TP-Link is under U.S. investigation for security and antitrust concerns. As Congress targets federal risks, states and localities must address their reliance on vulnerable Chinese-made routers.
TP-Link routers pose serious cybersecurity risks.
TP-Link, the China-based network equipment manufacturer, is in trouble. The Department of Justice is conducting a criminal antitrust investigation into the company because of its strategy of intentionally undercharging for its products to drive out competitors. Meanwhile, the ROUTERS Act, which would require the Department of Commerce to investigate security issues in America’s wireless infrastructure, specifically from routers manufactured in China, is making its way through Congress. With all these concerns coming to a head, now is an ideal time to discover just how dependent the U.S. government is on Chinese-manufactured routers, not only at the federal level but also among states and local governments.
TP-Link routers are known to be incredibly vulnerable. First, the routers are filled with technical vulnerabilities, which the National Institute of Standards and Technology (NIST) National Vulnerability Database, a compendium of software vulnerabilities, tracks. Second, because of China’s national security laws, Chinese companies such as TP-Link have to support the Chinese government’s military and intelligence goals. This can involve companies turning a blind eye to state entities using their hardware as a cyber-attack source.
In fact, TP-Link routers have already been exploited by CCP-backed hackers to target Americans. In one case, malicious firmware linked to Chinese state-sponsored hackers was implanted into TP-Link routers. In another recent case, a vulnerability in TP-Link routers was used to build an Internet of Things botnet targeting American organizations. The most high-profile event came late last year when TP-Link routers were used to attack Microsoft. These vulnerabilities are so widespread that several countries, including Taiwan, have already banned TP-Link routers from their government and educational facilities. Despite the risks, multiple federal agencies continue to use TP-Link routers, from the Department of Defense to NASA.
Congress is addressing federal cybersecurity threats through legislation like the ROUTERS and FACT Acts.
In response to the threat foreign routers pose to American cybersecurity, Congress has introduced legislation to strengthen American wireless networks and cybersecurity at the federal level. The legislation includes the previously mentioned ROUTERS Act, which would require the Department of Commerce to study the threats posed by internet routers and wireless infrastructure from companies based in countries of concern. Another is the Foreign Adversary Communications Transparency (FACT) Act, which would require public disclosure of ownership stakes in American telecom companies that could pose a threat to national security.
However, these efforts would only help solve the federal government’s problem. There are also fifty state governments and countless local agencies to consider. States and local agencies are just as vulnerable to the cybersecurity risks created by Chinese-made products as federal entities are. To make matters worse, state and local agencies are often far less educated on cybersecurity risks, and, understandably, they buy the cheaper equipment, even if the products are manufactured in adversarial countries.
Despite federal efforts, state and local governments remain vulnerable due to widespread use of TP-Link routers.
Local and state organizations across the country use TP-Link, including schools, public utility companies, cities, and state transportation departments. TP-Link controls roughly 65% of the U.S. market for routers for homes and small businesses, and public procurement data show that local and state agencies buy TP-Link routers.
For example, as of May 2025, state agencies in California have spent at least $189,000 on TP-Link routers, according to the state’s procurement database. This is a lower-bound estimate, as many router purchases on the website do not list the specific brand of router purchased. TP-Link routers typically cost $50–$60, at minimum, suggesting that thousands are deployed across various California agencies. In Virginia, the state’s procurement dashboard shows several cases of the state buying TP-Link routers. Unfortunately, the procurement dashboard does not display the brand of routers, so it undercounts how many times Virginia purchased TP-Link routers.
While Congress is understandably focused on federal vulnerabilities, it also has a role in ensuring the safety of local and state agencies from hardware sourced from adversarial nations. There is room to strengthen the ROUTERS Act to help solve state and local problems. For example, in the required study, Congress should require the National Telecommunications and Information Administration to investigate the scope of where routers are purchased and used across federal, state, and local governments.
While states typically do not buy routers directly from TP-Link, they do buy from suppliers that sell TP-Link products. States often purchase goods through contracts negotiated by the National Association of State Procurement Officials (NASPO), a nonprofit organization that helps states negotiate cooperative contracts to buy goods and services in bulk. Several of the contractors approved by NASPO, such as CDW or GovConnection, include TP-Link routers among the many IT products they sell to state and local agencies.
NASPO should consider working with federal agencies such as NIST or the Cybersecurity and Infrastructure Security Agency to evaluate the security of NASPO-approved vendors. CISA has provided NASPO guidance in the past, so this would not be a new collaboration. NASPO could also ask that the contractors it works with not sell IT products from covered countries.
Congress and states must take coordinated action to strengthen procurement standards and protect American infrastructure.
The problem of public entities purchasing critical goods from covered countries is not new. Many states have already passed laws restricting their ability to purchase goods from covered countries. States should follow those laws and apply them to routers manufactured in adversarial countries. Some states have taken steps to solve this problem. In Tennessee, for example, the House and Senate introduced the TN Critical Infrastructure Act to protect critical infrastructure in the state. The bill has a provision that would ban state agencies from using routers produced by a company based in a covered country.
The ROUTERS Act is a strong piece of legislation that helps uncover information about security vulnerabilities in our wireless infrastructure. However, we need to know where the objects that create the vulnerabilities are. Congress should update the ROUTERS Act to solve this problem and ensure states know where they are vulnerable. States should update their critical infrastructure legislation to include routers from covered countries. Congress and state governments must act now—before these products become weapons in a future cyberattack.
About the Authors: Lars Erik Schönander and Luke Hogg
Lars Erik Schönander is a Research Fellow at the Foundation for American Innovation. He was previously a Congressional Innovation Fellow for TechCongress, working for the Senate Committee on Small Business and Entrepreneurship, and a Policy Technologist at the Foundation for American Innovation. He holds a BA from The George Washington University in International Affairs and Economics and is an incoming MBA student at the Tuck School of Business at Dartmouth College. His writing has appeared in the Wall Street Journal, American Affairs, the National Interest, Tablet, and elsewhere.
Luke Hogg is Director of Technology Policy at the Foundation for American Innovation, where he focuses on the intersection of technological innovation and public policy. Before joining FAI, Luke was Federal Affairs Manager at FreedomWorks, where he concentrated on blockchain, internet governance, and regulatory issues. He holds a BA in Government and Data Science from the College of William and Mary and lives in Washington, DC. You can follow him on Twitter at @LEHogg.