Pentagon Ends Microsoft's Use Of China-based Support Staff For DoD Cloud
The Pentagon has formally kiboshed Microsoft's use of China-based employees to support Azure cloud services deployed by US government agencies, and it's demanding Microsoft do more of its own digging to determine whether any sensitive data was compromised.
Defense secretary Pete Hegseth announced the change in policy Thursday. He said that even though Microsoft designed its policy of using staff based behind the Great Firewall to comply with government contracting rules, it was still an unacceptable risk.
"It blows my mind that I'm even saying these things … [and] that we ever allowed it to happen," Hegseth said of the so-called "digital escorts program."
ProPublica first reported in July that Microsoft was using engineers based in China to support the DoD's Azure use. Those engineers were being remotely supervised by US "escorts," whom Microsoft said are all US citizens with government security clearances. Hegseth said he intended to investigate the matter last month, and yesterday's notice was the first outcome to come from that work.
As is likely obvious to anyone except Microsoft, allowing China-based developers to support operations on sensitive government systems is fraught with risk. According to ProPublica, none of the other major cloud providers it spoke to admitted to doing anything similar.
"If you're thinking America first, and common sense, this doesn't pass either of those tests," Hegseth said.
While developers working from China are no longer supporting DoD systems, according to both Hegseth and Microsoft itself, the investigation is not over.
The DoD said that it sent a "formal letter of concern" to Microsoft over the incident and is "requiring a third-party audit of the digital escorts program to pore over the code and submissions made by Chinese nationals." Hegseth has also tasked the DoD with investigating whether any of the employees "negatively impacted the coding of DoD cloud systems," and the DoD is now requiring that all software vendors identify and end any involvement from devs in China with DoD cloud systems. A timeline for those investigations wasn't provided.
How many more straws can this camel handle?
Microsoft has been caught being sloppy on security with government agencies before.
Readers may recall when China broke into the Commerce and State Departments' Exchange Online instances in 2023, or when attackers exploited a SharePoint vulnerability to hit an unnamed "major western government" in July.
Former senior White House cyber policy director AJ Grotto told us last year that he considers Microsoft to be a national security threat. He's not alone, either, with former White House cyber and counter terrorism advisor Roger Cressey also expressing incredulity at the fact Redmond's been allowed to continue rolling in government cash (even Pentagon money) despite its repeat failures.
"The Chinese are so well prepared and positioned on Microsoft products that in the event of hostilities, we know for a fact that Chinese actors will target our critical infrastructure through Microsoft," Cressey told The Register in an interview earlier this month.
"This is the latest episode of a decades-long process of Microsoft not taking security seriously. Full stop," Cressey added, referring to yet another Exchange vulnerability it revealed in early August.
We also feel it important to point out that Microsoft's statement on the digital escorts program only mentions ending China-based engineer support for "DoD Government cloud and related services," with no mention of it ending the practice at other government agencies. Microsoft's statement to us didn't clarify matters.
"Microsoft has terminated the use of any China-based engineering teams for DoD cloud systems and we will continue to collaborate with the US Government to ensure we are meeting their expectations," a company spokesperson told The Register in an emailed statement. "We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed."
Whether the government has actually learned its lesson this time is unclear. Microsoft hasn't suffered much for its previous security failings, some of which included the actual theft of sensitive data.
We reached out to the DoD and White House to see if this has finally made it reconsider giving Microsoft such a high level of control over federal government IT, but neither responded by publication time. ®