Digital Repair Legislation Will Undermine Security of All Minnesotans

By – Jeff Tollefson, President & CEO of the Minnesota Technology Association

The nature of our digital lives has changed, with information technologies being far more sophisticated and networked than ever before. At the Minnesota Technology Association (MnTech), our members see this every day. Their clients and customers have become accustomed to the benefits of an online and networked world that continues to deliver an explosion of immediate, seamless online services – banking, government, retail, healthcare, food service, etc.¹ The information technology and telecommunications systems that run this critical infrastructure – from mainframe computers to network servers to edge computing – underpin and create the magic of these services, and this infrastructure is expected to be resilient, secure, and high performing.

The Minnesota legislature is considering legislation that, as drafted, would require original equipment manufacturers of digital equipment to provide software code, digital repair tools, documentation, and parts, to independent repair providers, even in situations where providing that software, digital repair tools, and documentation could be used to undermine the security of this IT and telecommunications infrastructure. Legislators are working to address this problem in the legislation, and we urge them to continue to do so.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has reported that in 2021, there were ransomware attacks against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.² We see this problem right here in Minnesota, as evidenced by recent data hacks involving the Minneapolis Public Schools³ and Rochester Public Schools.⁴

To make our IT and telecommunications infrastructure more secure, President Biden issued an Executive Order⁵ in 2021 to improve our nation’s cybersecurity, focusing on modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. Our members are stepping up to do their part to comply with the Order and do even more to help protect American citizens and their data from cyber breaches. Governor Walz also recognized the importance of strengthening cybersecurity by issuing Executive Order (EO) 22-20 in 2022 – Directing State Agencies to Implement Cybersecurity Measures to Protect Critical Infrastructure in Minnesota.⁶ Critical infrastructure under EO 22-2 has the same definition as that used by CISA.⁷ In addition to improving cybersecurity within state agencies, EO 22-2 also directs those agencies with regulatory oversight over critical infrastructure providers to use “their existing authority to the extent necessary and permissible to enable providers to perform their own risk assessments and elevate necessary defenses to counter immediate cyber threats”.

Our daily lives now depend on the dependability, security, and resilience of digital equipment, including enterprise IT and telecommunications systems, and the networks through which they connect. This infrastructure is critical to keeping Minnesota’s economy up and running, including the functioning of government. The risk is too high to mandate that original equipment manufacturers provide software code, digital repair tools, documentation, and parts to independent repair providers, many of whom have not made the appropriate investments in training and security. Once access to critical information has been shared, the risk of it falling into the hands of bad actors rises significantly, leaving Minnesotans unnecessarily vulnerable to security and economic disruptions.

We urge legislators to exclude from repair legislation the requirement to provide the software, tools, documentation, and parts where they could be used to undermine the security of the IT and telecommunications infrastructure on which we all so heavily depend.

Commentary submitted to Star Tribune on 4/28/23
Jeff Tollefson, President & CEO
Minnesota Technology Association

1. MnTech’s member companies range from producers of technology (e.g., 3M, Seagate, IBM, Medtronic, etc.) to those that rely on digital systems to drive their increasingly tech-enabled business models (e.g., Target, Cargill, U.S. Bank, CHS, Land O’Lakes, etc.), with issues related to information access and security a top concern for all.
2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-040a
3. https://www.cbsnews.com/minnesota/news/hackers-post-more-stolen-minneapolis-public-school-data-to-dark-web/
4. https://www.mprnews.org/story/2023/04/10/rochester-public-schools-says-data-was-breached
5. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity
6. https://mn.gov/governor/assets/EO%2022-20_tcm1055-539386.pdf
7. Under Executive Order 22-20, “Critical Infrastructure” is defined as “the 16 critical infrastructure sectors identified by CISA because their assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”