What happened
The Department of Defense has stepped up cybersecurity requirements for high-tech companies selling cloud computing services to the Pentagon.
An update issued this month prohibits vendors from using China-based personnel to work on the department’s computer systems and requires them to maintain a digital paper trail of maintenance performed by foreign engineers.
Background
The change follows a ProPublica investigation that revealed how Microsoft had used China-based engineers to maintain government computer systems for nearly a decade.
US supervisors known as “digital escorts” were supposed to serve as a check on these foreign employees, but often lacked the expertise needed to effectively oversee engineers with far more advanced technical skills.
What they said
The Department of Defense now states in its “Security Requirements Guide” that only “people in non-reciprocal countries” can work on cloud systems, and that escorts who oversee those foreign workers must be “technically qualified in the code/system or technology that provides technical access.”
Additionally, cloud providers must maintain detailed audit logs, which are digital trails of actions on computer systems. The logs must record details of the commands executed and the settings changed, including the country of origin: “Escort and escort identification must be included.”
Why is it important?
Until our report, top Pentagon officials said they were unaware of Microsoft’s digital escort system. He said it was developed to address the Defense Department’s requirement that people handling sensitive data be US citizens or permanent residents.
Cybersecurity and intelligence experts told ProPublica that the arrangement poses a major risk to national security, given that Chinese law grants the country’s officials broad authority to collect data. Key members of Congress have called on the Department of Defense to tighten security requirements while blasting Microsoft for what some Republicans called “people betrayal.”
The Pentagon is currently conducting a survey of its digital escort program, focusing on Microsoft’s China-based engineers.
Response
Following a report from ProPublica, Microsoft announced in July that it would halt the use of China-based engineers for its defense cloud systems. In a statement for this article, the spokesman said the company is committed to implementing the department’s new requirements.
“Our commitment to national security is the basis and we continue to focus on providing the safest service possible to the US government,” the spokesman said. “We have recently implemented changes to our departmental support model and will continue to work with our national security partners to evaluate and coordinate security protocols in light of the new directive.”
Doris Burke contributed research.