A Right to Repair Isn’t a Cyber Risk. It’s a Cyber Imperative!

When opponents of proposed right to repair laws talk about cybersecurity, they usually sound ominous: opening up access to service manuals, software updates, or diagnostic tools will somehow invite hackers in. But talk to actual cybersecurity experts and you get a very different story. A vibrant and healthy market for repair isn’t a cybersecurity risk. In fact, it should be considered a cybersecurity imperative!

That was the message of a recent podcast discussion I hosted about a ground-breaking law that took effect January 1st: the state of Colorado’s right to repair law, which extends to technology sold in so-called “business to business” transactions (aka “enterprise IT”).

I was joined in the studio by Billy Rios, a world-renowned security researcher and co-founder of QED Secure Solutions, and Andrew Brandt, a noted cybersecurity expert and one of the main forces behind the new non-profit Elect More Hackers. Also joining us was Danny Katz, the Director of Colorado Public Interest Research Group (COPIRG), a guiding force behind the passage of Colorado’s electronics right to repair law.

Andy, Billy, Danny and I had a wide-ranging conversation on the cybersecurity impacts of right to repair laws: whether they create cyber risk, as electronics industry groups like TechNet argue, or whether the opposite is true: that a right for technology owners to repair their property is an essential part of modern cyber defense.

There was a clear consensus: a right to repair isn’t a cyber risk. The real cyber risks to businesses in Colorado and elsewhere come from vendors’ poorly built and maintained software, rife with exploitable vulnerabilities and insecure configurations, and from customer “lock-in” that makes service and repair expensive and hard to come by.

Podcast: The Right to Repair Business-to-Business Technology (Recorded Nov. 19th 2025)

Cybersecurity Depends on Repair

I opened our conversation by stating the obvious: the right to repair is often discussed in the context of phones or home appliances, but the stakes are just as high in enterprise technology: the servers, routers, switches, firewalls, and industrial control systems that run modern businesses. These enterprise IT systems are the backbone of modern businesses and critical infrastructure, representing trillions of dollars in global economic activity.

In Colorado, the only state with a robust right to repair law covering business technology, those systems underpin hundreds of thousands of jobs. Preventing organizations from repairing or maintaining them, or from hiring independent professionals to do so, isn’t just costly; it directly undermines resilience.

If you can’t fix or service critical equipment quickly, securely, and locally, you end up running outdated, unpatched systems. And in cybersecurity, vulnerable, unpatched systems are the low-hanging fruit attackers love.

Danny Katz from Colorado PIRG talked about the many ways that manufacturers complicate even basic repairs like fixing a fan, power cord, or motherboard component by requiring special codes for parts authorization. These unnecessary barriers, often erected in the name of preventing the use of stolen or pirated parts, mostly serve to prevent business-to-business repair facilities from performing straightforward fixes, with broad implications for businesses. Imagine, Katz said, if you could only bring your car to the dealer you purchased it from for service and maintenance.

Hackers Aren’t Waiting for Repair Manuals

Billy Rios brought a cybersecurity expert’s perspective. Having spent years breaking into systems—from medical devices to power infrastructure—he’s seen firsthand how vulnerabilities actually get exploited. Attackers don’t need repair manuals or diagnostic software. They reverse-engineer firmware, buy equipment on secondary markets, or exploit known flaws that vendors never fixed.

Locking down repair access won’t stop attackers. It mainly blocks defenders. Rios emphasized that many of the most serious vulnerabilities he’s uncovered existed because manufacturers tightly controlled access while failing to invest in long-term security maintenance. When only the vendor can repair a system, and the vendor doesn’t, the risk compounds over time, especially since cybercriminal and nation-backed hacking crews have already obtained and broken into the software and firmware of interest to them.

Transparency Makes Systems Safer

Andrew Brandt zoomed out to the policy level. In cybersecurity, transparency is a feature, not a flaw. The industry has learned, sometimes the hard way, that hiding system internals doesn’t make software or hardware safer. It makes weaknesses harder for defenders to find and easier for attackers to exploit silently.

Brandt noted that independent researchers, repair technicians, and security professionals all play a role in discovering flaws before attackers do. Right to repair laws expand that ecosystem of scrutiny and accountability.

From a workforce perspective, this matters too. We already face a shortage of skilled defenders. Restricting who can legally interact with or analyze systems only shrinks the pool further.

Who Benefits from the Fear Narrative?

A recurring theme in the discussion was skepticism about who’s pushing the “repair equals risk” argument. Large manufacturers often frame right to repair as a cybersecurity issue, but the incentives are clear: controlling repair preserves lucrative service monopolies and keeps customers locked in.

The same companies warning about hypothetical cyber threats are often slow to patch known vulnerabilities or support aging hardware. In that context, invoking “critical infrastructure risk” looks less like security stewardship and more like market protection.

Security Through Obscurity Is Failing. Repair Is Part of the Fix.

The takeaway from the conversation is blunt: in a world of constant cyber threats, the ability to repair, maintain, and update systems is not optional. It’s foundational.

Right to repair doesn’t weaken security. It strengthens it by:

  • Reducing downtime and exposure from unpatched systems
  • Enabling faster incident response and recovery
  • Encouraging independent security research and oversight
  • Increasing competition and accountability among vendors

For businesses and critical infrastructure operators, repair isn’t a liability. It’s a line of defense.