Mastodawn

RE: https://infosec.exchange/@briankrebs/116280575943263005

You might wonder how it is the FCC regulates Internet routers. It's complicated.

First, FCC certification has long been required for virtually all microprocessor-equipped electronics, to ensure compliance with RF emission limits.

Then, in 2020, Congress enacted 47 USC § 1601, the "secure networks act", which requires the FCC to maintain a list of networking equipment determined to pose risks to national security: https://www.law.cornell.edu/uscode/text/47/1601

Equipment on the list can't receive FCC certification.

Show thread

Matt Blaze 14h ago

So the regulatory authority for the FCC here is rather indirect, kind of a backdoor.

They don't regulate the Internet Protocols or Internet security per se, but they do regulate most of the *equipment* that the Internet runs on (because almost everything uses RF-emitting processors that require FCC certification).

Show thread

Matt Blaze 14h ago

What the FCC has done here is added *all* foreign made consumer routers (that is, all consumer routers) to the "covered list" of national-security-threatening network gear, unless an exemption is obtained. See https://docs.fcc.gov/public/attachments/DA-26-278A1.pdf

Weirdly, they cite incidents like Salt Typhoon, which compromised carrier-grade equipment, not, as far as I know, consumer routers.

Show thread

Matt Blaze 14h ago

There will undoubtably be a lot of hairsplitting over definitions here. What constitutes "foreign made"? Assembled overseas? Made of components from overseas? Running firmware written overseas? etc.

Show thread

Matt Blaze 14h ago

Also, this will re-ignite the long standing debate over how to pronounce the word "router".

Show thread