A new ProPublica report accused Microsoft of allowing China-based engineers to assist with Pentagon cloud systems with inadequate guardrails in an effort to scale up its government contracting business, raising espionage concerns from national security experts.
The report cited current and former employees and government contractors who worked on a cloud computing program deployed by Microsoft in 2016 that would allow the tech giant to sell its cloud services to the government, known as a ‘digital escort’ framework.
The security measure, meant to meet federal contracting regulations, was effectively a program that included a ‘digital escort’ chaperone for global cybersecurity officials, such as those based in China, so they can work on agency computing systems.
Defense Department guidelines require that people handling sensitive data be U.S. citizens or permanent residents.
According to sources who spoke to ProPublica, including some who had intimate familiarity with the hiring process for the $18-per-hour ‘digital escort’ position, the tech employees being hired to do the supervising lacked the adequate tech expertise to prevent a rogue Chinese employee from hacking the system or turning over classified information to the CCP.
The sources elaborated that the escorts, often former military personnel, were hired for their security clearances more than their technical abilities and often lacked the skills to evaluate code being used by the engineers they were supervising.
In China, people are governed by sweeping laws compelling government cooperation with data collection efforts.
‘If ProPublica’s report turns out to be true, Microsoft has created a national embarrassment that endangers our soldiers, sailors, airmen and marines. Heads should roll, those responsible should go to prison and Congress should hold extensive investigations to uncover the full extent of potential compromise,’ said Michael Lucci, the CEO and founder of State Armor Action, a conservative group with a mission to develop and enact state-level solutions to global security threats.
‘Microsoft or any vendor providing China with access to Pentagon secrets verges on treasonous behavior and should be treated as such.’
‘This is like asking the fox to guard the henhouse and arming the chickens with sticks in case the fox gets mad,’ Michael Sobolik, a Hudson Institute foreign policy senior fellow, added. ‘It beggars belief.’
Microsoft uses its escort system to handle sensitive government information that falls below ‘classified,’ which includes ‘data that involves the protection of life and financial ruin,’ ProPublica reported. At the Defense Department, the data is categorized as ‘Impact Level’ four and five, which ProPublica reported includes materials directly supporting military operations.
A Microsoft spokesperson defended the company’s ‘digital escort’ model, saying all personnel and contractors with privileged access must pass federally approved background checks.
‘For some technical requests, Microsoft engages our team of global subject matter experts to provide support through authorized U.S. personnel, consistent with U.S. government requirements and processes,’ the spokesperson added. ‘In these instances, global support personnel have no direct access to customer data or customer systems.’
The Defense Information Systems Agency’s (DISA) public information office was initially unaware of the program when ProPublica began asking questions about it, but it eventually followed up to point out that ‘digital escorts’ are used ‘in select unclassified environments’ at the Defense Department for ‘advanced problem diagnosis and resolution from industry subject matter experts.’
Fox News Digital reached out to the DISA and DOD but did not immediately receive a response.
In 2023, Chinese hackers infiltrated Microsoft’s cloud servers and stole data belonging to senior U.S. government officials, including data and emails from the commerce secretary, the U.S. ambassador to China and others involved in national security work. Hackers were able to access tens of thousands of emails from the Defense Department.
A postmortem from the federal Cyber Safety Review Board, which has since been disbanded, cited Microsoft security failures that allowed hackers to infiltrate the cloud. However, the after-incident report did not include any links to the ‘digital escort’ program, according to ProPublica.
Microsoft said in response to the recent ProPublica report that it considers ‘anyone’ with access to sensitive government systems, no matter their location or role, a potential risk.
‘We establish layers of mitigation at the platform level with security and monitoring controls to detect and prevent threats. This includes approval workflows for system changes and automated code reviews to quickly detect and prevent the introduction of vulnerabilities,’ a company spokesperson told Fox News Digital.
The spokesperson added that Microsoft adheres to the federal security requirements outlined by the Defense Department and the Federal Risk and Authorization Management Program, which was established in 2011 to address the risks associated with moving from entirely government-controlled servers, to cloud-based computing.
‘This production system support model is approved and regularly audited by the U.S. government,’ the spokesperson concluded.
Still, if the ProPublica allegations are true, Lucci says the federal government should cease its work with Microsoft.
‘If these [ProPublica] allegations are credible, the federal government should never again rely on Microsoft to protect the data that keeps our men and women in uniform safe, especially given Microsoft’s extensive record of being compromised by the CCP,’ Lucci said Monday. ‘Our military cannot operate in security and secrecy if a vendor repeatedly and intentionally invites the enemy into the camp.’