\n<\/p>\n
ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they\u2019re published.<\/p>\n
For nearly a decade, Microsoft has used engineers in China to help maintain highly sensitive Defense Department computer systems. ProPublica\u2019s investigation reveals how a model that relies on \u201cdigital escorts\u201d to oversee foreign tech support could leave some of the nation\u2019s most sensitive data vulnerable to hacking from its leading cyber adversary.<\/p>\n
Here are the key takeaways from that report:<\/p>\n
Since 2011, cloud computing companies that wanted to sell their services to the U.S. government had to establish how they would ensure that personnel working with federal data would have the requisite \u201caccess authorizations\u201d and background screenings. Additionally, the Defense Department requires that people handling sensitive data be U.S. citizens or permanent residents.<\/p>\n
This presented an issue for Microsoft, which relies on a vast global workforce with significant operations in India, China and the European Union.<\/p>\n
\n A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers<\/strong>\n <\/p>\n Microsoft\u2019s foreign workforce is not permitted to access sensitive cloud systems directly, so the tech giant hired U.S.-based \u201cdigital escorts,\u201d who had security clearances that authorized them to access sensitive information, to take direction from the overseas experts. The engineers might briefly describe the job to be completed \u2014 for instance, updating a firewall, installing an update to fix a bug or reviewing logs to troubleshoot a problem. Then the escort copies and pastes the engineer\u2019s commands into the federal cloud.<\/p>\n The problem, ProPublica found, is that digital escorts don\u2019t necessarily have the advanced technical expertise needed to spot problems.<\/p>\n \u201cWe\u2019re trusting that what they\u2019re doing isn\u2019t malicious, but we really can\u2019t tell,\u201d said one current escort.<\/p>\n Microsoft uses the escort system to handle the government\u2019s most sensitive information that falls below \u201cclassified.\u201d According to the government, this includes \u201cdata that involves the protection of life and financial ruin.\u201d The \u201closs of confidentiality, integrity, or availability\u201d of this information \u201ccould be expected to have a severe or catastrophic adverse effect\u201d on operations, assets and individuals, the government has said.<\/p>\n Defense Department data in this category includes materials that directly support military operations.<\/p>\n Because the U.S.-based escorts are taking direction from foreign engineers, including those based in China, the nation\u2019s greatest cyber adversary, it is possible that an escort could unwittingly insert malicious code into the Defense Department\u2019s computer systems.<\/p>\n A former Microsoft engineer who worked on the system acknowledged this possibility. \u201cIf someone ran a script called \u2018fix_servers.sh\u2019 but it actually did something malicious, then [escorts] would have no idea,\u201d the engineer, Matthew Erickson, told ProPublica.<\/p>\n Pradeep Nair, a former Microsoft vice president who said he helped develop the concept from the start, said a variety of safeguards including audit logs, the digital trail of system activity, could alert Microsoft or the government to potential problems. \u201cBecause these controls are stringent, residual risk is minimal,\u201d Nair said.<\/p>\n \u201cIf I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,\u201d said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence colleagues \u201cwould love to have had access like that.\u201d<\/p>\n Chinese laws allow government officials there to collect data \u201cas long as they\u2019re doing something that they\u2019ve deemed legitimate,\u201d said Jeremy Daum, senior research fellow at the Paul Tsai China Center at Yale Law School. Microsoft\u2019s China-based tech support for the U.S. government presents an opening for Chinese espionage, \u201cwhether it be putting someone who\u2019s already an intelligence professional into one of those jobs, or going to the people who are in the jobs and pumping them for information,\u201d Daum said. \u201cIt would be difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.\u201d<\/p>\n In a statement, Microsoft said that its personnel and contractors operate in a manner \u201cconsistent with US Government requirements and processes.\u201d<\/p>\n The company\u2019s global workers \u201chave no direct access to customer data or customer systems,\u201d the statement said. Escorts \u201cwith the appropriate clearances and training provide direct support. These personnel are provided specific training on protecting sensitive data, preventing harm, and use of the specific commands\/controls within the environment.\u201d<\/p>\n Insight Global \u2014 a contractor that provides digital escorts to Microsoft \u2014 said it \u201cevaluates the technical capabilities of each resource throughout the interview process to ensure they possess the technical skills required\u201d for the job and provides training.<\/p>\n Microsoft told ProPublica that it described the escort model in documents submitted to the government as part of cloud vendor authorization processes. Former defense and intelligence officials said in interviews that they had never heard of digital escorts. Even the Defense Department\u2019s IT agency didn\u2019t know about it until reached for comment by ProPublica.<\/p>\n \u201cI probably should have known about this,\u201d said John Sherman, who was chief information officer for the Defense Department during the Biden administration. He said the system is a major security risk for the department and called for a \u201cthorough review by [the Defense Information Systems Agency], Cyber Command and other stakeholders that are involved in this.\u201d<\/p>\n DISA said, \u201cExperts under escort supervision have no direct, hands-on access to government systems; but rather offer guidance and recommendations to authorized administrators who perform tasks.\u201d<\/p>\n Multiple people raised concerns about the escort strategy over the years, including while it was still in development. A former Microsoft employee, who was involved in the company\u2019s cybersecurity strategy, told an executive they opposed the concept, viewing it as too risky from a security perspective.<\/p>\n Around 2016, Microsoft engaged contacts from Lockheed Martin to hire escorts. The project manager says they told their counterpart at Microsoft they were concerned the escorts would not have the \u201cright eyes\u201d for the job given the relatively low pay.<\/p>\n Microsoft did not respond to questions about these points.<\/p>\n It\u2019s unclear whether other major cloud service providers to the federal government also use digital escorts in tech support. Amazon Web Services and Google Cloud declined to comment on the record for this article. Oracle did not respond to requests for comment.<\/p>\n","protected":false},"excerpt":{"rendered":" ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they\u2019re published. For nearly a decade, Microsoft has used engineers in China to help maintain highly sensitive Defense Department computer systems. ProPublica\u2019s investigation reveals how a model that relies on \u201cdigital escorts\u201d to oversee foreign<\/p>\n","protected":false},"author":1,"featured_media":11003,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[247],"class_list":{"0":"post-11002","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-social-issues","8":"tag-propublica"},"_links":{"self":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/11002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11002"}],"version-history":[{"count":0,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/11002\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/media\/11003"}],"wp:attachment":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n Microsoft established its low-profile \u201cdigital escort\u201d program to get around this prohibition.
\n<\/h3>\n\n The escorts handle data that, if leaked, would have \u201ccatastrophic\u201d effects.
\n<\/h3>\n\n The program could expose Pentagon data to cyberattacks.
\n<\/h3>\n\n Digital escorts present a natural opportunity for spies, experts say.
\n<\/h3>\n\n Microsoft says the program is government-approved.
\n<\/h3>\n\n Microsoft says it disclosed details of the escort program to the government. Former Pentagon officials said they\u2019d never heard of it.
\n<\/h3>\n\n There were warnings early on about the risks.
\n<\/h3>\n\n Other cloud providers wouldn\u2019t say if they also use escorts.
\n<\/h3>\n