The FCC's ban on Huawei and ZTE equipment: A deep dive into the national security ruling

Background: A targeted strike, not a blanket ban

In late 2022, headlines suggested a sweeping new directive from the U.S. Federal Communications Commission (FCC) targeting foreign-made internet hardware. The reality is more specific and represents a critical escalation in the long-simmering effort to secure American communications infrastructure. The FCC did not ban all foreign-made routers; instead, it adopted new rules prohibiting the authorization of any new communications equipment from a specific list of companies deemed to pose an unacceptable risk to U.S. national security.

This action, taken on November 25, 2022, effectively blocks future imports and sales of new equipment from Chinese telecommunications giants Huawei and ZTE. The ban also extends to Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology, companies known primarily for two-way radios and video surveillance equipment. These five firms and their affiliates now reside on the FCC’s “Covered List,” established under the Secure and Trusted Communications Networks Act of 2019. This legislation marked a formal commitment by the U.S. government to purge high-risk vendor equipment from its networks, particularly in the run-up to nationwide 5G deployment.

Technical details: A threat of potential, not just proof

Unlike a typical vulnerability disclosure based on a specific Common Vulnerabilities and Exposures (CVE) identifier, the FCC’s ban is a regulatory action rooted in supply chain risk management and counterintelligence. The core concern is not a single exploitable flaw but the fundamental relationship between these companies and the Chinese government.

U.S. intelligence agencies and policymakers operate on the premise that Chinese national security laws can compel any domestic company to cooperate with state intelligence services. This creates a series of feared, and difficult to disprove, attack vectors:

• Embedded Backdoors: The primary fear is that hardware or firmware could contain hidden access mechanisms, intentionally installed during manufacturing. These backdoors could allow for surreptitious data exfiltration or remote control, bypassing conventional security measures.
• Malicious Firmware Updates: A vendor could be compelled to push a compromised firmware update to deployed devices, transforming trusted infrastructure into a distributed network for espionage or disruption.
• Data Exfiltration: Network equipment like routers and switches are perfectly positioned to intercept, copy, and transmit sensitive data. The concern is that devices could be programmed to siphon off specific types of traffic and send it to servers controlled by a foreign adversary.
• Denial of Service and Sabotage: In a geopolitical conflict, compromised infrastructure could be remotely disabled, crippling communications, energy grids, and financial systems that depend on network connectivity.

The mechanism for enforcement is the FCC’s own equipment authorization process. Any device that emits radio frequency energy and is sold in the U.S. must receive FCC certification. By denying this authorization to new products from companies on the Covered List, the FCC has effectively closed the gate to the U.S. market for their future product lines.

Impact assessment: Ripples across the globe

The immediate and most direct impact is on the designated companies. Being locked out of the lucrative U.S. market for new products is a significant blow to Huawei, ZTE, Hikvision, and Dahua, further isolating them from Western technology ecosystems. However, the effects extend far beyond these manufacturers.

U.S. Telecommunications Carriers: Many small and rural network providers in the U.S. originally built their infrastructure using lower-cost equipment from Huawei and ZTE. These carriers are now at the center of the FCC’s “rip and replace” program, a multi-billion dollar effort to subsidize the removal of covered equipment and its replacement with hardware from approved vendors like Ericsson, Nokia, or Samsung. This process has proven to be costly, complex, and logistically challenging, sometimes delaying network upgrades in underserved communities.

Businesses and Consumers: For the average American consumer, the direct impact is minimal. Huawei and ZTE routers never achieved dominant market share in the U.S. consumer space. However, the ban on Hikvision and Dahua is more significant for businesses that relied on their cost-effective video surveillance systems. These organizations must now find alternative suppliers for future installations and expansions.

Geopolitical Tensions: The FCC’s ruling is another major development in the ongoing U.S.-China technology rivalry. Beijing has consistently condemned these actions as anticompetitive and politically motivated, designed to stifle the growth of Chinese tech champions. This further encourages a global bifurcation of technology, where nations may be forced to choose between U.S.-aligned and China-aligned supply chains, potentially leading to competing standards and a less interoperable internet.

How to protect yourself

While this ban targets the sale of new equipment, the underlying security principles are relevant to everyone. Protecting your home or business network from supply chain threats and other vulnerabilities requires proactive measures.

1. Identify Your Network Hardware: The first step is knowing what you have. Check the labels on your router, modem, security cameras, and other connected devices. Identify the manufacturer. While most U.S. consumers won't have a Huawei or ZTE router, it's worth checking, especially if the equipment was provided by a smaller internet service provider years ago.
2. Prioritize Replacement of High-Risk Devices: If you identify equipment from a vendor on the FCC's Covered List, especially a core device like a router, you should strongly consider replacing it with a model from a more trusted manufacturer.
3. Practice Router Security Hygiene: Regardless of the brand, all routers should be properly secured.
   • Change Default Credentials: Immediately change the default administrator username and password.
   • Update Firmware: Enable automatic updates if available, or regularly check the manufacturer's website for the latest firmware. Updates often contain critical security patches.
   • Use Strong Wi-Fi encryption: Ensure your Wi-Fi network is using WPA3 or, at a minimum, WPA2-AES encryption. Avoid outdated standards like WEP or WPA.
   • Disable Unnecessary Features: Turn off features you don't use, such as Universal Plug and Play (UPnP), WPS, and remote administration, as they can be vectors for attack.
4. Segment Your Network: For more security-conscious users or businesses, create separate network segments (VLANs). Keep untrusted devices, like IoT gadgets or guest devices, on a separate network from your computers and servers that handle sensitive data. This contains the damage if one device is compromised.
5. Consider a VPN service: A Virtual Private Network encrypts the traffic leaving your devices, providing a layer of protection against snooping on untrusted networks and can help obscure your activity from your internet service provider.

The FCC's action is a stark reminder that national security and cybersecurity are now inextricably linked to the global technology supply chain. While driven by high-level geopolitical strategy, the core lesson for all of us is the importance of knowing, trusting, and securing the hardware that connects us to the world.