‘China is not our friend, and we should not bring CCP-controlled equipment into American homes,’ Sen. Cynthia Lummis said.
A bicameral group of 17 Republican lawmakers is urging Commerce Secretary Howard Lutnick to ban the sales of networking equipment from TP-Link, saying that the company has “deep ties” to the Chinese Communist Party (CCP).
Led by Sen. Tom Cotton (R-Ark.) and Rep. Riley Moore (R-W.Va.), the lawmakers sent a letter, dated May 14, to Lutnick, calling TP-Link “a state-sponsored networking equipment company” that poses “a clear and present danger.”
“China is not our friend, and we should not bring CCP-controlled equipment into American homes,” Sen. Cynthia Lummis (R-Wyo.), who cosigned the letter, wrote on the social media platform X on May 14.
“Proud to join my colleagues in supporting [Commerce Department’s] investigation of TP-Link and urging swift action to prohibit sales.”
The lawmakers stated that Chinese state cyber actors “have exploited” the company’s small and home office (SOHO) products, such as Wi-Fi routers, cellular gateways, and mobile hotspots, in their cyber campaigns against the United States.
“CCP agents commonly exploit SOHO routers because those systems have ideal bandwidth and computing power for sustained cyber activities but lack additional layers of security common in enterprise networks,” the letter reads.
Citing an advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) in February 2024, the lawmakers warned that the Chinese regime “uses SOHO equipment for ongoing espionage and targeting of critical infrastructure to pre-position itself for destructive attacks on Americans and communication channels with our allies.”
The CISA advisory named a Chinese threat actor group, Volt Typhoon, and how it used the technique of multi-hop proxies composed of virtual private servers or SOHO routers to carry out its cyber attacks.
In October 2024, Microsoft reported that a Chinese botnet known as CovertNetwork-1658 had hijacked many SOHO routers, the majority of which were manufactured by TP-Link, to carry out “highly evasive password spray attacks.” Microsoft added that its operation was discovered in August 2023, and the botnet consisted of about 8,000 compromised devices at any given time.
The lawmakers also warned that TP-Link “is subject to China’s National Security Law,” thus allowing the CCP to gain access to U.S. systems via the company’s devices, “before American authorities know a vulnerability exists.”
TP-Link was also accused by the lawmakers of engaging in “predatory pricing,” resulting in the company being able to quickly “capture nearly 60 percent” of the U.S. market share on retail routers and Wi-Fi systems.
According to the letter, the Department of Justice has launched an investigation into TP-Link’s pricing practices, and the Department of Commerce also has conducted its own probe into the company.
The lawmakers said Lutnick should “immediately prohibit the future sales” of TP-Link’s SOHO products in the United States.
“Each day we fail to act, the CCP wins while American competitors suffer, and American security remains at risk,” they wrote.
TP-Link, founded in China in 1996, states on its website that it has split into U.S.-based TP-Link Systems and China-based TP-Link Technologies, and the two are “no longer affiliated.”
In response to an inquiry from The Epoch Times, TP-Link Systems dismissed the letter, saying that it is “based on unfounded press rumors” and “we look forward to setting the record straight about our company.”
“As a U.S. company, no foreign country or government—including China—has access to or control over the design and production of our products,” it said.
Other cosignees of the letter are Reps. Gus Bilirakis (R-Fla.), Abraham Hamadeh (R-Ariz.), and John Rose (R-Tenn.), as well as Sens. John Barrasso (R-Wyo.), Tedd Budd (R-N.C.), Bill Cassidy (R-La.), Josh Hawley (R-Mo.), Jim Justice (R-W.Va.), Bernie Moreno (R-Ohio), Pete Ricketts (R-Neb.), James Risch (R-Idaho), Eric Schmitt (R-Mo.), Rick Scott (R-Fla.), and Tommy Tuberville (R-Ala.).
On May 6, Texas Attorney General Ken Paxton issued warnings to what he called CCP-affiliated companies, including TP-Link, for violating the state’s privacy laws. According to Paxton’s office, the companies were given 30 days to disclose whether “they process consumer data, allow consumers to opt out of data collection, and enable consumers to delete their personal data entirely” in accordance with the Texas Data Privacy and Security Act.
The attorney general said in a statement that the companies must “protect Texans’ data from falling into the hands of the CCP.”
Paxton’s office said that “additional legal action will be taken” if the companies fail to comply before the deadline.