The ROUTERS Act Outlines the Path to Greater Digital Security

Last week, the House of Representatives passed 25 bills through the chamber as part of its long-anticipated “China Week.”

This legislative sprint centered on legislation to counter the growing threat posed by Chinese firms in emerging and dual-use technologies, such as drones, batteries, and American’s genetic data. One bill in particular, the ROUTERS Act, should be prioritized in the Senate and passed quickly. 

The ROUTERS Act, which would require the Department of Commerce to study the threats posed by internet routers and wireless infrastructure from companies located in countries of concern, passed through committee and the full chamber without the registration of an objection.

After a clean handoff from the House, the Senate should utilize this momentum to clarify that the National Telecommunications and Information Administration should be in charge of the report and then pass this legislation.

Public reporting shows the Chinese government targeting vulnerabilities

Wireless routers are the hardware that enable devices to connect to wireless networks and access the internet. Public reporting and government investigations have shown that Chinese Communist Party-supported hacker groups have targeted software vulnerabilities in end-of-life (a product no longer supported or updated by the manufacturer) and Chinese-made routers, respectively, to conduct digital espionage and cyber attacks in the United States and Europe. 

The National Institute of Standards and Technology’s National Vulnerability Database, a repository of known software vulnerabilities, shows that one Chinese-based company’s products, TP-Link, contain hundreds of technical vulnerabilities.

These compromised products allow hackers to remotely access networks hosted on these devices, implanting malware to siphon information from unwitting users, as has happened to officials in the European Union. TP-Link is one of the most popular brands of routers within the U.S., with products widely available and promoted at major retailers such as Amazon and Walmart. The U.S. government has also purchased TP-Link equipment for use within the Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration. 

The ROUTERS Act would be the first step in preventing foreign adversaries from weaponizing a critical component of our information technology infrastructure. If the bill is enacted, the Department of Commerce will have one year to conduct a study investigating the national security risks posed by consumer routers, modems, and devices with analogous capabilities that are designed, developed, or manufactured by an entity owned or controlled by a covered country, which includes China, Iran, Russia, North Korea, and Venezuela. Conducting this study would allow the Department of Commerce to quantify the threat posed by insecure consumer hardware and begin building a record to inform future legislation to mitigate any threats if deemed necessary. 

The NTIA should be the agency designated responsible for this issue

While the legislation already enjoys bipartisan support in the Senate, the chamber could strengthen the legislation by designating the NTIA as the agency within the Department of Commerce responsible for drafting and overseeing the study. The NTIA straddles the divide between economic and national security considerations within the Department of Commerce.

The NTIA collects and analyzes data related to the digital economy, domestic broadband funding and access, and the free flow of information and data. The agency also works alongside the Bureau of Industry and Security on issues such as router security, as well as with the Department of Homeland Security to identify threats to internet and communications infrastructure. This expertise makes the agency the ideal candidate to direct a study that focuses on the potential threat of insecure hardware that is widely available and often purchased by American consumers to get online.

The ROUTERS Act is thoughtful legislation that seeks to uncover information about a potentially serious security vulnerability within American’s digital infrastructure. Protecting American economic and national security in the digital age is of paramount importance. NTIA’s experience managing, contributing to, and overseeing cross-agency and government projects is an asset that should not be overlooked. Cybersecurity concerns are often overlooked or left to a company’s CISO or government officials until catastrophe strikes.

Congress should not wait for such an event to determine whether these products pose a risk to everyday Americans. The Senate should take up the ROUTERS Act quickly and send the bill to President Biden’s desk.

Joshua Levine is Manager of Technology Policy at the Foundation for American Innovation. His work focuses on policies that foster digital competition and interoperability in digital markets, online expression, and emerging technologies. This Expert Opinion is exclusive to Broadband Breakfast.

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.