Microsoft Failed to Disclose Use of China-Based Engineers in U.S. Defense Work
12 days ago
- #Microsoft
- #Defense Department
- #Cybersecurity
- Microsoft omitted key details in its 2025 security plan submitted to the U.S. Defense Department, including its use of China-based employees for sensitive systems.
- Microsoft's security plan did not disclose that non-U.S. citizens in foreign countries, including China, were involved in maintaining Defense Department cloud systems under 'digital escort' supervision.
- The Pentagon is investigating the use of foreign personnel by IT contractors after ProPublica exposed Microsoft's practices, raising concerns about security risks.
- Microsoft's security plan failed to mention that 'digital escorts' could be contractors, not employees, and often lacked technical expertise to oversee foreign engineers.
- Experts warn that allowing China-based personnel to work on U.S. government systems poses significant security risks due to China's broad data collection laws.
- Microsoft has since stopped using China-based engineers for Defense Department cloud systems but defended the 'digital escort' practice as tightly monitored.
- The Defense Department's approval process for cloud security plans relies on third-party assessors like Kratos, which critics say creates conflicts of interest.
- Sen. Tom Cotton called for stronger oversight of contractors, citing the 'digital escort' practice as unwise and outrageous.
- The FedRAMP process, used to evaluate cloud service providers, faces criticism for allowing companies to pay their own auditors, raising impartiality concerns.
- The Defense Department's investigation into foreign personnel use by tech companies is complete, but potential actions remain undisclosed.