“Literally no one seems to know anything about this” — Microsoft used China-based engineers to maintain DoD systems with high impact data

Microsoft used engineers in China to maintain computer systems of the United States Defense Department for almost 10 years. Those engineers were overseen by "digital escorts," but even some government officials were unaware of the practice.

Several of those who were aware of the use of digital escorts warned the government about the potential threat caused by the system. A contributing factor to the risks was the fact that the digital escorts often did not have the technical expertise required to perform their role.

The information was shared by Pro Publica. The outlet spoke to several people involved with the system, a former chief information officer for the Department of Defense, and a former senior executive of the CIA and NSA.

Digital escorts are used by Microsoft when handling sensitive information for the United States government. Specifically, the system is in place for "high impact level" data, which falls below "classified."

"High Impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals," explains the federal government.

"FedRAMP introduced their High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin."

Despite the sensitive nature of the data, the digital escorts lacked the technical expertise needed, such as coding experience. ProPublica discovered that many of the escorts were paid "barely more than minimum wage" and were often less qualified than the engineers they oversaw.

"We’re trusting that what they’re doing isn’t malicious, but we really can’t tell," said one escort that spoke anonymously to Pro Publica.

Who knew about digital escorts?

Despite being in place for almost a decade, the digital escort program was largely unknown, even within government agencies. ProPublica's piece is the first public discussion of the topic, according to the outlet.

Even some high-ranking officials within the government were unaware of the use of digital escorts. "I probably should have known about this," said John Sherman, former chief information officer for the Department of Defense.

Microsoft stated to Pro Publica that the company disclosed the escort system to the federal government, but several officials told the outlet that they had not heard of the system.

“Literally no one seems to know anything about this, so I don’t know where to go from here,” said Deven King, spokesperson for the Defense Information Systems Agency.

China and Chinese-based companies are considered a cyber threat to the United States government by The Office of the Director of National Intelligence.

A cybersecurity advisory panel commissioned by President Biden in 2023 investigated Microsoft after a Chinese hacker group breached Microsoft email accounts belonging to two dozen government agencies.

Concerns regarding China and Chinese-based organizations have wide-ranging effects, extending from government policy to the potential sale of TikTok.

Microsoft confirms use of digital escorts

Microsoft Chief Communications Officer Frank Shaw confirmed the use of digital escorts and announced changes to how the company offers support to the United States government in a post on X.

"In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.

We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed."

In a separate statement to Pro Publica, a Microsoft spokesperson stated the company operated in a way "consistent with US Government requirements and processes."

Shaw explained that Microsoft will no longer use China-based engineering teams to provide technical assistance for the Department of Defense cloud and related services.