A group of seventeen Republican lawmakers, led by Senate Intelligence Committee Chair Tom Cotton (R-Ark.), is urging the Department of Commerce to implement a nationwide ban on TP-Link products, citing the company’s alleged ties to the Chinese Communist Party and potential cybersecurity risks.
The lawmakers’ concerns focus particularly on security vulnerabilities in TP-Link’s small office and home office routers, which have been identified as frequent targets for Chinese hackers involved in U.S. infrastructure breaches. Despite relocating its headquarters to Irvine, California in late 2023, TP-Link continues to face scrutiny over its origins and operations. In spite of TP-Link’s recent designation as a CVE Numbering Authority, federal agencies including NASA, the Defense Department, and DEA have already purchased and deployed these routers throughout their networks.
The push for restrictions comes amid a broader bipartisan effort to remove Chinese technology from U.S. telecommunications infrastructure. This initiative follows similar actions taken against other foreign technology providers, including the Trump administration’s 2017 ban of Russian antivirus maker Kaspersky from federal networks and subsequent restrictions on Chinese firms Huawei and ZTE.
While TP-Link has not been directly linked to recent cyber attacks, including the “Salt Typhoon” breach that compromised major U.S. internet providers AT&T and Verizon, lawmakers describe the company as a “clear and present danger” to U.S. networks. The company has recently strengthened its security stance by becoming a signatory of CISA’s Secure by Design pledge.
The GOP legislators have additionally expressed concern about TP-Link’s alleged predatory pricing strategies, which they claim are designed to eliminate trusted American alternatives from the market.
Cybersecurity experts, nonetheless, maintain a more nuanced perspective on the situation. Industry professionals note that vulnerabilities in embedded devices are common across manufacturers, regardless of their country of origin.
Device vulnerabilities exist across all manufacturers globally, making country of origin less relevant than overall security practices.
TP-Link has demonstrated efforts to integrate into the cybersecurity community, joining prominent technology companies like Crestron, LG, Samsung, and Google as official CVE Numbering Authorities. The Commerce Department’s decision on this matter could set a significant precedent for how the administration balances national security concerns with international trade relationships.
