Colorado Bill Threatens Cybersecurity of Critical Infrastructure

$90 million. That's the estimated annual cost of cyberattacks on Colorado's critical infrastructure. Yet, the state is considering a bill that could weaken its defenses. Senate Bill 90, recently advanced by the Colorado State Senate's Committee on Business, Labor, and Technology, aims to exempt "critical infrastructure" from the state's right-to-repair law for digital electronic equipment.

For context, the current right-to-repair law allows businesses to repair their own equipment, such as servers and routers, without needing permission from the manufacturer. This law has been in place to promote self-sufficiency and reduce reliance on external vendors. However, the proposed bill would create an exemption for critical infrastructure, which includes systems and assets vital to national security, economic security, public health, or safety.

Let's do the math. If this bill passes, it would mean that businesses in critical sectors like healthcare, finance, and energy would no longer be able to repair their own equipment. They would have to rely on the manufacturer or authorized providers, which could lead to delays and increased costs. In practice, this could result in a significant increase in the $90 million annual cost of cyberattacks, as businesses would be less able to respond quickly to security threats.

The bill's proponents argue that limiting the ability of companies to fix their own equipment would improve security. However, this assumption does not align with how cybersecurity risk is actually created. The central problem in critical infrastructure is not who performs repairs, but rather how the underlying technology is built and shipped. Manufacturers often release products with known vulnerabilities, insecure default configurations, and limited pathways for patching and support.

On paper, the bill appears to prioritize security, but in reality, it would restrict businesses' ability to maintain and fix their equipment, while leaving the root causes of insecurity untouched. This would place more burden on operators, who would have to rely on manufacturers to provide timely and effective support. The manufacturers, on the other hand, would not be held accountable for building secure products in the first place.

The analogy to automobile safety is instructive. We do not expect drivers to compensate for the absence of seatbelts or crumple zones, nor do we ask them to retrofit those features after purchase. Safety is a design consideration that must be built into products from the outset. Similarly, cybersecurity should be a primary concern for manufacturers, rather than an afterthought.

It's worth noting that the bill does not specify which products qualify for this exemption, leaving it to manufacturers to decide. This lack of clarity and oversight could lead to abuse, with companies exempting their own equipment from the right-to-repair requirements without justification.

In the end, this bill would cost taxpayers and businesses more in the long run. By restricting the ability of businesses to respond to security threats, we would be creating a less secure environment. The practical bottom line is that this bill would increase the financial burden on local businesses and potentially put critical infrastructure at greater risk. For folks around here, that means a higher risk of cyberattacks and increased costs for businesses, which could ultimately be passed on to consumers.