It’s hard to remember a time in technology when Microsoft wasn’t reviled. 1987? Most people seemed to think that Word 3.0 was pretty solid. But even then, it was widely believed in many sectors of the hacking community that MS-DOS had at least partially ripped off Gary Kildall’s CP/M operating system. But even for Microsoft, outsourcing Department of Defense work to Communist China is a new low.
Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.
How could anyone, anywhere at Microsoft or DoD think this is a good idea?
The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.
Why was the arrangement “critical” to Microsoft winning the contract? Because they work cheaper than Americans? “We hire Chinese spies and pass the savings on to you!”
Americans overseeing the work isn’t a “barrier” to anything, since the Americans are presumably several thousand miles. If the Chinese backup American data to thumb drives and ship them off to Beijing in a big red box labeled STOLEN AMERICAN SECRETS, how are these “digital escorts” supposed to know?
But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort who agreed to speak on condition of anonymity, fearing professional repercussions.
“We’re just letting the foxes run the hen house and hoping for the best.”
The system has been in place for nearly a decade, though its existence is being reported publicly here for the first time.
Microsoft told ProPublica that it has disclosed details about the escort model to the federal government. But former government officials said in interviews that they had never heard of digital escorts. The program appears to be so low-profile that even the Defense Department’s IT agency had difficulty finding someone familiar with it. “Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.
Oh, that’s great. Microsoft outsourced DoD work to China and nobody knows anything about it.
National security and cybersecurity experts contacted by ProPublica were also surprised to learn that such an arrangement was in place, especially at a time when the U.S. intelligence community and leading members of Congress and the Trump administration view China’s digital prowess as a top threat to the country.
The Office of the Director of National Intelligence has called China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” One of the most prominent examples of that threat came in 2023, when Chinese hackers infiltrated the cloud-based mailboxes of senior U.S. government officials, stealing data and emails from the commerce secretary, the U.S. ambassador to China and others working on national security matters. The intruders downloaded about 60,000 emails from the State Department alone.
Snip.
Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this “high impact level” category includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said. In the Defense Department, the data is categorized as “Impact Level” 4 and 5 and includes materials that directly support military operations.
“Hey, let’s ask our outsourced experts in Guangdong if we have enough missiles in place to defend Taiwan!”
WHY. THE. FUCK. WAS. THIS. OUTSOURCED????
John Sherman, who was chief information officer for the Department of Defense during the Biden administration, said he was surprised and concerned to learn of ProPublica’s findings. “I probably should have known about this,” he said. He told the news organization that the situation warrants a “thorough review by DISA, Cyber Command and other stakeholders that are involved in this.”’
Asleep at the switch all the way down.
In an emailed statement, the Defense Information Systems Agency said that cloud service providers “are required to establish and maintain controls for vetting and using qualified specialists,” but the agency did not respond to ProPublica’s questions regarding the digital escorts’ qualifications.
There’s a lot more details about the “escort” system, but potential flaws in the system are way beside the point of the central fact that Chinese nationals should never have access to to any Department of Defense system or data. Anywhere. Ever. Not even to maintain the website for the Pentagon cafeteria.
“No, really, we’ve got a great system for storing fireworks in the welding shop!”
Remember, when you have your data in “the cloud,” that just means it exists “on someone else’s computer.” Sometimes that’s fine. If you’re a private company looking to get speed to market on your product, that might be the way to go. But handing Uncle Sam’s military data to Chinese nationals and hoping for the best is simply insane.
Heads should roll.
(Hat tip: Director Blue.)