It is one thing for China to hack into sensitive U.S. files. However, when a powerful U.S. company practically invites them to do so, and thereby gain access to crucial information from the Department of Defense, Congress should use all its investigative powers to determine what went wrong and why.

At issue is Microsoft’s “using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary.” 

That is the lead from a thoroughly researched, investigative journalism piece by ProPublica, published on July 15.

Overseeing the Chinese workers were “digital escorts.” These individuals had security clearances, though many lacked computer skills. As ProPublica said, “Some are former military personnel with little coding experience who are paid barely more than minimum wage for their work.”

Within three days of the article’s publication, Sen. Tom Cotton, R-Ark., the chairman of the Senate Select Committee on Intelligence, demanded that the practice end. Secretary of Defense Pete Hegseth strongly agreed with the request, and a Microsoft public relations executive tweeted the company would no longer use engineers in China on these contracts.

While that is positive, especially regarding the actions of Cotton and Hegseth, much more needs to be done.

First, Cotton asked a series of probing questions of the DoD, including a request to provide “a list of subcontractors that hire digital escorts for Microsoft, or any other entity, and their interview and technical assessment process for candidates.” That, and the other information the senator requested, should be provided and shared with the public.

Most important, Congress needs to demand forensic audits to determine how much information may have been shared with the Chinese government and to ensure such practices are never repeated.

As ProPublica pointed out, Microsoft had these Chinese engineers “handle the government’s most sensitive information that falls below ‘classified.’” The loss of information in this category, the government warns, “could be expected to have a severe or catastrophic effect on operations, assets and individuals.”

As such, it is crucial to pull out all the investigatory stops. Congress should launch a probe by the government’s nonpartisan auditor, the Government Accountability Office. The Senate Intelligence Committee and the House Select Committee on the Chinese Communist Party should subpoena documents and consider holding hearings.

ProPublica also reports that in August 2024, the Defense Information Systems Agency Office of the Inspector General (DISA IG) shut down an investigation on this matter, saying it was not “within the avenue of redress by DISA IG” and that the matter was referred to management.

Hegseth should demand to know who dropped the ball and why, and how far up the chain of command this issue reached. And if it did not rise, why not?

This situation, though, is a matter of non-partisan good government at its core.

ProPublica points out that John Sherman, who was chief information officer for the Defense Department during the Biden administration, said, “I probably should have known about this,” adding the situation warrants a “thorough review by DISA, Cyber Command, and other stakeholders that are involved in this.”

This investigation has added impetus, as the U.S. government uses Microsoft for numerous cybersecurity projects. Understanding its corporate culture, which led to the “digital escorts” debacle, and how this may be affecting other projects is vital.

In April 2024, the independent Cyber Safety Review Board released a stinging report about Microsoft regarding a 2023 attack by Chinese hackers that “accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.”

It criticized Microsoft for not stopping this “preventable” attack and “identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management.”

That practice has continued. It is time for Congress to demand better from one of the world’s largest and most successful companies.