Microsoft has relied on engineers based in China for years to help maintain some of the U.S. Department of Defense’s (DOD) most sensitive cloud computing systems, potentially leaving them vulnerable to hacking, according to a new investigation from ProPublica released Tuesday.
Because U.S. law prohibits foreign nationals from directly accessing federal systems that handle sensitive data, Microsoft has been funneling work through American “digital escorts” — low-paid workers with security clearances but often possessing limited technical expertise — who input commands from more skilled China-based engineers into federal networks, according to ProPublica. The arrangement, largely unknown even within the federal government, is raising alarms among national security and cybersecurity experts as the engineers could gain access to sensitive government data with little oversight, potentially exposing critical systems to Chinese cyber espionage.
The system has reportedly been in place for over a decade, ProPublica reported. China remains America’s top cyber security adversary, posing both a threat to government and private sector entities, according to a February 2024 report from the Office of the Director of National Intelligence.
This arrangement is used to handle “high impact level” information, which includes “data that involves the protection of life and financial ruin,” where “loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals,” according to U.S. government policy reviewed by ProPublica. The escorts effectively act as middlemen, copying and pasting commands from foreign workers into Pentagon-linked systems, in some cases without fully understanding the functions of those commands.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” one escort, who works for Microsoft contractor Insight Global and spoke on condition of anonymity, told ProPublica. “They’re telling nontechnical people very technical directions,” the current Insight Global escort said, adding that the foreign engineer could install an update allowing an outsider to access the network.
“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” Harry Coker, former senior executive at the CIA and the National Security Agency, told ProPublica.
Over the years, various individuals involved in the work told ProPublica that they had warned the company about the risks. Despite the presence of an escort with a security clearance, ProPublica found that foreign engineers have access to details about the federal clouds that hackers can exploit.
“If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious then [escorts] would have no idea,” a former Microsoft engineer who worked on the escort system, told ProPublica.
Microsoft told the DCNF that its personnel and contractors are audited by the U.S. government, and that the Chinese engineers in question would have “no direct access to customer data or customer systems.”
“As part of our Secure Future Initiative and in accordance with zero trust principles, Microsoft assumes anyone that has access to production systems, regardless of location or role, can pose a risk to the system, whether intentionally or unintentionally, and we establish layers of mitigation at the platform level with security and monitoring controls to detect and prevent threats,” a Microsoft spokesperson said in a statement to the DCNF. “This includes approval workflows for system changes and automated code reviews to quickly detect and prevent the introduction of vulnerabilities.”
Many of the escorts are former military personnel paid as little as $18 an hour and lack the technical training to identify malicious activity, according to ProPublica.
Microsoft employs approximately 50 escorts, each of whom partake in hundreds of interactions with China-based engineers and plug in the engineers’ commands into federal computers, according to ProPublica.
Notably, in 2023, Chinese hackers compromised the emails of the U.S Commerce and State Departments, including those of the U.S. ambassador to China, a breach that was ultimately blamed on vulnerabilities created by Microsoft’s security lapses.
“I probably should have known about this,” John Sherman, former chief information officer for the DOD, told ProPublica.
Moreover, China hawks point out that Chinese law allows the Communist Party to collect data from companies and individuals at will.
“It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement,” Jeremy Daum, a senior research fellow at the Paul Tsai China Center at Yale Law School, told ProPublica.
The Pentagon did not respond to the Daily Caller News Foundation’s request for comment.
Melissa O’Rourke contributed to this report.
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact licensing@dailycallernewsfoundation.org