For nearly a decade, Microsoft has relied on engineers based in China to maintain computer systems for the U.S. Department of Defense. This practice was conducted under the supervision of what are referred to as “digital escorts,” and alarmingly, many government officials were completely unaware of this arrangement.
Several individuals familiar with the situation, including advisors to the Senate, expressed significant concerns about the security implications posed by this system. One key issue was that digital escorts typically didn’t have the necessary technical skills to effectively manage the complexities of the tasks they were overseeing.
A report from ProPublica detailed insights from multiple sources, including a former chief information officer of the DoD and high-level executives from the CIA and NSA.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t determine that,” shared an unnamed digital escort.
Microsoft’s digital escorts come into play when handling sensitive government data that is significant but not classified. This includes what is termed as “high impact level” data.
According to the federal government, “high impact data” often pertains to sectors like law enforcement, emergency services, financial systems, and healthcare. Unauthorized access or disruption of such information could potentially lead to dire outcomes for both organizations and individuals.
As pointed out, the FedRAMP program established a high baseline to safeguard the government’s vital unclassified information in cloud environments, highlighting the importance of maintaining strict security standards.
However, it has come to light that many of these digital escorts received pay that was only marginally above minimum wage, rendering them less qualified than the engineers they were responsible for supervising, which adds another layer to the potential for security risks.
An anonymous escort mentioned to ProPublica: “We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” emphasizing the unpredictability of the scenario.
Who Was Aware of the Digital Escort System?
This digital escort program had been largely hidden from view, even within government circles. As highlighted in ProPublica’s findings, this was the first public exposure of the topic.
High-ranking officials like John Sherman, who previously served as the chief information officer for the DoD, have admitted that they were unaware of the escorts’ involvement: “I probably should have been informed about this,” he noted.
While Microsoft claimed they informed the federal government about the escort system, many officials expressed that they had never heard of it until now.
“Literally no one seems to know anything about this, so I don’t know where to go from here,” stated Deven King, a spokesperson from the Defense Information Systems Agency.
According to The Office of the Director of National Intelligence, China and its enterprises pose significant cyber threats to the U.S. government.
In light of these concerns, a cybersecurity advisory panel formed by President Biden in 2023 launched an investigation into Microsoft after a notable breach involving a Chinese hacker group, which compromised email accounts from various government entities.
Wider implications of cybersecurity issues tied to China are influencing decisions not just within the government but the private sector as well, exemplified by debates over the potential repercussions of selling TikTok.
Microsoft Acknowledges the Digital Escort Scenario
Microsoft Chief Communications Officer Frank Shaw formally acknowledged this escort system and announced revisions to how Microsoft interacts with U.S. government clients in a post on X.
“In light of recent concerns regarding foreign engineers supervised from the U.S., we’ve made modifications to our support practices for U.S. government customers, ensuring that no China-based teams are providing technical aid for DoD-related cloud services,” he stated.
“We’re dedicated to offering the most secure services to the U.S. government and are collaborating with national security stakeholders to reassess and enhance our security protocols accordingly,” he noted subsequently.
In a further declaration to ProPublica, a spokesperson reaffirmed that Microsoft’s operational methods align with the requirements set by the U.S. government. Shaw highlighted that the company will no longer enlist engineers from China for support relating to Department of Defense cloud systems.
