Microsoft has been managing some of the U.S. Department of Defense’s (DOD) most sensitive cloud computing systems for years, raising concerns about potential hacking vulnerabilities, according to a recent Propublica study released on Tuesday.
Due to U.S. laws that restrict foreign access to federal systems handling sensitive information, Microsoft is utilizing American “digital escorts” to facilitate this work. This relatively obscure arrangement has caught the attention of national security and cybersecurity experts, as it provides engineers with access to critical government data with minimal oversight. This, in turn, raises fears about the risk of Chinese cyber espionage.
The Propublica report suggests that this system has been operating for over a decade. China is considered a top cybersecurity threat to both government and private sectors, as highlighted by a report from the Director of the National Intelligence Bureau in February 2024.
This system manages “high impact level” information, which includes data critical for life protection and financial security. The consequences of losing secrecy, integrity, or availability in this data could have severe impacts on both organizational operations and individuals. Essentially, these escorts act as middlemen, relaying commands from foreign engineers into Pentagon networks.
“While we consider their operations to be unmalicious, it’s hard to truly assess,” one Microsoft contractor working as an escort remarked to Propublica on the condition of anonymity. They noted that these engineers provide highly technical instructions to those who may not fully understand the implications, allowing foreign personnel to install updates and gain network access.
Harry Coker, a former CIA executive, expressed significant concerns, stating that if he were an operative, he would find this access incredibly valuable.
Over the years, individuals involved in this process have reportedly alerted Microsoft to the associated risks. Despite having escorts with security clearance, Propublica found that foreign engineers could access sensitive details about federal cloud systems, a vulnerability that hackers could exploit.
One former engineer pointed out that a seemingly innocuous command, like “fix_servers.sh,” could potentially lead to malicious actions.
In response, Microsoft communicated that their HR and contractor practices were audited by the U.S. government and emphasized that the Chinese engineer involved does not have direct access to customer data or systems. They stated their commitment to safety through a new initiative, which includes additional security and monitoring controls to detect potential risks effectively.
According to Propublica, many of the escorts are ex-military personnel earning around $18 an hour and may lack the technical expertise to recognize harmful activities.
Microsoft reportedly employs approximately 50 escorts, each involved in numerous interactions with engineers from China, inputting commands into federal systems.
Notably, in 2023, Chinese hackers accessed sensitive emails from several U.S. government entities, including the Department of Commerce, which raised alarms about vulnerabilities in Microsoft’s security.
John Sherman, a former DOD chief information officer, remarked that the concerns raised were likely known within the organization long before. Moreover, there’s a worry that Chinese law permits the Communist Party to request data from businesses and individuals with relative ease.
Jeremy Daum, a researcher at the Paul Tsai China Centre at Yale Law School, highlighted the challenges faced by Chinese citizens or corporations when resisting requests from security or law enforcement.
The Pentagon has not provided any comments in response to inquiries regarding these issues.
