WASHINGTON, D.C. – A new investigation reveals China may have had access into sensitive U.S. military systems for over a decade thanks to a major federal contractor.
Beijing’s potential “in” to DOD networks didn’t come in the form of a cyber-attack, or a rogue agent inside the government, but rather Microsoft employees based in China, operating under the oversight of under-trained U.S.-based supervisors.
“These Microsoft engineers based in mainland China were feeding code to what were called Digital Escorts. So these were DOD employees with security clearances. They’re able to take the code that was produced by Microsoft engineers and then put it directly into DOD systems,” said Jack Burnham, a research analyst with the Foundation for Defense of Democracies.
While these Microsoft employees are not known Chinese agents, according to a ProPublica investigation, many of the digital escorts tasked with patching their work into DOD systems report being ill-equipped to understand the code they receive.
***Please sign up for CBN Newsletters and download the CBN News app to ensure you receive the latest updates.***
Burnham sees this arrangement as creating two main security concerns.
“There’s both a concern about vulnerabilities in terms of Chinese engineers employed by Microsoft having an extensive knowledge of the cloud computing system, so being able to target certain aspects, as well as potentially introducing vulnerabilities that these digital escorts may not have known existed because they didn’t have the technical expertise in order to spot them,” Burnham told CBN News.
Both Microsoft and the Pentagon were reportedly notified over the last decade regarding potential security concerns given the location of the Microsoft engineers, but when ProPublica spoke with former and current DOD officials, many had little to no knowledge of the program, or how it operated.
The spokesperson for the Defense Information Systems Agency, Deven King, said, “Literally no one seems to know anything about this, so I don’t know where to go from here.”
Microsoft, meanwhile, issued a statement saying its personnel and contractors operate in a manner “consistent with U.S. government requirements and processes.”
No matter what circumstances led to this system flying under the radar for so long, Defense Secretary Pete Hegseth says it ends now.
“I want to thank all those Americans out there, in the media and elsewhere, who raised this issue to our attention so we could address it,” Hegseth said in a statement on X.
Effective immediately, he says China will no longer have any involvement in DOD Cloud services, and he’s ordered a two-week review of all other Pentagon systems.
“This is obviously unacceptable, especially in today’s digital threat environment. Now, this was a legacy system created over a decade ago during the Obama administration, but we have to ensure the digital systems we use here at the Defense Department are ironclad and impenetrable,” Hegseth said.
National security experts say it’s time for a cybersecurity mindset shift across the federal government, and for a major investment in a trusted workforce here at home, capable of ensuring more critical systems aren’t left vulnerable.
