ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published.
For nearly a decade, Microsoft has used engineers in China to help maintain highly sensitive Defense Department computer systems. ProPublica’s investigation reveals how a model that relies on “digital escorts” to oversee foreign tech support could leave some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary.
Here are the key takeaways from that report:
Only U.S. citizens with security clearances are permitted to access the Defense Department’s most sensitive data.
Since 2011, cloud computing companies that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite “access authorizations” and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents.
This presented an issue for Microsoft, which relies on a vast global workforce with significant operations in India, China and the European Union.
A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
Microsoft established its low-profile “digital escort” program to get around this prohibition.
Microsoft’s foreign workforce is not permitted to access sensitive cloud systems directly, so the tech giant hired U.S.-based “digital escorts,” who had security clearances that authorized them to access sensitive information, to take direction from the overseas experts. The engineers might briefly describe the job to be completed — for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then the escort copies and pastes the engineer’s commands into the federal cloud.
The problem, ProPublica found, is that digital escorts don’t necessarily have the advanced technical expertise needed to spot problems.
“We’re trusting that what they’re doing isn’t malicious, but we really can’t tell,” said one current escort.
The escorts handle data that, if leaked, would have “catastrophic” effects.
Microsoft uses the escort system to handle the government’s most sensitive information that falls below “classified.” According to the government, this includes “data that involves the protection of life and financial ruin.” The “loss of confidentiality, integrity, or availability” of this information “could be expected to have a severe or catastrophic adverse effect” on operations, assets and individuals, the government has said.
Defense Department data in this category includes materials that directly support military operations.
The program could expose Pentagon data to cyberattacks.
Because the U.S.-based escorts are taking direction from foreign engineers, including those based in China, the nation’s greatest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Department’s computer systems.
A former Microsoft engineer who worked on the system acknowledged this possibility. “If someone ran a script called ‘fix_servers.sh’ but it actually did something malicious, then [escorts] would have no idea,” the engineer, Matthew Erickson, told ProPublica.
Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems. “Because these controls are stringent, residual risk is minimal,” Nair said.
Digital escorts present a natural opportunity for spies, experts say.
“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence colleagues “would love to have had access like that.”
Chinese laws allow government officials there to collect data “as long as they’re doing something that they’ve deemed legitimate,” said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft’s China-based tech support for the U.S. government presents an opening for Chinese espionage, “whether it be putting someone who’s already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information,” Daum said. “It would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.”
Microsoft says the program is government-approved.
In a statement, Microsoft said that its personnel and contractors operate in a manner “consistent with US Government requirements and processes.”
The company’s global workers “have no direct access to customer data or customer systems,” the statement said. Escorts “with the appropriate clearances and training provide direct support. These personnel are provided specific training on protecting sensitive data, preventing harm, and use of the specific commands/controls within the environment.”
Insight Global — a contractor that provides digital escorts to Microsoft — said it “evaluates the technical capabilities of each resource throughout the interview process to ensure they possess the technical skills required” for the job and provides training.
Microsoft says it disclosed details of the escort program to the government. Former Pentagon officials said they’d never heard of it.
Microsoft told ProPublica that it described the escort model in documents submitted to the government as part of cloud vendor authorization processes. Former defense and intelligence officials said in interviews that they had never heard of digital escorts. Even the Defense Department’s IT agency didn’t know about it until reached for comment by ProPublica.
“I probably should have known about this,” said John Sherman, who was chief information officer for the Defense Department during the Biden administration. He said the system is a major security risk for the department and called for a “thorough review by [the Defense Information Systems Agency], Cyber Command and other stakeholders that are involved in this.”
DISA said, “Experts under escort supervision have no direct, hands-on access to government systems; but rather offer guidance and recommendations to authorized administrators who perform tasks.”
There were warnings early on about the risks.
Multiple people raised concerns about the escort strategy over the years, including while it was still in development. A former Microsoft employee, who was involved in the company’s cybersecurity strategy, told an executive they opposed the concept, viewing it as too risky from a security perspective.
Around 2016, Microsoft engaged contacts from Lockheed Martin to hire escorts. The project manager says they told their counterpart at Microsoft they were concerned the escorts would not have the “right eyes” for the job given the relatively low pay.
Microsoft did not respond to questions about these points.
Other cloud providers wouldn’t say if they also use escorts.
It’s unclear whether other major cloud service providers to the federal government also use digital escorts in tech support. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.
