Latest news with #TomCotton
AllAfrica
2 days ago
- Politics
- AllAfrica
The digital escort fraud: another major Pentagon security failure
Microsoft was caught with its pants down in a brilliant exposé by ProPublica that said that a major part of the Defense Department's Cloud Computer system was run by Chinese engineers and monitored by so-called digital escorts who supposedly looked out for any compromise of DOD information. Now, when Senator Tom Cotton called Defense Secretary Hegseth's attention to the mess, Microsoft withdrew the Chinese engineers and pretended everything was fixed. Nothing could be farther from the truth. Back in April, 2018 I participated at the Hudson Institute in a special panel review of the then-Pentagon plan to transition all its heritage computer databases to a single computer cloud. (Watch the full video here.) The Pentagon plan was to shut down the old computer systems after the cloud was up and running. DOD claimed that the cloud would be easier to maintain than a number of separate computers, and more secure. DOD's problem is that it has done a poor job on cyber security for years – and DOD contractors and sub-contractors, operating under weak departmental guidance, have been even worse. There have been many scandals as the so-called 'advanced persistent Cyber threat' has continued to get worse. A persistent cyber threat is one that operates in the shadows for long periods of time and steals vast quantities of sensitive information. At the time of the DOD cloud proposal, government and contractor computers were under constant attack from hackers. Some of these hackers were teams of Chinese and Russian operators, others came from domestic and international hackers who could sell the acquired information to different bidders, including terrorists. Still others were from rogue countries who are still engaged deeply in hacking, including from North Korea and Iran. Around the same time DOD determined that around 50 gigabytes or more F-35 stealth fighter jet data had disappeared. We know where it went: China. And we know the result: China was able to field a stealth fighter jet in record time. Chengdu J-20. F-35 stealth fighter jet data had disappeared. We know where it went: China. And we know the result: China was able to field a stealth fighter jet in record time. Of course it was not only the design information and other details that enabled China to be successful: China also conducts industrial espionage in depth, so its agents can penetrate US contractors and subcontractors and infiltrate their supplier networks. The US classifies some sensitive information, but actually quite a lot less than one might think. This enables contractors to work without the burden of cleared workers. We have seen numerous cases of people caught working in critical companies smuggling components needed by China either for further exploitation or use. In regard to cloud security in 2018 I said: DoD has laid down its own standards, if you want to call them that, or guidelines, if you want to call them that, on what it expects the security of a system that it's going to procure should look like. And basically what they've done, for the most part, is two things. One, of course, is to make sure the employees that are working in the cloud environment that's being proposed are cleared American employees. That, by the way, creates a significant problem in being able to find enough cleared American employees to do the job. And I'm not sure they are so readily available. But that is definitely a challenge, let's say, that's out there. And the second is to take some of the procedures that are used to secure DoD's existing computers and servers and equipment and apply that to the cloud. We understood, in 2018, that the cloud security problem was supposedly solved by using only security-cleared American employees. It seems that the pledge was violated by the Defense Department, which permitted foreign workers to support and service the DoD cloud so long as they were 'supervised.' The supervisors are called 'digital escorts.' The workers, so far at least in Microsoft's case, turn out to be Chinese. Chinese engineers work remotely in China, and it is probably a fair assumption that digital escorts allegedly monitor the work of the Chinese engineers, also remotely. In other words, the so-called escorts are virtual, they don't sit next to the Chinese operators. We do not know anything really about the qualifications of the digital escorts, or even if they understand the Cloud network they are supposedly protecting. They would have to understand the actual cloud software and the underlying processors, and they would need to follow guidelines on what might constitute any sort of breach of the protocols or data by the Chinese. Any clever operator in China could figure out how to insert malware into the cloud, but actually since they have full time access to it anyway there is no overpowering reason for them to do so. Instead they can just suck up all the data and run it through their supercomputers, or even their latest quantum computers. China leads the world in quantum computers, and if they really do work, they can smash encryption codes in seconds. DoD information in the cloud is supposed to be encrypted, or at least we are told that. But that may just be the outside of the system to keep out random hackers. The actual information may not actually be encrypted. That would mean a potential bonanza for China and a huge risk to US security. The original DOD contract was supposed to be to a single contractor. However, complaints from industry and the public – and from security experts, as in our panel discussio – pushed the department to support more than one cloud application (and also may have allowed for some backup if a cloud operation crashed, for whatever reason, although DoD has not told us about any backup). The question arises: If Microsoft was using Chinese engineers, were the other cloud providers doing the same thing, and did they have digital escorts, or something like them? Along with Microsoft, other participants in the DoD cloud contract, initially for $9 billion, were Amazon, Google and Oracle. All of them do business in China. Oracle has offices in Beijing. Amazon has offices in Beijing, Shanghai and Wuhan. Google has offices in Beijing, Shanghai and Shenzhen. Of course we do not know if DoD granted them the same deal they allowed for Microsoft, but it is important to find out. Or maybe DOD never agreed to digital escorts and Chinese engineers? We don't really know, but it is unlikely Microsoft could have hired Chinese engineers without some Defense Department input. If DoD never approved, then it is another example of a security failure. If they did approve, of course, it is also a security failure. Either way it is a disaster. Hegseth understands the digital escort issue is a big deal, but he cannot just accept Microsoft's decision to end China's participation in the Defense Department cloud. Hegseth needs to back a full scale inquiry and investigation. We need an assessment of how much damage was done and, potentially, what programs may have possibly been compromised. Such an investigation has to assess just how long the Digital Escort system has been in place. How long has China had access to the Defense Department's computer heartland? Hegseth needs to find out what the other contractors are doing and if they are using foreign workers. Finally there is a serious question about outsourcing American security to private contractors, especially those who are not core defense contractors and who depend on foreign revenues to support their bottom line. Companies that are mainly commercial are inherently a risk because they lack a security culture and always want to expand into markets that can prove difficult and risky. Putting trust in them raises more than eyebrows. Stephen Bryen is a special correspondent to Asia Times and a former US deputy undersecretary of defense for policy. This article, which originally appeared in his Substack newsletter Weapons and Strategy, is republished with permission.
Malay Mail
3 days ago
- Business
- Malay Mail
Microsoft drops China-based engineers from Pentagon cloud work after backlash
SAN FRANCISCO, July 19 — Microsoft on Friday said it will stop using China-based engineers to provide technical assistance to the US military after a report in investigative journalism outlet ProPublica sparked questions from a US senator and prompted Defense Secretary Pete Hegseth to order a two-week review of Pentagon cloud deals. The report detailed Microsoft's use of Chinese engineers to work on US military cloud computing systems under the supervision of US 'digital escorts' hired through subcontractors who have security clearances but often lacked the technical skills to assess whether the work of the Chinese engineers posed a cybersecurity threat. Microsoft, a major contractor to the US government, has had its systems breached by Chinese and Russian hackers. It told ProPublica it disclosed its practices to the US government during an authorization process. On Friday, Microsoft spokesperson Frank Shaw said on social media website X the company changed how it supports US government customers 'in response to concerns raised earlier this week ... to assure that no China-based engineering teams are providing technical assistance' for services used by the Pentagon. Earlier on Friday, Senator Tom Cotton, an Arkansas Republican who chairs the chamber's intelligence committee and also serves on its armed services committee, sent a letter to Defense Secretary Pete Hegseth about Microsoft's reported practices. Cotton asked the US military for a list of contractors that use Chinese personnel and more information on how US 'digital escorts' are trained to detect suspicious activity. 'The US government recognizes that China's cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains,' Cotton wrote in the letter. The US military 'must guard against all potential threats within its supply chain, including those from subcontractors,' he wrote. US Defense Secretary Pete Hegseth ordered a two-week review to ensure China-based engineers were not working on any other cloud services contracts across the Defense Department. — Reuters pic In a video posted on X on Friday, Hegseth said he was initiating a two-week review to ensure China-based engineers were not working on any other cloud services contracts across the Defense Department. 'I'm announcing that China will no longer have any involvement whatsoever in our cloud services, effective immediately,' Hegseth said in the video. 'We will continue to monitor and counter all threats to our military infrastructure and online networks.' — Reuters
Time of India
3 days ago
- Business
- Time of India
Microsoft changes support policy for US government customers after 'national security threatening report': 'No China-based engineering teams...'
Representative Image Microsoft has introduced changes to its support policy for US government customers. The tech giant has confirmed that "no China-based engineering teams " will provide technical support for US defence clients using its cloud services. This revision follows a report by ProPublica that detailed the US Defence Department's reliance on Microsoft-hired software engineers who are based in China. The report also prompted US Senator Tom Cotton (R-AR) to send a letter to Defence Secretary Pete Hegseth seeking details of the tech giant's alleged use of Chinese engineers for US military systems, as it raised concerns about potential national security risks. What Microsoft said about changing its US government customer policy In a post shared on the social media platform X (earlier Twitter), Frank Shaw, Microsoft's chief communications officer, wrote: 'In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services. by Taboola by Taboola Sponsored Links Sponsored Links Promoted Links Promoted Links You May Like An engineer reveals: One simple trick to get internet without a subscription Techno Mag Learn More Undo We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed.' The ProPublica report noted that Microsoft's Chinese Azure engineers are supervised by US-based 'digital escorts,' who often have less technical expertise than the overseas engineers they oversee. The report suggested that this setup could expose the US to potential cyber threats from China . In a recent video posted on X, Hegseth signed a memo for a review to check if cheap Chinese labour is being used in any other parts of the Defence Department. In the video, he said: ' Earlier this week, we were alerted to a potential vulnerability in our DOD computer systems, and we've been checking into it ever since. It turns out that some tech companies have been using cheap Chinese labour to assist with DOD cloud services. This is obviously unacceptable, especially in today's digital threat environment. Now, this was a legacy system created over a decade ago during the Obama Administration, but we have to ensure the digital systems that we use here at the Defence Department are ironclad and impenetrable, and that's why, today, I'm announcing that China will no longer have any involvement whatsoever in our cloud services effective immediately. And at my direction, the department will also initiate as fast as we can. A two-week review or faster to make sure that what we uncovered isn't happening anywhere else across the DoD. We will continue to monitor and counter all threats to our military infrastructure and online networks.' Philips TAS1209 Review: Why you must get this Bluetooth Speaker AI Masterclass for Students. Upskill Young Ones Today!– Join Now
Yahoo
4 days ago
- Business
- Yahoo
GOP senator asks Pentagon for information on Microsoft's Chinese engineers
Sen. Tom Cotton (R-Ark.) pressed the Defense Department on Thursday for information about Microsoft's reported use of Chinese engineers to help maintain the agency's computer systems. In a letter to Defense Secretary Pete Hegseth, Cotton pointed to recent reporting from ProPublica indicating Microsoft relies on Chinese engineers, who are overseen by U.S. citizens with security clearances known as 'digital escorts.' 'While this arrangement technically meets the requirement that U.S. citizens handle sensitive data, digital escorts often do not have the technical training or expertise needed to catch malicious code or suspicious behavior,' Cotton wrote. 'The U.S. government recognizes that China's cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains,' he added. 'DoD must guard against all potential threats within its supply chain, including from those subcontractors.' The Arkansas Republican requested information from Hegseth about the Pentagon's contractors and subcontractors who hire Chinese personnel or digital escorts, as well as recommendations for closing loopholes in the security requirements for government cloud providers. In the face of these concerns, Microsoft announced Friday that it had made changes to ensure no China-based engineering teams are providing technical assistance for Defense Department cloud services. 'We remain committed to providing the most secure services possible to the US government, including working with our national security partners to evaluate and adjust our security protocols as needed,' Frank Shaw, Microsoft's chief communications officer, said in a statement. China-linked hackers have been tied to numerous high-profile breaches in the U.S. over the past year. The group known as Salt Typhoon has compromised at least nine telecommunications firms. One state's National Guard network was also hacked for nearly a year, according to a recent memo from the Department of Homeland Security obtained by NBC News. Updated at 5:36 p.m. EDT Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Solve the daily Crossword
Japan Times
4 days ago
- Business
- Japan Times
Microsoft to stop using engineers in China for U.S. military tech support
Microsoft on Friday said it will stop using China-based engineers to provide technical assistance to the U.S. military after a report in investigative journalism outlet ProPublica sparked questions from a U.S. senator and prompted Defense Secretary Pete Hegseth to order a two-week review of Pentagon cloud deals. The report detailed Microsoft's use of Chinese engineers to work on U.S. military cloud computing systems under the supervision of U.S. "digital escorts" hired through subcontractors who have security clearances but often lacked the technical skills to assess whether the work of the Chinese engineers posed a cybersecurity threat. Microsoft, a major contractor to the U.S. government, has had its systems breached by Chinese and Russian hackers. It told ProPublica it disclosed its practices to the U.S. government during an authorization process. On Friday, Microsoft spokesperson Frank Shaw said on social media website X the company changed how it supports U.S. government customers "in response to concerns raised earlier this week ... to assure that no China-based engineering teams are providing technical assistance" for services used by the Pentagon. Earlier on Friday, Sen. Tom Cotton, an Arkansas Republican who chairs the chamber's intelligence committee and also serves on its armed services committee, sent a letter to Defense Secretary Pete Hegseth about Microsoft's reported practices. Cotton asked the U.S. military for a list of contractors that use Chinese personnel and more information on how U.S. "digital escorts" are trained to detect suspicious activity. "The U.S. government recognizes that China's cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains," Cotton wrote in the letter. The U.S. military "must guard against all potential threats within its supply chain, including those from subcontractors," he wrote. In a video posted on X on Friday, Hegseth said he was initiating a two-week review to ensure China-based engineers were not working on any other cloud services contracts across the Defense Department. "I'm announcing that China will no longer have any involvement whatsoever in our cloud services, effective immediately," Hegseth said in the video. "We will continue to monitor and counter all threats to our military infrastructure and online networks."
