Sen. Shaheen Questions Pentagon on Cybersecurity Measures
On Monday, Sen. Jeanne Shaheen (D-N.H.) pressed the Pentagon for clarity regarding a contract issue, following reports that Microsoft employs engineers based in China to manage its agency computer systems.
As a prominent member of the Senate Foreign Affairs Committee, Shaheen addressed her concerns in a letter to Secretary of Defense Pete Hegseth. She highlighted the necessity for defense contractors to inform authorities when countries known for cyber threats request access to their source code.
This requirement, included in the National Defense Authorization Act of 2018, has seen no rules proposed by the Department of Defense until the previous November.
“It took PRC engineers six years to reach this initial phase,” Shaheen noted in her correspondence.
Propublica disclosed in mid-July that Microsoft relies on China-based engineers who supervise security clearances, labeled as “digital escorts,” for U.S. citizens overseeing the Department of Defense’s systems.
Sen. Tom Cotton (R-Ark.) also expressed concerns about this practice in his letter to Hegseth. He indicated that while these practices may meet technical security standards, digital escorts “often lack the necessary technical training or expertise to identify malicious code or suspicious activity.”
Following those revelations, Microsoft announced adjustments to ensure that its Chinese engineering team would not be involved in providing technical support for the Department of Defense’s cloud services.
Hegseth initiated a two-week evaluation across the Department of Defense to “ensure that what we’ve uncovered isn’t happening elsewhere.”
While Shaheen appreciated Microsoft’s decision to end its contractual arrangement, she raised significant issues regarding the Department of Defense’s enforcement of U.S. laws designed to oversee the procurement of information technology systems.
New Hampshire Democrats sought details on the timeline for the 2018 regulations’ implementation and questioned the delays in rule proposals. Shaheen demanded further information on Microsoft’s contract, steps to prevent similar risks in the future, and the extent of the two-week review.
“Given the cybersecurity risks stemming from PRC factors, the U.S. government should avoid exposing highly sensitive IT systems due to insufficient surveillance,” she cautioned.
