ProPublica is a nonprofit newsroom that investigates abuses of power.
Last week, Microsoft announced that it would no longer use China-based engineering teams to support the Department of Defense’s cloud computing systems, following a ProPublica investigation into the practice in which cybersecurity experts said it could expose the government to hacking and espionage.
But it turns out that the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has used its global workforce, including China-based personnel, to maintain cloud systems for other federal departments, including the Justice Department, the Treasury and parts of the Commerce Department.
This work takes place in what is known as the Government Community Cloud, or GCC, which is intended for unclassified but sensitive information. The Federal Risk and Authorization Management Program, the US government’s cloud accreditation body, has approved the GCC to handle information of “moderate” impact.
The Department of Justice’s antitrust division uses the GCC to support its criminal and civil investigation and litigation functions, according to a 2022 report. Parts of the Environmental Protection Agency and the Department of Education also use the GCC.
According to Microsoft, foreign engineers working on the GCC are overseen by US-based personnel known as “digital escorts,” an arrangement resembling the one used at the Department of Defense.
Nevertheless, cybersecurity experts told ProPublica that foreign support for the GCC creates opportunities for spying and sabotage. “There’s a misconception that if government data is not classified, it’s not harmful to distribute,” said Rex Booth, a former federal cybersecurity official who is now chief information security officer at the technology company SailPoint.
“Cloud services store so much data, and the power of AI to analyze it quickly can reveal insights that can harm US interests, even from unclassified data,” he said.
Harry Coker, a former senior executive at the CIA and the National Security Agency, said foreign intelligence agencies could use information “swim” from the GCC system to “swim” to the information collected there. “It’s an opportunity that I can’t imagine intelligence agencies aren’t pursuing,” he said.
The Director of National Intelligence has described China as “the most active and persistent cyber threat to the US government, the private sector and critical infrastructure networks.” Chinese law grants national security officials broad authority to collect data, and experts say it is difficult for Chinese citizens and companies to meaningfully resist direct requests from security or law enforcement agencies.
Microsoft declined an interview request for this story. In response to questions, the tech giant issued a statement suggesting it would discontinue the use of China-based support for the GCC, as it had recently done for the Department of Defense cloud systems.
“Last week, Microsoft took steps to enhance the security of DOD Government Cloud offerings. We are taking similar steps for all government customers who use the Government Community Cloud to further secure their data,” the statement said. A spokesperson declined to elaborate on what those steps were.
The company also said next month it will “conduct a review to assess whether additional measures are needed.”
The federal departments and agencies found to be using the GCC did not respond to requests for comment.
The latest revelation about Microsoft’s use of a China-based workforce to serve the US government, and the company’s rapid response, is likely to fuel a fast-moving controversy in Washington, where members of Congress and the Trump administration are questioning the tech giant’s cybersecurity practices and seeking to contain potential national security fallout. “Of course, foreign engineers should never be allowed to maintain or access the DOD system from any country, including China,” Defense Secretary Pete Hegseth wrote in an X post last Friday.
Last week, ProPublica revealed that Microsoft had for a decade relied on foreign workers, including people based in China, to maintain Department of Defense computer systems while being monitored by US-based digital escorts. However, these escorts often lack the advanced technical expertise needed to police the far more highly skilled foreign workers, leaving highly sensitive information vulnerable. In response to the report, Hegseth began a review of the practice.
ProPublica found that Microsoft devised the escort arrangement to satisfy Department of Defense officials who were concerned about the company’s foreign employees, given the department’s citizenship requirements for those handling sensitive data. Microsoft has since won federal cloud computing business and said in its earnings report that it will “receive significant revenue from government contracts.”
Microsoft said it would stop using China-based technical support for the Department of Defense but declined to say whether it would continue to use digital escorts elsewhere, including for cloud support performed by engineers based outside the US.
Microsoft confirmed to ProPublica this week that a similar escort arrangement is used for the GCC. “In an increasingly complex digital world, consumers of cloud products deserve to know how their data is handled and by whom,” Booth said. “The cybersecurity industry relies on clarity.”
Microsoft said it disclosed details of the GCC escort arrangement in a document filed with the federal government as part of the FedRAMP cloud certification process. The company declined to provide the document to ProPublica, citing the potential security risks of public disclosure, and also declined to say whether the location of China-based support personnel is specifically mentioned in it.
ProPublica contacted other major cloud service providers to the federal government and asked whether they use China-based support. A spokesperson for Amazon Web Services said in a statement that “AWS is not using Chinese personnel to support federal contracts.” A Google spokesperson said in a statement, “Google Public Sector does not have a digital escort program. Instead, its confidential systems are supported by fully trained personnel who meet the requirements for US government location, citizenship and security clearance.” Oracle said it “is not using China’s support for US federal customers.”