over a "60 Minutes" interview with Kamala Harris that the administration considered unfavorable. The FCC approved the merger in a two-to-one vote. Senator Adam Schiff demanded information on the sequence of events, writing that the approval's conditions "suggest an active effort by the FCC to shape the company's future programming content in alignment with President Trump's criticism of Paramount." The Freedom of the Press Foundation filed an ethics complaint against Carr with the District of Columbia Bar.
This was not an isolated episode. When ABC aired comments by Jimmy Kimmel that angered conservatives, Carr threatened the network's broadcast licenses and told an interviewer, "We can do this the easy way or the hard way." ABC's parent company, Disney, pulled the show off the air for several days. When Trump attacked media coverage of the U.S. conflict with Iran, Carr posted on social media that broadcasters running "hoaxes and news distortions — also known as the fake news" should "correct course before their license renewals come up." He expanded the FCC's "equal time" doctrine to cover morning shows and late-night programs, threatening action if networks interviewed too many Democrats. He publicly attacked CNN — a cable network over which the FCC has no regulatory jurisdiction whatsoever — demanding "accountability" for its Iran reporting. Even Senator Ron Johnson, a reliable Republican ally, said he did not "like the heavy-handed government, no matter who is wielding it." Marjorie Taylor Greene, not exactly a progressive civil libertarian, warned that the precedent could be turned against conservative media under a future administration.
A coalition of more than eighty First Amendment scholars, civil-society groups, and litigators sent Carr a letter accusing him of "unlawful jawboning" — the use of regulatory threats to coerce private actors into making decisions the government cannot legally compel. The letter noted that the Communications Act explicitly denies the FCC any "power of censorship" or authority to "interfere with the right of free speech." Carr, who in 2021 had issued a press release declaring that "a newsroom's decision about what stories to cover and how to frame them should be beyond the reach of any government official," did not appear troubled by the contradiction.
It is within this institutional context — an FCC that has spent the preceding fifteen months openly using its regulatory power as an instrument of political leverage — that the router ban should be understood.
The FCC's action, issued on March 23, 2026, added all "consumer-grade routers produced in a foreign country" to the agency's Covered List. The Covered List is the FCC's national-security blacklist: equipment placed on it cannot receive new FCC equipment authorizations, which means it cannot be imported, marketed, or sold in the United States. The ban applied to new models only. Existing devices — already purchased, already on shelves, already authorized — were grandfathered. Firmware updates for grandfathered equipment would be permitted until March 1, 2027.
The policy was based on a determination by a White House-convened interagency body that foreign-produced routers posed "unacceptable risks to the national security of the United States." The determination cited the Volt Typhoon, Flax Typhoon, and Salt Typhoon cyberattack campaigns — real, documented Chinese state-sponsored operations that had exploited consumer routers to penetrate critical American infrastructure. The security concerns were genuine. What was not genuine — or at least not self-evident — was the claim that a blanket geographic manufacturing ban was the appropriate response.
The cybersecurity community noticed this almost immediately. Jason Soroko, a senior fellow at the cybersecurity firm Sectigo, observed that the directive fixated on where a router's silicon originated rather than how the device was maintained, confusing supply-chain provenance with the far more prevalent problem of administrative neglect. Jake Williams, a former NSA hacker, made the point more directly: you can build a secure router anywhere on earth if you enforce the right standards, and you can build an insecure one in Tulsa just as easily as in Shenzhen. Matt Wyckhouse, the CEO of Finite State, noted that the FCC had effectively banned all new routers, because no domestic manufacturer currently exists that could clear the bar.
This last observation bears emphasis. There is, at present, essentially no American consumer-router manufacturing industry. The routers Americans buy at Best Buy and Amazon and Walmart — Netgear, ASUS, TP-Link, Linksys, Google Nest, Eero — are all manufactured overseas, predominantly in China, Vietnam, and Taiwan. Even Netgear, the American-headquartered company that would become the ban's most immediate beneficiary, manufactures its hardware abroad. The only router maker inherently exempt from the ban — the only company whose products require no conditional approval, no DHS review, no bureaucratic process of any kind — is Starlink, which assembles its satellite routers in Texas.
The Starlink exemption is where the policy's geometry becomes most interesting. Starlink is a subsidiary of SpaceX, which is controlled by Elon Musk, who is, by any reasonable assessment, the single most politically influential private citizen in the current administration's orbit. According to the New York Times, Musk privately expressed support for Carr's appointment as FCC chairman. Carr, for his part, has been a consistent and vocal champion of Musk's business interests throughout his career at the FCC.
When the Biden-era FCC revoked Starlink's $885 million rural broadband subsidy in 2022, Carr issued an extraordinary dissent accusing the agency of participating in a "growing list of administrative agencies that are taking action against Elon Musk's businesses." He characterized the revocation as part of an "unprecedented campaign of regulatory harassment" that had begun when President Biden remarked that Musk's activities were "worthy of being looked at." Carr defended SpaceX's interests repeatedly and publicly, to the point where Techdirt described him as behaving "like a dodgy used car salesman" for Starlink after he urged European allies to adopt the service, warning that the only alternative was "the CCP's version."
As chairman, Carr has awarded SpaceX federal radio spectrum and launched an investigation into EchoStar over 5G deployment requirements — an investigation that some observers interpreted as a mechanism to pressure EchoStar into yielding satellite spectrum to SpaceX. When Amazon filed a petition urging the FCC to reject SpaceX's application to launch up to one million low-Earth-orbit satellites, Carr publicly attacked Amazon, telling the company it "should focus on the fact that it will fall roughly 1,000 satellites short of meeting its upcoming deployment milestone." The FCC chairman was, in effect, acting as SpaceX's advocate against a competitor in a proceeding over which the FCC has adjudicatory authority.
None of this proves that the router ban was designed to benefit Starlink. Starlink's routers are, after all, satellite devices serving a different market segment than the typical home Wi-Fi router. But the structural advantage is real. Starlink is now the only consumer networking-equipment manufacturer in America that faces zero regulatory friction. Every competitor must navigate a conditional-approval process administered by the Department of Homeland Security — an agency with no institutional experience in consumer-electronics certification and no established framework for evaluating the security of networking hardware. The process is neither free nor fast. For companies operating at the margins of the American market, the cost and delay may prove prohibitive.
As of late April 2026, exactly three entities had cleared the process: Starlink (exempt by manufacture), Netgear (conditional approval granted April 15, expiring October 1, 2027), and Adtran, a small enterprise-focused firm. Eero, owned by Amazon, received approval on April 22. Everyone else — ASUS, TP-Link, Ubiquiti, Linksys, Google Nest, and the entire rest of the consumer-networking market — remained in limbo. The companies that had secured approval shared a common characteristic: they were either American-headquartered, politically well-connected, or both.
The conventional defense of the ban is that it addresses a genuine national-security threat, and this is true as far as it goes. The Typhoon campaigns were real. The exploitation of consumer routers as staging infrastructure for espionage and potential infrastructure disruption is documented and ongoing. But the particular instrument the FCC chose — a blanket geographic prohibition rather than enforceable security standards — is so poorly fitted to the stated problem that the mismatch invites structural suspicion.
Consider the evidence from the government's own investigations. The KV Botnet, which Volt Typhoon used as its primary obfuscation layer, was composed predominantly of end-of-life Cisco and Netgear devices — American-headquartered brands — that had stopped receiving security patches. The Department of Justice said as much in the court documents authorizing the FBI's takedown of the botnet. The routers were not compromised because they were manufactured in China. They were compromised because they were old, unpatched, and running default credentials.
The April 2026 FBI/NSA/CISA joint advisory on the Russian GRU's FrostArmada campaign — which documented APT28 exploiting TP-Link and MikroTik routers for DNS hijacking — identified the attack vector as a known software vulnerability (CVE-2023-50224) in devices running unpatched firmware with default passwords and exposed management interfaces. The country of manufacture appeared nowhere in the advisory's threat analysis. The remediation guidance was entirely operational: update firmware, change default credentials, disable remote management. The NCSC's companion advisory said the same thing.
Check Point Research's 2023 analysis of the Horse Shell implant — custom malware deployed by the Chinese APT group Camaro Dragon on TP-Link routers — explicitly stated that the implant's components were "firmware-agnostic" and "not specific to any particular product or vendor." The researchers assessed that initial access was likely achieved through known vulnerabilities or default passwords. The research lead told TechTarget that TP-Link's security posture was not specifically or particularly poor.
The pattern is consistent across every documented campaign. The attack surface is operational: default credentials, unpatched firmware, exposed management interfaces, and end-of-life devices. The country of manufacture is incidental. The FCC's geographic ban addresses none of these factors. A router built in Houston with the default password "admin" and its management port open to the internet would be fully compliant. A TP-Link router built in Vietnam with unique credentials, WPA3 encryption, and automatic security updates would be banned.
The European Union, confronting the same threat landscape, chose a standards-based approach. The Cyber Resilience Act, which entered into force in December 2024, requires all connected devices sold in Europe — regardless of origin — to meet mandatory cybersecurity baselines: unique default credentials, mandatory vulnerability disclosure, automatic security updates, software-bill-of-materials transparency. The EU's approach regulates security outcomes. The FCC's approach regulates geography. One of these addresses the actual mechanisms of router compromise. The other creates a protected market.
There is a term in regulatory economics for what happens when a government agency creates artificial barriers to market entry that benefit a small number of incumbents at the expense of consumers and competitors: regulatory capture. The concept, developed by the economist George Stigler in the nineteen-seventies, describes a dynamic in which regulated industries come to exert disproportionate influence over the agencies that regulate them, shaping policy to serve private interests rather than the public good. The classic markers are present here: a policy that reduces competition, raises consumer prices, and delivers concentrated benefits to a small group of firms with political access.
The router ban does not require anyone to hold stock in a domestic networking startup for the capture dynamic to operate. The mechanism is more subtle and more durable than personal financial interest. What the ban creates is structural advantage — a regulatory moat around any company that can navigate the approval process or that happens, by geographic accident or strategic foresight, to manufacture on American soil. The companies that clear the process first gain market share. The companies that clear it last, or never, lose it. The process itself — administered by DHS, an agency that has never done anything like this before — is opaque, discretionary, and ripe for the kind of informal influence that Washington has perfected over two centuries of practice.
Bryan Reimer, a research scientist at MIT's Center for Transportation and Logistics, offered a concise summary of the distributional consequences: American households will pay more for routers while consumers abroad benefit from lower-cost global supply chains and faster technology cycles. Security concerns may drive policy, but consumers bear the economic cost. Greg Guice, a former FCC regulatory attorney now at the Vernonburg Group, noted that the scope of the policy was unusual compared to past FCC actions, which had typically targeted specific companies rather than broad product categories.
The market, meanwhile, continues to speak clearly. Netgear's stock has held its gains. TP-Link, which reportedly held between twelve and sixty-five percent of the U.S. consumer-router market depending on whose numbers you trust, faces an existential regulatory challenge. ASUS, Ubiquiti, and Linksys wait. Starlink faces nothing. The conditional-approval process grinds forward at whatever pace DHS sees fit to operate, which is to say slowly, because DHS is simultaneously managing immigration enforcement, cybersecurity operations, border security, and a dozen other mandates, and consumer-router certification is not, one imagines, at the top of the priority list.
What makes the router ban distinctive is not that it serves economic interests — most regulatory actions do, intentionally or otherwise — but that it does so while wearing the particular costume of national-security urgency. The national-security framing insulates the policy from the ordinary mechanisms of democratic accountability. It is difficult to argue against "keeping Americans safe from cyber espionage" without sounding naive or, worse, unpatriotic. The framing also provides cover for an agency whose chairman has spent the preceding year demonstrating, in the most public possible fashion, that he views regulatory authority as a tool of political leverage.
Carr's track record is the variable that transforms the router ban from a debatable policy judgment into something that demands skepticism. An agency that threatens broadcast licenses to punish unfavorable news coverage, that conditions merger approval on the elimination of diversity programs and the installation of political commissars at news networks, that publicly advocates for the business interests of a single company whose founder is among the most politically connected figures in the administration — such an agency has forfeited the presumption of good faith. Every action it takes exists under the shadow of the actions it has already taken. The router ban may be, in its conception, a sincere if crude attempt to address a real cybersecurity problem. But it arrives from an institution that has demonstrated, repeatedly and on the record, that sincerity is not its governing principle.
The beneficiaries of the ban are a small, identifiable group. Starlink, exempt by manufacture. Netgear, approved within three weeks. Adtran, a niche enterprise player. Eero, approved after a month. The losers are a much larger group: every consumer who will pay more for less choice, every manufacturer locked in regulatory purgatory, and every American whose router will stop receiving security patches after March 2027 because the FCC decided that the best way to protect the country from cyber threats was to ensure that millions of devices become permanently unpatched.
Whether the people who designed this policy are personally invested in the companies it advantages is, in some respects, the wrong question. The more important question is whether the policy's structure — its particular combination of broad prohibition and narrow exemption, its geographic framing that avoids actual security standards, its timeline that creates artificial scarcity, its approval process that rewards political access — could have been designed to produce these outcomes if someone had wanted to. The answer, on the evidence, is that it could not have been designed more precisely if a team of consultants had been hired to optimize the result.
In Washington, the most sophisticated forms of corruption do not involve stock tips or brown envelopes. They involve the patient construction of regulatory frameworks that create value for the right people without anyone ever needing to make an explicit request. The framework does the work. The beneficiaries emerge, as if by natural selection, from a competitive landscape that has been subtly but decisively tilted. The public, presented with a policy wrapped in the flag of national security, is expected to be grateful.
The FCC's router ban is, in this sense, a masterpiece of the form. The threat is real. The solution is fake. And the people who profit from the distance between the two are already counting their gains.
Jonathan Brown for AetheriumArcana
Member discussion: