National security risks in routers, modems targeted in bipartisan Senate bill

The national security risks posed by routers, modems and similar devices produced by U.S. adversaries would be the subject of a new federal study under a bipartisan Senate bill introduced Monday.

The Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS) Act from Sens. Marsha Blackburn, R-Tenn., and Ben Ray Luján, D-N.M., is aimed at better safeguarding the public’s communications networks from technology controlled by foreign adversaries, including China, Russia, Iran, North Korean, Cuba and Venezuela.

“Tens of millions of families and small businesses across the country use wireless routers as their primary access point to the internet,” Blackburn said in a statement. “Many of these routers are susceptible to infiltration by foreign actors — including China — exposing our country to serious danger. This bill will better protect U.S. communications networks and our national security.”

If signed into law, the ROUTERS Act would charge the Commerce Department’s assistant secretary for communications and information with overseeing a study of the national security risks presented by routers, modems or devices that combine both technologies, and that are “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the influence of a covered country,” the bill text reads. 

The study from the assistant secretary — who also serves as administrator of the National Telecommunications and Information Administration — would be reported to the Senate Commerce, Science, and Transportation and House Energy and Commerce committees within a year of the legislation’s enactment.

“The ROUTERS Act is a crucial step in ensuring that everyday internet devices like consumer routers and modems don’t pose a risk to our national security or consumer privacy,” Luján said in a statement. “Securing our broadband infrastructure is a top priority, and we must create safeguards at every point across our systems.”

The federal government’s cybersecurity-focused offices have long raised concerns that small office/home office (SOHO) routers present risks to the country. Last September, the National Security Agency, in collaboration with the FBI, U.S. Cyber Command, and international allies, issued an advisory highlighting the threat posed by Chinese-linked cyber actors who have compromised SOHO routers globally to create a botnet for malicious activities. 

A separate bipartisan Senate bill introduced Monday would deliver a different cybersecurity-related assignment to NTIA’s leader: creating a working group on cyber insurance. 

The Insure Cybersecurity Act from Sens. John Hickenlooper, D-Colo., and Shelley Moore Capito, R-W.Va., calls for the creation of a “dedicated working group to develop information for issuers, agents, brokers, and customers to improve communication over cybersecurity insurance coverage levels.” 

Per the bill, which Hickenlooper and Capito previously introduced in the last Congress, working group members would include at least one representative from the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the Federal Trade Commission and the Treasury and Justice departments. There would also be at least one state insurance regulator with cybersecurity and cyber insurance experience.

“Small businesses need cyber insurance to protect their businesses and guard their data. Unclear policies and ambiguous language can leave businesses stranded after a cyberattack,” Hickenlooper said in a statement. “Easy to understand cyber insurance resources will help make sure businesses are secure, covered, and resilient.”

The legislation calls on the NTIA to make public any resources on cyber insurance that “prospective customers can easily understand.” The working group should be able to “analyze and explain” to the public technical jargon commonly associated with cyber insurance, how various measures correspond with cyber incidents, such as ransomware attacks, and why policy issuers face certain constraints in covering especially large losses.

“Cyberattacks across the world continue to grow in scope and scale, and it’s critical that we do what we can to identify and prevent them from occurring,” Capito said in a statement. “This legislation will assist businesses in better understanding the complex cyber insurance environment. It will also help lower the cost burden victims must bear when they are attacked by cyber-criminals so businesses can continue operations and pay their workers if they are targeted.”