Microsoft: Chinese technicians looked after the US Department of Defense cloud
Technicians from China took care of the Department of Defense's cloud on behalf of Microsoft. After this came to light, the provider had to rebuild.
Microsoft has been providing the Azure-based cloud infrastructure for the US Department of Defense (DoD) for around a decade. An investigation by the US organization ProPublica has now revealed that the company was probably grossly negligent in its handling of highly sensitive government data: It also left the maintenance of the infrastructure to technicians from non-US countries – including China. Their work was apparently only superficially monitored remotely – by so-called "digital escorts", US citizens with the appropriate security clearance.
Acute danger averted...
It is not yet known whether data was spied on in the process or whether damage was caused by malicious code being introduced. The scale of the incident, i.e. the number of Chinese IT specialists involved, also remains unclear.
ProPublica's findings were initially confirmed indirectly by a Microsoft spokesperson last Friday: On X, Frank X. Shaw gave assurances that the company had stopped the involvement of Chinese developers in the support of the DoD government cloud and "related services". He cited "concerns" that had arisen regarding the involvement of foreign IT specialists as the reason for the stop.
Further confirmation in much more drastic terms followed shortly afterwards from US Secretary of Defense Pete Hegseth on X. He spoke of "cheap Chinese labor", the use of which was "obviously unacceptable" and which represented a potential vulnerability in the DoD computer systems. With immediate effect, China is no longer involved in the operation of the DoD cloud and an investigation has been launched.
In his short speech, Hegseth also held the Obama administration partly responsible, as it had negotiated the original cloud deal. He did not mention Microsoft by name; instead, he spoke more generally about "some tech companies". According to ProPublica, it is not known whether other cloud providers working for the US government, such as Amazon Web Services or Google Cloud, also rely on digital escorts. They declined to comment when asked.
... Basic problem misjudged
This raises the question of how such gross security blunders can occur in the first place. The Federal Risk and Authorization Management Program (FedRAMP for short) actually sets out specific requirements. Among other things, it states that deployed servers must be administered and maintained by qualified personnel, and that these personnel must also hold a security clearance to ensure that processed, potentially sensitive data does not fall into the wrong hands. This clearance is limited to US citizens.
In order to obtain the lucrative government projects despite the lack of FedRAMP-compliant personnel, Microsoft has apparently creatively reinterpreted these requirements: Foreign IT workers did the actual work, while "DoD Secret Cleared Escorts" remotely handled clearance. The workflow according to ProPublica: The responsible technician roughly explains what work needs to be carried out – such as a firewall update or a bug fix – and the escort, as the executing party, copies and pastes the specified commands. The escorts are also supposed to check the commands – but in many cases this is likely to be far beyond their technical skills, explains ProPublica.
A job advertisement for a "DoD Secret Cleared Escort" shows that escorts do not need to be very technically adept: "Proven knowledge in the administration of Windows servers, domain servers, supporting desktops, desktop applications and Active Directory" is listed there merely as a dispensable "nice to have" skill. The responsible foreign technicians are often vastly superior to their digital escorts in terms of technical expertise; in practice, the escorts are, for example, former military personnel with security clearance but no special technical expertise and minimum wages. "We trust that what they do is not malicious, but we can't say for sure," the platform quotes an escort it interviewed.
The sticking point: China
It is not yet clear how many such tandems of escorts and foreign technicians Microsoft employs and which countries the technicians come from. It is also unclear how high the proportion of Chinese IT workers is; not even an order of magnitude is known. However, the discussion has so far been sparked only by the Chinese technicians, and it is apparently only the Chinese technicians whom Hegseth and Shaw want to remove. In an open letter to the US Department of Defense, US Senator Tom Cotton has now requested more specific information on the concrete scope of this problem. Whether this information will be provided and then made public is another matter.
(ovw)