WASHINGTON, DC — This week, Congressman August Pfluger (TX-11) led a letter with several colleagues commending Federal Communications Commission (FCC) Chairman Brendan Carr on his decision to establish the new Council for National Security within the FCC, and urging him to use the council to mitigate cybersecurity risks associated with unsecured routers.

In part, the members wrote, "The recent proliferation of cybersecurity incidents underscores the need for the entire federal government to work together to address and deter cyber threats. We write to you today because we believe there is more the FCC can do to reduce the likelihood of such incidents. As the backbone of the Internet, routers play a critical role in securing communications for consumers and businesses. When these devices are insecure, they can serve as gateways for cyberattacks. For example, weak, default, or easily predicted passwords make routers vulnerable to exploitation. Malicious actors can exploit these vulnerabilities in routers to disrupt service, steal sensitive data, or even launch attacks against critical infrastructure..."

"We are increasingly concerned about the prevalence of these devices and that unsecured routers may allow the CCP to surveil American data or disrupt our networks. Although the Department of Commerce is reviewing whether or not to ban routers made by Chinese-owned companies in the future, many of these devices remain on our networks, which nefarious actors could still leverage."

The letter outlines several examples of how the Chinese Communist Party (CCP) has repeatedly tried to leverage private companies and create backdoors in our critical infrastructure technology. The letter also highlights that under Chairman Carr's leadership, the Council for National Security can take action against the CCP by leveraging equipment authorization to require routers to allow only uniquely identifiable devices known to the household and securely authenticated by the network owner.

See the full letter HERE or read the full text below.

Dear Chairman Carr,

Firstly, we write to commend your decision to establish the new Council for National Security within the Federal Communications Commission (FCC), a crucial step in safeguarding America's telecommunications infrastructure. Congress stands ready to work with you on this initiative to reduce America’s dependence on foreign adversaries, mitigate cyberattack vulnerabilities, and ensure U.S. supremacy in critical technologies.

As you know, the House Energy and Commerce Committee has worked diligently to combat the People’s Republic of China’s (PRC) efforts to leverage private companies to create backdoors in our telecommunications infrastructure. For example, the House of Representatives just recently passed H.R. 866, the ROUTERS Act, to safeguard Americans' communications networks from foreign-adversary controlled technology, including routers, modems, or devices that combine both. Additionally, in the 118th Congress, the House passed H.R. 7521, the Protecting Americans from the Foreign Adversary Controlled Applications Act, which prevents foreign adversary-controlled applications from targeting, surveilling, and manipulating Americans through online applications like TikTok. Congress also worked to ensure that the Secure and Trusted Communications Networks Reimbursement Program, or the “Rip and Replace” program, received proper funding to remove untrusted equipment such as Huawei and ZTE from our networks.

Last year, the House Committee on Homeland Security and the Select Committee on the Chinese Communist Party released their Joint Investigation report into Shanghai Zhenhua Heavy Industries Company (ZPMC), a PRC-owned and operated company. The investigation yielded that ZPMC, or a third-party company contracted with ZPMC, installed cellular modems onto STS cranes currently operational at U.S. ports. These installations fall outside the scope of any contract between the affected U.S. ports and ZPMC. The modems created an obscure method to collect information and bypass firewalls in a manner that could potentially disrupt port operations.

Even more recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that the Chinese-made Contec CMS8000 patient monitors contained a hard-coded IP address linked to an unidentified third party, allowing for reverse backdoor functionality. This vulnerability allows for remote access of the medical device and may allow for potential manipulation, risking patient safety and compromising sensitive health data.

These are just a few examples of how the CCP will use every tool at its disposal to undermine U.S. economic and national security interests to further its agenda. The recent proliferation of cybersecurity incidents underscores the need for the entire federal government to work together to address and deter cyber threats. We write to you today because we believe there is more the FCC can do to reduce the likelihood of such incidents.

As the backbone of the Internet, routers play a critical role in securing communications for consumers and businesses. When these devices are insecure, they can serve as gateways for cyberattacks. For example, weak, default, or easily predicted passwords make routers vulnerable to exploitation. Malicious actors can exploit these vulnerabilities in routers to disrupt service, steal sensitive data, or even launch attacks against critical infrastructure.

It has been reported that TP-Link, a Chinese company, owns roughly 65% of the routers used in U.S. homes and small businesses. Additionally, the Department of Defense and other federal government agencies have used TP-Link Routers before. Multiple TP-Link routers have been added to the National Institute of Science (NIST) National Vulnerability Database for containing a directory traversal vulnerability, allowing unauthenticated remote attackers to access sensitive files by sending specially crafted requests.

We are increasingly concerned about the prevalence of these devices and that unsecured routers may allow the CCP to surveil American data or disrupt our networks. Although the Department of Commerce is reviewing whether or not to ban routers made by Chinese-owned companies in the future, many of these devices remain on our networks, which nefarious actors could still leverage.

With the new Council for National Security, the FCC can take various actions to mitigate cybersecurity risks associated with unsecured routers. The FCC could leverage equipment authorization through the Telecommunications Certification Body to require routers to allow only uniquely identifiable devices known to the household and securely authenticated by the network owner onto a customer’s network. These steps represent broadly accepted minimum security practices under NIST guidance and are necessary first steps toward protecting our nation’s consumers and networks from cyber risks. Other immediate-term options, such as prohibiting any new sales of TP-Link routers, or requiring ISPs to block new TP-Link routers from being added to home networks, would stop the influx of these devices on networks. Additionally, as we think beyond TP-Link routers, ISP authentication will strengthen U.S. networks’ ability to defend themselves against future untrusted Internet of Things (IoT) devices joining their networks.

We are confident that, under your leadership, we can advance national cybersecurity initiatives

and create robust strategies to strengthen U.S. networks against cybersecurity threats. Together,

we can foster a secure digital environment that instills trust and confidence among users

nationwide.

Sincerely,