Earlier this month, the Colorado State Senate’s Committee on Business, Labor, and Technology voted to advance Senate Bill 90. The bill would create an exemption for “critical infrastructure” in the state’s existing right-to-repair law for digital electronic equipment. That might sound like a commonsense safeguard. 

In practice, it would make Colorado’s critical infrastructure less safe by stripping businesses of the ability to repair the servers, routers, switches, firewalls, and other IT equipment they depend on, without requiring software manufacturers to make those systems more secure in the first place.

The bill draws on the federal definition of “critical infrastructure” as systems and assets “so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, public health, or safety.” In plain terms, that means IT devices used across sectors like health care, financial services, energy and communications could only be serviced by the manufacturer or providers they authorize.

Crucially, Senate Bill 90 currently does not specify which products qualify for this exemption. In effect, that determination is left to manufacturers themselves, with no clear burden of proof. A company could exempt its own networking equipment from Colorado’s right-to-repair requirements simply by asserting that it is too sensitive for independent repair. 

The bill appears to be motivated, at least in part, by the idea that limiting access to repair tools, parts and documentation improves security. That assumption does not align with how cybersecurity risk is actually created in practice.

The central problem in critical infrastructure is not who performs repairs. It is how the underlying technology is built and shipped. Manufacturers routinely release products with known vulnerabilities, insecure default configurations, and limited or unclear pathways for patching and support. These conditions define the security posture of a system long before an operator ever attempts to repair it. 

Senate Bill 90 would not address those conditions. It restricts access to repair while leaving the root causes of insecurity untouched, placing more burden on operators and none on the manufacturers most capable of reducing systemic risk.

Our experience leading the Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative consistently showed that the conditions set by manufacturers shape what is possible for operators in the field. The initiative aimed to shift responsibility for security outcomes toward those best positioned to build it in, rather than those left to manage the consequences.

The analogy to automobile safety is instructive. We do not expect drivers to compensate for the absence of seatbelts or crumple zones, nor do we ask them to retrofit those features after purchase. Safety is a property of design. 

Software should be treated the same way. When systems are built with unsafe components and shipped with unsafe defaults, downstream controls cannot reliably compensate.

Senate Bill 90 would tighten control over who can service systems while leaving manufacturers free to continue shipping insecure ones. It also introduces a second risk: delay. If only manufacturers or their authorized providers can perform repairs, capacity becomes a constraint. In crisis conditions, it could slow response and recovery at the moment speed matters most.

Recent events illustrate the stakes. In early 2024, federal officials testified before Congress about widespread compromises of U.S. critical infrastructure by the nation-state-sponsored cyber actor Volt Typhoon. These intrusions compromised systems in the water, energy, telecommunications and transportation sectors.

Many were enabled by the exploitation of known, preventable weaknesses in network edge devices such as routers and firewalls — the very systems intended to protect these environments. Restricting who can repair those systems does not reduce that risk. It may instead extend the time those systems remain compromised. 

In critical infrastructure environments, delays in remediation can affect access to water, emergency services and health care. Policy choices that slow recovery can translate directly into consequences for public safety.

Colorado’s right-to-repair law reflected a sound instinct: that operators should have meaningful ability to maintain and repair the systems they rely on. Senate Bill 90 would retreat from that principle in the environments where it matters most, in exchange for a security benefit the evidence does not support. 

If lawmakers want to improve cybersecurity outcomes in critical infrastructure, the focus should be on manufacturer accountability: secure defaults, vulnerability disclosure, lifecycle transparency and timely patching. These are the conditions that determine whether systems can withstand attack and recover when they fail. Senate Bill 90 does not move us in that direction. Legislators should direct their efforts toward the harder, more consequential work of holding manufacturers to a higher standard.

Bob Lord, of San Francisco, is a former senior technical advisor at CISA, where he co-led the Secure by Design initiative and is the founder of Hacklore.org.

Lauren Zabierek, of Boston, was a senior advisor at the Cybersecurity and Infrastructure Security Agency, where she co-led the Secure by Design initiative.


The Colorado Sun is a nonpartisan news organization, and the opinions of columnists and editorial writers do not reflect the opinions of the newsroom.


Type of Story: Opinion
