Open Letter To Colorado Senators: We’re Cyber Experts: This Bill Is Bad For Security.

Note: this is a copy of an email sent to Colorado state senators ahead of a planned vote on SB26-090, AN ACT CONCERNING EXEMPTING CRITICAL INFRASTRUCTURE FROM THE CONSUMER REPAIR BILL OF RIGHTS ACT. The bill, backed by Big Tech firms, seeks to exempt IT equipment sold to businesses in Colorado from the state’s right to repair law, (falsely) citing risks to critical infrastructure. Our letter urges Colorado senators to vote to reject the bill.

Dear Senate President Coleman and Members of the Colorado State Senate:

On behalf of Secure Repairs (securepairs.org), a coalition of more than 400 cybersecurity and IT professionals, we, the undersigned, urge you to vote in opposition to SB26-090, a bill to “Exempt Critical Infrastructure from Right to Repair.”

As written, SB26-090 will effectively strip tens of thousands of Colorado businesses of their ability to repair and maintain their own IT equipment – things like servers, routers, switches and firewalls. And it will deny them the benefit of a healthy and open marketplace for repair service providers. That will weaken Colorado’s existing right-to-repair protections, leading to higher operating costs for Colorado businesses and other harmful consequences for cybersecurity and market competition.

A Massive Exemption That Helps Big Tech, And Hurts Colorado Businesses

As written, SB26-090 exempts traditional enterprise IT systems from right-to-repair requirements simply because those same technologies might be used by the small number of organizations in Colorado that also own or operate critical infrastructure. That gaping exemption will grant manufacturers like Cisco, IBM, and others a de facto monopoly over lucrative repair and maintenance services. By removing customers’ and independent repair professionals’ access to information needed to diagnose and repair IT equipment, the bill will drive up repair and maintenance costs, reduce service availability, and place small and mid-sized Colorado businesses at a significant disadvantage.

Iran’s Attacks On Critical Infrastructure Show Us: Repair Information Is NOT The Problem 

The bill’s justification for creating this monopoly —protecting “critical infrastructure”— is not backed by any data or facts. Instead, it is a cynical effort to sow confusion over the nature of cyber threats to critical infrastructure; tap into public anxiety over cyber attacks; and offer false promises of better security. 

For proof, look at the Cybersecurity and Infrastructure Security Agency’s (CISA’s) alert on April 7th about Iranian state-backed cyber actors’ ongoing attacks on U.S. critical infrastructure. Those attacks are the latest in a years-long campaign by Iranian hacking crews. As CISA makes clear: the Iranian hackers compromised critical infrastructure by scanning the Internet for public-facing devices that were vulnerable because of exploitable flaws in manufacturer-supplied software, or weak configurations like the use of default passwords or even no passwords.

Want To Keep Colorado’s Critical Infrastructure Secure? Ensure A Healthy Market For Repair! 

If you want to stop attacks like that against Colorado critical infrastructure, know that restricting repair will have the opposite effect: worsening security by delaying needed software fixes and limiting the ability of Colorado businesses to find skilled professionals to help them respond to emerging threats. 

To be clear, Senator Snyder, we understand that keeping Coloradans safe from disruptive cyber attacks is a top priority for you and Colorado’s legislature. That is why we urge you to oppose passage of SB26-090 and preserve Colorado’s leadership in advancing policies that support competition, affordability, and cybersecurity resilience.

Thank you for your consideration.

Sincerely,

Paul F. Roberts, Founder

Secure Repairs (securepairs.org)

Chris Blask
CEO, QuietWire

Andrew Brandt
Executive Director, Elect More Hackers

Jon Callas
Founder, Zatik Security

Lodrina Cherne
Instructor, SANS Institute

Ming Chow
Professor, Tufts University

Dan Geer
Senior Fellow, In-Q-Tel

Joe Grand
Founder, Grand Idea Studios

Andrew ‘bunnie’ Huang
Owner, Bunnie Studios LLC

Brian (“Jericho”) Martin
CSO, attrition.org

Gary McGraw
Co-founder, Berryville Institute of Machine Learning

Billy Rios
QED Secure Solutions

Cris Thomas (“Space Rogue”)
Semgrep

Beau Woods
Founder, Stratigos Security
