ProPublica is a nonprofit newsroom that investigates abuses of power.
For nearly a decade, Microsoft has been using Chinese engineers to maintain highly sensitive Defense Department computer systems. ProPublica’s investigation reveals how a model that relies on “digital escorts” to oversee foreign technical support leaves some of the country’s most sensitive data vulnerable to hacking by its major cyber adversaries.
Here are some key points from that report:
Only US citizens with security clearances have access to the Department of Defense’s most sensitive data.
Since 2011, cloud computing companies that want to sell services to the US government have had to establish how they will ensure that personnel handling federal data have the required “permissions” and background screening. Additionally, the Department of Defense requires that those who process sensitive data be US citizens or permanent residents.
This presented a problem for Microsoft, which relies on a vast global workforce with major operations in India, China and the European Union.
Lesser-known Microsoft programs could expose the Department of Defense to Chinese hackers
To get around this ban, Microsoft established a low-profile “digital escort” program.
Because Microsoft’s foreign workforce is not allowed to directly access sensitive cloud systems, the tech giant hired US-based “digital escorts” with security clearances that allow them to access sensitive information. The escorts take direction from the overseas experts. An engineer might briefly describe the job to be completed: for example, checking logs, updating a firewall, fixing a bug, installing an update or troubleshooting an issue. The escort then copies and pastes the engineer’s commands into the federal cloud.
The problem ProPublica found is that digital escorts do not necessarily have the sophisticated technical expertise needed to spot problems.
“We believe what they’re doing is unspoken, but we really don’t know,” one current escort said.
Escorts process data that has a “devastating” effect if leaked.
Microsoft uses the escort system to handle the government’s most sensitive information below the “classified” level. According to the government, this includes “data that includes life protection and financial ruin.” The “loss of confidentiality, integrity, or availability” of the information “is expected to have severe or catastrophic negative effects,” the government said.
Department of Defense data in this category includes material that directly supports military operations.
The program could expose Pentagon data to cyberattacks.
Because US-based escorts take direction from foreign engineers, including people based in China, the country’s biggest cyber adversary, they could unwittingly insert malicious code into Department of Defense computer systems.
A former Microsoft engineer who worked on the system acknowledged this possibility. “If someone runs a script called ‘fix_servers.sh’, but it actually does something malicious, then [escorts]” engineer Matthew Erickson told ProPublica.
Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said that various safeguards, including audit logs (a digital trail of system activity), can alert Microsoft or the government to potential issues. “These controls are strict so the residual risk is minimal,” Nair said.
Digital escorts bring natural opportunities for spies, experts say.
“If I were an operative, I would see it as an invaluable way of access, and I have to be very concerned about it,” said Harry Coker, a senior executive at the CIA and National Security Agency. Coker, who was also the national cyber director during the Biden administration, added that he and his former colleagues in the intelligence community “wanted such access.”
Chinese law allows government officials to collect data “as long as they do what they think is justifiable.” Microsoft’s China-based technical support for the US government presents an opening for Chinese espionage, whether by placing an intelligence agent in one of those jobs or by approaching someone already doing the work to ask for information. “It’s difficult for Chinese citizens and companies to meaningfully resist direct requests from security forces or law enforcement.”
Microsoft says the program is government approved.
In a statement, Microsoft said its personnel and contractors operate in a way that “aligns with the requirements and processes of the US government.”
The company’s global workers “have no direct access to customer data or customer systems,” the statement said. The escorts “provided direct support with proper clearance and training. These personnel will be provided with specific training in protecting sensitive data, preventing harm, and using specific commands/controls within the environment.”
Insight Global, a contractor that provides digital escorts to Microsoft, said that it provides training and that “we will assess the technical capabilities of each resource throughout the interview process to ensure that the technical skills required are ensured.”
Microsoft says it disclosed details about its escort program to the government. Former defense officials said they had never heard of it.
Microsoft told ProPublica that it described the escort model in documents submitted to the government as part of the cloud vendor authorization process. Former defense and intelligence officials said in interviews that they had never heard of digital escorts. Even the Department of Defense’s IT agency did not know about the program until ProPublica reached out for comment.
“We probably should have known about this,” said John Sherman, chief information officer at the Department of Defense during the Biden administration. He said the system is a major security risk for the department and called for a “full review by [the Defense Information Systems Agency], Cyber Command and other stakeholders involved in this.”
DISA states, “While experts based on escort supervision do not have direct access to the government system, they provide guidance and recommendations to authorized administrators who perform the task.”
There was an early warning about the risks.
Several people raised concerns about the escort strategy over the years, including while it was still under development. A former Microsoft employee involved in the company’s cybersecurity strategy told an executive that he opposed the concept and viewed it as too dangerous from a security standpoint.
Around 2016, Microsoft hired escorts through a contract with Lockheed Martin. The project manager told his counterpart at Microsoft that he was concerned the escorts would not have the “right eye” for the job, given their relatively low wages.
Microsoft did not respond to questions about these points.
Other cloud providers would not say whether they use escorts either.
It is unclear whether other major federal cloud service providers also use digital escorts for technical support. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.