These are networks of controlled devices. They're hard to eradicate, as shown by the fact that they haven't been eradicated: they're still active and being used to compromise systems, including defense and intelligence systems, power systems, financial systems, identity systems, etc.
Is banning foreign gear going to fix this? No. Security isn't a product. It is, however, a process, and in a process you take steps. I think this: we (individuals and institutions) enjoy tremendous liberty in the use of communications equipment in the US and most of the West. Taking that for granted is a mistake. If part of keeping this means the US has to spin up a domestic supply of network gear, or carefully modulate where such gear comes from, then let's do that. Otherwise, The Powers That Be will leverage their concerns into far worse steps.
Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.
I think "turn it off permanently by bricking it" is almost as bad as "leverage for DDoS".
I worked on Bot Mitigation at Amazon, and we once saw a ton of traffic that was heavily distributed amongst consumer devices world-wide, but surprisingly in the US too. We suspected compromised routers that were using the home page as a health check. There was a lot of investigation I did, and the short realization after talking with the network engineers is that the amount of traffic, and distribution of sources, would be impossible to stop. There simply isn't enough bandwidth in the world to stop so many residential devices if they hit a specific target. To be clear, this was coming from less than half of active Amazon customers, not everyone in the US.
Anyway, it wasn't routers, but it was a consumer device, and it wasn't nefarious, it was incompetence (in code), as usual.
IME cell networks definitely can't cope with a loss of all routers in an area, given how mobile data becomes basically unusable when there's a power outage. That said, "everyone had their routers disabled" is probably not realistic, given that there are plenty of non-Chinese router vendors.
If this were really about computer security they would follow California’s example of requiring unique passwords. Maybe make manufacturers liable for not patching known remote exploitable security vulnerabilities. It doesn’t matter if the source of a DDoS is a Huawei box or a Netgear box.
- Access to data (DNS/IPs, domain names (if not using ESNI), amount of traffic, etc.) of sites you are visiting
- Access to the inside of your network where it can attack machines that may not be secure
- DDoS
- The ability to shut down your internet
I'm sure there are more.
That should probably be the technical concern. Even if you have traffic protected by TLS, you still typically have enough metadata to cause some problems for users individually, but the assumption that foreign equipment is back-doored by some security service or other is probably safe.