ROUTERS Act

Legislative Summary: ROUTERS Act (S. 244)

Overview

The Removing Our Unsecure Technologies to Ensure Reliability and Security Act, known as the ROUTERS Act, is a legislative proposal designed to address national security vulnerabilities inherent in consumer networking hardware. The bill directs the U.S. Department of Commerce to investigate the risks posed by internet routers and modems manufactured by or associated with foreign adversaries.

Main Purpose and Intent

The primary objective of the ROUTERS Act is to identify and evaluate cybersecurity vulnerabilities in the hardware that serves as the primary gateway to the internet for millions of American households and small businesses.

The legislation is driven by concerns that foreign adversaries—specifically China—may use consumer networking devices to infiltrate U.S. critical infrastructure, steal intellectual property, or create "botnets" for cyberattacks. The bill specifically references recent investigations into manufacturers like TP-Link due to their alleged compliance with People's Republic of China (PRC) laws and associated security vulnerabilities.

Key Provisions

The bill mandates a formal study and reporting process:

• Mandated Study: The Secretary of Commerce (acting through the Assistant Secretary for Communications and Information) must conduct a comprehensive study on the national security risks and cybersecurity vulnerabilities of:
  • Consumer routers
  • Modems
  • Combination modem-router devices
• Scope of Investigation: The study focuses specifically on devices designed, developed, manufactured, or supplied by entities owned by, controlled by, or subject to the influence of a "covered country."
• Defined "Covered Countries": Following existing law (10 U.S.C. 4872(f)(2)), covered countries include:
  • The People's Republic of China
  • The Russian Federation
  • The Islamic Republic of Iran
  • The Democratic People's Republic of North Korea
• Reporting Requirement: The Secretary of Commerce must submit the results of the study to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation within one year of the act's enactment.

Affected Parties

• U.S. Government: The Department of Commerce will be responsible for the research and reporting.
• Hardware Manufacturers: Companies based in or controlled by the "covered countries" will be the subject of the security analysis.
• U.S. Consumers and Small Businesses: While the bill does not currently mandate a ban or removal of devices, the findings of the study would likely inform future regulatory actions or consumer warnings regarding the hardware they use.

Procedural and Financial Aspects

• Timeline: The final report is due within one year of the bill becoming law.
• Estimated Cost: The Congressional Budget Office (CBO) estimates the cost of researching and writing the report to be approximately $1 million over the 2025–2030 period.
• Regulatory Impact: The bill does not create new regulatory programs or reporting requirements for private businesses at this stage; its current scope is limited to a government study.