Microsoft said it will cease using China-based computer engineering teams for work on Pentagon cloud systems and other classified systems after an investigation this week led to national security concerns at the highest levels over a program that Microsoft has used since 2016.
A ProPublica report released Tuesday accused Microsoft of allowing China-based engineers to assist with Pentagon cloud systems with inadequate guardrails in an effort to scale up its government contracting business.
The report got the attention of GOP lawmakers and the Trump administration, with Defense Secretary Pete Hegseth insisting Friday that foreign engineers from ‘any country … should NEVER be allowed to maintain or access DOD systems.’ He added that the Defense Department would be ‘looking into this ASAP.’
After Hegseth’s indication that the Pentagon would be looking into the matter, Fox News Digital reached out to Microsoft, which responded that it would be ceasing its use of China-based computer engineers providing assistance to sensitive Defense Department cloud ‘and related’ services.
‘In response to concerns raised earlier this week about U.S.-supervised foreign engineers, Microsoft has made changes to our support for U.S. government customers to assure that no China-based engineering teams are providing technical assistance for DOD government cloud and related services,’ Frank Shaw, chief communications officer at Microsoft, said.
‘We remain committed to providing the most secure services possible to the U.S. government, including working with our national security partners to evaluate and adjust our security protocols as needed.’
The ProPublica report released earlier this week, which spurred Microsoft’s action, cited current and former employees and government contractors who worked on a cloud computing program deployed by Microsoft in 2016. The program, meant to meet federal contracting regulations, used a system of ‘digital escort’ chaperones for global cybersecurity officials, such as those based in China, meant to create a security buffer so that they can work on agency computing systems. DOD guidelines require that people handling sensitive data be U.S. citizens or permanent residents.
According to sources who spoke to ProPublica, including some who had intimate familiarity with the hiring process for the $18-per-hour ‘digital escort’ positions, the tech employees being hired to do the supervising lacked the adequate tech expertise to prevent a rogue Chinese employee from hacking the system or turning over classified information to the CCP.
The sources elaborated that the escorts, often former military personnel, were hired for their security clearances more than their technical abilities and often lacked the skills to evaluate code being used by the engineers they were supervising.
Microsoft used its escort system to handle sensitive government information that falls below ‘classified,’ the ProPublica report indicated. That includes ‘data that involves the protection of life and financial ruin.’ At the Defense Department, the data is categorized as ‘Impact Level’ four and five, which ProPublica reported includes materials directly supporting military operations.
People in China are governed by sweeping laws compelling government cooperation with data collection efforts.
Before Microsoft’s announcement Friday that it would be ceasing its use of China-based engineers for sensitive Defense Department programs, the company defended its ‘digital escort’ program, noting all personnel and contractors with privileged access must pass federally approved background checks. The company also pointed to a response from the Defense Information Systems Agency, which said that ‘digital escorts’ are used ‘in select unclassified environments.’
‘For some technical requests, Microsoft engages our team of global subject-matter experts to provide support through authorized U.S. personnel, consistent with U.S. government requirements and processes,’ a company spokesperson told Fox News Digital Tuesday. ‘In these instances, global support personnel have no direct access to customer data or customer systems.’
The spokesperson added at the time that Microsoft adheres to the federal security requirements outlined by the Defense Department and the Federal Risk and Authorization Management Program established in 2011 to address the risks associated with moving from entirely government-controlled servers to cloud-based computing.
‘We establish layers of mitigation at the platform level with security and monitoring controls to detect and prevent threats. This includes approval workflows for system changes and automated code reviews to quickly detect and prevent the introduction of vulnerabilities,’ the spokesperson said. ‘This production system support model is approved and regularly audited by the U.S. government.’
Fox News Digital reached out to the Pentagon to inquire whether Microsoft’s action changes its planned investigation but did not receive a response by publication time.