Microsoft Failed to Disclose Key Details About Use of China-Based Engineers in U.S. Defense Work, Record Shows
In interviews with ProPublica, Microsoft has maintained that it disclosed the digital escorting arrangement in the plan, and that the government approved it. But Defense Secretary Pete Hegseth and other government officials have expressed shock and outrage over the model, raising questions about what, exactly, the company disclosed as it sought to win and keep government cloud computing contracts.
None of the parties involved, including Microsoft and the Defense Department, commented on the omissions in this year’s security plan. But former federal officials now say that the obliqueness of the disclosure, which ProPublica is reporting for the first time, may explain that disconnect and likely contributed to the government’s acceptance of the practice. Microsoft previously told ProPublica that its security documentation to the government, going back years, contained similar wording regarding escorts.
Former Defense Department Chief Information Officer John Sherman, who said he was unfamiliar with the digital escorting process before ProPublica’s reporting, called it a “case of not asking the perfect question to the vendor, with every conceivable prohibited condition spelled out.”
In a LinkedIn post about ProPublica’s investigation, Sherman said such a question “would’ve smoked out this crazy practice of ‘digital escorts.’” His post continued: “The DoD can’t be exposed in this way. The company needs to admit this was wrong and commit to not doing things that don’t pass a common sense test.”
Experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government computer systems poses major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”
Following ProPublica’s reporting last month, Microsoft said that it had stopped using China-based engineers to support Defense Department cloud computing systems. The company did not respond directly to questions from ProPublica about the security plan and instead issued a statement defending the escort practice.
“Escorted sessions were tightly monitored and supplemented by layers of security mitigations,” the statement said. “Based on the feedback we’ve received, however, we have updated our processes to prevent any involvement of China based engineers.”
Sen. Tom Cotton, a Republican who chairs the Senate Select Committee on Intelligence, wrote to Hegseth last month suggesting that the Defense Department needed to strengthen oversight of its contractors and that current processes “fail to account for the growing Chinese threat.”
“As we learn more about these ‘digital escorts’ and other unwise — and outrageous — practices used by some DoD partners, it is clear the Department and Congress will need to take further action,” Cotton wrote. He continued: “We must put in place the protocols and processes to adopt innovative technology quickly, effectively, and safely.”
Since 2011, the government has used the Federal Risk and Authorization Management Program, known as FedRAMP, to evaluate the security practices of commercial companies that want to sell cloud services to the federal government. The Defense Department also has its own guidelines, which include the citizenship requirement for people handling sensitive data.
Both FedRAMP and the Defense Department rely on “third party assessment organizations” to evaluate whether vendors meet the government’s cloud security requirements. While the government considers these organizations “independent,” they are hired and paid directly by the company being assessed. Microsoft, for example, told ProPublica that it enlisted a company called Kratos to shepherd it through the initial FedRAMP and Defense Department authorization processes and to handle annual assessments after winning federal contracts.
On its website, Kratos calls itself the “guiding light” for organizations seeking to win government cloud contracts and said it “boasts a history of performing successful security assessments.”
In a statement to ProPublica, Kratos said its work determines “if security controls are documented accurately,” but the company did not say whether Microsoft had done so in the security plan it submitted to the Defense Department’s IT agency.
Microsoft told ProPublica that it has given demonstrations of the escort process to Kratos but not directly to federal officials. The security plan makes no reference to any such demonstration. Kratos did not respond to questions about whether its assessors were aware that non-screened personnel could include foreign workers.
A former Microsoft employee who worked with Kratos through several FedRAMP accreditations compared Microsoft’s role in the process to “leading the witness” to the desired outcome. “The government approved what we paid Kratos to tell the government to approve. You’re paying for the outcome you want,” said the former employee, who requested anonymity to discuss the confidential proceeding.
Kratos said it “vehemently denies the characterization from an unnamed source that Kratos’ services are pay for play.” In its statement, Kratos said that it has been “accredited and audited by an independent, non-profit industry group” for factors that “include impartiality, competence and independence.”
“Kratos hires and retains the most technically sophisticated, certified security and technology experts,” the company said, adding that its personnel “are beyond reproach in their work.”
For its part, Microsoft said hiring Kratos was simply part of following the government’s cloud assessment process. “As required by FedRAMP, Microsoft relies on this certified assessor to conduct independent assessments on our behalf under FedRAMP’s supervision,” Microsoft said in its statement.
Still, critics take issue with the FedRAMP process itself, saying that the arrangement of a company paying its auditor presents an inherent conflict of interest. One former official from the U.S. General Services Administration, which houses FedRAMP, likened it to a restaurant hiring and paying for its own health inspector rather than the city doing so.
The GSA did not respond to requests for comment.
The Defense Information Systems Agency, the Defense Department’s IT agency, reviewed and accepted Microsoft’s security plan. Among those involved were senior DISA officials Roger Greenwell and Jackie Snouffer, according to people familiar with the situation. Neither responded to phone messages seeking comment, and DISA and Defense Department spokespeople did not respond to ProPublica’s request to interview them.
A DISA spokesperson declined to comment for this article, saying “any responses will come from Office of the Secretary of Defense Public Affairs.”
The Office of the Secretary of Defense did not respond to questions about whether Greenwell and Snouffer, or anyone at DISA, understood that Microsoft’s China-based employees would be supporting the Defense Department’s cloud. A spokesperson also did not directly respond to questions about Microsoft’s System Security Plan but in an emailed statement said the information in such plans is considered proprietary. The spokesperson noted that “any process that fails to comply with” department restrictions barring foreigners from accessing sensitive department systems “poses unacceptable risk to the DOD infrastructure.”
That said, the office left open the door to the continued use of foreign-based engineers with digital escorts for “infrastructure support,” saying that it “may be deemed an acceptable risk,” depending on factors that include “the country of origin of the foreign national” being escorted. The department said in such scenarios foreign workers would have “view-only” capabilities, not “hands-on” access. In addition to China, Microsoft has operations in India, the European Union and elsewhere across the globe.
In a statement to ProPublica on Friday, Hegseth’s office said the Pentagon’s investigation into tech companies’ use of foreign personnel “is complete and we have identified a series of possible actions the Department could take.” A spokesperson declined to describe those actions or say whether the department would follow through with them. It’s unclear whether Microsoft’s security plan or DISA’s role in approving it was a part of the review.
“As with all contracted relationships, the Department works directly with the vendor to address concerns, to include those that have come to light with the Microsoft digital escort process,” Hegseth’s office said in the statement.
Renee Dudley is a ProPublica reporter focused on technology, cybersecurity, and business. Doris Burke covers corporate wrongdoing for ProPublica. This story was originally published by ProPublica. ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive ProPublica’s biggest stories as soon as they’re published.
