It’s hard to remember a time in technology when Microsoft wasn’t reviled. 1987? Most people seemed to think that Word 3.0 was pretty solid. But even then, it was widely believed in many sectors of the hacking community that MS-DOS had at least partially ripped off Gary Kildall’s CP/M operating system. But even for Microsoft, outsourcing Department of Defense work to Communist China is a new low.
Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.
How could anyone, anywhere at Microsoft or DoD think this is a good idea?
The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
Why was the arrangement “critical” to Microsoft winning the contract? Because they work cheaper than Americans? “We hire Chinese spies and pass the savings on to you!”
Americans overseeing the work isn’t a “barrier” to anything, since the Americans are presumably several thousand miles away. If the Chinese back up American data to thumb drives and ship them off to Beijing in a big red box labeled STOLEN AMERICAN SECRETS, how are these “digital escorts” supposed to know?
But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort who agreed to speak on condition of anonymity, fearing professional repercussions.
“We’re just letting the foxes run the hen house and hoping for the best.”
The system has been in place for nearly a decade, though its existence is being reported publicly here for the first time.
Microsoft told ProPublica that it has disclosed details about the escort model to the federal government. But former government officials said in interviews that they had never heard of digital escorts. The program appears to be so low-profile that even the Defense Department’s IT agency had difficulty finding someone familiar with it. “Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.
Oh, that’s great. Microsoft outsourced DoD work to China and nobody knows anything about it.
National security and cybersecurity experts contacted by ProPublica were also surprised to learn that such an arrangement was in place, especially at a time when the U.S. intelligence community and leading members of Congress and the Trump administration view China’s digital prowess as a top threat to the country.
The Office of the Director of National Intelligence has called China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” One of the most prominent examples of that threat came in 2023, when Chinese hackers infiltrated the cloud-based mailboxes of senior U.S. government officials, stealing data and emails from the commerce secretary, the U.S. ambassador to China and others working on national security matters. The intruders downloaded about 60,000 emails from the State Department alone.
Snip.
Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this “high impact level” category includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said. In the Defense Department, the data is categorized as “Impact Level” 4 and 5 and includes materials that directly support military operations.
“Hey, let’s ask our outsourced experts in Guangdong if we have enough missiles in place to defend Taiwan!”
WHY. THE. FUCK. WAS. THIS. OUTSOURCED????
John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”
Asleep at the switch all the way down.
In an emailed statement, the Defense Information Systems Agency said that cloud service providers “are required to establish and maintain controls for vetting and using qualified specialists,” but the agency did not respond to ProPublica’s questions regarding the digital escorts’ qualifications.
There are a lot more details about the “escort” system, but potential flaws in the system are way beside the point of the central fact that Chinese nationals should never have access to any Department of Defense system or data. Anywhere. Ever. Not even to maintain the website for the Pentagon cafeteria.
“No, really, we’ve got a great system for storing fireworks in the welding shop!”
Remember, when you have your data in “the cloud,” that just means it exists “on someone else’s computer.” Sometimes that’s fine. If you’re a private company looking to get speed to market on your product, that might be the way to go. But handing Uncle Sam’s military data to Chinese nationals and hoping for the best is simply insane.
Heads should roll.
(Hat tip: Director Blue.)
The best part is neither Microsoft nor any of the DoD personnel involved will suffer any financial loss or be punished in any way.
The DoD is spending taxpayer money on escorts: Why am I not surprised?
Wonder if this escort program taught the PLA and MSS how to conduct their novel zero day attacks on Microsoft SharePoint servers?
The problem is, those that were promoted in the DoD system over the last 40 years did not see China as an adversary, let alone a potential enemy combatant. In fact, they figured using them would enhance the chance for world peace or some such nonsense. They were a trading ‘partner’. And of course, many of those promoted were communist/marxist idiots who wanted communist success.
I don’t care if this is DoD or not. Anyone involved in information security should be wary of outsourcing anything to China. It is clear that China does not respect Intellectual Property rights. They are more than happy to copy other people’s work and then sell it as their own.
In this case, not only did they pass along data, Microsoft seems to have also asked China to develop the system, which is worse than giving them the keys to sensitive data and more like asking them to be the key makers for access to that data. Again, DoD or not, that’s dangerous. If this was any other company, I think the fallout from this would end it.
On the aspect that it does involve DoD; yeah, somebody was asleep at the wheel in not tracking that this was happening. You can’t just give contracts to US suppliers and let it go. When I worked at NASA, we could tell you the quarry that was the source rock for materials that went into equipment. This was because of the Shuttle Program’s history as a DoD project along with the critical aspects of material properties for such a project. My point here is the government used to care about all aspects of the supply chain from source to integration. With such a large bureaucracy, this should happen more often, not less. Alas, we live in the age of unaccountability, particularly amongst government bureaucrats.
Chinese escorts? Feng-Feng, is that you?
Microsoft, 22 July:
‘Disrupting active exploitation of on-premises SharePoint vulnerabilities’
“….As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing….”