Concerns Over Microsoft’s Access to Sensitive DOD Systems

Microsoft has been managing some of the US Department of Defense’s (DOD) most sensitive cloud computing systems for years, raising concerns about potential vulnerabilities to hacking, according to a recent study from Propublica.

Due to US laws restricting foreign access to federal systems handling sensitive data, Microsoft has been working with American “digital escorts.” This approach, not widely known within the federal government, has alarmed national security and cybersecurity experts because it allows engineers access to sensitive data with minimal oversight. This setup may leave critical systems exposed to Chinese cyber espionage.

The system has reportedly been operational for over a decade. As noted in a February 2024 report from the Director of the National Intelligence Bureau, China stands as America’s primary cybersecurity threat, affecting both government and private sectors.

This arrangement handles “high impact level” information, including data vital for life and financial security. Any loss of confidentiality, integrity, or availability could lead to devastating consequences. Essentially, the escorts function as intermediaries—copying and pasting commands from foreign engineers into systems associated with the Pentagon.

A Microsoft contractor, who spoke to Propublica on the condition of anonymity, commented, “We believe what they’re doing is unmalicious, but we can’t really know.” The contractor observed that non-technical individuals are being directed by foreign engineers, who can install updates or grant outsiders access to the network.

Harry Coker, a former senior CIA official, expressed concerns, stating that if he were an operative, he’d view this as a significant access point and would be quite worried about it.

Over the years, various individuals have alerted Microsoft to the potential risks. Despite the presence of escorts with security clearance, Propublica found that foreign engineers have access to sensitive cloud details that could be exploited by hackers.

“If someone runs a script called ‘fix_servers.sh’ but actually engages in malicious activities…” noted a former Microsoft engineer familiar with the escort system.

In response, Microsoft stated that HR and contractors have been audited by the US government, asserting that the Chinese engineer “cannot directly access customer data or customer systems.”

The company outlined its commitment to future security measures, intending to implement a platform-level mitigation layer with security and monitoring controls. This will ensure that anyone accessing a production system, no matter their location or role, can be monitored for potential risks. The new approach includes an approval workflow for system changes and automated code reviews to identify vulnerabilities quickly.

Many of these escorts are reportedly former military personnel earning $18 an hour and often lack the technical expertise to detect malicious actions.

Microsoft currently employs around 50 escorts, each partaking in numerous interactions with engineers based in China, entering commands into federal systems. In 2023, Chinese hackers gained access to emails from the US Department of Commerce and the Chinese Ambassador, raising alarm over vulnerabilities in Microsoft’s security.

One significant insight came from John Sherman, the former chief information officer at DOD, who indicated, “You probably knew about this.” Additionally, Chinese law permits the Communist Party to gather data from businesses and individuals, complicating the resistance efforts of Chinese citizens against such requests.

Jeremy Daum, a senior researcher at the Paul Tsai China Centre at Yale Law School, emphasized how challenging it is for Chinese entities to refuse direct requests from security forces or law enforcement.

The Pentagon has not commented on the issues raised.