Microsoft used China-based support for multiple US agencies


AllAfrica, 29-07-2025
This article was first published by ProPublica, a Pulitzer Prize-winning investigative newsroom.
Last week, Microsoft announced that it would no longer use China-based engineering teams to support the Defense Department's cloud computing systems, following ProPublica's investigation of the practice, which cybersecurity experts said could expose the government to hacking and espionage.
But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce, ProPublica has found.
This work has taken place in what's known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive.
The Federal Risk and Authorization Management Program, the US government's cloud accreditation organization, has approved GCC to handle 'moderate' impact information 'where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency's operations, assets, or individuals.'
The Justice Department's Antitrust Division has used GCC to support its criminal and civil investigation and litigation functions, according to a 2022 report. Parts of the Environmental Protection Agency and the Department of Education have also used GCC.
Microsoft says its foreign engineers working in GCC have been overseen by U.S.-based personnel known as 'digital escorts,' similar to the system it had in place at the Defense Department.
Nevertheless, cybersecurity experts told ProPublica that foreign support for GCC presents an opportunity for spying and sabotage. 'There's a misconception that, if government data isn't classified, no harm can come of its distribution,' said Rex Booth, a former federal cybersecurity official who now is chief information security officer of the tech company SailPoint.
'With so much data stored in cloud services — and the power of AI to analyze it quickly — even unclassified data can reveal insights that could harm US interests,' he said.
Harry Coker, who was a senior executive at the CIA and the National Security Agency, said foreign intelligence agencies could leverage information gleaned from GCC systems to 'swim upstream' to more sensitive or even classified ones. 'It is an opportunity that I can't imagine an intelligence service not pursuing,' he said.
The Office of the Director of National Intelligence has deemed China the 'most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.' Laws there grant the country's officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.
Microsoft declined interview requests for this story. In response to questions, the tech giant issued a statement that suggested it would be discontinuing its use of China-based support for GCC, as it recently did for the Defense Department's cloud systems.
'Microsoft took steps last week to enhance the security of our DoD Government cloud offerings. Going forward, we are taking similar steps for all our government customers who use Government Community Cloud to further ensure the security of their data,' the statement said. A spokesperson declined to elaborate on what those steps are.
The company also said that over the next month it 'will conduct a review to assess whether additional measures are needed.'
The federal departments and agencies that ProPublica found to be using GCC did not respond to requests for comment.
The latest revelations about Microsoft's use of its Chinese workforce to service the U.S. government — and the company's swift response — are likely to fuel a rapidly developing firestorm in Washington, where federal lawmakers and the Trump administration are questioning the tech giant's cybersecurity practices and trying to contain any potential national security fallout. 'Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems,' Defense Secretary Pete Hegseth wrote in a post on X last Friday.
Last week, ProPublica revealed that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department's computer systems, with oversight coming from US-based digital escorts.
But those escorts, we found, often don't have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable. In response to the reporting, Hegseth launched a review of the practice.
ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company's foreign employees, given the department's citizenship requirements for people handling sensitive data. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives 'substantial revenue from government contracts.'
While Microsoft has said it will stop using China-based tech support for the Defense Department, it declined to answer questions about what would replace it, including whether cloud support would come from engineers based outside the U.S. The company also declined to say whether it would continue to use digital escorts.
Microsoft confirmed to ProPublica this week that a similar escorting arrangement had been used in GCC — a dynamic that surprised some former government officials and cybersecurity experts. 'In an increasingly complex digital world, consumers of cloud products deserve to know how their data is handled and by whom,' Booth said. 'The cybersecurity industry depends on clarity.'
Microsoft said it disclosed details of the GCC escort arrangement in documentation submitted to the federal government as part of the FedRAMP cloud accreditation process. The company declined to provide the documents to ProPublica, citing the potential security risk of publicly disclosing them, and also declined to say whether the China-based location of its support personnel was specifically mentioned in them.
ProPublica contacted other major cloud services providers to the federal government to ask whether they use China-based support. A spokesperson for Amazon Web Services said in a statement that 'AWS does not use personnel in China to support federal contracts.'
A Google spokesperson said in a statement that 'Google Public Sector does not have a Digital Escort program. Instead, its sensitive systems are supported by fully trained personnel who meet the U.S. government's location, citizenship and security clearance requirements.' Oracle said it 'does not use any Chinese support for US federal customers.'
Renee Dudley is a ProPublica reporter focused on technology, cybersecurity and business. Doris Burke, who covers corporate wrongdoing, contributed reporting.